The Article 29 Working Party (WP29) discussed a number of important issues during its April plenary meeting on 17 April 2018. In its summary press release, the WP29 gave an update on the issues it discussed.

Implementation of the General Data Protection Regulation (GDPR) and adopted guidelines

WP29 formally adopted guidelines on consent and transparency following a public consultation of six weeks. WP29 additionally formally adopted revised Binding Corporate Rules application forms, an updated working document on the Binding Corporate Rules approval procedure and revised guidelines on the GDPR urgency procedure.

WP29 also highlighted that it had adopted a position paper on GDPR Article 30(5). GDPR Article 30(5) generally exempts organisations employing fewer than 250 people from having to keep records of personal data processing.

WP29 further stated that it will continue working on guidelines about GDPR certification, territorial scope and codes of conduct.

It was also stated that WP29 has been granted a mandate to develop guidance in relation to GDPR Article 6(1)(b) in the context of the provision of ‘free’ online services. GDPR Article 6(1)(b) enables organisations to process personal data where such processing is necessary for the performance of a contract to which a data subject is party.

A discussion was also had on the European Data Protection Board and how its rules of procedure, budget, technical set-up and meetings timetable in 2019 will be structured.

New Social Media Working Group

The Information Commissioner’s Office (the UK’s data protection authority) updated WP29 on its ongoing investigations of Cambridge Analytica and Facebook. WP29 underlined its commitment to working together through the existing Facebook Contact Group. WP29 agreed to set up a Social Media Working Group, to develop a broader long-term strategy on the issues that have come to light in this area.

Adoption of opinions and letters

The WP29 adopted an opinion on interoperability between EU information systems, specifically concerning borders, visas, asylum, migration and police and judicial cooperation. The opinion analyses the tools and access rights regarding the fundamental right to privacy and data protection, under draft regulations which will form the basis for future European travel and migration systems.

The WP29 also issued a statement on encryption and the impact it has on protecting individuals with regard to the processing of their personal data in the EU.

The WP29 sent letters to:

  • the EU Commission on passenger name record agreements;
  • the European Parliament Civil Liberties, Justice and Home Affairs Committee, regarding s. 702 of the US Foreign Intelligence Surveillance Act;
  • the Internet Corporation for Assigned Names and Numbers and stakeholders on GDPR compliance;
  • the ISO on making the ISO 17065 standard available free of charge;
  • Facebook, expressing concern about facial recognition functionality; and
  • the European Securities and Markets Authority and International Organization of Securities Commissions on the draft administrative agreement.

Mandates and ongoing work

The WP29 is monitoring ongoing developments in the EU-US Privacy Shield. The European Commission provided WP29 with an update on this issue during the plenary session.

The WP29 enforcement subgroup is working on:

  • a best practices manual for enforcement communication in cross-border cases;
  • identifying open cases which will not be resolved before GDPR implementation on 25 May 2018;
  • recommending measures for effective cooperation; and
  • identifying concrete enforcement actions to initiate from May 2018.

The WP29 technology subgroup was given a mandate to work on video surveillance issues, with a view to drafting an opinion in the near future.