Dec 192016

The Article 29 Working Party Releases Draft Guidelines on Key Elements of the GDPR Including the Right to Data Portability, Data Protection Officers and the Lead Supervisory Authority

Colleen Theresa Brown, William RM Long, Cameron F. Kerry and Thomas Fearon
, , , ,

On 15 December 2016 the Article 29 Working Party (“WP29”) released draft guidelines and FAQs on key provisions in the EU’s General Data Protection Regulation (“GDPR”). The guidelines cover the right to data portability, data protection officers and the lead supervisory authority. The WP29 has invited comments from stakeholders on the draft guidelines and FAQs. The deadline for comments is January 31, 2017. Although this invitation for comment is directed at the new guidance, some members of the WP29 have expressed interest in comments on additional issues for the WP29 2017 work plan, for which guidance has not been issued.

1. The right to data portability

The WP29’s guidelines provide information on the implementation, interpretation and scope of the right to data portability. In particular, the guidelines conclude that:

  • the right to data portability applies to data provided by the data subject actively and knowingly (for example,  a mailing address or user name). It also applies to data “provided” by the data subject by virtue of the use of a device or a service (for example, search history and location data);
  • the right to data portability does not apply to inferred or derived data generated by a data controller on the basis of raw data provided by the data subject (for example, a credit score);
  • the right to data portability cannot be undermined or limited to the personal data directly communicated by the data subject via, for example, an online form; and
  • data controllers should start developing systems to answer data portability requests, such as download tools and Application Programming Interfaces. Personal data should be transmitted by data controllers in a structured, commonly used and machine-readable format.

The WP29 also recommend that industry stakeholders and trade associations work together to produce a set of interoperable standards and formats to deliver the right to data portability. The WP29’s draft guidelines on the right to data portability are available here. The FAQs are available here.

2. Data protection officers

The WP29’s guidelines provide an explanation of the mandatory and voluntary designation of a DPO, including considerations for the appointment of a DPO at corporate group level. It should be noted that the guidelines confirm that the triggers for the mandatory DPO designation requirement are substantial and that many companies will therefore not be required to appoint a DPA. Nevertheless, the WP29 recommends that unless it is obvious that the mandatory designation requirement does not apply, controllers and processors should document the internal analysis carried out to determine whether a DPO is required.

The guidelines also provide key definitions for the designation obligation and consider the position of the DPO, its role within a company, and the tasks which are expected of the DPO.  These include compliance monitoring, record keeping, carrying out data protection impact assessments and risk management. The guidelines also detail the resources that should be provided to the DPO, which include active support by senior management, and “adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate.”  The guidance also makes clear that, while DPOs have significant responsibilities, they “are not personally responsible for non-compliance” with the laws.  Ultimate responsibility for violations rests with the data controllers and data processors.

The WP29’s draft guidelines on data protection officers are available here. The FAQs are available here.

3. Lead supervisory authority

The WP29’s guidelines provide helpful guidance for companies to determine who is the lead supervisory authority where a company carries out cross-border processing of personal data, known as the One-Stop-Shop principle. Cross-border processing occurs where:

  • processing of personal data occurs in the “context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one EU Member State;” or
  • processing of personal data takes place in the context of activities of a single establishment of a controller or processor, but is likely to or does “substantially affect” data subjects of multiple Member States.  There is no quantitative or qualitative threshold for substantial affects, rather Supervisory Authorities will interpret “substantially affects” on a case by case basis.

The guidelines make it clear that the GDPR does not permit “forum shopping.” Nevertheless, the WP29 also stressed that internal decision making on privacy and data protection matters can also affect the choice of a lead DPA, and thus should be considered when structuring data protection compliance programs. The guidelines also state that where a company does not have an establishment in the EU, the One-Stop-Shop principle does not apply and it must deal with supervisory authorities in every EU Member State in which it is active.

The WP29’s draft guidelines on the lead supervisory authority are available here. The FAQs are available here.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

William RM Long

London

wlong@sidley.com

Cameron F. Kerry

ckerry@sidley.com

Thomas Fearon

tfearon@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.