First Guidelines on Applying EU Data Protection Regulation

On 13 December 2016 the Article 29 Working Party ("WP 29"), an advisory body composed of European data protection authorities, issued its first guidelines on the General Data Protection Regulation ("GDPR"). The GDPR becomes applicable on 25 May 2018. The guidelines and FAQ documents cover the following topics: (i) right to data portability (guidelines, FAQ), (ii) data protection officers (guidelines, FAQ) and (iii) determining the so-called lead supervisory authority (guidelines, FAQ). WP 29 has invited comments on these guidelines until the end of January 2017. WP 29 will issue two additional sets of GDPR guidelines on Data Protection Impact Assessments and Certification in 2017.

Data Portability

Data portability is a new right under the GDPR

The GDPR introduces a new right for data subjects, the "right to data portability", which is meant to enhance the data subject's control over his or her data. Under Article 20 of the GDPR, an individual "data subject" has the right to receive personal data concerning him or her, which he or she "has provided" to a controller for processing based on consent or contract. The GDPR does not clarify the scope of data covered by this right.

WP 29 interprets the scope of data portability broadly

WP 29 has interpreted the data portability right in an extremely broad manner. Portability covers the following types of personal data:

• Data provided directly by the data subject, for example: name, email address, username

• Data generated and collected from activities of the data subject, for example: traffic and location data, search history, raw data collected by fitness apps

However, the portability right does not extend to inferred and derived data. For example, a credit score calculated based on the data subject's financial information or a health analysis based on exercise data and a heart rate monitor would not be covered by the portability right.

The portability right should not be confused with the access right, which guarantees the data subject the right to access (see and receive) his/her personal data under the GDPR. The access right also covers data categories that are not included in the portability right.

The process for transferring data

Data portability only applies to automatic handling of data, not data on paper. Under the GDPR, data must be transferred in a structured, commonly used and machine-readable format.

The GDPR requires the data controller to provide personal data to the data subject “without undue delay” and in any case “within one month of receipt of the request”. For complex cases and under certain specific circumstances, data must be provided within a maximum of three months. As the main rule, data must be transferred free of charge.

WP29 strongly encourages cooperation between stakeholders and trade associations to create a common set of interoperable standards and formats to meet the requirements of the right to data portability. In WP29's view data controllers should offer the data subject a direct download opportunity and allow data subjects to directly transmit their data to another data controller.

When delivering the data, strong identification is not necessarily required. Instead, for example, a user name and password to an online service will suffice. However, the controller should be able to ensure that the data portability request comes from the data subject, and adapt the required identification to the types of data and processing in question, as well as to the identification used when collecting the data.

Responsibilities of the "old" and "new" data controller

The fact that a data subject transfers their data to another service provider does not mean that the original controller should cease processing the data altogether. On the other hand, the portability right does not require data controllers to keep personal data for longer than necessary.

The receiving data controller is not exempted from ensuring that the portable data provided are relevant and not excessive with regard to the new data processing.

What are the implications for businesses?

The portability right enforces the idea of personal data as a currency that the data subject can use to pay for different providers' services. However, for the transferring data controller the broad interpretation of the portability right may become costly, since businesses should be able to identify and extract the portable data from their systems upon request. This is likely to require significant investments, especially if the number of requests becomes high or the current IT systems do not allow all necessary functionalities.

It remains to be seen how the new portability right will impact user preferences, system design and new business models.

Data Protection Officer

The GDPR requires data controllers and processors to appoint a data protection officer (DPO) when the controller is a public authority or when the core activities of the controller consist of regular and systematic monitoring of data subjects or of processing sensitive data on a large scale. The WP 29 guidelines define "core activity", "large scale" and "regular and systematic", emphasizing that the DPO has no personal responsibility over the company's data processing.

The WP 29 also encourages companies to voluntarily appoint a DPO when not required by the GDPR. The GDPR will nevertheless apply to these voluntarily-appointed DPOs. A company should thus carefully consider whether to voluntarily appoint a DPO or to organize its internal data protection responsibilities in some other way.

The DPO can be an employee or an external consultant. However, the DPO cannot hold a position that requires them to decide on the means and purposes of data processing. According to WP29, such positions include, for example, senior management and heads of marketing, HR and IT. A group of companies can appoint a single DPO provided that the DPO is easily available from all locations both internally and externally, and that the DPO is capable of communicating with the authorities in local languages.

The DPO should have sufficient knowledge of the business concerned, of data protection law and of the processing. However, the guidelines do not list any educational or other qualifications. In addition, the company should ensure that its DPO has sufficient resources to ensure compliance with the GDPR.

Lead Supervisory Authority

The third guidelines issued by the WP 29 concern identification of a lead supervisory authority in situations where a controller or processor carries out cross-border processing of personal data. The lead supervisory authority is the national authority with the primary responsibility for overseeing data processing activity that covers several countries. The lead supervisory authority is defined by the location of the main establishment of the controller or processor, for example, the location of the company's central administration.

The WP 29 guidelines define "cross-border processing" and "main establishment". Cross-border processing means either processing that is conducted in the context of activities of several establishments of the controller or processor in the EU, or alternatively, processing that affects data subjects in several member states despite being conducted by a single establishment. In addition, the guidelines address some difficult cases, notably those situations where the controller has no main establishment in the EU. The WP 29 emphasizes that it is primarily the company's responsibility to define its own main establishment and to identify the lead supervisory authority.

CJEU Case law on Data Protection

CJEU ruled on a high threshold for anonymization in the Breyer case

In its ruling in Patrick Breyer v. Federal Republic of Germany (C-582/14) of 19 October 2016, the Court of Justice of the European Union (“CJEU”) ruled that a dynamic IP address may constitute personal data under the Data Protection Directive (95/46/EC). The CJEU found that a dynamic IP address collected by a third party constitutes personal data only when the third party has the possibility and means to combine the IP address with the additional information so as to identify a person. In addition, when the CJEU defined "means", it referred to the possibility that the means are “likely reasonably to be used to identify” the individual. This criterion is relatively loose, because in its judgment the CJEU also held that only a legal possibility (for example, the means provided by law) to request such information from an online media service provider constitutes a sufficient possibility to identify an individual.

In addition, the CJEU employed a restrictive interpretation of Member State legislation (in this case a German law provision), which limits the use of legitimate interest as a basis for processing of personal data in an online context. The CJEU held that the provision does not comply with the Data Protection Directive if it does not take into account the concept of legitimate interest.

CJEU Rules on Acceptability of Data Retention Obligation in National Laws

The CJEU issued a decision in the joined cases C‑203/15 and C‑698/15 (Tele2 Sverige AB v. Post- och telestyrelsen and Secretary of State for the Home Department v. Tom Watson, Peter Brice, Geoffrey Lewis) on 21 December 2016. The case concerns national legislation on the data retention obligations of telecommunications operators. This judgment complements the Court's earlier decision in the Digital Rights Ireland case (joined cases C-293/12 and C-594/12) repealing the data retention directive.

The CJEU considered that national legislation providing for unlimited retention of telecommunications data exceeds the limits of what is strictly necessary; therefore, it is not justified. However, Member States may pass legislation allowing targeted data retention for the purposes of fighting serious crime. The retention obligation should be limited only to what is strictly necessary with respect to data categories, means of communication, concerned individuals and the retention period. In addition, access to and use of the retained data should be subject to substantive and procedural conditions as well as to safeguards that protect fundamental rights. The retained data should be stored within the EU.

The Tele2 decision emphasizes the CJEU's position that general and indiscriminate surveillance is not allowed under EU data protection laws, as already stated in its decisions Digital Rights Ireland and Schrems (C‑362/14).

Commission Proposes a New ePrivacy Regulation

The EU Commission has published its proposal for a new ePrivacy Regulation that would repeal the current ePrivacy Directive on data protection in electronic communications. The regulation is intended to enter into force on 25 May 2018 together with the GDPR. However, it remains to be seen whether this optimistic deadline will be met.

The most important changes include:

• Instead of a directive, the new proposal is a Regulation directly applicable in all EU Member States.

• The Regulation will also apply to over-the-top ("OTT") services, for example, online chat and messaging service providers that do not operate over traditional telecommunications networks. (These services are already covered in Finland by the Information Society Code.)

• In addition, the Regulation covers information stored in end-users' devices and machine-to-machine communication.

• A new definition of "metadata" covers traffic and location data. This is subject to somewhat less rigid rules than the content of communication.

• Cookie-consent rules would be relaxed so that browser settings would be accepted as consent. (This interpretation is already applied by the Finnish Data Protection Ombudsman.)