To coincide with Data Privacy Day, we have prepared a roundup of 5 recent announcements and developments in the world of privacy and data protection. The focus of these is, somewhat unsurprisingly, centred on the General Data Protection Regulation (“GDPR”), updates to EU law on the privacy of electronic communications, and changes to mechanisms for the transfer of personal data outside the EEA.
1. EU Regulators begin issuing GDPR guidance
With the commencement of the GDPR now less than 18 months away, the collective body of EU data protection authorities’ (“DPAs”), Article 29 Working Party (“WP29”), recently began issuing guidance on aspects of the GDPR. To date, WP29 has published guidelines regarding data portability, data protection officers (“DPOs”) and the lead supervisory authority.
Some key points to note:
- DPOs cannot fulfil duties outside the scope of data protection which would “result in a conflict of interest”. Senior management positions which involve decision-making around how and why personal data is used will conflict with the role of the DPO.
- The right to data portability, a new right under the GDPR, allows data subjects to receive their personal data in a structured format and to transmit such data to another data controller. This right applies to data generated by the use of a service or device. According to WP29, the right can apply to search history, internet traffic data, location data, and attributes tracked by a fitness or health tracker.
- In cases of cross-border processing, the lead regulator is determined from the location of the organisation’s ‘main establishment’. However, this may not be straightforward if a company’s decisions regarding cross-border processing activities are made in different locations. This could result in different ‘main establishments’ for those activities and potentially subject the organisation to the jurisdiction of different lead authorities for different processing activities.
2. EU Regulators’ action plan for 2017
Following the release of the initial guidance documents, WP29 published its action plan for this coming year. In 2017, WP29 has committed to continuing its work on a number of topics relevant to the GDPR. These include:
- data processing likely to result in a high risk and data protection impact assessments (“DPIAs”); administrative fines
- the administration of the European Data Protection Board (“EDPB”) and preparation of the consistency mechanism for cooperation between data protection authorities
- the ‘one-stop shop’ mechanism
WP29 has also set a number of new priorities for 2017 and has committed to producing further guidelines covering a number of key concepts under the GDPR, including on consent, profiling and transparency. It has also committed to updating a number of existing Opinions, including opinions on data transfers to countries outside the EEA and on data breach notifications.
3. The EU proposes a new ePrivacy law
The European Commission has proposed a revised law to govern the privacy of electronic communications (the “Regulation”). If adopted, this proposal will replace the existing ePrivacy Directive, which regulates the use of communications data, cookies and similar technologies, location data and unsolicited direct marketing.
The Regulation is intended to complement the GDPR, by laying down rules on the protection of personal data processed in relation to electronic communications. So-called ‘over the top’ communications providers, which provide communication services over the internet but do not provide the underlying physical infrastructure, will be caught by the Regulation. This will bring a wide variety of email and personal messaging services within the Regulation. Other changes include:
- tightening the grounds upon which communications content and metadata may be processed
- aligning the concept of consent with that under the GDPR
- requiring, in certain instances, prior consultation with regulators
- obliging providers of browser and communication software to offer a variety of privacy options
The European Parliament and Council are due to consider the draft text and we can expect to see revisions to the proposal. Given the significant impact the Regulation will have in the online sphere, and the need for a serious debate of the proposal, achieving the 25 May 2018 target date for implementation may be challenging.
4. Updated MCCs and Adequacy Decisions
Two of the core mechanisms that permit the transfer of personal data to countries outside the EEA are the European Commission adequacy decisions on certain third countries (“Adequacy Decisions”) and the Standard Contractual Clauses (“SCCs”). Both the SCCs and the Adequacy Decisions have been subject to subtle amendments, published in December 2016. These changes, it appears, were made in the wake of the Schrems decision aimed at minimising the risk of their invalidation.
The amendment to the SCCs sought to remove certain perceived restrictions on DPAs’ powers to suspend or prohibit transfers in specific cases. However, this does not affect the text of the SCCs, which remains unchanged. A similar change was made to the Adequacy Decisions, aiming to remove restrictions on DPAs’ powers. The Adequacy Decisions now oblige the Commission to monitor the rules of each whitelisted jurisdiction to ensure that the scope of the Adequacy Decision remains valid.
In addition, the Commission recently announced the intention to explore further Adequacy Decisions, beginning with Japan and South Korea later this year.
5. Swiss Privacy Shield
Following the introduction of the EU-US Privacy Shield Framework last year, US and Swiss authorities recently announced agreement on a new cross-border data transfer mechanism, the Swiss-US Privacy Shield Framework (the “Swiss Privacy Shield”). Following the Schrems decision, the Swiss-US Safe Harbor Framework entered a period of limbo. Although the Swiss regulator expressed dissatisfaction with the framework, it was not formally invalidated and remained active.
Swiss Privacy Shield will replace the Swiss-US Safe Harbor Framework and will apply the same standards to the transfer of personal data to the US as are applied under the EU-US Privacy Shield.
The US Department of Commerce will start accepting self-certification applications for the Swiss Privacy Shield on 12 April 2017, and will no longer accept any US-Swiss Safe Harbor certifications.