AEDH

What progress on GDPR? The work of the Article 29 Working Party


Passed in April 2016, the General Data Protection Regulation has to be applied as of 25 May 2018, after a two-year transition, and replaces Directive 95/46/EC. The Regulation aims to modernise the European data protection framework in order to take technological advances into account and to reduce legal differences between the Member States.

Since the adoption of the GDPR, which has to be uniformly implemented in all Member States, the preparation of its implementation has been institutionally supervised and supported, in particular by the European Commission and the Article 29 Working Party (Art. 29 WP).

The Art. 29 WP, composed of the independent data protection authorities of the 28 Member States, the European Commission and the European Data Protection Supervisor, works on publishing guidelines in order to give an accurate and clear interpretation. These guidelines define more precisely the terms used in the legislation and clarify the legal and technical requirements, in order to fulfil 3 objectives: harmonisation, simplification and clarification.

Guidelines have already been published on the right to data portability, Data Protection Officers (DPO) and the Lead Supervisory Authority. To pursue the work, the Art. 29 WP organised a workshop on three topics (consent, profiling and breach notification) at the beginning of April.

Consent

A key concept in the processing of personal data, consent is an important element of the GDPR: its definition is aligned with the former legislation, but Article 6 reinforces the requirements for its validity.

It raises a concern for some companies because the Regulation requires consent for personal data to be collected or processed, which could represent a risk for the European Union's digital economy and for sectors such as health and research (researchers consider that data exchange, whatever the legal framework of the countries involved, is necessary for their work).

The continuity of free services, for which use of personal data replaces financial payment, raises concerns: what conditions must be satisfied for compliance with the GDPR? Is it still a compliant business model? Can a refusal of consent be a reason for a ban on the use of services?

It is necessary to clearly define terms, especially because consent has to be a « positive action » and « freely given », as well as the level of technological protection (with the choice between "privacy by default[1]" and "privacy by design[2]").

Clarifications are also needed on the proof of consent that companies may have to provide, in particular the nature of the proof and how long it must be retained.

However, companies hope that the guidelines will not be too prescriptive, that they will be granted a transition period and that the G29 requirements will not deeply affect their activities.

Profiling

Profiling is a form of automated processing of personal data. Article 22 of the GDPR protects against decisions based solely on automated processing: while considered a threat, profiling is also seen as a tool creating many opportunities, for example to combat fraud or to conduct medical research. The provisions on profiling raise fears and questions.

Firstly, the transparency obligation (Articles 13 and 14) is of concern to some companies: it would be extremely complicated to explain processing operations because of the technologies used. Companies propose that the Art. 29 WP develop, together with the other actors, standard explanations for each type of processing, in order to make them accessible to users.

Companies also underline the fact that transparency risks revealing business secrets.

Profiling raises ethical questions: should the GDPR exclude sensitive data from profiling insofar as sectoral legislation is already in place?

Finally, the profiling of minors was also broached: participants questioned the age limit for processing personal data as well as the age verification procedure.

Breach notification

There were many questions about the content, the process and the impacts of breach notifications. With regard to the content, companies need to know which information has to be sent. They also broached the subject of the impacts of data breach notifications; they fear negative impacts on their activities (especially concerning reputation). They request sectoral reports in order to benefit from the lessons learned by other companies.

Procedures should be clarified, especially the person to whom the notification should be sent and the 72-hour deadline (at what point does it start?), which companies find extremely short. They ask that incomplete notifications be allowed, so that they can verify whether a breach really happened. It would also be useful to publish general notes on good practices to help actors fulfil these new obligations.

Finally, companies question how to behave toward the supervisory authority in the case of a criminal investigation where law enforcement prohibits any notification.


AEDH welcomes the dialogue established by the Art. 29 WP with different actors (NGOs, companies, authorities/Data Protection Officers). However, AEDH regrets that companies, present in large numbers, dominated the debate at the expense of civil society representatives, and that companies were more interested in a "re-negotiation" of the GDPR (already adopted) than in concrete proposals to put to the Art. 29 WP.
