Tag Archives: WP29

2017 the year of mutual assistance testing

Jacek Safell, Specialist
Department of Social Education and International Cooperation
Bureau of the Inspector General for Personal Data Protection

The year 2016 has come to an end and people are turning towards 2017 with new energy and hope. As we all know, there is significant change on the horizon of European data protection. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; GDPR), is slowly yet unavoidably approaching. It won’t get here in 2017, but that doesn’t make the upcoming year any less important. On the contrary, we are facing a year of important decisions and tests. How Europe manages to handle these tasks will have a direct influence on the future of data protection under the GDPR.

In order to prepare data protection authorities (DPAs) for the upcoming changes, the Article 29 Working Party (WP29) has been keeping busy, creating guidelines and FAQs that will aid DPAs during the transition. During the December 2016 plenary meeting, the WP29 discussed certain critical matters with regard to the implementation of the GDPR and, consistent with its 2016 Action Plan decided in February 2016, adopted:

  • Guidelines on the right to data portability (WP 242),
  • Guidelines for identifying a controller or processor’s lead supervisory authority (WP 244), and
  • Guidelines on Data Protection Officers (DPOs) (WP 243).

As the PHAEDRA project’s main goal is to identify, develop and recommend measures for improving practical co-operation between EU DPAs, we believe that the abovementioned guidelines are worth summarising. However, since the issues of DPOs as well as data portability don’t relate so directly to DPA co-operation, we’ll skip them in this article.

Lead Supervisory Authority

One of the key topics discussed and agreed upon by the WP29 is the issue of cross-border processing of personal data in connection with identifying a lead supervisory authority. As Article 4(23) GDPR clearly states, there are two scenarios in which we’ll be dealing with ‘cross-border processing’. In one of these two cases, the “cross-border” character is based on the vague term “substantially affects”.

A question may arise: what does the Regulation mean by “substantially affects”? We won’t find a direct answer in the text of the GDPR so, according to the Opinion WP 244, DPAs will have to determine this on a case-by-case basis. The intention of the wording was to ensure that not all processing activities that have any effect and take place within the context of a single establishment fall within the definition of “cross-border processing”. But if we look at a general definition of the word “affect”, we’ll see that there must be influence: the data processing must impact someone in some way, and that impact must be of a “substantial” nature.

So once we establish that we are in fact dealing with cross-border processing, it is mandatory to identify the lead supervisory authority.

Ok, so why do we need this lead supervisory authority? To put it in simple terms, a ‘lead supervisory authority’ is the authority with the primary responsibility for dealing with a cross-border data processing activity, for example when a data subject makes a complaint about the processing of his or her personal data and the controller/processor is established in more than one EU Member State. The lead supervisory authority will coordinate any investigation, involving other supervisory authorities, according to the consistency mechanism.

Although Article 56 GDPR gives means of determining the lead supervisory authority, often things won’t be so clear and it might be up to data controllers to establish clearly where decisions on the purposes and means of personal data processing activities are being made, thus allowing the lead authority to be appointed. The process of determining where the main establishment is may require active inquiry and co-operation by the supervisory authorities. Conclusions cannot be based solely on statements by the organization under review. The burden of proof ultimately falls on controllers and processors. They should be able to demonstrate to supervisory authorities where decisions about data processing are actually taken and implemented. Effective records of data processing activity would help both organizations and supervisory authorities to determine the lead authority.

One may ask: what about other DPAs? Are they excluded from any operations once the lead supervisory authority is established? Well no, quite the contrary. As Article 4(22) GDPR states, other supervisory authorities can be “concerned”. The concept of a concerned supervisory authority is meant to ensure that the ‘lead authority’ model does not prevent other supervisory authorities from having a say in how a matter is dealt with when, for example, individuals residing outside the lead authority’s jurisdiction are substantially affected by a data processing activity.

The GDPR requires lead and concerned supervisory authorities to co-operate, with due respect for each other’s views, to ensure a matter is investigated and resolved to each authority’s satisfaction – and with an effective remedy for data subjects. Supervisory authorities should endeavor to reach a mutually acceptable course of action. The formal consistency mechanism should only be invoked where co-operation does not reach a mutually acceptable outcome.

Mutual acceptance of decisions can apply to substantive conclusions, but also to the course of action decided upon, including enforcement activity (e.g. full investigation, investigation with limited scope, a warning or a press statement). It can also apply to a decision not to handle a case in accordance with GDPR, for example because of a formal policy of prioritisation, or because there are other concerned authorities as described above. The development of consensus and good will between supervisory authorities is essential to the success of the GDPR co-operation and consistency process.

To summarise this post, we would like to point out that although the GDPR creates a framework for co-operation and goals which are to be achieved, success depends solely on the DPAs’ co-operation. With further guidelines from the WP29 and enough time to implement them, the GDPR can have a positive impact on data protection in Europe. We will closely follow the WP29’s work and assist DPAs in their difficult task.



Article 29 Working Party (WP29)

WP29 issues Opinion on the evaluation and review of the ePrivacy Directive

On July 19th, 2016, the WP29 presented an Opinion on the evaluation and review of the e-Privacy Directive (2002/58/EC). For the WP29, a thorough revision of the rules in the e-Privacy Directive is necessary in order to take into account the technological developments in the digital market and the recent adoption of the General Data Protection Regulation (GDPR).

Background information

The revision of the e-Privacy Directive is part of the Digital Single Market Strategy, announced by the European Commission (EC) in May 2015. The EC started the review of the Directive in 2015 by requesting a study on the transposition and effectiveness of the privacy-related articles of the e-Privacy Directive as well as on the relationship between the Directive and the GDPR. A report[1] was published in June 2015. In April 2016 the EC launched a public consultation, open to citizens, legal entities and public authorities. The Commission consulted stakeholders on both the retrospective evaluation and the possible changes to the current e-Privacy Directive. The Opinion of the WP29 responds to this call. The EC intends to use the feedback provided from the consultation to prepare a new legislative proposal, which is expected by the end of 2016.

Article 29 Working Party (WP29)

Opinion of Article 29 WP29 on the EU – Privacy Shield draft adequacy decision

The Article 29 Data Protection Working Party (WP29) adopted its opinion on the EU-US Privacy Shield draft adequacy decision on April 13, 2016. The Privacy Shield saw the light after the Court of Justice of the European Union (CJEU) invalidated the previous Safe Harbor agreement in the Schrems judgement. The Opinion is complemented by a Working Document on the justification of interferences with the fundamental rights to privacy and data protection through surveillance when transferring personal data (European Essential Guarantees).

Months before, in October 2015, the WP29 stated that an assessment of the consequences of the Schrems decision with respect to all mechanisms permitting data transfers to the US would be carried out. The WP29 then proceeded to inventory and examine the jurisprudence of the CJEU as regards Articles 7, 8 and 47 of the European Union Charter of Fundamental Rights, as well as the jurisprudence of the European Court of Human Rights related to Article 8 of the European Convention on Human Rights, dealing with surveillance issues. The conclusions of this assessment led to the four European Essential Guarantees.

The Opinion of the WP29 includes an assessment of the Guarantees for data transfer to the US. According to it, the Privacy Shield includes significant improvements compared to the EU-US Safe Harbor framework. However, major points of concern remain and further clarification is needed in several aspects. The Working Party stressed the general complexity and lack of clarity regarding the Privacy Shield and expressed concerns with respect to both the commercial and national security aspects of the new framework.