Jan 172019

French DPA Publishes Updated Data Protection Impact Assessment Guidance

William RM Long, Jasmine Agyekum and Geraldine Scali
, , , ,

Under Article 35(3) of the EU General Data Protection Regulation (GDPR), organisations are required to conduct a data protection impact assessment (DPIA) where they: (i) engage in a systematic and extensive evaluation of personal aspects of individuals, based on automated processing, and on which decisions are based that produce legal or other effects that concern the individual, or (ii) process special categories of personal data (e.g. health data) on a large scale or personal data relating to criminal convictions, or (iii) engage in a systematic monitoring of a publicly accessible area on a large scale.

The French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), had published a draft list of processing operations which require a DPIA to be carried out prior to the processing of personal data.  These include: (i) the processing of health data by health establishments, (ii) the processing of genetic data of vulnerable persons, (iii) profiling of employees for HR purposes, (iv) monitoring of employees for HR purposes, (v) processing of personal data in the context of whistleblowing helplines, (vi) various types of profiling, (vii) and the processing of biometric data.

The CNIL’s list was been submitted to the European Data Protection Board (EDPB) for approval. Under Article 64(1) of the GDPR, where a Member State data protection authority (DPA) intends to adopt a list of processing operations which require a DPIA, the DPA must submit the draft list to the EDPB.  The EDPB will then issue an opinion on the list, with the aim of ensuring a harmonised approach to data processing across the EU.

In its opinion, published and adopted on 25 September 2018, the EDPB asked the CNIL to explicitly clarify that the list is not exhaustive, and to highlight that the creation of a DPIA list was based on the Article 29 Working Party (the predecessor to the EDPB) guidelines on DPIAs.

Regarding the processing of biometric data listed by the CNIL, the EDPB was of the opinion that processing biometric data, without more factors, likely to represent a “high risk to the rights and freedoms of individuals.” Rather, a DPIA is required to be conducted where biometric data is processed for the purpose of uniquely identifying an individual in conjunction with at least one other criteria. As such, the EDPB required the CNIL to amend their list so that a DPIA is required where biometric data is processed for the purpose of uniquely identifying an individual only when done in conjunction with at least one other triggering criteria, to be applied without prejudice to Article 35(3) of the GDPR.

On the processing of genetic data, the EDPB also considered that the processing of genetic data on its own does not necessarily represent a “high risk to the rights and freedoms of individuals.”  The EDPB therefore has asked the CNIL to amend its list so that a DPIA is required where the processing of genetic data is done in conjunction with at least one other criteria, to be applied without prejudice to Article 35(3) of the GDPR.

Notably, the CNIL’s initial list did not contain reference to processing location data. The EDPB asked CNIL to include in its list a reference to the processing of location data, together with another criterion.

The EDPB also requested refinement of references to DPIAs in the event of employee monitoring.  Specifically, the EDPB requested the CNIL to add additional criteria where the employee monitoring involves vulnerable data subjects and systematic monitoring of individuals.

In response to the EDPB’s opinion, the CNIL accepted all of the EDPB recommendations and on 6 November 2018 published an updated list.

William RM Long

London

wlong@sidley.com

Jasmine Agyekum

jagyekum@sidley.com

Geraldine Scali

gscali@sidley.com

You might also like
UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

U.S. Employers Need to Reconsider Use of Confidentiality and Nondisparagement Provisions in Light of New NLRB Decision

Employers frequently seek to include confidentiality and nondisparagement provisions in severance agreements provided to departing employees. Last week, the U.S. National Labor Relations Board (NLRB or Board) significantly altered the legal landscape governing such provisions, making it much more difficult for unionized and nonunionized employers alike to use them for nonsupervisory employees without running afoul of the National Labor Relations Act (NLRA). The decision is likely to be appealed, and we will issue updates as they become appropriate. In the interim, however, it is critically important for employers to understand the implications of the decision (see below) and to adjust their use of these provisions to limit their risk.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.