Dec 192016

The Article 29 Working Party Releases Draft Guidelines on Key Elements of the GDPR Including the Right to Data Portability, Data Protection Officers and the Lead Supervisory Authority

Colleen Theresa Brown, William RM Long, Cameron F. Kerry and Thomas Fearon
, , , ,

On 15 December 2016 the Article 29 Working Party (“WP29”) released draft guidelines and FAQs on key provisions in the EU’s General Data Protection Regulation (“GDPR”). The guidelines cover the right to data portability, data protection officers and the lead supervisory authority. The WP29 has invited comments from stakeholders on the draft guidelines and FAQs. The deadline for comments is January 31, 2017. Although this invitation for comment is directed at the new guidance, some members of the WP29 have expressed interest in comments on additional issues for the WP29 2017 work plan, for which guidance has not been issued.

1. The right to data portability

The WP29’s guidelines provide information on the implementation, interpretation and scope of the right to data portability. In particular, the guidelines conclude that:

  • the right to data portability applies to data provided by the data subject actively and knowingly (for example,  a mailing address or user name). It also applies to data “provided” by the data subject by virtue of the use of a device or a service (for example, search history and location data);
  • the right to data portability does not apply to inferred or derived data generated by a data controller on the basis of raw data provided by the data subject (for example, a credit score);
  • the right to data portability cannot be undermined or limited to the personal data directly communicated by the data subject via, for example, an online form; and
  • data controllers should start developing systems to answer data portability requests, such as download tools and Application Programming Interfaces. Personal data should be transmitted by data controllers in a structured, commonly used and machine-readable format.

The WP29 also recommend that industry stakeholders and trade associations work together to produce a set of interoperable standards and formats to deliver the right to data portability. The WP29’s draft guidelines on the right to data portability are available here. The FAQs are available here.

2. Data protection officers

The WP29’s guidelines provide an explanation of the mandatory and voluntary designation of a DPO, including considerations for the appointment of a DPO at corporate group level. It should be noted that the guidelines confirm that the triggers for the mandatory DPO designation requirement are substantial and that many companies will therefore not be required to appoint a DPA. Nevertheless, the WP29 recommends that unless it is obvious that the mandatory designation requirement does not apply, controllers and processors should document the internal analysis carried out to determine whether a DPO is required.

The guidelines also provide key definitions for the designation obligation and consider the position of the DPO, its role within a company, and the tasks which are expected of the DPO.  These include compliance monitoring, record keeping, carrying out data protection impact assessments and risk management. The guidelines also detail the resources that should be provided to the DPO, which include active support by senior management, and “adequate support in terms of financial resources, infrastructure (premises, facilities, equipment) and staff where appropriate.”  The guidance also makes clear that, while DPOs have significant responsibilities, they “are not personally responsible for non-compliance” with the laws.  Ultimate responsibility for violations rests with the data controllers and data processors.

The WP29’s draft guidelines on data protection officers are available here. The FAQs are available here.

3. Lead supervisory authority

The WP29’s guidelines provide helpful guidance for companies to determine who is the lead supervisory authority where a company carries out cross-border processing of personal data, known as the One-Stop-Shop principle. Cross-border processing occurs where:

  • processing of personal data occurs in the “context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one EU Member State;” or
  • processing of personal data takes place in the context of activities of a single establishment of a controller or processor, but is likely to or does “substantially affect” data subjects of multiple Member States.  There is no quantitative or qualitative threshold for substantial affects, rather Supervisory Authorities will interpret “substantially affects” on a case by case basis.

The guidelines make it clear that the GDPR does not permit “forum shopping.” Nevertheless, the WP29 also stressed that internal decision making on privacy and data protection matters can also affect the choice of a lead DPA, and thus should be considered when structuring data protection compliance programs. The guidelines also state that where a company does not have an establishment in the EU, the One-Stop-Shop principle does not apply and it must deal with supervisory authorities in every EU Member State in which it is active.

The WP29’s draft guidelines on the lead supervisory authority are available here. The FAQs are available here.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

William RM Long

London

wlong@sidley.com

Cameron F. Kerry

ckerry@sidley.com

Thomas Fearon

tfearon@sidley.com

You might also like
UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill

On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill. The “Bill” is in substance a re-introduction of the previous Data Protection and Digital Information Bill which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork” is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.

UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.