Tag Archive: eu regulations

EU – First GDPR Guidance published by Article 29 WP

The Article 29 Working Party (‘WP29’) has issued its first guidance on GDPR topics. This guidance (including FAQs) relates to:

  • the right to Data Portability;
  • Data Protection Officers (DPO); and
  • the Lead Supervisory Authority.

Whilst WP29 announced that more opinions and guidance will follow – for example, guidelines on Data Protection Impact Assessments and Certification will be ready in 2017 – the first three guidelines already offer a first glimpse of WP29’s view on GDPR topics.

Guidelines on the right to Data Portability

In article 20 GDPR, a new right to data portability is created. This right aims at empowering data subjects regarding their own personal data as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another. The WP29 opinion provides guidance on the way to interpret and implement the right to data portability. It clarifies the conditions under which this new right applies and also provides concrete examples and criteria to explain the circumstances in which this right applies.

From this opinion it appears for example that:

  • this right is only applicable if the legal basis of the data processing is the data subject’s consent or the necessity to perform a contract;
  • this right is limited to personal data provided by the data subject (including personal data that relate to the data subject activity or result from the observation of an individual’s behaviour but not subsequent analysis of that behaviour);
  • data controllers must inform the data subjects regarding the availability of the new right to portability (e.g. WP29 recommends that data controllers always include information about the right to data portability before any account closure);
  • data controllers are encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.

The WP29 Guidelines on Data Portability can be found here.

Guidelines on Data Protection Officers

Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. From the WP29 guidelines it becomes clear that DPOs are not personally responsible in case of non-compliance with the GDPR.

WP29 also provides further details and concrete examples on when a DPO must be appointed. For example, it states that the ‘core activities of the controller or processor’ (which trigger the appointment of a DPO as set out in Article 37 GDPR) refers to the key operations necessary to achieve the controller’s or processor’s goals, which can also be part of other activities (e.g. a hospital processing patient data).

Article 37 GDPR doesn’t require the DPO to be someone working within the controller or processor; the DPO can also be a third party. However, WP29 does state that the ‘personal availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential’, in order to ensure that data subjects will be able to contact the DPO.

WP29 states that the DPO should be involved in all issues relating to the protection of personal data, from the earliest stage possible.

In its guidelines, WP29 further defines the (independent) position and tasks of the DPO.

The WP29 guidelines on the DPO can be found here.


Guidelines on the Lead Supervisory Authority

In its third opinion, WP29 provides guidelines for identifying a controller or processor’s lead supervisory authority. This topic is relevant where a controller or processor is carrying out the cross-border processing of personal data.

In accordance with Article 56 GDPR, WP29 states that identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU. In principle, for the controller this will be the place of its central administration. However, WP29 makes it very clear that there can be situations where more than one lead authority can be identified, e.g. where a controller has separate decision-making centres, in different countries, for different processing activities. The example given by WP29 relates to a bank whose banking decisions are made in one jurisdiction, where its HQ is also based, but whose insurance division is based in another jurisdiction. In that case, there are two supervisory authorities.

In its guidelines, WP29 provides further criteria on how to identify the main establishment in cases where it is not the place of central administration in the EU.

Controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.

The WP29 Guidelines on the Lead Supervisory Authority can be found here.


Permanent link to this article: http://blogs.dlapiper.com/privacymatters/eu-first-gdpr-guidance-published-by-article-29-wp/

EUROPE: ECJ – Dynamic IP addresses may constitute personal data

By Jan Pohle and Jan Spittka

In its landmark decision in the case Breyer v. Federal Republic of Germany (decision dated 19 October 2016, case number C-582/14), the European Court of Justice (ECJ) not only ended the long and tricky debate over whether dynamic IP addresses constitute personal data even if the data controller processing the IP addresses does not hold the means to link them to the respective data subject. The court also concluded that the provisions of German law dealing with the processing of personal data in the online environment do not comply with the EU Data Protection Directive (Directive 95/46/EC), as these provisions do not provide for a statutory permission to process personal data based on a balancing of interests between the legitimate interests of the data controller and the interests of the data subjects.


Background

The case was referred to the ECJ by the German Federal Court of Justice (Bundesgerichtshof – “BGH“). The claimant, Mr. Breyer, had sued the German Federal Department of Justice and Consumer Protection (Bundesministerium für Justiz und Verbraucherschutz – “BMJV“) to stop the registration and storage of his dynamic IP address after visiting the BMJV’s websites. The BMJV argued that IP addresses have to be retained after the end of the visit to the website in order to protect itself against cyberattacks. The BGH asked the ECJ whether dynamic IP addresses constitute personal data with respect to an “online media service provider” (i.e. the operator of a website) if only a third party (here the internet service provider) holds the additional data necessary to identify a visitor of this website. Furthermore, the BGH asked whether the operator of a website may collect and subsequently use visitors’ personal data in order to ensure the general operability of its website.

Ruling of the ECJ

The ECJ decided that a dynamic IP address not only constitutes personal data with respect to the internet service provider (which in any case has the means to link the IP address to the individual behind the address), but also with respect to the operator of a website, if this website operator has legal means to identify the visitor with the help of additional information from the visitor’s internet service provider. The ECJ confirmed this with respect to German law. Although the operator of a website does not have any direct claims against an internet service provider to provide the name of an individual behind an IP address, the court found it sufficient if the website operator can obtain the information required to identify the visitor of the website from the internet provider via a competent authority which requests the information to prepare criminal proceedings, e.g. in the event of cyberattacks. As a consequence, the processing of IP addresses by website operators is subject to, and has to comply with, the applicable member state data protection requirements.

Beyond this specific case, the ECJ has provided sufficient tools to determine whether information constitutes personal data if the information cannot be directly linked to an individual, but only by using additional information which is held by a third party. According to the ECJ, this is not the case if the identification of the data subject is

  • prohibited by law or
  • practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant.

The classification of dynamic IP addresses as personal data required the ECJ to take a closer look at the German data protection rules dealing with the processing of personal data in the online environment. Currently applicable law allows the processing of personal data without the data subject’s consent only in specific, exhaustively listed cases. A general provision which provides for the possibility of a balancing of interests in a particular case is not included. According to the ECJ, this lack of a statutory permission is not compliant with Article 7 lit. f) of the Data Protection Directive. This finding also has a fundamental impact going beyond the case at hand, as all member state data protection laws now have to be reviewed as to whether they allow for a balancing of interests, at least in individual cases.

Conclusion

The decision of the ECJ forces all operators of websites, irrespective of whether they are public administration or private businesses, to review the collection, processing and use of IP addresses in connection with their websites. However, the ECJ has also strengthened IT security as it pointed out that member state law has to provide for the possibility to process personal data without consent for cybersecurity purposes.

Jan Spittka and Jan Pohle

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/ecj-dynamic-ip-addresses-constitute-personal-data-and-german-law-not-compliant-with-data-protection-directive-by-jan-spittka-and-jan-pohle/

ITALY (and EU): New Data Protection Regulation and Outsourcing Contracts: good news for data sub-processing!

There has been a lot of talk about the new EU Data Protection Regulation, but there remains one issue that has not yet been addressed by many commentators. According to the new Regulation, it will be possible to appoint sub-processors, provided that: (i) the data controller grants its written consent (which can be general or specifically addressed to one or more sub-processors), and (ii) the processor imposes on the sub-processors the same data processing obligations that the processor has undertaken towards the data controller.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/italy-and-eu-new-data-protection-regulation-and-outsourcing-contracts-good-news-for-data-sub-processing/

EUROPE: EU Commissioner Reding introduces her Eight Principles of Data Protection

By Patrick Van Eecke

On Data Protection Day, EU Commissioner Viviane Reding introduced the so-called “Data Protection Compact”, her 8 principles of Data Protection that should govern the way personal data is processed by the public and the private sector.


Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-eu-commissioner-reding-introduces-her-eight-principles-of-data-protection/

EUROPE: Focus on new Regulation No. 611/2013 detailing notification procedures for providers of publicly-available electronic communications services in the event of a personal data breach

By Carol Umhoefer & Mathilde Hallé

On June 24, 2013, the European Commission enacted Regulation No. 611/2013 “on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC on privacy and electronic communications”.

Article 4, paragraph 3 of Directive 2002/58/EC (as amended by Directives 2006/24/EC and 2009/136/EC) provides that, in case of personal data breach, any provider of publicly available electronic communications services shall notify (i) the competent national authority and (ii) any individual when the breach is likely to adversely affect personal data or privacy.

Regulation No. 611/2013 clarifies providers’ obligations by detailing the requirements for notification procedures:

  • Notification to the national competent authority shall be delivered within 24 hours of the detection of the breach, if possible.

The notification must indicate in particular: (i) identification details of the provider, (ii) information on the nature, circumstances and potential effects of the breach (including an estimate of the number of individuals likely to be impacted), (iii) the protective measures already implemented or proposed by the provider to remedy the breach, (iv) information on the possible additional notification to individuals, and (v) possible cross-border issues.

If certain information cannot be provided within the 24-hour period, a second notification shall be delivered within 3 days of the first notification.

Competent national authorities must implement a secure electronic means for providers to send notifications.

  • Notification to individuals shall be delivered without undue delay after the detection of the breach.

The notification must indicate in particular: (i) identification details of the provider, (ii) information on the nature, circumstances and likely consequences of the breach, (iii) the protective measures already implemented by the provider to remedy the breach and those that the provider recommends the individual implement to mitigate losses.

This notification shall be delivered by any appropriately secured means of communication that ensures prompt receipt.

This notification is not required, in particular, where the provider has demonstrated to the satisfaction of the competent national authority that it has implemented appropriate technological protection measures to render the data concerned by the breach unintelligible to any unauthorised third party.

As an example, in 2011 France implemented Article 4, paragraph 3 of Directive 2002/58/EC into Article 34 bis of the French Data Protection Act. Other requirements included in Regulation No. 611/2013 were adopted in France by Decree No. 2012-436, dated March 30, 2012. Further to the enactment of Regulation No. 611/2013, the French data protection authority, the CNIL, has created a dedicated page on its own website enabling providers to file notifications online, if needed.

Should you have any further questions regarding the above, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com) or Mathilde Hallé (mathilde.halle@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-focus-on-new-regulation-no-6112013-detailing-notification-procedures-for-providers-of-publicly-available-electronic-communications-services-in-the-event-of-a-personal-data-breach/