The Article 29 Working Party held its April plenary meeting last week, where it continued its work preparing for the GDPR, adopted an opinion on the draft e-Privacy Regulation, and discussed the annual review of Privacy Shield. Highlights of the meeting included:

GDPR Guidelines

The Working Party has now formally adopted guidelines on data portability, lead supervisory authorities and Data Protection Officers, following drafts published for consultation in December 2016. There have been no substantial changes to any of these guidelines since the consultation, although clarifications have been made in some areas, including:

Data portability: The Working Party stressed that there will be very few cases in which a controller will be able to justify refusing a request from an individual to exercise their right to data portability. From May next year, then, controllers must be ready to accept and respond to these requests.

Lead supervisory authority: Where a processor provides services to multiple controllers in different Member States, the lead supervisory authority will be the authority competent to act for the controller. Large processing providers, such as cloud services providers, should be prepared to deal with multiple supervisory authorities as a result.

Data Protection Officers (DPO): The Working Party underlined that a decision about whether to appoint a DPO needs to be documented as part of demonstrating compliance with the accountability principle. A short ‘FAQ’ section has also been added to the guidance, answering common questions about appointing a DPO.

e-Privacy Regulation

The Working Party has adopted an opinion on the draft e-Privacy Regulation. In particular, in four key areas the Working Party found that the proposed Regulation provides a lower standard of protection than the GDPR, and recommends changes. These areas are: location tracking through WiFi; the conditions which permit analysis of content and metadata; consent for tracking; and ensuring privacy by default in device and browser settings.

Privacy Shield

To make the US Privacy Shield Ombudsman more visible, the Working Party agreed that a specific form will be published on its website, and on the website of each national Data Protection Authority. This will allow individuals to submit requests to the Ombudsman about whether their personal data have been accessed by US intelligence agencies.

The annual review of Privacy Shield was also discussed, and the first review will take place in Autumn 2017.

Next Steps

Going forward, the Working Party has adopted Guidelines on Data Protection Impact Assessments, which it will put to public consultation. It has also adopted a position on the Code of Conduct for privacy in mobile health applications, and is in the process of preparing an Opinion on employee monitoring (which will specifically discuss data loss prevention and Bring Your Own Device policies).

All the documents discussed in this post can be found on the website of the Working Party here.

Special thanks to Sabrina Salhi in our London office for her assistance in preparing this entry.