European Union regulatory guidance on preparing for the bloc’s new privacy regime may change once the General Data Protection Regulation (GDPR) takes effect in May 2018, the EU’s top privacy adviser told Bloomberg BNA May 4.
Although companies are eager for guidance on the complex GDPR privacy and data security requirements, they may not get official final guidance until it is formally adopted by the new European Data Protection Board. Multinationals from outside the EU and thousands of companies based inside the bloc will rely on the official guidance to make decisions on how to handle personal data.
Even guidance that is now labeled “final” could change, because the Article 29 Working Party of privacy officials from the 28 EU countries that is issuing the guidance will be ceding that power to the new advisory body, European Data Protection Supervisor Giovanni Buttarelli said.
Bojana Bellamy, president of the Hunton & Williams LLP Center for Information Policy Leadership in London, told Bloomberg BNA May 4 that companies were “eagerly awaiting” GDPR guidance because “there are so many unanswered questions” in the regulation. However, companies “shouldn’t over-rely on guidance” from the Working Party, Bellamy said.
The GDPR presents many new privacy and cybersecurity compliance challenges for companies, including mandatory data breach notification and stiffer requirements for individual consent to use of personal data. The new law also includes new enforcement fines, which can reach a maximum of 20 million euros ($21.9 million) or 4 percent of a company’s global annual revenue.
In any event, companies shouldn’t expect the official guidance to revisit the terms of the GDPR, Buttarelli said. Surprisingly, he said, companies and trade associations that had argued for less prescriptive terms in the text of the GDPR are “now pushing for very prescriptive guidance.”
Companies shouldn’t shy away from making decisions about their data handling operations just because there may be a lack of GDPR guidance in some areas, Bellamy said. Even without guidance, companies “have to take decisions because that’s what it means to be an accountable organization,” she said.
The European Data Protection Board is authorized under the regulation to issue GDPR guidance. The board becomes an official body May 25, 2018, when the GDPR takes full effect.
The board will be similar in composition to the Working Party group, with privacy office representatives from each of the EU countries and the EDPS. The board will have an advisory role similar to the Working Party, but will also be charged with resolving disputes among privacy regulators.
The board will need to “consolidate” and formally adopt all guidance issued by the Article 29 Working Party, Buttarelli said. Once the board is in place, there could be changes to the working party’s guidance.
The working party has adopted guidance on the role of corporate data protection officers, a new right to data portability and on how lead privacy regulators will be selected when companies have a presence in more than one EU country. The working party has also issued draft guidance on data protection impact assessments.
Buttarelli said that the Art. 29 Working Party is working on guidance on individual consent to the collection and use of data, the use of collected data for profiling, and enforcement fines.
One issue the new board may revisit is the GDPR’s data portability provisions. Those provisions give individuals the right to request that data they provided be transferred from one company to another—such as between mobile communications providers.
The European Commission, the EU’s executive arm, has questioned the Art. 29 guidance on data portability, saying that it “might go beyond” the provisions of the GDPR by including a wider range of data within the scope of the portability right.
“The point raised by the commission deserves attention,” Buttarelli said.
Bellamy said the data portability right is an example of a new area of data protection law for which companies need guidance. The guidance should “evolve” based on how data portability is applied in practice “to tease out the problems,” she said.
“We don’t think Article 29 at this point understands it all—nobody does,” Bellamy said. Data portability “requires lots of thinking because it’s new,” she said.
To contact the reporter on this story: Stephen Gardner in Brussels at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
Art. 29 Working Party GDPR guidance is available at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.