Although considered burdensome by some, data protection impact assessments (DPIAs) help controllers assess any data protection implications of their processing operations, with the added benefit of demonstrating compliance with the EU General Data Protection Regulation (GDPR). The Article 29 Working Party (WP29) recently published Guidelines on DPIAs and on determining whether processing is “likely to
Article 29 Working Party
Article 29 Working Party issues guidance on data portability, DPOs and lead supervisory authorities
As we enter 2017, 2018 doesn’t seem that far away…and with the new General Data Protection Regulation (GDPR) due to come into effect from 25 May 2018, organisations are running out of time to ensure compliance with the new data protection requirements. It is therefore not surprising that the Article 29 Working Party (“Working Party”) is already issuing guidance.
Here, we discuss the Working Party’s recent guidelines on:
International Data Transfers Face Further Setbacks: MEPs and the EDPS Reject the Privacy Shield & the Adequacy Challenge Spreads to EU Model Clauses
The options available to EU organisations for lawfully transferring personal data from Europe to the United States appear to be dwindling. In particular, there have been further setbacks to the approval of the Privacy Shield and, separately, a new legal challenge to the validity of EU model contract clauses. For more information click here to…
Privacy Shield does not achieve adequacy of protection under current regime, say EU Data Protection Authorities
On 13 April, the Article 29 Data Protection Working Party (‘WP29’) published its opinion on whether the proposed Privacy Shield programme, which is intended to replace the now-invalid Safe Harbor pact for facilitating trans-Atlantic data flows, achieved an adequate level of protection. The WP29 acknowledged that many of the shortcomings of Safe Harbor have been addressed; however, they stated that “some key principles as outlined in European law are not reflected [in the Privacy Shield],” and went on to identify “strong concerns” and make a number of suggested improvements. The WP29’s opinion is not binding and it does not halt the process in the EU of formally approving the Privacy Shield, although, at the very least, the opinion will be grist to the mill for the Privacy Shield’s detractors.
Concerns identified: In its press release, WP29 calls on the European Commission to resolve its concerns to “ensure that the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU”. Specific concerns raised were: (1) lack of obligation on Privacy Shield organisations to delete data if no longer necessary (i.e., lack of detail on data retention); (2) the U.S. administration does not exclude the possibility of continued massive and indiscriminate collection of data; and (3) the Ombudsman role may lack sufficient powers to function effectively as an additional redress mechanism.
As well as these, the WP29 suggested that restraints on onward transfers by Privacy Shield organisations should be strengthened and clarified, particularly in relation to scope, purpose limitation and transfers to agents.
The CNIL sets expectations as to the ‘EU-U.S. Privacy Shield’ and starts implementing enforcement measures in case of Safe Harbor remediation default
The CNIL issued a press release on February 4, setting expectations concerning the “EU-U.S. Privacy Shield” work-in-progress. At the same time, it has switched to enforcement mode concerning Safe Harbor remediation failure.
Click here to read more in the issued Client Alert.
Article 29 Working Party updates its Opinion on applicable law
The Article 29 Working Party (WP29) has updated its Opinion on applicable law and has introduced a new ‘inextricable link’ test representing a new element to the existing ‘in the context of the activities of an establishment’ criteria. This updated Opinion follows the Court of Justice of the European Union’s (CJEU) judgment in the case of Google Spain.
The update addresses the territorial scope of the Data Protection Directive (95/46/EC) (the Directive), and is particularly relevant to search engine providers.
The Article 29 Working Party releases statement on Safe Harbor
On 16 October, the Article 29 Working Party released a statement (“Statement”) on the implications of the Court of Justice of the European Union’s (“CJEU”) judgment in Maximillian Schrems v Data Protection Commissioner (C-362-14). In that judgment, the CJEU invalidated the Safe Harbor regime, which for 15 years had been one of the main…
Privacy in financial markets, not to be ignored
The Article 29 Working Party published a letter it sent to the European Commission urging it to consider the data protection and privacy issues when adopting the secondary regulations (‘Regulations’) necessary to implement two European Union financial services laws.
These Regulations are required as part of the implementation of the EU Markets in Financial Instruments Directive (‘MiFID’) and the EU Market Abuse Regulation (‘MAR’). According to the Article 29 Working Party, the Regulations (known as delegated acts and implementing measures), do not effectively deal with privacy concerns. The Article 29 Working Party is concerned that key privacy principles such as proportionality and necessity, data retention limitation and transparency, and the future data protection regulation, appear to have been ignored.
APEC and Article 29 Working Party cooperation helps facilitate growth of BCRs and CBPRs
In late May, the Article 29 Working Party published the letter it sent to the APEC Data Protection subgroup. The letter follows previous discussions and extends cooperation between the two international organisations on data transfer mechanisms, and sets out new plans to align the EU Binding Corporate Rules (‘BCR’) with the APEC Cross-Border Privacy Rules (‘CBPR’) to make it easier for organisations to be granted approval under both regimes.
Three initiatives put forward at the previous meeting were adopted by the Art. 29 Working Party to ‘develop the practical tools that will help organisations implement both requirements from the BCR and CBPR systems’. Both processes currently take significant time and resources to achieve, so the continued relationship between the EU and APEC will benefit organisations certified, or seeking certification, to BCRs and CBPRs. Despite this cooperation, no uniform standard will be produced, and organisations will still need to go through each certification process separately.
Article 29 Working Party publishes opinion on draft Data Protection Regulation
Following adoption by the EU Council of the draft General Data Protection Regulation (the ‘draft Regulation’) in June, the Article 29 Working Party has published an opinion based on draft proposals set out by the various EU institutions, and which is likely to be referred to during the trilogue negotiations currently underway.
The opinion follows publication of the Council’s general approach and sets out a common position taken by the Working Party on the various key topics within the draft Regulation, including the definitions, scope of application, main principles, data subjects’ rights, power of authorities and governance model.
The Working Party are keen to ensure that this new regulatory framework does not lower the existing levels of data protection, nor undermine the existing data protection principles provided for within the Data Protection Directive.