
The Article 29 Working Party (“WP29”) recently published an opinion on data processing at work (“Opinion”).

The Opinion restates the position and conclusions in WP29’s 2001 Opinion on processing personal data in the employment context (WP48), and its 2002 WP55 Working Document on the surveillance of electronic communications in the workplace. However, it addresses the need for a new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees, because of risks posed by advancements in modern technologies since the other documents were published.

The Opinion is primarily concerned with the Data Protection Directive 95/46/EC (“DPD”), so employers should continue to take account of the fundamental principles of the DPD when processing personal data in an employment context. Technological developments and new methods of processing have not changed this position.

The Opinion also looks towards the “new” obligations placed on all controllers, including employers, under the General Data Protection Regulation 2016/679 (“GDPR”) – including data protection by design, the need to carry out Data Protection Impact Assessments for high-risk processing, and any specific national rules that are introduced pursuant to Article 88 relating to processing employees’ personal data.

WP29 has considered various scenarios in the Opinion which describe how certain technologies might be used to process personal data in the workplace, and the points that employers should consider. Some of these include:

This week, it was officially announced that South Korea has become the fifth country to join the Asia-Pacific Economic Cooperation’s (APEC) Cross Border Privacy Rules (CBPR) system. This system was developed by APEC in 2011 to “build consumer, business and regulator trust in cross border flows of personal information” and thus facilitate e-commerce among APEC countries. The Ministry of Interior and the Korea Communications Commission stated on Monday that approval for joining the CBPR had been secured. In order for countries to opt in to the system, their legal systems and privacy protection must meet APEC’s standards.

APEC is an economic forum made up of countries throughout the Asia-Pacific region. Its importance should not be understated: its 21 member economies account for 54 per cent of the world’s GDP and 40 per cent of world trade. It exists to assist trade through faster customs procedures and initiatives to harmonise regulatory systems across its member countries. The CBPR is a voluntary, accountability-based system that facilitates the safe transfer of personal information across the APEC region.

The ICO recently published its Information Rights Strategic Plan for 2017–2021 (the ‘Plan’). In it, the Commissioner, Elizabeth Denham, asserts that we are on the “edge of a new frontier” and that the data protection landscape is about to be reshaped by the “game changing” General Data Protection Regulation (the ‘GDPR’). Noting the significant changes for organisations, the public and regulators, the Commissioner sets the key aim of ensuring that data protection regulators stay relevant. According to the Commissioner’s opening statement, this entails increasing the public’s trust in government, public bodies and the private sector, not only in terms of transparency but also in their involvement in the digital economy and digital public services.

The Plan specifies five clear goals:

  1. Increase the public’s trust and confidence in how data is used and made available;
  2. Improve standards of information rights practice through clear, inspiring and targeted engagement and influence;
  3. Maintain and develop influence within the global information rights regulatory community;
  4. Stay relevant, provide excellent public service and keep abreast of evolving technology; and
  5. Enforce the laws the ICO helps to shape and oversee.


The Court of Justice of the European Union (CJEU) recently gave its preliminary ruling on the interpretation of the legitimate interests condition under Article 7(f) of the Data Protection Directive 95/46/EC (the Directive) in the context of processing by a public authority.

A collision

In 2012, a passenger in a taxi in Latvia suddenly opened the door to get out, and proceeded to damage a passing tram owned by Rīgas satiksme (Rīgas). Rīgas requested the personal details of the passenger (full name, ID number and address) in order to sue for damages so as to repair the tram. It was unknown at this stage that the passenger was a minor. The Latvian police provided the passenger’s full name only, on the basis that Latvian law does not provide for the disclosure of other data to people who are not a party to administrative proceedings leading to sanctions. Rīgas challenged this decision, stating that it required further information to enable it to locate the passenger. This challenge was upheld before later being appealed by the police. Eventually, the Latvian Supreme Court, noting doubts as to the meaning of ‘necessity’ in relation to the interpretation of ‘legitimate interests’ under the Directive, requested an opinion as to whether: (i) the Directive imposed an obligation to disclose personal data to a third party to enable it to bring an action for damages; and (ii) the age of the individual had any bearing on the interpretation.

As part of its GDPR Implementation Project, the Centre for Information Policy Leadership (‘CIPL’) has released a discussion paper on certifications, seals and marks. The paper stresses the benefits of certifications that can be adapted to different companies and contexts, all while retaining common cross-border baselines. As no such measure is currently in place ahead

For organisations with data flows between the United States and Switzerland, it is now possible to self-certify into the Swiss-U.S. Privacy Shield Framework. This process became available on 12 April 2017. The Swiss-U.S. Privacy Shield will operate in a substantially similar way to the EU-U.S. Privacy Shield. There are, however, key differences, including: (1) the

Although considered burdensome by some, data protection impact assessments (DPIAs) help controllers assess any data protection implications of their processing operations, with the added benefit of demonstrating compliance with the EU General Data Protection Regulation (GDPR). The Article 29 Working Party (WP29) recently published Guidelines on DPIAs and on determining whether processing is “likely to

In January, the UK government confirmed that it will be implementing the EU’s Network and Information Security Directive (NIS Directive) regardless of Brexit. EU countries have until 9 May 2018 to implement the Directive into their national laws. Given Brexit, the UK government confirmed in its Cyber Security Regulation and Incentives Review that details of the UK’s implementation of the NIS Directive will be released in 2017.

In early January, the Article 29 Working Party (WP29) adopted its 2017 Action Plan (Action Plan) on the implementation of the General Data Protection Regulation (GDPR).

Amongst the actions proposed, the Action Plan provides a list of guidelines to be published throughout the year, which are set to cover:

“Do as I say, not as I do”

It is difficult to miss the irony in the first fine for nuisance calls issued by the ICO since it took over the Telephone Preference Service (TPS), as reported in our earlier blog post in December.

IT Protect Ltd., a Bognor Regis firm in the business of selling a call-blocking device that purportedly stops unwanted marketing calls, was fined £40,000 on 11 January by the ICO for making nuisance calls. After more than 30 complaints were received, the ICO investigated and found that IT Protect Ltd. had been making unsolicited marketing calls for more than a year to people registered with the TPS.