EU Privacy Law Guide Coming Soon: Regulator Group Chief

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Oct. 19 — Companies unsure of how regulators will enforce the new European Union privacy regime may soon be receiving official guidance, the head of the EU's official privacy regulator group told Bloomberg BNA.

Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Party of privacy officials from the 28 EU countries, said the group's initial guidance on enforcement, privacy officer and data portability provisions of the EU General Data Protection Regulation (GDPR) are slated for release before the end of 2016.

The GDPR, which replaces the 21-year old EU Data Protection Directive (95/46/EC), is set to take effect May 25, 2018.

Companies need the guidance because “there are ambiguities in the GDPR text,” Falque-Pierrotin, who is also president of the French privacy office, told Bloomberg BNA on the sidelines of the 38th International Conference of Data Protection and Privacy Commissioners in Marrakesh, Morocco. The goal is to “transform the text into an operational toolbox,” she said.

Coming to “a common interpretation” to keep intact the GDPR's goal of privacy harmonization is a challenge, Falque-Pierrotin said. “The idea is really to keep to the harmonization direction of the GDPR through these common guidelines.”

Falque-Pierrotin also discussed emerging plans for further GDPR guidance to be released in 2017, including likely guidance on consent, the EU-U.S. Privacy Shield data transfer framework and what Brexit may mean for privacy issues in the U.K. and EU.

Isabelle Falque-Pierrotin
Enforcement Guidance

The Art. 29 Party is “very much interested in setting out as clearly as possible the enforcement procedures that we will have to use from May 2018,” Falque-Pierrotin said.

Guidance is necessary to explain new processes adopted in the GDPR, including setting a lead authority for complaints and enforcement proceedings and a one-stop-shop approach to privacy oversight and enforcement, she said.

Interpretive guidance is also needed on the GDPR provision on bilateral cooperation among EU privacy regulators and the establishment of a European Data Protection Board to resolve enforcement disputes, Falque-Pierrotin said.

“We have to work out how all these little bits should be articulated for the entire enforcement procedure to be workable,” she said

Corporate Privacy Officers

The GDPR's provisions on privacy officers—called data protection officers (DPO) in the regulation—are also priorities for the Art. 29 Party, Falque-Pierrotin said.

Companies have “a lot of different practical questions” about what they should do to put a DPO in place, she said.

“The DPO is going to be a key tool for compliance,” she said. “The GDPR gives an increased role to the DPO and a lot of companies are wondering in what circumstances they have to have a DPO and what the position of the DPO in the organization should be,” she said.

The GDPR introduces a new right of data portability to allow individuals to request access to their personal data processed automatically by companies and, in some instances, to have that data transferred to competitors, such as transferring mobile phone data from one provider to another. The new right is “very important” to individuals, so the Art. 29 Party is focusing carefully on the scope of the right and how to implement it correctly, she said.

The Art. 29 Party is also working on privacy impact assessment guidance and compliance certification procedures as part of its 2016 action plan and will probably issue guidance the next plenary at the beginning of next year, Falque-Pierrotin said.

Proof of Consent

Although it is too early to say definitively what the Art. 29 Party will prioritize for additional guidance to be issued in 2017, dealing with the new individual consent standards in the GDPR is a likely subject, Falque-Pierrotin said.

The GDPR, for example, says that companies engaged in online marketing must provide some kind of opt-in process and provide proof of consent, she said. Companies need to know what the proof of consent standard will be well in advance of the effective date of the GDPR, so they can develop internal tools, she said.

Guidance on the GDPR's consent and other provisions is particularly important for smaller companies, Falque-Pierrotin said.

Small and medium-sized companies have traditionally had a more difficult time with privacy requirements, she said. Startups “are closer to innovation and they are more interested in using privacy protection as a lever for innovation,” she said.

“But for regular small and medium companies, we have the idea to develop some very simple pedagogical tools,” she said.

Overall, privacy awareness appears to be rising as the GDPR comes closer to its effective date and that may be due to the large potential sanctions in the regulation, Falque-Pierrotin said.

Privacy Shield Review

The Art. 29 Party won't have any further official comment on the EU-U.S. Privacy Shield data transfer program until after the program has been in place for a year and evaluated by the European Commission, Falque-Pierrotin said.

The Privacy Shield, which replaced the now defunct U.S.-EU Safe Harbor Program, allows U.S. companies that self-certify with the U.S. Department of Commerce to comply with privacy and security principles akin to those in EU law to send personal data of EU citizens to those companies. It took effect in July.

The European Commission—the EU's administrative arm—is slated to complete its first annual review of the Privacy Shield in summer or early fall of 2017. The commission will evaluate whether the Privacy Shield is providing adequate privacy protection.

“What I can say as a representative of the Art. 29 Working Party is that we're going to be very vigilant on the implementation of the Privacy Shield,” Falque-Pierrotin said. The Working Party expressed concerns in July that the Privacy Shield might not provide adequate privacy protection.

We are going to use the first year of implementation as a test period to verify if there are grounds for these concerns,” she said.

No Position on Brexit

The Art. 29 Party hasn't reached any conclusions about the U.K.'s move to leave the EU, known as Brexit, Falque-Pierrotin said.

“We have been very cautious about the Brexit consequences for the privacy community. We've said we will keep a neutral point of view and try to see how it evolves,” she said.

The U.S.-EU Privacy Shield “is definitely a kind of standard for international data flows between Europe and the rest of the world,” Falque-Pierrotin said. “So if the U.K. decides really to leave Europe, it could be useful for the U.K. also,” she said.

By Stephen Gardner

To contact the reporter on this story: Stephen Gardner in Marrakesh at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.