Author Archives: Cristina Pauner

Autoriteit Persoonsgegevens

Letter from European Data Protection Authorities to WhatsApp

Press release announcing that the Article 29 Working Party has sent a joint letter to WhatsApp calling for more clarity in WhatsApp’s privacy policy, and in particular regarding sharing European data with the parent company Facebook, following on from a change in privacy policy in October 2016.

Commission Nationale de l’Informatique et des Libertés (CNIL)

The passing of the Digital Republic Bill: its implications for organizations

In October 2016, the new Digital Republic Bill (hereinafter, the Bill) was passed in France, introducing significant changes for organisations.

Now, data subjects have the right to access and control their personal information, including how long their data is stored and how it will be used, as well as the right to be forgotten, i.e. the right to request that personal data be removed without delay in the case of minors.

It also contains a provision allowing any interested person to obtain, free of charge, a copy of any of his data resulting from the use of an online service, except for data that has been significantly enriched by the service provider.

In addition, the sanctions that can be imposed by the Commission Nationale de l’Informatique et des Libertés (CNIL) have increased from €150,000 to €3 million, in accordance with the new General Data Protection Regulation (GDPR) that will come into force in 2018.

The Information Commissioner of the Republic of Slovenia

The IPRS issues a report on the Use of Drones

On 30 July 2015, the Information Commissioner (IP) issued a report on the use of drones in relation to the Data Protection Act.

It highlighted the features of such processing of personal data, which may involve weapon systems, systems for transportation and delivery, and systems for control and data acquisition, and outlined a wide range of risks which differ depending on what kind of data acquisition systems are used, giving special emphasis to data capture by the police, especially in the case of mass capture and processing of data.

One section of the report analyses the risks associated with protecting information privacy and explains in detail, for a wide range of stakeholders, the principle of legality, the press exception and the principle of proportionality according to the national Data Protection Act.

Ultimately, the report examined the use of unmanned aircraft by law enforcement authorities, as this has important implications not only for the full range of constitutionally protected human rights but also as an ethical imperative, and gave the following recommendations, based on the work of the International Working Party on Data Protection and Telecommunications and the Article 29 Working Party:

a) The use of drones should be regulated in a way that ensures safe use and at the same time provides adequate safeguards for the provision and protection of fundamental rights.

b) They must ensure compliance with reasonable expectations of privacy, both in private contexts and in public places.

c) The collection and further processing of personal data by the public sector shall be defined by law or under the terms of Article 9 of the PDPA-1.

d) They shall comply with the requirements regarding the protection of personal data (e.g. statements and actions to raise awareness among managers, certification of operators, etc.) and, if necessary, identify the exemption for journalistic purposes.

e) In cooperation with the data protection supervisory authorities, an appropriate scheme for carrying out Data Protection Impact Assessments should be developed, which will help operators of unmanned aircraft.

f) It is also necessary to improve the cooperation between the Civil Aviation Agency and the supervisory authorities for data protection and to involve all stakeholders, including representatives of the media, non-governmental organizations, operators and service providers, among others.

g) Ultimately, it is indispensable to encourage the development of self-regulatory codes of conduct and other initiatives to ensure the responsible use of drones.

2017: the year of mutual assistance testing

Jacek Safell, Specialist
Department of Social Education and International Cooperation
Bureau of the Inspector General for Personal Data Protection

The year 2016 came to an end and people are turning their heads towards 2017 with new energy and hope. And as we all know there is significant change on the horizon of European data protection. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; GDPR), is slowly yet unavoidably approaching. It won’t get here quite yet in 2017 but that doesn’t mean this upcoming year will be less important for that. On the contrary, we are facing a year of important decisions and tests. How Europe manages to handle these tasks will have a direct influence on the future of data protection under the GDPR.

In order to prepare data protection authorities (DPAs) for the upcoming changes, the Article 29 Working Party (WP29) has been keeping busy, creating guidelines and FAQs that will aid DPAs during the transition. During the December 2016 plenary meeting, WP29 discussed certain critical matters with regard to the implementation of the GDPR and, consistent with its 2016 Action Plan decided in February 2016, adopted the following:

  • Guidelines on the right to data portability (WP 242),
  • Guidelines for identifying a controller or processor’s lead supervisory authority (WP 244), and
  • Guidelines on Data Protection Officers (DPOs) (WP 243).

As the PHAEDRA project’s main goal is to identify, develop and recommend measures for improving practical co-operation between EU DPAs, we believe that the abovementioned guidelines are worth summarising. However, since the issues of DPOs and data portability do not relate so directly to DPA co-operation, we’ll skip them in the following article.

Lead Supervisory Authority

One of the key topics discussed and agreed upon by the WP29 is the issue of cross-border processing of personal data in connection with identifying a lead supervisory authority. As Article 4(23) GDPR clearly states, there are two scenarios in which we’ll be dealing with ‘cross-border processing’. Out of these two cases, one’s “cross-border” character is based on the vague term “substantially affects”.

A question may arise – what does the Regulation mean by “substantially affects”? We won’t find a direct answer in the text of the GDPR, so, according to Opinion WP 244, DPAs will have to determine this on a case-by-case basis. The intention of the wording was to ensure that not all processing activities, with any effect and taking place within the context of a single establishment, fall within the definition of “cross-border processing”. But if we look at a general definition of the word “affect”, we’ll see that there must be influence, that the data processing must impact someone in some way, and that the impact must be of a “substantial” nature.

So once we establish that we are in fact dealing with cross-border processing, it is mandatory to identify the lead supervisory authority.

Ok, so why do we need this lead supervisory authority? To put it in simple terms, a ‘lead supervisory authority’ is the authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data and the controller/processor is established in more than one EU Member State. The lead supervisory authority will coordinate any investigation, involving other supervisory authorities, according to the consistency mechanism.

Although Article 56 GDPR gives means of determining the lead supervisory authority, often things won’t be so clear and it might be up to data controllers to establish clearly where decisions on the purposes and means of personal data processing activities are being made, thus allowing the lead authority to be appointed. The process of determining where the main establishment is may require active inquiry and co-operation by the supervisory authorities. Conclusions cannot be based solely on statements by the organization under review. The burden of proof ultimately falls on controllers and processors. They should be able to demonstrate to supervisory authorities where decisions about data processing are actually taken and implemented. Effective records of data processing activity would help both organizations and supervisory authorities to determine the lead authority.

One may ask what about other DPAs? Are they excluded from any operations once the lead supervisory authority is established? Well no, quite the contrary. As Article 4(22) GDPR states, other supervisory authorities can be “concerned”. The concept of a concerned supervisory authority is meant to ensure that the ‘lead authority’ model does not prevent other supervisory authorities having a say in how a matter is dealt with when, for example, individuals residing outside the lead authority’s jurisdiction are substantially affected by a data processing activity.

The GDPR requires lead and concerned supervisory authorities to co-operate, with due respect for each other’s views, to ensure a matter is investigated and resolved to each authority’s satisfaction – and with an effective remedy for data subjects. Supervisory authorities should endeavor to reach a mutually acceptable course of action. The formal consistency mechanism should only be invoked where co-operation does not reach a mutually acceptable outcome.

Mutual acceptance of decisions can apply to substantive conclusions, but also to the course of action decided upon, including enforcement activity (e.g. full investigation, investigation with limited scope, a warning or a press statement). It can also apply to a decision not to handle a case in accordance with GDPR, for example because of a formal policy of prioritisation, or because there are other concerned authorities as described above. The development of consensus and good will between supervisory authorities is essential to the success of the GDPR co-operation and consistency process.

To summarise this post, we would like to point out that although the GDPR creates a framework for co-operation and goals which are to be achieved, success depends solely on the DPAs’ co-operation. With further guidelines from WP29 and enough time to implement them, the GDPR can have a positive impact on data protection in Europe. We will closely follow the WP29’s work and assist DPAs in their difficult task.

Agencia Española de Protección de Datos (AEPD)

The AEPD starts an investigation to evaluate Yahoo’s largest data breach

On 15 December 2016, Yahoo admitted that a large cyber attack had affected more than a billion personal accounts worldwide, exposing personal information such as names, email addresses, phone numbers, photos and other personal files stored online, and even passwords and other encrypted or unencrypted security codes. This disclosure follows September’s incident, in which the company admitted a theft, ascribed to an unnamed foreign government, that affected more than 500 million users and dated back to 2014.

The Yahoo breach and its causes are now under investigation. Meanwhile, the company is notifying users who may have been affected by the breach and requiring them to change their passwords.

The Director of the Spanish Data Protection Agency (AEPD) has expressed her intention to open an investigation to clarify the massive theft of data. In this regard, the AEPD is considering whether to impose sanctions if it determines that Yahoo has not informed users of a security breach.

Commission Nationale de l’Informatique et des Libertés (CNIL)

Rules for the use of personal data in electoral campaigns

In July 2016, France’s National Data Protection Commission (CNIL) issued a formal notice to Microsoft Corporation urging it to make Windows 10 comply with French data protection law. The CNIL criticized the company for three actions:

a) tracking its users’ web browsing habits without their consent,

b) failing to offer proper security protections, and

c) delivering targeted advertising materials without the user’s consent.

This notification does not seek to prohibit Microsoft from using its services to advertise but seeks to enable users to make their choice freely, having been properly informed of their rights.

Consequently, the CNIL gave the company three months to comply with its orders and stop collecting personal data without the consent of the users concerned. Otherwise, the CNIL may impose applicable sanctions of up to €150,000.

Agencia Española de Protección de Datos (AEPD)

Facebook Stops WhatsApp Data Sharing Across Europe

On 16 November 2016, WhatsApp announced it had temporarily blocked user data from being shared with its parent company Facebook across Europe. This means that Facebook would only make use of WhatsApp data to prevent spam.

As a consequence, the Spanish Data Protection Agency (AEPD) initiated, in early October, an investigation to examine the communications between WhatsApp and Facebook and the processing of the personal data involved. More specifically, it will study what information collected from WhatsApp users is sent to Facebook, for what purpose, how long it is kept and what options users are offered if they wish to object.

Background of the case

In 2014, Facebook bought WhatsApp, which pledged not to share user data with its new parent. Last August, the company made changes to its terms and conditions which allowed user data to be shared with its parent company as well as the Facebook group of companies, including Messenger and Instagram, for services including advertising and product development. The messaging app argued that this would allow for a better advertising experience and would help fight spam.

According to the WhatsApp blog: “By coordinating more with Facebook, we’ll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp”. “Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them. For example, you might see an ad from a company you already work with, rather than one from someone you’ve never heard of”.