Who: Article 29 Working Party of EU Data Protection Authorities
Where: Brussels
When: February 2016
Law stated as at: 16 February 2016
What happened:
The Article 29 Working Party (“A29WP”) published a “Statement on the 2016 action plan for the implementation of the General Data Protection Regulation (GDPR)” (“Statement”).
The A29WP says in its Statement that with the GDPR close to adoption, it must develop guidelines, tools and procedures to allow the new legal framework to be effective for the first semester of 2018.
The Statement is an action plan identifying the A29WP’s priorities in preparing for the big transition, including its own metamorphosis into the “European Data Protection Board” (“EDPB”).
The action plan is based on 4 priorities:
1. Setting up the EDPB including the development of the IT systems needed to administer the one stop shop;
2. Preparing the “one stop shop” for multinational data controllers and data processors and the related consistency mechanism, including the designation of lead data protection authorities for multinationals and setting up systems to facilitate the enforcement co-operation procedures currently set out in Article 54 of the latest draft of the GDPR. These procedures are necessary because, somewhat counter-intuitively, the one stop shop still allows a multi stop shop. This is because a local DPA which is not a multinational’s lead DPA can handle complaints about alleged GDPR breaches if the subject matter of the complaint relates only to the multinational’s establishment in the country of the local DPA or if it substantially affects only data subjects in that country;
3. Issuing guidance for controllers and processors on four “priority subjects” as follows:
3.1 New personal data portability rights (Article 18) which apply to any personal data given by a data subject to a data controller where the processing is based on consent or, in the case of “special categories of data” (broadly equivalent to the UK’s existing categories of “sensitive personal data”), explicit consent;
3.2 “Notion of high risk” and Data Protection Impact Assessment (Article 33 requires these if processing is likely to result in high risk to data subjects’ rights). The concept of “high risk” also comes into play in the context of the obligation to report data security breaches to affected data subjects without undue delay if the breach puts their rights and freedoms at “high risk” (Article 32);
3.3 Certification (Article 39 obliges Member States, DPAs, the EDPB and the European Commission to encourage the establishment of data protection certification mechanisms and of data protection seals and marks). The idea is that these will be of particular benefit to micro, small and medium sized data controllers or data processors seeking a convenient means of demonstrating to potential customers that they are compliant with the GDPR;
3.4 Data protection officer (under Articles 35-37 appointing a data protection officer, with all that entails, will be compulsory for all public authorities regardless of what they do with personal data and for any other data controllers or data processors, whatever their size, if their “core activities” consist of either processing operations which require “regular and systematic monitoring of data subjects on a large scale”, or processing on a large scale of special categories of data and data relating to criminal convictions and offences);
4. Communications around the EDPB/GDPR: the Statement says it is essential to make the EDPB “visible and identifiable as a key player”, and the action plan requires that steps are taken to achieve this by participating in external events to promote the new governance model, creating an online communication tool and strengthening relationships with EU institutions and agencies.
Why this matters:
On any view the A29WP and its constituent members have a busy time ahead. In that vein, the Statement makes it clear that this action plan is only the start and that it will be complemented in 2017 with new objectives and deliverables.
Looking in particular at the slim list of just four priority areas for guidance to be produced in 2016, however, it is of concern that the A29WP is leaving itself (and potentially local DPAs) a disproportionate amount of work to do in 2017, when European organisations will be thirsting for guidance on a good deal more than these topics, such as, to name but a few:
- the new right to erasure;
- the new obligation to maintain records of data processing activities;
- the new rules on when the GDPR applies;
- the new security breach reporting obligations;
- the new “data protection by design and default” principle;
- the new rules throughout the GDPR affecting profiling;
- the new rules governing data controller/data processor relationships;
- the new rules on consent; and
- the new rules on “legitimate interest” as a ground for processing.