The Article 29 Working Party gears up for the trilogues on the GDPR.
What's the issue?
The Article 29 Working Party (WP), comprising European data protection regulators, has an influential role in shaping data protection legislation and providing guidance on thorny issues.
What's the development?
The WP has published a number of documents of interest lately, not least a letter sent to the Commission, the Council and the Parliament, setting out views on the General Data Protection Regulation (GDPR) pending the trilogues which started in June. The WP has also published an Opinion on drones and updated its guidance on Binding Corporate Rules for processors.
What does this mean for you?
Letter on GDPR Trilogues: this highlights the issues the WP feels most strongly about and may prove influential during the final stages of negotiation.
Opinion on drones: this is useful reading for anyone involved in the manufacture or supply of drones and adds to the ICO's guidance on the same subject.
Updated guidance on Binding Corporate Rules for processors: this principally provides further recommendations on how to deal with requests from non-EU regulators or government agencies to hand over data.
Letter on GDPR trilogues
The Article 29 Working Party (WP) has written to representatives of the three institutions involved in agreeing a GDPR, formally giving its Opinion on issues it feels require special attention, which include:
- the legislation must be in the form of a Regulation. The scope of the proposed Directive should not go wider than currently proposed;
- personal data should be defined in a broad manner in line with technical evolution and take into account CJEU judgments on the extent to which IP addresses and other identifiers constitute personal data. The WP encourages pseudonymisation but says it should not be defined as a separate category of data with lower standards of protection;
- it should be possible for controllers to process personal data for purposes that are not incompatible with the purpose for which the data was originally collected, provided there is a legal basis. Processing for archiving and research should also remain possible and be considered as a not incompatible purpose. The importance of retaining the purpose limitation is also stressed;
- existing rights must not be reduced and the data portability right should be included. Data Protection Authorities (DPAs) must be endowed with sufficient resources and powers to allow them to enforce effectively, not just in terms of sanctions (which must be sufficiently weighty to act as a real deterrent) but also in terms of providing guidance and compliance tools; and
- a new governance model based on proximity to citizens and efficiency for business. Sufficient powers for DPAs and increased cooperation between them via a lead DPA and, where necessary, a financially and functionally independent EDPB will be necessary.
Opinion on drones
The Article 29 Working Party (WP) has published an Opinion on drones, setting out the data protection issues, highlighting applicable legislation and providing guidance on legitimising the processing of personal data collected by drones. Transparency, security, purpose limitation and data minimisation are set out as key to lawful processing. Privacy by design and default is encouraged. Manufacturers are urged to include information about privacy within the operating instructions. Appointing a Data Protection Officer and adopting industry codes of conduct are also recommended.
In addition, the Opinion recommends that Member States adopt national policies around the use of drones and that the European Aviation Safety Agency develop pan-European standards. Specific recommendations are made in relation to drones used for law enforcement, which, says the WP, should, as a rule, not allow for constant tracking, and whose technical and sensing equipment must be in line with the purpose of the processing.
Updated guidance on Binding Corporate Rules
The Article 29 Working Party (WP) has updated its explanatory document on Binding Corporate Rules (BCRs) for processors.
The updated guidance principally provides further recommendations on how to deal with requests from non-EU regulators or government agencies to hand over data. The WP says:
- any legally binding request from a law enforcement authority or state security body should be communicated to the data controller (unless the processor is prohibited from doing so);
- in any event, the request for disclosure should be put on hold while the DPA for the controller and the DPA for the BCR for processors are clearly informed about it and the BCRs should make this a binding commitment;
- the BCRs must also commit the processor to assessing each access request on a case-by-case basis;
- the relevant DPAs will endeavour to reply within a reasonable timeframe and will respond either with an order suspending or banning the transfer or with a positive opinion or a prior authorisation;
- if the processor is legally prohibited from disclosing the information, the BCRs must provide that the processor will use its best endeavours to get the prohibition removed or its scope reduced;
- in the event the processor cannot get around the prohibition, it must commit in the BCRs to providing an annual notification of the number and nature of such requests received; and
- disclosures to public authorities must not be made in an indiscriminate or disproportionate manner.
The updated guidance also says BCRs may be updated to reflect changes in group structures or regulatory requirements provided updates are notified group-wide and to the relevant DPA, and it reminds parties that BCRs must comply with EU data protection law and be capable of being understood and applied by relevant group members. Data controllers are also reminded that it is they who are ultimately responsible for ensuring their processors provide sufficient guarantees in relation to the data they are processing.