
On 28 November 2017, the Article 29 Working Party (‘WP29’) published a working document updating its previous guidance on transfers of personal data to third countries (WP12) (the ‘WP29 Document’). WP29 has reviewed its earlier guidance in the context of the General Data Protection Regulation (‘GDPR’) and recent case law of the European Court of Justice (‘CJEU’).

The WP29 Document only deals with Chapter 1 of WP12 and focuses solely on adequacy decisions. Chapters 2 and 3 of WP12 will be updated at a later stage. The WP29 Document is currently open for consultation and comments should be submitted by 17 January 2018.

The updated guidance consists of four chapters, the key points of which are discussed below.

Full post: Article 29 Working Party publishes updated guidance on adequacy referential

On 27 November 2017, the European Union Agency for Network and Information Security (“ENISA”) published a report on Recommendations on European Data Protection Certification (“Report”). The aim of the Report is to identify and analyse challenges and opportunities of data protection certification mechanisms, as introduced by the General Data Protection Regulation (“GDPR”).

The Report provides an overview of existing data protection certification mechanisms, and looks at the terminology and clarifying concepts that are relevant to GDPR certification, as established in Articles 42 and 43 of the GDPR. The Report also presents research and analysis on various certification schemes, including the ePrivacyseal EU, EuroPrise, CNIL Labels and the ICO Privacy Seal. It further focuses on some of the questions relating to successful take-up of certifications, as well as the role of certification as a transparency and accountability instrument under the GDPR. The Report additionally notes that data protection certification mechanisms under the GDPR are likely to face challenges, given the diversity of existing data protection certifications.

The Report sets out several recommendations that are intended to provide high-level guidance to data protection authorities, certification bodies, and data controllers/processors. The main recommendations include:

Full post: ENISA publishes report on recommendations for data protection certification mechanisms under the GDPR

On 3 October 2017, the Article 29 Working Party (“WP29”) published draft guidelines on personal data breach notification (“Guidelines”) under the General Data Protection Regulation 2016/279 (“GDPR”). In this blog, we look at some of the key concepts that are considered in the Guidelines regarding the mandatory breach notification and communication requirements of the GDPR.

What is a personal data breach?

Article 4(12) of the GDPR broadly defines this as a breach of security which could lead to the loss, destruction, damage or unauthorised disclosure of, or unauthorised access to, personal data. WP29 explains that security breaches can be categorised according to the following three principles:

  • Confidentiality breach: unauthorised or accidental disclosure or access to personal data
  • Integrity breach: unauthorised or accidental alteration of personal data
  • Availability breach: unauthorised or accidental loss of access or destruction of personal data

WP29 notes that an availability breach may be less obvious. Where, however, there has been a permanent loss or destruction of personal data, this will always qualify as an availability breach.

When do you need to notify the supervisory authority?

Article 33(1) of the GDPR requires controllers to notify a personal data breach to the supervisory authority within 72 hours after having become aware of it.

WP29 considers that a controller becomes “aware” when it has a reasonable degree of certainty that a security incident has occurred that led to personal data being compromised. For example:

  • Loss of unencrypted CD – controller becomes aware when it realises the CD is lost despite not knowing if unauthorised persons gained access to the data
  • Third party informs controller they have accidentally received a customer’s personal data – controller becomes aware as soon as it has been informed
  • Cybercriminal contacts controller with ransom demand after hacking its system – controller becomes aware immediately

Full post: Article 29 Working Party publishes guidelines on personal data breach notification

The House of Lords Library, which provides research and information services to Members of the House of Lords, has published a briefing on the Data Protection Bill (“Bill”) which sets out an overview of, and reactions to, the Bill (“Briefing”). The Briefing was prepared in advance of the Bill’s second reading in the House of Lords, which took place on 10 October.

Some of the key points to note from the Briefing are as follows:

The Bill in the context of Brexit

The Briefing highlights the recommendations of the House of Lords European Union Committee that the government should:

  • Pursue and maintain regulatory equivalence with the EU for data protection to ensure unhindered data flows between the UK and EU post-Brexit
  • Seek an adequacy decision from the European Commission

The Committee noted that “stakes are high” because any post-Brexit arrangement that results in greater friction around data transfers between the UK and the EU could present a non-tariff trade barrier, putting the UK at a competitive disadvantage. It could also hinder police and security cooperation.

This is particularly relevant considering the estimate cited in the Department for Exiting the European Union’s government position paper that 75 percent of the UK’s cross-border data flows are with EU countries.

Full post: House of Lords publishes briefing on Data Protection Bill

The Spanish Data Protection Authority (AEPD) has imposed a fine of €1.2 million against Facebook following its investigation into whether Facebook’s data processing activities were in accordance with the Spanish Data Protection Act (Law 15/1999) (the Act).

In its decision, the AEPD concluded that Facebook had committed serious breaches of the Act, as discussed further below.

Processing sensitive personal data for advertising purposes without consent

The AEPD held that Facebook did not obtain its users’ consent for the collection of their sensitive personal data in accordance with the requirements of the Act, since the consent obtained was not valid, express and in writing.

It was noted that Facebook uses the preferences of its users to profile them based on their sensitive personal data, and to offer content in relation to that profile. However, Facebook did not establish a separate procedure for the treatment of sensitive personal data: prior consent was not requested, and all personal data was used for profiling for advertising purposes by default. For example, when configuring a user’s profile, the “Basic and Contact Information” section includes options to “add your religious beliefs” and “add your political ideology”. However, no express consent is requested by Facebook regarding the use of this information for advertising purposes, nor is the user informed at any stage that their data will be used for that purpose.

Full post: Spanish DPA fines Facebook €1.2 million for data protection infringements

In early 2016, a European Court of Human Rights (ECHR) case (Barbulescu v. Romania) attracted much publicity because it appeared to give employers the green light to read employees’ private emails (read our original commentary here). The decision in the original case has now been overturned by the Grand Chamber of the ECHR.

Background

The case concerned a Romanian national, Bogdan Mihai Bărbulescu. Mr Bărbulescu had been dismissed after his employer monitored his work-related Yahoo Messenger account and discovered that Mr Bărbulescu had used it for private communications, including messages to his brother and fiancée, which was in breach of the employer’s internal policies.

After unsuccessfully bringing employment claims in the Romanian courts, Mr Bărbulescu brought his case before the ECHR, claiming that Romania had failed to protect his Article 8 right under the European Convention on Human Rights in relation to respect for his private and family life, his home, and correspondence.

The Fourth Section of the ECHR dismissed Mr Bărbulescu’s claim; he then appealed to the Grand Chamber of the ECHR.

Full post: EU Case Confirms That Employers Do Not Have Carte Blanche For Workplace Monitoring

In her blog last week, the UK Information Commissioner, Elizabeth Denham, tackled the issue of consent under the GDPR. This blog, the second in a series to be published by the ICO, is intended to address some of the myths that have developed around the GDPR. The first blog looked at the ICO’s new fining powers under the GDPR.

The latest blog deals specifically with two myths that are creating uncertainty for organisations that want to be compliant under the GDPR.

Myth #1 – You must have consent if you want to process personal data.

The Commissioner notes that the rules around consent only apply if you are relying on consent as your basis for processing personal data. While consent is one way to comply with the GDPR, it is not the only way. There are, in fact, five other grounds for processing data lawfully under the GDPR, which apply where processing personal data is necessary:

  • For the performance of a contract with the data subject or to take steps to enter into a contract
  • To comply with a legal obligation
  • To protect vital interests of a data subject or another person
  • For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or
  • For the purposes of legitimate interests pursued by the controller or a third party

It is therefore not the case that you must have consent if you want to process personal data.

The Commissioner comments that the GDPR is instead raising the bar to a higher standard for consent. Pre-ticked opt-in boxes, for example, will no longer be valid, and data subjects must be provided with a straightforward way to withdraw their consent.

Full post: ICO confirms that consent is not the ‘silver bullet’ for GDPR compliance