Tag Archive: Big Data

EU – First GDPR Guidance published by Article 29 WP

The Article 29 Working Party (‘WP29’) has issued its first guidance on GDPR topics. This guidance (including FAQs) relates to:

  • the right to Data Portability;
  • Data Protection Officers (DPO); and
  • the Lead Supervisory Authority.

Whilst WP29 announced that more opinions and guidance will follow – for example, guidelines on Data Protection Impact Assessments and Certification will be ready in 2017 – the first three guidelines already provide a first glimpse of WP29’s view on GDPR topics.

Guidelines on the right to Data Portability

In article 20 GDPR, a new right to data portability is created. This right aims at empowering data subjects regarding their own personal data as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another. The WP29 opinion provides guidance on the way to interpret and implement the right to data portability. It clarifies the conditions under which this new right applies and also provides concrete examples and criteria to explain the circumstances in which this right applies.

From this opinion it appears for example that:

  • this right is only applicable if the legal basis of the data processing is the data subject’s consent or the necessity to perform a contract;
  • this right is limited to personal data provided by the data subject (including personal data that relate to the data subject activity or result from the observation of an individual’s behaviour but not subsequent analysis of that behaviour);
  • data controllers must inform the data subjects regarding the availability of the new right to portability (e.g. WP29 recommends that data controllers always include information about the right to data portability before any account closure);
  • data controllers are encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.

The WP29 Guidelines on Data Portability can be found here.

Guidelines on Data Protection Officers

Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. From the WP29 guidelines it becomes clear that DPOs are not personally responsible in case of non-compliance with the GDPR.

WP29 also provides some further details and concrete examples on when a DPO must be appointed. For example, it states that the ‘core activities of the controller or processor’ (which trigger the appointment of a DPO as set out in Article 37 GDPR) refers to the key operations necessary to achieve the controller’s or processor’s goals, which can also be part of other activities (e.g. a hospital processing patient data).

Article 37 GDPR does not require the DPO to be someone working within the controller or processor; the DPO can also be a third party. However, WP29 does state that the ‘personal availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential’, in order to ensure that data subjects will be able to contact the DPO.

WP29 states that the DPO should be involved in all issues relating to the protection of personal data, from the earliest stage possible.

In its guidelines, WP29 further defines the (independent) position and tasks of the DPO.

The WP29 guidelines on the DPO can be found here.

Guidelines on the Lead Supervisory Authority

In its third opinion, WP29 provides guidelines for identifying a controller or processor’s lead supervisory authority. This topic is relevant where a controller or processor is carrying out the cross-border processing of personal data.

In accordance with Article 56 GDPR, WP29 states that identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU. In principle, for the controller this will be the place of its central administration. However, WP29 makes it very clear that there can be situations where more than one lead authority can be identified, i.e. where a controller has separate decision-making centres, in different countries, for different processing activities. The example given by WP29 relates to a bank whose banking decisions are made in one jurisdiction, where its HQ is also based, but whose insurance division is based in another jurisdiction. In that case, there are two supervisory authorities.

In its guidelines, WP29 provides further criteria on how to identify the main establishment in cases where it is not the place of central administration in the EU.

Controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.

The WP29 Guidelines on the Lead Supervisory Authority can be found here.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/eu-first-gdpr-guidance-published-by-article-29-wp/

EU – The right to be forgotten and the role of the Companies Registry

On 8 September 2016, Advocate General Bot released his opinion on the “Camera di Commercio Industria, Artigianato e Agricoltura di Lecce v. Salvatore Manni” case, C-398/15 (“Manni Case”). If confirmed by the European Court of Justice, the opinion will no doubt shed further light on the construction of the right to be forgotten.

Background

The original plaintiff, Salvatore Manni, is an Italian citizen and former sole director of a building company which went bankrupt. The information about the building company’s bankruptcy and its then sole director had been permanently stored in the Companies Registry (Registro delle Imprese) held by the local Chamber of Commerce (Camera di Commercio), even though the company had been liquidated. Mr Manni claimed that third-party access to the above data jeopardized certain sales of real estate, and accordingly requested the Companies Registry to anonymize his data or restrict access to the same Registry. The Chamber of Commerce countered that the Companies Registry is a public database with a specific obligation to provide to everyone (upon specific request) the companies’ main information. The case escalated up to the Italian Supreme Court (Corte Suprema di Cassazione), which referred the issue to the ECJ, asking whether certain personal information (legally) made available by the Companies Registry should after a certain time be erased, or anonymized, or restricted to a limited number of third parties.

The Advocate General’s Conclusions

According to the Advocate General, all Companies Registry data should be made available with no restriction. Indeed, the Company Law Directive 68/151 requires Member States to take all necessary measures to ensure the compulsory disclosure by a company of a limited set of information and documents, including general details of the legal representatives.

The fundamental function of the Companies Registry is to provide a complete picture of the life and history of a company, allowing anyone to read the information at any time. While acknowledging that any derogation from a (fundamental) data protection right should be limited to what is strictly necessary, the Advocate General stressed that allowing a public Companies Registry to keep track of the whole life of a company (even when such company no longer exists) would not be disproportionate, also considering that the information is very limited (i.e. the name of the individuals that had the power to represent the company) and that certain rights may be exercised even after the company has ceased to operate (for instance, actions against the liquidators). The Registry does not play a merely statistical role; it safeguards legal certainty as a means to encourage market transactions, including through information about who represented a certain company over a certain period of time. While Directive 68/151 does not provide for a period of time after which certain information must be erased, the Advocate General added that it should also not be for the Registry to determine when such information should be restricted or anonymized, as this would otherwise add a discretionary assessment of the legitimate interests of the parties involved, with obvious risks of uneven decisions from the various public Registries.

The Right to be Forgotten is not Absolute

The Advocate General’s analysis echoes the ruling in the Google Spain Case, confirming that the right to be forgotten is not absolute and should be balanced against other fundamental rights, such as freedom of expression or – as in the Manni Case – the interest of third parties in obtaining information on particular persons who held a key position in a company. The right to be forgotten will still require a case-by-case assessment, taking into account the specific type of information, its sensitivity for the individual’s private life, as well as the interest of the public in having access to that information and the role played by the data subject.

In this case, the essence is that a Companies Registry is not a broadly disseminated newspaper or a social media platform, and it should be treated accordingly. It is a public registry, aimed at facilitating certain fundamental economic transactions. It is true that, by entering a specific enquiry with the Companies Registry, it is possible to gather the information that a certain individual was the sole administrator of a bankrupt company, and this information may, from the perspective of a potential buyer, be a determining factor in completing a certain purchase. However, the fact of associating, in a public Registry, a certain person holding a specific office with a company that was declared bankrupt is not per se derogatory for such person. A bankruptcy may be due to many factors, including external market trends.

Although the Advocate General took into account the balance between the Company Law Directive (68/151) and the Data Protection Directive (95/46), his views would also stand under the right to be forgotten as devised by Article 17 of the European General Data Protection Regulation, which among other things also confirms that the right to be forgotten does not apply for the purposes of archiving in the public interest.

For further information on this opinion, see also here from Cristina Ulessi. It will no doubt be very interesting to review the ECJ’s final position.

@giangiolivi

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-right-to-be-forgotten-and-the-role-of-the-companies-registry/

ITALY – “Digital Authorities” Round Table, University of Milan, 22 May 2015

Follow us on Friday 22 May 2015 at the University of Milan, with the main experts of our Italian “Digital Authorities” – Giuseppe Galasso (Director Communications – AGCM), Benedetta Liberatore (Director Audiovisual Services – AGCOM) and Luigi Montuori (Director Communications and Electronic Networks – Data Protection Authority), together with Marco Cuniberti (UNIMI) and Giangiacomo Olivi (DLA Piper).

We will be discussing the regulatory challenges for digital media and new technologies, including the latest regulations on cookies and the consultation on IoT launched by the Italian Data Protection Authority. We look forward to seeing you at 2:30 PM, Sala Napoleonica of the University of Milan, via Sant’Antonio 2. The entrance is free, but please register with infomaster.giurisrprudenza@unimi.it. See you soon!

@giangiolivi

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/italy-digital-authorities-round-table-university-of-milan-22-may-2015/

European Data Protection Supervisor launches its 2015-2019 strategy

By Patrick Van Eecke

The European Data Protection Supervisor (EDPS) launched its data protection strategy, summarizing it in three strategic objectives and 10 accompanying measures for the next five years.

The EDPS stated that it is a crucial moment for data protection, a period of unprecedented change and political importance, not only in the EU but globally.

1. Data protection goes digital

  • Promoting technologies to enhance privacy and data protection;
  • Identifying cross-disciplinary policy solutions;
  • Increasing transparency, user control and accountability in big data processing.

2. Forging global partnerships

  • Developing an ethical dimension to data protection;
  • Speaking with a single EU voice in the international arena;
  • Mainstreaming data protection into international policies.

3. Opening a new chapter for EU data protection

  • Adopting and implementing up-to-date data protection rules;
  • Increasing accountability of EU bodies collecting, using and storing personal information;
  • Facilitating responsible and informed policymaking;
  • Promoting a mature conversation on security and privacy.

Special attention will be given by the EDPS to the data protection challenges of cloud computing, big data analytics, the internet of things and techniques for electronic mass surveillance.

The strategy can be consulted at the EDPS website.

For more information about the strategy and its impact, please contact Patrick Van Eecke (patrick.vaneecke@dlapiper.com)

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/european-data-protection-supervisor-launches-its-2015-2019-strategy/

GLOBAL: Internet of Things – Top ten data protection concerns

As we discussed in our previous posts, there are a number of positive trends that make the Internet of Things a long-lasting evolution. Hardware is improving, there is an increasing understanding from the industry of the benefits that can be drawn from harmonization and interoperability, customers increasingly expect to control appliances, whilst third- and fourth-generation communications are making connections between “things” a lot easier. All this is causing an exponential increase in data processing. After all, the Internet of Things is about big data, and how such data are processed remains a cause for concern. Here are the top 10 privacy and data protection concerns.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/global-internet-of-things-top-ten-data-protection-concerns/

Join us – Media & Entertainment Webinars – “Second Screen” – Tuesday 28 October @3:00 PM GMT (4:00 PM CET)

Join us on Tuesday 28 October from 4:00 PM to 5:00 PM CET, for a new session of our free Webinars. This session will focus on “Second Screen”.

Second Screen, Social TV and other enhanced broadcasting applications have become increasingly popular. They are changing the Media & Entertainment market, introducing new measurement metrics and allowing the implementation of sophisticated applications and services. What are the current technology and commercial trends? What broadcasting and data protection regulatory issues arise?

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/join-us-media-entertainment-webinars-second-screen-tuesday-28-october-300-pm-gmt-400-pm-cet/

Big Data, Big Privacy Issues

By Patrick Van Eecke & Mathieu Le Boudec

Last week, a resolution on big data was adopted under the auspices of the 36th International Conference of Data Protection and Privacy Commissioners (hereafter: “ICDPPC”). After earlier guiding documents released this year by, among others, the Executive Office of the President of the United States, the Information Commissioner’s Office (UK), the Working Party 29 and the European Data Protection Supervisor, this resolution is yet another confirmation of the attention big data gets from regulators worldwide.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/big-data-big-privacy-issues/