Tag Archive: WP29

EU – First GDPR Guidance published by Article 29 WP

The Article 29 Working Party (‘WP29’) has issued its first guidance on GDPR topics. This guidance (including FAQs) relates to:

  • the right to Data Portability;
  • Data Protection Officers (DPO); and
  • the Lead Supervisory Authority.

Whilst WP29 announced that more opinions and guidance will follow – for example, guidelines on Data Protection Impact Assessments and Certification will be ready in 2017 – the first three guidelines already provide a first glance on WP29’s view on GDPR topics.

Guidelines on the right to Data Portability

In article 20 GDPR, a new right to data portability is created. This right aims at empowering data subjects regarding their own personal data as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another. The WP29 opinion provides guidance on the way to interpret and implement the right to data portability. It clarifies the conditions under which this new right applies and also provides concrete examples and criteria to explain the circumstances in which this right applies.

From this opinion it appears for example that:

  • this right is only applicable if the legal basis of the data processing is the data subject’s consent or the necessity to perform a contract;
  • this right is limited to personal data provided by the data subject (including personal data that relate to the data subject activity or result from the observation of an individual’s behaviour but not subsequent analysis of that behaviour);
  • data controllers must inform the data subjects regarding the availability of the new right to portability (e.g. WP29 recommends that data controllers always include information about the right to data portability before any account closure);
  • data controllers are encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.

The WP29 Guidelines on Data Portability can be found here.

Guidelines on Data Protection Officers

Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. From the WP29 guidelines it becomes clear that DPOs are not personally responsible in case of non-compliance with the GDPR.

WP29 also provides some further details and concrete examples on when a DPO must be appointed. For example it states that ‘core activities of the controller or processor’ (which triggers the appointment of a DPO as set out in Article 37 GDPR)  refers to  the key operations necessary to achieve the controller’s or processor’s goals, which can also be part of other activities (e.g. a hospital processing patient data).

Article 37 GDPR doesn’t require that the DPO is someone working within the controller or processor, this can also be a third party. However, WP29 does state that the ‘personal availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential’, such in order to ensure that data subjects will be able to contact the DPO.

WP29 states that the DPO should be involved in all issues relating to the protection of personal data, such from the earliest stage possible.

In its guidelines, WP29 further defines the (independent) position and tasks of the DPO.

The WP29 guidelines on the DPO can be found here.


Guidelines on the Lead Supervisory Authority

In its third opinion, WP29 provides guidelines for identifying a controller or processor’s lead supervisory authority. This topic is relevant where a controller or processor is carrying out the cross-border processing of personal data.

In accordance with Article 56 GDPR, WP29 states that identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU. In principle, for the controller this will be the place of its central administration. However, WP29 makes it very clear that there can be situations where more than one lead authority can be identified, i.e. a controller has separate decision making centres, in different countries, for different processing activities. The example given by WP29 relates to a bank, whose banking decisions are made in one jurisdiction where also HQ is based, but whose insurance division is based in another jurisdiction. In that case, there are two supervisory authorities.

In its guidelines, WP29 provides further criteria on how to identify the main establishment in cases where it is not the place of central administration in the EU.

Controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.

The WP29 Guidelines on the Lead Supervisory Authority can be found here.




Permanent link to this article: http://blogs.dlapiper.com/privacymatters/eu-first-gdpr-guidance-published-by-article-29-wp/

EUROPE: The Applicability Of EU Data Protection Laws To Non-EU Businesses

By Carol Umhoefer (Carol.Umhoefer@dlapiper.com) and Caroline Chancé (Caroline.Chance@dlapiper.com).

This article first appeared in E-Commerce Law and Policy – volume 18 issue 03 (March 2016).

On 16 December 2015, the Article 29 Data Protection Working Party (“WP29”) updated their Opinion 8/2010[1] on applicable law in light of the landmark decision Costeja v. Google[2] rendered by the Court of Justice of the European Union (“ECJ”) on 13 May 2014.

In a context where local data protection authorities are increasingly scrutinizing cross-border data processing operations, companies worldwide need to identify whether and which EU data protection law(s) apply to processing of personal data taking place wholly or partially outside the EU.

Yet the extent of the territorial scope of the Directive has always raised many questions. In 2010, the WP29 concluded in their Opinion 8/2010 that Article 4(1)(a) of the Data Protection Directive 94/46/EC[3] (“Directive”), which provides that a Member State’s data protection law shall apply to data processing “carried out in the context of the activities of an establishment of the controller on the territory of the Member State“, suggests a very broad scope of application.

The exact extent of application remained rather unclear despite the WP29’s guidelines until four years later when the question of whether EU data protection laws should apply to a business based and processing personal data outside the EU came up before the ECJ in the so-called “right to be forgotten” case, Costeja v. Google. In its judgement, the ECJ held that Spanish law applied to the personal data processing performed by the search engine operated by Google Inc., a US-based controller, on the ground that it was “inextricably linked to“, and therefore was carried out “in the context of the activities of” Google Spain, whose advertising and commercial activities constituted the “means of rendering the search engine at issue economically profitable“.

The WP29 have recently updated their 2010 opinion to take into account Costeja. According to the WP29, the implications of the judgement are very broad and should certainly not be limited to the question of determining applicable law in relation to the operation of the Google search engine in Spain.  And indeed, Costeja confirms the broad territorial application of Article 4(1)(a) of the Directive that was espoused by the W29 in 2010.  In this respect, the WP29 recall that the notion of establishment in itself must be interpreted broadly, in line with recital 19 of the Directive, which provides that the notion of “establishment (…) implies the effective and real exercise of activity through stable arrangements[4], such as subsidiaries or branches for example. In Costeja, there was no doubt that Google Spain, the Google Inc. subsidiary responsible for promoting in Spain the sale of advertising space generated on the website google.com, fell under that definition. However, it was disputed whether the data processing in question, carried out exclusively by Google Inc. by operation of Google Search without any intervention on the part of Google Spain, was nevertheless carried out “in the context of the activities of” Google Spain.

The ECJ then introduced a new criterion: the “inextricable link” between the activities of a local establishment and the data processing activities of a non-EU data controller. As underlined by the WP29, the key point is that even if the local establishment is not involved in any direct way in the data processing, the activities of that establishment might still trigger the application of EU data protection laws to the non-EU controller, provided there is an “inextricable link” between the two.

What this “inextricable link” might be raises many questions. The WP29, while insisting on the importance of conducting a case-by-case analysis, consider that, depending on the role played by local establishments, non-EU companies offering free services within the EU, which are then financed by making use of the personal data collected from users, could also be subject to EU data protection laws. The same reasoning would apply, for example, tor non-EU companies providing services in exchange for membership fees or subscriptions, where individuals may only access the services by subscribing and providing their personal data to the EU establishments.

The WP29 are careful to say that being part of a same group of companies is not in itself sufficient to establish the existence of an “inextricable link“, and that additional factors are necessary, such as promotion and sale of advertising space or revenue-raising, irrespective of whether such proceeds are used to fund the data processing operations in the EU. But because the examples provided by the WP29 are almost solely based on revenue flow as the source of the “inextricable link“, it is difficult to conceive of what type of multinational will not have such an “inextricable link” between the activities of a subsidiary (let alone a branch) in the EU and a parent company outside the EU.  The long arm of the Directive is in effect stretched even further.

Will this criterion still be relevant when the General Data Protection Regulation[5] (“GDPR”) applies, likely by July 2018? Certainly, insofar as article 3(1) provides that the GDPR applies “to the processing of personal data in the context of the activities of an establishment of a controller… in the Union“. But the GDPR goes much farther: not only does it consecrate Costeja by specifying that the GDPR applies “regardless of whether the processing takes place in the Union”, it also applies to processing in the context of the activities of an establishment of a processor in the EU, even if the processing occurs outside the EU. Moreover, relying more explicitly on the “effect principle”, article 3(2) of the GDPR further extends the territorial scope of EU data protection law to any data controller based outside the EU that either: (i) offers goods or services to EU residents; or (ii) monitors the behaviour of EU residents.

Another important aspect the WP29 infer from the Costeja decision concerns the applicable law where a business has multiple establishments in the EU, with a designated “EU headquarters”, and this establishment alone carries out the functions of a data controller in relation with the processing operations in question. The WP29 note that, although the Court did not directly address this question, neither did it distinguish its ruling according to whether or not there is an EU establishment acting as a data controller or being otherwise involved in the processing activities.  For the WP29, this means that where there is an “inextricable link“, several national laws may apply to the activities of a business having several establishments in different Member States, regardless of whether one of them qualifies as data controller in respect of the processing in question. This position goes beyond the plain meaning of article 4(a) of the Directive, which provides that “when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable”.[6]

In conclusion, although the WP29’s recent update provides some useful illustrations to help businesses determine whether they should comply with EU data protection law, it does not clarify its exact scope. In particular, WP29’s analysis mostly focuses on websites where data subjects have a connection with one EU establishment, leaving aside other scenarios, such as when data subjects have absolutely no connection with any EU establishment. And the question of how are companies to deal with conflicts of laws remains unanswered. The discussions over these questions promise to be challenging, even more so now with the prospect of the application of the GDPR.

For further information, please contact Carol.Umhoefer@dlapiper.com or Caroline.Chance@dlapiper.com.

[1] WP29, Opinion 8/2010 on applicable law, December 16, 2010

[2] Case C-121/12, Google Spain and Google Inc. v. Agencia Espanola de Protección de Datos (AEPD) and Mario Costeja Gonzalez, May 13, 2014

[3] Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

[4] Recital 19 of the Directive

[5] COM/2010/2011 final, Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data

[6] The recitals of the Directive are admittedly puzzling. Recital (18) states that any processing of personal data in the Community must be carried out in accordance with the law of one of the Member States and processing carried out under the responsibility of a controller who is established in a Member State should be governed by the law of that State. But recital (19) provides that if a single controller is established on the territory of several Member States, particularly by means of subsidiaries, he must ensure that each of the establishments fulfils the obligations imposed by the national law applicable to its activities – thereby vitiating the entire concept of separate legal personality, and failing to denote whether those subsidiaries are to be considered controllers or processors.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-the-applicability-of-eu-data-protection-laws-to-non-eu-businesses/

EUROPE – Towards Privacy by Design Regulations for Drones

There is an increasing usage of unmanned aerial vehicles (“UAV”, more widely known as drones) for civil and commercial purposes: from environment monitoring to agriculture, from audiovisual productions to my favorite football team training… Whilst there are no doubts about the potential benefits of the civil use of drones, there is still no certainty about what are the most appropriate rules to address the data protection risks deriving from a large-scale deployment of drone technology.

The concerns are in essence very similar to those outlined for the Internet of Things (see here our post on IoT data protection concerns), as after all this is also about the increasing usage of sensors.

Read the rest of this entry »

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-towards-privacy-by-design-regulations-for-drones/

EUROPE: Article 29 Working Party Provides Guidance on Personal Data Breach Notification

By Carol Umhoefer & Mathilde Hallé

On March 25, 2014, the Article 29 Working Party (the “WP29”) issued Opinion 03/2014 On Personal Data Breach Notification in order to help data controllers to assess whether to notify data subjects of a personal data breach.

Currently, only providers of telecommunications services are required to notify data subjects in the event of a personal data breach likely to adversely affect such data subjects’ personal data or privacy. Nevertheless, this obligation will be expanded in coming years to all data controllers, whatever their business sectors, with the upcoming adoption of the EU General Data Protection Regulation.

Anticipating the adoption of that Regulation, the WP29 has issued an opinion to provide general guidance for data controllers to assess, on a case-by-case basis, whether a breach is likely to adversely affect the personal data or privacy of data subjects, and therefore should be notified to data subjects.

In this opinion, the WP29 provides examples of data breaches likely to adversely affect the data subjects’ personal data or privacy, and gives some recommendations in terms of appropriate measures that, if implemented beforehand, may prevent such breaches (e.g., using an appropriate encryption product with a sufficiently strong and secret key, etc.). The WP29 also lists some scenarios where notification to data subjects would not be required (e.g., a personal data breach only relating to confidentiality where the data was securely encrypted with a state-of-the-art algorithm).

In addition to these practical examples and recommendations, the WP29 addresses key issues that data controllers may face while considering whether to notify data subjects. In particular, the WP29 underlines the need to notify even if only one data subject is concerned by the breach. In case of doubt regarding the likelihood of adverse effects on the personal data or privacy, the WP29 recommends to “err on the side of caution and proceed with notification“.

For further information, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com) or Mathilde Hallé (mathilde.halle@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/europe-article-29-working-party-provides-guidance-on-personal-data-breach-notification/