NEWS

By Stephen Gardner

European Union regulatory guidance on preparing for the bloc’s new privacy regime may change once the General Data Protection Regulation (GDPR) takes effect in May 2018, the EU’s top privacy adviser told Bloomberg BNA May 4.

Although companies are eager for guidance on the complex GDPR privacy and data security requirements they may not get official final guidance until it is formally adopted by the new European Data Protection Board. Multinationals from outside the EU and thousands of companies based inside the bloc will rely on the official guidance to make decisions on how to handle personal data.

Even guidance that is now labeled “final” could change, because the Article 29 Working Party of privacy officials from the 28 EU countries that is issuing the guidance will be ceding that power to the new advisory body, European Data Protection Supervisor Giovanni Buttarelli said.

Bojana Bellamy, president of the Hunton & Williams LLP Center for Information Policy Leadership in London, told Bloomberg BNA May 4 that companies were “eagerly awaiting” GDPR guidance because “there are so many unanswered questions” in the regulation. However, companies “shouldn’t over-rely on guidance” from the Working Party, Bellamy said.

The GDPR presents many new privacy and cybersecurity compliance challenges for companies, including mandatory data breach notification and stiffer requirements for individual consent to use of personal data. The new law also includes new enforcement fines, which can reach a maximum of 20 million euros ($21.9 million) or 4 percent of a company’s global annual revenue.

In any event, companies shouldn’t expect the official guidance to revisit the terms of the GDPR, Buttarelli said. Surprisingly, he said, companies and trade associations that had argued for less prescriptive terms in the text of the GDPR are “now pushing for very prescriptive guidance.”

Companies shouldn’t shy away from making decisions about their data handling operations just because there may be a lack of GDPR guidance in some areas, Bellamy said. Even without guidance, companies “have to take decisions because that’s what it means to be an accountable organization,” she said.

European Data Protection Board

The European Data Protection Board is authorized under the regulation to issue GDPR guidance. The board becomes an official body May 25, 2018, when the GDPR takes full effect.

The board will be similar in composition to the Working Party group, with privacy office representatives from each of the EU countries and the EDPS. The board will have an advisory role similar to the Working Party, but also be charged with resolving disputes among privacy regulators.

The board will need to “consolidate” and formally adopt all guidance issued by the Article 29 Working Party, Buttarelli said. Once the board is in place, there could be changes to the working party’s guidance.

The working party has adopted guidance on the role of corporate data protection officers, a new right to data portability and on how lead privacy regulators will be selected when companies have a presence in more than one EU country. The working party has also issued draft guidance on data protection impact assessments.

Buttarelli said that the Art. 29 GDPR is working on guidance on individual consent to the collection and use of data, the use of collected data for profiling and enforcement fines.

Data Portability Right

One issue the new board may revisit is the GDPR’s data portability provisions. Those provisions give individuals the right to request that data they provided be transferred from one company to another—such as between mobile communications providers.

The European Commission, the EU’s executive arm, has questioned the Art. 29 guidance on data portability, saying that it “might go beyond” the provisions of the GDPR by including a wider range of data within the scope of the portability right.

“The point raised by the commission deserves attention,” Buttarelli said.

Bellamy said the data portability right is an example of a new area of data protection law for which companies need guidance. The guidance should “evolve” based on how data portability is applied in practice “to tease out the problems,” she said.

“We don’t think Article 29 at this point understands it all—nobody does,” Bellamy said. Data portability “requires lots of thinking because it’s new,” she said.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.