GDPR guidance on data portability, DPOs and lead authority

In December, the Article 29 Working Party (WP29), an advisory body made up of all the EU national data protection authorities, published three long-awaited guidelines and frequently asked questions (FAQs) on the General Data Protection Regulation (GDPR). The guidelines cover the following topics:

You can submit any additional comments on the guidelines until the end of January 2017.

Balancing the interests in big data processing

A paper from Anons looks at the challenges to big data analytics under the upcoming GDPR (General Data Protection Regulation) and at legal solutions to them. While the GDPR imposes new obligations, those obligations do require new technical and organizational measures to protect big data.

The body of this paper describes in detail the regulatory background, technological innovations, and practical applications of Controlled Linkable Data, leading to the maximization of data value and individual privacy in a GDPR-compliant manner.

Download paper

EU ePrivacy Regulation proposed

Yesterday, January 10, 2017, the European Commission announced its proposal for a new Regulation on Privacy and Electronic Communications (ePrivacy Regulation) that will supplement the General Data Protection Regulation (GDPR) and replace the existing ePrivacy Directive.

The aim of the new ePrivacy Regulation is to harmonise the data protection framework relating to electronic communications within the European Union and to ensure consistency with the GDPR. The main changes introduced by the ePrivacy Regulation are:

  • Greater scope of coverage. While the current ePrivacy Directive only applies to traditional telecoms operators, the new rules will also cover new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, or Viber.
  • Same law for the whole EU. The current Directive, which has to be transposed into each Member State’s law, will be replaced with a directly applicable Regulation, meaning the same rules and protection for electronic communications.
  • Protection for content and metadata. Privacy will be guaranteed for both content and metadata derived from electronic communications (e.g. the time of a call and location). Under the proposed rules, operators will have to anonymise or delete both content and metadata if users have not given their consent, unless the data is required, for instance, for billing purposes.
  • Simpler rules on cookies. The Regulation will streamline the so-called “cookie provision”, which has resulted in an overload of consent requests for internet users. The new rules will provide an easy way to accept or refuse the tracking of cookies and other identifiers where there are privacy risks. No consent will be needed for non-privacy-intrusive cookies that improve the internet experience (e.g. remembering shopping cart history) or for cookies set by a visited website to count the number of visitors to that website.
  • Opportunities for new services. With their customers’ consent, traditional telecoms operators will have more opportunities to use communications content and/or metadata to provide additional services.
  • Protection against spam. The proposed Regulation bans unsolicited electronic communication by any means, including emails, SMS and also phone calls, if users have not given their consent. Member States may opt for a solution that gives consumers the right to object to the reception of voice-to-voice marketing calls, for example by registering their number on a do-not-call list. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.
  • More effective enforcement. The enforcement of the confidentiality rules in the Regulation will be the responsibility of the national data protection authorities.

The Commission emphasises that the proposed Regulation on Privacy and Electronic Communications will increase the protection of people’s private life and open up new opportunities for business.

Breaches of the ePrivacy Regulation will be punishable under the GDPR, with penalties of up to EUR 20 million or 4% of the total worldwide annual turnover of the company group, whichever is higher.


EU will start adequacy talks with Japan and Korea

In its communication published yesterday, January 10, 2017, the European Commission announced that it will proactively engage in discussions on reaching “adequacy decisions” with key trading partners in East and South-East Asia, starting with Japan and Korea in 2017. Adequacy decisions allow the free flow of personal data from the European Union (EU) to countries with data protection rules that are adequate or “essentially equivalent” to those in the EU.

Besides East and South-East Asia, the Commission will also open discussions with interested countries in Latin America and Europe. The Commission also states that it can now adopt adequacy decisions for the law enforcement sector, for a particular territory of a third country, or for a specific sector or industry within a third country.

Read the EU Commission’s communication

Italy recognises adequacy of the Privacy Shield

The Italian Data Protection Authority (Garante per la protezione dei dati personali) has authorized the transfer of personal data to the US under the Privacy Shield, thereby recognizing that it provides an adequate level of protection for personal data. However, the Italian Data Protection Authority has reserved the right to further monitor and review the adequacy of the data transfer scheme.

Source: ITALY – Personal data “CAN” be transferred under the Privacy Shield

DPAs to issue GDPR guidance

The Chair of the Article 29 Working Party, Isabelle Falque-Pierrotin, has promised that the EU Data Protection Authorities will issue the first parts of their guidance on the EU General Data Protection Regulation (GDPR) soon after their plenary meeting on 12-13 December. She also invited companies to provide their input to the Article 29 Working Party’s action plan for next year.

Companies are awaiting guidance from the Working Party and the Data Protection Authorities so that they can adjust their business practices and policies to the upcoming data protection law sooner and better. Guidance can be expected on Data Protection Officers (DPOs), data portability and the designation of lead data protection authorities.


MEPs back EU-US Umbrella Agreement on data exchanges for law enforcement purposes

On December 1, 2016, the European Parliament voted to back the EU-US Umbrella Agreement on data protection in exchanges for law enforcement purposes. The Agreement covers the transfer of all personal data exchanged between the EU and the US regarding criminal offences.

The deal is to ensure high, binding data protection standards in the data exchanged. The Agreement itself is not a legal basis for data transfers, but protects those data that are already exchanged legally, says Parliament’s lead MEP Jan Philipp Albrecht.

The Umbrella Agreement will ensure that citizens in both the EU and the US have equal rights to:

– be informed in the event of data security breaches,
– have inaccurate information corrected, and
– judicial redress in court.

The Agreement also sets limits on onward transfers of data and retention periods.

Source: MEPs back EU-US data protection deal on exchanges for law enforcement purposes

Germany publishes second draft of a new data protection act

Germany has published the second draft of its new Federal Data Protection Act. The first draft, published in September 2016, was heavily criticized. The new draft law aims to align German data protection law with the EU General Data Protection Regulation (GDPR) and EU Directive 2016/680. To become law, the draft has to be approved by the Department of Justice and the parliament.

Read full story

France adopts class action regime for data protection infringement

On November 19, 2016, France enacted a law giving a legal basis for class actions against both data controllers and processors that breach the French Data Protection Act. Under the new law, class actions can be brought when several individuals in a similar position incur damages resulting from a data controller’s or data processor’s infringement.

The new class action right does not allow individuals to claim financial compensation; however, they may seek injunctive relief.

Read more

UK state surveillance extending ‘Snooper’s charter’ bill becomes law

The Investigatory Powers Act 2016, the so-called “snooper’s charter” bill, became law on Tuesday. This law heavily extends state surveillance in the UK. It requires web and phone companies to store everyone’s web browsing histories for 12 months and to give the police, security services and official agencies unprecedented access to the data.

Although the home secretary, Amber Rudd, states that the new law provides “unprecedented transparency and substantial privacy protection”, activists say this bill is too intrusive and dangerous to privacy. Also, it will allow authoritarian regimes around the world to justify their extensive surveillance practices.

A petition calling for it to be repealed collected more than 130,000 signatures.

Source: ‘Snooper’s charter’ bill becomes law, extending UK state surveillance