
Documentation

SUMMER COURSE
ON EUROPEAN DATA PROTECTION
LAW

417B02 Trier, 11-15 September 2017


SUMMER COURSE ON EUROPEAN DATA PROTECTION LAW

417B02
Trier, 11 – 15 September 2017

Speakers' contributions

Ralf Bendrath
- CV
- What's new with the GDPR? Assessing key legal features

Frederik Zuiderveen Borgesius
- CV
- The GDPR in its EU legislative context: focus on the proposed e-Privacy Regulation

Dan Shefet
- CV
- The GDPR: advancing citizens' digital rights? Focus on remedies
- PARALLEL SESSIONS: PRACTICAL WORKSHOPS (I) The right to be forgotten

Hielke Hijmans
- CV
- PARALLEL SESSIONS: PRACTICAL WORKSHOPS (II) The right not to be subject to Automated Decision Making
- The public governance framework
- Article

Georgia Skouma
- CV
- The private governance framework: how to design a corporate compliance strategy on personal data protection?
- PRACTICAL WORKSHOP III: How to build a Data Protection Impact Assessment (DPIA)?
- Case Study 1
- Case Study 2

Daniel Drewer
- CV
- The role of the Data Protection Officer (DPO): status, tasks and challenges – an insider perspective
- PRACTICAL WORKSHOP IV: The role of the DPO in practice – a simulation exercise
- Article

Julien Debussche
- CV
- Big data analytics, Cloud computing, The Internet of Things (IoT) and Artificial Intelligence (AI)

Copyright ©
ERA Trier

Paul Van den Bulck
- CV
- The EU toolkit for international transfers (I)
- The EU toolkit for international transfers (II)
- PARALLEL SESSIONS: PRACTICAL WORKSHOPS (V) Case study with a focus on international data transfers for commercial purposes

Diana Alonso Blas
- CV
- Data retention and mass surveillance in international and EU context
- PARALLEL SESSIONS: PRACTICAL WORKSHOPS (VI) Case study with a focus on international data transfers involving law enforcement authorities

Johnny Ryan
- CV
- GDPR consent and online media and advertising

Sophie Kwasny
- CV
- The wider legal framework of the Council of Europe

Ralf Bendrath

Ralf Bendrath hacked the Commodore C-64 in the eighties, studied security policy and information warfare in the nineties, and has been researching various aspects of internet privacy in the 2000s. A graduate in political science from the Free University of Berlin, he also worked at the University of Bremen, Columbia University, George Washington University and Technical University of Delft before moving on to Brussels. Since 2009 he has been policy advisor to Jan Philipp Albrecht, Member of the European Parliament; since 2012 he has been Albrecht's senior policy advisor and has worked mainly on the data protection reform. Ralf Bendrath was a civil society member of the German delegation to the UN World Summits on the Information Society in 2003 and 2005 and coordinated the related civil society activities on privacy and security. He is a member of the advisory board of Privacy International.
What’s new with the GDPR?
Assessing key (legal) features

Ralf Bendrath
senior policy advisor to
Jan Philipp Albrecht
Member of the European Parliament
Rapporteur for the
General Data Protection Regulation
The EU's data protection reform
Why #EUdataP?
– Update of 1995 rules
– Digital Single Market
– Closing loopholes
– Stricter and harmonised enforcement
– Trust and legal certainty
– Setting and exporting an EU standard
EU Primary Law

Article 16 TFEU
1. Everyone has the right to the protection of personal data concerning them.
2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals (…) Compliance with these rules shall be subject to the control of independent authorities.

Article 8 EU Charter of Fundamental Rights
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
European Union ordinary legislation
- European Parliament: Civil Liberties, Justice & Home Affairs Committee (LIBE Committee). Lead negotiator: Jan Philipp Albrecht MEP
- Council of Ministers: Justice & Home Affairs Council (JHA Council). Lead negotiator: Felix Braz, Luxembourg Minister of Justice
Some details on process
• Biggest lobbying tsunami ever in Brussels
– 4000+ amendments
– our team: 168 meetings with lobbyists alone in nine months of 2012
– some understandable concerns
• don't overburden SMEs, RTBF, ...
– some just way over the top
• 'EUdataP should not apply to us', reduce scope of data protection, …
3999 amendments (on my desk): poor trees...
More than 4 years (plus 2)
• COM legislative proposal: January 2012
• EP first reading position: March 2014
• Council general approach: June 2015
• Political agreement: December 2015
• Lawyer-linguists, translations: April 2016
• Publication / into force: May 2016
• Corrigendum: upcoming
• Application: 25 May 2018
help from Edward Snowden
… but also from Max Schrems
Key Issues
• Definition of personal data
– IP addresses, RFID IDs, etc. covered
– 'single out' (identifiable)
• Material Scope:
– private and public entities
– no law enforcement / national security
• Territorial scope / 3rd Countries:
– market location principle → Brexit?
– Privacy Shield?
– know where your data is
Key Issues II
• Data minimisation
• Purpose limitation
• Legal basis: consent, contract, legal
obligation, public authority, vital interest,
legitimate interest
• Information obligations
• Data protection by design and by default
• RTBF and Data Portability
• Profiling
Legitimate interest
• balancing test
• reasonable expectations, based on the
relationship with the data controller
• direct marketing may be ok
• opt-out always possible (Do Not Track)
Informational self-determination
Transfers to 3rd countries?
• Adequacy decision
– CJEU: „essentially equivalent“
– Data protection laws? Access by agencies?
Right to redress?
• or suitable safeguards (B2B)
• Safe Harbor → Privacy Shield → ?
• Brexit!
• Trade agreements?
Enforcement
• Administrative fines
– up to 4% worldwide annual turnover
• Collective redress as option
• Consistency
– One-stop-shop
– European Data Protection Board
– Final decision in case of conflict: EDPB
– No loopholes anymore
What's next?
• Guidelines for GDPR
• Application and case-law to develop
• EU Institutions (replacing Regulation (EC) No 45/2001)
• ePrivacy (replacing Directive 2002/58/EC)
• CJEU case law

Questions?

ralf.bendrath@europarl.europa.eu
@bendrath
@janalbrecht
#EUdataP
Frederik Zuiderveen Borgesius

Dr. Frederik Zuiderveen Borgesius is a researcher at the Institute for Information Law (IViR) of the University of Amsterdam. His research interests include profiling, privacy, data protection law, freedom of expression, and discrimination. He has published widely on these topics. He regularly presents at national and international conferences, and he has presented for the Dutch and the European parliaments.

He obtained his Research Master's degree in Information Law at IViR, and studied for one semester at Hong Kong University. During his Master's, he worked at SOLV Attorneys, a law firm dedicated to technology, media and communications. He also spent a semester at New York University for research.

His book 'Improving Privacy Protection in the Area of Behavioural Targeting' was published in 2015. He is a member of the editorial committee of the European Data Protection Law Review, of the Dutch journal Computerrecht, and of the Meijers Committee, an independent group of experts in the field of European criminal, migration, refugee, privacy, non-discrimination and constitutional law. Currently, Frederik is working on the interdisciplinary Personalised Communication project, a joint initiative of the Institute for Information Law and the Amsterdam School of Communication Research (ASCoR). In 2017, he wrote a report on the European Commission's proposal for an ePrivacy Regulation for the European Parliament.

On 1 January 2018 Frederik starts a 2-year Marie Curie fellowship at the LSTS interdisciplinary Research Group on Law, Science, Technology & Society of the VUB Free University Brussels. He will focus on machine learning and automated profiling, and the risks of unfair and illegal discrimination in that context.

www.ivir.nl/employee/zuiderveen-borgesius

https://twitter.com/FBorgesius

***
Dr. Frederik Zuiderveen Borgesius

The proposed ePrivacy Regulation and its relation to the GDPR

Summer Course on EU Data Protection Law, ERA, Trier, 11 September 2017


Proposal ePrivacy Regulation, January 2017

European Commission, Brussels, 10.1.2017, COM(2017) 10 final, 2017/0003 (COD)

Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (Text with EEA relevance)

{SWD(2017) 3 final} {SWD(2017) 4 final} {SWD(2017) 5 final} {SWD(2017) 6 final}
ePrivacy Regulation

Should replace current ePrivacy Directive (communications confidentiality, cookies, spam…)
EU Charter of Fundamental Rights 2000

Art 7 EU Charter: Right to privacy & communications confidentiality
'Everyone has the right to respect for his private and family life, his home and his communication.'
≈ European Convention on Human Rights, art 8.
ECHR, art 8: Klass v Germany 1978
ECHR, art 8: Copland v UK 2007

Art 8 EU Charter: data protection
'Everyone has the right to the protection of personal data concerning him or her.'

Art 7 EU Charter, privacy & communications confidentiality: ePrivacy rules
Art 8 EU Charter, personal data: GDPR
ePrivacy Regulation: why?

- Implements art 7 EU Charter, and protects communications confidentiality
- Harmonisation
- Adds specific rules for certain situations (GDPR has open norms & six legal bases)
- Protects user device
Main ePrivacy rules

- Communications confidentiality
- Traffic & location data (metadata)
- Spam
- Cookies, tracking, etc.
- Protecting user device
ePrivacy Regulation: main novelties

- Regulation (not directive)
- Fines like GDPR
- Scope is wider than directive

Scope ePrivacy Directive

- Many rules: only for 'providers of publicly available electronic communications services' ≈ phone & internet access companies
- Communications confidentiality applies to: phone & internet access companies
- Outside scope: Gmail, WhatsApp, Skype…

ePrivacy Regulation: wider scope

- Within scope: Gmail, WhatsApp, Skype, Facebook chat…
Art 4(1)(b) ePrivacy proposal & art 2(4) EU Electronic Communications Code: the definition of 'electronic communications service' encompasses (i) internet access services, (ii) services consisting wholly or mainly of the conveyance of signals, and (iii) interpersonal communications services. There are two types of 'interpersonal communications': (iii(a)) number-based, and (iii(b)) number-independent. These types of service may partly overlap.

Structure of the definition of 'electronic communications service':
- Internet access
- Conveyance of signals
- Interpersonal communications
  - Number-based
  - Number-independent

ePrivacy Regulation: various

Art 8 web tracking & protecting devices

Use of processing and storage capabilities of user device other than by the user concerned shall be prohibited + exceptions

Cookie prohibition + 4 exceptions:
a) transmission
b) consent
c) requested service
d) analytics
Tracking

Tracking walls / take-it-or-leave-it choices
No consent: no access
European Data Protection Supervisor & Article 29 Working Party (EU DPAs): 'Ban tracking walls'

Browsers & tracking
Art 10: choice regarding tracking
Suggestion:
• Privacy-friendly default settings
• Require firms to comply with Do Not Track?

Location tracking, wi-fi etc.
Art 8: allowed if firm hangs up poster: 'Turn off wi-fi to stop being tracked' (Art 8(2)(b) eP proposal)
Suggestion:
(i) Consent, or
(ii) Anonymised & aggregated statistics, opt-out option, safeguards...
Communications confidentiality (art 5)
'Electronic communications data shall be confidential.'

Electronic communications data = electronic communications content + electronic communications metadata

'Any interference with electronic communications data, such as by.. storing, monitoring, scanning or other kinds of interception, surveillance or processing of electronic communications data, by persons other than the end-users, shall be prohibited, except when permitted by this Regulation.'

Communications confidentiality
Art 5 Prohibition of interception and surveillance
Art 6 Exceptions

Excerpt from the study for the European Parliament, 'An assessment of the Commission's proposal on Privacy and Electronic Communications' (shown on the slide):

We recommend that the EU lawmaker keeps in mind that the ePrivacy proposal does not only apply to typical communication services such as email, phone, Skype, and WhatsApp, but also applies to machine-to-machine communications. For instance, a computer might automatically send a security update to another computer. And metering equipment or sensors might regularly communicate with a central data storage facility.

We also recommend that the EU lawmaker clarifies whether the data exchanged [..]

Communications confidentiality
Surveillance prohibition (art 5), unless (art 6)
(i) user's consent, or
(ii) exception (billing etc.)
Suggestion:
(i) Consent of all users, or:
(ii) More exceptions (spam filtering…)
User consent (singular): art 6(2)(c); art 6(3)(a) eP proposal
More info: study for the EP

Zuiderveen Borgesius, Van Hoboken, Fahy, Irion, Rozendaal,


https://ssrn.com/abstract=2982290
Thank you!

@Fborgesius
Dan Shefet

Lawyer and Individual Specialist to UNESCO
President of AAID

French lawyer born in Denmark, Dan Shefet holds a Philosophy Degree and a Law Degree from the University of Copenhagen. Specialized in European Law, Competition Law as well as Human Rights in general and in the IT environment in particular, he participates in conferences in academic venues on IT Law, Data Privacy and Human Rights on the internet.

In 2014 he founded the Association for Accountability and Internet Democracy (AAID), the main objective of which is to introduce a general principle of accountability on the internet in order to secure the protection of human integrity.
SUMMER COURSE ON EUROPEAN
DATA PROTECTION LAW
THE GDPR: ADVANCING CITIZENS’ DIGITAL RIGHTS?
FOCUS ON REMEDIES

TRIER, 11-15 SEPTEMBER 2017

Speaker: Dan Shefet

CITIZENS' RIGHTS

• GDPR Art. 15 (Right of access)
• GDPR Art. 16 (Right to rectification)
• GDPR Art. 17 (Right to erasure / be forgotten)
• GDPR Art. 22 (Automated individual decision-making)
• GDPR Art. 34 (Breach notification)

GDPR Article 16
Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

GDPR Article 17
Right to erasure ('right to be forgotten')

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent (…)
(c) the data subject objects (…) and there are no overriding legitimate grounds for the processing (…)
(d) the personal data have been unlawfully processed;

GDPR Article 22
Automated individual decision-making, including profiling

1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

GDPR Article 34
Communication of a personal data breach to the data subject

1. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.

PROCEDURE / REMEDIES

• Google Request Format
• GDPR Art. 77 (DPA)
• GDPR Art. 78 (Judicial remedy)
• GDPR Art. 80 ("Class action")

ARTICLE 79

• Administrative / Judicial
• Reg. 1215/2012
• "An establishment"
• Suspensive effect
• Choice of venue (recital 147)

ARTICLE 82

• Solidarity (joint and several liability)
• Controller
• Processor
• Soft Law (Corporate Governance)

• Unregulated remedies
• Google Request Procedure
• Online Dispute Resolution

CASES

• Shevill (C-68/93, 7 March 1995)
• eDate Advertising and Martinez (C-509/09 and C-161/10, 25 October 2011)
• Concurrence Sàrl v Samsung Electronics France SAS and Amazon Services Europe Sàrl (ECJ, 21 December 2016; French Supreme Court, 5 July 2017, Case No. 14-16.737)

JURISDICTION

• The problem
• Targeted jurisdiction
• Focused jurisdiction
• Territoriality

• Regulatory
• Adjudicatory
• Enforcement
• Geo-blocking

CASES

• Yahoo
• CNIL v. Google
• PIPEDA
• Equustek
• Hegglin
• Raphael (Forum Shopping)
• Lotus
• Die Grünen v. Facebook Ireland Limited (Appellate Court; May 5, 2017; 5 R 5/17t)

THANK YOU FOR YOUR ATTENTION!
Hielke Hijmans

Dr Hielke Hijmans works as independent legal advisor and researcher in the domains of fundamental rights, EU law, privacy and data protection. He is based in Brussels. His clients include the Centre for Information Policy Leadership (CIPL, a global think tank based in Washington DC, London and Brussels), Considerati (a consultancy based in Amsterdam), the Brussels Privacy Hub and the University of Luxembourg. He is a member of the Meijers Committee, an independent group of experts that researches and advises on European criminal, migration, refugee, privacy, non-discrimination and constitutional law. Until 1 October 2016, Hielke served for 12 years at the EDPS, e.g. as Head of Unit Policy & Consultations. Before that, he worked at the CJEU in Luxembourg and at the Ministry of Justice in The Hague. He holds a double doctorate in law from the Vrije Universiteit Brussel and the University of Amsterdam. He is the author of "The European Union as Guardian of Internet Privacy, The Story of Art 16 TFEU" (Springer International Publishing 2016). He publishes on a wide range of issues in relation to the General Data Protection Regulation, with a focus on governance and the role of independent data protection authorities and on ethics.

WORKSHOP SUMMER SCHOOL ERA, 11 SEPTEMBER 2017, 15h-17h

Hielke Hijmans

ARTICLE 22 GDPR
Right not to be subject to automated individual decision-making

CASE ON automated credit scoring


CASE:

A bank offers an online service for a loan. Individuals can apply and the application is approved or refused on the basis of automated credit scoring.

QUESTIONS:

1. Is this practice covered by Article 22 (1) GDPR? Is it allowed?


2. Must data subjects invoke their right not to be subject to
automated decision making (object) or does it automatically
apply?
3. The GDPR requires to inform the data subject about the
existence of automated decision-making. What information
should be provided in this case and how?
4. What is the meaning of the right to obtain human intervention
in Art 22 (3) GDPR in this case? In other words, what should it
at least imply?
5. Mendoza and Bygrave claim that this right can be easily
circumvented. Do you agree and why?

The group will be split up in three different subgroups that each will
have to prepare a 10 min presentation, looking at the questions from
different perspectives:
- A bank/insurance company.
- A consumers organisation.
- A data protection authority.

Timing:
- Start: 15.00-15.05
- Intro of case (HH): 15.00-15.15
- Preparation in subgroups: 15.15-16.10
- Presentation by subgroups: 16.10-16.40
- Debrief (HH): 16.40-17.00

Chapter III, Section 4 GDPR


Right to object and automated individual decision-making

[..]

Article 22
Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on
automated processing, including profiling, which produces legal effects concerning him or
her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
(b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
(c) is based on the data subject's explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall
implement suitable measures to safeguard the data subject's rights and freedoms and
legitimate interests, at least the right to obtain human intervention on the part of the
controller, to express his or her point of view and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal
data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable
measures to safeguard the data subject's rights and freedoms and legitimate interests are in
place.

Relevant Recitals

(70)Where personal data are processed for the purposes of direct marketing, the data subject
should have the right to object to such processing, including profiling to the extent that it
is related to such direct marketing, whether with regard to initial or further processing, at
any time and free of charge. That right should be explicitly brought to the attention of the
data subject and presented clearly and separately from any other information.
(71)The data subject should have the right not to be subject to a decision, which may include
a measure, evaluating personal aspects relating to him or her which is based solely on
automated processing and which produces legal effects concerning him or her or
similarly significantly affects him or her, such as automatic refusal of an online credit
application or e-recruiting practices without any human intervention. Such processing
includes ‘profiling’ that consists of any form of automated processing of personal data
evaluating the personal aspects relating to a natural person, in particular to analyse or
predict aspects concerning the data subject's performance at work, economic situation,
health, personal preferences or interests, reliability or behaviour, location or movements,
where it produces legal effects concerning him or her or similarly significantly affects
him or her. However, decision-making based on such processing, including profiling,
should be allowed where expressly authorised by Union or Member State law to which
the controller is subject, including for fraud and tax-evasion monitoring and prevention
purposes conducted in accordance with the regulations, standards and recommendations
of Union institutions or national oversight bodies and to ensure the security and
reliability of a service provided by the controller, or necessary for the entering or
performance of a contract between the data subject and a controller, or when the data
subject has given his or her explicit consent. In any case, such processing should be
subject to suitable safeguards, which should include specific information to the data
subject and the right to obtain human intervention, to express his or her point of view, to
obtain an explanation of the decision reached after such assessment and to challenge the
decision. Such measure should not concern a child.
In order to ensure fair and transparent processing in respect of the data subject, taking
into account the specific circumstances and context in which the personal data are
processed, the controller should use appropriate mathematical or statistical procedures for
the profiling, implement technical and organisational measures appropriate to ensure, in
particular, that factors which result in inaccuracies in personal data are corrected and the
risk of errors is minimised, secure personal data in a manner that takes account of the
potential risks involved for the interests and rights of the data subject and that prevents,
inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin,
political opinion, religion or beliefs, trade union membership, genetic or health status or
sexual orientation, or that result in measures having such an effect. Automated decision-
making and profiling based on special categories of personal data should be allowed only
under specific conditions.
(72)Profiling is subject to the rules of this Regulation governing the processing of personal
data, such as the legal grounds for processing or data protection principles. The European
Data Protection Board established by this Regulation (the ‘Board’) should be able to
issue guidance in that context.

Other Relevant Provision

Article 14
Information to be provided where personal data have not been obtained from the data
subject
1. Where personal data have not been obtained from the data subject, the controller shall
provide the data subject with the following information: [..]
2. In addition to the information referred to in paragraph 1, the controller shall, at the
time when personal data are obtained, provide the data subject with the following
further information necessary to ensure fair and transparent processing: […]
g. the existence of automated decision-making, including profiling, referred to
in Article 22(1) and (4) and, at least in those cases, meaningful information
about the logic involved, as well as the significance and the envisaged
consequences of such processing for the data subject.
NB: The same information must be provided where personal data are collected from the data subject (Art 13(2)(f)). The right of access by the data subject also covers this type of information (Art 15(1)(h)).

ABSTRACT FROM

University of Oslo Faculty of Law Legal Studies Research Paper Series No. 2017-20
Isak Mendoza and Lee A. Bygrave
The Right not to be Subject to Automated Decisions based on Profiling

1. Introduction
One of the most enigmatic, intriguing and forward-looking rights provided by European Union (EU) law on the protection of personal data is a qualified right for a person not to be subject to automated decisions based on profiling.
In general, profiling denotes the process of (i) inferring a set of characteristics about an individual person or collective entity (i.e., the process of creating a profile), and/or (ii) treating that person or entity (or other persons/entities) in light of these characteristics (i.e., the process of applying a profile).
The above-mentioned right primarily affects the latter facet of profiling. It has the potential to curtail the increasingly widespread use by businesses and government agencies of automated methods for categorising, assessing and discriminating between persons. These methods are instituted for a variety of ends, such as enhancing the impact of advertising, screening applicants for jobs or bank loans, and creating differentiated pricing for services. Examples include online behavioural advertising, e-recruiting, and weblining.
Over the last two decades, the right under EU law not to be subject to automated decisions based on profiling has chiefly inhered in Art. 15(1) of the 1995 Directive on data protection (Data Protection Directive or DPD). [..], it is a complex right in its formulation. It is also, in some ways, a second-class data protection right: it is rarely enforced, poorly understood and easily circumvented. Its marginality is remarkable given that we live in an era when decision making is increasingly the result of computer algorithms fed by 'Big Data' analytics.
The Data Protection Directive will soon be replaced by the General Data Protection Regulation (GDPR), which shall apply from 25 May 2018. Article 22 of the GDPR […] replicates the right in DPD Art. 15(1), but with some changes. These changes raise several questions. […]
04.09.2017

Public Governance of Data Protection in the EU
Dr Hielke HIJMANS

Summer Course ERA on Data Protection
Trier, 12 September 2017

STARTING POINTS FOR DATA PROTECTION GOVERNANCE

General characteristics of the system:
• A shared responsibility between the EU and the Member States: executive federalism.
• One law (GDPR) and harmonised interpretation and application (with exceptions).
• Heavy reliance on public enforcement with independent authorities.

Distinction of four tasks in EU data protection:
• Law making (GDPR, DPD and other instruments).
• Guidance/Interpretation of the law.
• Application and enforcement of the law (TFEU and Charter use the term "control").
• Judicial control.

EU and Member States share responsibilities

• Article 16 TFEU:
  • EU guarantees everyone's right to data protection
  • EU legislator adopts THE rules
  • Control by DPAs, mostly national authorities
• Law making = EU task; Member States legislate by delegation.
• Interpretation: strong incentives for EU harmonisation.
• Control: Member States leading.
• Result: a hybrid system reconciling national and EU prerogatives.

One law for the whole Union, but …..

• A regulation, meant as one law for the internet.
• Harmonised interpretation needed. 
• Roles for European Commission, WP29/EDPB, CJEU. 
• Harmonised application needed. 
• Roles for: Controllers, processors, DPOs, DPAs (incl EDPS), Lead DPA 
WP29/EDPB, National courts/CJEU.
• Derogations to national law: Special categories of data, Children’s age
of consent, Restrictions public interest, Freedom of expression, 
employment context (etc, etc).

Relying on public bodies
• The EU legislature: law making. 
• Member States legislatures: 
• Implementation of the GDPR; use of discretionary powers.
• Transposition of Directive 2016/680.
• National data protection authorities and European Data Protection Supervisor: “control”. 
• Concept of “Lead DPA”.
• Article 29 Working Party: interpretation.
• European Data Protection Board: control and interpretation. 
• National courts and EU Court of Justice: judicial control.
• The Commission: law making, interpretation, but no control/enforcement in individual 
cases.
• Not to forget: controllers, processors and data protection officers. They are the accountable actors that should make the system work.


Legislation
• Art 16 TFEU: an assignment for EP and Council to adopt the rules. Ordinary legislative procedure (cf. Art 39 TEU).
• GDPR (Reg 2016/679) and Directive for police/justice (Dir 2016/680): key instruments from May 2018 on.
• In the pipeline: new ePrivacy Regulation; instrument for the EU institutions.
• International agreements (under Art 216 and 218 TFEU).
• “Adequacy” and EU-US Privacy Shield.

Independent Public Bodies: DPAs
• Art 8(3) Charter and Art 16(2) TFEU: constitutional status; “control as an essential component of data protection”.
• Case law strengthening/confirming the role: infringement cases (DE, AT, HU), Schrems.
• GDPR specifying a wide range of tasks and powers (Art 57-58).
• More than control stricto sensu.
• Cooperation as an essential element of control (although not laid down at Treaty level).


DPAs operate in between EU and Member State
• DPAs: national bodies established under national law, but once 
established, they exercise tasks attributed to them primarily by EU 
law.
• Task to contribute to the level of protection in the whole EU, i.e. to the consistent application of the Regulation throughout the Union (Art 51(2) GDPR).
• National autonomy in relation to DPAs gradually diminished, even more so under the GDPR.
• This in-between status raises two types of issues:
• Legal: how to reconcile the requirements of the GDPR with national administrative law?
• Practical: how to reconcile priorities?

Variety of DPA roles
• Article 57 GDPR: supervision, advice and awareness raising.

• Leader / advisor: consultants, educators, policy advisors, negotiators.
• Policeman / enforcer: enforcement of the law; use of “hard powers”.
• Complaint handler: redress for the individual; “ombudsman”.
• Authoriser: where prior authorisation is needed, e.g. BCRs, codes of conduct and certification, prior consultation for DPIAs.

• SOURCE: CIPL 


Complete Independence
• Different from most other EU/national agencies.
• Commission v Germany, Commission v Austria, Commission v Hungary: no external influence, not bound by “guidance” of governments.
• Organisational: distance from the executive.
• Appointment procedure a critical factor.
• Schrems (para 63): examine claims with due diligence.
• Weltimmo: use of investigative powers, even if the law of another Member State is applicable.
• However, Commission v Germany (para 43): “the absence of any parliamentary influence over those authorities is inconceivable”.

Effectiveness
• 26 effective powers distinguished in Art 58 GDPR.
• High sanctioning powers (Art 83): up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher.
• Resources remain a problem.
• Proximity and effectiveness.
• DPAs free to set their own agenda, but what about effective handling of complaints? Schrems: “due diligence”.

EDPS
• The DPA for the European institutions 
• Three tasks:
• Supervision, Consultation, Cooperation
• Not expected to change after 25 May 2018
• Supervising the public sector; not an EU Agency
• Advice on all EU legislation and policies
• Cooperation on equal footing with national DPAs
• Under GDPR: provide EDPB Secretariat.
• Its own Legislative Framework, but brought in line with GDPR.   


Art 29 Working Party
• Will be replaced by the EDPB.
• Consists of national DPAs, EDPS and European Commission.
• The voice of the EU data protection community.
• Strictly advisory, no enforcement.
• Informal harmonisation through explanations of the main data protection concepts.
• Informal forum for enforcement cooperation (Google, Facebook).
• Preparation of the EDPB.


Lead DPA and One Stop Shop


• Lead DPA in Country of Main/Single Establishment. 
• Essence: Leading cooperation.
• Organise consultation and take account of its results.
• Enforcement, authorisation (e.g. BCRs).
• To lead includes exchanging information and providing mutual assistance.
• Takes decisions and implements opinions of the EDPB.
• Contact point for companies, also for the EDPB.

EDPB
• Successor of WP29: 
• Advisory tasks, emphasis on guidelines.
• Codes of conduct, certification.
• The novelty: A consistency mechanism: An additional layer of 
coordination (Artt 63‐66).
• Consistent application through opinions EDPB.
• In specific situations compulsory. 
• Normal rule however: on voluntary initiative of a DPA.  
• Binding dispute resolution by the EDPB.


EDPB and Consistency Mechanism (Art 63 + 64 GDPR)
• An additional layer of coordination.
• Art 64: Consistent application through opinions EDPB.
• In specific situations compulsory (DPIAs, codes of  conduct, BCRs, 
etc).
• Normal rule however: on voluntary initiative of a DPA.
• Outcome: Opinion of EDPB (not binding, but almost binding).
• Weakness of system. No harmonised application of the law 
guaranteed.
• Much depends on the willingness of DPAs to trigger the system.


Binding dispute resolution (Art 65)


• Task of the EDPB.
• Triggered when DPAs:
• disagree on substance (after a relevant and reasoned objection)
• disagree on the competence of the DPAs/lead DPA
• procedural rules have not been respected
• EDPB takes a decision and on that basis the lead DPA takes the “final decision”.
• Judicial review by CJEU and national judges.
• Conflicts are solved, but consistency is not guaranteed.
• How many cases a year? 

EDPB as an EU Body
• EDPB (Artt 68-76).
• New EU body with legal personality.
• Functionally separate from, but organisationally integrated in, the EDPS.
• “Chinese walls”.
• Commission is not a member; has the right to participate.
• Strong role of the Chair.
• Independence comparable to that of the DPAs.
• Tasks and duties comparable to those of the DPAs.


Judicial control by CJEU and national courts


• Decentralised system of judicial remedies.
• Remedies against the DPA (Art 78).
• Remedies directly against controllers and processors (Art 79).
• Cooperation of national courts in case of parallel proceedings (Art 81).
• Preliminary reference proceedings must play a strong role (see also the Schrems ruling).
• Direct appeals to the CJEU against the EDPB.
• Parallel proceedings before national courts.
• Class actions and recognition of privacy organisations (Art 80).

The role of the Commission


• Plays its normal role as guardian of the Treaties.
• Proposes legislation; adopts implementing and delegated acts.
• Infringement procedures.
• Certain overlap with tasks of the EDPB, dealing with consistent application of the law.
• Commission participates in meetings of the EDPB.


• THANK YOU

• Hielke.hijmans@gmail.com

The DPAs and their cooperation: how far are we in making
enforcement of data protection law more European?

Hielke Hijmans1

1. Introduction

Regulation (EU) 2016/679, better known as the General Data Protection Regulation
(“GDPR”),2 has the intention of making the enforcement of EU data protection law by
independent data protection authorities (“DPAs”), first, stronger and, second, more European.
This paper focuses on the second development: as a result of the GDPR, the enforcement by
the DPAs is becoming more European.3 This is a significant change compared to the present
structure of enforcement of EU data protection law by the national DPAs, with limited
coordination.

The GDPR does not create a system of European supervision, not even for the big internet
companies operating on a pan European or global scale. As will be explained below, the
provisions in the GDPR on DPA cooperation, on the one hand, envisage ensuring a level
playing field in the EU and, on the other hand, respect the general feature of the EU as a
mechanism of executive federalism4, where enforcement of EU law is a task of the Member
States. This dual purpose is reflected in the consistency mechanism5, which is set up more as
a mechanism for conflict solving than for proper harmonisation or consistent application of
EU law.

This paper shows that it is not easy to reconcile the purpose of creating a level playing field
with respect for the powers of national authorities. It takes the perspective that the existing
divergences in the Member States' enforcement of EU data protection law are not helpful to
[1] The author works from 1 October 2016 on as an independent consultant and researcher in the areas of
EU law and data protection. On a part-time basis, he is senior policy advisor of the Centre for
Information Policy Leadership. He thanks Herke Kranenborg and the independent reviewer for their
comments on an earlier draft.

[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free movement of
such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119/1.

[3] The Europeanisation of EU data protection law, but not specifically dealing with DPA cooperation, is
also a main theme of Orla Lynskey, The Foundations of EU Data Protection Law, Oxford University Press
2015.

[4] Koen Lenaerts and Piet van Nuffel, European Union Law, Third edition, Sweet & Maxwell 2010, at
17-002.

[5] Articles 63-66 GDPR; see Section 5 below.

guarantee a high level of control,6 as intended by Article 8 (3) of the EU Charter of
Fundamental Rights (“Charter”) and Article 16 (2) TFEU. According to these provisions,
compliance with the rules on data protection shall be subject to the control of independent
authorities. The Court of Justice regards the control as an essential element of data
protection.7

This paper discusses the weakness of the present system and the GDPR (section 2), the
increasing European dimension of the DPAs' task (section 3), the one stop shop mechanism
and the cooperation with the lead DPA (section 4) and the consistency mechanism and the
European Data Protection Board (“EDPB”) (section 5). Section 6 contains conclusions.

The article builds on the doctoral thesis of the author, entitled: "The European Union as a
constitutional guardian of internet privacy and data protection: the story of Article 16
TFEU."8

2. The weakness of the present system and the GDPR

The GDPR must remedy the situation where European citizens are dependent on the
protection by the DPA of the Member State where a controller has its establishment in the
EU. Presently, Article 4(1)(a) of Directive 95/469 provides that the applicable law is the law
of the Member State where the processing of personal data is carried out in the context of an
establishment of the data controller.10 In order to qualify as an establishment, there must be
an effective and real exercise of an activity through stable arrangements, meaning that virtual

[6] Control by DPAs comprises in any event enforcement of the law in the event of breaches, and also
includes other instruments DPAs use to promote compliance. In this paper, focusing on enforcement, the
concept of control is not further elaborated.

[7] Case C-518/07, Commission v Germany, EU:C:2010:125, at 23.

[8] An online version is available at http://hdl.handle.net/11245/1.511969. An updated and slightly
modified version is published by Springer International Publishing as: Hielke Hijmans, The European
Union as Guardian of Internet Privacy, ISBN 978-3-319-34089-0.

[9] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement of
such data, OJ L 281/31 ("Directive 95/46").

[10] See on Article 4(1)(a) also Paul de Hert and Michal Czerniawski, Expanding the European data
protection scope beyond territory: Article 3 of the General Data Protection Regulation in its wider
context, International Data Privacy Law 2016 (published online).

presence in a Member State is not enough.11 Article 28(6) of the Directive determines that a
DPA is competent to exercise powers within the territory of its own Member State.12

This establishment will in many cases not coincide with, and may even be far away from, the
country where the individual affected by a data processing operation has his or her
residence. Moreover, a company can, presently, also choose its main European establishment
in a country with a perceived low level of control by the DPA. This phenomenon of forum
shopping13 by a controller may prejudice the effectiveness of the EU system of data
protection.

These characteristics make the present legal system only as strong as its weakest link. The
example often mentioned in this context is Ireland. As McLaughlin observes, the presence of
the European headquarters of a number of multinational tech companies in Ireland 14 requires
a world class data protection regime.15 She describes an action by Digital Rights Ireland
challenging the independence of the Irish Data Protection Commissioner before the Irish
judiciary, casting doubts over the quality of the data protection regime in that Member State.

The Schrems-case is the main illustration of the dependency of EU citizens on a DPA in the
country where a controller has its EU establishment.16 The Austrian student Schrems, living
in Austria, had to make his claim concerning the processing of his personal data before the
Irish DPA. This DPA subsequently did not act, requiring Mr. Schrems to pursue his case
before an Irish Court. The case was - by way of preliminary questions of the Irish High Court
- brought before the EU Court of Justice, which ruled that it is incumbent upon a national
DPA to examine claims by individuals with “all due diligence”.17

These observations should not be read as criticism of the effectiveness of data
protection provided in Ireland as such. On the contrary, the proactive approach of civil
society in that country resulted in another landmark case of the Court of Justice (Digital

[11] Recital 19 of the Directive. See also Case C-230/14, Weltimmo, EU:C:2015:639, and Dan Jerker B.
Svantesson, The CJEU's Weltimmo Data Privacy Ruling, Maastricht Journal of European and Comparative
Law, 23 MJ 2 (2016).

[12] The interpretation of Articles 4(1)(a) and 28(6) of Directive 95/46 is at stake in the pending Case
C-210/16, Wirtschaftsakademie Schleswig-Holstein.

[13] As described by E. Chiti, An important part of the EU's institutional machinery: Features, problems
and perspectives of European agencies, CMLR 46 (2009), pp. 1395-1442, at 1412.

[14] Which includes Google, Facebook, LinkedIn and Twitter.

[15] Sharon McLaughlin, Ireland - Independence of Data Protection Commissioner Challenged by Digital
Rights Ireland, EDPL Volume 2 (2016), Issue 1, at 114-116.

[16] Case C-362/14, Schrems, EU:C:2015:650.

[17] Case C-362/14, Schrems, EU:C:2015:650, at 63.

Rights Ireland and Seitlinger)18, which was – equally to the Schrems-case – instigated by the
Irish High Court. The preliminary questions of the Irish High Court in both cases made it
possible for the Court of Justice to deliver important judgements, also covering the tasks of
the DPAs19 under Directive 95/46.

The GDPR should also be to the benefit of economic actors and contribute to the digital
single market. With a one stop shop and a consistency mechanism, EU wide operating
providers of services and goods will have one DPA as interlocutor and will be confronted
with decisions on processing operations having effect in the territory of the entire Union.
They will no longer be confronted with divergent decisions in the different Member States.
The different ways in which EU DPAs dealt with Facebook’s privacy settings illustrate the
shortcomings of the present system quite well.20

3. The European dimension of the DPAs' task increases.

Article 16 TFEU and Article 8 Charter provide, on the level of the EU Treaties, that everyone
has a right to data protection under EU law. Article 16 TFEU also provides that the EU
legislator must lay down the rules on data protection, whereas Article 8 Charter contains the
main elements of this right.

Moreover, and most relevant for this paper, both articles lay down the task of ensuring
control of the protection of the fundamental rights of privacy and data protection by the
DPAs at the level of primary EU law.

The DPAs are mostly national public authorities, established under national law.21 However,
the tasks of the DPAs are not strictly confined to the national jurisdictions, nor are their
duties and powers solely defined under national law.

Under the GDPR, the European dimensions of the role of DPAs increase. EU law will set the
standards for their establishment and functioning,22 and the cooperation mechanisms of DPAs
(e.g., within the framework of the EDPB) will also deal with enforcement of data protection

[18] Joined cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and Seitlinger (C-594/12).

[19] See also Joined cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and Seitlinger
(C-594/12), at 68.

[20] See section 4 below and David Barnard-Wills & David Wright, Deliverable 1 - "Co-ordination and
co-operation between Data Protection Authorities", www.phaedra-project.eu, at 39-44.

[21] G. González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU,
Law, Governance and Technology Series 16, 2014, Chapter 3.

[22] See the detailed provisions on DPAs in Chapter VI of the GDPR.

rules.23 Under current law, the main cooperation mechanism of DPAs - the Article 29
Working Party - only has an advisory role.

Moreover, the DPAs' task includes the obligation to contribute to a harmonised and effective
level of data protection within the wider territory of the Union. This is particularly important in
an internet environment, where dealing with cross-border effects is an inherent element of the
protection that must be given. This obligation for DPAs is also the consequence of the
recognition in Article 16 TFEU that the European Union is the appropriate platform for
dealing with privacy and data protection. Article 51(2) of the GDPR makes this obligation
explicit.24 The obligation also exists – although in a more implicit manner – under current
data protection law.25

In other words, the position of the DPAs has a national as well as a European component.
This "hybrid position"26 of DPAs has legal dimensions (the interface between requirements
under EU law and national procedural law) and also practical dimensions (conflicting
priorities).

Legal dimensions

The DPAs are national bodies established according to national law. They operate within the
national frameworks of administrative law. However, they exercise the tasks attributed to
them by EU law. Currently, this attribution of tasks by instruments of EU law is rather
general. Article 28 (3) of Directive 95/46, for instance, lays down that the DPAs should have
investigative powers, effective powers of intervention and the power to engage in legal
proceedings, but is not prescriptive as far as the precise content of these powers is concerned.

This will significantly change under the GDPR. Articles 57 and 58 thereof distinguish a wide
range of tasks and powers of DPAs. These provisions describe precisely what the tasks and
powers of the DPAs should entail, leaving - at first sight - little room for national law.
Recital 129 confirms this starting point where it is stated that "in order to ensure consistent
monitoring and enforcement of this Regulation throughout the Union, the supervisory
authorities should have in each Member State the same tasks and effective powers".

[23] See, in particular, Article 64 GDPR, on opinions of the EDPB, and Article 65 GDPR, on dispute
resolution leading to decisions by the EDPB.

[24] Article 51(2) GDPR reads as follows: "Each supervisory authority shall contribute to the consistent
application of this Regulation throughout the Union. [...]."

[25] Recital 65 and Articles 29 and 30(1)(a) of Directive 95/46.

[26] Comparable to EU agencies and certain national agencies. See Michelle Everson, Cosimo Monda and
Ellen Vos (eds), EU Agencies in between Institutions and Member States, Kluwer Law International 2014,
Ch. 1.

A closer look at the GDPR nuances this starting point, to a certain extent. In a few cases, the
attribution of powers contains a reference to national law,27 particularly to specify the extent
of the DPAs' advisory role within the national parliamentary democracies and to ensure the
embedding of the DPAs' tasks and powers in national procedural law. Moreover, Article
58(6) of the GDPR lays down that the Member States may provide the DPAs with additional
powers. A similar provision is not included in Article 57 GDPR, on DPAs' tasks, but an
opening for giving additional tasks to the DPAs under national law can be found in recital
129. Recital 129 mentions that Member States may specify other tasks relating to data
protection.

The question arises how Articles 57 and 58 relate to one of the essential features of the Union
structure, more specifically to the decentralised implementation of EU law, in what can be
referred to as executive federalism28 or the principle of national procedural autonomy.29

Executive federalism means, in essence, that in the legal system of the EU legislative tasks
are exercised at EU level and executive tasks at national level, by authorities of the Member
States. These authorities operate primarily within the national jurisdiction, the modalities for
the exercise of their tasks being determined by national constitutional systems.30

The principle of national procedural autonomy, as explained by the CJEU, leaves it up to the
Member States to organise the procedures for implementing EU law, in accordance with
requirements of equivalence and effectiveness. They must, e.g., "designate the courts and
tribunals having jurisdiction", and "lay down the detailed procedural rules governing actions
for safeguarding rights which individuals derive from European Union law."31 In short, the
Member States enjoy a procedural autonomy, although they are under an obligation to give
effect to procedural rights of individuals under EU law. This autonomy will significantly
shrink in the area covered by the GDPR, because of the precise procedural rules included in
that instrument. The same applies more or less to data protection in the police and justice
sectors, excluded from the scope of application of the GDPR, but covered by the new Data
Protection Directive.32

[27] Article 57(1)(c), Article 58(1)(f), (3)(b), (3)(c) and (4) refer to national law; Article 58(4) gives an
assignment to the national legislator.

[28] A starting point for the GDPR (see Section 1 of this article); the term is used by Koen Lenaerts and
Piet van Nuffel, European Union Law, Third edition, Sweet & Maxwell 2010, at 17-002.

[29] Case C-93/12, Agrokonsulting-04, EU:C:2013:432, at 35.

[30] Further reading: Carol Harlow, "Three Phases in the Evolution of EU Administrative Law", in: Paul
Craig and Grainne de Búrca, The evolution of EU Law (second edition), (Oxford University Press, 2011),
Chapter 15.

[31] Case C-93/12, Agrokonsulting-04, EU:C:2013:432, at 34 and 35.

[32] Articles 46 and 47 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27
April 2016 on the protection of natural persons with regard to the processing of personal data by
competent authorities for the purposes of the prevention, investigation, detection or prosecution of
criminal offences or the execution of criminal penalties, and on the free movement of such data, and
repealing Council Framework Decision 2008/977/JHA, OJ L 119/89.

In other words, the EU level (the "federal" level) intervenes in a domain that normally is
reserved to the national level (the "state" level). Arguably, this also delimits the applicability
of the principle of executive federalism in this area.

This intervention is not unique to data protection, since in other areas too EU law
determines the tasks of national authorities. An example is the EU framework for the operation
of national regulatory authorities in the electronic communications sector.33 This framework
determines in quite some detail the tasks of the national regulatory authorities, but remains general
as far as the powers of these authorities are concerned, leaving wide discretionary powers
with the Member States. Another example is the intervention by the EU legislator in the
exercise of powers by the national competition authorities. EU law gives precise rules on the
cooperation between the national authorities and the European Commission, in its role of
European competition authority.34 However, it does not specify in detail the powers of the
national authorities.

The intervention by the GDPR raises legal questions which are not necessarily solved in other
areas. The DPAs operate in a pluralist legal context, with tasks and duties under EU law and
under national law. These tasks and duties are not necessarily always compatible.

Obviously, EU law has primacy over national law in case of conflict. However, it is
not evident to what extent a national law may complement the GDPR without breaching an
obligation under EU law. Recital 129 of the GDPR declares, as explained above, that
Member States may specify additional tasks and Article 58(6) lays down that national law
may provide for additional powers of DPAs. Recital 129 and Article 58(6) do not necessarily
mean that Member States are free to add elements to powers which are provided under the
GDPR, nor that the additional powers - to the extent they are compatible with the GDPR -
can be imposed on controllers across the border, established in other Member States.

This lack of clarity can be illustrated by a provision in present Dutch law which is not
necessarily compliant with the GDPR. In the Netherlands, the DPA will be bound by the
GDPR, but it is also an administrative authority that falls within the scope of the General

[33] Chapter II of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002
on a common regulatory framework for electronic communications networks and services (Framework
Directive), OJ L 108, 24.4.2002, as amended by Directive 2009/140/EC and Regulation 544/2009. Article
3(2) of the Directive lays down that powers must be exercised impartially, transparently and in a timely
manner, without specifying what these powers are.

[34] Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on
competition laid down in Articles 81 and 82 of the Treaty, OJ (2003) L 1/1, mainly Chapter IV.

Administrative Law Act.35 This Act contains a chapter with specific rules on enforcement.
An important instrument in this chapter is a specific remedial sanction. Under Article 5.32 of
the Act, an administrative authority which is entitled to take enforcement action may instead
impose on the offender an order backed by a periodic penalty payment (a "dwangsom", comparable
to the French astreinte). If the offender does not remedy the offence, the penalty sum becomes payable.

Such an alternative is not envisaged in the list of corrective powers of Article 58(2) GDPR.
The question arises whether this alternative, which plays a significant role in the practice of
the Dutch DPA will still be available under the GDPR. Arguably, this alternative strengthens
the enforcement and would therefore be in line with the objectives of the GDPR. However,
one could also defend that an essential element of consistency as envisaged by the GDPR, is
its exhaustive list of remedial sanctions.

An example of cross border enforcement can be found in the situation of Weltimmo,36 where
a controller targeted consumers in another Member State (Hungary) than where it was
registered (Slovakia).37 The Court accepted a flexible definition of establishment confirming
the competence of the Hungarian DPA because the controller specifically targeted Hungarian
residents. This would however, not necessarily mean that - after the GDPR has become
applicable - the Hungarian DPA could also use its additional investigative or enforcement
powers vis-à-vis a controller in the other Member State.

Practical dimensions

A DPA has, like any other public authority in times of austerity, scarce resources. As reported
by the EU's Fundamental Rights Agency in 2010, understaffing and lack of financial
resources resulted in a situation where European DPAs did not carry out all their tasks.38
Insufficient resources are a recurring issue in the policy debates on data protection, and the
Article 29 Working Party even proposed to include a quantitative formula in the GDPR,
guaranteeing sufficient resources for a DPA in each Member State, e.g. based on the size of
the population.39

Hence, choices have to be made on how to use scarce resources in the most efficient way.
Obviously, the European dimension of the task of DPAs may collide with their tasks within
[35] Algemene Wet Bestuursrecht (AWB), see:
https://www.rijksoverheid.nl/documenten/besluiten/2006/06/21/engelse-tekst-awb.

[36] Case C-230/14, Weltimmo, EU:C:2015:639.

[37] As explained by Dan Jerker B. Svantesson, The CJEU's Weltimmo Data Privacy Ruling, Maastricht
Journal of European and Comparative Law, 23 MJ 2 (2016).

[38] Fundamental Rights Agency, 2010, Data Protection in the European Union, the role of National Data
Protection Authorities, at 5.1.1.

[39] Article 29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposals -
WP 191, at 17.

the national jurisdiction. To put it simply, a DPA will be requested to investigate a case by
the authority in another Member State, for instance in the cooperation procedure between the
lead supervisory authority and other supervisory authorities laid down in Article 60 GDPR.
The requested DPA is under an obligation to provide assistance,40 also where the request will
require considerable resources. This obligation could, in a wider sense, also be based on the
principle of sincere cooperation,41 one of the founding principles of the EU project.

At the same time, the DPA should ensure a high level of data protection within its own
national territory. Since the DPAs are national authorities, their primary task is to ensure
protection for the residents within their respective Member States. For example, if a big
security breach occurs within the national territory, spending considerable resources in
investigating this breach would be most logical. A DPA would find it difficult to suspend this
investigation in order to be able to give assistance to a peer in another Member State.

Moreover, as far as DPAs are accountable vis-à-vis democratic institutions, this is primarily
accountability before national parliaments. As the Court of Justice underlined, although
DPAs should be completely independent, "the absence of any parliamentary influence over
those authorities is inconceivable."42

This accountability vis-à-vis the elected bodies in the Member States, and also the influence
of the public opinion in the Member State where a DPA is established, may be an incentive to
the DPAs to prioritise national cases.

In the absence of what Weiler calls a European demos,43 the primary loyalty of people - and,
hence, also of national authorities - will be national.

This incentive may be contrary to the objectives of the GDPR to enhance the European
dimension of the role of the DPAs and to encourage the consistent application of the
Regulation.

How far does the changing position of DPAs make the control more European?

It is beyond doubt that the European dimension of the position of DPAs becomes more
dominant, under the GDPR. The legal as well as the practical dimensions described above
demonstrate that much is still uncertain, but the trend seems clear. The DPAs will need to
operate more as European authorities and, hence, to a certain extent, give up their national
identities.

40. See, in particular, Article 60 GDPR.

41. Article 4(3) Treaty on European Union.

42. Case C-518/07, Commission v Germany, EU:C:2010:125, at 43.

43. As described by Paul Craig in Paul Craig and Grainne de Búrca (eds), 2011, The Evolution of EU Law
(second edition), Oxford University Press, at 15.

However, the GDPR also confirms the situation where the national DPAs remain in the
driving seat, as responsible for the enforcement of EU data protection law within national
territory. Some tasks will be given to the EDPB, an EU body with legal personality,44 yet the
EU legislator ensured that the national DPAs are fully in charge of this new body.

This attitude of the EU legislator is illustrated by the fact that, where the Commission
proposal contained some provisions with a - limited! - centralising effect, these provisions did
not make it to the final text of the GDPR.

For instance, in order to ensure that the EU perspective would be sufficiently taken into
account, the Commission itself was given the possibility to provide an opinion in cases before
the EDPB. The EDPB had to take the utmost account of this opinion.45 Moreover, the
European DPA - the EDPS - was supposed to become the statutory vice-chair of the EDPB.46
However, these provisions did not survive the legislative procedure and, on the contrary,
Article 68(6) GDPR now even contains a limitation of the voting rights of the EDPS, in cases
where the EDPB will take a binding decision.47

It is against this background that this paper suggests that the EDPB bring clarity on the
consequences of the changing position of the DPAs by means of guidelines,
recommendations or best practices, in order to encourage consistent application of the GDPR,
as foreseen in Article 70(1)(e) thereof.

4. The one stop shop mechanism and the cooperation with the lead DPA

The structured cooperation mechanism of Chapter VII, Section 1, of the GDPR is the
example par excellence of the ambition of the EU legislator to reconcile two goals - a level
playing field and respect of powers of the national authorities - which are hardly fit for
reconciliation.

Where the processing of personal data takes place in more than one Member State, one single
DPA should act as a one stop shop for controllers and processors. This one single DPA will
be the DPA of the main establishment - or the single establishment - of the controller.48

This DPA will be the sole interlocutor for the cross-border processing carried out by a
controller or processor.49 This DPA, acting as lead supervisory authority, will have the
exclusive competence to take binding enforcement decisions.50 This is the first key element
of the one stop shop mechanism.

44. Article 68(1) GDPR; see Section 4 below.

45. Article 59 of Commission Proposal for a GDPR, COM (2012) 11 final.

46. Article 69(1) of Commission Proposal for a GDPR, COM (2012) 11 final.

47. Article 68(6) GDPR, containing a reference to the dispute resolution mechanism of Article 65.

48. The concept of establishment was explained by the CJEU in Case C-230/14, Weltimmo, EU:C:2015:639. It is
characterised as a flexible concept: Dan Jerker B. Svantesson, The CJEU's Weltimmo Data Privacy Ruling,
Maastricht Journal of European and Comparative Law, 23 MJ 2 (2016), at 336.

The mechanism has a second key element: close cooperation between this lead supervisory
authority and all other concerned authorities. Articles 56 and 60 GDPR specify in detail the
competences of the lead authority and how the cooperation of the lead authority with other
DPAs should be conducted.

This structured cooperation mechanism allows other concerned DPAs to raise objections, but,
at the end of the day, all DPAs concerned are bound by the decision of the lead DPA.51 This
is a novelty compared to the current regime under Directive 95/46, where the same data
processing operation may be subject to diverging enforcement actions initiated by DPAs in
various Member States.52 An obvious ongoing example of divergence, already indicated
before, is the enforcement relating to Facebook's terms and policies on personal data and
cookies. Some DPAs cooperate within a contact group,53 but the DPA of the country where
Facebook has its EU establishment (Ireland) is not part of this contact group. In Belgium, the
national privacy commission sued Facebook before a national court54 for alleged
infringement of Belgian law. In Germany, a case involving the DPA of a German Land is
pending before the Federal Administrative Court, which has referred preliminary questions
to the Court of Justice.55

The new rules, however, prevent the lead DPA from acting without considering the views of
other DPAs involved. This also responds to the criticism that the one-stop shop would lead to
an exclusive competence of one DPA and not to a structured system of cooperation between
DPAs.56

49. Article 56(6) GDPR.

50. See mainly Articles 56(1) and 60 GDPR.

51. See mainly Articles 60 and 65 GDPR. The final decision of the lead DPA may result from dispute resolution by
the EDPB, in case a DPA raised a relevant and reasoned objection.

52. Some cases of enforcement cooperation, e.g. in relation to Google and WhatsApp, are explained in David
Barnard-Wills & David Wright, Deliverable 1, "Co-ordination and co-operation between Data Protection
Authorities", www.phaedra-project.eu.

53. See David Barnard-Wills & Vagelis Papakonstantinou, Deliverable 2.2, Best Practices for cooperation
between EU DPAs, www.phaedra-project.eu, at 2.1.2.

54. Ruling of the Dutch-speaking Court of First Instance in Brussels of 9 November 2015, Nr 15/57/C; Ruling of
the Court of Appeal of Brussels of 29 June 2016, Nr 2016/5747.

55. BVerwG 1 C 28.14 OVG 4 LB 20/13; CJEU, Case C-210/16, Wirtschaftsakademie Schleswig-Holstein.

56. E.g., European Data Protection Supervisor, Opinion of 7 March 2012 on the data protection reform package,
at 237.

The Commission proposal mentioned the main reasons for this mechanism: to increase the
consistency in the application of the data protection rules, to provide legal certainty and to
reduce the administrative burden for the controllers and processors of personal data.57 In
essence, consistent enforcement of data protection rules across Europe should enhance legal
certainty of companies and reduce costs, also because it prevents multinational companies
from having to deal with divergent enforcement decisions. The strong emphasis on the
importance of the mechanism for companies is confirmed by the link the Commission makes
between the one stop-shop mechanism – and the consistency mechanism discussed below –
and the digital single market.58

The advantages for the protection of the individual

The consequences for the individual seem to be of less importance, at least in the justification
given by the Commission.

Of course, the one stop shop mechanism also strengthens the position of the data subject,
because of the following secondary effects: creating legal certainty, protection in an equal
way, and preventing forum shopping by data controllers and processors choosing the
perceived most lenient DPA.

Moreover, the mechanism is triggered in situations of cross border processing, which
specifically extend to a processing activity "which substantially affects or is likely to
substantially affect data subjects in more than one Member State."59 A data subject who is
(likely to be) substantially affected has the assurance that the DPA in the Member State where
he or she resides is involved. He or she is also entitled to lodge a complaint in this Member
State.60 This means, for instance, that Mr Schrems would no longer have to involve the Irish
DPA, but could directly lodge a complaint in his country of residence, Austria. If he were
dissatisfied with the result, he could bring the case before an Austrian administrative tribunal,
which would save high costs.

This mechanism implements the concept of proximity, which is a specification of a basic
principle of the Treaty on European Union, namely that decisions are taken as closely as
possible to the citizen.61 Proximity played a role in the debate during the legislative procedure
on the GDPR and is set to enhance the effectiveness of the fundamental rights protection.62

57. Recital 97 of Proposal for a Regulation of the European Parliament and of the Council on the protection of
individuals with regard to the processing of personal data and on the free movement of such data (General
Data Protection Regulation), COM (2012) 11 final.

58. Communication from the Commission to the European Parliament, the Council, the European Economic and
Social Committee and the Committee of the Regions, Safeguarding Privacy in a Connected World: A European
Data Protection Framework for the 21st Century, COM (2012) 9 final, at 7-8.

59. Article 4(23) GDPR.

60. Article 77(1) GDPR, mentioning the habitual residence as well as the place of work.

61. Article 1(2) TEU.

However, at the end of the day proximity is not fully guaranteed by the GDPR. A decision on
a processing operation will be taken by the lead DPA and this decision will be subject to
judicial review in the Member State of the lead DPA.

It will be interesting to see how the combination of these various elements works out in
practice. To be more concrete: a data subject may lodge a complaint before the DPA in the
country of residence. If his or her complaint is not upheld, he or she can appeal before a
tribunal in that same Member State.63 It is not evident how this tribunal will deal with this
appeal when the contested operation is subject to an enforcement decision of the lead DPA in
the Member State of establishment of the controller or processor. It will be even more
complicated when data subjects in several Member States bring cases before national courts
concerning the same breach of data protection law. This situation could, for instance, occur in
connection with the privacy settings of EU-wide operating service providers on the internet.
Although recital 144 of the GDPR gives some indication of how to deal with parallel
proceedings in more than one Member State, it does not give clarity on the outcome.

How far does the one stop shop and the cooperation with the lead DPA make the control
more European?

The essence of the one stop shop is to leave the responsibility for enforcement of data
protection with the national DPAs.64 It is not meant as centralizing enforcement. The
mechanism, however, could have a harmonising effect, because it strengthens the
enforcement cooperation between DPAs.

Moreover, the cooperation mechanism also provides for mutual assistance between DPAs and
for joint investigations and enforcement measures of DPAs of different Member States.65
These provisions should contribute to a more consistent approach within the EU.

The mechanism could have a harmonising effect, but this is not a priori evident. It will
depend on how the lead authority interprets its role. Would a lead authority, for instance,
give priority to cases where the effect of its enforcement actions will be mainly noticeable in
other Member States? The GDPR includes a correction mechanism - the dispute resolution by
the EDPB, as explained below -, but it remains to be seen to what extent this correction will
work in practice.

62. Council of the European Union, various Council documents on the Council Public Register, re Interinstitutional
file 2012/0011 (COD), e.g. 18031/13 (19 Dec 2013, full version on lobbyplag.eu), 14788/1/14 (13 Nov 2014).

63. Article 78(3) GDPR.

64. Paolo Balboni, Enrico Pelino and Lucio Scudiero, 2014, "Rethinking the one-stop-shop mechanism: Legal
certainty and legitimate expectation", Computer Law & Security Review 30 (2014) 392-402.

65. Articles 61 and 62 GDPR.

Will, for instance, a policy of non-intervention prevail in the practices of the DPAs or would
DPAs indeed be prepared to draft relevant and reasoned objections to positions taken by their
peers?66 The GDPR contains incentives, yet no guarantees.

5. The consistency mechanism and the EDPB

Articles 63-66 GDPR provide a consistency mechanism.67 The purpose of this consistency
mechanism is to contribute to the consistent application of the Regulation throughout the
Union, although one may question whether all elements of the consistency mechanism are fit
for purpose.68

The key player in the consistency mechanism is the EDPB that will be established by Article
68(1) of the GDPR as a body of the EU with legal personality.

The EDPB is the successor to the Article 29 Working Party and will consist of
representatives of the national DPAs and of the European Data Protection Supervisor
(EDPS). The EDPB will play a formal role in the enforcement of EU data protection law, in
contrast with the Article 29 Working Party, which only has an advisory role. This formal role
normally ends with a non-binding - but probably persuasive - opinion of the EDPB.
Sometimes, it may result in a binding decision, in cases where the EDPB resolves a dispute
between DPAs.69

Ensuring consistency is the first of a long list of tasks of the EDPB, specified in Article 70 (1)
of the GDPR. Whereas most of these tasks are of an advisory nature,70 in line with the
activities of the Article 29 Working Party under present law, the consistency mechanism is
intended to be a part of data protection enforcement. Recital 135 stipulates that the
mechanism "should in particular apply where a supervisory authority intends to adopt a
measure intended to produce legal effects as regards processing operations which
substantially affect a significant number of data subjects in several Member States". This
confirms that this mechanism relates to the enforcement of data protection law.

The consistency mechanism potentially extends to all activities on the internet within the
scope of European Union law, which includes the offering of services and goods and the
monitoring of behaviour by non EU based controllers.

66. Wording taken from Article 65(1)(a) GDPR.

67. See also Orla Lynskey, The Foundations of EU Data Protection Law, Oxford University Press 2015.

68. Particularly the dispute resolution mechanism of Article 65 GDPR, as explained below.

69. Article 65 GDPR.

70. NB: not all of the other tasks have an advisory nature. See, e.g., Article 70(1)(o), on the accreditation of
certification bodies.

This does not mean that all activities within this wide scope are finally scrutinised by the
EDPB or even less that the EDPB ultimately decides, but in all these cases the EDPB may be
informed and it may be called upon to act. Article 64 (2) GDPR provides that any DPA - and
also the Chair of the EDPB or the European Commission - may request that the Board
examines any matter of general application or producing effect in more than one Member
State.

This mechanism – which was substantially amended during the legislative process – is a
further instrument to regain control over data processing operations on the internet. The
consistency mechanism consists of two pillars, distinguished in Articles 64 and 65 GDPR. To
be complete, the mechanism also comprises an urgency procedure simplifying the procedural
rules, in exceptional circumstances (Article 66 GDPR).

The first pillar is the more genuine form of consistency. Where a DPA wishes to consult its
peers before taking an enforcement decision, it submits a request to the EDPB, as mentioned
before, in accordance with Article 64(2) GDPR. This request is a way to implement the
obligation of a DPA to contribute to harmonised and effective data protection in the EU. The
DPA verifies the positions of its peers in the EDPB and - normally - follows the position
taken by the EDPB. There is no obligation to follow the EDPB's opinion, yet a DPA should
take the utmost account of it.71

However, this first pillar has some ambiguous - or in stronger terms: weak - elements. First,
there is no obligation for a DPA to consult the EDPB. This obligation exists in a few specific
situations, notably acts in connection to data protection impact assessments, codes of
conduct, accreditation, standard data protection clauses or contractual clauses, or binding
corporate rules.72

However, there is no obligation to involve the EDPB in the normal enforcement context, in
individual cases of alleged breaches of data protection law. In this context, there is not even
an obligation to inform the EDPB. Although recital 135 stipulates that the mechanism should
apply where a DPA intends to adopt an enforcement measure that substantially affects a
significant number of data subjects in several Member States, the mechanism is presented as
optional in Article 64(2) GDPR.

Second, the EU legislator gives the impression that Article 64(2) is meant for the situation
where a DPA does not properly cooperate with a peer cross border, not where it has a
different view on substance.73 This impression follows from the references to mutual
assistance and joint operations; it is not fully evident and is not supported by the text of
recital 135, but it is nevertheless there.

71. Article 64(7) GDPR.

72. Article 64(1) GDPR.

73. Article 64(2) reads, where relevant: "[....] in particular where a competent supervisory authority does not
comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in
accordance with Article 62."

The second pillar is the dispute resolution mechanism of Article 65 GDPR, which will lead to
a binding decision by the EDPB resolving disputes between DPAs. This dispute may arise on
the substance of a case handled within the one stop shop mechanism, on the competence of a
DPA in a specific case, or in cases where a DPA does not comply with some of the
obligations of Article 64 GDPR. The decision in the dispute resolution mechanism is,
primarily, binding upon the concerned DPAs. On the basis of this decision, the lead DPA (or,
in some situations, another involved national DPA) takes a "final decision".74 However, this
somewhat ambiguous drafting does not mean that the initial decision of the EDPB cannot be
challenged by other concerned parties. As recital 143 explains, controllers, processors or
complainants can challenge the EDPB decisions before the Court of Justice, in accordance
with Article 263 TFEU.

How far does the consistency mechanism make the control more European?

The consistency mechanism as originally proposed by the Commission aimed at contributing
to the mandate of Article 16 TFEU, in compliance with the requirements of effectiveness.75
However, as the negotiations in the European Parliament and the Council reveal, the
legitimacy of the envisaged mechanism raises questions relating to the absence of a
communis opinio regarding its rationale.

The need for clear and uniform rules for businesses providing legal certainty and minimising
the administrative burden was a reason for the Commission to propose the reform of the legal
framework for data protection, which is expected to stimulate economic growth, create new
jobs and foster innovation.

The regulation as proposed by the Commission was supposed to do away with the fragmented
legal environment resulting not only from divergences between the rules themselves, but also
from the diverging control of the rules.76 A level playing field requires a uniform law as well
as uniformity in the enforcement.

However, the outcome of the legislative process is less ambitious. Whereas the Commission
saw a level playing field as an important rationale of the consistency mechanism,77 the
outcome is mainly a conflict-solving mechanism, to avoid problems where the views of the
DPAs in a specific case may diverge. Article 64(2), despite its ambiguity, can also be seen
as a system for solving conflicts and, possibly, a system encouraging DPAs to cooperate
effectively.

74. Article 65(6) GDPR.

75. Effectiveness is a general requirement of EU law: Koen Lenaerts, Ignace Maselis and Kathleen Gutman,
2014, EU Procedural Law, Oxford University Press, at 4.05.

76. Communication from the Commission to the European Parliament, the Council, the European Economic and
Social Committee and the Committee of the Regions, Safeguarding Privacy in a Connected World: A European
Data Protection Framework for the 21st Century, COM (2012) 9 final, at 2, 7-9.

77. See in particular the procedure foreseen in Article 58(3) of the Commission proposal.

Hence, the consistency mechanism does not ensure the correct and uniform application of the
regulation within the wider territory of the European Union.78

The difference between the aspirational goal of the Commission and the outcome of the
legislative process is explained as follows. The Commission aimed at ensuring that a specific
processing operation – for instance an internet application – is not judged in divergent
manners in the Member States and that the supplier of this application is confronted with one
decision applicable in the whole European Union. In addition, a decision should also be
consistent with decisions taken in other cases and hence contribute to the uniform (and
correct) application of EU data protection law.79 The second purpose is connected to the
obligation of DPAs to contribute to a harmonised and effective level of protection in the
European Union, stipulated in Article 51 (2) GDPR and explained above.

The less ambitious outcome may be the result of other contributions to the legislative process
in reaction to the Commission proposal. To start with, the Article 29 Working Party was
critical of the Commission proposal: the “mechanism should ensure consistency in matters
only there where it is necessary, should not encroach upon the independence of national
supervisory authorities and should leave the responsibilities of the different actors where they
belong”.80 The Working Party considered that the consistency mechanism should only be
triggered where the DPAs do not reach consensus on the assessment of the case and/or
measures to be taken.81 This position underscores the more limited ambition. A harmonised
level of protection within the EU did not seem relevant for the Working Party. This was also
due to the fact that the Working Party is opposed to a role of the Commission in the
procedure82 and seeks to limit the caseload.83

78. See in particular the procedure foreseen in Article 58(4) of the Commission proposal.

79. To be complete, the Commission proposal also foresees a role for the consistency mechanism in procedures
not relating to individual cases, such as the adoption of a list of the processing operations subject to prior
consultation and various procedures relating to the transfer of personal data to third countries (Article 58(2)
of the proposal).

80. Article 29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposals, WP
191 (23.03.2012), at 20.

81. Article 29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposals, WP
191 (23.03.2012), at 20.

82. In the same sense, European Data Protection Supervisor, Opinion of 7 March 2012 on the data protection
reform package, at 248-255.

The view that the consistency mechanism should be limited to cases of disagreements
between authorities in a specific case seemed to be shared by the European Parliament. One
of the amendments of the European Parliament limited the consistency mechanism to cases of
serious objections of an authority to a draft measure of another authority, the ‘lead
authority’.84 A similar approach is taken by the Council. In individual cases, relevant and
reasoned objections and conflicting views may trigger the consistency mechanism.85

This paper submits that the consistency mechanism would only succeed in neutralising the
fragmented legal environment if both aspirational goals, as intended by the Commission, are
achieved. This would allow the EDPB to grow into a centre of excellence of data protection
in the EU, operating in close cooperation with the EDPS and combining the European and the
national perspectives. It would also enable the EDPB to operate on the EU level as a focal
point for data protection enforcement and to become the main interlocutor for global
companies operating on the internet and, for instance, also for regulators in other domains.
For instance, the synergies between enforcement of EU data protection law and EU
competition law86 would be easier to deal with if the European Commission in its role as
enforcer of EU competition law had a strong interlocutor in the domain of data protection, at
EU level.

All this is not impossible under the GDPR, in view of the fact that the DPAs have a wide
discretion to decide which cases they refer to the consistency mechanism. They might have
good reasons to do so, if only because an opinion of the EDPB can be seen as supporting
good governance by DPAs, in compliance with the principle of sincere cooperation enshrined
in Article 4(3) of the Treaty on European Union.

In more pragmatic terms, the EDPB can be of help, where the resources of a DPA are limited.
Especially for DPAs in smaller Member States, it may be attractive to involve the EDPB.

6. Conclusions

The GDPR has only been adopted very recently. At this stage, it is not possible to give a
definitive answer to the question whether the GDPR successfully reconciles the ambition of
creating a level playing field with the purpose of respecting the powers of the national data
protection authorities.

83. In the same sense, European Data Protection Supervisor, Opinion of 7 March 2012 on the data protection
reform package, at 245.

84. Amendment 167, introducing a new Article 58a, European Parliament legislative resolution of 12 March
2014 on the proposal for a GDPR (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)).

85. Article 57(3)(a) and (b) of the Council general approach (Council document 9565/15 of 11 June 2015).

86. See on this European Data Protection Supervisor, Preliminary Opinion of 26 March 2014 on "Privacy and
competitiveness in the age of big data: The interplay between data protection, competition law and consumer
protection in the Digital Economy".

One thing is clear. The text of the GDPR leaves much room for discrepancies between the
enforcement practices of the Member States. This being said, the GDPR also presents the
opportunities for a genuine consistent approach on data protection in the EU. In this
perspective, there is no reason to conclude that the provisions in the GDPR on DPA
cooperation are a glass half empty. Based on several arguments in this paper, one should
rather state the opposite: the GDPR is a glass half full.

It is a further step towards better and more harmonised data protection enforcement in the
EU. The GDPR contains a number of incentives to become a success. Much will depend on
how the cooperation mechanisms of DPAs will be put into practice. Will this practice be
based on national reflexes and policies of non-intervention, or will the cooperation be
characterised by giving priority to consistency and mutual cooperation in view of the fact that
the huge challenges posed by the internet, big data and mass surveillance can only be faced
through common efforts?

As said, the GDPR contains incentives and creates the EDPB as a potentially strong and
effective body. This paper pointed before at Article 70(1)(e) GDPR, which gives a basis to the
EDPB to issue guidelines, recommendations and best practices, in order to encourage
consistent application of the GDPR. It is suggested to use this provision as a concrete
instrument to stimulate the DPAs to use the cooperation mechanisms in a proactive manner
and, for instance, to specify the situations where the DPAs should invoke the consistency
mechanism on the basis of Article 64(2) GDPR.

Success should, of course, be measured by the impact the GDPR will have on the level of the
protection of the individual as envisaged by Article 8 Charter and Article 16 TFEU. The
future will tell.

Georgia Skouma
Georgia Skouma – Risk Advisory

Profession: Enterprise Legal Adviser (ICT and privacy law)

Current Employer: Deloitte Reviseurs d’Entreprises, Belgium / Risk Advisory Services

Current Position: Legal Director, Risk Advisory Services (working with Deloitte since October 2006)

Specialization: European Law

Areas:
- Privacy & Data Protection / Data governance
- Identity management & document management
- Digital Economy at large (e-commerce, e-business, cyber security)
- Standardization

Summary of Role and Qualifications in the Data Protection Area:

Former member of the Brussels (Belgium) and Athens (Greece) Bars, I practised as lawyer
specialised in Information Technology, Communications and Privacy Law until September 2006.

My role as business legal adviser with Deloitte is to help corporate clients and the public
sector develop and implement risk-based solutions and procedures to meet their legal
obligations in a number of areas, especially in the provision of information society services,
the gradual de-materialization of their business through innovation and data governance.

(Personal) data protection and ICT law are the key areas of the consulting services I have
been providing with Deloitte over the last ten years. I assist leading multinational companies,
SMEs and the public sector in assessing their level of compliance with the requirements of
the data protection regulatory framework and best business practices in this area. On top of
that, I guide my clients in designing business processes and data management practices
which align with the European and local prerequisites and the recommendations of local
regulators (i.e., local data protection authorities).

The geographic scope of the projects I am involved in with Deloitte is wider than Belgium.
Regarding my privacy-related assignments, I advise clients (if necessary, with support of
selected local legal advisors) with queries and project implementation in many other
countries all over the world, in Europe, Middle East, Asia and Latin America.

The data protection assignments I have been involved in usually include:

- Organization and conduct of legal/privacy audits
- GDPR quick scans / assessments
- Advice in the implementation of new technology systems and tools that involve personal
  data processing or which may have an impact on privacy
- Assistance before regulators and Employee Works Councils
- Registrations related work / Design of data inventories
- Cross-border personal data flows / Contractual clauses & BCR design
- Policy and documentation editing, incl. contracts review
- “Right to be forgotten” & assistance in the design of data retention/archiving schemes &
  data classification programs
- Data analytics, Internet of Things, cyber-crime and mass surveillance
Relevant For corporate clients


Project  For a lead financial institution in Belgium and the Netherlands, support in the
Experience design of a GDPR-compliance program through a gap assessment and
remediation plan.
 For a Belgian provider of insurance services, assistance in defining the
company’s GDPR program based on a gap and risk assessment of their
company’s current practices and internal regulations on personal data
protection.
 For a major financial institution with headquarters in Belgium, assistance in
the implementation of a data leakage prevention program in line with GDPR
requirements and best industry practices. For the same institution,
assistance in the design of the company’s global GDPR program.
 For a lead banking company in Belgium, support in the design of a
benchmarking study related to information/transparency requirements
towards their clients. Amongst others, assistance in updating the company’s
on-line privacy statement in line with GDPR requirements.
 For a network operator of electricity and gas, assistance in the conduct of a
Privacy Impact Assessment of the smart metering system and advice on
remediation actions. The project involved tackling smart meter
implementation taking into account sector-specific and GDPR requirements.
 For a global leader in the manufacturing and selling of pharmaceuticals,
drafting of a global handbook (guidebook) relating to the processing of
personal data by HR.
 For a provider of electronic communications services, advice on national laws
applicable to rights of access, retention and disclosure of electronic
communications and personal data, incl. duties of co-operation of ISPs with
local police and prosecution authorities.
 For a leading company in the leisure and hospitality sector, assistance in the drafting of Binding Corporate Rules. The assignment covers all facets of the BCR preparation, from the drafting of the Rules to the establishment of a communications plan to have them approved by all regional offices and the group’s properties (hotels), as well as the client’s representation before regulators.
 For the same client as above, assistance almost on a monthly basis in
advising on the privacy aspects of investigations conducted by third parties
(police, other investigative authorities) or the internal forensics team.
 For one of the major distributors of funds and other financial products, with
offices in Continental Europe, Asia and the US, conduct of a privacy
assessment program to understand the company’s compliance with data
protection rules.
 For the same client as above, assistance in understanding the “right to be
forgotten” and other new concepts introduced by the GDPR.
 For a leading banking institution in Belgium, advice in the design and
implementation of a Data Protection Program at global level. Assistance in
the program’s roll-out in the major affiliates of the group.
 For a leading private equity company based in the US, assistance in making
the company’s privacy program compliant with EU rules and industry best
practices. On-going advising work on the implementation of the program in
the company’s affiliates and representative offices in Europe.
 For a multinational pharmaceutical group with European presence in Switzerland and Germany, assistance in reviewing the privacy program and identifying gaps and areas for improvement. Building of training materials adapted to national/regional privacy legislation for Europe and the other continents.
 For a big car manufacturer, review of the privacy program of the company to ensure consistency with requirements addressed in the company’s Binding Corporate Rules (BCR) program (currently under design).
 For the leading provider of e-communications services in Belgium, advice in
assessing the privacy and document management practices of the company
and drafting a roadmap for improving legal compliance. Both the B2B and
B2C aspects of the project were tackled.
 For a provider of electronic communications services, advice on national laws
applicable to rights of access, conservation and disclosure of electronic
communications and personal data, incl. duties of co-operation of ISPs with
local police and prosecution authorities.
 For many companies, esp. finance institutions, advertising companies and
telecommunications companies, advice in voice (call) recording practices
operated either through call centers or by company’s own technical
equipment.
 For many companies, esp. healthcare institutions and mobile operators,
advice on the use of cookies on companies’ websites, customer profiling on-
line techniques and behavioral advertising.
 Regular advice on customer opt-in/opt-out requirements in the marketing
and CRM practices of electronic communications operators developing an
international market.
 For a leading finance institution based in Belgium with an international
network of affiliates and branches worldwide, carrying out of a data privacy
assessment project with the aim to strengthening the group’s practices in the
area of personal data protection.
 For an international pharmaceutical company, advice in the implementation
of a CRM application and an on-line customer complaint-handling solution.
 For a leading worldwide hotel chain, guidance in the implementation of several innovative marketing tools, incl.: on-line booking solutions, automated applications to report and share on-line customer preferences, centralization of customer databases and on-line complaint-handling procedures, etc.
 For a pharmaceutical global company based in the US with affiliates all over
Europe: conduct of a high-level “sanity check” of the company’s content on
the web, in particular of terms and conditions. Jurisdictions the advice
focused on: the Benelux, France, and Germany.
 For a multinational pharmaceutical company, advice on the centralization of
internal electronic communications systems, notably the feasibility under
applicable various national IT and privacy laws.
 For a US-based multinational measurement company, advice on the
implementation of a B2B marketing portal and the implementation of various
behavioral tracking on-line procedures. For the same company, guidance on
the progress of implementation of cookie laws in Europe.
 For various clients, advice on electronic advertising, esp. unsolicited
commercial communications via emails, SMS and telephones. Scrutiny of the
legislative progress on this topic in all countries in Europe, with the
assistance of Deloitte legal network.
 For a company of the hospitality sector, advice on the privacy risks and
conditions that should be fulfilled while working with market research
companies, marketing service providers or social networks.

For EU Institutions
 For the EU Commission, DG Justice, project lead in the preparation of an
impact assessment of the e-Privacy Directive, with a view to assess the
need of revision of this legal instrument (study just published at:).
 For ENISA, lead and main core expert in the preparation of a study on
personal data clouds (definition, legal requirements and best practices).
 For ENISA, lead and main core expert in the preparation of a stock-
taking project on the initiatives and practices European countries have
taken to foster information exchanges in the area of information
security.
 For the European Commission, DG TAXUD, member of the core team
working on a feasibility study about the introduction of a Tax
Identification Number (TIN) to all European taxpayers (ongoing).
 For the European Commission, DG Employment, leader of the legal track
working on a project relevant to the setting up of an automated platform
for the exchange of social security documents between social security
administrations of 30 countries (ongoing).
 For the European Commission, DG Research and Innovation, legal expert
in a study looking into the deployment of an electronic researcher’s card
for all EU-based researchers.
 For the European agency on Interoperability Solutions for European
Public Administrations (ISA), definition of the legal restrictions on the
creation of electronic base-registries and e-services portals available to
public administrations for cross-border use.
 For the European Agency on Network and Information Security (ENISA),
quality control reviewer and legal expert to a study on the definition of measurements and metrics on the assessment of the resilience of public e-communications networks, incl. the design of a “good practice” handbook on the same topic.
 For the European Agency on Network and Information Security (ENISA),
legal adviser on the design of policy requirements for the organization of
national CERT(s).
 For the European Parliament, drafting of the Privacy Policy and guidelines
for its implementation.
 For Frontex, drafting of the agency’s privacy and security policies, incl. a
master plan on how privacy requirements should be met in the light of
the adoption of the revised Frontex regulation in September 2011.
 For the European Commission, DG Information Society, contribution as
legal expert in the Deloitte project team to assess the compliance of
software filtering solutions used to protect the use of internet by
children.
 For the European Commission, DG Enterprise, core legal expert and
project manager in carrying out a pan-European study on the
harmonization of the regulatory framework relating to B2B e-
marketplaces.
 For the European Commission, DG Information Society, core legal expert
in the European "electronic signatures" study on the implementation
progress of the Electronic Signatures Directive in 30 European countries
and on the needed revision of the current e-signatures legislation.
 For the European Commission, DG Internal Market, core legal expert in
the European "e-payments" study on the security of European e-
payment systems.
 For the European Commission, DG Enterprise, provide support at the
carrying out of the feasibility study on the set-up of a European Bridge
CA (Certification Authority) in the framework of the IDA programme
("Interchange of Data between -public- Administrations").

For CEN
 As CEN Workshop Manager: responsible for CEN’s standards-setting
initiatives in the areas of: electronic signatures/trust service providers,
privacy/data protection, e-commerce.
 As external expert: Involvement in the DPP Workshop as reviewer of
deliverables: Model clauses to implement art. 17 of EU Data Protection
Directive (CWA 15292) and Baseline Audit Framework (CWA 15499-1).

National Authorities and public sector organizations
 For the Flemish government in Belgium, legal advice in the feasibility
study of a number of applications based on the use of the e-ID signature
with a view to enhancing information exchange and submission of
documents between the Flemish administration and Belgian citizens.
 For the operator of the Belgian railways, legal advice in a project aiming
at reinforcing the confidentiality culture within the organization through
the implementation of a set of actions (policy, legal and technical) aiming
at enhancing the organization’s level of data privacy, as well as physical
and IT security.
 For the same organization, assistance in the conduct of a PIA of their
CRM application and the design of data inventories/data flow analysis
relating to this system and according to GDPR requirements.
 For the operator of the electricity grid in Belgium, legal advice in the
design and implementation of an e-archiving program covering the
organization’s more critical and costly information systems and
applications.
 For the incumbent e-communications operator in Belgium, assistance in
the design of a data retention strategy and email archiving guidelines to
company’s staff.

Previous work experience & trainings

 DLA Piper Law Firm, Belgium: ICT and Media law, Associate (years: 2003-2006).
 Bogaert and Vandemeulebroeke law firm (Landwell): ICT and IP law, Associate (years: 2000 to 2003).
 European Standards Committee (Comité Européen de Normalisation, CEN), Workshop Manager (years: 1998 to 2000).

Georgia’s traineeships as lawyer in Belgium and Greece were with renowned firms and the public sector, namely:
 European Commission, Belgium: internship with DG Energy
 Legal Counsel of State, Ministry of External Affairs, Greece: internship in
litigation before the EU Court of Justice.
 Conseil d’Etat, Greece: internship in administrative / public law
 Lovells law firm, Belgium: internship in energy law and EU competition
 Foussas law office, Greece: internship in criminal litigation.

Education

1996-1998
Research on Doctoral thesis in Human Rights Law
Law faculty, ULB, Belgium

1997-1998
Master in Maritime and Aviation Law
Law faculty, ULB, Belgium

1994-1995
Master in European law
Institut d’Etudes européennes, ULB, Belgium

1989-1993
Law degree; Cum Laude
Athens Law School, Greece

Professional Qualifications and Affiliations

Before joining Deloitte:
Lawyer, Member of Athens Bar (since 1994)
Lawyer, Member of Brussels Bar (List A, since 2000)

Professional Involvements

Speaker at:

European Law Academy, Data Protection Summer School, Sept. 2016
European Law Academy, Data Transfers conference, January 2016
Conferences, client seminars, webinars. Latest subject matters include several themes in relation to the new General Data Protection Regulation (GDPR), Privacy Impact Assessments, and the design of Privacy Programs for companies or governments.
International Union of Lawyers, speaker during the Data Protection Seminar organized in the European Court of Justice, Luxembourg, Sept. 2014.
Privacy in the Digital Age, 3-day international conference organized by the Kosovar Data Protection Authority under the auspices of the European Commission, January 2015.

Author, co-author or reviewer of:

The principal changes of the new legislative framework on personal data
protection (GDPR) and their practical impact on business and professionals, Les
enjeux européens et mondiaux de la protection des données personnelles,
Larcier edition 2015.
On-line behavioral tracking: What may change after the legal reform on personal
data protection in Reforming European Data Protection Law, editors S.Gutwirth,
R. Leenes, P. de Hert, Springer, 2014.
Unfair commercial practices in B2B e-marketplaces, EU Commission 2006
Personal Data Protection Audit Framework, PriceWaterhouseCoopers
Netherlands, 2006
Data Protection and RFID: A difficult marriage? Journal of Computer, Media and
Telecommunications Law, 2005.
Protection des données personnelles et informatisation des services de santé:
notions contradictoires ou complémentaires, Healthcare Executive, n°. 34, June
2007.
Lead editor of Privacy Flash, Deloitte on-line news, at:
http://www2.deloitte.com/be/en/pages/risk/articles/privacy-flash-2016.html

Language Ability

 English: fluent
 French: fluent
 Greek: fluent (native)
 Dutch: understanding
 German: good (reading/understanding) / basics (writing/speaking)

Summer Course on European Data Protection Law, Sept. 2017

The private governance framework: How to design a corporate compliance strategy on personal data protection

1
GDPR challenges & impact on company’s governance

© 2017 Deloitte Belgium ERA Summer School 2017 2


Data Protection for business – Factual changes & challenges

• Technology today is allowing companies to gain important competitive advantages through cross-border and inter-departmental sharing of (personal) data.

• Privacy cannot be tackled anymore as only a legal, compliance or IT issue. It requires a fresh, more holistic approach combining all of the above aspects in a pragmatic manner.

• To this end, the General Data Protection Regulation has been approved, harmonising the current fragmented legal framework for data privacy across Europe and introducing a high level of protection for individuals.

• Along with the opportunities, specific privacy challenges have surfaced for organisations requiring robust privacy governance:

 new requirements and challenges for legal and compliance functions,
 changes to the ways in which technologies are designed and managed,
 clear information management and control of information,
 renewed emphasis on organisation’s accountability.

Data Protection for business: Changes in governance landscape

Data Protection Governance
• Has many facets: organizational and data governance are two of the most important
• Organizational governance will set out the people and means to drive data protection compliance
• Data governance will support the execution, the monitoring and communication of data
• Data governance and organizational governance will both ensure that the accountability obligation is met
• Data Protection Governance is ultimately all about the design, tailoring and maintenance of a Data Protection/GDPR Program

Awareness – Employee awareness
• The education of the employees (support & business lines) in order to keep track of GDPR guidelines in daily activities
• Advisory functions must explain what GDPR implies (Controller, Processor, Inventories, Accountability…)
• Organize and monitor compliance with GDPR

Processes & architecture – Change in processes and architecture
• The client communication channels are continuously evolving
• New technologies are adapted
• Numerous data transfers between applications, partners and various forms of data usage

Risks & Legal – Risks
• Evaluate the risks associated with non-compliance
• Decide on risk acceptance level
Risks & Legal – Legal notice
• Review and adapt the ‘privacy guidelines’ on all channels used by your clients, partners and prospects

Planning – Yet another project among ongoing projects
• How to become GDPR compliant keeping cost-efficiency in mind
• How to deliver within the pre-defined period?
• How to mobilize resources for yet another transformation program?

GDPR requires a multidisciplinary and holistic approach


Becoming compliant - Action items
Changes triggering updates
If not yet in place and if applicable to your organization, consider how you can adapt or implement the following new operational requirements:

• Appoint a DPO
• Document each processing of personal data
• Implement the right to portability (internal / external)
• Create a PIA methodology
• Create a third party assessment methodology
• Determine which processes require a prior consultation
• Create privacy training and awareness
• Set up a data breach management procedure
• Implement Access right procedure (including rectification, erasure and objection)
• Focus on Processing based on automated decision making (including profiling)
• Implement the processing based on consent
• Review Information notice
• Agreements with third parties processing personal data
• Review Data security

Becoming compliant
Companies' reactions today

The GDPR has evoked a number of reactions amongst European companies. The major types of reaction are listed below:

REACTION A – Explore the waters
• Almost all companies try to understand GDPR requirements and seek a pragmatic interpretation
• They are now preparing their GDPR vision and solicit advice on the “to be” organizational model

REACTION B – Explore degree of readiness
• 80% and above are eager to learn their degree of readiness to comply with GDPR
• They have expressed their willingness to carry out
− High-level horizontal GDPR Impact Assessments
− GDPR Quick Scans & Gap Assessments
• 40%, being the most mature ones, take concrete steps to implement new requirements (inventories, DPO function, etc.)

REACTION C – Wait and see
• Only with regard to certain specific GDPR requirements, the majority of companies adopt a “wait and see” approach
• This means waiting before implementing certain GDPR requirements until the moment additional guidance has been provided from EU level or below (ex. data portability, codes of conduct, seals)

How to design the privacy compliance strategy?



GDPR Program: building blocks
GDPR mainly impacts four layers of a company’s operating model
Information Security and Risk Management

Governance, organisation & people
Adopt an organizational model in the company including the division of labor, coordinating, interrelationships and responsibilities

Processes
Processes allow the company to deliver value to customers in a repeatable and scalable manner

Data
Individuals and teams within the company tasked with data governance and data management will be challenged to provide clearer, more proactive oversight on data storage, journeys, and lineage

Technology
New GDPR requirements will mean changes to the ways in which technologies are designed and managed, including a focus on profiling and security

Focus on governance & organisation
Privacy governance program (1)

Main regulatory impacts / challenges

Accountability
• Even though the GDPR abolishes the need of notifying the supervisory authorities, it introduces the explicit obligation on the controller as well as the processor to be able to demonstrate their compliance with the GDPR (e.g. through performing data protection impact assessments, using data protection by design and by default approaches, keeping records of processing activities, …).
• Companies will have to appoint a Data Protection Officer in certain cases (public authorities, when monitoring data subjects on a large scale, when processing special categories of data…).

Recommended solutions: Adopt an organizational model: define roles and responsibilities
• Assess whether the company is obliged to, or may, appoint a DPO
• Design alternative options for the organizational model (e.g. Privacy office)
• Define the prevailing model and fine-tune its details
• Define how to interact and communicate with other business units & departments (Legal, HR, IT)
• Define actions for formal adoption of the model and execute those (e.g. need to document model and responsibilities, if yes in which document, etc.)

Focus on governance & organisation
Privacy governance program (2)

Main regulatory impacts / challenges

Accountability
• Even though the GDPR abolishes the need of notifying the supervisory authorities, it introduces the explicit obligation on the controller as well as the processor to be able to demonstrate their compliance with the GDPR (e.g. through performing data protection impact assessments, using data protection by design and by default approaches, keeping records of processing activities, …).
• Companies will have to appoint a Data Protection Officer in certain cases (public authorities, when monitoring data subjects on a large scale, when processing special categories of data…).

Recommended solutions: Roll out privacy assessment exercises
• Identify and review checklists or other materials used internally for assessment exercises (audits)
• (If missing) design the conformity assessment template, questionnaires and relevant checklists
• Organize the conformity assessment plan (prioritization of processes subject to assessment, timelines, scope, form of processes, e.g. combination of f2f assessment vs. QU-based assessment)

Focus on governance & organisation
Privacy governance program (3)

Main regulatory impacts / challenges

Accountability
• Even though the GDPR abolishes the need of notifying the supervisory authorities, it will introduce the explicit obligation on the controller as well as the processor to be able to demonstrate their compliance with the GDPR (e.g. through performing data protection impact assessments, using data protection by design and by default approaches, keeping records of processing activities, …).
• Companies will have to appoint a Data Protection Officer in certain cases (public authorities, when monitoring data subjects on a large scale and when processing special categories of data).

Recommended solutions: Work on the implementation of the Minimum Standard on data retention
• Select 6-10 business processes to define a) the business’ concrete data retention practices currently followed; b) rationalized data retention requirements for both paper and on-line repositories and c) business data retention expectations
• Design a Data Retention Framework (in alignment with the technical work that has to be done in tandem)
• Design an activities’ roadmap with the specific actions to be taken in the short and longer term
• Design a Data Retention/Data Archiving Guideline with practical do’s and don’ts for business on data deletion/retention

Focus on governance & organisation
Privacy governance program (4)

Main regulatory impacts / challenges

Data subjects’ rights
• Existing rights of individuals are reinforced and further specified, including the right of access, rectification, restriction, erasure, objection to processing and the right not to be subject to automated processing and data profiling.
• The GDPR introduces the right to data portability.

Recommended solutions: Define a procedure on how to satisfy customer privacy rights
• Define the stakeholders to be involved in the task to confirm today’s practices and define needs for the future (Marketing, Communications, Legal, Front Office, Customer Service, etc.)
• Design the relevant procedures (access, objection/blocking of data and rectification)
• Design the templates to be used by business and customers to ensure effective exercise of the rights
• Design the internal procedure (back-office) to ensure that the company manages customer requests regarding their privacy rights effectively

Focus on governance & organisation
Privacy governance program (5)

Main regulatory impacts / challenges

Enforcement
• Data Protection Authorities (DPAs) already have investigative, corrective, advisory and authorisation powers.
• Data Protection Authorities (DPAs) will soon be entitled to impose administrative fines ranging between 2 to 4% of the group’s worldwide annual turnover of the preceding financial year or EUR 10 to 20 million, whichever is higher, for infringements of data subject rights, non-compliance with an order of the DPA or the obligations of the controller and processor.

Recommended solutions: Define clear communication channels with the DPAs
• Sustain the communication and the implementation with an appropriate level of sponsorship
• Document and enforce sustaining policies (data management, privacy, security…)
• Conduct risk assessment and PIA and be ready to share the conclusions on demand with authorities
• Take mitigation actions and follow them up

Focus on governance & organisation
Privacy governance program (6)

Main regulatory impacts / challenges

Consent
• Spelled out more clearly, with a focus on the ability of individuals to distinguish a consent.
• Special regime for children under 16, where consent will have to be given or authorized by the holder of parental responsibility over the child. This age may be lowered to 13 by member states.

Recommended solutions: Update and review statements
• Edit and publish a new (General) Privacy Statement
• Synchronise changes in the “product-specific” privacy statements
• Update other privacy-related documentation
• Check & review data processing registrations’ work
• Check and update the specific cookie statement
• Checklist maintenance (determine the owner of the Privacy Statement Checklist and determine review times & procedure, incl. periodical review of “points of improvement”)

GDPR program: what are companies practically doing?

Becoming Compliant – Process
A structured approach helps companies mobilize and avoids the risks of over-analysis and getting lost in details

Current-State Assessment
• Scoping: “What processes or elements to assess?”
• Methodology: “How to assess against a legal text?”

Roadmap
• Work Package Structure: “Where to start and how to ‘slice’ intertwined tasks?”
• Ownership: “Who is accountable for any given work package?”
• Sizing: “How much time and budget to allocate to each issue?”

Program Structure, Mobilization, and Execution
• Governance: “Who sponsors, owns, executes the remediation program?”
• Centralization: “How much local autonomy do BUs and countries get?”

Open discussion & your questions


ERA Summer School 2017

ISO Privacy Family

PRACTICAL WORKSHOP III: How to build a Data Protection Impact Assessment (DPIA) – Georgia Skouma
ERA – Summer Course on European Data Protection Law
How to build a Data Protection Impact Assessment (DPIA)

What is a PIA and building blocks 2

The PIA process 13

Case Studies 16

Conclusion 17

Annex 20

How to build a Data Protection Impact Assessment (DPIA) – ERA Summer course 2
How to build a Data Protection Impact Assessment (DPIA)
Introduction & building blocks

Introduction
What is a PIA? (art. 35 GDPR)

A Data Protection Impact Assessment (DPIA, referred to here also as PIA) is an assessment of the impact of the processing operations on the data subject’s protection of personal data.

Required
• At the introduction of new operations, applications, systems
• Must occur before implementation & roll out of applications

When
• Systematic and extensive automated evaluation of natural persons (including when profiling)
• Processing on a large scale of sensitive data
• Systematic monitoring of a publicly accessible area on a large scale

Content
• Can be one per single operation or set of operations
• It is NOT a single document
• It is a PROCESS reflected in documentation that MUST be maintained

Building blocks
Required information

Description of the envisaged processing
Description of the processing operations and the purposes, including, where applicable, the legitimate interests pursued by the data controller.

Proportionality and necessity
An assessment of the necessity and proportionality of the processing in relation to the purpose.

Risk analysis
An assessment of the risks to the rights and freedoms of data subjects.

Measures and safeguards
The measures in place to address risk, including security, and to demonstrate that the Data Controller is complying with GDPR.

Building blocks
Description of the envisaged processing

Example of description of a processing operation (figure)
Risk analysis
Legal requirement

“A DPIA is a form of risk management. When conducting a PIA, an organisation is systematically considering how their project will affect
individuals’ privacy.” – ICO PIA Code of Practice

Recital 75 of GDPR refers to the risks of varying likelihood and severity related to “rights and freedoms of natural persons resulting from
personal data processing”. The WP29 has specified an even broader scope, including risks to freedom of speech, freedom of thought, freedom
of movement, prohibition of discrimination, right to liberty, conscience and religion.

Although these descriptions are rather broad in nature, they can practically be translated into a specific set of technological and organizational
measures such as encryption, access control and authorization.

Risk analysis
Risk management methodology

Organisations can leverage existing risk management and risk assessment methodologies. These assessments can for example be built upon the ISO/IEC 27005 risk management process embedded in the ISO/IEC 27001 information security management system.

Although existing risk management processes may provide a basis for a DPIA, attention should be paid that the privacy requirements as defined under GDPR are added to the scope of the assessment.

Develop/refresh risk universe: Identify and define the key risks faced by the company (through interviews, monitoring KRIs and emerging risks, environmental scans, scenario analysis, etc.)

Identify priority business risks: Identify a manageable number of priority business risks having the most direct and significant impact on the ability of the company to achieve its strategy.

Conduct risk assessment: Assess the potential impact and likelihood of priority business risks using interviews, surveys, workshops, etc.

Evaluate results and rank risks: Analyze results and commentary from the risk assessment and determine the overall risk rating.

Develop and execute mitigation plans: Plan additional mitigation activities needed and any relevant key indicators and thresholds; implement identified actions.

Monitor mitigation plans: Periodically monitor progress against developed risk mitigation action plans.

Periodic reporting: Reports to Executive and Board (or Board committee) semi-annually.

(Cycle diagram: Develop/refresh risk universe → Identify priority business risks → Conduct risk assessment → Evaluate results & rank risks → Develop & execute mitigation plans → Monitor mitigation plans, looping back to Develop/refresh risk universe)

ISO/IEC 27005 Risk assessment process


Risk analysis
Risk rating

Every risk should be assessed using consistent and meaningful risk rating criteria in order to prioritise the risks and map adequate measures to
mitigate them.

The risk is the product of severity and likelihood:

1. Severity (impact): compliance impact, reputational impact or material impact (on business turnover, sales, competition, etc.), for both companies
and individuals.

2. Likelihood: what are the chances that the risk materialises?

High: there is a high chance that the risk materialises, and the impact on the individuals or the company is severe.

Medium: there is a fair chance that the risk materialises; however, even if it does, the negative impact on the individuals or the company is serious but can be addressed with medium cost/effort.

Low: it is unlikely that the risk materialises, and even if it does, the negative impact on the individuals or the company can be addressed easily.

Measures and safeguards
Mitigation strategy

The measures and safeguards documented in a DPIA are the result of the risk assessment performed in an
earlier stage. Depending on the impact and likelihood of a certain risk, taking into account the risk
acceptance criteria and the cost/benefit analysis, organisations should determine a mitigation strategy.

“Organisations need to identify possible privacy solutions to address the risks that have been identified” – ICO PIA Code of Practice

“Privacy Risk Management, which allows to determine the adequate technical and organizational controls to protect personal data” – CNIL PIA manual

“In risk management terms, a DPIA aims at “managing risks” to the rights and freedoms of natural persons, using the following three processes, by:
- establishing the context: “taking into account the nature, scope, context and purposes of the processing and the sources of the risk”;
- assessing the risks: “assess the particular likelihood and severity of the high risk”;
- treating the risks: “mitigating that risk” and “ensuring the protection of personal data”, and “demonstrating compliance with this Regulation”” – Article 29 Data Protection Working Party

Measures and safeguards
Mitigation strategy

Risk reduction
The level of risk is managed by introducing, removing or altering controls so that the risk is reduced through a lower impact or a lower likelihood.

Risk retention
The decision to retain the risk without further action is taken on the basis of the risk evaluation. If the level of risk meets the risk acceptance criteria, there is no need to implement additional controls and the risk can be retained.

Risk avoidance
The activity or condition that gives rise to the particular risk is avoided.

Risk sharing
The risk is shared with another party that can manage the particular risk most effectively (e.g. an insurance company). Note that sharing shifts the financial consequences for the organisation; it does not by itself lower the risk to the data subjects.

Risk mitigation strategies

Measures and safeguards
Risk reduction

Risk reduction is the process of reducing a risk to an acceptable level by implementing adequate technological or organisational measures (controls).

Organisational measures
• Privacy Governance
• Privacy Management
• Policies, standards, procedures
• Training & Awareness
• Strategy and Vision
• Privacy by Design (DPIA)
• Contract reviews
• …

Technological measures (Privacy Enhancing Technologies (PETs))
• Automatic anonymization
• Encryption
• Cookie-cutters
• Platform for Privacy Preferences (P3P)
• eXtensible Access Control Markup Language (XACML)
• Identity and Access Management
• Data Loss Prevention
• …

How to build a Data Protection Impact Assessment (DPIA)
The process

The process
High level DPIA steps

1. Scope determination
2. Necessity analysis
3. Privacy risk assessment
4. Gap assessment
5. Risk treatment
6. Conclusion

Methodologies
Existing guidance and methodologies

• Article 29 Data Protection Working Party: Guidelines on DPIA and determining risk
• DPA France (CNIL): PIA guidelines
• DPA France (CNIL): Privacy Risk Treatment – Good Practices
• DPA UK (ICO): Conducting PIAs – Code of practice

Case Studies

Conclusion

Practical “to do’s” to take away
Case studies 1 & 2

• Learn as much as you can about the application / system / operation subject to PIA
• Involve all relevant stakeholders: operational and IT teams, application owners, business
users and 2nd line support team (IT, Legal, Compliance, DPO…)
• Request the company’s risk assessment methodology and if there isn’t, design one using
regulatory guidance and widely-acknowledged standards
• Have the PIA signed off by company’s management
• Review the PIA assessment and its findings at pre-defined intervals

Notification to the supervisory authority
When should the supervisory authority be notified?

“Whenever a data controller cannot find sufficient measures (i.e. when the residual risks are still high),
consultation with the supervisory authority will be necessary.” - WP29 DPIA Guidelines

The residual risk determines whether the supervisory authority must be consulted. The residual risk is the risk score taking into account the mitigating controls.

[Figure: the six DPIA steps (1 scope determination, 2 necessity analysis, 3 privacy risk assessment, 4 gap assessment, 5 risk treatment, 6 conclusion); the residual risk left after risk treatment drives the decision to consult]
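The rating scale (likelihood times severity), the four treatment options and the residual-risk rule described above can be put into a small risk register so that the "consult the supervisory authority?" decision falls out of the numbers rather than out of a discussion. The following Python is an added example written for this edition; it is not code from the course materials or from any of the cited guidance. Its 1-to-3 scale, the banding of the product onto high/medium/low, the per-control reductions and the sample risks (constructed from the two case studies that follow) are all assumptions for illustration.

```python
"""Toy DPIA risk register (added example, not from the ERA slides).

Turns the slides' likelihood x severity rating into numbers, applies the chosen
treatment and controls, and flags the WP29 'residual risk still high' case that
triggers prior consultation of the supervisory authority (Art. 36 GDPR).
The 1..3 scale, the high/medium/low banding and the per-control reductions are
assumptions for illustration; the sample risks are constructed, not real."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # levels by which the control lowers likelihood
    severity_reduction: int = 0    # levels by which it lowers the impact


@dataclass
class Risk:
    description: str
    likelihood: Level
    severity: Level
    treatment: str = "reduce"      # reduce | retain | avoid | share
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        # The slides: risk is the product of severity and likelihood.
        return int(self.likelihood) * int(self.severity)

    def residual_levels(self) -> tuple:
        # Controls lower likelihood and/or impact; clamp the result to the 1..3 scale.
        lik = int(self.likelihood) - sum(c.likelihood_reduction for c in self.controls)
        sev = int(self.severity) - sum(c.severity_reduction for c in self.controls)
        clamp = lambda v: Level(max(int(Level.LOW), min(int(Level.HIGH), v)))
        return clamp(lik), clamp(sev)

    def residual_score(self) -> int:
        if self.treatment == "avoid":
            return 0  # the activity giving rise to the risk is not carried out
        # 'retain' and 'share' leave the risk to the data subjects unchanged:
        # insurance shifts the company's financial exposure, not the harm to
        # individuals, so only implemented controls change the score.
        lik, sev = self.residual_levels()
        return int(lik) * int(sev)


def rating(score: int) -> str:
    """Assumed banding of the 0..9 product onto the slides' high/medium/low scale."""
    if score == 0:
        return "none"
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def needs_prior_consultation(register) -> list:
    """WP29: consult the supervisory authority when the residual risk is still high."""
    return [r.description for r in register if rating(r.residual_score()) == "high"]


def build_sample_register() -> list:
    """Constructed sample risks, loosely based on the course's two case studies."""
    mcc = Control("Model Contract Clauses with the US group entity", severity_reduction=1)
    pseud = Control("Pseudonymise visitor identifiers before the CRM feed", likelihood_reduction=1)
    scope = Control("Limit DLP scanning to corporate shares; exclude private folders", likelihood_reduction=1)
    return [
        Risk("Agile profiling data fed to a CRM hosted in the US without a transfer tool",
             Level.HIGH, Level.HIGH, controls=[mcc, pseud]),
        Risk("DLP scanning exposes employees' private files on PC hard drives",
             Level.MEDIUM, Level.HIGH, controls=[scope]),
        Risk("Visitors profiled on the bank's website without being informed",
             Level.HIGH, Level.MEDIUM),  # no control chosen yet
        Risk("Extending Agile tracking to visitors who have not logged in",
             Level.MEDIUM, Level.HIGH, treatment="avoid"),
    ]


def report(register) -> list:
    """One row per risk: inherent and residual score with their ratings."""
    return [
        {"risk": r.description,
         "inherent": r.inherent_score(), "inherent_rating": rating(r.inherent_score()),
         "residual": r.residual_score(), "residual_rating": rating(r.residual_score())}
        for r in register
    ]


if __name__ == "__main__":
    reg = build_sample_register()
    for row in report(reg):
        print(f"{row['inherent']}->{row['residual']} ({row['residual_rating']}): {row['risk']}")
    print("Prior consultation needed for:", needs_prior_consultation(reg))
```

Two points the register makes visible: a control that only lowers one factor can leave a 9 at 6, i.e. still "high", so two complementary controls (here a transfer tool plus pseudonymisation) are needed before the residual drops to "medium"; and a risk with no control attached keeps its inherent score and is the one that ends up on the consultation list.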

Annex:
Methodologies
ISO/IEC 29134 - Privacy Impact
Assessment

ISO/IEC 29134 - Privacy Impact Assessment
Family of privacy standards

Framework
• ISO 29100:2011 Privacy Framework (freely available; Privacy Reference List: http://www.din.de/en/meta/jtc1sc27)

Management
• ISO 29134 Privacy Impact Assessment Methodology
• ISO 29190 Privacy Capability Maturity Model

Technology / Controls
• ISO 27002:2013 Code of practice for information security management
• ISO 29151 Code of practice for PII protection
• ISO 27018:2014 Code of practice for PII protection in public clouds acting as PII processors
• ISO 29101:2013 Privacy Architecture Framework
• ISO 29191:2012 Requirements for partially anonymous, partially unlinkable authentication
ERA Summer School 2017
PIA
Case Study 1

In an effort to increase its market share and to offer truly personalised services to its clients, a renowned
German bank, member of a multinational retail banking group, wants to implement personalised
advertising on its website. The company's Marketing and Communications team has created
an algorithm that tracks all the web pages a user has visited on the bank's website.
This solution, called Agile, identifies and retrieves all the content a user visited the last
times he logged on to the company's website and targets him with advertisements relating to that
content. For example, if a website user has looked at the credit products the bank offers and even filled out
an online form for more information, Agile will target the visitor with customised advertising the next time
he visits the website, for example by offering the user a reduced interest rate on a loan to
buy a car or a house. Moreover, all data collected through Agile will automatically feed a
global CRM application that is used by all customer service teams of the banking group and that is
hosted at the company's headquarters in the US.

The management committee asks several questions to the IT & Compliance teams regarding data
protection; in particular, they would like to know under which conditions the company can implement
the tool and what measures it should take to make the implementation of Agile compliant with GDPR
rules.

Moreover, they are wondering whether they are obliged to conduct a PIA for this application and if yes,
to identify the relevant risks and mitigating measures.

Can you help them?

--------------------------------------

QUESTIONS (to answer with the help of Annex)

1] What questions would you ask to define whether a PIA is mandatory in this case?

2] What questions would you ask to define the risks to the data subjects?

3] What questions would you ask to define the risks to the German bank, the group or other parties?

4] Can you help the Legal team to identify and risk-rank the related risks based on the table below?


Data Protection Requirement | Risk to Individuals | Risk to company / group, other persons | Risk ranking (high, medium, low) | Mitigation measure

Annex


Examples of relevant data protection risks

Examples of Corporate Risks

Case Study 2

A big financial organisation, with several affiliates and agencies worldwide, is concerned about cyber-attacks
and particularly the leakage of information it considers strategically important and business sensitive.
Its IT team presents to the group's management the idea of implementing a new DLP (Data Loss
Prevention) application. After appropriate tailoring, the application can screen all
incoming and outgoing e-mails transferred through the company's corporate network, as well as
all "static" information (data and files kept in company folders and drives, including employee PC
hard drives, etc.).

The management committee asks several questions to the IT & Compliance teams regarding data
protection; in particular, they would like to know under which conditions the company can implement
the tool and what measures it should take to make the implementation of the DLP solution compliant
with GDPR rules.

Moreover, they are wondering whether they are obliged to conduct a PIA for this application and if yes,
to identify the relevant risks and mitigating measures.

Can you help them?

--------------------------------------

QUESTIONS (to answer with the help of Annex)

1] What questions would you ask to define whether a PIA is mandatory in this case?

2] What questions would you ask to define the risks to the data subjects?

3] What questions would you ask to define the risks to the financial organisation, the group or other parties?

4] Can you help the Legal team to identify and risk-rank the related risks based on the table below?

Data Protection Requirement | Risk to Individuals | Risk to company / group, other persons | Risk ranking (high, medium, low) | Mitigation measure

Annex


Examples of relevant data protection risks

Examples of Corporate Risks

Daniel Drewer
Biographical Details – Daniel Drewer

Daniel Drewer is Head of the Data Protection Office of the European Police Office (Europol). He holds a Master's degree in Law from the University of Hamburg (Germany).

Daniel Drewer worked as legal advisor for a media group before starting further professional training at the Hanseatic Court of Appeal. During this time he was seconded to Eurojust, Europol and the Data Protection Authority of the City of Hamburg.

At Europol, his first post was as a lawyer in the area of corporate standards. He went on to become Confidentiality Officer, with responsibility for data security, the handling of classified information and security clearances. After that he became Head of the Data Protection and Confidentiality Unit, with responsibility for policy and information assurance regarding the processing of law enforcement data at Europol.

Since 2010 he has been Data Protection Officer for Europol, an agency of the EU, and Head of the Data Protection Function.

July 2017
05.09.2017

1
05.09.2017

2
05.09.2017

3
05.09.2017

4
05.09.2017

5
05.09.2017

6
05.09.2017

7
05.09.2017

8
05.09.2017

9
05.09.2017

10
ERA Summer Course on Data Protection Law

Practical Workshop IV: The role of the DPO in practice –


a simulation exercise

Tuesday 12 September 2017 – Daniel Drewer

1. Aim

The aim of the simulation exercise is to provide a practical example of the main challenges of the
function of Data Protection Officer. The simulation's goal is to apply in practice the main data
protection principles as enshrined in the GDPR.

2. Case study

You are the Data Protection Officer of an organisation that would like to introduce an IT system
designed to collect and store, by automated means, information on the working hours, supplementary
working hours (overtime) and absences of employees.

The proposal comes to you for assessment and evaluation on a Thursday afternoon. The colleague
from Human Resources stresses the importance of the file, since the financial auditors asked the
organisation to implement such a system a long time ago. Management has therefore approved the
purchase of the related IT software and hardware (smartcards, badge scanners, etc.). The IT and Security
department has indicated that the system could be operational next Monday. Only the green light from
the DPO is missing. The Director has invited the DPO to a meeting on Friday morning to discuss
the urgency of the file.

3. Considerations

What would you advise the business?

What would you propose as a way forward?

What further procedural steps have to be undertaken before the implementation of the new
processing operation?

Is the proposed measure proportionate and necessary?

What measures are going to be taken to ensure that infringements of the rights to private life are
limited to a minimum?

How would you provide sufficient information about the monitoring that takes place to employees?

What about consent?


Dear all,

I promised the participants a link to an article (in German only unfortunately).

And here it is: http://www.faz.net/aktuell/feuilleton/datenschuetzer-die-ueberforderte-zunft-11961683.html

Have a good weekend,

Daniel

Daniel Drewer
Head of Unit – Data Protection Function
Data Protection Officer
Eisenhowerlaan 73, 2517KK
The Hague, Netherlands
Phone: +31 (0) 70 353 1149

My out of office message does not reply to externals.


Julien Debussche

Julien is a senior associate in the Bird & Bird Brussels office specialised in Technology, Media
& Telecommunications, Privacy & Data Protection and Intellectual Property.

He regularly undertakes both advisory work and litigation in a wide range of legal
areas including privacy and data protection, copyright, e-commerce, e-marketing and IT
contracts. Julien assists clients in information and technology related matters such as cloud
computing, big data, the Internet of Things, 3D printing, cookies, electronic signatures,
intermediary liability and online gaming.

Moreover, Julien managed the legal aspects of the CoCo cloud EU-funded research and
innovation project on cloud computing until end-2016 and currently manages the entire legal
compliance of the 6M€ Toreador EU-funded research and innovation project on big data.

Julien writes and speaks widely on various IP and TMT subjects.

He recently co-authored the book "Vers un droit européen de la protection des données ?"
published by Larcier, where he focused on companies' compliance obligations.

Before being admitted to the Brussels Bar and joining Bird & Bird in 2011, Julien obtained his
Law degree at the University of Louvain. His international experience is strengthened through
his participation in the CBL International China Law School at Tongji University in Shanghai.

GDPR Challenges of New Technologies

Julien Debussche
Senior Associate, Bird & Bird LLP, Brussels office
julien.debussche@twobirds.com
September 2017

This work was partly supported by the EU-funded project TOREADOR (contract n. H2020-688797)
Table of Contents

● About me
● About CoCo Cloud & TOREADOR
● Overview of key aspects of the GDPR
  • Principles
  • Roles of Actors
  • Grounds for Processing
  • Rights of Individuals
  • Accountability
  • International Data Transfers
  • Security & Breach Notifications
  • Anonymisation and Pseudonymisation
● Overview of "disruptive technologies"
  • Cloud Computing
  • Big Data
  • Internet of Things
  • Artificial Intelligence
● Analysis of selected data protection issues
  • Contractual arrangements between key actors
  • Grounds for processing
  • Purpose limitation and further processing
  • Accountability: privacy-by-design & by-default
  • Anonymisation & pseudonymisation
● Data Ownership: introduction to the issue

© Bird & Bird LLP 2017 This work was partly supported by the EU-funded project TOREADOR (contract n. H2020-688797)
About me

• Brussels-based lawyer since 2011
• Specialised in
  • Technology
  • Media & Telecommunications
  • Privacy & Data Protection
  • Intellectual Property
• Advisory work and litigation (at national and EU level)
• Managed the legal aspects of the CoCo cloud EU-funded research and innovation project on cloud computing until end-2016
• Currently managing the entire legal compliance of the 6M€ Toreador EU-funded research and innovation project on big data

Recent publications
• Vers un droit européen de la protection des données?, Larcier, 2017
• Novel EU Legal Requirements in Big Data Security; Big Data - Big Security Headaches?, JIPITEC, 2017
• White Paper - Data ownership in the context of the European data economy: proposal for a new right, twobirds.com, 2017
• Big data – bigger contracts?, twobirds.com, 2017
• Big data, small problem. Is the antitrust toolkit compatible for data?, twobirds.com, 2017

About CoCo Cloud (Confidential and Compliant Cloud Computing)

Aim
• Allowing cloud users to securely and privately share their data in the cloud
• Providing assurances on data protection and data usage control in order to facilitate data sharing between individuals and organisations or between organisations to create new ventures and novel means of leveraging the data value
• Permitting the control of the disseminated data based on mutually agreed data sharing agreements, that reflect legal, contractual or user defined preferences

Legal aspects
• Multi-Jurisdictional Study to highlight some of the particularities of national laws on key specific issues in ten selected EU Member States

Partners
[Figure: partner logos]

About TOREADOR (TrustwOrthy model-awaRE Analytics Data platfORm)

Aim
• Overcoming some major hurdles that until now have prevented many European companies from reaping the full benefits of Big Data Analytics (BDA)
• TOREADOR takes a model-based BDA-as-a-service (MBDAaaS) approach, providing models of the entire Big Data analysis process and of its artefacts. Activities supported and automatised by TOREADOR will include
  • planning Big Data sources preparation
  • negotiating machine-readable SLAs for BDA detailing privacy, timing, and accuracy needs
  • choosing data management and algorithm parallelisation strategies
  • ensuring auditing and assessment of legal compliance (for example, with privacy regulations) of BDA enactment.

Legal aspects
• Legal issues linked to the project: ownership & intellectual property rights; privacy & security
• Specific legal requirements of the pilots
• General compliance of the project

Overview of key aspects of the GDPR
• Principles
• Accountability
• Roles of Actors
• Grounds for Processing
• Rights of Individuals
• International Data Transfers
• Security & Breach Notifications
• Anonymisation and Pseudonymisation
GDPR – Principles
The 7 principles:
• Lawfulness, fairness & transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity & confidentiality
• Accountability
GDPR – Accountability
Facets of the accountability principle:
• Privacy-by-design & privacy-by-default
• Registers of Processing Activities (RPA)
• Adherence to approved codes of conduct, certifications, etc.
• Contractual organisation (policies, contracts, procedures, etc.)
• Privacy Impact Assessments (PIAs)
• Data Protection Officer (DPO)
GDPR – Roles of Actors

Data (co-)controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (…)

Data (sub-)processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not

Third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data

Data subject: an identified or identifiable natural person

GDPR – Grounds for Processing

• Processing on the basis of consent
• Processing is necessary:
  • for the performance of a contract with the individual or to perform pre-contractual obligations
  • for compliance with a legal obligation
  • to protect the vital interests of the individual or of another natural person
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • for the purposes of the legitimate interests of the controller
• Other grounds (introduced by Member States)
• Further processing
GDPR – Rights of Individuals

GDPR Chapter III. Rights of the data subject

Section 2. Information and access: information; access
Section 3. Rectification and erasure: rectification; erasure; restriction; portability
Section 4. Right to object and automated individual decision-making: objection; automated decision-making / profiling
GDPR – International Data Transfers

Within the EEA: free flow.

Adequacy decision
• Switzerland
• Canada (specific)
• Andorra
• Argentina
• Guernsey
• Isle of Man
• Faeroe Islands
• Jersey
• Israel
• New Zealand
• Uruguay

Other transfer mechanisms
• Privacy Shield
• Model Contract Clauses (MCCs)
  • Controller-controller
  • Controller-processor
• Binding Corporate Rules (BCRs)
• Approved code of conduct
• Approved certification mechanism
• Derogations (e.g. consent)
GDPR – Security

Factors to weigh when determining the appropriate technical and organisational measures: the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risk for the rights and freedoms of natural persons.

• Proportionality
• Suggestions of (generic) measures in the GDPR
• Adherence to an approved code of conduct or an approved certification mechanism may be used as an element to demonstrate compliance with the security requirements
GDPR – Breach Notifications
Notification obligations

Data processor to notify the data controller
• Timing: without undue delay after becoming aware of the data breach
• Exemption: no exemptions mentioned in the GDPR, but the European Data Protection Board is tasked to issue guidelines on the particular circumstances in which a breach shall be notified

Data controller to notify the supervisory authority
• Timing: without undue delay and, where feasible, not later than 72 hours after having become aware of the data breach
• Exemption: notification is not required if the breach is unlikely to result in a risk for the rights and freedoms of individuals

Data controller to notify the affected individuals
• Timing: without undue delay
• Exemption: notification is not required in certain cases (Art. 34: communication is required where the breach is likely to result in a high risk; it is not required where, for example, the data were rendered unintelligible by encryption, subsequent measures mean the high risk is no longer likely to materialise, or individual notice would involve disproportionate effort, in which case a public communication is made instead)
Overview of "disruptive technologies"

[Figure: Big Data, Artificial Intelligence, Internet of Things and Cloud Computing arranged around "Data", with the ability of turning data into value as the common thread]
Taxonomy of types of data*

[Figure: ICO taxonomy of types of data]

• The GDPR does not distinguish: 'personal data' means any information relating to an identified or identifiable natural person ('data subject')

*Information Commissioner's Office, 'Big Data, Artificial Intelligence, Machine Learning and Data Protection' (ICO 2017) 1 <https://ico.org.uk/media/for-organisations/documents/2013559/big-data-ai-ml-and-data-protection.pdf>
Multiplicity of Actors in the Data Value Cycle

Source: OECD, Data-driven Innovation: big data for Growth and Well-being [2015] OECD Publishing, Paris.
A TOREADOR example
• Based on an asset management platform called the
"Lightsource Monitoring Platform"
• Aims to provide information on the operation of the
Lightsource solar farms and smart homes in order to
improve the functioning and the maintenance of those
farms/smart homes
• A considerable volume and variety of data is collected from
the solar farms and smart homes and subsequently
analysed
• The categories of data collected from the solar farms
include both data inherent to the solar installations as such
(energy-related data) and data related to the installations'
surroundings (ambient data); for example:
• Energy-related data: active and reactive energy; active and
reactive power; voltage, current and frequency levels; daily
energy produced; total energy produced; string combiner
details; etc.
• Ambient data: irradiance data; ambient temperature data;
photovoltaic module temperature data; wind speed/direction
data; humidity data; etc.
• The categories of data collected from the smart homes
include, among others: generated power/energy,
consumed power/energy, export-import power/energy,
frequency and voltage levels, etc.

Analysis of selected data protection issues
• Contractual arrangements between key actors
• Grounds for processing
• Purpose limitation and further processing
• Accountability: privacy-by-design & by-default
• Anonymisation & pseudonymisation
Overview of key aspects of the GDPR

7 Key principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; integrity and confidentiality; storage limitation; accuracy; accountability

Accountability: contractual organisation; privacy-by-design & privacy-by-default; records of data processing activities; Privacy Impact Assessments; Data Protection Officer; codes of conduct, certifications, etc.

Actors: subject; controller; processor; third party; recipient

Grounds for processing: consent; contract; legal obligation; vital interest; task carried out in the public interest; legitimate interest; other MS grounds; further processing limits

Rights of individuals: information; access; rectification; erasure; restriction; portability; objection; automated decision-making / profiling

International data transfers: within EEA; adequacy decision; Privacy Shield (USA only); MCCs; BCRs; codes of conduct / certification; derogations

Security & breach notifications: appropriate technical & organisational measures; notification of breaches

Anonymisation & pseudonymisation: avoid applicability of DP law; avoid applicability of specific obligations; comply with DP law
Contractual arrangements between key actors

Controller-Processor: fundamental aspects of the GDPR
• Factual situation to examine to determine role played by actors and location
• Concepts of the Directive remain unchanged
• Joint controllership clarified in the GDPR (art. 26)
• Controllers must determine in a contract the respective responsibilities
• The contract shall duly reflect the respective roles and relationships of the joint controllers vis-à-
vis the individuals
• The essence of the contract shall be made available to individuals
• Data processors must process on behalf of the controller
• Decisions on the 'purposes' and 'essential means' should be made by the controller
• But margin of manoeuvre regarding 'essential means'
– Cloud service providers may determine technical and organisational aspects without being
qualified "controllers"
• Increased obligations for data processors
• Big impact on service providers in the IT sector (often 'processors')
• E.g.: accountability principle, breach notification requirements, appointment of DPO

Contractual arrangements between key actors

Engaging processors and sub-processors
• Controllers may only appoint data processors that provide sufficient guarantees to implement appropriate technical and organisational measures to ensure processing meets the requirements of the GDPR
• Processors are required to process personal data in accordance with the controller's instructions
• The controller-processor relationship must be governed by a contract
• Engaging sub-processors is strictly regulated
  • Prior written consent (which can be general)
  • Must inform when sub-processing
  • Controller may object
  • Lead processor
    – must reflect contractual obligations with controller
    – remains liable to the controller

Content of the controller-processor contract (Art. 28 GDPR)

About the data processing:
• Subject-matter of the processing
• Duration of the processing
• Nature and purpose of the processing
• Type of personal data and categories of data subjects

The rights and obligations of the controller:
• The obligations and rights of the controller (in general)

The obligations of the data processor to:
• Process personal data only on documented instructions from the controller
• Transfer personal data to a third country or an international organisation only on documented instructions from the controller (unless required to do so by law)
• Ensure that persons authorised to process the personal data are bound by a confidentiality obligation
• Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
• Assist the controller, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights
• Assist the controller with the data breach notification requirements
• Assist the controller with data protection impact assessment ("DPIA") requirements
• Delete or return all the personal data to the controller after the end of the provision of the services, and delete existing copies
• Make available to the controller all information necessary to demonstrate compliance with the above and the contract
• Allow for and contribute to audits, including inspections, conducted by the controller or an auditor mandated by the controller
• Engage a sub-processor only with the prior specific or general written authorisation of the controller (in the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of sub-processors, giving the controller the opportunity to object to such changes)
• Impose by way of contract the same obligations as above in case the processor engages a sub-processor
Contractual arrangements between key actors

Allocation of responsibilities in the context of disruptive technologies

• Distinction between controller and processor can quickly become complex due to:
  • The many actors that may be included in the data value chain (controller, processor, sub-processor, ...)
  • The technologies' characteristics
    – Finding correlations
    – Making predictions
    – Aiding decision-making
    – etc.
• Who is actually determining the means and purposes when certain processing activities are outsourced?
Grounds for processing

Lawful processing
• Article 6(1) GDPR sets out the conditions for the processing of personal data to be lawful (from the outset and throughout the activity)
• It must always be based on one of the 6 grounds exhaustively listed in the GDPR
• Broadly replicate those in the Data Protection Directive - but
  – specified in several ways
  – exemplified in some cases in the corresponding Recitals of the GDPR
• Such grounds can be difficult to rely on with new technologies – application to big data analytics

The six grounds:
• Processing on the basis of consent
• Processing is necessary:
  – for the performance of a contract with the individual or to perform pre-contractual obligations
  – for compliance with a legal obligation
  – to protect the vital interests of the individual or of another natural person
  – for the performance of a task carried out in the public interest …
  – for the purposes of the legitimate interests of the controller

Lawful processing (big data analytics)

for the performance of a contract with the individual or to perform pre-contractual obligations
• Unlikely that big data analytics is "necessary for the performance of a contract with the individual"
• Likely to represent a level of analysis that goes beyond what is required simply to sell a product or deliver a service
• often takes the data that is generated by the basic provision of a service and repurposes it

for compliance with a legal obligation


• The legal obligation in question must be:
• an obligation of Member State or EU law to which the controller is subject; and
• “clear and precise” and its application foreseeable
• Unlikely that such ground would permit big data analysis

to protect the vital interests of the individual or of another natural person


• Applies to processing that is necessary for humanitarian purposes / emergencies
• In cases where personal data are processed in the vital interests of a person other than the data subject,
this ground should be relied on only where no other legal basis is available
• Unlikely that such ground would permit big data analysis

for the performance of a task carried out in the public interest …


• Applies only where the task carried out, or the authority of the controller, is laid down in EU or
Member State law to which the controller is subject
• Such ground will only very seldom apply to big data analytics
Processing on the basis of consent
• Strengthened concept in the GDPR
• "Consent": any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
• Proof of consent
• Specific conditions:
  – Form: distinguishable; intelligible; easily accessible; clear and plain language
  – Withdrawal: ability to withdraw consent as easy as to give it; does not affect lawfulness of processing before withdrawal; must inform about withdrawal right
  – Freedom: freedom of choice - must be able to refuse or to withdraw consent without prejudice; there can be no imbalance (especially if the controller is a public authority)
Processing on the basis of consent
• "Consent" in a big data context may be unpractical, difficult, or even impossible… but

Difficulties:
• Opaque nature of data analysis can make it difficult for meaningful consent to be provided
• Difficult to recognise the connection between the different steps of Big Data processing practices
• Difficult to balance advantages (often short-term) vs. disadvantages (often long-term)
• To what extent can an individual provide a valid informed consent with respect to big data analytics?
• Is it possible to anticipate the different data processing activities and have a valid informed consent?
• Consent is seen as something binary [sic] which is incompatible with big data analytics (e.g. tendency to find new uses for data)

“It may be possible to have a process of graduated consent, in which people can give consent or not to different uses of their data throughout their relationship with a service provider (…).”

“Practical implementation of consent in big data should go beyond the existing models and provide more automation, both in the collection and withdrawal of consent. Software agents providing consent on user’s behalf based on the properties of certain applications could be a topic to explore. Moreover, taking into account the sensors and smart devices in big data, other types of usable and practical user positive actions, which could constitute consent (e.g. gesture, spatial patterns, behavioural patterns, motions), need to be analysed.”
Processing is necessary for the purposes of the legitimate interests of the controller
• The protection of privacy and personal data is not absolute and often requires a balance of interests
• Given the difficulties to rely on consent and other grounds, the legitimate interests of an organisation may be an alternative
• However:
  • Must exercise a balance between the interests of the organisation and those of individuals
  • The processing must be “necessary” for the legitimate interests of the controller (or third party)
    – a certain threshold must be met (the processing must be more than just potentially interesting)
    – there must be no other way of meeting the legitimate interest that interferes less with people's privacy!
  • The balance of interests should not be over-stretched so as to encompass any possible third-party interest

“A big data organisation will have to have a framework of values against which to test the proposed processing, and a method of carrying out the assessment and keeping the processing under review. It will also have to be able to demonstrate it has these elements in place, in case of objections by the data subjects or investigations by the regulator”

“in big data cases where it is difficult to strike a balance between the legitimate interests of the organisation and the rights and interests of the data subject, it may be helpful to also give people the opportunity of an opt-out.”
Purpose limitation and further processing

• Personal data must
  • be collected for specified, explicit and legitimate purposes;
  • not be further processed in a way incompatible with those purposes
• Distinguishing between compatible and incompatible processing is often a complex and delicate exercise
• Compatibility must be assessed on a case-by-case basis
• Transparency towards individuals must be preserved in case of further processing (the aim of the processing and the manner in which it takes place)

Factors to consider when assessing whether any further processing is for an (in)compatible purpose (Article 29 Working Party Opinion 03/2013 compared with Article 6(4) GDPR):

• WP29: the relationship between the purposes for which the personal data have been collected and the purposes of further processing
  = Art. 6(4): any link between the purposes for which the personal data have been collected and the purposes of the intended further processing
• WP29: the context in which the personal data have been collected and the reasonable expectations of the data subjects as to their further use
  = Art. 6(4): the context in which the personal data have been collected, in particular regarding the relationship between data subjects and the controller
• WP29: the nature of the personal data and the impact of the further processing on the data subjects
  ≈ Art. 6(4): the nature of the personal data, in particular whether special categories of personal data are processed, (…), or whether personal data related to criminal convictions and offences are processed, (…)
• WP29: the safeguards adopted by the controller to ensure fair processing and to prevent any undue impact on the data subjects
  = Art. 6(4): the existence of appropriate safeguards, which may include encryption or pseudonymisation.
• WP29: (no counterpart)
  ≠ Art. 6(4): the possible consequences of the intended further processing for data subjects
Purpose limitation and further processing

Processing personal data for purpose 1, then for purpose 2 – permitted?

Purpose 1 based on consent
• Scenario 1: Is the processing for purpose 2 based on a new consent?
  – Yes: no compatibility test needed; data processing for purpose 2 can take place
  – No: compatibility test required (see Scenarios 3A/3B)

Purpose 1 based on another ground (e.g. legitimate interest)
• Scenario 2: Is the processing for purpose 2 permitted by EU or MS law?
  – Yes: check Art. 23 GDPR ("restrictions"); no compatibility test needed; data processing for purpose 2 can take place
  – No: compatibility test required (link, context, nature, safeguards, consequences) – compatible?
    • Yes – Scenario 3B: can process based on same ground as purpose 1
    • No – Scenario 3A: liberal view: can process for purpose 2 with new ground; restrictive view: cannot process
Privacy-by-design & Privacy-by-default

Accountability: facets of the accountability principle
• Registers of Processing Activities (RPA)
• Adherence to approved codes of conduct, certifications, etc.
• Privacy Impact Assessments (PIAs)
• Contractual organisation (policies, contracts, procedures, etc.)
• Data Protection Officer (DPO)
• Privacy-by-design & by-default

Accountability: privacy-by-design & by-default

Privacy-by-design

• Obligations of the controller:
  • Implement appropriate technical and organisational measures
    – measures designed to implement the principles of the GDPR
    – effective implementation of principles
  • Integrate the necessary safeguards in order to
    – meet the requirements of the GDPR
    – protect the rights of data subjects
• Elements to take into account (proportionality):
  • the state of the art
  • the cost of implementation
  • the nature, scope, context and purposes of processing
  • the risks (of varying likelihood and severity) for rights and freedoms of individuals
Accountability: privacy-by-design & by-default

Privacy-by-default

• Obligations of the controller:
  • Implementation of appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed
  • Applies to:
    – the amount of personal data collected
    – the extent of their processing
    – the period of their storage, and
    – their accessibility
• The measures shall:
  • Ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons
Accountability: privacy-by-design & by-default

Sources: George Danezis and others, 'Privacy and Data Protection by Design – from Policy to Engineering' (December 2014); Giuseppe D'Acquisto and others, 'Privacy by Design in Big Data. An Overview of Privacy Enhancing Technologies in the Era of Big Data Analytics' (December 2015)

Privacy-by-design (and by-default)

Minimise (Collection)
• Define data needed before collection (select before collect)
• The amount of personal data should be restricted to the minimal amount
• Carry out DPIA
Measures: reduce data fields; define relevant controls; delete unwanted information; delete outdated data

Hide (Collection / Analysis / Storage)
• Personal data and their interrelations should be hidden from plain view
• Put in place privacy-enhancing technologies (PETs)
Measures: anti-tracking tools; encryption tools; identity masking tools; secure file sharing; privacy-preserving computation; secure data storage measures

Separate (Storage)
• Personal data should be processed in a distributed fashion, in separate compartments whenever possible
Measures: distributed / de-centralised storage and analytics facilities

Aggregate (Collection / Analysis / Use)
• Personal data should be processed at the highest level of aggregation and with the least possible detail in which it is (still) useful
Measures: anonymisation techniques (e.g. K-anonymity); pseudonymisation techniques; data quality and provenance measures
Privacy-by-design (and by-default), continued

Inform (Collection)
• Individuals should be adequately informed (transparency principles and right to information)
Measures: privacy notices; transparency requirements/tools/mechanisms

Control (Collection)
• Individuals should be provided agency over the processing of their data
Measures: appropriate consent mechanisms; opt-out mechanisms; mechanisms to express privacy preferences; sticky policies; personal data stores

Secure (All phases: Collection / Analysis / Storage / Use)
• Appropriate technical and organisational measures should be adopted
Measures: encryption; security testing and code auditing; access control and authentication; source filtering; monitoring and logging; certification standards

Enforce & Demonstrate (All phases: Collection / Analysis / Storage / Use)
• Compliance should be demonstrated through policies
Measures: automated policy definition, enforcement, accountability and compliance tools
Anonymisation & pseudonymisation

• Anonymisation: a technique of processing personal data to reduce the likelihood of identifiability of individuals – as a means to avoid the applicability of data protection law?
• Pseudonymisation: a technique of processing personal data in such a way that it can no longer be attributed to a specific individual without the use of additional information – as a means to avoid the applicability of specific obligations
• Encryption: a technique whereby plain text is changed into unintelligible code – as a means to comply with data protection law

= Processing subject to data protection law
Anonymisation & pseudonymisation

● Recital 26 GDPR
  • Data protection principles should not apply to anonymous data (data subject is no longer identifiable)
● WP29 Opinion 05/2014
  • Requires anonymisation as permanent as erasure (irreversible)
  • Three key questions
    – Is it still possible to single out an individual?
    – Is it still possible to link records relating to an individual?
    – Can information be inferred concerning an individual?

Is still a risk:
Technique                    Singling out   Linkability   Inference
Noise addition               Yes            May not       May not
Substitution                 Yes            Yes           May not
Aggregation or K-anonymity   No             Yes           Yes
L-diversity                  No             Yes           May not
Differential privacy         May not        May not       May not
Hashing/Tokenization         Yes            Yes           May not

● Zero-risk approach does not exist
● Risk-based approach (see Breyer, CJEU C-582/14, 19 Oct. 2016)
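As an added illustration (not part of the slides, and not the WP29's own code), the following Python checks a small constructed health table against the first and third WP29 questions: singling out, measured as k-anonymity over the quasi-identifiers, and inference, measured as l-diversity of the sensitive attribute within each equivalence class. The dataset, the column names and the generalisation rule (two-digit postcode prefix, ten-year age band) are constructed for the example. It shows the "Aggregation or K-anonymity" row of the table in code: generalising the quasi-identifiers removes singling out (k rises from 1 to 3), but a class whose members all share one diagnosis still allows inference (l stays at 1), which is why the table scores inference as a remaining risk and why l-diversity exists as a separate check.

```python
"""k-anonymity and l-diversity checks (added example; data are constructed)."""
from collections import defaultdict

# Constructed release: two quasi-identifiers and one sensitive attribute.
RAW_RECORDS = [
    {"postcode": "1000", "age": 34, "diagnosis": "flu"},
    {"postcode": "1000", "age": 36, "diagnosis": "flu"},
    {"postcode": "1005", "age": 37, "diagnosis": "diabetes"},
    {"postcode": "2000", "age": 52, "diagnosis": "flu"},
    {"postcode": "2000", "age": 55, "diagnosis": "flu"},
    {"postcode": "2010", "age": 58, "diagnosis": "flu"},
]
QUASI_IDENTIFIERS = ("postcode", "age")
SENSITIVE = "diagnosis"


def generalise(record):
    """Aggregate the quasi-identifiers: 2-digit postcode prefix and a 10-year age band."""
    decade = record["age"] // 10 * 10
    return {
        "postcode": record["postcode"][:2] + "**",
        "age": f"{decade}-{decade + 9}",
        SENSITIVE: record[SENSITIVE],
    }


def equivalence_classes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Group records that are indistinguishable on the quasi-identifiers."""
    classes = defaultdict(list)
    for record in records:
        classes[tuple(record[q] for q in quasi_identifiers)].append(record)
    return classes


def k_anonymity(records):
    """Size of the smallest class; k == 1 means at least one person can be singled out."""
    return min(len(rows) for rows in equivalence_classes(records).values())


def l_diversity(records, sensitive=SENSITIVE):
    """Fewest distinct sensitive values in any class; l == 1 means the value can be
    inferred for everyone in that class even though nobody can be singled out."""
    return min(len({row[sensitive] for row in rows})
               for rows in equivalence_classes(records).values())


def assess(records):
    """Answer two of the three WP29 questions for a release."""
    k, l = k_anonymity(records), l_diversity(records)
    return {"k": k, "l": l, "singling_out": k == 1, "inference": l == 1}


if __name__ == "__main__":
    print("raw:        ", assess(RAW_RECORDS))
    print("generalised:", assess([generalise(r) for r in RAW_RECORDS]))
```

The raw table scores k = 1 and l = 1 (every row is unique on postcode and age); after generalisation the "20**, 50-59" class has three members who all share the diagnosis "flu", so the release is 3-anonymous yet still leaks the diagnosis of anyone known to be in that class.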
Anonymisation & pseudonymisation

● Notification of a personal data breach to the supervisory authority
  • Not required if able to demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of natural persons
  • Could be reasonably advocated that a breach of anonymised or pseudonymised data is less likely, or even unlikely, to result in a risk
    – WP29 on Personal Data Breach Notification (03/2014): appropriate measures (e.g. encryption) may reduce the residual privacy risks on the data subject to a negligible level
● Communication of a personal data breach to the data subject
  • Must communicate the personal data breach to the data subject when the breach is likely to result in a high risk to the rights and freedoms of natural persons
  • Not required if appropriate technical and organisational protection measures have been implemented
    – Article 34 GDPR: measures that render the personal data unintelligible to any person who is not authorised to access it, such as encryption
Anonymisation & pseudonymisation

● Recital 28 GDPR: "the application of pseudonymisation to personal data can (…) help controllers and processors to meet their data-protection obligations"

• Accountability (privacy-by-design and by-default): Article 25(1): implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles
• Security: Article 32(1)(a): implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data
• Purpose limitation: personal data must not be further processed in a manner incompatible with the initial purposes; to determine compatibility: take into account the existence of appropriate safeguards, including pseudonymisation and encryption
• Storage limitation: personal data must not be kept for longer than is necessary; call for deletion or anonymisation; anonymisation might constitute a compulsory processing activity to comply with the GDPR
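Added example, not from the slides: keyed pseudonymisation of a customer identifier in Python. The customer IDs, their "C-NNNN" format and the order table are constructed. It shows in code why WP29 scores hashing/tokenization as leaving singling out and linkability intact, and what the "additional information" of the pseudonymisation definition is in practice: a plain SHA-256 of an identifier drawn from a small, known format can be recomputed from the released table alone, so it is no more anonymous than the identifier itself, whereas an HMAC token can be attributed back to a person only by whoever holds the key. The control that follows is that the key is stored and access-controlled apart from the pseudonymised data, which is the organisational measure Article 25(1) and 32(1)(a) expect to accompany the technical one.

```python
"""Keyed pseudonymisation (added example; identifiers and table are constructed)."""
import hashlib
import hmac
import secrets

# Constructed: customer IDs follow a small, guessable format "C-NNNN".
ID_DOMAIN = [f"C-{n:04d}" for n in range(1, 10000)]
RECORDS = [
    {"customer_id": "C-0042", "order": "book"},
    {"customer_id": "C-0042", "order": "lamp"},
    {"customer_id": "C-0815", "order": "chair"},
]


def plain_hash(identifier):
    """Unkeyed SHA-256: deterministic and recomputable by anyone who knows the ID format."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_token(identifier, key):
    """HMAC-SHA256: still deterministic (same ID -> same token), but only with the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def attribute_token(token, key=None, domain=ID_DOMAIN):
    """Attribute a token back to an ID by recomputing over the whole ID domain.
    With key=None this is what a holder of the released table alone can do;
    with the key it is what the controller holding the 'additional information' can do."""
    for candidate in domain:
        computed = keyed_token(candidate, key) if key is not None else plain_hash(candidate)
        if hmac.compare_digest(computed, token):
            return candidate
    return None


def pseudonymise(records, key):
    """Replace the direct identifier with its keyed token; other fields are untouched."""
    return [{**r, "customer_id": keyed_token(r["customer_id"], key)} for r in records]


def linkable_groups(records):
    """Rows sharing a token remain linkable to one another (WP29: linkability 'Yes')."""
    groups = {}
    for r in records:
        groups.setdefault(r["customer_id"], []).append(r["order"])
    return groups


def demo():
    key = secrets.token_bytes(32)  # held by the controller, apart from the released table
    released = pseudonymise(RECORDS, key)
    return {
        "plain_hash_attributed": attribute_token(plain_hash("C-0042")),      # "C-0042"
        "keyed_without_key": attribute_token(released[0]["customer_id"]),    # None
        "keyed_with_key": attribute_token(released[0]["customer_id"], key),  # "C-0042"
        "linkable": linkable_groups(released),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the token is deterministic, the two orders of "C-0042" still fall into one group in the released table; that is the linkability the WP29 table records, and it is exactly what makes the output pseudonymised rather than anonymised data, and so still personal data under the slides' own framing.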
Data Ownership

• Multitude of actors involved in the data value cycle
• Need to protect companies' assets engaged in the data economy?
• To what extent can or will organisations claim proprietary rights in data?

• No civil law ownership over intangible assets such as data
  • No EU or national legislation regulates the question of ownership in data
  • CJEU case law does not recognise ownership right in data
    – Ownership in intangible assets (UsedSoft)?
  • However: numerous legislations impact data somehow
Ownership of data
Complex EU legal framework

• Ownership-like rights – Intellectual Property: Copyright; Database rights; Trade secrets
• Individuals' rights & obligations – Privacy: Privacy (GDPR); e-Privacy; Consumer rights
• Competition rights: Agreements between undertakings; Merger & acquisitions; Dominance & essential facilities
• Data sharing obligations (non-exhaustive): Life Sciences; Public sector; Food; Automotive; Spatial; Transport; Energy & Utilities; Aviation; Financial services; Chemicals; Pharmaceuticals; Environment
Ownership of data

Copyright
• Several features of copyright beneficial for the protection of data
  • Long-term protection
  • Broad exclusive rights
  • Disclosure of data permitted
• Numerous disadvantages hinder the protection of data
  • Originality requirement
  • Territoriality
  • Exclusivity
  • Text and data mining (EU legislation in progress)
    – Need to introduce the principle that copyright only applies when "a work is used as a work"

Database rights
• Obsolete concepts and protection

Trade secrets protection
• Created for other reasons than blanket protection of all data
• Requires information to stay secret
Ownership of data

Competition rights and obligations
• Attention from antitrust regulators and scholars for issues regarding data and competition law
• Antitrust regulators still apply old competition principles to a new reality
  • Data as new corporate assets
  • Determination of market share used to be based on tangible assets

Data sharing obligations
• Numerous legislations impact a company's control of, the access to, or the rights in data
• Data sharing obligations depend on factors such as:
  • Sector concerned (transport, spatial, food, etc.)
  • Public interest (public security or health, etc.)
• Such legislations remain mute on ownership
• Lack of legal certainty
Ownership of data

Is privacy and data protection the main issue relating to data discussed by scholars in your jurisdiction?
                                   Belgium  France  Germany  Italy  Spain  UK
Privacy & Data Protection aspects  Yes      Yes     Yes      Yes    Yes    Yes

• Do data subjects own their personal data?
  • some scholars argue that personal data should belong to the individual
  • other commentators however agree that individuals have no general rights in their data
• Does the GDPR recognise an ownership right?
  • some say that the GDPR "recognises different levels of control rights to consumers in accordance with a 'proprietarian' approach to personal data."*
• Does the proposal for a Directive on certain aspects concerning contracts for the supply of digital content recognise an ownership right?
  • "information about individuals is often and increasingly seen by market participants as having a value comparable to money."
  • the scope of such (proposed) Directive would also apply when the consumer actively provides counter-performance other than money in the form of personal data or any other data.
  • according to certain scholars:
    – it provides for the commodification of (personal) data
    – 'propertisation' of personal data
    – creation of a property right (in rem) in relation to data concerning an individual

*Gianclaudio Malgieri, 'Property and (Intellectual) Ownership of Consumers' Information: A New Taxonomy for Personal Data' (2016)
Ownership of data

• Complex EU legal framework not fit for purpose
  • Data ownership not addressed
  • Maze of different possibly applicable legislations
• Dichotomy between the EU's strive for a data economy ("Building a European Data Economy") and the flawed EU legal framework
  – Reluctance to engage in data sharing initiatives
  – Hurdle to the uptake of data analytics
• Solution: contractual arrangements?
  • Contractual arrangements not sufficient due to:
    • Multitude of actors, data sources, analyses, etc.
    • Complexity of data flows
    • Unenforceability vis-à-vis 3rd parties
Ownership of data
Moving forward – our suggestion
(https://www.twobirds.com/en/news/articles/2017/global/data-ownership-in-the-context-of-the-european-data-economy)

• Creation - in favour of each processor - of a non-exclusive, flexible and extensible "ownership" right in data(sets)
• Safeguards:
  • Data traceability obligation (updated log file of each path of successive process)
  • "FRAND" principle (in line with market evolution)
• Characteristics:
  • non-exclusive right
  • ownership-type of right (not IP)
  • right in individual pieces of data (extending to the entire datasets)
  • traceability obligation & FRAND principle
• The log file obligation shall match the GDPR accountability principle where applicable
• Reinforcement of the concept of "independent creation" (log file as evidence)
Thank You!
Julien Debussche
Senior Associate, Brussels office
Bird & Bird LLP
julien.debussche@twobirds.com
September 2017
twobirds.com
Paul Van den Bulck

Paul Van den Bulck’s practice focuses on legal issues around information technology
(IT), data privacy and security, intellectual property (IP), media and entertainment,
and fair trade practices. He counsels clients from a broad spectrum of industries on
day-to-day IT and IP issues. Paul provides strategic advice to clients on all aspects of
international and domestic data protection and security, including general
compliance (processing for HR purposes, CRM strategy, direct marketing compliance,
etc.), information security and cybercrime, international data transfers, processing
and cloud agreements, policy and procedure assistance. In addition, he assists clients
in their relationships with certain national data protection authorities. Paul holds
the CIPP/E certification as a Certified Information Privacy Professional from the
International Association of Privacy Professionals (IAPP).
Paul regularly serves as a mediator and arbitrator in information technology and
intellectual property disputes (WIPO, CMAP, b.Mediation; CEPANI; etc.). He also acts
as arbitrator for Pharma.be, the Belgian Pharmaceutical Industry Association.
Paul is a member of the Brussels and Paris Bars.
He was the recipient of a BAEF fellowship from the Hoover Foundation Brussels
(1992) and of a Wiener-Anspach fellowship from Cambridge University (1992).
Paul and his team are consistently ranked in The Legal 500 Europe, Middle East &
Africa. In the 2017 edition, The Legal 500 noted that “The firm has notable expertise
in cloud computing, data security and data breaches." The Brussels-based IT lawyers
at McGuireWoods LLP are valued for their "outstanding level of service" and
"sophisticated legal engineering". Practice head Paul Van den Bulck shows
“creativity and personal commitment.”
In previous years, The Legal 500 has described Paul as “a great listener and well connected in Brussels and Paris,” and said that McGuireWoods LLP [in Belgium] has a “highly dedicated team which gives concise advice”. Paul has also been described as having “excellent knowledge of legislation in privacy and data protection.”
Paul is also very active in non-profit associations.
The EU Toolkit for International Transfers (I)
Adequacy Decisions, Privacy Shield, Oversight and Redress Mechanisms

ERA, Trier, 14th September 2017

Paul Van den Bulck
Partner, McGuireWoods
www.mcguirewoods.com
Plan

1. Third country transfer notion

2. Conditions for international transfer

3. Adequacy decisions

4. EU-U.S. Privacy Shield


• Oversight
• Remedies
• Validity
• Pending cases

Third country transfer notion

● No legal definition of transfer, international transfer or transfer to third countries (non-EEA countries)

● EDPS’s definition: "communication, disclosure or otherwise making available of personal data, conducted with the knowledge or intention of a sender subject to the regulation that the recipient(s) will have access to it"

Third country transfer notion

● Examples:
• Sent by post or email by an EU controller to a third country recipient
• Internet-based deliberate transfer: push
• Internet-based permitted access: pull
• Direct on-line collection in the EU by a non-EU processor, on behalf
of an EU controller
• Publication on the internet by an EU controller (But Lindqvist case
(2003) C-101/01): according to EDPS, must be limited to
"circumstances such as those in the case in the main proceedings"

McGuireWoods | 4
Conditions for international transfer

• In principle, data transfer may take place only to recipients located:
  – In the EEA (EU + Norway, Liechtenstein, Iceland); or
  – In third countries recognized by the EU Commission (Commission) as providing
    adequate protection
• If not, the controller must rely on appropriate safeguards, including:
  – Binding Corporate Rules
  – Data Protection Clauses (standard or ad hoc)
  – Codes of Conduct
  – Certification
Conditions for international transfer

• If the third country transfer is not repeated and not massive (limited number
  of data subjects), it may rely on one of the following derogations:
  – Explicit consent, with information on the risks due to the absence of an
    adequacy decision or appropriate safeguards
  – Necessary for contract performance or implementation of precontractual
    measures at the data subject's request
  – Necessary for the conclusion of a contract between the controller and a
    third party in the data subject's interest
  – Necessary for important reasons of public interest
  – Necessary for the establishment, exercise or defense of legal claims
  – Necessary for the protection of the data subject's or another person's vital
    interests, where the data subject is physically incapable of giving consent
  – Made from an official register providing information to the public and open
    to consultation by the public or by any person having a legitimate interest,
    to the extent that the conditions laid down by Union or Member State law for
    consultation are fulfilled
  – When no other means is possible, necessary for the purposes of compelling
    legitimate interests not overridden by the data subject's interests or
    rights and freedoms, provided that:
    · All circumstances surrounding the transfer have been assessed and suitable
      safeguards provided;
    · The supervisory authority has been notified; and
    · The data subject has been informed of the transfer and of the compelling
      legitimate interests.
Adequacy decisions

• The Commission assesses and decides which countries ensure such an adequate
  level of protection
• The Commission is assisted by a Committee composed of EU Member States'
  representatives and chaired by the Commission's representative
• If the Commission's decision diverges from the Committee's opinion, the
  Council may repeal the Commission's decision
• The Article 29 Working Party (WP29; the data protection authorities of the EU
  Member States + the EDPS) has adopted the practice of issuing an opinion
  during the adequacy assessment
Adequacy decisions

• Criteria to be applied by the Commission:
  – Rule of law and fundamental freedoms, including public security, national
    security, access of authorities to personal data, data protection rules,
    security measures, onward transfer to another third country, case-law,
    effective and enforceable data subject rights, and effective administrative
    and judicial redress for data subjects
  – Existence and effective functioning of supervisory authorities responsible
    for ensuring and enforcing data protection compliance, including assisting
    data subjects in exercising their rights
  – International commitments to legally binding conventions or instruments and
    participation in multilateral or regional systems for data protection
Adequacy decisions

• Countries currently recognized as ensuring a complete adequate level of
  protection:
  – Andorra
  – Argentina
  – Faeroe Islands
  – Guernsey
  – Israel
  – Isle of Man
  – Jersey
  – New Zealand
  – Switzerland
  – Uruguay
Adequacy decisions

• Countries currently recognized as ensuring a partial adequate level of
  protection, i.e. transfer is possible subject to conditions:
  – Canada, where the recipient is an organization from the private sector
    processing data in the course of commercial activities
  – United States of America, where the recipient is certified under the
    Privacy Shield self-certification
• These adequacy decisions remain in force under the GDPR
Adequacy decisions

• Next adequacy decisions?
  – In the pipeline: Japan and South Korea
  – New criteria for the Commission to decide which countries to assess next:
    · Extent of the EU's commercial relationship
    · Extent of personal data flows
    · Pioneering role of the third country in data protection ("model for the
      region")
    · Overall political relationship
Adequacy decisions

• Review mechanism for adequacy:
  – Monitoring of legislative developments in third countries on an ongoing
    basis
  – Mechanism for a periodic review, at least every four years
EU-U.S. Privacy Shield

• Successor of the Safe Harbor
• Very basically, the mechanism remains the same:
  – Agreement between the EU and the U.S.
  – The agreement provides for the implementation in the U.S. of self-
    certification mechanisms for U.S. companies, committing to certain data
    protection principles
  – Basis on which an adequacy decision may be taken, allowing transfers to the
    certified companies
EU-U.S. Privacy Shield

• Invalidation of the Safe Harbor by the CJEU on 6 October 2015 (Schrems case)
  for various reasons, including:
  – Restriction of the DPAs' powers (mission: authorizing transfers)
  – Level of protection not equivalent to that in the EU:
    · Requirements related to national security, public interest and the laws
      of the United States prevailed, without restriction, over the data
      protection rules laid down by the Safe Harbor
    · The Safe Harbor did not restrict U.S. authorities from intruding into the
      privacy of data subjects and allowed for retention of personal data for
      an undefined period
    · The Safe Harbor did not provide redress mechanisms entitling data
      subjects to access, rectify or erase the data processed
EU-U.S. Privacy Shield

• The Privacy Shield tried to address the issues raised by the Safe Harbor
  decision:
  – Restriction on access by U.S. authorities
  – Redress
  – Powers of supervisory authorities
  – Procedure for annual review
EU-U.S. Privacy Shield

• The Privacy Shield enacts the following six main principles:
  – Notice: privacy policy to data subjects providing details on these
    principles
  – Data Integrity and Purpose Limitation Principle
  – Security: reasonable and appropriate measures to protect against loss,
    misuse, unauthorized access, etc.
  – Access: right to access, correct, amend or delete information that is
    inaccurate or has been processed in breach of the principles
  – Recourse, Enforcement and Liability (see hereafter)
  – Accountability for Onward Transfer Principle
EU-U.S. Privacy Shield - Oversight

• U.S. oversight for private companies:
  – Public list of self-certified companies
  – Control by the Department of Commerce:
    · Initial control (false declaration, abuse, etc.)
    · Ex officio control, systematic in case of a claim
    · Systematic control once the certification expires or when the company
      withdraws or loses its certification: the Department of Commerce checks
      that the data has been erased
EU-U.S. Privacy Shield - Oversight

• EU oversight for private companies:
  – Periodic control by the Commission: does U.S. law continue to provide
    sufficient guarantees?
  – Obligation of the U.S. authorities to provide details on all new
    legislation impacting the Privacy Shield, including legislation for
    national security and public interest purposes
  – Possibility to suspend the adequacy decision based on the Privacy Shield if
    the control is negative
EU-U.S. Privacy Shield - Oversight

• U.S. companies are subject to the review of the following authorities:
  – For human resources purposes: EU DPA
  – For other purposes: designation by the company of one of the following
    authorities:
    · EU DPA
    · Specific independent dispute resolution body, under the review of the FTC
  – If the dispute is not settled (except if it was brought before an EU DPA),
    the claim may in last resort be brought before the Privacy Shield panel,
    composed of 20 representatives of the Department of Commerce and the
    Commission, with binding decision power, but no pecuniary power
EU-U.S. Privacy Shield - Oversight

• U.S. oversight for intelligence services:
  – All departments with intelligence responsibilities have civil liberties
    officers/privacy officers with oversight responsibilities
  – Each intelligence community element has its own Inspector General with
    responsibility to oversee intelligence activities
  – The Privacy and Civil Liberties Oversight Board: access to all relevant
    agency records, reports, audits, reviews, documents, papers and
    recommendations, including classified information
  – The Intelligence Oversight Board, established within the President's
    Intelligence Advisory Board, oversees compliance by U.S. intelligence
    authorities
EU-U.S. Privacy Shield - Oversight

• Oversight corrective procedure:
  – When a significant compliance issue in an intelligence service is revealed,
    it is promptly reported to the head of the Intelligence Community body
  – The head of the Intelligence Community body then notifies the Director of
    National Intelligence, who shall determine if any corrective actions are
    necessary
• Finally, none of those administrative authorities has complete binding power
EU-U.S. Privacy Shield - Remedies

• U.S. law provides a number of remedies, available to non-U.S. persons:
  – Civil cause of action for money damages when data has been unlawfully used
    or disclosed
  – Suing officials in their personal capacity for money damages
  – Challenging the legality of surveillance if the government intends to use
    or disclose data obtained from electronic surveillance against the
    individual in judicial or administrative proceedings
• But those mechanisms do not cover all legal bases for surveillance
EU-U.S. Privacy Shield – Remedies

• For all non-covered issues: the Privacy Shield Ombudsperson:
  – Different from a pure government-to-government mechanism: receives and
    responds to individual complaints, possibly with the assistance of an EU
    DPA
  – Relies on the cooperation of other independent oversight bodies (e.g.
    Inspectors General) with power to carry out a thorough investigation and
    address non-compliance
  – Should be independent from, and thus free from instructions by, the U.S.
    Intelligence Community
EU-U.S. Privacy Shield – Validity

• Concerns about the validity of the Privacy Shield:
  – EDPS opinion 4/2016 of May 30, 2016:
    · Better specify purpose limitation, data retention, the right to object
      and the rules on onward transfer
    · Derogations from the legal basis for authorities' access should be more
      precise
    · Redress mechanisms should be improved, notably the Ombudsperson, who
      should be independent from all authorities, not only the intelligence
      community
EU-U.S. Privacy Shield – Pending cases

• Action brought before the CJEU on 16 September 2016 by Digital Rights
  Ireland:
  – U.S. law still allows secret agencies access on a generalized basis to the
    content of electronic communications
  – No complete transposition of the rights to access, rectify, object and
    erase
  – No authority with complete, effective and binding redress power
• Action brought before the CJEU on 25 October 2016 by French associations:
  – The Ombudsperson is not an effective mechanism for dealing with complaints
  – The Ombudsperson lacks independence
Annual Review

• Annual review of the Privacy Shield by the Commission with both U.S. and EU
  officials, to check the U.S. commitments: September 2017, ongoing
• WP29 will issue a separate report and has announced that it will check:
  – The inherent issues with the Privacy Shield (e.g. rights of individuals,
    bulk surveillance, etc.)
  – The effectiveness and practicalities of the Privacy Shield's safeguards
Questions or Comments?

www.mcguirewoods.com
pvandenbulck@mcguirewoods.com
@Pbulck
T: +32 629 42 39
M: +32 475 52 84 08
The EU Toolkit for International Transfers (II)

Appropriate Safeguards, Derogations, Oversight and Redress

ERA, Trier, 14th September 2017

Paul Van den Bulck
McGuireWoods, Partner
www.mcguirewoods.com
Plan

1. Appropriate safeguards
2. Binding Corporate Rules
3. Contractual Clauses (Standard and Ad hoc)
4. Codes of conduct
5. Certification
6. Derogations
7. Specific information to data subjects
8. Redress and remedies
Appropriate safeguards: principle and requirements

• Principle: in the absence of an adequacy decision, data transfer may only
  take place under appropriate safeguards or under derogations allowed for in
  specific situations
• Requirements to implement appropriate safeguards:
  – Enforceable rights and effective legal remedies for data subjects
  – The safeguard used must provide those rights, or the third country must
    guarantee that they are enforceable
  – In certain cases (ad hoc clauses and administrative arrangements),
    authorization of the transfer or approval of the appropriate safeguards by
    the supervisory authority
List of appropriate safeguards

• Those which do not require authorization from a supervisory authority
  include, among other things:
  – Binding Corporate Rules (BCR)
  – Standard data protection clauses (SDPC):
    · Adopted by the Commission, or
    · Adopted by a supervisory authority and approved by the Commission
  – Approved Code of conduct with binding commitments to apply the appropriate
    safeguards, including data subjects' rights
  – Approved Certification mechanism with binding commitments to apply the
    appropriate safeguards, including data subjects' rights
• Standard Contractual Clauses (SCC, the previous name) adopted and BCR
  implemented prior to the GDPR remain in force
List of appropriate safeguards

• Those which require authorization from a supervisory authority include:
  – Ad hoc Contractual Clauses (ACC) between the controller or processor and
    the controller, processor or recipient located in a third country
  – Administrative arrangements between public authorities or bodies which
    include enforceable and effective data subject rights
Binding Corporate Rules

• BCR are corporate rules allowing all transfers within an international group
  of undertakings or a group of enterprises engaged in a joint economic
  activity
• This possibility for undertakings with a joint economic activity to implement
  BCR results from the G29 practice and will have to be detailed
• The Directive did not expressly recognize BCR
Binding Corporate Rules

• BCRs must:
  – Be binding upon the undertakings involved, including their employees, and
  – Include all basic principles and enforceable rights to ensure appropriate
    safeguards for transfers
• Solid means to implement a data protection policy within the group, but they
  require a lot of effort to maintain and keep up to date
• Can be implemented by a group of controllers, a group of processors, or a
  group of controllers and processors
Binding Corporate Rules

• BCRs shall, at a minimum, specify:
  – The structure and contact details of the group of undertakings and of each
    of its members
  – The characteristics of the data transfers, including categories of data,
    type of processing and purposes, type of data subjects and the third
    countries to which data are transferred
  – The extent to which they are legally binding
  – The application of the general data protection principles, e.g. purpose
    limitation, data minimisation, limited storage periods, data quality, data
    protection by design and by default, legal basis for processing, data
    security, requirements for onward transfers
  – The rights of data subjects and the means to exercise those rights
  – Acceptance by the entities of liability for any breaches of the BCR
  – How information is provided to data subjects
  – The tasks of the data protection officer
  – The procedures for data subjects' complaints
  – The mechanisms for ensuring the verification of compliance with the BCR
  – The mechanisms for recording changes and reporting them to the supervisory
    authority
  – The cooperation mechanism with the supervisory authority
  – The appropriate data protection training for personnel
Contractual clauses

• Two types of SDPC:
  – SDPC adopted by the Commission; and
  – SDPC adopted by a supervisory authority and approved by the Commission.
• ACC, requiring the authorization of the supervisory authority:
  – ACC adopted between:
    · An exporter (controller or processor); and
    · An importer (controller, processor, or recipient).
Contractual clauses (SCC, SDPC)

• To date, three sets of SCC (SDPC):
  – Two sets for transfers from an EU controller to a non-EU controller, one of
    the main differences being the liability mechanism toward the data subject
  – One set for transfers from an EU controller to a non-EU processor
  – No set for EU processor to non-EU processor
  – Recently modified to integrate the Schrems case on the powers of the
    supervisory authority
Contractual clauses (SCC, SDPC)

• Common means pre-drafted and enacted by the Commission: transfer by
  contractual agreement concluded between the exporter and the importer
• The importer commits itself to comply with the data protection principles,
  and specific mechanisms are provided for the data subject to enforce its
  rights against both parties and to hold them liable
• The details of the transfer (types of data, purposes, types of data subject,
  security requirements) are to be completed
Contractual clauses (SCC, SDPC)

• May be external or internal, i.e. within the same group
• In practice, for internal clauses: intra-group processing agreement with
  Contractual Clauses
• May be completed by business clauses that do not contradict them
• Previous SCC remain in force: how to implement the new GDPR express rules?
  Update?
Contractual clauses (ACC)

• ACC are explicitly created by the GDPR (implementing an existing practice)
  and need the supervisory authority's approval
• ACC are agreements drafted by the parties: to be approved, they must include
  enforceable rights and effective legal remedies for data subjects
• SCC already allow for additional clauses provided that they do not contradict
  the mandatory clauses, so ACC are likely not to be used a lot
Codes of conduct

• Adherence of a data importer to a code of conduct coupled with a binding and
  enforceable commitment by the controller or processor to apply the
  appropriate safeguards
• Can be prepared by associations and other bodies representing controllers or
  processors: e.g. CISPE's Code of Conduct by the cloud computing industry
• Two levels of approval:
  – If the Code relates to processing in one Member State: supervisory
    authority;
  – If the Code relates to processing in several Member States: the Commission
    may give the Code general validity in the EU; only those Codes allow
    transfers to importers that are not subject to the GDPR
Codes of conduct

• Do not only relate to transfers: intended to contribute to the proper
  application of the GDPR, with methods of implementation and best practices
  for the GDPR
• The Code must provide mechanisms enabling a body to carry out the mandatory
  monitoring of compliance with its provisions
Codes of conduct

• The monitoring of compliance with a Code may be carried out by a body where
  this body has:
  – Demonstrated its independence, absence of conflict of interest and
    expertise in data protection
  – Established procedures to assess eligibility to apply the Code, to monitor
    compliance and to periodically review its operation
  – Established procedures to handle complaints about infringements of the
    Code, and made those procedures transparent to data subjects and the public
• The body must have been accredited by a supervisory authority
Certification

• Set of rules and standards, made legally binding by a binding and enforceable
  commitment taken by the importer, including where the GDPR is not applicable
  to the importer
• Certifications are issued by approved certification bodies:
  – Certification bodies accredited by a supervisory authority, or
  – Certification bodies accredited in accordance with Regulation (EC)
    No. 765/2008
• Does not only relate to transfers: intended to contribute to the proper
  application of the GDPR, with methods of implementation and best practices
  for the GDPR
Certification

• To be accredited, certification bodies must:
  – Be independent, have no conflict of interest and demonstrate expertise in
    data protection
  – Have procedures for the issuing, periodic review and withdrawal of
    certification
  – Have transparent procedures to handle complaints about infringements of the
    certification
• Life of the certification:
  – It is granted for a maximum period of three years, renewable provided that
    the certification requirements are still being met
  – May be withdrawn at any time in the event of non-compliance
Derogations for specific situations

• Derogations only relate to transfers which can be qualified as not
  repetitive and that concern only a limited number of data subjects
• In the GDPR, these conditions are required only for one derogation: the
  compelling legitimate interest.
• But following the G29, such conditions ("not repeated, massive, structural")
  should apply to all derogations
Derogations for specific situations

• Derogations include:
  – Explicit consent, with information on the risks due to the absence of an
    adequacy decision or appropriate safeguards
  – Necessary for contract performance or implementation of precontractual
    measures at the data subject's request
  – Necessary for the conclusion of a contract between the controller and a
    third party in the data subject's interest
  – Necessary for important reasons of public interest
  – Necessary for the establishment, exercise or defense of legal claims
  – Necessary for the protection of the data subject's or another person's vital
    interests, where the data subject is physically incapable of giving consent
  – Made from an official register providing information to the public and open
    to consultation by the public or by any person having a legitimate interest,
    to the extent that the conditions laid down by Union or Member State law for
    consultation are fulfilled
  – When no other means is possible, necessary for the purposes of compelling
    legitimate interests not overridden by the data subject's interests or
    rights and freedoms, provided that:
    · All circumstances surrounding the transfer have been assessed and suitable
      safeguards provided (e.g. DPIA);
    · The supervisory authority has been notified; and
    · The data subject has been informed of the transfer and of the compelling
      legitimate interests.
Derogations for specific situations

• Union or Member State law may, for important reasons of public interest,
  expressly set limits to the transfer of specific categories of personal data
  to a third country or an international organisation
Specific information of the data subject

• The GDPR requires the controller to inform data subjects of its intention to
  transfer personal data to a third country and:
  – Of the existence or absence of an adequacy decision given by the
    Commission, or
  – In the case of transfers under appropriate safeguards or derogations: of a
    reference to the appropriate safeguards (+ the means of obtaining a copy)
    or to the derogations
Redress and remedies

• Some are specific to the appropriate safeguard used:
  – BCRs: commitment to render the principles binding and enforceable
  – SCC: e.g. joint liability between importer and exporter (Set I, controller
    to controller)
• Supervisory authority: right to lodge a complaint
  – Measures (non-pecuniary): interdiction, enforcement of data subjects'
    rights, etc., or
  – Fines of up to EUR 20 million or up to 4% of the total worldwide annual
    turnover of the previous financial year, whichever is higher
  NB: In Estonia and Denmark, no administrative fines are possible
    · Denmark: criminal fines imposed by courts
    · Estonia: criminal fines imposed by the supervisory authority, but under a
      specific procedure
Redress and remedies

• Courts: right to an effective judicial remedy against a controller or
  processor:
  – Measures: appeal from a Supervisory Authority decision
  – Liability and right to compensation:
    · The controller and processor are liable for any damage caused by
      processing infringing the transfer requirements
    · Exemption from liability if one proves that it is not responsible for the
      event giving rise to the damage
    · Where more than one controller or processor is involved in the same
      processing, each controller or processor is liable for the entire damage
      toward the data subject
    · If one has paid full compensation, it may claim back the part
      corresponding to the actual share of responsibility
CASES

Case study n° 1

Facts

• X, a European trade union of workers, has decided to share personal data of
  its members with Y, another trade union located in Brazil.
• At the time of the data collection, processing was based on explicit consent.
• Brazil does not ensure an adequate level of protection and X plans to justify
  the transfer on the basis of consent.
• X sent an email to its members, stating that the transfer does not imply any
  privacy risk, with a box to check and a sentence drafted as follows:

  "By checking this box, I accept the transfer of my personal data from X to Y
  in Brazil."

Question: does this way of collecting consent comply with the GDPR?

Case study n° 2

Facts

• X is a Belgian company organizing a sporting event.
• X has a marketing partnership with Y, a U.S. company organizing sports
  betting.
• Under this partnership, X transfers its clients' data to Y in order for the
  latter to perform marketing campaigns.
• X and Y entered into an agreement named "data processing and transfer
  agreement", drafted by their legal counsel, providing enforceable means for
  the data subjects to exercise their rights, and effective ways to obtain
  compensation in case of breach of the agreement or the GDPR.

Question: is this "data processing and transfer agreement" sufficient for the
international transfer to be lawful?
Case study n° 3

Facts

• X is an Italian-based oil company.
• X has several subsidiaries in the EU and one commercial partner in the U.S.,
  Y.
• X has entered into a joint venture agreement with Y to exercise a joint
  activity in the U.S., resulting in a joint entity named X/Y. X shares some of
  the data it processed as a controller with Y and with X/Y.
• All personal data related to the employees of the group X, including X/Y's
  employees, are stored by a cloud-computing provider, Z, located in China.

Questions:

1. First question: X, Y and X/Y want to implement a solid framework of data
   protection that could render their internal transfers related to the joint
   activity legitimate. They want to avoid the use of certification or codes of
   conduct. What instrument could they use?

2. Second question: Z wants to adhere to a Code of conduct recently issued by
   the cloud-computing industry. How can X be sure that the application of this
   Code of conduct would make the transfer legitimate?

Case study n° 4

Facts

• X is a franchisor of fast food restaurants located in Belgium.
• X has a network of franchised restaurants in several EU Member States.
• X processes personal data concerning employees and clients and is the
  controller for this processing.
• This processing is carried out through an IT infrastructure managed by Y, a
  cloud-computing provider, the headquarters of which is located in Australia.
• At the time of the conclusion of the Service Agreement, Y had already adhered
  to a certification complying with all the GDPR requirements for international
  transfers. Three years later, Z acquires Y.

Question: to what should X pay attention in order to continue transferring data
to Z?

Case study n° 5

Facts

• X is a media company.
• X processes its employees' data and is the controller for this processing.
• Y, another media company based in China, is considering acquiring X.
• A due diligence will be carried out by Y to review X's assets and documents.
• During this due diligence, contractual documents containing all employees'
  personal data will be processed by Y in China.

Question: X believes that the data transfer to Y can be based on its compelling
legitimate interest. Is it true?
ANSWERS

Case study n° 1

Answer

• For processing: personal data concerning trade union membership are sensitive
  data, so explicit consent is a lawful legal basis (9.2.a, GDPR)
• For transfer: no, because:
  – If the transfer is repetitive or massive: appropriate safeguards are
    required;
  – If the transfer is not repetitive or massive, consent is possible, but
    before giving it, data subjects should have been informed of the risks
    resulting from the absence of an adequacy decision and appropriate
    safeguards (49.1.a, GDPR).

Case study n° 2

Answer

• It is possible to rely on ad hoc contractual clauses between controllers
  providing enforceable rights and effective remedies (46.1, GDPR), and:
  – The ad hoc contractual clauses must be approved by a supervisory authority
    prior to the transfer (46.3.a, GDPR); and
  – The data subjects must have been informed (1) of the absence of an
    adequacy decision, (2) of the use of ad hoc contractual clauses and (3) of
    the means to obtain a copy of them (13.1.f, GDPR).

Case study n° 3

Answers

1. The following instruments can be used:
   • BCRs: a group of enterprises engaged in a joint economic activity may
     implement BCRs (approved by a supervisory authority) (47.1.a, GDPR);
   • Internal data processing agreement with:
     i. Standard Data Protection Clauses (46.2.c or d, GDPR), or
     ii. Ad hoc Contractual Clauses (approved by a supervisory authority)
         (46.3.a, GDPR);
   • Privacy Shield certification.

2. Z should pay attention to the following:
   • The Code must have been approved by a supervisory authority (40.5, GDPR);
   • The Code must have been approved by the Commission (40.9, GDPR), in order
     to have general validity in the Union and be used as an appropriate
     safeguard for transfers to a third country (40.3, GDPR); and
   • To apply the Code, the compliance of Z with the Code must be monitored by
     an accredited body (40.4, GDPR).

Case study n° 4

Answer

• In principle, the certification remains after the acquisition, but only for
  the processing already covered by the certification, not for possible new
  processing resulting from the acquisition.
• Y or Z should renew the certification (42.7, GDPR: certification must be
  renewed after three years).

Case study n° 5

Answer

Yes, provided that (49.1, GDPR):

• No appropriate safeguards are available (this seems to be the case in M&A
  because of legal secrecy constraints);
• The transfer is not repetitive nor massive;
• The compelling legitimate interest is not overridden by the interests or
  rights and freedoms of the data subject: case-by-case analysis;
• X has assessed all the circumstances surrounding the data transfer and has
  provided suitable safeguards with regard to data protection: anonymization,
  different rooms (green/red), different access rights, IT security, etc.;
• X has informed the supervisory authority of the transfer (under
  confidentiality); and
• In principle, X should inform the data subjects of the transfer and of the
  compelling legitimate interests (delayed, cf. WP29).
Diana Alonso Blas
DIANA ALONSO BLAS
Diana Alonso Blas, LL.M. in European Law, has been the Data Protection Officer and Head of the Data Protection Service at Eurojust, the European Union's Judicial Cooperation Unit, in The Hague, since November 2003. In this capacity she played a crucial role in the drafting of the data protection rules of Eurojust. Under article 17 of the Eurojust Decision, she has the task of ensuring compliance with the data protection rules in an independent manner.

She studied Law at the universities of San Sebastián (Spain), Pau et les Pays de l'Adour (France) and Leuven (Belgium). Subsequently she followed an LL.M. European Law postgraduate programme at the University of Leuven, where she graduated magna cum laude in 1993. From 1994 to 1998 she worked as a research fellow for the Interdisciplinary Centre for Law and Information Technology (ICRI) of the Catholic University of Leuven (K.U.L.), where she carried out several comparative data protection research projects for the European Commission. In the same period she spent one year acting as privacy expert for the Belgian Data Protection Authority in Brussels.

In April 1998 she joined the Dutch Data Protection Authority where she was a Senior
International Officer working under the direct supervision of Peter Hustinx until the end of
January 2002. During this period she dealt with the international cases and represented The
Netherlands in several international working groups, such as the article 29 Working Party and
many of its sub-groups, in Brussels and Strasbourg. She was a member of the Drafting Group of
the Consultative Committee on Convention 108 at the Council of Europe as well as one of the
vice-chairs. She acted as data protection expert in official missions of the Council of Europe and
was one of the driving forces of the Complaints Workshop for staff of the DPAs, leading their
network for exchange of information on international cases and information requests from its start
until she left the Dutch DPA to join the European Commission (1 February 2002).

From February 2002 to November 2003 she worked at the Data Protection Unit of Directorate
General Internal Market of the European Commission, in Brussels. She was closely involved in
the activities of the Article 29 Working Party and several of its subgroups as a member of the
secretariat and was responsible within this unit for topics such as Internet, e-commerce, privacy-
enhancing technologies, European codes of conduct, bilateral negotiation with several countries
(including USA) and so forth.

She is the author of numerous articles and reports dealing with data protection at European level in the first and third pillar and is often invited as a speaker at European and international data protection conferences. She has also been a guest lecturer at the universities of Tilburg (Netherlands) and Edinburgh (UK). She is a Spanish national and speaks five languages.

Contact details:

Eurojust
Johan de Wittlaan 9
NL-2517 JR The Hague
Tel: +31 70 412 5510
Fax: + 31 70 412 5515
dalonsoblas@eurojust.europa.eu
INTERNATIONAL TRANSFERS OF PERSONAL DATA, DATA RETENTION AND SURVEILLANCE IN THE LAW ENFORCEMENT AREA

Diana ALONSO BLAS
Data Protection Officer/Head of the DP service at Eurojust
Topics
• Introduction: the existing and future legal framework in the law enforcement area
• International transfers: concept and basic requirements
• Mechanisms/instruments for international transfers in the law enforcement field depending on the actors involved
• Existing international agreements
• Data retention/surveillance in the EU after the Digital Rights Ireland case
INTRODUCTION: THE EXISTING AND FUTURE LEGAL FRAMEWORK IN THE LAW ENFORCEMENT AREA
Exclusion from Directive 95/46/EC scope/derogations

• Article 3.2. This Directive shall not apply to the processing of personal data:
  – in the course of an activity which falls outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union and in any case to processing operations concerning public security, defence, State security (including the economic well-being of the State when the processing operation relates to State security matters) and the activities of the State in areas of criminal law
• Article 13.1. Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6 (1), 10, 11 (1), 12 and 21 when such a restriction constitutes a necessary measures to safeguard:
  – (a) national security;
  – (b) defence;
  – (c) public security;
  – (d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for regulated professions;
• Case law: PNR, traffic data retention
• Transposition beyond Article 3.2 in many countries
Treaty on the Functioning of the EU (Lisbon)

• Lisbon Treaty
  * abolishment of the pillar structure;
  * implications for data protection:
    – Directive 95/46/EC will not automatically apply to the police and judicial cooperation sector (Art. 3(2) excluded activities outside the scope of Community law and also activities of the State in the area of criminal law);
• EU Charter – data protection as a fundamental right;

Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms (1950)
Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
Article 16 TFEU

1. Everyone has the right to the protection of personal data concerning them.
2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.
The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union.
Declaration 21 of the Lisbon Treaty

The Conference acknowledges that specific rules on the protection of personal data and the free movement of such data in the fields of judicial cooperation in criminal matters and police cooperation based on Article 16 of the Treaty on the Functioning of the European Union may prove necessary because of the specific nature of these fields.
Data Protection in the European JHA field: rules of general character presently applicable

• Council of Europe Convention 108 (1981), ratified presently by 51 countries, including recently Turkey as well as the non-CoE states Uruguay, Senegal, Mauritius and Tunisia.
• Additional Protocol to this Convention of November 2001, ratified by 40 countries and signed by another 7
• CoE Recommendation No. R(87) 15 regulating the use of personal data in the police sector (17 September 1987)
• Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters 2008/977/JHA of 27 November 2008
Framework Decision 2008/977/JHA on data protection

• More specific DP regimes in other EU legislation are left untouched: Eurojust, Europol, CIS, SIS

Article 1. Purpose and scope
2. In accordance with this Framework Decision, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy when, for the purpose of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, personal data:
(a) are or have been transmitted or made available between Member States;
(b) are or have been transmitted or made available by Member States to authorities or to information systems established on the basis of Title VI of the Treaty on European Union; or
(c) are or have been transmitted or made available to the competent authorities of the Member States by authorities or information systems established on the basis of the Treaty on European Union or the Treaty establishing the European Community.
Data Protection in the European JHA field: sectoral rules

• Eurojust Decision of 16 December 2008 (review ongoing)
• Regulation 2016/794 of 11 May 2016 on the EU Agency for Law Enforcement Cooperation (Europol), entered into force in May 2017
• Schengen Convention
• Council Decision 2009/917/JHA of 30 November 2009 on the use of information technology for customs purposes
• Data Retention Directive 2006/24, annulled by the ECJ
• Treaty of Prüm
• TFTP agreement
• Directive 2016/681 of 27 April 2016 on the use of PNR data
• Bilateral agreements between MS and third states on the exchange of personal data
• New “Police Directive”
• “Patchwork”/proliferation of rules issue…
Directive 2016/680 “Police Directive”

• Scope: processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal offences, and the free movement of such data
• It repeals FD 2008/977
• It entered into force the day after publication in the OJ, but it has to be transposed by the MS by 6 May 2018
INTERNATIONAL TRANSFERS: CONCEPT AND BASIC REQUIREMENTS
Transfers of data to third countries

• Possible definition of “transfer”: making personal data available to a person who is outside the legal jurisdiction of one of the countries of the EU
• Often the term “transfer of personal data” is associated with the act of sending or transmitting personal data from one country to another, for instance by sending paper or electronic documents containing personal data by post or e-mail. However, many more complex situations exist, especially in the online world.
Conditions to make a transfer legitimate
• A transfer is a kind of processing and will only be legitimate if it complies with all the DP requirements: having a legal ground for this processing operation, processing the data for specified, legitimate and determined purposes, in accordance with the law and in a proper and careful manner, not further processing the data for a purpose that is incompatible with the original purpose, and so on. A transfer of any kind, to a Member State of the European Union or to a third country, needs to comply with all the relevant DP requirements in order to ensure legitimate processing.
• The rules on transfers to a third country additionally apply to.
Present scheme to allow transfers
• General principle: adequate protection
  – Adequacy concept
  – Decisions on adequacy
• Exceptions: Article 26
• Adequate safeguards
  – Contractual clauses
  – Binding corporate rules
• Schrems case: The word ‘adequate’ signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order. However, the term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the EU by virtue of Directive 95/46 read in the light of the Charter.
Data transfers in the GDPR
• Same scheme as in Directive 95/46 in general: an adequate level of protection as the main principle, based on a Commission decision.
• Periodic reviews by the EC foreseen
• Adequate safeguards as the second option, with BCRs now having specific regulation. The consistency mechanism applies.
• Derogations for specific situations as a last resort
• No big changes, although more alignment between DPAs and more clarity are sought.
• Specific provision on transfers or disclosures based on judgments of a court or tribunal and decisions of an administrative authority of a third country: only recognised or enforceable if based on an international agreement such as an MLA treaty…
19/09/2017 Welcome to Eurojust 16


MECHANISMS/INSTRUMENTS FOR INTERNATIONAL TRANSFERS IN THE LAW ENFORCEMENT FIELD DEPENDING ON THE ACTORS INVOLVED
General principles of the “Police Directive”
General principles for transfers of personal data
1. Member States shall provide for any transfer by competent authorities of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation including for onward transfers to another third country or international organisation to take place, subject to compliance with the national provisions adopted pursuant to other provisions of this Directive, only where the conditions laid down in this Chapter are met, namely:
(a) the transfer is necessary for the purposes set out in Article 1(1);
(b) the personal data are transferred to a controller in a third country or international organisation that is an authority competent for the purposes referred to in Article 1(1);
(c) where personal data are transmitted or made available from another Member State, that Member State has given its prior authorisation to the transfer in accordance with its national law;
(d) the Commission has adopted an adequacy decision pursuant to Article 36, or, in the absence of such a decision, appropriate safeguards have been provided or exist pursuant to Article 37, or, in the absence of an adequacy decision pursuant to Article 36 and of appropriate safeguards in accordance with Article 37, derogations for specific situations apply pursuant to Article 38; and
(e) in the case of an onward transfer to another third country or international organisation, the competent authority that carried out the original transfer or another competent authority of the same Member State authorises the onward transfer, after taking into due account all relevant factors, including the seriousness of the criminal offence, the purpose for which the personal data was originally transferred and the level of personal data protection in the third country or an international organisation to which personal data are onward transferred.
2. Member States shall provide for transfers without the prior authorisation by another Member State in accordance with point (c) of paragraph 1 to be permitted only if the transfer of the personal data is necessary for the prevention of an immediate and serious threat to public security of a Member State or a third country or to essential interests of a Member State and the prior authorisation cannot be obtained in good time. The authority responsible for giving prior authorisation shall be informed without delay.
3. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons ensured by this Directive is not undermined.
General scheme
• Respect of the general conditions of the Directive (legitimacy of processing)
• Adequacy decision by the EC + periodic review
• Appropriate safeguards through a legally binding instrument or an assessment by the controller. In such a case the DPA needs to be informed as to the categories + documentation
• Derogations for specific situations. Documentation.
  – Interpretation will be the issue in practice
• Specific article on transfers provided for in EU or MS law or international agreements to recipients in third countries in individual and specific cases. Subject to conditions + documentation
Additional relevant provisions
• Article 60: Union legal acts already in force
  The specific provisions for the protection of personal data in Union legal acts that entered into force on or before 6 May 2016 in the field of judicial cooperation in criminal matters and police cooperation, which regulate processing between Member States and the access of designated authorities of Member States to information systems established pursuant to the Treaties within the scope of this Directive, shall remain unaffected.
• Article 61: Relationship with previously concluded international agreements in the field of judicial cooperation in criminal matters and police cooperation
  International agreements involving the transfer of personal data to third countries or international organisations which were concluded by Member States prior to 6 May 2016 and which comply with Union law as applicable prior to that date shall remain in force until amended, replaced or revoked.
EXISTING INTERNATIONAL AGREEMENTS
Existing agreements between Eurojust and third countries
• Norway: liaison magistrate
• Iceland
• US: liaison magistrate
• former Yugoslav Republic of Macedonia
• Switzerland: liaison magistrate
• Liechtenstein
• Moldova
• Montenegro
• Ukraine
• In the process: Albania…
Existing agreements between Europol and third countries

• Operational: Albania, Australia, Bosnia Herzegovina, Canada, Colombia, fYROM, Georgia, Iceland, Liechtenstein, Moldova, Monaco, Montenegro, Norway, Serbia, Switzerland, Ukraine, USA
• Strategic: China, Russia, Turkey
EU-US Umbrella Agreement
• On 2 June 2016 EU-U.S. Justice and Home Affairs Ministers formally signed the "Umbrella Agreement". It entered into force on 1 February 2017.
• It puts in place a comprehensive data protection framework for EU-US law enforcement cooperation. It covers all personal data exchanged between the EU and the US for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism.
• This agreement complements existing EU-US and Member State-US agreements between law enforcement authorities. It supplements where appropriate but does not replace existing agreements.
• The agreement is not in itself a legal basis for transfers! A legal basis is always required in addition!
• Issues regarding the Judicial Redress Act, which is part of the package
Content of the EU-US Umbrella Agreement
• Clear limitations on data use – Personal data may only be used for the purpose of preventing, investigating, detecting or prosecuting criminal offences, and may not be processed beyond compatible purposes.
• Onward transfer – Any onward transfer to a non-US, non-EU country or international organisation must be subject to the prior consent of the competent authority of the country which had originally transferred the personal data.
• Retention periods – Individuals' personal data may not be retained for longer than necessary or appropriate. These retention periods will have to be published or otherwise made publicly available. The decision on what is an acceptable duration must take into account the impact on people's rights and interests.
• Right to access and rectification – Any individual will be entitled to access their personal data – subject to certain conditions, given the law enforcement context – and will be able to request that the data is corrected if it is inaccurate.
• Information in case of data security breaches – A mechanism will be put in place so as to ensure notification of data security breaches to the competent authority and, where appropriate, the data subject.
• Judicial redress and enforceability of rights – EU citizens will have the right to seek judicial redress before US courts in case the US authorities deny access or rectification, or unlawfully disclose their personal data. This provision of the Agreement depends on the adoption by the US Congress of the US Judicial Redress Bill.
Other existing agreements
• EU/US agreements on MLA and Extradition: data protection is hardly mentioned anywhere
• PNR agreements:
  Latest news: The envisaged EU-Canada PNR Agreement aimed at regulating the transfer and processing of passenger name record data to Canada for the purpose of combatting terrorism and other serious transnational crime under certain conditions and according to data protection safeguards. The agreement was signed in 2014. The Council of the EU requested the European Parliament (EP)’s approval of the agreement, and the EP decided to refer the matter to the CoJ in order to ascertain whether the PNR Agreement is compatible with EU law and, in particular, with the provisions relating to the respect for private life and the protection of personal data.
  On 26 July 2017, the ECJ issued its opinion that the PNR Agreement may not be concluded in its current form because several of its provisions are incompatible with the fundamental rights recognised by the EU and as a consequence must be modified.
• TFTP agreement
• …
• Many bilateral agreements between individual MS and third countries
DATA RETENTION/SURVEILLANCE IN THE EU AFTER THE DIGITAL RIGHTS IRELAND CASE

(with thanks to Xavier Tracol!!)
Definition of surveillance
• The Court of Justice used but did not define the term surveillance in the three Digital Rights, Schrems and Tele2 judgments
• Black’s Law Dictionary defines surveillance as the “[c]lose observation or listening of a person or place in the hope of gathering evidence.” (Emphasis added)
Digital Rights judgment I
• The Grand Chamber considered that “the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance.” (Para. 37)
• The Grand Chamber found that mass surveillance breaches the fundamental right to respect of private life (paras 57 to 61). It thus prohibited generalised mass surveillance.
Digital Rights judgment II
• The Grand Chamber noted that “Article 6 of the Charter lays down the right of any person not only to liberty, but also to security” (para. 42 in fine; see also Opinion 1/15 of the Grand Chamber on the draft PNR agreement with Canada, 26 July 2017, para. 149).
• The considerations of the Grand Chamber on the fundamental rights to security and liberty based on Article 6 of the Charter are not persuasive.
Digital Rights judgment III
• The Explanatory Note on this provision shows that its scope covers both criminal proceedings and administrative detention, including deprivation of liberty, prohibition of arbitrary detention, immigration law, asylum law as well as detention pursuant to a European Arrest Warrant.
• Article 6 of the Charter is not relevant to the fight against serious crime and the protection of personal data.
• The implications of this consideration by the Grand Chamber are not clear and its interpretation of this provision is rather concise.
Schrems case
• In his opinion, Advocate General Yves Bot assessed the legitimacy of US surveillance and harshly criticised the safe harbour scheme.
• The Advocate General referred to “a mass and indiscriminate surveillance and interception” of personal data by the National Security Agency (para. 155) and “the large scale collection of the personal data of citizens of the Union, which is transferred under the safe harbour scheme” (para. 158).
• The Advocate General considered that the “mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights guaranteed” by Article 7 on the right to respect of private life and Article 8 on the right to the protection of personal data of the Charter (para. 200).
Schrems judgment I
• The Grand Chamber moved the focus from the assessment of the legitimacy of US surveillance in the opinion of Advocate General Bot to the analysis in its judgment of the compliance of Commission Decision 2000/520 on safe harbour with Article 25(6) of Directive 95/46 of 24 October 1995 read in light of the Charter.
• Mass surveillance inherently and intrinsically infringes upon Article 7 of the Charter, regardless of the safeguards put in place to limit the abuse (paras 93 and 94).
Schrems judgment II
The Grand Chamber ruled that the decision of the Commission was invalid since Article 1 of the decision failed to comply with the requirements laid down in Article 25(6) of the Directive read in light of the Charter (para. 98).
Tele2 judgment I
• For the first time, the judgment of the Grand Chamber set EU standards about the retention of personal data for surveillance purposes that Member States need to comply with.
• The Swedish legislation provides for generalised mass processing and surveillance of telecommunications meta-data, which infringes upon the fundamental right to respect for private life and is outlawed in the EU (para. 105).
Tele2 judgment II
“Article 15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, does not prevent a Member State from adopting legislation permitting, as a preventive measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary” (para. 108, emphasis added).
Tele2 judgment III
• The Grand Chamber did not question or challenge the appropriateness and effectiveness of targeted retention of traffic and location data, which remains a lawful purpose for both preventing and fighting serious crime, subject to compliance with requirements to be met by domestic law.
• National data retention laws “must, in particular, indicate in what circumstances and under which conditions a data retention measure may, as a preventive measure, be adopted, thereby ensuring that such a measure is limited to what is strictly necessary” (para. 109, emphasis added).
ECHR
• The ECHR will continue playing an essential role in limiting surveillance powers in Europe
• The ECHR has already recognised that general surveillance programmes represent a significant threat to the protection of privacy. See for instance Roman Zakharov v. Russia, application no. 47143/06, 4 December 2015, in which the Grand Chamber considered that, given that the domestic system did not afford an effective remedy to the person who suspected that he or she was subjected to secret surveillance, the very existence of the contested legislation amounted in itself to an interference with Mr Zakharov’s rights under Article 8 of the European Convention
• Cross-fertilisation between the ECHR and the Court of Justice of the EU: the two courts both refer to each other’s case law in their judgments, thereby paving the way for developing minimum criteria and common standards of European principles on the respect for private life and the protection of personal data with which Member States must comply when they adopt surveillance legislation. See for instance the Digital Rights judgment and Szabó and Vissy v. Hungary, application no. 37138/14, 12 January 2016, in which the Court examined the Hungarian surveillance legislation which allowed for the secret monitoring of electronic communication.
Contact Information

Diana Alonso Blas
Head of DP service/Data Protection Officer
Eurojust
dalonsoblas@eurojust.europa.eu
+31 70 412 5510

www.eurojust.europa.eu
ERA Summer Course DP 14 September 2017

Case study international transfers in law enforcement field

Diana Alonso Blas

A French investigative judge is dealing with a case regarding drug trafficking operating from Marseille but involving a number of collaborators in Spain, Greece, Italy as well as Tunisia and Morocco. Possibly more countries are involved.

Through his contacts with the Spanish authorities he understands they are also
investigating some suspects operating there and they might also have some
useful information as to the further activities in Tunisia and Morocco.

Given the complexity of the file and the investigation he considers requesting
the assistance of Eurojust in order to coordinate the investigation and see if any
joint actions could be considered at a later stage. In order to do that he contacts
the French National desk at Eurojust and they agree a case will be opened at
Eurojust.

1. Can the French investigative judge provide the complete case file to
Eurojust (French National desk)?
2. Which legal framework applies to the transfer of personal data between
the French investigative judge and Eurojust?
3. Can the French National desk share all information with the National
Members of Spain, Greece and Italy?
4. Which legal framework applies to the provision of personal data from
the French National Member to the National Members of Spain, Greece
and Italy at Eurojust?

Following the meeting between the relevant desks at Eurojust they decide to
organise a coordination meeting at Eurojust and to invite the competent
authorities of Tunisia and Morocco.

5. Can Eurojust transfer personal data to Tunisia and Morocco? If so, which
legal instrument would apply to such transfer?
6. Can the French judge transfer personal data to Tunisia and Morocco? If
so, which legal instrument would apply to such transfer?

Following the exchange of information during the coordination meeting at Eurojust it is concluded that one of the main suspects, a French national, has left the country and there are indications that he might be in the United States now.

7. What would be the easiest channel to liaise with the US authorities at this
stage? Which legal provisions would apply to such exchange of
information?
8. Assuming that sufficient information exists to substantiate such request
and that it is confirmed that the suspect is in the US and the French
authorities would be in the position of prosecuting the person in France,
which legal basis could be used to initiate an extradition request? Which
parties would be involved in such legal transfer?
Johnny Ryan
Dr Johnny Ryan FRHistS

Dr Johnny Ryan FRHistS is Head of Ecosystem for PageFair, currently focussing on GDPR, the ePrivacy Regulation, and media sustainability.

He is a Fellow of the Royal Historical Society, and a member of the World Economic
Forum’s expert network on media, entertainment and information.

His second book “A History of the Internet and the Digital Future” is on the reading
list at Harvard and Stanford. His expert commentary on adblocking, privacy, and
digital has appeared in The Financial Times, Le Monde, Wired, NPR, Advertising
Age, the BBC, Sky News, and many others. His writing has appeared in NATO
Review, Fortune, Business Week, Business Insider, Contagious, and Ars Technica.

He has a background in policy think tanks, academia, and media. His previous roles include Chief Innovation Officer of The Irish Times and Senior Researcher at the Institute of International & European Affairs (IIEA). His first book, based on his work at the IIEA, was the most cited source in the European Commission’s impact assessment that decided against pursuing Web censorship across the European Union.

As a PhD scholar at the University of Cambridge he studied the spread of terrorist memes on the Web. He was supervised by MI5’s official historian, and his advisor was the former Director of the Secret Intelligence Service (MI6).

He started his career as a designer, and returned to design thinking later as Executive Director of The Innovation Academy at University College Dublin. He was an associate on the emerging digital environment at the Judge Business School of the University of Cambridge, and occasionally lectures at the Business School of University College Dublin.
Recap...

Area of focus
  General Data Protection Regulation (GDPR): Protection of personal data (Article 8 of the EU Charter of Fundamental Rights)
  ePrivacy Regulation (ePR): Respect for private life and communications (Article 7 of the EU Charter of Fundamental Rights)

Current status
  GDPR: Has entered into force, and will soon be applied.
  ePR: Currently being negotiated.

Date of application
  GDPR: 25 May 2018
  ePR: 25 May 2018 (could be later - Austrian Presidency?)

Geographic impact
  GDPR: Global
  ePR: European Economic Area (may widen?)
“Personal data”
“any information relating to an identified or
identifiable natural person ('data subject'); an
identifiable natural person is one who can be
identified, directly or indirectly, in particular by
reference to an identifier such as a name, an
identification number, location data, an online
identifier or to one or more factors specific to the
physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person…”
-GDPR, Article 4
Directly identifiable:
  IP addresses, where ISP can identify the subscriber
  “Single customer view”
Indirectly identifiable:
  Netflix users’ TV & movies


“Behavioural” ad targeting
& “programmatic” trading.
What this jargon means is: automatic
auctions for the right people’s attention.
[Sequence diagram, built up over three slides: the programmatic supply chain between a Visitor and a Brand.
Actors, left to right: Visitor, Site, SSP, Ad Exchange, DSP, DMP, Brand; money ($) flows from the Brand. Site and SSP are labelled “Supply side”; DSP and DMP “Demand side”.
Messages, in the order drawn: store data; request segment; deliver segment; request page; serve page; ad request; cookie to SSP; ad request; request bid; deliver ad; sync; sync.]
How a behavioural ad is served (built up over a sequence of slides, using “The Daily Bugle” as the example site):

1. Page loads.
2. What ad should we show this user?
3. Send details of user to ad exchange(s) to solicit bids from advertisers.

The slides then add more and more parties: each Exchange passes the request on to several DSPs, DMPs sit behind the DSPs, further exchanges are added, and finally the ADVERTISEMENT appears on the page. Question marks are drawn against some of the DMPs and DSPs.

[Figure: “DATA LEAKAGE”. Steps as labelled in the figure:
Step 1. User requests webpage (website.com).
Step 2. Ad server selects an SSP.
Step 3. SSP selects an exchange.
Step 4. Exchange sends bid requests to hundreds of partners (DSPs and DMPs).
Step 5. Exchange lets some DMPs/DSPs refresh cookie sync.
Step 6. Exchange serves winning bid.
Step 7. DSP serves agency creative.
Step 8. Agency ad server loads verification vendor.
Step 9. Assets load from CDN.
Legend: Winning bid; Money; Personal data; Channel of data leakage; javascript.
Parties drawn: ad server, SSP, ad exchange, DSPs, DMPs, ADVERTISERS, agency ad server, verification vendor, CDN. “Supply side” / “Demand side”.]

GDPR requires a chain of accountability

“Controller” --Contract--> “Processor” --Contract--> “Processor” --Contract--> “Processor”

Contracts are required that determine the following:
• the nature of processing and its duration,
• the obligations of the “controller”,
• and a guarantee that the “processor” handles the data only as dictated by documented instructions from the controller.
Risk to BRANDS

Risk (brands)
1. Holding first-party personal data that are now non-compliant
2. Buying personal data (directly or indirectly identifiable) from other sources (via a BROKER) to augment profiles
3. Buying behavioural ads online, which currently requires the sharing of personal data with countless partners.
All potentially liable!

[Diagram: the same supply chain (Visitor, Site, SSP, Ad Exchange, DSP, DMP, Brand, $) with the Supervisory Authority and The Courts drawn above it.]

Multiple controllers and processors “involved in the same processing” can each be held liable for damages awarded in a case.
A person can complain to the regulator, and at the same time go to court. And can take the regulator to court for inaction.
CONSENT

Consent
• Consent can not be disruptive. Must be obtained freely, without detriment.
• Can not be buried in T&C. Must be specific and informed.

Must inform in more detail (while also being clearer), and obtain specific consent
• Who or what type of party is receiving the data
• What are the purposes of processing, and legal basis for that
• How long are the data stored (or what criteria determine duration)
• If giving that data is part of a contract, what are the consequences of not providing data
• If the data are being transferred to a third country, what safeguards or binding corporate rules are in place?
• In cases of automated decision-making, including profiling, what logic is applied and what is the significance of the outcomes.
EXAMPLE OF A GDPR CONSENT REQUEST
Scenario: a website requests consent to share data with a brand for product offers

Pop-up Dialog
  We would like to share your browsing habits on our site with Brand Name and their analytics partners, to understand what offers may be of interest to you.
  These data will be deleted after 6 months. You can withdraw permission at any time in My Data.
  Learn more?
  [No] [OK]

Callouts on the dialog (which element satisfies which provision):
• “Brand Name and their analytics partners”: details of recipients and categories of recipients; text links to contact details of the controller and their data protection officer. Article 13, para 1, a, b, and e.
• “to understand what offers may be of interest to you”: purpose of processing, and notification of profiling. Article 13, para 1, c, and para 2, f.
• “deleted after 6 months”: duration. Article 13, para 2, a.
• “withdraw permission at any time in My Data”: text links to tool for withdrawing consent. Article 7, paragraph 3.
• “Learn more?”: text links to tool to complain to supervisory authority, and to access, correct, and transfer data, etc. Article 13, para 2, b, c, and d.
• “No”: can say no. Recital 42.
Thinking of yourself as a visitor to websites, what would you select if shown this message?

Pop-up Dialog
  We would like to share your browsing habits on our site with Brand Name and their analytics partners, to understand what offers may be of interest to you.
  These data will be deleted after 6 months. You can withdraw permission at any time in My Data.
  Learn more?
  [No] [OK]

Audience responses: 79% and 21% (the slide shows the split between the two buttons).
Might GDPR consent requests look like this?

  Help us keep Example.com profitable
  Please allow your browsing habits on our sites to be shared with “Ad choices” [Consortium] and its participants.
  We will then be able to identify offers that are more interesting to you, and process business transactions with our partners. (Alternatively, we will use generic ads, which might be less interesting to you.)
  [duration]
  You can cancel at any time by clicking the icon on any ad.
  Learn more about your data.
  [No] [OK, 6 months] [OK, 12 months]
Might GDPR consent requests look like this? (the same dialog, with “i” information icons)

  Help us keep Example.com profitable
  Please allow your browsing habits on our sites to be shared with [Consortium] and its participants.
  We will then be able to identify offers that are more interesting to you, and process business transactions with our partners. (Alternatively, we will use generic ads, which might be less interesting to you.)
  You can cancel at any time by clicking the icon on any ad.
  Learn more about your data.
  [No] [OK, 6 months] [OK, 12 months]

Behind the “i” icons: Open ID [Consortium] participants; [Ad exchange]; [Ad exchange]; [DMP]; [DMP]; [DSP]; [DSP]; [Verification vendor]. Fragments of the annotation text visible on the slide: “Each [Ad exchange] … controller.” and “… categories of … processors.”
My Data screens (the control tool linked from the dialog):

My Data [Done]
  Ad targeting
    Browsing habits   OFF
    Ad networks       ON
    Social profile    ON
  Verification
  [This site] [All sites]

My Data [Back]
  Browsing habits
    Today
    Yesterday
    This week
    This month

My Data [Done] (with “?” help icons on each row)
  ? Ad targeting
  ? Browsing habits   OFF
  ? Ad networks       ON
  ? Social profile    ON
  ? Verification
  [This site] [All sites]

My Data [Done]
  ? Ad targeting
  ? Verification
  ? Verification service   ON
  ? Social profile         ON
  ? Commenting
  [This site] [All sites]
Do you believe that users will opt-in to tracking for the purposes of advertising?
(survey results, revealed one row per slide)

                                             No     Yes, if denied access to the site otherwise     Yes
1st party tracking on a website              13%    64%                                             23%
3rd party tracking on a website              46%    51%                                              3%
Tracking by any party, anywhere on the web   65%    32%                                              3%

Annotation on the “Yes, if denied access” column: Article 7(2) prohibits conditionality. Can not deny access.
Google and Facebook

GDPR scale (digital advertising)
5 - Needs “opt-in” consent, but is unable to communicate with users
4 - Needs “opt-in” consent, but user has little incentive to agree
3 - Needs “opt-in” consent, and may get it
2 - Can show an “opt-out” before using data
1 - Out of scope of Regulation if business is modified
0 - Already out of scope of the Regulation
GDPR scale: FACEBOOK
5 - Needs “opt-in” consent, but is unable to communicate with users
4 - Needs “opt-in” consent, but user has little incentive to agree
    • Facebook Audience Network
    • WhatsApp advertising (see assumption 1)
3 - Needs “opt-in” consent, and may get it
2 - Can show an “opt-out” before using data
    • NewsFeed ads (based only on personal data with no “special” personal data (e.g. ethnicity, political opinion, religious or philosophical beliefs, sexual orientation), unless marked “public” or visible to “friends of friends” (see assumptions 1 and 2)
    • Instagram ads (see assumption 1)
1 - Out of scope of the regulation, if business is modified.
0 - Already out of scope of the regulation.

Assumption 1. That the use of personal data to target advertising will be accepted as a “compatible” purpose with the original purpose for which personal data were shared by users, under GDPR Article 6, paragraph 4. GDPR Recital 61 says that if the further processing is compatible then the company must alert the data subject that it is using their data for this further purpose before it starts processing. GDPR Article 21, paragraph 2 and 3 say that the data subject must be alerted about their right to object to their data being used for direct marketing, and can do so at any time. GDPR Recital 70 says this alert should be presented clearly and separately from any other information. However, the Article 29 Working Party’s opinion on purpose limitation notes that among the various things that the compatibility assessment must consider are “the impact of the further processing on the data subjects”.
Assumption 2. GDPR Article 6, paragraph 4, c, indicates a higher bar for “special categories of personal data” that reveal race, ethnicity, political opinion, religious or philosophical beliefs, trade union membership, or related to a data subject’s sex life or sexual orientation. However, this does not apply if the data have been “manifestly made public by the data subject” (GDPR, Article 9, paragraph 2, (e)). This may mean that the publicity settings that a user places on their post will prevent or enable those posts to be mined for advertising.
Assumption 1. … the Article 29 Working Party’s opinion
on purpose limitation notes that among the various
things that the compatibility assessment must consider
are “the impact of the further processing on the data
subjects”.
Until this week, when we asked Facebook about it,
the world’s largest social network enabled advertisers
to direct their pitches to the news feeds of almost
2,300 people who expressed interest in the topics of
“Jew hater,” “How to burn jews,” or, “History of ‘why
jews ruin the world.’”
To test if these ad categories were real, we paid $30
to target those groups with three “promoted posts” —
in which a ProPublica article or post was displayed in
their news feeds. Facebook approved all three ads
within 15 minutes.
GDPR scale: GOOGLE
5 - Needs “opt-in” consent, but is unable to communicate with users
4 - Needs “opt-in” consent, but user has little incentive to agree
    (the slide lists the following items across rows 5 and 4)
    • Most personalized AdWords ads on Google properties including Search, Youtube, Maps, and the Google Network (including “remarketing”, “affinity audiences”, “in-market audiences”, “demographic targeting”, “similar audiences”, “Floodlight” cross-device tracking), “customer match”, “remarketing” (see assumption 1)
    • Gmail ads
    • Programmatic services (DoubleClick)
3 - Needs “opt-in” consent, and may get it
2 - Can show an “opt-out” before using data
    • Location targeting in Maps (see assumption 2)
1 - Out of scope of the regulation, if business is modified.
    • AdWords (if all personalized features are removed) on Google properties including Search, Youtube, Maps
0 - Already out of scope of the regulation.
    • “Placement-targeted” ads on Google properties.

Assumption 1. That the average user does not “sign in” to Google Search or Chrome. If, however, users did sign in then Google may be able to further process their data for other purposes.
Assumption 2. That the use of personal data to target advertising will be accepted as a “compatible” purpose with the original purpose for which personal data were shared by users, under GDPR Article 6, paragraph 4. GDPR Recital 61 says that if the further processing is compatible then the company must alert the data subject that it is using their data for this further purpose before it starts processing. GDPR Article 21, paragraph 2 and 3 say that the data subject must be alerted about their right to object to their data being used for direct marketing, and can do so at any time. GDPR Recital 70 says this alert should be presented clearly and separately from any other information. However, the Article 29 Working Party’s opinion on purpose limitation notes that among the various things that the compatibility assessment must consider are “the impact of the further processing on the data subjects”.
[Figure: the LUMAscape display-advertising landscape, MARKETER on the left, PUBLISHER and CONSUMER on the right. Categories: Agencies; Agency Trading Desks; DSPs; Exchanges; Ad Networks (Vertical / Custom, Targeted Networks/AMPs, Performance); Sharing Data / Social Tools; SSPs; Creative; Media Planning; DMPs and Data Aggregators; Publisher Tools; Optimization and Attribution; Tag Mgmt; Retargeting; Ad Servers; Measurement and Analytics; Data Suppliers; Verification / Privacy; Mobile; Media Mgmt Systems and Operations.]

GDPR AND THE LUMASCAPE

[Figure: the same landscape, each category coloured according to the risk legend.]

Risk Legend
• Needs consent, unlikely to get it
• Needs consent, may get it
• OK, if users have consented for “compatible” uses, and do not opt out when notified.
• Out of scope of Regulation if business is modified
• Already out of scope of the Regulation
Outlook for Publishers

[Diagram: PUBLISHERS, USERS, BRANDS]

Now: Agencies and adtech take 50% or more of brand spend. Publishers get what's left.

Outlook for Publishers

[Diagram: PUBLISHERS, USERS, BRANDS]

After 25 May: Publishers take control, and agencies and adtech must rely on them.
PLAN “A”:
SEEK CONSENT (AND END DATA LEAKAGE).

BUT... HOW CONFIDENT ARE YOU THAT PEOPLE WILL OPT-IN TO TRACKING FOR ADS?

                                                    Not at all   To a small degree   Moderately   Highly   Very highly
How confident are you that the average user
will click ‘OK’ to share data with other
companies?                                          32%          32%                 21%          12%      4%
How concerned are you about your online
behaviour being tracked?                            5%           7%                  21%          35%      32%
PLAN “B”:
INTEREST-BASED ADS
WITHOUT
PERSONAL DATA.
RELEVANT ADVERTISING &
MEASUREMENT OUTSIDE THE SCOPE
OF THE REGULATION
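The data-leakage figure shows step 4 broadcasting a bid request, cookie IDs and all, to hundreds of partners, and Plan B proposes relevant ads that carry no personal data. The Python below is an added example, not code from the slides or from PageFair: it takes a constructed, simplified bid request (the dotted field names loosely follow common RTB conventions and are not an exact schema), lists which fields are personal data in the GDPR Article 4 sense (IP address, cookie and device identifiers, DMP segments, precise location), and derives the contextual request a Plan B system would send instead, keeping only the page topic and the ad slot. The personal-data field list and the sample request are assumptions made for the illustration.

```python
"""Added example (not from the slides): personal data in a bid request, and the
contextual ("Plan B") request that remains after it is stripped out.

The request layout below is constructed for illustration; the dotted field names
loosely follow common RTB conventions but are not an exact schema."""
from copy import deepcopy

# Dotted paths that identify the visitor or their device, with the reason they
# count as personal data under GDPR Article 4(1) (online identifiers, location
# data, factors specific to the person).  Assumed list, not a legal catalogue.
PERSONAL_DATA_PATHS = {
    "user.id": "exchange-side cookie ID (online identifier)",
    "user.buyeruid": "DSP-side ID established by cookie sync (online identifier)",
    "user.data.segments": "DMP audience segments (profile of the person)",
    "device.ip": "IP address",
    "device.ifa": "mobile advertising identifier",
    "device.geo": "precise location",
}


def _get(obj, path):
    """Follow a dotted path through nested dicts; None if any step is missing."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def _delete(obj, path):
    """Remove the leaf at a dotted path, if present."""
    parts = path.split(".")
    for part in parts[:-1]:
        if not isinstance(obj, dict) or part not in obj:
            return
        obj = obj[part]
    if isinstance(obj, dict):
        obj.pop(parts[-1], None)


def _prune_empty(obj):
    """Drop containers left empty after deletion, so no hollow 'user' key remains."""
    if not isinstance(obj, dict):
        return obj
    cleaned = {k: _prune_empty(v) for k, v in obj.items()}
    return {k: v for k, v in cleaned.items() if v not in ({}, [], None)}


def personal_data_in(request):
    """Return {path: reason} for every personal-data field present and non-empty."""
    return {
        path: reason
        for path, reason in PERSONAL_DATA_PATHS.items()
        if _get(request, path) not in (None, "", [], {})
    }


def to_contextual(request):
    """Plan B: keep the page and slot context, drop everything about the person.

    The result carries no identifier a DSP or DMP could sync or profile against,
    so the bid request itself stops being a channel of data leakage."""
    out = deepcopy(request)
    for path in PERSONAL_DATA_PATHS:
        _delete(out, path)
    return _prune_empty(out)


# Constructed sample: roughly what step 4 of the figure sends to each partner.
SAMPLE_BID_REQUEST = {
    "id": "req-0001",
    "site": {"domain": "dailybugle.example", "page_topic": "sport/cycling"},
    "imp": [{"id": "1", "w": 300, "h": 250}],
    "device": {"ip": "203.0.113.7", "type": "desktop"},
    "user": {
        "id": "3a7e6b2f-cookie-id",
        "buyeruid": "dsp-9981",
        "data": {"segments": ["in-market:bikes", "age:25-34"]},
    },
}

if __name__ == "__main__":
    for path, reason in personal_data_in(SAMPLE_BID_REQUEST).items():
        print(f"{path:20s} {reason}")
    print("contextual request:", to_contextual(SAMPLE_BID_REQUEST))
```

Running the block prints the four personal-data fields of the sample (cookie ID, synced buyer ID, DMP segments, IP address) and then the contextual request, which keeps `site`, `imp` and the device type only; the original request is left untouched because the transform works on a deep copy.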
[Figure: the LUMAscape again, coloured with the extended risk legend:
• Needs “opt-in” consent, but is unable to ask
• Needs consent, unlikely to get it
• Needs consent, may get it
• OK, if users have consented for “compatible” uses, and do not opt out when notified.
• Out of scope of Regulation if business is modified
• Already out of scope of the Regulation]

[Figure: the landscape redrawn for Plan B, with the same risk legend. Compared with the figure above, two categories are added (Consumer Brand Loyalty Schemes; Data Protection Platform) and DMPs and Data Aggregators, Data Suppliers, Publisher Tools and Ad Servers appear in different positions; the remaining categories are unchanged.]
ePrivacy Regulation
tracking choices that must be shown at installation
based on the draft text proposed by the European Commission, January 2017

  Tracking Preferences
    Accept all cookies
    Accept only first party cookies
    Reject all cookies
  SELECT AN OPTION TO CONTINUE

Annotations: This is the list of options described in Recital 23, and required in Article 10. Article 10, para. 2, says that a user must select an option before installation can continue.

tracking choices that must be shown at installation
based on the text as amended by the European Parliament LIBE Committee’s Rapporteur’s draft report, June 2017

  Tracking Preferences
    Accept all tracking
    Accept only first party tracking
    Reject tracking unless strictly necessary for services I request
    Reject all tracking
  [OK]

Annotations: Amended Recital 23 makes rejection of third party trackers and cookies the default. The “strictly necessary” option is proposed in recital 23 as amended (but it seems redundant, since recital 21 says that consent is not required for “technical storage or access which is strictly necessary and proportionate for … the use of a specific service explicitly requested by the user”).

What will people click?

  Tracking Preferences
    Accept all tracking                                                5%
    Accept only first party tracking                                  20%
    Reject tracking unless strictly necessary for services I request  56%
    Reject all tracking                                               19%
  [OK]
(percentages as placed on the slide, read top to bottom)
NON-TRACKING COOKIES
Set-Cookie: count=1; Path=/
Set-Cookie: currency=DK; Path=/
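The two headers above carry small pieces of state (a counter, a currency code) rather than an identifier. The Python below is an added example, not from the slides or from PageFair, of how a privacy review can tell the two apart at the HTTP layer: it parses Set-Cookie headers into name, value and attributes, and classifies each cookie as non-tracking state, a session identifier, or tracking-capable (an identifier-like value that is also persistent through Max-Age or Expires). The identifier heuristic (value length and Shannon entropy thresholds) and the sample headers beyond the two from the slide are assumptions made for the illustration.

```python
"""Added example (not from the slides): classify Set-Cookie headers as
non-tracking state versus identifier-bearing (tracking-capable) cookies.

The length/entropy thresholds are assumed heuristics, tuned for hex or base64
identifiers; they are not a legal test."""
import math
from collections import Counter

IDENTIFIER_MIN_LEN = 16        # assumption: shorter values cannot carry a unique per-user ID
IDENTIFIER_MIN_ENTROPY = 3.0   # assumption: bits per character typical of random IDs


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and lower-cased attributes.

    RFC 6265 layout: the cookie-pair (name=value) comes first; attributes such as
    Path, Max-Age, Expires, Secure, HttpOnly and SameSite follow, separated by ';'."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    pair, *attr_parts = [p.strip() for p in header.split(";")]
    if "=" not in pair:
        raise ValueError(f"cookie-pair must be name=value, got {pair!r}")
    name, value = pair.split("=", 1)
    attrs = {}
    for part in attr_parts:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def shannon_entropy(text):
    """Bits per character; 0.0 for empty or single-symbol strings."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def looks_like_identifier(value):
    """True for values long and random enough to single out one visitor."""
    return len(value) >= IDENTIFIER_MIN_LEN and shannon_entropy(value) >= IDENTIFIER_MIN_ENTROPY


def is_persistent(attrs):
    """A cookie outlives the browser session if Max-Age or Expires is set."""
    return "max-age" in attrs or "expires" in attrs


def classify(header):
    """Return (cookie name, classification) for one Set-Cookie header."""
    cookie = parse_set_cookie(header)
    identifier = looks_like_identifier(cookie["value"])
    if identifier and is_persistent(cookie["attrs"]):
        kind = "tracking-capable"
    elif identifier:
        kind = "session-identifier"
    else:
        kind = "non-tracking state"
    return cookie["name"], kind


def audit(headers):
    """Classify a list of Set-Cookie headers, e.g. captured from one response."""
    return [classify(h) for h in headers]


# Constructed sample headers: the two non-tracking cookies from the slide plus
# three invented ones (the identifier value is a made-up hex string).
SAMPLE_HEADERS = [
    "Set-Cookie: count=1; Path=/",
    "Set-Cookie: currency=DK; Path=/",
    "Set-Cookie: uid=3f9c2b1e7a6d4c8b9e0f1a2b3c4d5e6f; Path=/; Max-Age=31536000; SameSite=Lax",
    "Set-Cookie: sess=3f9c2b1e7a6d4c8b9e0f1a2b3c4d5e6f; Path=/; HttpOnly; Secure",
    "Set-Cookie: theme=aaaaaaaaaaaaaaaaaaaaaaaa; Path=/; Max-Age=3600",
]

if __name__ == "__main__":
    for name, kind in audit(SAMPLE_HEADERS):
        print(f"{name:10s} {kind}")
```

The last sample is the edge case worth keeping in mind: a long value is not by itself an identifier, and a long low-entropy string with a year-long Max-Age still classifies as state. Conversely the same random value classifies differently depending on persistence, which is why the attributes are parsed rather than only the cookie-pair.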
Summary @johnnyryan

1. Much online ad tech exposes personal data to unwarranted parties.
2. The consenting audience will be tiny.
3. Using non-personal data is the answer.

johnny@pagefair.com
@johnnyryan
Sophie Kwasny

Sophie Kwasny is the Head of the Data Protection Unit of the Council of Europe and is responsible for standard-setting (notably the current modernisation exercise of Convention 108) and policy on data protection and privacy, including with regard to new technologies and the Internet. She is a graduate of the Strasbourg Law University and has been working for the Council of Europe for nearly 20 years on a variety of topics ranging from prisons’ reforms to medical insurance, or from the independence of the judiciary to nationality law.
Data Protection

The wider legal framework of the Council of Europe

Sophie Kwasny
ERA Summer course, Trier, 15 September 2017

Council of Europe ≠ EU

Conseil de l‘Europe
(Strasbourg - France)

Right to private life

Data protection

Data protection: an enabling right

ECHR
Article 1 – Obligation to respect human rights
Article 8 – Right to private life
Article 9 – Freedom of thought, conscience and religion
Article 10 – Freedom of expression
Article 11 – Freedom of assembly and association

Protecting the data?
Protecting the persons?

"Personal data" = any information relating to an identified or identifiable individual
Convention 108 (28/01/1981)

UNIQUE (no other international legally binding instrument in the field)

OPEN (any country in the world with a complying data protection legislation can request invitation to accede)

INFLUENTIAL (its principles = data protection principles taken up in all regions of the world)

Convention 108 today

currently 50 Parties (including Uruguay, Mauritius, Senegal)
Pending: Morocco, Tunisia, Cape Verde, Burkina-Faso, Argentina, Mexico

+ observers (USA, Canada, Australia, Korea, Indonesia, Japan and Philippines)

= TOTAL OF OVER 60 COUNTRIES

Convention 108 today

Based on ”Global Tables of Data Privacy Laws and Bills”, 5th Ed, compiled by Graham Greenleaf, Privacy Laws & Business International Report, February 2017
www.privacylaws.com/Publications/special_reports/

Convention 108
Definitions (personal data, processing…)
Scope (public and private sector)
Quality of data
Sensitive data
Security
Rights of data subjects
Exceptions
Transborder data flows
Supervisory authorities
Convention 108 Committee

Standard setting body (latest documents: Guidelines on Big Data, Opinion on data protection implications of PNR).

Open Forum of cooperation between 60 countries and non State actors.

Convention 108 - Modernisation

Current modernisation to:
• reinforce the individuals’ protection

Modernisation trends:
• promote as a universal standard
• preserve general, simple, flexible and pragmatic character
• ensure coherence with other relevant frameworks (EU, OECD, APEC)

Modernisation and the EU

May 2013 – mandate adopted by the Council
Decision authorising COM to negotiate on behalf of the EU and its member states:
• Negotiate the modernisation proposals
• Negotiate the conditions and modalities of accession of the EU to Convention 108 (see amending protocol of 1999)
Convention 108 modernised

• Preamble

• “protect every individual, whatever his or her nationality or residence with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular their right to privacy” (article 1)

Convention 108 modernised

• definitions (article 2)
• “data processing subject to its jurisdiction in the public and private sectors, thereby securing every individual’s right to protection of his or her personal data.
• 1bis. This Convention shall not apply to data processing carried out by an individual in the course of purely personal or household activities.” (article 3)

Convention 108 modernised

• Article 4 – Duties of the Parties

« 3. Each Party undertakes:
• a. to allow the Convention Committee provided for in Chapter V to evaluate the effectiveness of the measures it has taken in its law to give effect to the provisions of this Convention; and
• b. to contribute actively to this evaluation process. »

Convention 108 modernised

• Article 5 - legitimacy of data processing and quality of data

“… shall be proportionate in relation to the legitimate purpose pursued and reflect at all stages of the processing a fair balance between all interests concerned and the rights and freedoms at stake.”

Convention 108 modernised

• Article 5 - legitimacy of data processing and quality of data

“… on the basis of the free, specific, informed and unambiguous consent of the data subject or of some other legitimate basis laid down by law”.

Convention 108 modernised

• Sensitive data:
genetic data, biometric data uniquely identifying a person, “for the information they reveal” – only allowed where appropriate safeguards are enshrined in law, complementing those of the Convention.

Convention 108 modernised

• Security

obligation to notify, without delay, at least the competent supervisory authority, of those data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects.

Convention 108 modernised

• Transparency
obligation for the controller to provide a detailed list of information, as well as any necessary additional information in order to ensure fair and transparent processing.

Convention 108 modernised

Rights of the data subject
“... not to be subject to a decision significantly affecting him or her based solely on an automated processing of data without having his or her views taken into consideration”
“… to obtain, on request, knowledge of the reasoning underlying data processing where the results of such processing are applied to him or her”
Convention 108 modernised

Additional obligations
• “... take all appropriate measures to comply with the obligations of this Convention and be able to demonstrate … compliance”
• “examine the likely impact … prior to the commencement … and design the processing to prevent or minimise the risk”.
• “implement technical and organisational measures at all stages of the processing.”
• Adapt, according to …

Convention 108 modernised

Exception, provided for by law, respects the essence of the fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society for:
the protection of national security, defence, public safety, important economic and financial interests of the State, the impartiality and independence of the judiciary or the prevention, investigation and prosecution of criminal offences and the execution of criminal penalties, and other essential objectives of general public interest.

Convention 108 modernised

Exception: processing activities for national security and defence purposes
exceptions to Article 12.5 and 12.6 (transborder data flows) and Article 12bis.2 a, b, c and d (powers of the supervisory authorities).
This is without prejudice to the requirement that processing activities for national security and defence purposes are subject to independent and effective review and supervision.

Convention 108 modernised

Transborder dataflows
• [Limitation to free flow between Parties where bound by harmonised rules of protection shared by States belonging to a regional international organisation.]
• Means to secure an appropriate level of protection (ad hoc or approved standardised safeguards provided by legally binding instruments)
• Possibilities to transfer where consent, specific interests of the data subject, prevailing legitimate interests provided for by law and are necessary

Convention 108 modernised

• Supervisory authorities:
“shall co-operate with one another to the extent necessary for the performance of their duties and exercise of their powers, in particular by: co-ordinating their investigations or interventions, or conducting joint actions;”

Convention 108 modernised

• Convention Committee:
“e. shall prepare, before any new accession to the Convention, an opinion for the Committee of Ministers relating to the level of personal data protection… ;
h. shall review the implementation of this Convention by the Parties and recommend measures to take where a Party is not in compliance with this Convention;”

Convention 108 - Modernisation

Legal form of the instrument
Amending Protocol
Specific entry into force provisions

Convention 108 - Modernisation

Committee of Ministers
Group of Rapporteurs on Legal Co-operation (GR-J)
Consultation of the Parliamentary Assembly
Convention 108 and the EU

95/46 EU Directive

Preamble, Recital 11:

“Whereas the principles of the protection of the rights and freedoms of individuals, notably the right to privacy, which are contained in this Directive, give substance to and amplify those contained in the Council of Europe Convention”

Convention 108

Convention 108 and the EU

GDPR Recital 105

the Commission should take account of obligations arising from the third country's […] participation in multilateral or regional systems […]. In particular, the third country's accession to Convention 108 should be taken into account.

Convention 108 and the EU

Section 3.3.1 (page 11) second paragraph:
“In particular, the Commission encourages accession by third countries to Council of Europe Convention 108 and its additional Protocol. […]
It is currently in the process of being revised and the Commission will actively promote the swift adoption of the modernised text with a view to the EU becoming a Party. It will reflect the same principles as those enshrined in the new EU data protection rules and thus contribute to the convergence towards a set of high data protection standards.”
The European Court of Human Rights

Selected case law

Fact sheet on data protection
http://www.echr.coe.int/Documents/FS_Data_ENG.pdf

Some ground-breaking ECHR cases

Klass and Others v. Germany (1978)
Leander v. Sweden (1987)
Amann v. Switzerland (2000)
Von Hannover v. Germany
S. and Marper v. the UK (2008)
K.U. v. Finland (2008)
Zakharov v. Russia (2015)
Barbulescu v. Romania (2017)

CASE OF BĂRBULESCU v. ROMANIA (05/09/2017) – Grand Chamber

Barbulescu v. Romania

Dismissal of Mr Bărbulescu by his employer for having used the company’s Internet for personal purposes

The monitoring of an employee’s electronic communications amounted to a breach of his right to private life and correspondence (article 8)

Barbulescu v. Romania

• national courts had failed to determine whether Mr Bărbulescu had received prior notice from his employer of the possibility that his communications might be monitored;
• nor had they had regard either to the fact that he had not been informed of the nature or the extent of the monitoring, or the degree of intrusion into his private life and correspondence.

Barbulescu v. Romania
In addition, the national courts had failed to determine:
• firstly, the specific reasons justifying the introduction of the monitoring measures;
• secondly, whether the employer could have used measures entailing less intrusion into Mr Bărbulescu’s private life and correspondence;
• and thirdly, whether the communications might have been accessed without his knowledge.

Barbulescu v. Romania (2016, 4th Section)

No violation of Article 8

Partly dissenting Opinion of Judge Pinto de Albuquerque
Link with the standard-setting activities

Recommendation (2015)5

Recommendation 2015(5) on the processing of personal data in the context of employment

Recommendation (2015)5

I - General principles
(scope, definitions, collection, internal use, communication, sensitive data, transparency, rights of data subjects, security of data, preservation of data)

Recommendation (2015)5

II – Particular forms of processing
- Internet and electronic communications
- Monitoring of employees
- Geolocation
- Internal reporting
- Biometric data
- Psychological tests
- Risk analysis
- Additional safeguards

Recent achievements of the Committee

Guidelines on big data (2017)
Opinion on Passenger Name Records

Current work of the Committee

Practical Guide on the use of data by police
Revision of the 1997 Recommendation on Medical data
Health-related data
Work programme 2018-2019

Thank you for your attention

www.coe.int/dataprotection
dataprotection@coe.int
