First Guidance on New EU Privacy Law Will Help Companies

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

European Union data protection regulators Dec. 16 made public the keenly awaited first official guidance on the EU’s new privacy regime.

The Article 29 Working Party of data protection officials from the 28 EU countries issued guidance on the extent to which corporate data protection officers may be held personally liable for noncompliance with the EU’s General Data Protection Regulation (GDPR) and the scope of a new data portability right. The group also issued guidance on the factors for identifying the lead privacy office for complaints and enforcement for particular cases.

The EU is presently in a transition period to the GDPR, which will May 25, 2018 replace the bloc’s 1995 Data Protection Directive. Companies consider Art. 29 Working Party guidance crucial to help privacy supervisors clarify issues relating to the practical implementation of the GDPR.

In a statement, the Art. 29 Working Party said public comments on the guidance may be submitted through Jan. 31, 2017.

Jorg Hladjk, cybersecurity, privacy and data protection of counsel with Jones Day in Brussels, told Bloomberg BNA Dec. 16 that he was “positively surprised” about the quality of the guidance. “It’s comprehensive, it’s detailed, it has checklists—they’ve done a good job,” he said.

Marine de Baillenx, a spokeswoman for the French privacy office (CNIL), whose president serves as chairwoman of the Art. 29 Working Party, told Bloomberg BNA Dec. 16 that although the guidance had been “definitively adopted” by the working party, comments on the documents, public comments would be expected through Jan. 31, 2017, and updated guidance might be issued thereafter.

The Art. 29 Working Party adopted the guidance at a Dec. 12-13 plenary meeting in Brussels. The working party said in a Dec. 15 statement that further guidance on data protection impact assessments and privacy certification schemes would be issued in 2017.

New Portability Right

On data portability, or the right introduced by the GDPR for individuals to request that personal data be transferred to an alternative service provider, the Art. 29 guidance said that the right “covers data provided knowingly and actively by the data subject as well as the personal data generated by his or her activity.”

The data portability right cannot be “limited to the personal information directly communicated by the data subject,” the Art. 29 guidance said. Data controllers should already start to put in place procedures to answer data portability requests, the guidance added.

Monika Kuschewsky, a data protection partner with Squire Patton Boggs LLP in Brussels, told Bloomberg BNA Dec. 16 that this “seems an extremely broad interpretation of the right to data portability.”

“This will affect many more companies than what is obvious from looking at the wording or the legal history of the relevant article” in the GDPR, Kuschewsky said.

The guidance also places a requirement on companies that receive transferred data to ensure that it is “relevant and not excessive with regard to the new data processing.” An example of this could be that e-mail addresses and contact information wouldn’t need to be processed if an individual requests the transfer of the content of his or her e-mails to a cloud storage provider, according to the guidance.

Carlo Piltz, an information technology and data protection lawyer with JBB in Berlin, told Bloomberg BNA Dec. 16 that the provision raised the question of “how the receiving controller actually knows what kind of purposes the data subject pursues and, as a consequence, what kind of data must not be stored.”

“This might actually create a compliance issue for the receiving controller,” Piltz said.

Data Protection Officers

The GDPR will require many companies to appoint data protection officers (DPOs). Piltz said that notable issues covered in the Art. 29 guidance included liability, profiling and the qualifications of DPOs.

The guidance said that companies that use data are liable for ensuring GDPR compliance, so DPOs “are not personally responsible in case of non-compliance.”

The guidance also clarifies that the requirement to designate a DPO would cover behavioral advertising services, because they would be considered to be monitoring the online behavior of individuals which is one of the GDPR factors for requiring a DPO.

On the qualifications of DPOs, the guidance said that candidates should “have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR.” The Art. 29 guidance means that DPOs will largely be lawyers, Piltz said.

Supervisory Clarity

The Art. 29 guidance also focused on the identification of the lead privacy regulator for data companies with a presence in more than one EU country. Under the GDPR, the privacy office in the country of the “main establishment” of a company should act as its lead regulator, the guidance said.

Hladjk said the guidance would aid companies to know where they stand “in the light of very complex corporate structures nowadays.”

The guidance said that lead privacy regulators for multinational companies would be determined by the country where the “central administration” is located, though there will be “complex situations where it is difficult to identify the main establishment or to determine where decisions about data processing are taken.”

In such complex situations, a company could “designate the establishment that will act as its main establishment,” though DPAs would reserve the right to step in to prevent companies designating establishments in countries where they have no substantive presence, the guidance said.

The Art. 29 Working Party adopted the guidance at a Dec. 12-13 plenary meeting in Brussels. The working party said in a Dec. 15 statement that further guidance on data protection impact assessments and privacy certification schemes would be issued in 2017.

To contact the reporter on this story: Donald Aplin in Washington at daplin@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security