The EU General Data Protection Regulation ("GDPR") enters into force in May 2018. As part of the implementation period, the EU's Article 29 Working Party ("WP29") has recently issued additional guidelines addressing various key aspects of the GDPR (see our report regarding the previous set of guidelines here).
Although the WP29's opinions and guidelines are not binding, the WP29 is an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission, so its guidelines can assist in understanding how European data protection authorities will interpret various requirements of the GDPR.
The new guidelines include the following:
- Guidelines on Binding Corporate Rules ("BCRs") for Controller BCRs and for Processor BCRs (adopted and available for public consultation before their final adoption);
- Guidelines on Consent (adopted and available for public consultation before their final adoption);
- Guidelines on Transparency (adopted and available for public consultation before their final adoption); and
- Guidelines on Adequacy Referential (adopted and available for public consultation before their final adoption).
Guidelines on BCRs
BCRs consist of internal rules that allow companies, under the GDPR, to transfer personal data to group entities located outside of the EU. The Controller BCRs Guidelines and the Processor BCRs Guidelines apply to transfers of personal data from controllers or processors (respectively) established in the EU to other entities of the same group established outside the EU. These guidelines elaborate on the following key principles that BCRs must cover in order to be approved:
- Binding nature;
- Cooperation duty;
- Description of processing and data flows;
- Mechanism for reporting and recording changes; and
- Data protection safeguards.
Guidelines on Consent
The Consent Guidelines specify the key requirements for obtaining a data subject's consent and demonstrating it under the GDPR, in an attempt to help companies understand and anticipate the authorities' expectations. According to the guidelines, controllers must ensure that the following key elements of valid consent exist when collecting personal information based on the consent of the data subjects:
- Freely given - individuals must have a real choice; consent is not free where individuals feel compelled to consent, where they will endure negative consequences if they do not consent, or where consent is bundled up as a non-negotiable part of terms and conditions. Moreover, the guidelines analyze some challenges of collecting consent in cases of imbalance between the entity processing the personal data and the individual, conditionality of consent, granularity, and detriment;
- Specific - consent is specific where the purpose of the processing is explained, the granularity principle is implemented, and information about obtaining consent for data processing activities is clearly separated from information about other matters;
- Informed - relevant information must be provided by the companies in clear and plain language and be distinguishable from other matters. The information may be presented in various ways, but it should always be easily understandable for the average person;
- Unambiguous - for consent to be unambiguous, it should be given through an active motion or declaration. Therefore, pre-ticked boxes do not constitute unambiguous consent. However, active motions such as swiping on a screen or waving in front of a smart camera provide valid consent, as it is clear that such motions signify agreement to a specific request;
- “Explicit” consent - consent as a legal basis of processing sensitive data, consent for an automated individual decision-making process or consent for transferring personal data outside of the EU must also be “explicit”;
- Demonstrating consent - controllers should be able to demonstrate that they have obtained a data subject’s consent, and they are free to develop their own mechanisms for addressing this requirement;
- Withdrawal of consent - individuals should be able to withdraw their consent at any given time, and it should be as easy to withdraw it as to give it.
In addition, the guidelines provide additional notes on digital consent of children, according to which controllers must obtain parental authorization and make reasonable efforts to verify that the person providing that consent is a holder of parental responsibility. Reasonable efforts may depend on the risks inherent in the processing as well as available technology. In low risk cases, verification of parental responsibility via email may suffice, while in high-risk cases, it may be appropriate to ask for more proof.
Guidelines on Transparency
The Transparency Guidelines are aimed at assisting controllers in understanding the obligation of transparency concerning the processing of personal data under the GDPR. Transparency applies to how controllers inform individuals about their processing activities, how they communicate with them about their rights, and how they facilitate the exercise of these rights. The key elements of transparency, as analyzed in the guidelines, are:
- Concise, transparent, intelligible and easily accessible - the information must be presented efficiently and succinctly in order to avoid "information fatigue" and it also should be understandable by an average member of the intended audience. Individuals should not have to seek out the information, and it should be immediately apparent to them where this information can be accessed;
- Clear and plain language - the information should be concrete and definitive. It is recommended that language qualifiers such as "may", "might", "some", "often" and "possible" should be avoided;
- In writing or by other means - the information should be in written form or provided by other means such as pop-ups, 3D touch, privacy dashboards, etc. Electronic means which may be provided "in addition" to a layered privacy notice might include videos and smartphone or IoT voice alerts;
- The information may be provided orally - automated oral information may be provided in addition to written means, such as in the context of persons who are visually impaired when interacting with information society service providers;
- Free of charge - individuals cannot be charged for obtaining information, and the provision thereof may never be conditional upon goods or services; and
- Changes in privacy notices - changes must be actually noticed by individuals by using an appropriate modality specifically devoted to such changes. Additionally, controllers should remind individuals of the applicable privacy notice at appropriate intervals in case of ongoing data processing activities to ensure individuals remain well informed.
Guidelines on Adequacy Referential
According to the GDPR, personal information may not be transferred to third countries outside the EU unless one of the exceptions applies. These include explicit consent to such a transfer, transfers under binding contractual obligations or BCRs, and transfers to third countries that the European Commission has declared to have an adequate level of data protection laws.
The Adequacy Referential Guidelines provide updated guidance to the European Commission for assessing the level of data protection in third countries and international organizations, by establishing the core data protection principles that have to be present in a third country's legal framework or in an international organization in order to ensure essential equivalence with the EU framework. In addition, the guidelines may assist third countries and international organizations interested in obtaining an adequacy decision.