Article 29 Working Party releases guidelines on transparency under the GDPR

On 11 December 2017, the Article 29 Working Party (Art 29 WP) published its draft guidance on transparency. The guidelines are open for consultation until 23 January 2018.

The Art 29 WP analyse the elements of transparency required by the General Data Protection Regulation (GDPR). They also provide further details on the information that data controllers must provide to data subjects, specifically in relation to Articles 12 and 13.

1. The concept of transparency

Transparency is a key concept of the GDPR. It is fundamentally linked to the GDPR’s central principles of fairness and accountability.

Under Article 4(2) of the GDPR, data controllers must be able to demonstrate that the personal data they process is processed transparently.

2. The elements of transparency

Article 12(1) requires that any information that is given to data subjects is provided:

  • in a concise, transparent, intelligible and easily accessible form;
  • using clear and plain language;
  • in writing, or by other means;
  • where requested by the data subject, orally; and
  • free of charge.

The Art 29 WP analyse each of these elements.

D.C. Circuit finds dissemination, but not mere existence, of inaccurate information in government database satisfies Article III standing requirement post-Spokeo

“[I]f inaccurate information falls into a government database, does it make a sound?” Partly affirming summary judgment for the defendant in Owner-Operator Indep. Drivers Ass’n v. DOT, No. 16-5355 (D.C. Cir. Jan. 12, 2018), the U.S. Court of Appeals for the D.C. Circuit answered its own question in the negative and held that a handful of truck drivers lacked standing to sue over the existence of allegedly inaccurate driver information in a government database. However, the court also ruled that two truck drivers about whom information was disseminated could overcome the Spokeo bar that sank the claims of their peers, and permitted their claims to go forward. In doing so, the appeals court helped clarify which actions in the digital realm rise to the level of concrete harm.

Plaintiffs in Owner-Operator were five commercial truck drivers and their industry association. Pursuant to federal regulations, the drivers’ safety records were contained in the Motor Carrier Management Information System, which employers may access through the Department of Transportation’s (DOT) Pre-Employment Screening Program. Each of the plaintiff drivers successfully challenged safety citations they had received in court, and then asked to have the citation reports removed from the safety record database.


Article 29 Working Party publishes updated guidance on adequacy referential

On 28 November 2017, the Article 29 Working Party (‘WP29’) published a working document (‘WP29 Document’) updating its previous guidance on transfers of personal data to third countries (WP12). WP29 has reviewed its earlier guidance in the context of the General Data Protection Regulation (‘GDPR’) and recent case law of the European Court of Justice (‘CJEU’).

The WP29 Document only deals with Chapter 1 of WP12 and focuses solely on adequacy decisions. Chapters 2 and 3 of WP12 will be updated at a later stage. The WP29 Document is currently open for consultation and comments should be submitted by 17 January 2018.

The updated guidance consists of four chapters, the key points of which are discussed below.


Article 29 Working Party releases guidelines on consent under the GDPR

On 28 November 2017, the Article 29 Working Party (“WP29”) published its guidelines on consent under the General Data Protection Regulation (“GDPR”). The guidelines are open for public consultation until 23 January 2018. They provide an analysis of the concept of consent, together with practical guidance for organisations on the requirements for obtaining and demonstrating valid consent under the GDPR.

The concept of consent

Under GDPR, a data controller can only process personal data on the basis of one of six legal grounds. An individual’s consent to processing is one of these lawful grounds. The GDPR defines consent as a “freely given, specific, informed and unambiguous” indication of an individual’s wishes to signify agreement to the processing of their personal data.

Elements of valid consent

The guidelines analyse four areas relevant to free consent under GDPR:

  1. Imbalance of power: an imbalance exists wherever it is unlikely that an individual will be able to deny his/her consent to data processing without fear of detriment. For example, an imbalance of power is likely to exist in an employment context between employers and employees.
  2. Conditionality: requests for consent to the processing of personal data should not be “bundled up” with acceptance of other terms or conditions, unless necessary for the performance of a contract.
  3. Granular and specific: data controllers need to obtain separate consents from individuals for each specific purpose for which they intend to process individuals’ personal data. For example, separate consents should be obtained for direct marketing activities and for sharing personal data with third parties.
  4. Detriment: individuals must be able to withdraw or refuse to grant consent to data processing without detriment. For example, such withdrawal or refusal should not lead to the individual incurring costs.


Article 29 Working Party issues new guidelines for Binding Corporate Rules

The Article 29 Working Party (WP29) has published updated guidelines on Binding Corporate Rules (BCRs) to reflect the requirements set out in the General Data Protection Regulation (GDPR). The two documents, which replace previous WP29 working papers (WP 153 and WP 195) and remain open for public consultation until January 17, 2018, are:

(i) Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (WP 256)

(ii) Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (WP 257)

The two documents include tables setting out the elements and principles to be included in controller BCRs and processor BCRs. These tables have been amended specifically to:

  • Meet the requirements of Article 47 GDPR
  • Clarify the necessary content of BCRs as stated in Article 47 GDPR
  • Make the distinction between what must be included in BCRs and what must be presented to the competent supervisory authority in the BCRs application
  • Give the principles the corresponding text references in Article 47 GDPR (for controller BCRs)
  • Provide further guidance on each of the requirements

Both documents note that Article 47 GDPR is clearly modeled on the working documents relating to BCRs previously adopted by WP29. However, to ensure their compatibility with GDPR, Article 47 does specify new requirements to be considered for adopting new BCRs or updating existing ones.

Nation on Hold for Supreme Court Carpenter v. United States Decision

On November 29, many interested audience members packed into the Supreme Court to witness oral argument on the issue of whether the Fourth Amendment demands that the government obtain a warrant in order to acquire long-term, cell-site location information (CSLI) from wireless service providers, in what could be one of the most influential privacy decisions of this generation: Carpenter v. United States.

In the wake of a string of armed robberies at electronic retail stores in the Detroit area in 2011, the Federal Bureau of Investigation (FBI) obtained orders pursuant to the Stored Communications Act (SCA) requesting “transactional records” from wireless service providers, including CSLI pertaining to the call origination and termination of the arrested suspects’ phone numbers. Under the SCA, the government may require disclosure of such records upon a finding of “specific and articulable facts” that “there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.” 18 U.S.C. 2703(d). Defendant Timothy Carpenter moved to suppress the government’s cell-site evidence before trial, claiming that the government’s obtaining CSLI from his wireless service provider constituted a warrantless search in violation of the Fourth Amendment. The district court denied the motion, the Sixth Circuit affirmed, and the Supreme Court granted certiorari last June.


Pre-Christmas Update on the ePrivacy Regulation

The General Data Protection Regulation (“GDPR”) will enter into force on 25 May 2018, and will provide new general data protection standards. In its draft ePrivacy Regulation of 10 January 2017 (“ePrivacy Regulation”), which includes specific provisions for electronic communications, the European Commission sought to ensure that both sets of rules will enter into force at the same time.

Current legislative status of the ePrivacy Regulation

The European Council published its first revisions to the ePrivacy Regulation (read more on our blog here) on 8 September 2017, and European Data Protection Supervisor Giovanni Buttarelli issued recommendations on specific aspects of the ePrivacy Regulation on 5 October 2017 (read more on our blog here). The European Parliament adopted a report, including its draft resolution on the ePrivacy Regulation (“Report”), on 23 October 2017. Adhering to the requirements for processing personal data under the ePrivacy Regulation, the Report does not allow further data processing for compatible purposes or on the basis of legitimate interest. On 5 December 2017, the European Council released a consolidated version of the ePrivacy Regulation (“Consolidated Version”) which summarizes the work done so far in the European Council as a basis for its future work. The Consolidated Version also outlines that further internal discussions will be necessary, i.e., on Art. 6, 7, 9 ePrivacy Regulation as well as on further grounds for processing.


Morrisons found vicariously liable for a data breach committed by one of its employees

Following a recent ruling by the High Court against WM Morrisons Supermarket PLC (“Morrisons”), employers may now find themselves vicariously liable for data breaches perpetrated by their employees (https://www.judiciary.gov.uk/judgments/various-claimants-v-wm-morrisons-supermarket-plc/).

Background

In 2014, it was discovered that a file containing the payroll data of 99,998 Morrisons’ employees had been uploaded to a file-sharing website. This data included names, dates of birth, addresses, national insurance numbers, and details of employees’ salaries and bank accounts.

Following an investigation, it was revealed that one of Morrisons’ employees, Andrew Skelton – a senior IT auditor – had copied the data which he was supposed to send to KPMG, Morrisons’ external auditors, to a personal USB drive. Mr Skelton then uploaded this data to a file-sharing website.

Mr Skelton’s actions were reportedly the result of a grudge that he held against his employer following an earlier, unrelated disciplinary incident. As a result, Mr Skelton was subsequently arrested and sentenced to eight years in prison pursuant to the Computer Misuse Act 1990 and the Data Protection Act 1998 (the “DPA”).

Now, in what is the first-ever group action case involving a data breach, 5,518 of the affected employees have brought a group class action against Morrisons for breach of its statutory duty under the DPA and at common law.

The claim was made on the basis that Morrisons was (i) directly liable for breaching its statutory duty; and (ii) in the alternative, vicariously liable for the breach in its capacity as Mr Skelton’s employer.

ENISA publishes report on recommendations for data protection certification mechanisms under the GDPR

On 27 November 2017, the European Union Agency for Network and Information Security (“ENISA”) published a report on Recommendations on European Data Protection Certification (“Report”). The aim of the Report is to identify and analyse challenges and opportunities of data protection certification mechanisms, as introduced by the General Data Protection Regulation (“GDPR”).

The Report provides an overview of existing data protection certification mechanisms, and clarifies the terminology and concepts relevant to GDPR certification, as established in Articles 42 and 43 of the GDPR. The Report also presents research and analysis on various certification schemes, including the ePrivacyseal EU, EuroPrise, CNIL Labels and the ICO Privacy Seal. It further focuses on some of the questions relating to successful take-up of certifications, as well as the role of certification as a transparency and accountability instrument under the GDPR. The Report additionally notes that data protection certification mechanisms under the GDPR are likely to face challenges, given the diversity of existing data protection certifications.

The Report sets out several recommendations that are intended to provide high-level guidance to data protection authorities, certification bodies, and data controllers/processors. The main recommendations include:

CJEU rules Digital Rights Ireland’s Privacy Shield invalidation action inadmissible

Background

On 22 November 2017, the Court of Justice of the European Union (“CJEU”) gave judgment in a case taken by the not-for-profit company, Digital Rights Ireland Limited (“DRIL”). DRIL sought an annulment of the European Commission’s Privacy Shield decision. This decision states that the US ensures an adequate level of protection for personal data transferred from the EU to companies in the US under the EU-US Privacy Shield (the “Contested Decision”).

The CJEU ruled that DRIL’s annulment request was inadmissible for two reasons: (1) DRIL cannot show that it is sufficiently affected by the Contested Decision to bring proceedings in its own name; and (2) DRIL lacks standing to bring proceedings in the name of its members, supporters and the general public.

In this case, the DRIL acted as the applicant and the European Commission was the defendant.

Admissibility of the action brought by DRIL in its own name

DRIL presented three arguments to demonstrate the admissibility of the action brought in its own name.

Argument 1: DRIL argued that, given that it possesses a mobile phone and a computer, its own personal data is liable to be transferred to the US pursuant to the Contested Decision. The CJEU rejected this argument. The CJEU ruled that in its capacity as a legal person, DRIL does not possess personal data. The Data Protection Directive only provides for the protection of personal data of natural persons, not legal entities.
