Tag Archives: cooperation

2017 the year of mutual assistance testing

Blog_zJacek Safell, Specialist
Department of Social Education and International Cooperation
Bureau of the Inspector General for Personal Data Protection

The year 2016 came to an end and people are turning their heads towards 2017 with new energy and hope. And as we all know there is significant change on the horizon of European data protection. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; GDPR), is slowly yet unavoidably approaching. It won’t get here quite yet in 2017 but that doesn’t mean this upcoming year will be less important for that. On the contrary, we are facing a year of important decisions and tests. How Europe manages to handle these tasks will have a direct influence on the future of data protection under the GDPR.

In order to prepare data protection authorities (DPAs) for the upcoming changes the Article 29 Working Party (WP29) has been keeping busy, creating guidelines and FAQs that will aid DPAs during the transition. During the December 2016 plenary meeting, WP29 discussed certain critical matters with regard to the implementation GDPR and consistent with its 2016 Action Plan decided in February 2016, the WP29 adopted during the December plenary:

  • Guidelines on the right to data portability (WP 242),
  • Guidelines for identifying a controller or processor’s lead supervisory authority  (WP 244), and
  • Guidelines on Data Protection Officers (DPOs) (WP 243).

 As the PHAEDRA project’s main goal is to identify, develop and recommend measures for improving practical co-operation EU DPAs we believe that the abovementioned guidelines are worth summarising. However, since the issues of DPOs as well data portability don’t relate so directly to DPAs co-operation, we’ll skip it in the following article.

Lead Supervisory Authority

One of the key topics discussed and agreed upon by the WP29 is the issue of cross-border processing of personal data in connection to identifying a lead supervisory authority. As Article 4(23) GDPR clearly states, there are two scenarios in which we’ll be dealing with ‘cross-border processing’. Out of these two cases, one’s “cross-border” character is based on the vague term of “substantial affect”.

A question may arise – what does the Regulation mean by “substantially affects”? Now we won’t find a direct answer in the text of the GDPR so, according to the Opinion WP 244, DPAs will have to determine this on a case-by-case basis. The intention of the wording was to ensure that not all processing activities, with any effect and that take place within the context of a single establishment, fall within the definition of “cross-border processing”. But if we look at a general definition of the word “affect”, we’ll see that there must be influence, that the data processing must impact someone in some way. That way being of “substantial” nature.

So once we establish that we are in fact dealing with cross-border processing, it is mandatory to identify the lead supervisory authority.

Ok, so why do we need this lead supervisory authority? To put it in simple terms, a ‘lead supervisory authority’ is the authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data and the controller/processor is established in more than one EU Member State. The lead supervisory authority will coordinate any investigation, involving other supervisory authorities, according to the consistency mechanism.

Although Article 56 GDPR gives means of determining the lead supervisory authority, often things won’t be so clear and it might be up to data controllers to establish clearly where decisions on the purposes and means of personal data processing activities are being made, thus allowing the lead authority to be appointed. The process of determining where the main establishment is may require active inquiry and co-operation by the supervisory authorities. Conclusions cannot be based solely on statements by the organization under review. The burden of proof ultimately falls on controllers and processors. They should be able to demonstrate to supervisory authorities where decisions about data processing are actually taken and implemented. Effective records of data processing activity would help both organizations and supervisory authorities to determine the lead authority.

One may ask what about other DPAs? Are they excluded from any operations once the lead supervisory authority is established? Well no, quite the contrary. As Article 4(22) GDPR states, other supervisory authorities can be “concerned”. The concept of a concerned supervisory authority is meant to ensure that the ‘lead authority’ model does not prevent other supervisory authorities having a say in how a matter is dealt with when, for example, individuals residing outside the lead authority’s jurisdiction are substantially affected by a data processing activity.

The GDPR requires lead and concerned supervisory authorities to co-operate, with due respect for each other’s views, to ensure a matter is investigated and resolved to each authority’s satisfaction – and with an effective remedy for data subjects. Supervisory authorities should endeavor to reach a mutually acceptable course of action. The formal consistency mechanism should only be invoked where co-operation does not reach a mutually acceptable outcome.

Mutual acceptance of decisions can apply to substantive conclusions, but also to the course of action decided upon, including enforcement activity (e.g. full investigation, investigation with limited scope, a warning or a press statement). It can also apply to a decision not to handle a case in accordance with GDPR, for example because of a formal policy of prioritisation, or because there are other concerned authorities as described above. The development of consensus and good will between supervisory authorities is essential to the success of the GDPR co-operation and consistency process.

To summarise this post, we would like to point out that although the GDPR creates a framework for co-operation and goals which are to be achieved, success depends solely on the DPAs co-operation. With further guidelines from WP29 and enough time to implement, the GDPR can have a positive impact on the data protection in Europe. We will closely follow the WP29’s work and assist DPAs in their difficult task.



Agencia Española de Protección de Datos (AEPD)

The AEPD starts an investigation to evaluate the Yahoo´s largest data breach

On 15 December 2016, Yahoo admitted that a large cyber attack affected more than a billion personal accounts worldwide which include different personal information such as names, email addresses, phone numbers, photos and other personal files stored online and even passwords and other encrypted or unencrypted security codes. This disclosure follows September’s incident in which the company admitted the theft ascribed to an unnamed foreign government that affected more than 500 million users dating back to 2014.

Yahoo breach is now being investigated and causes are under investigation. Meanwhile, it’s notifying users who may have been affected by the breach and making them changes their passwords.

The Director of the Spanish Data Protection Agency (AEPD) has expressed her intention to open an investigation to clarify the massive theft of data. In this regard, the AEPD is considering whether to impose sanctions if it determines that Yahoo has not informed users of a security breach.

Commission Nationale de l’Informatique et des Libertés (CNIL)

Rules for the use of personal data in electoral campaigns

On July 2016, the France’s National Data Protection Commission (CNIL) issued a formal notice to Microsoft Cooperation urging Microsoft to make Windows 10 to comply with French data protection law. The CNIL criticized the company for tree actions:

a) tracking its users web browsing habits without their consent,

b) failing to offer proper security protections, and

c) delivering targeted advertising materials without the user’s consent.

This notification does not seek to prohibit Microsoft from using its services to advertise but seeks to enable users to make their choice freely, having been properly informed of their rights.

Consequently, the CNIL gave the company three months to comply with its orders to stop collecting personal data without the consent of those users concerned. Otherwise, the company may impose any applicable sanctions of up to 150,000 euros.

Agencia Española de Protección de Datos (AEPD)

Facebook Stops WhatsApp Data Sharing Across Europe

On 16 November 2016, WhatsApp announced it had temporarily blocked user data from being shared with its parent company Facebook along Europe. It means that Facebook would only make use of WhatsApp data to prevent spam.

As a consequence, the Spanish Data Protection Agency (AEPD) initiated in early October an investigation to examine the communications and the treatment of personal data made between WhatsApp and Facebook. More specifically, it will study what information collected from WhatsApp users is sent to Facebook, for what purpose, how long it is kept and what options users are offered if they wish to object.

Background of the case

In 2014, Facebook bought WhatsApp and it pledged not to share user data with its new parent. Last August, the company made changes to its terms and conditions which allowed user data to be shared with its parent company as well as Facebook group of companies including Messenger and Instagram for services including advertising and product development purposes. The messaging app argued that it would allow for a better advertising experience and would help fight spam.

According to the WhatsApp blog´s “By coordinating more with Facebook, we’ll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp”. “Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them. For example, you might see an ad from a company you already work with, rather than one from someone you’ve never heard of”.

German Data Protection Authorities

German DPAs audit 500 Companies on Data Exports to countries outside the EU

On November 3, 2016, the Berlin data protection authority (DPA) in cooperation with the rest of the German DPAs (to be precise, a total of 10 German DPAs) announced in a press released that they will send formal questionnaires to approximately 500 small, medium-sized and large German companies to evaluate their cross-border data transfers.

The DPAs pointed out in the formal press release that all German companies involved in the processing of personal data must pay adequate attention to data privacy issues raised by cloud computing and software as a service (SaaS).

In this regard, DPAs warn that some German companies are not fully aware of applicable data privacy laws as they are frequently operating with cross-border data exports in cloud and SaaS services and the personal data collected is frequently being transferred to third countries outside the European Union (EU) without complying with data protection laws.

Commission Nationale de l’Informatique et des Libertés (CNIL)

Guidance on political campaigning

On October 20, 2016, the French Commission Nationale de l’Informatique et des Libertés (CNIL) issued a guidance on political campaigning which regulates how the political parties have to address to electors and to process their personal data according to the French Data Protection Act.

Also, the guidance contains how to process the personal data in a wide range of fields that political parties or candidates uses during the political campaign and specially, communication by phone, text or video message (SMS, MSM), the automatic calling machines and social networks and establishes clearly how to comply with the requirements stated in the national law.

In this regard, the CNIL stresses that political parties who can purchase or lease a customer file or prospects must provide transparency on the processing of personal data. Besides, the CNIL aims to reinforce the following information:

–       When the data are initially collected, the customers and prospects shall be warned from the outset, the potential use of their personal data for purposes of political communication,

–       All political communication messages must include specific mention of the origin of the data used (e.g. consular electoral lists of such year, commercial database in such a society, since such voluntary subscription website, etc.) not only when they receive the first message but also for each communication message.

Apart from that, the guideline sets out in detail the information that must contain the party activities and campaigns (specially the political communication messages) and how to oppose to the reception again political communication via email.

Information Commissioner’s Office (ICO)

ICO’s blog on its international work

Blog post from multiple authors at the ICO detailing some of the ICO’s recent international cooperation work: including the attending and participating in the 38th International Privacy Conference in Marrakesh (including a GPEN session), and a visit by ICO staff to the Office of the Personal Data Protection Inspector in Georgia.

Cooperation among EU DPAs: current status (2015-2016)

1408730997720Andrés Cuella Brenchat, consultant for the Data Protection and Fundamental Rights Group (PRODADEF), University Jaume I (Spain)

The PHAEDRA II project has been devoted to improving practical cooperation and coordination between Data Protection Agencies (DPAs), Privacy Commissioners (PCs) and Privacy Enforcement Authorities (PEAs) in the European Union (EU), especially with regard to the enforcement of privacy and data protection laws. In order to follow up and assess cooperation among EU DPAs, PHAEDRA II created a commented repository of leading decisions in individual cases with cross-border implications among national DPAs in the EU. Since its beginnings, a shortage of “pure” cases of cooperation was noted. Not surprisingly though, as under the current Data Protection Directive 95/46/EC the obligation to cooperate in Article 28 is rather imprecise. From May 2018, the 28 European Union (EU) Member States will have to abide to the recent reform of the basic EU data protection legal framework. The new General Data Protection Regulation (GDPR) 2016/679 introduces major changes in how data protection law is applied and enforced among the EU Member States. It also introduces major changes in the character and scope of cooperation between EU DPAs. Cooperation will not merely be a possibility, but an obligation under EU law. Intensified cooperation among authorities at the European level will be necessary to adequately address cross-border issues.

The repository has shown that cooperation among EU DPAs has actually taken place during the last two years. It has identified cases of cooperation that have taken very different forms and degrees.

The most relevant one, under the current regime, might be the joint investigation teams created by different DPAs. For instance, in 2015 Facebook faced numerous privacy-related investigations in Europe in order to verify if the company was complying with EU and national law. DPAs from France, Spain, the Netherlands, Belgium and Germany (Hamburg’s DPA) joined efforts and created a Working Group to tackle potential breaches or shortcomings in Facebook’s policies. The Article 29 Data Protection Working Party (WP29) also participated in the investigation exercise. We consider this initiative to be one of the most important forms of cooperation and collaboration among EU DPAs.

International platforms have also acquired a major role in the cooperation among DPAs. The PHAEDRA II repository has focused in the activity of two key networks. The first is the International Cybersecurity Enforcement Network (or the so-called LAP-London Action Plan), which seeks to promote international spam enforcement cooperation and address spam related issues (such as online fraud and deception, phishing or dissemination of viruses). Both private sector representatives and government and public agencies are represented. DPAs from Ireland, Spain and the UK are part of this network. Moreover, other EU Member States – Belgium, Finland, Hungary, Latvia, the Netherlands, Portugal and Sweden – are represented through other governmental bodies, mainly consumer agencies. The latest form of cooperation occurred in June 2016, when 11 enforcement authorities across the globe, including those from the UK and the Netherlands, signed a Memorandum of Understanding (MoU) to provide a framework for information and intelligence sharing and to reinforce cross-border cooperation to address unwanted messages and calls. This MoU strengthens the international fight against a global problem.

The second network is more globally represented: the Global Privacy Enforcement Network (GPEN), which aims at facilitating cross border cooperation in the enforcement of privacy laws. The Network enables privacy regulators worldwide to work and cooperate as they address risks to the personal information of their citizens. 17 out of the 28 EU DPAs are members to the GPEN. An example of recent cooperation where the GPEN had the coordinating role is the “Privacy Sweep” or international evaluation dedicated to verify the respect of privacy in the Internet of Things. In this Sweep, which took place on 11-15 April 2016, participated, among others, DPAs from France, Ireland, Italy and Belgium. This exercise is a continuation of the good collaboration between DPAs (in May 2014, 26 DPAs conducted an “Internet Sweep Day” that analysed information related to mobile application; in September 2015, another “Sweep Day” focused on online services for children). Another example is the MoU signed in October 2015 between the Dutch DPA with seven other privacy regulators for exchange of information in the GPEN Alert System or the “Sweeps”. In general terms, DPAs participate, to a greater or lesser extent, to different conferences and seminars organized worldwide where they have the opportunity to share about good practices or new policies, present new projects or to formalize bilateral agreements.

The soon to be replaced WP29 configures itself also as an important actor for cooperation. Indeed, it meets about multiple times a year in Brussels and its latest position in a specific matter was adopted in June through the “Opinion 03/2016 on the evaluation and review of the ePrivacy Directive (2002/58/EC)”. The Working Party will be replaced by the European Data Protection Board (EDPB) and will become a EU body with legal personality. It will be composed of national data protection authorities and the European Data Protection Supervisor (EDPS).

This non-exhaustive description of forms of cooperation allows us to conclude that EU DPAs share common activities and goals and do engage in mutual cooperation. However, there are areas where cooperation could be increased to better achieve their mutual goals. For instance, guidelines are one of the favored instruments of DPAs. Positions papers or guidelines on different aspects of the General Data Protection Regulation (GDPR) have been released by, among others, the UK, Spain, Germany or Belgium. The WP29 has also released an Action plan concerning the implementation of the new Regulation. Other topics have brought the attention of many DPAs and have published their own guidelines, for instance, the implications of the Schrems Judgement, the implications of the right to be forgotten (France, Spain, Denmark, WP29) or the data protection issues relating to the utilization of drones (Sweden, WP29, Ireland). Moreover, the same issue may be tackled through different channels. For instance, video surveillance has raised interrogations in Spain (the Supreme Court has ruled and clarified data protection issues), France (guidelines have been issued) and Italy (the Italian DPA notes in its Annual Report that it handled more than 30.000 queries concerning, among others, video-surveillance). Finally, the European Data Protection Day, held every year on 28 January, is an event seeking to raise awareness and promote privacy and data protection. In 2016, 22 out of the 28 EU DPAs participated in the event. Nevertheless, the activities were not especially coordinated and were addressed to domestic audience. PHAEDRA’s study on best practices of cooperation found that the benefits of coordination in this area are however limited by the need for DPAs to communicate with the media and the public in the relevant Member State languages and to be responsive to local contexts, media usage and channels, and public attitudes.

Apart from the novel joint investigation teams, the rest of the cooperation activities were organized in the framework of existing platforms and bodies. The Investigations Teams therefore constitute the most telling example of spontaneous cooperation among DPAs. Moreover, it can be inferred from the above that DPAs collaborate mainly in three issues: investigation of common threats (Facebook, Sweeps), tackling very specific issues (MoU) and participation in common approaches (WP29).

Even if the new GDPR changes how data protection law is applied and enforced among the EU Member States, uncertainties persist as to how this new legal framework will be applied in practice and how it will impact the day-to-day activities of EU DPAs. The recent GDPR makes cooperation among DPAs mandatory but does not provide comprehensive rules on the modalities and procedures involved. As the recently published PHAEDRA study shows, there is a need for supplementary operational and legal guidance. Be that as it may, many questions arise: are there other circumstances hampering a more enhanced cooperation (different national legislation, political willingness…)? Are DPAs in a position to reinforce their cooperation? Will the entry into force of the GDPR boost cooperation? The extent and purpose of this entry in this blog cannot cover in these many issues but two main remarks may be added. Firstly, with the entering into force of the GDPR in less than two years, cooperation will be granted the importance it deserves. Indeed, Chapter VII of the GDPR boosts many aspects of cooperation (most notably, the consistency or the one-stop-shop mechanisms) that are missing in the Data Protection Directive. Secondly, cooperation is not circumscribed to a single chapter or provision acting independently of the rest of the Regulation. Quite the contrary, cooperation is predicated throughout the rest of the text, present in the tasks and duties carried out by each EU DPA. Consequently, a multiplication of “pure” cooperation cases in a very near foreseeable future should not be surprising. In order to follow-up, just check PHAEDRA’s repository!

Image credit: A New Resource For Educators, Practitioners & Researchers (via CaseRe3: Case Report Research Repository)

Commission Nationale de l’Informatique et des Libertés (CNIL)

CNIL issues Internet Sweep Outcomes on Connected Devices
On September 23, 2016, the French Data Protection Authority (CNIL) issued the outcomes of the Internet sweep on connected devices that was created last May to evaluate the quality of the information that operators provide to end users but also the level of user empowerment and the degree of security of the personal data.
This initiative, announced by the CNIL last April, organised by the Global Privacy Enforcement Network (GPEN), lies within a coordinated online audit to analyse the impact of ordinary IT- devices.
It was made up of data protection authorities throughout the world and more than 300 connected devices were examined and audited. Specifically in France, 12 connected devices were tested by the CNIL in the field of home automation, health and well-being and this administrative regulatory body concluded that:
1. Users of connected devices are not adequately informed of the processing of their personal data as the product did not provide users appropriate information about how their personal data will be processed.
2. Users have an acceptable degree of control over their personal data as the personal data was subject to the user’s consent.
Like the other DPAs, the CNIL announced that it reserves the right to conduct more inspections in order to assess the compliance of connected devices to the French Data Protection Act.

Agencia Española de Protección de Datos (AEPD)

Changes in Whatsapp´s Privacy Policy

In 2014, Facebook bought WhatsApp and it pledged not to share user data with its new parent. However, last August, the company announced a big change to its privacy policy as the new terms and conditions allows to share some user data (such as the phone number and the last time the client used the application) with its Facebook family of companies for undetermined range of services.

According to the WhatsApp blog´s “By coordinating more with Facebook, we’ll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp”. “Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them. For example, you might see an ad from a company you already work with, rather than one from someone you’ve never heard of”.

Facebook has maintained that its end-to-end encryption system will remain in place for the purpose of respecting the user´s privacy and giving an improved experience without third-party banner ads and spam.