Article 29 Working Party

The Article 29 Working Party (WP29) adopted, on 11 April 2018, finalized guidelines on transparency (the Guidelines) under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), following its public consultation.

Technology Law Dispatch looked at the draft guidance on transparency earlier this year, so this blog focuses on the key issues and what is new in the final guidelines.

Information being “intelligible”

The updated guidelines link the requirement for information to be intelligible, in plain and clear language, to the accountability principle. The guidelines now state that an “accountable data controller will have knowledge about the people they collect information about and it can use this knowledge to determine what that audience would likely understand.” This includes, for example, assuming that working professionals have a higher understanding of certain issues than children or non-specialists. In other words, the data controller is expected to tailor its notices and information to the relevant audience. The final guidelines also suggest mechanisms by which controllers can test their interfaces, notices and policies for intelligibility and transparency, including the use of industry groups, consumer advocacy groups, readability tests and regulatory bodies.

Continue Reading Article 29 Working Party adopts finalized guidelines on transparency under GDPR

The Article 29 Working Party (WP29) discussed a number of important issues during its April plenary meeting on 17 April 2018. In its summary press release, the WP29 gave an update on the issues it discussed.

Implementation of the General Data Protection Regulation (GDPR) and adopted guidelines

WP29 formally adopted guidelines on consent and transparency following a six-week public consultation. WP29 also formally adopted revised Binding Corporate Rules application forms, an updated working document on the Binding Corporate Rules approval procedure and revised guidelines on the GDPR urgency procedure.

WP29 also highlighted that it had adopted a position paper on GDPR Article 30(5). GDPR Article 30(5) generally exempts organisations employing fewer than 250 people from having to keep records of personal data processing.

WP29 further stated that it will continue working on guidelines about GDPR certification, territorial scope and codes of conduct.

It was also stated that WP29 has been granted a mandate to develop guidance in relation to GDPR Article 6(1)(b) in the context of the provision of ‘free’ online services. GDPR Article 6(1)(b) enables organisations to process personal data where such processing is necessary for the performance of a contract to which a data subject is party.

WP29 also discussed the European Data Protection Board and how its rules of procedure, budget, technical set-up and meetings timetable for 2019 will be structured.
Continue Reading Article 29 Working Party update on GDPR implementation

Recently, the European Commission endorsed draft horizontal provisions for cross-border data flows and personal data protection in trade agreements. Because the protection of personal data is a fundamental right, it is not something that can be the subject of negotiation in EU trade deals.

Relatedly, the Article 29 Working Party (A29WP) consultation on the guidelines under Article 49 of the General Data Protection Regulation (GDPR) concerning cross-border data transfer derogations has closed, paving the way for the guidance to be finalised and issued later this year.

Cross-border data flows

Cross-border data flows are key to most organisations; they include transferring employee information, sharing financial details for online transactions, and analysing individuals’ browsing habits to serve them targeted advertisements.

The European Commission is seeking to break down barriers to the flow of data between businesses in future trade deals as part of its push towards a more digital economy, while at the same time safeguarding these key fundamental data protection principles. The preferred approach for facilitating the ongoing trade negotiations and legitimising cross-border data flows is the ‘adequacy decision’, by which the European Commission (the Commission) determines that a third country (one outside the European Economic Area) provides a level of protection that is adequate when compared with the data protection laws of the EU.
Continue Reading European Commission approves provisions for cross-border data flows while consultation on GDPR Article 49 guidance closes

During an Article 29 Working Party (WP29) press conference on 7 February 2018, the outgoing chair and French privacy chief, Isabelle Falque-Pierrotin, expressed concern that EU data protection authorities (DPAs) may not be able to enforce the General Data Protection Regulation (GDPR) effectively and in a unified manner, in accordance with the consistency mechanism, by 25 May 2018.

On 25 May 2018, the WP29 will be replaced by the European Data Protection Board (EDPB), which will invoke the consistency mechanism to streamline the enforcement of data protection laws throughout the region. According to Falque-Pierrotin, 26 of the 28 EU member states (with Germany and Austria being the exceptions) have yet to align their national laws with the GDPR. This is concerning because if one member state’s supervisory authority is unable to take part in the consistency mechanism, the whole system of regulation and enforcement under the GDPR could be undermined.
Continue Reading Will EU data protection authorities’ ‘consistency mechanism’ be ready in time for the GDPR?

With less than three months until the General Data Protection Regulation 2016/679 (GDPR) comes into effect on 25 May 2018, the Article 29 Working Party (WP29) has published revised guidelines on personal data breach notification (Guidelines). You may well remember our recent blog covering the Guidelines when the WP29 issued its initial guidance on 3 October 2017.

The revised Guidelines are largely similar, so in this blog, we provide a recap of the Guidelines regarding personal data breach notification requirements under GDPR.

Personal data breach

The WP29 explains that a personal data breach – that is, a breach of security that could lead to the loss, destruction, damage or unauthorised disclosure of, or access to, personal data – can be categorised as follows:

  1. Confidentiality breach: unauthorised or accidental disclosure or access to personal data.
  2. Integrity breach: unauthorised or accidental alteration of personal data.
  3. Availability breach: accidental or unauthorised loss of access or destruction of personal data.

Continue Reading Article 29 Working Party issues revised guidance on personal data breach notification

On 28 November 2017, the Article 29 Working Party (‘WP29’) published a working document updating its previous guidance on transfers of personal data to third countries (WP12) (the ‘WP29 Document’). WP29 has reviewed its earlier guidance in the context of the General Data Protection Regulation (‘GDPR’) and recent case law of the European Court of Justice (‘CJEU’).

The WP29 Document only deals with Chapter 1 of WP12 and focuses solely on adequacy decisions. Chapters 2 and 3 of WP12 will be updated at a later stage. The WP29 Document is currently open for consultation and comments should be submitted by 17 January 2018.

The updated guidance consists of four chapters, the key points of which are discussed below.

Continue Reading Article 29 Working Party publishes updated guidance on adequacy referential

The Article 29 Working Party (WP29) has published updated guidelines on Binding Corporate Rules (BCRs) to reflect the requirements set out in the General Data Protection Regulation (GDPR). The two documents, which replace previous WP29 working papers (WP 153 and WP 195) and remain open for public consultation until January 17, 2018, are:

(i) Working Document setting up a table with the elements and principles to be found in Binding Corporate Rules (WP 256)

(ii) Working Document setting up a table with the elements and principles to be found in Processor Binding Corporate Rules (WP 257)

The two documents include tables setting out the elements and principles to be included in controller BCRs and processor BCRs. These tables have been amended specifically to:

  • Meet the requirements of Article 47 GDPR
  • Clarify the necessary content of BCRs as stated in Article 47 GDPR
  • Make the distinction between what must be included in BCRs and what must be presented to the competent supervisory authority in the BCRs application
  • Give the principles the corresponding text references in Article 47 GDPR (for controller BCRs)
  • Provide further guidance on each of the requirements

Both documents note that Article 47 GDPR is clearly modelled on the working documents relating to BCRs previously adopted by WP29. However, to ensure compatibility with the GDPR, Article 47 does specify new requirements that must be considered when adopting new BCRs or updating existing ones.
Continue Reading Article 29 Working Party issues new guidelines for Binding Corporate Rules

On 3 October 2017, the Article 29 Working Party (“WP29”) published draft guidelines on personal data breach notification (“Guidelines”) under the General Data Protection Regulation 2016/679 (“GDPR”). In this blog, we look at some of the key concepts that are considered in the Guidelines regarding the mandatory breach notification and communication requirements of the GDPR.

What is a personal data breach?

Article 4(12) of the GDPR broadly defines a personal data breach as a breach of security that could lead to the loss, destruction, damage or unauthorised disclosure of, or access to, personal data. WP29 explains that security breaches can be categorised into the following three types:

  • Confidentiality breach: unauthorised or accidental disclosure or access to personal data
  • Integrity breach: unauthorised or accidental alteration of personal data
  • Availability breach: unauthorised or accidental loss of access or destruction of personal data

WP29 notes that an availability breach may be less obvious. Where, however, there has been a permanent loss or destruction of personal data, this will always qualify as an availability breach.

When do you need to notify the supervisory authority?

Article 33(1) of the GDPR requires controllers to notify a personal data breach to the supervisory authority within 72 hours after having become aware of it.

WP29 considers that a controller becomes “aware” when it has a reasonable degree of certainty that a security incident has occurred that led to personal data being compromised. For example:

  • Loss of unencrypted CD – controller becomes aware when it realises the CD is lost despite not knowing if unauthorised persons gained access to the data
  • Third party informs controller they have accidentally received a customer’s personal data – controller becomes aware as soon as it has been informed
  • Cybercriminal contacts controller with ransom demand after hacking its system – controller becomes aware immediately

Continue Reading Article 29 Working Party publishes guidelines on personal data breach notification

On 17 October 2017, the Article 29 Working Party (“Art 29 WP”) published draft guidelines on automated individual decision-making and profiling (“Guidelines”).

In the Guidelines, the Art 29 WP states that profiling and automated decision-making can be useful for individuals and organisations by delivering increased efficiencies and resource savings, whilst recognising that they may pose significant risks for individuals unless appropriate safeguards are put in place.

The Guidelines clarify the provisions of the General Data Protection Regulation (“GDPR”) that aim to address these risks.

What is the difference between automated decision-making and profiling?

The Guidelines distinguish between automated decision-making and profiling.

Automated decision-making refers to the ability to make decisions by technological means without human involvement. Profiling, on the other hand, entails collecting data about an individual and analysing their characteristics or behaviour patterns in order to categorise them and/or make predictions or assessments about their (i) ability to perform a task; (ii) interests; or (iii) likely behaviour.

While the Art 29 WP notes that automated decisions and profiling are distinct, it recognises that something that starts off as a simple automated decision-making process could become one based on profiling, depending on how the data is used.
Continue Reading Article 29 Working Party publishes guidelines on automated individual decision making and profiling

This week, it was officially announced that South Korea has become the fifth country to join the Asia-Pacific Economic Cooperation’s (APEC) Cross Border Privacy Rules (CBPR) system. This system was developed by APEC in 2011 to “build consumer, business and regulator trust in cross border flows of personal information” and thus facilitate e-commerce among APEC countries. The Ministry of Interior and the Korea Communications Commission stated on Monday that approval for joining the CBPR had been secured. In order for countries to opt in to the system, their legal systems and privacy protection must meet APEC’s standards.

APEC is an economic forum made up of countries throughout the Asia-Pacific region. APEC’s importance should be noted: its 21 member economies account for 54 per cent of the world’s GDP and 40 per cent of world trade. It exists to assist trade through faster customs procedures and initiatives to synchronise regulatory systems across its member countries. The CBPR is a voluntary, accountability-based system that facilitates the safe transfer of personal information across the APEC region.

Continue Reading South Korea joins APEC’s Cross Border Privacy Rules system