SUMMER COURSE
ON EUROPEAN DATA PROTECTION
LAW
417B02
Trier, 11 – 15 September 2017
Speakers’ contributions
Ralf Bendrath
CV
What’s new with the GDPR? Assessing key legal features
CV
The GDPR in its EU legislative context: focus on the proposed e-Privacy Regulation
Dan Shefet
CV
The GDPR: advancing citizens’ digital rights? Focus on remedies
PARALLEL SESSIONS: PRACTICAL WORKSHOPS
(I) The right to be forgotten
Hielke Hijmans
CV
PARALLEL SESSIONS: PRACTICAL WORKSHOPS
(II) The right not to be subject to Automated Decision Making
The public governance framework
Article
Georgia Skouma
CV
The private governance framework: how to design a corporate compliance strategy on
personal data protection?
PRACTICAL WORKSHOP III: How to build a Data Protection Impact Assessment (DPIA)?
Case Study 1
Case Study 2
Daniel Drewer
CV
The role of the Data Protection Officer (DPO): status, tasks and challenges – an insider
Perspective
PRACTICAL WORKSHOP IV: The role of the DPO in practice – a simulation exercise
Article
Julien Debussche
CV
Big data analytics, Cloud computing, The Internet of Things (IoT) and Artificial
Intelligence (AI)
Copyright ©
ERA Trier
SUMMER COURSE ON ALTERNATIVE DISPUTE RESOLUTION
417B02
Trier, 11 – 15 September 2017
CV
The EU toolkit for international transfers (I)
The EU toolkit for international transfers (II)
PARALLEL SESSIONS: PRACTICAL WORKSHOPS
(V) Case study with a focus on international data transfers for commercial purposes
CV
Data retention and mass surveillance in international and EU context
PARALLEL SESSIONS: PRACTICAL WORKSHOPS
(VI) Case study with a focus on international data transfers involving law enforcement
authorities
Johnny Ryan
CV
GDPR consent and online media and advertising
Sophie Kwasny
CV
The wider legal framework of the Council of Europe
Ralf Bendrath
Ralf Bendrath hacked the Commodore C-64 in the eighties, studied security policy
and information warfare in the nineties, and has been researching various aspects
of internet privacy in the 2000s. A graduate in political science from the Free
University of Berlin, he also worked at the University of Bremen, Columbia
University, George Washington University and Technical University of Delft before
moving on to Brussels. Since 2009 he has been policy advisor for Jan Philipp
Albrecht, Member of the European Parliament. Since 2012 he is Albrecht's senior
policy advisor and has worked mainly on the data protection reform since then.
Ralf Bendrath was a civil society member of the German delegation to the UN
World Summits on the Information Society in 2003 and 2005 and has coordinated
the related civil society activities on privacy and security. He is a member of the
advisory board of Privacy International.
What’s new with the GDPR?
Assessing key (legal) features
Ralf Bendrath
senior policy advisor to
Jan Philipp Albrecht
Member of the European Parliament
Rapporteur for the
General Data Protection Regulation
The EU‘s data protection reform
Why #EUdataP?
– Update of 1995 rules
– Digital Single Market
– Closing loopholes
– Stricter and harmonised enforcement
– Trust and legal certainty
– Setting and exporting an EU standard
EU Primary Law
Article 16 TFEU
– Civil Liberties, Justice & Home Affairs Committee
– Justice & Home Affairs Council
ralf.bendrath@europarl.europa.eu
@bendrath
@janalbrecht
#EUdataP
Frederik Zuiderveen Borgesius
Bio Frederik Zuiderveen Borgesius
He obtained his Research Master’s degree in Information Law at IViR, and studied
for one semester at Hong Kong University. During his Master’s, he worked at SOLV
Attorneys, a law firm dedicated to technology, media and communications. He also
spent a semester at New York University for research.
His book ‘Improving Privacy Protection in the Area of Behavioural Targeting’ was
published in 2015. He is a member of the editorial committee of the European Data
Protection Law Review, of the Dutch journal Computerrecht, and of the Meijers
Committee, an independent group of experts in the field of European criminal,
migration, refugee, privacy, non-discrimination and constitutional law. Currently,
Frederik is working on the interdisciplinary Personalised Communication project, a
joint initiative of the Institute for Information Law and the Amsterdam School of
Communication Research (ASCoR). In 2017, he wrote a report on the European
Commission’s proposal for an ePrivacy Regulation for the European Parliament.
On 1 January 2018 Frederik starts a 2-year Marie Curie fellowship at the LSTS
interdisciplinary Research Group on Law Science Technology & Society, of the VUB
Free University Brussels. He will focus on machine learning and automated
profiling, and the risks of unfair and illegal discrimination in that context.
www.ivir.nl/employee/zuiderveen-borgesius
https://twitter.com/FBorgesius
***
Dr. Frederik Zuiderveen Borgesius
2017/0003 (COD)
Proposal for a
concerning the respect for private life and the protection of personal data in electronic
communications and repealing Directive 2002/58/EC (Regulation on Privacy and
Electronic Communications)
{SWD(2017) 3 final}
{SWD(2017) 4 final}
{SWD(2017) 5 final}
{SWD(2017) 6 final}
ePrivacy Regulation
- Communications confidentiality
- Traffic & location data (metadata)
- Spam
- Cookies, tracking, etc.
- Protecting user device
ePrivacy Regulation: main novelties
Outside scope:
Gmail, WhatsApp, Skype…
ePrivacy Regulation: wider scope
- Within scope:
Gmail, WhatsApp, Skype, Facebook chat…
wholly or mainly of the conveyance of signals, and (iii) interpersonal communications
services. There are two types of ‘interpersonal communications’: (iii(a)) number-based, and
(iii(b)) number-independent. These types of service may partly overlap.144
The illustration below may clarify the structure of the definition of ‘electronic communications
service’:
Electronic communications service
- Internet access
- Conveyance of signals
- Interpersonal communications
  - Number-based
  - Number-independent
Art 4(1)(b) ePrivacy proposal & art 2(4) EU Electronic Communications Code
+ exceptions
Art 8 web tracking & protecting devices
No consent:
No access
Tracking walls / take-it-or-leave-it choices
Suggestion:
• Privacy-friendly default settings
• Require firms to comply with Do Not Track?
Location tracking, wi-fi etc.
Art 8: allowed if firm hangs up poster:
‘Turn off wi-fi to stop being tracked’
Electronic communications data
- Electronic communications content
- Electronic communications metadata
Communications confidentiality (art 5)
‘Any interference with electronic communications
data, such as by.. storing, monitoring, scanning or
other kinds of interception, surveillance or
processing of electronic communications data,
by persons other than the end-users,
shall be prohibited,
except when permitted by this Regulation.’
Communications confidentiality
Art 5 Prohibition of interception and surveillance
An assessment of the Commission’s proposal on Privacy and Electronic Communications
Art 6 Exceptions
We recommend that the EU lawmaker keeps in mind that the ePrivacy proposal
does not only apply to typical communication services such as email, phone, Skype,
and WhatsApp, but also applies to machine-to-machine communications.186 For
instance, a computer might automatically send a security update to another computer. And
metering equipment or sensors might regularly communicate with a central data storage
facility.
We also recommend that the EU lawmaker clarifies whether the data exchanged
Communications confidentiality
Surveillance prohibition (art 5), unless (art 6)
(i) user’s consent, or
(ii) exception (billing etc.)
@Fborgesius
Dan Shefet
French lawyer born in Denmark, Dan Shefet holds a Philosophy Degree and a Law
Degree from the University of Copenhagen. Specialized in European Law, Competition
Law as well as Human Rights in general and in the IT environment in particular, he
participates in conferences in academic venues on IT Law, Data Privacy and Human
Rights on the internet.
GDPR Article 16
Right to rectification
The data subject shall have the right to obtain from the
controller without undue delay the rectification of inaccurate
personal data concerning him or her. Taking into account the
purposes of the processing, the data subject shall have the right
to have incomplete personal data completed, including by
means of providing a supplementary statement.
GDPR Article 17
Right to erasure (‘right to be
forgotten’)
1. The data subject shall have the right to obtain from the controller
the erasure of personal data concerning him or her without undue
delay and the controller shall have the obligation to erase personal
data without undue delay where one of the following grounds
applies:
(a) the personal data are no longer necessary in relation to the
purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent (…)
(c) the data subject objects (…)and there are no overriding
legitimate grounds for the processing (…)
(d) the personal data have been unlawfully processed;
GDPR Article 22
Automated individual decision-
making, including profiling
GDPR Article 34
Communication of a personal data
breach to the data subject
PROCEDURE / REMEDIES
ARTICLE 79
• Administrative / Judicial
Reg. 1215/2012
”An establishment”
Suspensive effect
Choice of venue (recital 147)
ARTICLE 82
• Solidarity
• Controller
• Processor
• Unregulated remedies
• Google Request Procedure
• Online Dispute Resolution
CASES
• Fiona Shevill (C-68/93, 7 March 1995)
• E-date and Martinez (C-509/09 and C-161/90, 25 November
2011)
• Concurrence Sàrl v Samsung Electronics France SAS and
Amazon Services Europe Sàrl (ECJ, 21 December 2016, French
Supreme Court, 5 July 2017, Case No. 14 – 16.737)
JURISDICTION
• The problem
• Targeted jurisdiction
• Focused jurisdiction
• Territoriality
• Regulatory
• Adjudicatory
• Enforcement
• Geo-blocking
CASES
• Yahoo
• CNIL v. Google
• Pipeda
• Equustek
• Hegglin
• Raphael (Forum Shopping)
• Lotus
• Die Grünen v. Facebook Ireland Limited (Appellate Court; May
5, 2017; 5 R 5/17t)
Hielke Hijmans
Dr Hielke Hijmans works as independent legal advisor and researcher in the domains of
fundamental rights, EU law, privacy and data protection. He is based in Brussels.
His clients include the Centre for Information Policy Leadership (CIPL, a global think tank
based in Washington DC, London and Brussels), Considerati (a consultancy based in
Amsterdam), the Brussels Privacy Hub and the University of Luxembourg. He is member of
the Meijers Committee, an independent group of experts that researches and advises on
European criminal, migration, refugee, privacy, non-discrimination and constitutional law.
Until 1 October 2016, Hielke served for 12 years at the EDPS, e.g. as Head of Unit Policy &
Consultations. Before, he worked at the CJEU in Luxembourg and at the Ministry of Justice
in The Hague. He holds a double doctorate in law at the Vrije Universiteit Brussels and the
University of Amsterdam. He is the author of: “The European Union as Guardian of Internet
Privacy, The Story of Art 16 TFEU” (Springer International Publishing 2016).
He publishes on a wide range of issues in relation to the General Data Protection Regulation,
with a focus on governance and the role of independent data protection authorities and on
ethics.
Hielke Hijmans
ARTICLE 22 GDPR
Right not to be subject to automated individual decision-making
CASE:
A bank offers an online service for a loan. Individuals can apply and
the application is approved or refused on the basis of an Automated
Credit Scoring.
QUESTIONS:
The group will be split up in three different subgroups that each will
have to prepare a 10 min presentation, looking at the questions from
different perspectives:
- A bank/insurance company.
- A consumers organisation.
- A data protection authority.
Timing:
- Start: 15.00-15.05
- Intro of case (HH): 15.00-15.15
- Preparation in subgroups: 15.15-16.10
- Presentation by subgroups: 16.10-16.40
- Debrief (HH): 16.40-17.00
[..]
Article 22
Automated individual decision-making, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on
automated processing, including profiling, which produces legal effects concerning him or
her or similarly significantly affects him or her.
2. Paragraph 1 shall not apply if the decision:
(a) is necessary for entering into, or performance of, a contract between the data subject and a
data controller;
(b) is authorised by Union or Member State law to which the controller is subject and which
also lays down suitable measures to safeguard the data subject's rights and freedoms and
legitimate interests; or
(c) is based on the data subject's explicit consent.
3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall
implement suitable measures to safeguard the data subject's rights and freedoms and
legitimate interests, at least the right to obtain human intervention on the part of the
controller, to express his or her point of view and to contest the decision.
4. Decisions referred to in paragraph 2 shall not be based on special categories of personal
data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable
measures to safeguard the data subject's rights and freedoms and legitimate interests are in
place.
Relevant Recitals
(70) Where personal data are processed for the purposes of direct marketing, the data subject
should have the right to object to such processing, including profiling to the extent that it
is related to such direct marketing, whether with regard to initial or further processing, at
any time and free of charge. That right should be explicitly brought to the attention of the
data subject and presented clearly and separately from any other information.
(71) The data subject should have the right not to be subject to a decision, which may include
a measure, evaluating personal aspects relating to him or her which is based solely on
automated processing and which produces legal effects concerning him or her or
similarly significantly affects him or her, such as automatic refusal of an online credit
application or e-recruiting practices without any human intervention. Such processing
includes ‘profiling’ that consists of any form of automated processing of personal data
evaluating the personal aspects relating to a natural person, in particular to analyse or
predict aspects concerning the data subject's performance at work, economic situation,
health, personal preferences or interests, reliability or behaviour, location or movements,
where it produces legal effects concerning him or her or similarly significantly affects
him or her. However, decision-making based on such processing, including profiling,
should be allowed where expressly authorised by Union or Member State law to which
the controller is subject, including for fraud and tax-evasion monitoring and prevention
purposes conducted in accordance with the regulations, standards and recommendations
of Union institutions or national oversight bodies and to ensure the security and
reliability of a service provided by the controller, or necessary for the entering or
performance of a contract between the data subject and a controller, or when the data
subject has given his or her explicit consent. In any case, such processing should be
subject to suitable safeguards, which should include specific information to the data
subject and the right to obtain human intervention, to express his or her point of view, to
obtain an explanation of the decision reached after such assessment and to challenge the
decision. Such measure should not concern a child.
In order to ensure fair and transparent processing in respect of the data subject, taking
into account the specific circumstances and context in which the personal data are
processed, the controller should use appropriate mathematical or statistical procedures for
the profiling, implement technical and organisational measures appropriate to ensure, in
particular, that factors which result in inaccuracies in personal data are corrected and the
risk of errors is minimised, secure personal data in a manner that takes account of the
potential risks involved for the interests and rights of the data subject and that prevents,
inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin,
political opinion, religion or beliefs, trade union membership, genetic or health status or
sexual orientation, or that result in measures having such an effect. Automated decision-
making and profiling based on special categories of personal data should be allowed only
under specific conditions.
(72) Profiling is subject to the rules of this Regulation governing the processing of personal
data, such as the legal grounds for processing or data protection principles. The European
Data Protection Board established by this Regulation (the ‘Board’) should be able to
issue guidance in that context.
Article 14
Information to be provided where personal data have not been obtained from the data
subject
1. Where personal data have not been obtained from the data subject, the controller shall
provide the data subject with the following information: [..]
2. In addition to the information referred to in paragraph 1, the controller shall, at the
time when personal data are obtained, provide the data subject with the following
further information necessary to ensure fair and transparent processing: […]
g. the existence of automated decision-making, including profiling, referred to
in Article 22(1) and (4) and, at least in those cases, meaningful information
about the logic involved, as well as the significance and the envisaged
consequences of such processing for the data subject.
NB: The same information must be provided where personal data are collected from the
data subject (Art 13). The right of access by the data subject also applies to this type of
information (Art 12).
ABSTRACT FROM
1. Introduction
One of the most enigmatic, intriguing and forward-looking rights provided by European
Union (EU) law on the protection of personal data is a qualified right for a person not to be
subject to automated decisions based on profiling.
In general, profiling denotes the process of (i) inferring a set of characteristics about an
individual person or collective entity (i.e., the process of creating a profile), and/or (ii)
treating that person or entity (or other persons/entities) in light of these characteristics
(i.e., the process of applying a profile).
The above-mentioned right primarily affects the latter facet of profiling. It has the potential
to curtail the increasingly widespread use by businesses and government agencies of
automated methods for categorising, assessing and discriminating between persons. These
methods are instituted for a variety of ends, such as enhancing the impact of advertising,
screening applicants for jobs or bank loans, and creating differentiated pricing for services.
Examples include online behavioural advertising, e-recruiting, and weblining.
Over the last two decades, the right under EU law not to be subject to automated decisions
based on profiling has chiefly inhered in Art. 15(1) of the 1995 Directive on data protection
(Data Protection Directive or DPD). [..], it is a complex right in its formulation. It is also, in
some ways, a second-class data protection right: it is rarely enforced, poorly understood
and easily circumvented. Its marginality is remarkable given that we live in an era when
decision making is increasingly the result of computer algorithms fed by ‘Big Data’ analytics.
The Data Protection Directive will soon be replaced by the General Data Protection
Regulation (GDPR), which shall apply from 25 May 2018. Article 22 of the GDPR […]
replicates the right in DPD Art. 15(1), but with some changes. These changes raise several
questions. […]
04.09.2017
Public Governance of Data
Protection in the EU
Dr Hielke HIJMANS
Summer Course ERA on Data Protection
Trier, 13 September 2016
Dr Hielke HIJMANS
Summer Course ERA on Data Protection
Trier, 12 September 2017
STARTING POINTS FOR DATA PROTECTION
GOVERNANCE
General characteristics of the system:
• A shared responsibility between the EU and the Member States: executive
federalism.
• One law (GDPR) and harmonised interpretation and application (with exceptions).
• Heavy reliance on public enforcement with independent authorities.
Distinction of four tasks in EU data protection:
• Law making (GDPR, DPD and other instruments).
• Guidance/Interpretation of the law.
• Application and enforcement of the law (TFEU and Charter use term “control”).
• Judicial control.
One law for EU, but ….
Relying on public bodies
• The EU legislature: law making.
• Member States legislatures:
• Implementation GDPR; use discretionary powers
• Transposition Directive 2016/680.
• National data protection authorities and European Data Protection Supervisor: “control”.
• Concept of “Lead DPA”.
• Article 29 Working Party: interpretation.
• European Data Protection Board: control and interpretation.
• National courts and EU Court of Justice: judicial control.
• The Commission: law making, interpretation, but no control/enforcement in individual
cases.
• Not to forget: Controllers, processors and data protection officers. They are the
accountable actors that should make system work.
Legislation
• Art 16 TFEU: An assignment for EP and Council to adopt the rules.
Ordinary legal procedure (PM Art 39 TEU).
• GDPR (Reg 2016/679) and Directive for police/justice (Dir 2016/680):
Key instruments from May 2018 on.
• In pipeline: new ePrivacy Regulation; Instrument for EU Institutions.
• International agreements (ex Art 216 and 218 TFEU).
• “Adequacy” and EU‐US Privacy Shield.
Independent Public Bodies: DPAs
• Art 8 (3) Charter and Art 16 (2) TFEU: Constitutional status, “control
as essential component data protection”.
• Case law strengthening/confirming role: Infringement cases (DE, AU,
HU), Schrems.
• GDPR specifying wide range of tasks and powers (Art 57‐58).
• More than control stricto sensu.
• Cooperation as essential element of control (although not laid down
at Treaty level).
Variety of DPA roles
• Article 57 GDPR: Supervision, advice and awareness raising.
• Leader / advisor: Consultants, Educators, Policy advisors, Negotiators
• Policeman / enforcer: Enforcement of the Law; Use of “hard powers”.
• Complaint handler: Redress for Individual, “Ombudsman”.
• Authoriser: Where Prior Authorisation is Needed. EX: BCRs, Codes of
Conduct and Certification, Prior Consultation for DPIAs.
• SOURCE: CIPL
Complete Independence
• Different to most other EU/National Agencies.
• COM/GER, COM/AUS, COM/HUN: No external influence, not bound
by “guidance” of governments.
• Organisational: distance to executive.
• Appointment procedure critical factor.
• Schrems (63), examine claims with due diligence.
• Weltimmo: use of investigative powers, even if law of another
Member State is applicable.
• However, COM/GER: “Not free from any parliamentary influence”.
Effectiveness
• 26 Effective powers distinguished in Art 58 GDPR.
• High sanctioning powers (Art 83): Up to 20 mln Euros and 4%
Worldwide Turnover.
• Resources remain a problem.
• Proximity and effectiveness.
• DPAs free to set own agenda, but how about effective dealing with
complaints? Schrems; “Due diligence”.
Due diligence
EDPS
• The DPA for the European institutions
• Three tasks:
• Supervision, Consultation, Cooperation
• Not expected to change after 25 May 2018
• Supervising the public sector; not an EU Agency
• Advice on all EU legislation and policies
• Cooperation on equal footing with national DPAs
• Under GDPR: provide EDPB Secretariat.
• Its own Legislative Framework, but brought in line with GDPR.
Art 29 Working Party
• WILL BE REPLACED BY EDPB
• Consists of national DPAs, EDPS and European Commission
• The voice of the EU data protection community
• Strictly advisory, no enforcement
• Informal harmonisation through explanations main data protection
concepts
• Informal forum for enforcement cooperation (Google, Facebook).
• Preparation EDPB
EDPB
• Successor of WP29:
• Advisory tasks, emphasis on guidelines
• Codes of conduct, certification.
• The novelty: A consistency mechanism: An additional layer of
coordination (Artt 63‐66).
• Consistent application through opinions EDPB.
• In specific situations compulsory.
• Normal rule however: on voluntary initiative of a DPA.
• Binding dispute resolution by the EDPB.
EDPB as an EU Body
• EDPB (Artt 68‐76).
• New EU body with legal personality.
• Functionally separate, but organisationally integrated in EDPS.
• “Chinese walls”.
• Commission is not member; has right to participate.
• Strong role Chair.
• Independence, comparable to independence DPAs.
• Tasks and duties, comparable to DPAs.
• THANK YOU
• Hielke.hijmans@gmail.com
The DPAs and their cooperation: how far are we in making
enforcement of data protection law more European?
Hielke Hijmans1
1. Introduction
Regulation (EU) 2016/679, better known as the General Data Protection Regulation
(“GDPR”),2 has the intention of making the enforcement of EU data protection law by
independent data protection authorities (“DPAs”), first, stronger and, second, more European.
This paper focuses on the second development: as a result of the GDPR, the enforcement by
the DPAs is becoming more European.3 This is a significant change compared to the present
structure of enforcement of EU data protection law by the national DPAs, with limited
coordination.
The GDPR does not create a system of European supervision, not even for the big internet
companies operating on a pan European or global scale. As will be explained below, the
provisions in the GDPR on DPA cooperation, on the one hand, envisage ensuring a level
playing field in the EU and, on the other hand, respect the general feature of the EU as a
mechanism of executive federalism4, where enforcement of EU law is a task of the Member
States. This dual purpose is reflected in the consistency mechanism5, which is set up more as
a mechanism for conflict solving than for proper harmonisation or consistent application of
EU law.
This paper shows that it is not easy to reconcile the purpose of creating a level playing field
with the respect of powers of national authorities. It takes the perspective that the existing
divergences in EU data protection enforcement of the Member States are not helpful to
1 The author works from 1 October 2016 on as an independent consultant and researcher in the areas of EU law and data protection. On a part-time basis, he is senior policy advisor of the Centre for Information Policy Leadership. He thanks Herke Kranenborg and the independent reviewer for their comments on an earlier draft.
2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119/1.
3 The Europeanisation of EU data protection law, but not specifically dealing with DPA cooperation, is also a main theme of Orla Lynskey, The Foundations of EU Data Protection Law, Oxford University Press 2015.
4 Koen Lenaerts and Piet van Nuffel, European Union Law, Third edition, Sweet & Maxwell 2010, at 17-002.
5 Articles 63-66 GDPR; see Section 5 below.
guarantee a high level of control,6 as intended by Article 8 (3) of the EU Charter of
Fundamental Rights (“Charter”) and Article 16 (2) TFEU. According to these provisions,
compliance with the rules on data protection shall be subject to the control of independent
authorities. The Court of Justice regards the control as an essential element of data
protection.7
This paper discusses the weakness of the present system and the GDPR (section 2), the
increasing European dimension of the DPAs' task (section 3), the one stop shop mechanism
and the cooperation with the lead DPA (section 4) and the consistency mechanism and the
European Data Protection Board (“EDPB”) (section 5). Section 6 contains conclusions.
The article builds on the doctorate thesis of the author, entitled: "The European Union as a
constitutional guardian of internet privacy and data protection: the story of Article 16
TFEU."8
The GDPR must remedy the situation where European citizens are dependent on the
protection by the DPA of the Member State where a controller has its establishment in the
EU. Presently, Article 4(1)(a) of Directive 95/469 provides that the applicable law is the law
of the Member State where the processing of personal data is carried out in the context of an
establishment of the data controller.10 In order to qualify as an establishment, there must be
an effective and real exercise of an activity through stable arrangements, meaning that virtual
6 Control by DPAs comprises in any event enforcement of the law, in the event of breaches, and also includes other instruments DPAs use to promote compliance. In this paper focusing on enforcement, the concept of control is not further elaborated.
7 Case C-518/07, Commission v Germany, EU:C:2010:125, at 23.
8 On-line version is available on http://hdl.handle.net/11245/1.511969. An updated and slightly modified version is published by Springer International Publishing as: Hielke Hijmans, The European Union as Guardian of Internet Privacy, ISBN 978-3-319-34089-0.
9 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281/31 (“Directive 95/46”).
10 See on Article 4(1)(a) also Paul de Hert and Michal Czerniawski, Expanding the European data protection scope beyond territory: Article 3 of the General Data Protection Regulation in its wider context, International Data Privacy Law 2016 (published online).
presence in a Member State is not enough.11 Article 28(6) of the Directive determines that a
DPA is competent to exercise powers within the territory of its own Member State.12
This establishment will in many cases not coincide and sometimes even be far away from the
country where an individual, who is affected by a data processing operation, has his or her
residence. Moreover, a company can, presently, also choose its main European establishment
in a country with a perceived low level of control by a DPA. This phenomenon of forum
shopping13 by a controller may prejudice the effectiveness of the EU system of data
protection.
These characteristics make the present legal system only as strong as its weakest link. The
example often mentioned in this context is Ireland. As McLaughlin observes, the presence of
the European headquarters of a number of multinational tech companies in Ireland 14 requires
a world class data protection regime.15 She describes an action by Digital Rights Ireland
challenging the independence of the Irish Data Protection Commissioner before the Irish
judiciary, casting doubts over the quality of the data protection regime in that Member State.
The Schrems-case is the main illustration of the dependency of EU citizens on a DPA in the
country where a controller has its EU establishment.16 The Austrian student Schrems, living
in Austria, had to make his claim concerning the processing of his personal data before the
Irish DPA. This DPA subsequently did not act, requiring Mr. Schrems to pursue his case
before an Irish Court. The case was - by way of preliminary questions of the Irish High Court
- brought before the EU Court of Justice, which ruled that it is incumbent upon a national
DPA to examine claims by individuals with “all due diligence”.17
By the way, these observations must not be seen as criticizing the effectiveness of data
protection provided in Ireland as such. On the contrary, the proactive approach of civil
society in that country resulted in another landmark case of the Court of Justice (Digital
11 Recital 19 of the Directive. See also Case C-230/14, Weltimmo, EU:C:2015:639, and Dan Jerker B. Svantesson, The CJEU’S Weltimmo Data Privacy Ruling, Maastricht Journal of European and Comparative Law, 23 MJ 2 (2016).
12 The interpretation of Articles 4(1)(a) and Article 28(6) of Directive 95/46 is at stake in the pending Case C-210/16, Wirtschaftsakademie Schleswig-Holstein.
13 As described by E. Chiti, An important part of the EU’s institutional machinery: Features, problems and perspectives of European agencies, CMLR 46 (2009), pp. 1395–1442, at 1412.
14 Which includes Google, Facebook, LinkedIn and Twitter.
15 Sharon McLaughlin, Ireland - Independence of Data Protection Commissioner Challenged by Digital Rights Ireland, EDPL Volume 2 (2016), Issue 1, at 114-116.
16 Case C-362/14, Schrems, EU:C:2015:650.
17 Case C-362/14, Schrems, EU:C:2015:650, at 63.
Rights Ireland and Seitlinger)18, which was – equally to the Schrems-case – instigated by the
Irish High Court. The preliminary questions of the Irish High Court in both cases made it
possible for the Court of Justice to deliver important judgements, also covering the tasks of
the DPAs19 under Directive 95/46.
The GDPR should also be to the benefit of economic actors and contribute to the digital
single market. With a one stop shop and a consistency mechanism, EU wide operating
providers of services and goods will have one DPA as interlocutor and will be confronted
with decisions on processing operations having effect in the territory of the entire Union.
They will no longer be confronted with divergent decisions in the different Member States.
The different ways in which EU DPAs dealt with Facebook’s privacy settings illustrate the
shortcomings of the present system quite well.20
Article 16 TFEU and Article 8 Charter provide, on the level of the EU Treaties, that everyone
has a right to data protection under EU law. Article 16 TFEU also provides that the EU
legislator must lay down the rules on data protection, whereas Article 8 Charter contains the
main elements of this right.
Moreover, and most relevant for this paper, both articles lay down the task of ensuring
control of the protection of the fundamental rights of privacy and data protection by the
DPAs at the level of primary EU law.
The DPAs are mostly national public authorities, established under national law.21 However,
the tasks of the DPAs are not strictly confined to the national jurisdictions, nor are their
duties and powers solely defined under national law.
Under the GDPR, the European dimensions of the role of DPAs increase. EU law will set the
standards for their establishment and functioning,22 and the cooperation mechanisms of DPAs
(e.g., within the framework of the EDPB) will also deal with enforcement of data protection
18 Joined cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and Seitlinger (C-594/12).
19 See also Joined cases C-293/12 and C-594/12, Digital Rights Ireland (C-293/12) and Seitlinger (C-594/12), at 68.
20 See section 4 below and David Barnard-Wills & David Wright, Deliverable 1 – “Co-ordination and co-operation between Data Protection Authorities”, www.phaedra-project.eu, at 39-44.
21 G. González Fuster, The Emergence of Personal Data Protection as a Fundamental Right of the EU, Law, Governance and Technology Series 16, 2014, Chapter 3.
22 See the detailed provisions on DPAs in Chapter VI of the GDPR.
rules.23 Under current law, the main cooperation mechanism of DPAs - the Article 29
Working Party - only has an advisory role.
Moreover, the DPAs' task includes the obligation to contribute to a harmonised and effective
level of data protection within the wider territory of Union. This is particularly important in
an internet environment, where dealing with cross-border effects is an inherent element of the
protection that must be given. This obligation for DPAs is also the consequence of the
recognition in Article 16 TFEU that the European Union is the appropriate platform for
dealing with privacy and data protection. Article 51(2) of the GDPR makes this obligation
explicit.24 The obligation also exists – although in a more implicit manner – under current
data protection law.25
In other words, the position of the DPAs has a national as well as a European component.
This "hybrid position"26 of DPAs has legal dimensions (the interface between requirements
under EU law and national procedural law) and also practical dimensions (conflicting
priorities).
Legal dimensions
The DPAs are national bodies established according to national law. They operate within the
national frameworks of administrative law. However, they exercise the tasks attributed to
them by EU law. Currently, this attribution of tasks by instruments of EU law is rather
general. Article 28 (3) of Directive 95/46, for instance, lays down that the DPAs should have
investigative powers, effective powers of intervention and the power to engage in legal
proceedings, but is not prescriptive as far as the precise content of these powers is concerned.
This will significantly change under the GDPR. Articles 57 and 58 thereof distinguish a wide
range of tasks and powers of DPAs. These provisions describe precisely what the tasks and
powers of the DPAs should entail, leaving - a prima vista - little room for national law.
Recital 129 confirms this starting point where it is stated that "in order to ensure consistent
monitoring and enforcement of this Regulation throughout the Union, the supervisory
authorities should have in each Member State the same tasks and effective powers".
23 See, in particular, Article 64 GDPR, on opinions of the EDPB, and Article 65 GDPR, on dispute resolution leading to decisions by the EDPB.
24 Article 51(2) GDPR reads as follows: “Each supervisory authority shall contribute to the consistent application of this Regulation throughout the Union. [...].”
25 Recital 65 and Articles 29 and Article 30 (1) (a) of Directive 95/46.
26 Comparable to EU agencies and certain national agencies. See Michelle Everson, Cosimo Monda, and Ellen Vos (eds), EU Agencies in between Institutions and Member States, Kluwer Law International 2014, Ch. 1.
A closer look at the GDPR nuances this starting point, to a certain extent. In a few cases, the
attribution of powers contains a reference to national law,27 particularly to specify the extent
of the DPAs' advisory role within the national parliamentary democracies and to ensure the
embedding of the DPAs' tasks and powers in national procedural law. Moreover, Article
58(6) of the GDPR lays down that the Member States may provide the DPAs with additional
powers. A similar provision is not included in Article 57 GDPR, on DPAs' tasks, but an
opening for giving additional tasks to the DPAs under national law can be found in recital
129. Recital 129 mentions that Member States may specify other tasks relating to data
protection.
The question arises how Articles 57 and 58 relate to one of the essential features of the Union
structure, more specifically to the decentralised implementation of EU law, in what can be
referred to as executive federalism28 or the principle of national procedural autonomy.29
Executive federalism means, in essence, that in the legal system of the EU legislative tasks
are exercised at EU level and executive tasks at national level, by authorities of the Member
States. These authorities operate primarily within the national jurisdiction, the modalities for
the exercise of their tasks being determined by national constitutional systems.30
The principle of national procedural autonomy, as explained by the CJEU, leaves it up to the
Member States to organise the procedures for implementing EU law, in accordance with
requirements of equivalence and effectiveness. They must, e.g., "designate the courts and
tribunals having jurisdiction", and "lay down the detailed procedural rules governing actions
for safeguarding rights which individuals derive from European Union law."31 In short, the
Member States enjoy a procedural autonomy, although they are under an obligation to give
effect to procedural rights of individuals under EU law. This autonomy will significantly
shrink in the area covered by the GDPR, because of the precise procedural rules included in
that instrument. The same applies more or less to data protection in the police and justice
sectors, excluded from the scope of application of the GDPR, but covered by the new Data
Protection Directive.32
27 Article 57(1)(c), Article 58 (1)(f), (3)(b), (3)(c) and (4) refer to national law; Article 58 (4) gives an assignment to the national legislator.
28 A starting point for the GDPR (see Section 1 of this article); the term is used by Koen Lenaerts and Piet van Nuffel, European Union Law, Third edition, Sweet & Maxwell 2010, at 17-002.
29 Case C-93/12, Agrokonsulting-04, EU:C:2013:432, at 35.
30 Further reading: Carol Harlow, “Three Phases in the Evolution of EU Administrative Law”, in: Paul Craig and Grainne de Búrca, The evolution of EU Law (second edition), (Oxford University Press, 2011), Chapter 15.
31 Case C-93/12, Agrokonsulting-04, EU:C:2013:432, at 34 and 35.
32 Articles 46 and 47 of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L119/89.
In other words, the EU level (the “federal” level) intervenes in a domain that normally is
reserved to the national level (the “state” level). Arguably, this also delimits the applicability
of the principle of executive federalism in this area.
This intervention is not unique for data protection, since also in other areas EU law
determines tasks of national authorities. An example is the EU framework for the operation
of national regulatory authorities in the electronic communications sector.33 This framework
determines in quite detail the tasks of the national regulatory authorities, but remains general
as far as the powers of these authorities are concerned, leaving wide discretionary powers
with the Member States. Another example is the intervention by the EU legislator in the
exercise of powers by the national competition authorities. EU law gives precise rules on the
cooperation between the national authorities and the European Commission, in its role of
European competition authority.34 However, it does not specify in detail the powers of the
national authorities.
The intervention by the GDPR raises legal questions which are not necessarily solved in other
areas. The DPAs operate in a pluralist legal context, with tasks and duties under EU law and
under national law. These tasks and duties are not necessarily always compatible.
Obviously, EU law has primacy over national law, in case of conflict of laws. However, it is
not evident to what extent a national law may complement the GDPR without breaching an
obligation under EU law. Recital 129 of the GDPR declares, as explained above, that
Member States may specify additional tasks and Article 58 (6) lays down that national law
may provide for additional powers of DPAs. Recital 129 and Article 58 (6) do not necessarily
mean that Member States are free to add elements to powers which are provided under the
GDPR, nor that the additional powers - to the extent they are compatible with the GDPR -
can be imposed on controllers across the border, established in other Member States.
This lack of clarity can be explained by a provision in present Dutch law which is not
necessarily compliant with the GDPR. In The Netherlands, the DPA will be bound by the
GDPR, but it is also an administrative authority that falls within the scope of the General
33 Chapter II of Directive 2002/21/EC of the European Parliament and of the Council of 7 March 2002 on a common regulatory framework for electronic communications networks and services (Framework Directive), OJ L 108, 24.4.2002, as amended by Directive 2009/140/EC and Regulation 544/2009. Article 3(2) of the Directive lays down that powers must be exercised impartially, transparently and in a timely manner, without specifying what these powers are.
34 Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty, OJ (2003) L 1/1, mainly Chapter IV.
Administrative Law Act.35 This Act contains a Chapter with specific rules on enforcement.
An important instrument in this Chapter is a specific remedial sanction. Under Article 5.32 of
the Act, an administrative authority which is entitled to take enforcement action may instead
impose on the offender a duty backed by an astreinte. If the offender does not remedy the
offence he needs to pay a lump sum.
Such an alternative is not envisaged in the list of corrective powers of Article 58(2) GDPR.
The question arises whether this alternative, which plays a significant role in the practice of
the Dutch DPA will still be available under the GDPR. Arguably, this alternative strengthens
the enforcement and would therefore be in line with the objectives of the GDPR. However,
one could also defend that an essential element of consistency as envisaged by the GDPR, is
its exhaustive list of remedial sanctions.
An example of cross border enforcement can be found in the situation of Weltimmo,36 where
a controller targeted consumers in another Member State (Hungary) than where it was
registered (Slovakia).37 The Court accepted a flexible definition of establishment confirming
the competence of the Hungarian DPA because the controller specifically targeted Hungarian
residents. This would however, not necessarily mean that - after the GDPR has become
applicable - the Hungarian DPA could also use its additional investigative or enforcement
powers vis-à-vis a controller in the other Member State.
Practical dimensions
A DPA has, like any other public authority in times of austerity, scarce resources. As reported
by the EU's Fundamental Rights Agency in 2010, understaffing and lack of financial
resources resulted in a situation where European DPAs did not carry out all their tasks.38
Insufficient resources are a recurring issue in the policy debates in data protection and the
Article 29 Working Party even proposed to include a quantitative formula in the GDPR,
guaranteeing sufficient resources for a DPA in each Member State, e.g. based on the size of
the population.39
Hence, choices have to be made on how to use scarce resources in the most efficient way.
Obviously, the European dimension of the task of DPAs may collide with their tasks within
35 Algemene Wet Bestuursrecht (AWB), see: https://www.rijksoverheid.nl/documenten/besluiten/2006/06/21/engelse-tekst-awb.
36 Case C-230/14, Weltimmo, EU:C:2015:639.
37 As explained by Dan Jerker B. Svantesson, The CJEU’S Weltimmo Data Privacy Ruling, Maastricht Journal of European and Comparative Law, 23 MJ 2 (2016).
38 Fundamental Rights Agency, 2010, Data Protection in the European Union, the role of National Data Protection Authorities, at 5.1.1.
39 Article 29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposals - WP 191, at 17.
the national jurisdiction. To put it simply, a DPA will be requested to investigate a case by
the authority in another Member State, for instance in the cooperation procedure between the
lead supervisory authority and other supervisory authorities laid down in Article 60 GDPR.
The requested DPA is under an obligation to provide assistance,40 also where the request will
require considerable resources. This obligation could, in a wider sense, also be based on the
principle of sincere cooperation,41 one of the founding principles of the EU project.
At the same time, the DPA should ensure a high level of data protection within its own
national territory. Since the DPAs are national authorities, their primary task is to ensure
protection for the residents within their respective Member States. For example, if a big
security breach occurs within the national territory, spending considerable resources in
investigating this breach would be most logical. A DPA would find it difficult to suspend this
investigation in order to be able to give assistance to a peer in another Member State.
Moreover, as far as DPAs are accountable vis-à-vis democratic institutions, this is primarily
accountability before national parliaments. As the Court of Justice underlined, although
DPAs should be completely independent, "the absence of any parliamentary influence over
those authorities is inconceivable."42
This accountability vis-à-vis the elected bodies in the Member States, and also the influence
of the public opinion in the Member State where a DPA is established, may be an incentive to
the DPAs to prioritise national cases.
In the absence of what Weiler calls a European demos,43 the primary loyalty of people - and,
hence, also of national authorities - will be national.
This incentive may be contrary to the objectives of the GDPR to enhance the European
dimension of the role of the DPAs and to encourage the consistent application of the
Regulation.
How far does the changing position of DPAs make the control more European?
It is beyond doubt that the European dimension of the position of DPAs becomes more
dominant, under the GDPR. The legal as well as the practical dimensions described above
demonstrate that much is still uncertain, but the trend seems clear. The DPAs will need to
operate more as European authorities and, hence, to a certain extent, give up their national
identities.
40 See, in particular, Article 60 GDPR.
41 Article 4(3) Treaty on European Union.
42 Case C-518/07, Commission v Germany, EU:C:2010:125, at 43.
43 As described by Paul Craig in Paul Craig and Grainne de Búrca (eds), 2011, The evolution of EU Law (second edition), Oxford University Press, at 15.
However, the GDPR also confirms the situation where the national DPAs remain in the
driving seat, as responsible for the enforcement of EU data protection law within national
territory. Some tasks will be given to the EDPB, an EU body with legal personality,44 yet the
EU legislator ensured that the national DPAs are fully in charge of this new body.
This attitude of the EU legislator is illustrated by the fact that, where the Commission
proposal contained some provisions with a - limited! - centralising effect, these provisions did
not make it to the final text of the GDPR.
For instance, in order to ensure that the EU perspective would be sufficiently taken into
account, the Commission itself was given the possibility to provide an opinion in cases before
the EDPB. The EDPB had to take the utmost account of this opinion.45 Moreover, the
European DPA - the EDPS - was supposed to become the statutory vice-chair of the EDPB.46
However, these provisions did not survive the legislative procedure and, on the contrary,
Article 68(6) GDPR now even contains a limitation of the voting rights of the EDPS, in cases
where the EDPB will take a binding decision.47
It is against this background that this paper suggests that the EDPB bring clarity on the
consequences of the changing position of the DPAs by means of guidelines,
recommendations or best practices, in order to encourage consistent application of the GDPR,
as foreseen in Article 70 (e) thereof.
4. The one stop shop mechanism and the cooperation with the lead DPA
The structured cooperation mechanism of Chapter VII, Section 1, of the GDPR is the
example par excellence of the ambition of the EU legislator to reconcile two goals - a level
playing field and respect of powers of the national authorities - which are hardly fit for
reconciliation.
Where the processing of personal data takes place in more than one Member State, one single
DPA should act as a one stop shop for controllers and processors. This one single DPA will
be the DPA of the main establishment - or the single establishment - of the controller.48
This DPA will be the sole interlocutor for the cross-border processing carried out by a
controller or processor.49 This DPA, acting as lead supervisory authority, will have the
44 Article 68(1) GDPR; see Section 4 below.
45 Article 59 of Commission Proposal for a GDPR, COM (2012), 11 final.
46 Article 69(1) of Commission Proposal for a GDPR, COM (2012), 11 final.
47 Article 68(6) GDPR, containing a reference to the dispute resolution mechanism of Article 65.
48 The concept of establishment was explained by the CJEU in Case C-230/14, Weltimmo, EU:C:2015:639. It is characterized as a flexible concept, Dan Jerker B. Svantesson, The CJEU’S Weltimmo Data Privacy Ruling, Maastricht Journal of European and Comparative Law, 23 MJ 2 (2016), at 336.
exclusive competence to take binding enforcement decisions.50 This is the first key element
of the one stop shop mechanism.
The mechanism has a second key element: close cooperation between this lead supervisory
authority and all other concerned authorities. Articles 56 and 60 GDPR specify in detail the
competences of the lead authority and how the cooperation of the lead authority with other
DPAs should be conducted.
This structured cooperation mechanism allows other concerned DPAs to raise objections, but,
at the end of the day, all DPAs concerned are bound by the decision of the lead DPA.51 This
is a novelty compared to the current regime under Directive 95/46, where the same data
processing operation may be subject to diverging enforcement actions initiated by DPAs in
various Member States.52 An obvious ongoing example of divergence, already indicated
before, is the enforcement relating to Facebook's terms and policies of personal data and
cookies. Some DPAs cooperate within a contact group53, but the DPA of the country where
Facebook has its EU establishment (Ireland) is not part of this contact group. In Belgium, the
national privacy commission sued Facebook before a national court54 because of alleged
infringement of Belgian law. Also in Germany, a case is pending before the Federal
Administrative Court with involvement of a DPA of a German State. In this case, preliminary
questions were asked.55
The new rules, however, prevent the lead DPA from acting without considering the views of
other DPAs involved. This also responds to the criticism that the one-stop shop would lead to
an exclusive competence of one DPA and not to a structured system of cooperation between
DPAs.56
49 Article 56(6) GDPR.
50 See mainly Articles 56 (1) and 60 GDPR.
51 See mainly Articles 60 and 65 GDPR. The final decision of the lead DPA may result from dispute resolution by the EDPB, in case a DPA raised a relevant and reasoned objection.
52 Some cases of enforcement cooperation – e.g. in relation to Google and WhatsApp - are explained in David Barnard-Wills & David Wright, Deliverable 1 – “Co-ordination and co-operation between Data Protection Authorities”, www.phaedra-project.eu.
53 See David Barnard-Wills & Vagelis Papakonstantinou, Deliverable 2.2, Best Practices for cooperation between EU DPAs, www.phaedra-project.eu, at 2.1.2.
54 Ruling of the Dutch Speaking Court of First Instance in Brussels of 9 November 2015, Nr 15/57/C; Ruling of Court of Appeal of Brussels of 29 June 2016, Nr. 2016/5747.
55 BVerwG 1 C 28.14 OVG 4 LB 20/13; CJEU, Case C-210/16, Wirtschaftsakademie Schleswig-Holstein.
56 E.g., European Data Protection Supervisor, Opinion of 7 March 2012 on the data protection reform package, at 237.
The Commission proposal mentioned the main reasons for this mechanism: to increase the
consistency in the application of the data protection rules, to provide legal certainty and to
reduce the administrative burden for the controllers and processors of personal data.57 In
essence, consistent enforcement of data protection rules across Europe should enhance legal
certainty of companies and reduce costs, also because it prevents multinational companies
from having to deal with divergent enforcement decisions. The strong emphasis on the
importance of the mechanism for companies is confirmed by the link the Commission makes
between the one stop-shop mechanism – and the consistency mechanism discussed below –
and the digital single market.58
The advantages for the protection of the individual
The consequences for the individual seem to be of less importance, at least in the justification
given by the Commission.
Of course, the one stop shop mechanism also strengthens the position of the data subject,
because of the following secondary effects: creating legal certainty, protection in an equal
way, and preventing forum shopping by data controllers and processors choosing the
perceived most lenient DPA.
57 Recital 97 of Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM (2012), 11 final.
58 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century, COM (2012) 9 final, at 7-8.
59 Article 4(23) GDPR.
60 Article 77(1) GDPR, mentioning the habitual residence as well as the place of work.
61 Article 1(2) TEU.
on the GDPR and is set to enhance the effectiveness of the fundamental rights protection.62
However, at the end of the day proximity is not fully guaranteed by the GDPR. A decision on
a processing operation will be taken by the lead DPA and this decision will be subject to
judicial review in the Member State of the lead DPA.
It will be interesting to see how the combination of these various elements will work out in practice.
To be more concrete: a data subject may lodge a complaint before the DPA in the country of
residence. If his or her complaint is not upheld he or she can appeal before a tribunal in that
same Member State.63 It is not evident how this tribunal will deal with this appeal, when the
contested operation is subject to an enforcement decision of the lead DPA in the Member
State of establishment of the controller or processor. It will be even more complicated when
data subjects in several Member States bring cases before national courts concerning the
same breach of data protection law. This situation could, for instance, occur in connection
with privacy settings of EU wide operating service providers on the internet. Although recital
144 of the GDPR gives some indication how to deal with parallel proceedings in more than
one Member State, it does not give clarity on the outcome.
How far does the one stop shop and the cooperation with the lead DPA make the control
more European?
The essence of the one stop shop is to leave the responsibility for enforcement of data
protection with the national DPAs.64 It is not meant as centralizing enforcement. The
mechanism, however, could have a harmonising effect, because it strengthens the
enforcement cooperation between DPAs.
Moreover, the cooperation mechanism also provides for mutual assistance between DPAs and
for joint investigations and enforcement measures of DPAs of different Member States.65
These provisions should contribute to a more consistent approach within the EU.
The mechanism could have a harmonising effect, but this is not a priori evident. It will
depend how the lead authority will interpret its role. Would a lead authority, for instance,
give priority to cases where the effect of its enforcement actions will be mainly noticeable in
other Member States? The GDPR includes a correction mechanism - the dispute resolution by
the EDPB, as explained below -, but it has to be seen to what extent this correction will work
in practice.
62 Council of the European Union, various Council documents on Council Public Register, re Interinstitutional file 2012/0011 (COD), e.g. 18031/13 (19 Dec 2013, full version on lobbyplag.eu), 14788/1/14 (13-11-2014).
63 Article 78(3) GDPR.
64 Paolo Balboni, Enrico Pelino and Lucio Scudiero, “Rethinking the one-stop-shop mechanism: Legal certainty and legitimate expectation”, Computer Law & Security Review 30 (2014) 392–402.
65 Articles 61 and 62 GDPR.
Will, for instance, a policy of non-intervention prevail in the practices of the DPAs or would
DPAs indeed be prepared to draft relevant and reasoned objections to positions taken by their
peers?66 The GDPR contains incentives, yet no guarantees.
Articles 63-66 GDPR provide a consistency mechanism.67 The purpose of this consistency
mechanism is to contribute to the consistent application of the Regulation throughout the
Union, although one may question whether all elements of the consistency mechanism are fit
for purpose.68
The key player in the consistency mechanism is the EDPB that will be established by Article
68(1) of the GDPR as a body of the EU with legal personality.
The EDPB is the successor to the Article 29 Working Party and will consist of
representatives of the national DPAs and of the European Data Protection Supervisor
(EDPS). The EDPB must play a formal role in the enforcement of EU data protection law, in
contrast with the Article 29 Working Party, which only has an advisory role. This formal role
normally ends with a non-binding - but probably persuasive - opinion of the EDPB.
Sometimes, it may result in a binding decision, in cases where the EDPB resolves a dispute
between DPAs.69
Ensuring consistency is the first of a long list of tasks of the EDPB, specified in Article 70 (1)
of the GDPR. Whereas most of these tasks are of an advisory nature,70 in line with the
activities of the Article 29 Working Party under present law, the consistency mechanism is
intended to be a part of data protection enforcement. Recital 135 stipulates that the
mechanism "should in particular apply where a supervisory authority intends to adopt a
measure intended to produce legal effects as regards processing operations which
substantially affect a significant number of data subjects in several Member States". This
confirms that this mechanism relates to the enforcement of data protection law.
The consistency mechanism potentially extends to all activities on the internet within the
scope of European Union law, which includes the offering of services and goods and the
monitoring of behaviour by non EU based controllers.
66 Wording taken from Article 65(1)(a) GDPR.
67 See also Orla Lynskey, The Foundations of EU Data Protection Law, Oxford University Press 2015.
68 Particularly, the dispute resolution mechanism of Article 65 GDPR, as explained below.
69 Article 65 GDPR.
70 NB: not all of the other tasks have an advisory nature. See, e.g., Article 70 (1) (o), on the accreditation of certification bodies.
This does not mean that all activities within this wide scope are finally scrutinised by the
EDPB or even less that the EDPB ultimately decides, but in all these cases the EDPB may be
informed and it may be called upon to act. Article 64 (2) GDPR provides that any DPA - and
also the Chair of the EDPB or the European Commission - may request that the Board
examines any matter of general application or producing effect in more than one Member
State.
This mechanism – which was substantially amended during the legislative process – is a
further instrument to regain control over data processing operations on the internet. The
consistency mechanism consists of two pillars, distinguished in Articles 64 and 65 GDPR. To
be complete, the mechanism also comprises an urgency procedure simplifying the procedural
rules, in exceptional circumstances (Article 66 GDPR).
The first pillar is the more genuine form of consistency. Where a DPA wishes to consult its
peers before taking an enforcement decision, it addresses a request to the EDPB, as mentioned
before, in accordance with Article 64(2) GDPR. This request is a way to implement the
obligation of a DPA to contribute to harmonised and effective data protection in the EU. The
DPA verifies the positions of its peers in the EDPB and - normally - follows the position
taken by the EDPB. There is no obligation to follow the EDPB's opinion, yet a DPA should
take the utmost account of it.71
However, this first pillar has some ambiguous - or in stronger terms: weak - elements. First,
there is no obligation for a DPA to consult the EDPB. This obligation exists in a few specific
situations, notably acts in connection to data protection impact assessments, codes of
conduct, accreditation, standard data protection clauses or contractual clauses, or binding
corporate rules.72
However, there is no obligation to involve the EDPB in the normal enforcement context, in
individual cases of alleged breaches of data protection law. In this context, there is not even
an obligation to inform the EDPB. Although recital 135 stipulates that the mechanism should
apply where a DPA intends to adopt an enforcement measure that substantially affects a
significant number of data subjects in several Member States, the mechanism is presented as
optional in Article 64(2) GDPR.
Second, the EU legislator gives the impression that Article 64(2) is meant for the situation
where a DPA does not properly cooperate with a peer cross border, not where it has a
different view on substance.73 This impression follows from the references to mutual
71 Article 64(7) GDPR.
72 Article 64(1) GDPR.
73 Article 64(2) reads, where relevant: "[....]: in particular where a competent supervisory authority does not comply with the obligations for mutual assistance in accordance with Article 61 or for joint operations in accordance with Article 62."
assistance and joint operations, but it is not fully evident and is not supported by the text of
recital 135. It is nevertheless there.
The second pillar is the dispute resolution mechanism of Article 65 GDPR, which will lead to
a binding decision by the EDPB resolving disputes between DPAs. This dispute may arise on
the substance of a case handled within the one stop shop mechanism, on the competence of a
DPA in a specific case, or in cases where a DPA does not comply with some of the
obligations of Article 64 GDPR. The decision in the dispute resolution mechanism is,
primarily, binding upon the concerned DPAs. On the basis of this decision, the lead DPA (or,
in some situations, another involved national DPA) takes a "final decision".74 However, this
somehow ambiguous drafting does not mean that the initial decision of the EDPB cannot be
challenged by other concerned parties. As recital 143 explains, controllers, processors or
complainants can challenge the EDPB decisions before the Court of Justice, in accordance
with Article 263 TFEU.
How far does the consistency mechanism make the control more European?
The need for clear and uniform rules for businesses providing legal certainty and minimising
the administrative burden was a reason for the Commission to propose the reform of the legal
framework for data protection, which is expected to stimulate economic growth, create new
jobs and foster innovation.
The regulation as proposed by the Commission was supposed to do away with the fragmented
legal environment resulting not only from divergences between the rules themselves, but also
from the diverging control of the rules.76 A level playing field requires a uniform law as well
as uniformity in its enforcement.
However, the outcome of the legislative process is less ambitious. Whereas the Commission
saw a level playing field as an important rationale of the consistency mechanism, 77 the
74 Article 65(6) GDPR.
75 Effectiveness is a general requirement of EU law, Koen Lenaerts, Ignace Maselis, and Kathleen Gutman, 2014, EU Procedural Law, Oxford University Press, at 4.05.
76 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions, Safeguarding Privacy in a Connected World: A European Data Protection Framework for the 21st Century, COM(2012) 9 final, at 2, 7-9.
77 See in particular the procedure foreseen in Article 58(3) of the Commission proposal.
outcome is mainly a conflict-solving mechanism, to avoid problems where the views of the
DPAs in a specific case may diverge. Article 64(2) too, despite its ambiguity, can
be seen as a system for solving conflicts and, possibly, a system encouraging DPAs to
cooperate effectively.
Hence, the consistency mechanism does not ensure the correct and uniform application of the
regulation within the wider territory of the European Union.78
The difference between the aspirational goal of the Commission and the outcome of the
legislative process is explained as follows. The Commission aimed at ensuring that a specific
processing operation – for instance an internet application – is not judged in divergent
manners in the Member States and that the supplier of this application is confronted with one
decision applicable in the whole European Union. In addition, a decision should also be
consistent with decisions taken in other cases and hence contribute to the uniform (and
correct) application of EU data protection law.79 The second purpose is connected to the
obligation of DPAs to contribute to a harmonised and effective level of protection in the
European Union, stipulated in Article 51 (2) GDPR and explained above.
The less ambitious outcome may be the result of other contributions to the legislative process
in reaction to the Commission proposal. To start with, the Article 29 Working Party was
critical of the Commission proposal: the “mechanism should ensure consistency in matters
only there where it is necessary, should not encroach upon the independence of national
supervisory authorities and should leave the responsibilities of the different actors where they
belong”.80 The Working Party considered that the consistency mechanism should only be
triggered where the DPAs do not reach consensus on the assessment of the case and/or
measures to be taken.81 This position underscores the more limited ambition. A harmonised
level of protection within the EU did not seem relevant for the Working Party. This was also
due to the fact that the Working Party is opposed to a role of the Commission in the
procedure82 and seeks to limit the caseload.83
78 See in particular the procedure foreseen in Article 58(4) of the Commission proposal.
79 To be complete, the Commission proposal also foresees a role for the consistency mechanism in procedures not relating to individual cases, such as the adoption of a list of the processing operations subject to prior consultation and various procedures relating to the transfer of personal data to third countries (Article 58(2) of the proposal).
80 Article 29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposals - WP 191 (23.03.2012), at 20.
81 Article 29 Data Protection Working Party, Opinion 01/2012 on the data protection reform proposals - WP 191 (23.03.2012), at 20.
82 In the same sense, European Data Protection Supervisor, Opinion of 7 March 2012 on the data protection reform package, at 248-255.
The view that the consistency mechanism should be limited to cases of disagreements
between authorities in a specific case seemed to be shared by the European Parliament. One
of the amendments of the European Parliament limited the consistency mechanism to cases of
serious objections of an authority to a draft measure of another authority, the ‘lead
authority’.84 A similar approach is taken by the Council. In individual cases, relevant and
reasoned objections and conflicting views may trigger the consistency mechanism.85
This paper submits that the consistency mechanism would only succeed in neutralising the
fragmented legal environment if both aspirational goals, as intended by the Commission, are
achieved. This would allow the EDPB to grow into a centre of excellence of data protection
in the EU, operating in close cooperation with the EDPS and combining the European and the
national perspectives. It would also enable the EDPB to operate on the EU level as a focal
point for data protection enforcement and to become the main interlocutor for global
companies operating on the internet and, for instance, also for regulators in other domains.
For instance, the synergies between enforcement of EU data protection law and EU
competition law86 would be easier to deal with if the European Commission in its role as
enforcer of EU competition law had a strong interlocutor in the domain of data protection, at
EU level.
This all is not impossible under the GDPR, in view of the fact that the DPAs have a wide
discretion to decide what cases they step up to the consistency mechanism. They might have
good reasons to do so, if only because an opinion of the EDPB can be seen as a support of
good governance by DPAs, in compliance with the principle of sincere cooperation enshrined
in Article 4(3) of the Treaty on European Union.
In more pragmatic terms, the EDPB can be of help, where the resources of a DPA are limited.
Especially for DPAs in smaller Member States, it may be attractive to involve the EDPB.
6. Conclusions
The GDPR has only been adopted very recently. At this stage, it is not possible to give a
definitive answer to the question whether the GDPR successfully reconciles the ambition of
83 In the same sense, European Data Protection Supervisor, Opinion of 7 March 2012 on the data protection reform package, at 245.
84 Amendment 167, introducing a new Article 58a, European Parliament legislative resolution of 12 March 2014 on the proposal for a GDPR (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD)).
85 Article 57(3)(a) and (b) of the Council general approach (Council document 9565/15 of 11 June 2015).
86 See on this European Data Protection Supervisor, Preliminary Opinion of 26 March 2014 on "Privacy and competitiveness in the age of big data: The interplay between data protection, competition law and consumer protection in the Digital Economy".
creating a level playing field with the purpose of respecting the powers of the national data
protection authorities.
One thing is clear. The text of the GDPR leaves much room for discrepancies between the
enforcement practices of the Member States. This being said, the GDPR also presents the
opportunities for a genuine consistent approach on data protection in the EU. In this
perspective, there is no reason to conclude that the provisions in the GDPR on DPA
cooperation are a glass half empty. Based on several arguments in this paper, one should
rather state the opposite: the GDPR is a glass half full.
It is a further step towards better and more harmonised data protection enforcement in the
EU. The GDPR contains a number of incentives to become a success. Much will depend on
how the cooperation mechanisms of DPAs will be put into practice. Will this practice be
based on national reflexes and policies of non-intervention, or will the cooperation be
characterised by giving priority to consistency and mutual cooperation in view of the fact that
the huge challenges posed by the internet, big data and mass surveillance can only be faced
through common efforts?
As said, the GDPR contains incentives and creates the EDPB as a potentially strong and
effective body. This paper pointed before at Article 70(1)(e) GDPR which gives a basis to the
EDPB to issue guidelines, recommendations and best practices, in order to encourage
consistent application of the GDPR. It is suggested to use this provision as a concrete
instrument to stimulate the DPAs to use the cooperation mechanisms in a proactive manner
and, for instance, specify the situations where the DPAs should invoke the consistency
mechanism on the basis of Article 64 (2) GDPR.
Success should, of course, be measured by the impact the GDPR will have on the level of the
protection of the individual as envisaged by Article 8 Charter and Article 16 TFEU. The
future will tell.
Georgia Skouma
Georgia Skouma – Risk Advisory
Current Position
Legal Director, Risk Advisory Services (working with Deloitte since October 2006)
Summary of Role and Qualifications in the Data Protection Area
Former member of the Brussels (Belgium) and Athens (Greece) Bars, I practised as a lawyer
specialised in Information Technology, Communications and Privacy Law until September 2006.
My role as business legal adviser with Deloitte is to help corporate clients and the
public sector develop and implement risk-based solutions and procedures to
meet their legal obligations in a number of areas, especially in the provision of
information society services, the gradual de-materialization of their business
through innovation and data governance.
(Personal) data protection and ICT law are the key areas of the consulting
services I have been providing with Deloitte over the last ten years. I assist
leading multinational companies, SMEs and the public sector in assessing their
level of compliance with the requirements of the data protection regulatory
framework and best business practices in this area. On top of that, I guide my
clients in designing business processes and data management practices which
align with the European and local prerequisites and the recommendations of local
regulators (i.e., local data protection authorities).
The geographic scope of the projects I am involved in with Deloitte is wider than
Belgium. Regarding my privacy-related assignments, I advise clients (if
necessary, with support of selected local legal advisors) with queries and project
implementation in many other countries all over the world, in Europe, Middle
East, Asia and Latin America.
For EU Institutions
For the EU Commission, DG Justice, project lead in the preparation of an
impact assessment of the e-Privacy Directive, with a view to assess the
need of revision of this legal instrument (study just published at:).
For ENISA, lead and main core expert in the preparation of a study on
personal data clouds (definition, legal requirements and best practices).
For ENISA, lead and main core expert in the preparation of a stock-
taking project on the initiatives and practices European countries have
been taken to foster information exchanges in the area of information
security.
For the European Commission, DG TAXUD, member of the core team
working on a feasibility study about the introduction of a Tax
Identification Number (TIN) to all European taxpayers (ongoing).
For the European Commission, DG Employment, leader of the legal track
working on a project relevant to the setting up of an automated platform
for the exchange of social security documents between social security
administrations of 30 countries (ongoing).
For the European Commission, DG Research and Innovation, legal expert
in a study looking into the deployment of an electronic researcher’s card
for all EU-based researchers.
For the European agency on Interoperability Solutions for European
Public Administrations (ISA), definition of the legal restrictions on the
creation of electronic base-registries and e-services portals available to
public administrations for cross-border use.
For the European Agency on Network and Information Security (ENISA),
quality control reviewer and legal expert to a study on the definition of
measurements and metrics on the assessment of the resilience of public
For CEN
As CEN Workshop Manager: responsible for CEN’s standards-setting
initiatives in the areas of: electronic signatures/trust service providers,
privacy/data protection, e-commerce.
As external expert: Involvement in the DPP Workshop as reviewer of
deliverables: Model clauses to implement art. 17 of EU Data Protection
Directive (CWA 15292) and Baseline Audit Framework (CWA 15499-1).
For the operator of the electricity grid in Belgium, legal advice in the
design and implementation of an e-archiving program covering the
organization’s more critical and costly information systems and
applications.
For the incumbent e-communications operator in Belgium, assistance in
the design of a data retention strategy and email archiving guidelines to
company’s staff.
Previous work experience & trainings
DLA Piper Law Firm, Belgium: ICT and Media law, Associate (2003-2006).
Bogaert and Vandemeulebroeke law firm (Landwell): ICT and IP law, Associate (2000-2003).
European Standards Committee (Comité Européen de Normalisation, CEN), Workshop Manager (1998-2000).
1997-1998: Master in Maritime and Aviation Law, Law faculty, ULB, Belgium
1994-1995: Master in European law, Institut d’Etudes européennes, ULB, Belgium
1989-1993: Law degree, Cum Laude, Athens Law School, Greece
GDPR challenges & impact on company’s governance
• The General Data Protection Regulation has been approved, harmonising the current fragmented
legal framework for data privacy across Europe and introducing a high level of protection for individuals.
• Along with the opportunities, specific privacy challenges have surfaced for organisations,
requiring robust privacy governance.
The GDPR has provoked a number of reactions amongst European companies. The major types of reaction
are listed below:
REACTION A
• Almost all companies try to understand GDPR requirements and seek a pragmatic interpretation.
• They are now preparing their GDPR vision and solicit advice on the “to be” organizational model.
REACTION B
• 80% and above are eager to learn their degree of readiness to comply with GDPR.
• They have expressed their willingness to carry out:
− High-level horizontal GDPR Impact Assessments
− GDPR Quick Scans & Gap Assessments
REACTION C
• Only with regard to certain specific GDPR requirements, the majority of companies adopt a “wait and see” approach.
• This means waiting before implementing certain GDPR requirements until the moment additional guidance has been
provided from EU level or below (e.g. data portability, codes of conduct, seals).
Processes
Processes allow the company to deliver value to customers in a repeatable and scalable manner.
Data
Individuals and teams within the company tasked with data governance and data management will be
challenged to provide clearer, more proactive oversight on data storage, journeys, and lineage.
Technology
New GDPR requirements will mean changes to the ways in which technologies are designed and managed,
including a focus on profiling and security.
Accountability
• Even though the GDPR abolishes the need to notify the supervisory authorities, it introduces the
explicit obligation for the controller as well as the processor to be able to demonstrate their
compliance with the GDPR (e.g. through performing data protection impact assessments, using
data protection by design and by default approaches, keeping records of processing activities, …).
• Companies will have to appoint a Data Protection Officer in certain cases (public authorities, when
monitoring data subjects on a large scale, when processing special categories of data on a large scale…).
Recommended solutions (organisational model)
• Assess whether the company is obliged to, or may, appoint a DPO
• Design alternative options for the organisational model (e.g. a Privacy Office)
• Define the prevailing model and fine-tune its details
• Define how to interact and communicate with other business units & departments (Legal, HR, IT)
• Define actions for formal adoption of the model and execute them (e.g. need to document the model
and responsibilities, if yes in which document, etc.)
Recommended solutions (conformity assessment)
• Identify and review checklists or other materials used internally for assessment exercises (audits)
• (If missing) design the conformity assessment template, questionnaires and relevant checklists
• Organise the conformity assessment plan (prioritisation of processes subject to assessment,
timelines, scope, form of assessment, e.g. combination of face-to-face assessment vs. questionnaire-based
assessment)
Recommended solutions (data retention)
• Select 6-10 business processes to define a) the business’ concrete data retention practices currently
followed; b) rationalised data retention requirements for both paper and on-line repositories and
c) the business’ data retention expectations
• Design a Data Retention Framework (in alignment with technical work that has to be done in tandem)
• Design an activities roadmap with the specific actions to be taken in the short and longer term
• Design a Data Retention/Data Archiving Guideline with practical do’s and don’ts for the business
on data deletion/retention
Data subjects’ rights
• Existing rights of individuals are reinforced and further specified, including the right of access,
rectification, restriction, erasure, objection to processing and the right not to be subject to automated
processing and data profiling.
• The GDPR introduces the right to data portability.
Recommended solutions
• Define the stakeholders to be involved in the task to confirm today’s practices and define needs for
the future (Marketing, Communications, Legal, Front Office, Customer Service, etc.)
• Design the relevant procedures (access, objection/blocking of data and rectification)
• Design the templates to be used by business and customers to ensure effective exercise of the rights
• Design the internal procedure (back-office) to ensure that the company manages customer requests
regarding their privacy rights effectively
Enforcement
• Data Protection Authorities (DPAs) already have investigative, corrective, advisory and authorisation powers.
• DPAs will soon be entitled to impose administrative fines of up to 2% or 4% of the group’s worldwide
annual turnover of the preceding financial year, or EUR 10 million or EUR 20 million respectively, whichever
is higher, for infringements of data subject rights, non-compliance with an order of the DPA or the
obligations of the controller and processor.
Recommended solutions
• Sustain the communication and the implementation with an appropriate level of sponsorship
• Document and enforce sustaining policies (data management, privacy, security…)
• Conduct a risk assessment and PIA and be ready to share the conclusions on demand with the authorities
• Take mitigation actions and follow them up
Consent
• The conditions for consent are spelled out more clearly, with a focus on the ability of individuals to
distinguish a request for consent from other matters.
• Special regime for children under 16, where consent will have to be given or authorised by the holder
of parental responsibility over the child. Member States may lower this age to 13.
Recommended solutions
• Edit and publish a new (General) Privacy Statement
• Synchronise changes in the “product-specific” privacy statements
• Update other privacy-related documentation
• Check & review the data processing registrations’ work
• Check and update the specific cookie statement
• Checklist maintenance (determine the owner of the Privacy Statement Checklist and determine review
times & procedure, incl. periodical review of “points of improvement”)
Current-State Assessment
Scoping: “What processes or elements to assess?”
Methodology: “How to assess against a legal text?”
Roadmap
Work Package Structure: “Where to start and how to ‘slice’ intertwined tasks?”
Ownership: “Who is accountable for any given work package?”
Sizing: “How much time and budget to allocate to each issue?”
How to build a Data Protection Impact Assessment (DPIA) – ERA Summer course 2
How to build a Data Protection
Impact Assessment (DPIA)
Introduction & building blocks
Introduction
What is a PIA? (art. 35 GDPR)
Content
Building blocks
Required information
Building blocks
Description of the envisaged processing
“A DPIA is a form of risk management. When conducting a PIA, an organisation is systematically considering how their project will affect
individuals’ privacy.” – ICO PIA Code of Practice
Recital 75 of GDPR refers to the risks of varying likelihood and severity related to “rights and freedoms of natural persons resulting from
personal data processing”. The WP29 has specified an even broader scope, including risks to freedom of speech, freedom of thought, freedom
of movement, prohibition of discrimination, right to liberty, conscience and religion.
Although these descriptions are rather broad in nature, they can practically be translated into a specific set of technological and organizational
measures such as encryption, access control and authorization.
Risk analysis
Risk management methodology
Organisations can leverage existing risk management and risk assessment methodologies. These assessments can for example be
built upon the ISO/IEC 27005 risk management process embedded in the ISO/IEC 27001 information security management system.
Although existing risk management processes may provide a basis for a DPIA, attention should be paid that the privacy requirements as
defined under the GDPR are added to the scope of the assessment.
Develop/refresh the risk universe: identify and define the key risks faced by the company
(through interviews, monitoring KRIs and emerging risks, environmental scans, scenario analysis, etc.)
Every risk should be assessed using consistent and meaningful risk rating criteria in order to prioritise them and map adequate measures to
mitigate.
The risk is the product of the severity and the likelihood. It can result in a specific impact, that can be:
1. Compliance impact / Reputational impact / Material impact (on business turnover, sales, competition, etc.) for both companies
and individuals
High: high chances that the risk materialises and the impact on the individuals or the company is severe.
Medium: there are quite some chances that the risk materialises; however, even if it does, the negative impact on the
individuals or the company is serious but can be circumvented with medium cost/effort.
Low: it is unlikely that the risk materialises and even if it does, the negative impact on the individuals or the
company may be circumvented easily.
Measures and safeguards
Mitigation strategy
The measures and safeguards documented in a DPIA are the result of the risk assessment performed in an
earlier stage. Depending on the impact and likelihood of a certain risk, taking into account the risk
acceptance criteria and the cost/benefit analysis, organisations should determine a mitigation strategy.
Measures and safeguards
Mitigation strategy
Risk reduction
The level of risk should be managed by introducing, removing or altering controls so that the Risk is reduced by a
diminution of the Impact or the Likelihood.
Risk retention
The decision on retaining the risk without further action should be taken depending on risk evaluation. If the level
of risk meets the risk acceptance criteria, there is no need for implementing additional controls and the risk can
be retained.
Risk avoidance
The activity or condition that gives rise to the particular risk is avoided
Risk sharing
The risk is shared with another party that can most effectively manage the particular risk (e.g. insurance company)
Measures and safeguards
Risk reduction
How to build a Data Protection
Impact Assessment (DPIA)
The process
The process
High level DPIA steps
1. Scope determination
2. Necessity analysis
3. Privacy risk assessment
4. Risk treatment
5. Gap assessment
6. Conclusion
Methodologies
Existing guidance and methodologies
• Article 29 Data Protection Working Party – Guidelines on DPIA and determining risk
• DPA France (CNIL) – PIA guidelines
• DPA France (CNIL) – Privacy Risk Treatment – Good Practices
• DPA UK (ICO) – Conducting PIAs – Code of practice
Case Studies
Conclusion
Practical “to do’s” to take away
Case studies 1 & 2
• Learn as much as you can about the application / system / operation subject to PIA
• Involve all relevant stakeholders: operational and IT teams, application owners, business
users and 2nd line support team (IT, Legal, Compliance, DPO…)
• Request the company’s risk assessment methodology and if there isn’t, design one using
regulatory guidance and widely-acknowledged standards
• Have the PIA signed off by company’s management
• Review the PIA assessment and its findings at pre-defined intervals
Prior consultation of the supervisory authority (art. 36 GDPR)
When should the supervisory authority be consulted?
“Whenever a data controller cannot find sufficient measures (i.e. when the residual risks are still high),
consultation with the supervisory authority will be necessary.” - WP29 DPIA Guidelines
The residual risk will determine the necessity to consult the supervisory authority. The residual
risk is the risk score taking into account the mitigating controls.
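The risk-rating criteria on the earlier slide (risk as the product of severity and likelihood, rated High, Medium or Low) and the residual-risk rule above can be turned into a small risk register that derives the consultation decision instead of asserting it. The following Python script is an added example written for this page; it is not code from the course material, from Deloitte or from any DPA. The numeric values behind the three levels, the thresholds that map a score back to a level, the "steps" credited to each control, and the risks and controls in the sample register (loosely modelled on Case Study 1 below) are all assumptions made for the illustration.

```python
"""DPIA risk register: inherent risk, mitigating controls, residual risk and
the prior-consultation trigger.

Added illustration; not code from the course material or any DPA. The
three-level scale, "risk = severity x likelihood" and "residual risk still
high -> consult the supervisory authority" follow the slides; the numbers
(1-3), the score buckets, the control credits and the sample risks are assumed.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Three-level scale from the risk-rating slide (values assumed)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Control:
    """A mitigating measure credited with lowering likelihood and/or severity
    by a number of steps on the scale (the credits are example assumptions)."""
    name: str
    likelihood_steps: int = 0
    severity_steps: int = 0


@dataclass
class Risk:
    name: str
    likelihood: Level
    severity: Level
    controls: list = field(default_factory=list)


def rate(likelihood: Level, severity: Level) -> Level:
    """Risk = severity x likelihood, bucketed back onto the three-level scale.
    Buckets (assumed): score 1-2 -> LOW, 3-4 -> MEDIUM, 6-9 -> HIGH."""
    score = int(likelihood) * int(severity)
    if score >= 6:
        return Level.HIGH
    if score >= 3:
        return Level.MEDIUM
    return Level.LOW


def _step_down(level: Level, steps: int) -> Level:
    # A control can never push a factor below LOW.
    return Level(max(Level.LOW, int(level) - steps))


def inherent(risk: Risk) -> Level:
    """Rating before any control is credited."""
    return rate(risk.likelihood, risk.severity)


def residual(risk: Risk) -> Level:
    """Rating after crediting the mitigating controls: the residual risk."""
    lk = _step_down(risk.likelihood, sum(c.likelihood_steps for c in risk.controls))
    sv = _step_down(risk.severity, sum(c.severity_steps for c in risk.controls))
    return rate(lk, sv)


def treatment(risk: Risk, acceptance: Level = Level.LOW) -> str:
    """Mitigation strategy per the slides: retain when the residual risk meets
    the acceptance criteria; otherwise reduce further, avoid or share; a
    residual HIGH means prior consultation of the supervisory authority."""
    r = residual(risk)
    if r == Level.HIGH:
        return "consult supervisory authority"
    if r <= acceptance:
        return "retain"
    return "reduce/avoid/share"


def prior_consultation_needed(register: list) -> list:
    """Names of the risks whose residual rating is still HIGH."""
    return [r.name for r in register if residual(r) == Level.HIGH]


# Constructed register loosely modelled on Case Study 1 (bank website profiling
# feeding a CRM hosted in the US); ratings and control credits are assumed.
REGISTER = [
    Risk("Profiling of visitors without a valid lawful basis", Level.HIGH, Level.HIGH,
         controls=[Control("Consent banner with opt-out for personalised ads", likelihood_steps=2)]),
    Risk("CRM data transferred to US headquarters without a transfer tool", Level.HIGH, Level.HIGH,
         controls=[Control("Pseudonymise web-behaviour data before the CRM feed", severity_steps=1)]),
    Risk("Unauthorised access to CRM by customer-service staff", Level.MEDIUM, Level.MEDIUM,
         controls=[Control("Role-based access control", likelihood_steps=1),
                   Control("Access logging and periodic review", likelihood_steps=1)]),
    Risk("Advert content reveals interest in credit on a shared device", Level.LOW, Level.MEDIUM),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: inherent={inherent(r).name} residual={residual(r).name} -> {treatment(r)}")
    print("Prior consultation needed for:", prior_consultation_needed(REGISTER))
```

Running the script lists each risk's inherent and residual rating and the treatment it implies; only the transfer risk, whose residual rating stays High after the credited control, is flagged for prior consultation under Article 36 GDPR. The point of keeping the credits on the controls rather than on the risk is that the consultation flag follows the evidence: if the pseudonymisation control is later found not to reduce severity, lowering its credit re-flags the risk without anyone having to remember to do so.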
Annex: Methodologies
Framework
• ISO/IEC 29134 – Privacy Impact Assessment
• ISO 29100:2011 – Privacy Framework (freely available)
Reference list: http://www.din.de/en/meta/jtc1sc27
Management, technology and controls
• ISO 27002:2013 – Code of practice for information security management
• ISO 29151 – Code of practice for PII protection
• ISO 27018:2014 – Code of practice for PII protection in public clouds acting as PII processors
• ISO 29101:2013 – Privacy Architecture Framework
• ISO 29191:2012 – Requirements for partially anonymous, partially unlinkable authentication
ERA Summer School 2017
PIA
Case Study 1
In an effort to increase its market share and to offer truly personalized services to its clients, a renowned
German bank, member of a multinational retail banking group, wants to implement personalized
advertising on its website. The company’s Marketing and Communications team has created
an algorithm that tracks all the web pages a web user has visited on the bank’s website.
This solution, called Agile, identifies and retrieves all the content a web user visited during his last
logins to the company’s website and targets him with advertisements relating to this
content. For example, if a website user has looked at the credit products the bank offers and has even filled out
an online form to request more information, Agile will target the visitor with customized advertising the next time
he visits the website, for example by offering the user a reduced interest rate on a loan to
buy a car or a house. Moreover, all data collected through Agile will automatically feed a
global CRM application that is used by all customer service teams of the banking group and that is
hosted at the company’s headquarters in the US.
The management committee asks the IT & Compliance teams several questions regarding data
protection; in particular, they would like to know under which conditions the company can implement
the tool and what measures it should take to make the implementation of Agile compliant with GDPR
rules.
Moreover, they wonder whether they are obliged to conduct a PIA for this application and, if so,
to identify the relevant risks and mitigating measures.
--------------------------------------
1] What questions would you ask to define whether a PIA is mandatory in this case?
2] What questions would you ask to define the risks to the data subjects?
3] What questions would you ask to define the risks to the German bank, the group or other parties?
4] Can you help the Legal team to identify and risk-rank the related risks based on the table below?
Table columns: Data Protection Requirement | Risk to Individuals | Risk to company / group, other persons | Risk ranking (high, medium, low) | Mitigation measure
Case Study 2
A big financial organization, with several affiliates and agencies worldwide, is concerned about
cyber-attacks and particularly about the leakage of information it considers strategically important and business sensitive.
Its IT team presents to the group’s management the idea of implementing a new DLP (Data Loss
Prevention) application. After appropriate tailoring, the application can screen all
incoming and outgoing emails transferred through the company’s corporate network, as well as all
“static” information (data and files kept in company folders and drives, including employee PC
hard drives, etc.).
The management committee asks the IT & Compliance teams several questions regarding data
protection; in particular, they would like to know under which conditions the company can implement
the tool and what measures it should take to make the implementation of the DLP solution compliant
with GDPR rules.
Moreover, they wonder whether they are obliged to conduct a PIA for this application and, if so,
to identify the relevant risks and mitigating measures.
--------------------------------------
1] What questions would you ask to define whether a PIA is mandatory in this case?
2] What questions would you ask to define the risks to the data subjects?
3] What questions would you ask to define the risks to the German bank, the group or other parties?
4] Can you help the Legal team to identify and risk-rank the related risks based on the table below?
Table columns: Data Protection Requirement | Risk to Individuals | Risk to company / group, other persons | Risk ranking (high, medium, low) | Mitigation measure
Daniel Drewer
Biographical Details – Daniel Drewer
July 2017
05.09.2017
ERA Summer Course on Data Protection Law
1. Aim
The aim of the simulation exercise is to provide a practical example of the main challenges of the
function of Data Protection Officer. The simulation’s goal is to apply in practice the main data
protection principles as enshrined in the GDPR.
2. Case study
You are the Data Protection Officer of an organisation that would like to introduce an IT system
designed to collect and store information by automated means on working hours, supplementary
working hours (overtime), and absences of employees.
The proposal comes to you for assessment and evaluation on a Thursday afternoon. The colleague
from Human Resources stresses the importance of the file, since the financial auditors requested the
organisation to implement such a system a long time ago. Management has therefore approved the
purchase of the related IT software and hardware (smartcards, badge scanners, etc.). The IT and Security
department has signalled that the system could be operational next Monday. Only the green light from
the DPO is missing. The Director has invited the DPO to a meeting on Friday morning to discuss
the urgency of the file.
3. Considerations
What further procedural steps have to be undertaken before the implementation of the new
processing operation?
What measures are going to be taken to ensure that infringements of the rights to private life are
limited to a minimum?
How would you provide sufficient information about the monitoring that takes place to employees?
Daniel Drewer
Julien is a senior associate in the Bird & Bird Brussels office specialised in Technology, Media
& Telecommunications, Privacy & Data Protection and Intellectual Property.
He regularly undertakes both advisory work and litigation in a wide range of legal
areas including privacy and data protection, copyright, e-commerce, e-marketing and IT
contracts. Julien assists clients in information technology-related matters such as cloud
computing, big data, the Internet of Things, 3D printing, cookies, electronic signatures,
intermediary liability and online gaming.
Moreover, Julien managed the legal aspects of the CoCo cloud EU-funded research and
innovation project on cloud computing until end-2016 and currently manages the entire legal
compliance of the 6M€ Toreador EU-funded research and innovation project on big data.
He recently co-authored the book "Vers un droit européen de la protection des données ?"
published by Larcier, where he focused on companies' compliance obligations.
Before being admitted to the Brussels Bar and joining Bird & Bird in 2011, Julien obtained his
Law degree at the University of Louvain. His international experience is strengthened through
his participation in the CBL International China Law School at Tongji University in Shanghai.
GDPR Challenges of New Technologies
Julien Debussche
Bird & Bird LLP
julien.debussche@twobirds.com
Senior Associate, Brussels office
September 2017
Page 2
© Bird & Bird LLP 2017 This work was partly supported by the EU-funded project TOREADOR (contract n. H2020-688797)
About me
About CoCo Cloud (Confidential and Compliant Cloud Computing)
About TOREADOR (TrustwOrthy model-awaRE Analytics Data platfORm)
Overview of key aspects of the GDPR
• Principles
• Accountability
• Roles of Actors
• Grounds for Processing
• Rights of Individuals
• International Data Transfers
• Security & Breach Notifications
• Anonymisation and Pseudonymisation
GDPR – Principles
The 7 principles (diagram):
• Lawfulness, fairness & transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity & confidentiality
• Accountability
GDPR – Accountability
Facets of the accountability principle (diagram):
• Privacy-by-design & Privacy-by-default
• Adherence to approved codes of conduct, certifications, etc.
• Registers of Processing Activities (RPA)
• Contractual organisation (policies, contracts, procedures, etc.)
• Privacy Impact Assessments (PIAs)
• Data Protection Officer (DPO)
GDPR – Roles of Actors
• Data (co-)controller: the natural or legal person, public authority, agency or other body which, alone or
jointly with others, determines the purposes and means of the processing of personal data (…)
• Data (sub-)processor: a natural or legal person, public authority, agency or other body which processes
personal data on behalf of the controller
• Recipient: a natural or legal person, public authority, agency or another body, to which the personal
data are disclosed, whether a third party or not
• Third party: a natural or legal person, public authority, agency or body other than the data subject,
controller, processor and persons who, under the direct authority of the controller or processor, are
authorised to process personal data
• Data subject: an identified or identifiable natural person
GDPR – Ground for Processing
Processing on the basis of consent
Processing is necessary:
GDPR – Right of Individuals
Portability
GDPR – International Data Transfers
EEA
GDPR – Security
Appropriate technical and organisational measures, taking into account (diagram):
• the state of the art
• the costs of implementation
• the nature, scope, context and purposes of processing
• the risk for the rights and freedoms of natural persons
• Proportionality
• Suggestions of (generic) measures in the GDPR
• Adherence to an approved code of conduct or an approved certification mechanism may be used as an
element to demonstrate compliance with the security requirements
GDPR – Breach Notifications
• Notification obligations
• Data controller to notify affected individuals
• Without undue delay
• Notification is not required in certain cases
Overview of "disruptive technologies"
(Diagram: the ability of turning data into value – Data, Big Data, Artificial Intelligence, Internet of Things, Cloud Computing)
Taxonomy of types of data*
*Information Commissioner's Office, 'Big Data, Artificial Intelligence, Machine Learning and Data Protection' (ICO 2017) 1 <https://ico.org.uk/media/for-organisations/documents/2013559/big-data-ai-ml-and-data-protection.pdf>
Multiplicity of Actors in the Data Value Cycle
Source: OECD, Data-driven Innovation: big data for Growth and Well-being [2015] OECD Publishing, Paris.
A TOREADOR example
• Based on an asset management platform called the
"Lightsource Monitoring Platform"
• Aims to provide information on the operation of the
Lightsource solar farms and smart homes in order to
improve the functioning and the maintenance of those
farms/smart homes
• A considerable volume and variety of data is collected from
the solar farms and smart homes and subsequently
analysed
• The categories of data collected from the solar farms
include both data inherent to the solar installations as such
(energy-related data) and data related to the installations'
surroundings (ambient data); for example:
• Energy-related data: active and reactive energy; active and
reactive power; voltage, current and frequency levels; daily
energy produced; total energy produced; string combiner
details; etc.
• Ambient data: irradiance data; ambient temperature data;
photovoltaic module temperature data; wind speed/direction
data; humidity data; etc.
• The categories of data collected from the smart homes
include, among others: generated power/energy,
consumed power/energy, export-import power/energy,
frequency and voltage levels, etc.
Analysis of selected data protection issues
• Contractual arrangements between key actors
• Grounds for processing
• Purpose limitation and further processing
• Accountability: privacy-by-design & by-default
• Anonymisation & pseudonymisation
Overview of key aspects of the GDPR
• 7 Key principles (further processing limits)
• Accountability
• Actors
• Grounds for processing
• Rights of individuals (automated decision-making / profiling)
• International data transfers
• Security & Breach notifications
Contractual arrangements between key actors
Contractual arrangements between key actors
Engaging processors and sub-processors
• Controllers may only appoint data processors that provide sufficient guarantees to implement
appropriate technical and organisational measures to ensure processing meets the requirements of the GDPR
• Processors are required to process personal data in accordance with the controller's instructions
• The controller-processor relationship must be governed by a contract
• Engaging sub-processors is strictly regulated
• Prior written consent (which can be general)
The contract must set out, about the data processing:
• Subject-matter of the processing
• Duration of the processing
• Nature and purpose of the processing
• Type of personal data and categories of data subjects
The rights and obligations of the controller:
• The obligations and rights of the controller (in general)
The obligations of the data processor to:
• Process personal data only on documented instructions from the controller
• Transfer personal data to a third country or an international organisation only on documented
instructions from the controller (unless required to do so by law)
• Ensure that persons authorised to process the personal data are bound by a confidentiality obligation
• Implement appropriate technical and organisational measures to ensure a level of security
appropriate to the risk
• Assist the controller, insofar as this is possible, for the fulfilment of the controller's obligation to
respond to requests for exercising the data subject's rights
• Assist the controller with the data breach notification requirements
• Assist the controller with data protection impact assessment (“DPIA”) requirements
Contractual arrangements between key actors
Grounds for processing
Lawful processing
• Article 6(1) GDPR sets out the conditions for the processing of personal data to be lawful (from the outset
and throughout the activity)
• It must always be based on one of the 6 grounds exhaustively listed in the GDPR
• Broadly replicate those in the Data Protection Directive - but
– specified in several ways
– exemplified in some cases in the corresponding Recitals of the GDPR
• Such grounds can be difficult to rely on with new technologies – application to big data analytics
Processing on the basis of consent
Processing is necessary:
for the performance of a contract with the individual or to perform pre-contractual obligations
for compliance with a legal obligation
to protect the vital interests of the individual or of another natural person
for the performance of a task carried out in the public interest …
for the purposes of the legitimate interests of the controller
Grounds for processing
• However:
• A balance must be struck between the interests of the organisation and those of individuals
• The processing must be “necessary” for the legitimate interests of the controller (or third party)
– a certain threshold must be met (the processing must be more than just potentially interesting)
– there must be no other way of meeting the legitimate interest that interferes less with people's privacy!
• The balance of interests should not be over-stretched so as to encompass any possible third-party interest
Purpose limitation and further processing
• Personal data must
• be collected for specified, explicit and legitimate purposes;
• not be further processed in a way incompatible with those purposes
• Distinguishing between compatible and incompatible processing is often a complex and delicate exercise
• Compatibility must be assessed on a case-by-case basis
• Transparency towards individuals must be preserved in case of further processing (the aim of the
processing and the manner in which it takes place)
Factors to consider when assessing whether any further processing is for an (in)compatible purpose
(Article 29 Working Party Opinion 03/2013 compared with Article 6(4) GDPR):
• WP29: the relationship between the purposes for which the personal data have been collected and the
purposes of further processing = GDPR: any link between the purposes for which the personal data have
been collected and the purposes of the intended further processing
• WP29: the context in which the personal data have been collected and the reasonable expectations of
the data subjects as to their further use = GDPR: the context in which the personal data have been
collected, in particular regarding the relationship between data subjects and the controller
• WP29: the nature of the personal data and the impact of the further processing on the data subjects
≈ GDPR: the nature of the personal data, in particular whether special categories of personal data are
processed, (…), or whether personal data related to criminal convictions and offences are processed, (…)
• WP29: the safeguards adopted by the controller to ensure fair processing and to prevent any undue
impact on the data subjects = GDPR: the existence of appropriate safeguards, which may include
encryption or pseudonymisation
• WP29: (no counterpart) ≠ GDPR: the possible consequences of the intended further processing for data
subjects
Purpose limitation and further processing – scenarios (decision flow)
Processing personal data for purpose 1:
• Based on consent → Scenario 1: is processing for purpose 2 based on a new consent? Yes → no
compatibility test needed; processing for purpose 2 can take place. No → the following scenarios apply.
• Scenario 2: is processing for purpose 2 permitted by EU or Member State law (GDPR "restrictions")?
Yes → no compatibility test needed; processing for purpose 2 can take place. No → Scenario 3.
• Based on another ground (e.g. legitimate interest) → Scenario 3: compatibility test required (factors:
context, nature, safeguards, consequences). Compatible?
– Yes → Scenario 3B: processing for purpose 2 based on the same ground as purpose 1
– No → Scenario 3A: liberal view: can process for purpose 2 with a new ground; restrictive view:
cannot process
Accountability: privacy-by-design & by-default
Privacy-by-design
Accountability: privacy-by-design & by-default
Privacy-by-default
Sources: George Danezis and others, 'Privacy and Data
Protection by Design – from Policy to Engineering'
(December 2014)
Control – Collection
• Individuals should be provided agency over the processing of their data
• Techniques: appropriate consent mechanisms; opt-out mechanisms; mechanisms to express privacy
preferences; sticky policies; personal data stores
Anonymisation & pseudonymisation
Anonymisation & pseudonymisation
● Recital 26 GDPR
• Data protection principles should not apply to anonymous data (data subject is no longer identifiable)
● WP29 Opinion 05/2014
• Requires anonymisation as permanent as erasure (irreversible)
• Three key questions
– Is it still possible to single out an individual?
– Is it still possible to link records relating to an individual?
– Can information be inferred concerning an individual?
Anonymisation: as a means to avoid the applicability of data protection law?
Pseudonymisation: as a means to avoid the applicability of specific obligations; as a means to comply
with data protection law
Is there still a risk of:
Technique | Singling out | Linkability | Inference
Noise addition | Yes | May not | May not
Substitution | Yes | Yes | May not
Aggregation or K-anonymity | No | Yes | Yes
L-diversity | No | Yes | May not
Differential privacy | May not | May not | May not
Hashing/Tokenization | Yes | Yes | May not
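The three WP29 questions and the technique table above, as an added Python example that is not part of the slides: a constructed patient table is evaluated raw, after aggregation (k-anonymity) and after hashing/tokenisation, and each release is checked for singling out, linkability to a second release and inference. The records, the second release, the key and all helper names are constructed for this illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample data (not from the slides): a tiny "patient" table with a
# direct identifier (name), quasi-identifiers (zip, age) and a sensitive attribute.
RELEASE_1 = [
    {"name": "Alice",  "zip": "10115", "age": 34, "diagnosis": "flu"},
    {"name": "Bruno",  "zip": "10117", "age": 36, "diagnosis": "flu"},
    {"name": "Carla",  "zip": "10119", "age": 38, "diagnosis": "asthma"},
    {"name": "Dieter", "zip": "10243", "age": 51, "diagnosis": "diabetes"},
    {"name": "Elena",  "zip": "10245", "age": 55, "diagnosis": "diabetes"},
    {"name": "Farid",  "zip": "10247", "age": 58, "diagnosis": "diabetes"},
]
# A second constructed release about some of the same people (e.g. a survey),
# used to test whether records can still be linked across datasets.
RELEASE_2 = [
    {"name": "Alice", "zip": "10115", "age": 34, "smoker": False},
    {"name": "Farid", "zip": "10247", "age": 58, "smoker": True},
    {"name": "Greta", "zip": "10409", "age": 29, "smoker": False},
]
QUASI_IDS = ("zip", "age")


def equivalence_classes(records, quasi_ids):
    """Group records that share the same quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi_ids)].append(r)
    return classes


def k_anonymity(records, quasi_ids):
    """k = size of the smallest equivalence class; k == 1 means someone can be singled out."""
    return min(len(c) for c in equivalence_classes(records, quasi_ids).values())


def l_diversity(records, quasi_ids, sensitive):
    """l = fewest distinct sensitive values in any class; l == 1 means the value can be inferred."""
    return min(len({r[sensitive] for r in c})
               for c in equivalence_classes(records, quasi_ids).values())


def linkable(release_a, release_b, quasi_ids):
    """True if some quasi-identifier tuple occurs in both releases, i.e. the records can be joined."""
    keys_a = set(equivalence_classes(release_a, quasi_ids))
    keys_b = set(equivalence_classes(release_b, quasi_ids))
    return bool(keys_a & keys_b)


def generalise(records):
    """Aggregation: drop the name, coarsen zip to 3 digits and age to a 10-year band."""
    out = []
    for r in records:
        g = {k: v for k, v in r.items() if k != "name"}
        g["zip"] = r["zip"][:3] + "**"
        decade = r["age"] // 10 * 10
        g["age"] = f"{decade}-{decade + 9}"
        out.append(g)
    return out


def pseudonymise(records, secret=b"constructed-demo-key"):
    """Hashing/tokenisation: replace the name with a keyed SHA-256 token, keep all other fields."""
    out = []
    for r in records:
        p = dict(r)
        p["token"] = hashlib.sha256(secret + r["name"].encode()).hexdigest()[:16]
        del p["name"]
        out.append(p)
    return out


def wp29_questions(release, other_release, quasi_ids, sensitive):
    """Answer the three WP29 Opinion 05/2014 questions for one release of the table."""
    return {
        "singling_out": k_anonymity(release, quasi_ids) == 1,
        "linkability": linkable(release, other_release, quasi_ids),
        "inference": l_diversity(release, quasi_ids, sensitive) == 1,
    }


if __name__ == "__main__":
    # Raw: everything is still possible. Generalised: k = 3, so no singling out, but the
    # 50-59 class is all "diabetes" (l = 1), so inference remains, as the table says for
    # aggregation/k-anonymity. Tokenised: each token is unique and stable across releases,
    # so singling out and linkability remain (the table's "Yes, Yes").
    cases = (
        ("raw", RELEASE_1, RELEASE_2, QUASI_IDS),
        ("generalised", generalise(RELEASE_1), generalise(RELEASE_2), QUASI_IDS),
        ("tokenised", pseudonymise(RELEASE_1), pseudonymise(RELEASE_2), ("token",)),
    )
    for label, rel, other, qids in cases:
        print(label, wp29_questions(rel, other, qids, "diagnosis"))
```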
Anonymisation & pseudonymisation
Data Ownership
• Multitude of actors involved in the data value cycle
• No EU or national legislation regulates the question of ownership in data
• CJEU case law does not recognise an ownership right in data
– Ownership in intangible assets (UsedSoft)?
• However: numerous legislations impact data somehow
• No civil law ownership over intangible assets such as data
• Need to protect companies' assets engaged in the data economy?
• To what extent can or will organisations claim proprietary rights in data?
Ownership of data
Complex EU Legal Framework (diagram):
• Ownership-like rights: Intellectual Property (Copyright, Database rights, Trade secrets)
• Competition rights & obligations: Agreements between undertakings; Merger & acquisitions
• Individuals' rights: Privacy (GDPR), e-Privacy, Consumer rights
• Data sharing obligations (non-exhaustive): Life Sciences, Public sector, Food, Automotive, Spatial,
Transport, Utilities, Energy, Aviation, Financial services, Chemicals, Pharmaceuticals, Environment
Ownership of data
Is privacy and data protection the main issue relating to data discussed by scholars in your jurisdiction?
Country | Belgium | France | Germany | Italy | Spain | UK
Privacy & Data Protection aspects | Yes | Yes | Yes | Yes | Yes | Yes
• Complex EU legal framework not fit for purpose
• Data ownership not addressed
• Maze of different possibly applicable legislations
• Dichotomy between the EU's striving for a data economy and the flawed legal framework
• Consequences: reluctance to engage in data sharing initiatives; hurdle to the uptake of data analytics
(Diagram: EU legal framework versus building a European Data Economy)
Ownership of data
Moving forward – our suggestion
(https://www.twobirds.com/en/news/articles/2017/global/data-ownership-in-the-context-of-the-european-data-economy)
• Creation - in favour of each processor - of a non-exclusive, flexible and extensible
"ownership" right in data(sets)
• Safeguards:
• Data traceability obligation (updated log file of each path of successive process)
• "FRAND" principle (in line with market evolution)
• Characteristics:
– non-exclusive ownership-type of right (not IP)
– right in individual pieces of data (extending to the entire datasets)
– traceability obligation & FRAND principle
• The log file obligation shall match the GDPR accountability principle where applicable
• Reinforcement of the concept of "independent creation" (log file as evidence)
Thank You!
Julien Debussche
Bird & Bird LLP
julien.debussche@twobirds.com
Senior Associate, Brussels office
September 2017
twobirds.com
Paul Van den Bulck
Paul Van den Bulck’s practice focuses on legal issues around information technology
(IT), data privacy and security, intellectual property (IP), media and entertainment,
and fair trade practices. He counsels clients from a broad spectrum of industries on
day-to-day IT and IP issues. Paul provides strategic advice to clients on all aspects of
international and domestic data protection and security, including general
compliance (processing for HR purposes, CRM strategy, direct marketing compliance,
etc.), information security and cybercrime, international data transfers, processing
and cloud agreements, policy and procedure assistance. In addition, he assists clients
in their relationships with certain national data protection authorities. Paul holds
the CIPP/E certification as a Certified Information Privacy Professional from the
International Association of Privacy Professionals (IAPP).
Paul regularly serves as a mediator and arbitrator in information technology and
intellectual property disputes (WIPO, CMAP, b.Mediation; CEPANI; etc.). He also acts
as arbitrator for Pharma.be, the Belgian Pharmaceutical Industry Association.
Paul is a member of the Brussels and Paris Bars.
He was the recipient of a BAEF fellowship from the Hoover Foundation Brussels
(1992) and of a Wiener-Anspach fellowship from Cambridge University (1992).
Paul and his team are consistently ranked in The Legal 500 Europe, Middle East &
Africa. In the 2017 edition, The Legal 500 noted that “The firm has notable expertise
in cloud computing, data security and data breaches." The Brussels-based IT lawyers
at McGuireWoods LLP are valued for their "outstanding level of service" and
"sophisticated legal engineering". Practice head Paul Van den Bulck shows
“creativity and personal commitment.”
In previous years, The Legal 500 has described Paul as “a great listener and well
connected in Brussels and Paris,” and said “McGuireWoods LLP [in Belgium] has a
"highly dedicated team which gives concise advice". Paul has also been described as
having “excellent knowledge of legislation in privacy and data protection.”
Paul is also very active in non-profit associations.
The EU Toolkit
For International Transfers (I)
ERA
Trier, 14th September 2017
www.mcguirewoods.com
Plan
3. Adequacy decisions
McGuireWoods | 2
Third country transfer notion
Third country transfer notion
Examples:
• Sent by post or email by an EU controller to a third country recipient
• Internet-based deliberate transfer: push
• Internet-based permitted access: pull
• Direct on-line collection in the EU by a non-EU processor, on behalf
of an EU controller
• Publication on the internet by an EU controller (But Lindqvist case
(2003) C-101/01): according to EDPS, must be limited to
"circumstances such as those in the case in the main proceedings"
Conditions for international transfer
Conditions for international transfer
• Necessary for the protection of the data subject’s or another person’s vital
interests, where the data subject is physically incapable of giving consent
• Made from an official register providing information to the public
and open to consultation by the public or by any person having a
legitimate interest, to the extent that the conditions laid down by
Union or Member State law for consultation are fulfilled
• When no other means possible, necessary for the purposes of
compelling legitimate interests not overridden by the data subject’s
interests or rights and freedoms, provided that:
– Assessment of all circumstances surrounding the transfer and
provision of suitable safeguards;
– Notification to supervisory authority; and
– Notification to data subject on the transfer and compelling legitimate
interests.
Adequacy decisions
• New criteria for the Commission to decide what will be the next
countries to assess:
• Extent of EU's commercial relation
• Extent of personal data flows
• Pioneering role of the third country in data protection ("model
for the region")
• Overall political relationship
EU-U.S. Privacy Shield
The Privacy Shield tried to address the issues raised by the Safe
Harbor decision:
EU-U.S. Privacy Shield - Oversight
EU-U.S. Privacy Shield - Remedies
• Civil cause of action for money damages when data has been
unlawfully used or disclosed
• Suing officials in their personal capacity for money damages
• Challenging the legality of surveillance if the government intends
to use or disclose data obtained from electronic surveillance against
the individual in judicial or administrative proceedings
But those mechanisms do not cover all legal bases for surveillance
EU-U.S. Privacy Shield – Validity
EU-U.S. Privacy Shield – Pending cases
• Action brought before CJEU on 16 September 2016 by Digital Rights
Ireland:
– U.S. law still allows secret agencies’ access on a generalized basis to the
content of electronic communications
– No complete transposition of the right to access, rectify, oppose and erase
– No authority with complete effective and binding redress power
Annual Review
Questions or Comments?
www.mcguirewoods.com
pvandenbulck@mcguirewoods.com
@Pbulck
T: +32 629 42 39
M: +32 475 52 84 08
The EU Toolkit For International
Transfers (II)
ERA
Trier, 14th September 2017
www.mcguirewoods.com
Plan
1. Appropriate safeguards
2. Binding Corporate Rules
3. Contractual Clauses (Standard and Ad hoc)
4. Codes of conduct
5. Certification
6. Derogations
7. Specific information to data subjects
8. Redress and remedies
Appropriate safeguards: principle and requirements
List of appropriate safeguards
Those which do not require authorization from a supervisory
authority include, among other things:
• Binding Corporate Rules (BCR)
• Standard data protection clauses (SDPC):
– Adopted by the Commission, or
– Adopted by a supervisory authority and approved by the Commission
• Approved Code of conduct with binding commitments to apply the
appropriate safeguards, including data subjects’ rights
• Approved Certification mechanism with binding commitments to
apply the appropriate safeguards, including data subjects’ rights
Binding Corporate Rules
BCRs must:
• Be binding upon involved undertakings, including their employees,
and
• Include all basic principles and enforceable rights to ensure
appropriate safeguards for transfers
BCRs shall, at minimum, specify:
• The structure and contact details of the group of undertakings and
of each of its members
• The data transfers characteristics, including categories of data, type
of processing and purposes, type of data subjects and the third
countries where data are transferred
• The extent to which they are legally binding
• The application of the general data protection principles, e.g.
purpose limitation, data minimisation, limited storage periods, data
quality, data protection by design and by default, legal basis for
processing, data security, requirements for onward transfers
• The rights of data subjects and the means to exercise those rights
• Acceptance by the entities of liability for any breaches of the BCR
• How information is provided to data subjects
• The mechanisms for ensuring the verification of compliance with the BCR
Contractual clauses (SCC, SDPC)
Common means pre-drafted and enacted by the Commission:
transfer by contractual agreement concluded between the
exporter and the importer
Contractual clauses (ACC)
The SCC already allow additional clauses, provided that they do not
contradict the mandatory clauses, so ACC are unlikely to be used much
Codes of conduct
Adherence of a data importer to a code of conduct coupled with a
binding and enforceable commitment by the controller or processor to
apply the appropriate safeguards
The Code must provide mechanisms enabling a body to carry out the
mandatory monitoring of compliance with its provisions
Certification
Set of rules and standards, made legally binding through a binding and
enforceable commitment taken by the importer, including where the
GDPR is not applicable to the importer
To be accredited, certification bodies must:
• Be independent, have no conflict of interest and demonstrate expertise
in data protection
• Have procedures for the issuing, periodic review and withdrawal of
certification
• Have transparent procedures to handle complaints about infringements
of the certification
Derogations for specific situations
In the GDPR, these conditions are required only for one derogation:
the compelling legitimate interest.
Derogations include:
• Explicit consent, with information on risks due to the absence of
adequacy decisions or appropriate safeguards
• Necessary for contract performance or precontractual measures
implementation at data subject’s request
• Necessary for conclusion of a contract between controller and third
party in the data subject’s interest
• Necessary for important reasons of public interest
• Necessary for the establishment, exercise or defense of legal claims
• Necessary for the protection of the data subject’s or another person’s vital
interests, where the data subject is physically incapable of giving consent
• Made from an official register providing information to the public
and open to consultation by the public or by any person having a
legitimate interest, to the extent that the conditions laid down by
Union or Member State law for consultation are fulfilled
• When no other means possible, necessary for the purposes of
compelling legitimate interests not overridden by the data subject’s
interests or rights and freedoms, provided that:
– Assessment of all circumstances surrounding the transfer and
provision of suitable safeguards (e.g. DPIA);
– Notification to supervisory authority; and
– Notification to data subject on the transfer and compelling legitimate
interests.
Specific information of the data subject
Redress and remedies
Some are specific to the appropriate safeguard used:
• BCRs: commitment to render principles binding and enforceable
• SCC: e.g., joint liability between importer and exporter (Set I controller
to controller)
Supervisory authority: Right to lodge a complaint
• Measures (non-pecuniary): interdiction, enforcement of data subject’s
rights, etc., or
• Fines of up to EUR 20.000.000 or up to 4% of the total worldwide
annual turnover of the previous financial year, whichever is higher
NB: In Estonia and Denmark, no administrative fines possible
– Denmark: criminal fines imposed by courts
– Estonia: criminal fines imposed by supervisory authority but under a specific procedure
Courts: right to an effective judicial remedy against a controller or
processor:
• Measures: appeal from Supervisory Authority
• Liability and right to compensation:
– Controller and processor are liable for any damage caused by processing
infringing transfer requirement
– Exemption from liability if one proves that it is not responsible for the
event giving rise to the damage
– Where more than one controller or processor involved in the same
processing: each controller or processor is liable for the entire damage
toward the data subject
– If one paid full compensation: possibility to claim back for the part
corresponding to the actual part of responsibility
Questions or Comments?
www.mcguirewoods.com
pvandenbulck@mcguirewoods.com
@Pbulck
T: +32 629 42 39
M: +32 475 52 84 08
CASES
Case study n° 1
Facts
X, a European trade union of workers, has decided to share personal data of its members with
Y, another trade union located in Brazil.
At the time of the data collection, processing was based on explicit consent.
Brazil does not ensure an adequate level of protection and X plans to justify the transfer on the
basis of consent.
X sent an email to its members, stating that the transfer does not imply any privacy risk, with
a box to check and a sentence drafted as follows:
"By checking this box, I accept the transfer of my personal data from X to Y in Brazil."
Case study n° 2
Facts
Under this partnership, X transfers its clients’ data to Y in order for the latter to perform
marketing campaigns.
X and Y entered into an agreement named "data processing and transfer agreement", drafted
by their legal counsel, providing enforceable means for the data subjects to exercise their
rights, and effective ways to obtain compensation in case of breach of the agreement or the
GDPR.
Question: is this "data processing and transfer agreement" sufficient for the international transfer
to be lawful?
Case Study n° 3
Facts
X has several subsidiaries in the EU and one commercial partner in the U.S., Y.
X has entered into a joint venture agreement with Y to exercise a joint activity in the U.S.,
resulting in a joint entity named X/Y. X shares some of the data it processed as a controller
with Y and with X/Y.
All personal data related to the employees of the group X, including X/Y's employees, are
stored by a cloud-computing provider, Z, located in China.
Questions:
1. First question: X, Y and X/Y want to implement a solid framework of data protection that
could render their internal transfer related to the joint activity legitimate. They want to avoid
the use of certification or codes of conduct. What instrument could they use?
2. Second question: Z wants to adhere to a Code of conduct recently issued by the cloud-
computing industry. How can X be sure that the application of this Code of conduct would
make the transfer legitimate?
Case study n° 4
Facts
X processes personal data concerning employees and clients and is the controller for this
processing.
At the time of the conclusion of the Service Agreement, Y has already adhered to a certification
complying with all the GDPR requirements for international transfers. Three years later, Z
acquires Y.
Case study n° 5
Facts
X is a media company.
X processes its employees’ data and is the controller for this processing.
A due diligence will be carried out by Y to review X’s assets and documents.
During this due diligence, contractual documents containing all employees’ personal data will
be processed by Y in China.
Question: X believes that the data transfer to Y can be based on its compelling legitimate interest.
Is it true?
ANSWERS
Case study n° 1
Answer
For the processing: personal data revealing trade union membership are sensitive data, so explicit
consent is a lawful legal basis (Art. 9.2.a GDPR)
Case study n° 2
Answer
Case study n° 3
Answers
Case study n° 4
Answer
In principle, certification remains after the acquisition, but only for the processing already
covered by the certification, not possible new processing resulting from the acquisition.
Y or Z should renew the certification (42.7, GDPR: certification must be renewed after three
years).
Case study n° 5
Answer
She studied Law at the universities of San Sebastián (Spain), Pau et les Pays de l'Adour (France)
and Leuven (Belgium). Subsequently she followed a LL.M. European Law postgraduate
programme at the University of Leuven where she graduated magna cum laude in 1993. From
1994 to 1998 she worked as research fellow for the Interdisciplinary Centre for Law and
Information Technology (ICRI) of the Catholic University of Leuven (K.U.L.) where she carried
out several data protection comparative research projects for the European Commission. In this
same period she spent one year acting as privacy expert for the Belgian Data Protection Authority
in Brussels.
In April 1998 she joined the Dutch Data Protection Authority where she was a Senior
International Officer working under the direct supervision of Peter Hustinx until the end of
January 2002. During this period she dealt with the international cases and represented The
Netherlands in several international working groups, such as the article 29 Working Party and
many of its sub-groups, in Brussels and Strasbourg. She was a member of the Drafting Group of
the Consultative Committee on Convention 108 at the Council of Europe as well as one of the
vice-chairs. She acted as data protection expert in official missions of the Council of Europe and
was one of the driving forces of the Complaints Workshop for staff of the DPAs, leading their
network for exchange of information on international cases and information requests from its start
until she left the Dutch DPA to join the European Commission (1 February 2002).
From February 2002 to November 2003 she worked at the Data Protection Unit of Directorate
General Internal Market of the European Commission, in Brussels. She was closely involved in
the activities of the Article 29 Working Party and several of its subgroups as a member of the
secretariat and was responsible within this unit for topics such as Internet, e-commerce, privacy-
enhancing technologies, European codes of conduct, bilateral negotiation with several countries
(including USA) and so forth.
She is author of numerous articles and reports dealing with data protection at European level in
the first and third pillar and is often invited as speaker at European and international data
protection conferences. She has also performed as guest lecturer at the universities of Tilburg
(Netherlands) and Edinburgh (UK). She is a Spanish national and speaks five languages.
Contact details:
Eurojust
Johan de Wittlaan 9
NL-2517 JR The Hague
Tel: +31 70 412 5510
Fax: + 31 70 412 5515
dalonsoblas@eurojust.europa.eu
INTERNATIONAL TRANSFERS OF
PERSONAL DATA, DATA RETENTION
AND SURVEILLANCE IN THE LAW
ENFORCEMENT AREA
Topics
• Introduction: the existing and future legal
framework in the law enforcement area
• International transfers: concept and basic
requirements
• Mechanisms/instruments for international
transfers in law enforcement field depending
on the actors involved
• Existing international agreements
• Data retention/surveillance in the EU after the
Digital Rights Ireland case
INTRODUCTION: THE EXISTING AND
FUTURE LEGAL FRAMEWORK IN
THE LAW ENFORCEMENT AREA
Exclusion from Directive 95/46/EC Scope/derogations
• Article 3.2. This Directive shall not apply to the processing of personal data:
– in the course of an activity which falls outside the scope of Community law, such
as those provided for by Titles V and VI of the Treaty on European Union and in
any case to processing operations concerning public security, defence, State
security (including the economic well-being of the State when the processing
operation relates to State security matters) and the activities of the State in
areas of criminal law
• Article 13.1. Member States may adopt legislative measures to restrict the scope of
the obligations and rights provided for in Articles 6 (1), 10, 11 (1), 12 and 21 when
such a restriction constitutes a necessary measure to safeguard:
– (a) national security;
– (b) defence;
– (c) public security;
– (d) the prevention, investigation, detection and prosecution of criminal
offences, or of breaches of ethics for regulated professions;
• Case law: PNR, Traffic data retention
• Transposition beyond article 3.2 in many countries
Treaty on the Functioning of the EU (Lisbon)
• Lisbon Treaty
– Directive 95/46/EC will not automatically apply to the police and judicial
cooperation sector (Art. 3(2) excluded activities outside the scope of the Community
law and also activities of the State in the area of criminal law);
Article 16 TFEU
Declaration 21 of the Lisbon Treaty
Data Protection in the European JHA field: rules of
general character presently applicable
Framework Decision 2008/977/JHA, on data protection
• More specific DP regimes in other EU legislation are left untouched: Eurojust, Europol,
CIS, SIS
Data Protection in the European JHA field: sectoral rules
Directive 2016/680 “Police Directive”
Transfers of data to third
countries
• Exceptions: article 26
• Adequate safeguards
– Contractual clauses
– Binding corporate rules
• Schrems case: The word ‘adequate’ signifies that a third country cannot
be required to ensure a level of protection identical to that guaranteed
in the EU legal order. However, the term ‘adequate level of protection’
must be understood as requiring the third country in fact to ensure, by
reason of its domestic law or its international commitments, a level of
protection of fundamental rights and freedoms that is essentially
equivalent to that guaranteed within the EU by virtue of Directive
95/46 read in the light of the Charter.
Data transfers in the GDPR
• Same scheme as in Directive 95/46 in general: adequate level
of protection as main principle, based on a Commission
decision.
• Periodic reviews of the EC foreseen
• Adequate safeguards as second option, having BCRs now
specific regulation. Consistency mechanism applies.
• Derogations for specific situations as last resort
• No big changes, although more alignment between DPAs and more
clarity are sought.
• Specific provision re transfers or disclosures based on
judgments of a court or tribunal and decision of an
administrative authority of a third country: only recognised
or enforceable if based on international agreement such as
MLA treaty…
General principles “Police Directive”
General principles for transfers of personal data
1. Member States shall provide for any transfer by competent authorities of personal data
which are undergoing processing or are intended for processing after transfer to a third
country or to an international organisation including for onward transfers to another third
country or international organisation to take place, subject to compliance with the national
provisions adopted pursuant to other provisions of this Directive, only where the conditions
laid down in this Chapter are met, namely:
(a) the transfer is necessary for the purposes set out in Article 1(1);
(b) the personal data are transferred to a controller in a third country or international
organisation that is an authority competent for the purposes referred to in Article 1(1);
(c) where personal data are transmitted or made available from another Member State, that
Member State has given its prior authorisation to the transfer in accordance with its
national law;
(d) the Commission has adopted an adequacy decision pursuant to Article 36, or, in the
absence of such a decision, appropriate safeguards have been provided or exist pursuant to
Article 37, or, in the absence of an adequacy decision pursuant to Article 36 and of
appropriate safeguards in accordance with Article 37, derogations for specific situations
apply pursuant to Article 38; and
(e) in the case of an onward transfer to another third country or international organisation, the
competent authority that carried out the original transfer or another competent authority of
the same Member State authorises the onward transfer, after taking into due account all
relevant factors, including the seriousness of the criminal offence, the purpose for which
the personal data was originally transferred and the level of personal data protection in the
third country or an international organisation to which personal data are onward
transferred.
2. Member States shall provide for transfers without the prior authorisation by another
Member State in accordance with point (c) of paragraph 1 to be permitted only if the transfer
of the personal data is necessary for the prevention of an immediate and serious threat to
public security of a Member State or a third country or to essential interests of a Member
State and the prior authorisation cannot be obtained in good time. The authority responsible
for giving prior authorisation shall be informed without delay.
3. All provisions in this Chapter shall be applied in order to ensure that the level of
protection of natural persons ensured by this Directive is not undermined.
General scheme
• Respect of general conditions Directive (legitimacy of
processing)
• Adequacy decision EC + periodic review
• Appropriate safeguards through legally binding
instrument or assessment of controller. In such case
DPA needs to be informed as to categories+
documentation
• Derogations for specific situations. Documentation.
– Interpretation will be the issue in practice
• Specific article on transfers provided in EU or MS law
or international agreements to recipients in third
countries in individual and specific cases. Subject to
conditions + documentation
Additional relevant provisions
• Article 60: Union legal acts already in force
The specific provisions for the protection of personal data in Union legal
acts that entered into force on or before 6 May 2016 in the field of
judicial cooperation in criminal matters and police cooperation, which
regulate processing between Member States and the access of
designated authorities of Member States to information systems
established pursuant to the Treaties within the scope of this Directive,
shall remain unaffected.
EXISTING INTERNATIONAL
AGREEMENTS
Existing agreements between Eurojust and
third countries
• Norway: liaison magistrate
• Iceland
• US: liaison magistrate
• former Yugoslav Republic of Macedonia
• Switzerland: liaison magistrate
• Liechtenstein
• Moldova
• Montenegro
• Ukraine
• In the process: Albania…
Existing agreements between Europol
and third countries
• Operational: Albania, Australia, Bosnia Herzegovina, Canada, Colombia,
fYROM, Georgia, Iceland, Liechtenstein, Moldova, Monaco, Montenegro,
Norway, Serbia, Switzerland, Ukraine, USA
• Strategic: China, Russia, Turkey
EU US Umbrella agreement
• On 2 June 2016 EU-U.S. Justice and Home Affairs Ministers formally
signed the "Umbrella Agreement". It entered into force on 1
February 2017.
• It puts in place a comprehensive data protection framework for EU-
US law enforcement cooperation. It covers all personal data
exchanged between the EU and the US for the purpose of
prevention, detection, investigation and prosecution of criminal
offences, including terrorism.
• This agreement complements existing EU-US and Member State –
US agreements between law enforcement authorities. It
supplements where appropriate but does not replace existing
agreements
• The agreement is not in itself a legal basis for transfers: a separate
legal basis is always required in addition.
• Issues regarding the Judicial Redress Act which is part of package
Content of the EU US Umbrella
Agreement
• Clear limitations on data use – Personal data may only be used for the purpose of
preventing, investigating, detecting or prosecuting criminal offences, and may not
be processed beyond compatible purposes.
• Onward transfer – Any onward transfer to a non-US, non-EU country or
international organisation must be subject to the prior consent of the competent
authority of the country which had originally transferred personal data.
• Retention periods - Individuals' personal data may not be retained for longer than
necessary or appropriate. These retention periods will have to be published or
otherwise made publicly available. The decision on what is an acceptable duration
must take into account the impact on people's rights and interests.
• Right to access and rectification - Any individual will be entitled to access their
personal data – subject to certain conditions, given the law enforcement context –
and will be able to request the data is corrected if it is inaccurate.
• Information in case of data security breaches – A mechanism will be put in place
so as to ensure notification of data security breaches to the competent authority
and, where appropriate, the data subject.
• Judicial redress and enforceability of rights - EU citizens will have the right to
seek judicial redress before US courts in case the US authorities deny access or
rectification, or unlawfully disclose their personal data. This provision of the
Agreement depends on the adoption by US Congress of the US Judicial Redress Bill.
Other existing agreements
• EU/US agreements on MLA and Extradition: data protection is hardly mentioned anywhere
• PNR agreements:
Latest news: the envisaged EU-Canada PNR Agreement aims at regulating the transfer and processing of
passenger name record data to Canada for the purpose of combatting terrorism and other serious
transnational crime, under certain conditions and according to data protection safeguards. The agreement
was signed in 2014. The Council of the EU requested the European Parliament (EP)’s approval of the
agreement, and the EP decided to refer the matter to the Court of Justice in order to ascertain whether the PNR
Agreement is compatible with EU law and, in particular, with the provisions relating to the respect for
private life and the protection of personal data.
On 26 July 2017, the ECJ issued its opinion that the PNR Agreement may not be concluded in its current form,
because several of its provisions are incompatible with the fundamental rights recognised by the EU and
must therefore be modified.
• TFTP agreement
DATA RETENTION/SURVEILLANCE IN
THE EU AFTER THE DIGITAL RIGHTS
IRELAND CASE
Definition of surveillance
• The Court of Justice used but did not define the
term “surveillance” in the three judgments Digital Rights,
Schrems and Tele2
Digital Rights judgment I
• The Grand Chamber considered that “the fact
that data are retained and subsequently used
without the subscriber or registered user being
informed is likely to generate in the minds of the
persons concerned the feeling that their private
lives are the subject of constant surveillance.”
(Para. 37)
• The Grand Chamber found that mass
surveillance breaches the fundamental right to
respect of private life (paras 57 to 61). It thus
prohibited generalised mass surveillance.
Digital Rights judgment II
• The Grand Chamber noted that “Article 6 of the
Charter lays down the right of any person not
only to liberty, but also to security” (para. 42 in
fine; see also opinion 1/15 of the Grand
Chamber on the draft PNR agreement with
Canada, 26 July 2017, para. 149).
Schrems case
• In his opinion, Advocate General Yves Bot assessed the
legitimacy of US surveillance and harshly criticised the safe
harbour scheme.
• The Advocate General referred to “a mass and indiscriminate
surveillance and interception” of personal data by the National
Security Agency (para. 155) and “the large scale collection of
the personal data of citizens of the Union, which is transferred
under the safe harbour scheme” (para. 158).
• The Advocate General considered that the “mass,
indiscriminate surveillance is inherently disproportionate and
constitutes an unwarranted interference with the rights
guaranteed” by Article 7 on the right to respect of private life
and Article 8 on the right to the protection of personal data of
the Charter (para. 200).
Schrems judgment I
• The Grand Chamber moved the focus from the
assessment of the legitimacy of US surveillance
in the opinion of Advocate General Bot to the
analysis in its judgment of the compliance by
Commission decision 2000/520 on safe
harbour with Article 25(6) of directive 95/46
of 24 October 1995 read in light of the Charter.
• Mass surveillance inherently and intrinsically
infringes upon Article 7 of the Charter,
regardless of the safeguards put in place to
limit the abuse (paras 93 and 94).
Schrems judgment II
The Grand Chamber ruled that the decision of the
Commission was invalid since Article 1 of the
decision failed to comply with the requirements
laid down in Article 25(6) of the directive read in
light of the Charter (para. 98).
Tele2 judgment I
• For the first time, the judgment of the Grand
Chamber set EU standards about the retention
of personal data for surveillance purposes that
Member States need to comply with.
• The Swedish legislation provides for
generalised mass processing and surveillance
of telecommunications meta-data which
infringes upon the fundamental right to respect
for private life and is outlawed in the EU (para.
105).
Tele2 judgment II
“Article 15(1) of Directive 2002/58, read in the light of
Articles 7, 8 and 11 and Article 52(1) of the Charter,
does not prevent a Member State from adopting
legislation permitting, as a preventive measure, the
targeted retention of traffic and location data, for the
purpose of fighting serious crime, provided that the
retention of data is limited, with respect to the
categories of data to be retained, the means of
communication affected, the persons concerned and
the retention period adopted, to what is strictly
necessary” (para. 108, emphasis added).
Tele2 judgment III
• The Grand Chamber did not question or challenge
the appropriateness and effectiveness of targeted
retention of traffic and location data which
remains a lawful purpose for both preventing and
fighting serious crime subject to compliance with
requirements to be met by domestic law.
• National data retention laws “must, in particular,
indicate in what circumstances and under which
conditions a data retention measure may, as a
preventive measure, be adopted, thereby ensuring
that such a measure is limited to what is strictly
necessary” (para. 109, emphasis added).
ECHR
• The ECHR will continue playing an essential role in limiting surveillance
powers in Europe
• The ECHR has already recognised that general surveillance programmes
represent a significant threat to the protection of privacy. See for instance
Roman Zakharov v. Russia, application no. 47143/06, 4 December 2015 in
which the Grand Chamber considered that given that the domestic system
did not afford an effective remedy to the person who suspected that he or
she was subjected to secret surveillance, the very existence of the
contested legislation amounted in itself to an interference with Mr
Zakharov’s rights under Article 8 of the European Convention
• Cross-fertilisation between the ECHR and the Court of Justice of the
EU: the two courts both refer to each other’s case law in their judgments,
thereby paving the way for developing minimum criteria and common
standards of European principles on the respect for private life and the
protection of personal data with which Member States must comply when
they adopt surveillance legislation. See for instance the Digital Rights
judgment and Szabó and Vissy v. Hungary, application no. 37138/14, 12
January 2016 in which the Court examined the Hungarian surveillance
legislation which allowed for the secret monitoring of electronic
communication.
Contact Information
www.eurojust.europa.eu
ERA Summer Course DP 14 September 2017
Through his contacts with the Spanish authorities he understands they are also
investigating some suspects operating there and they might also have some
useful information as to the further activities in Tunisia and Morocco.
Given the complexity of the file and the investigation he considers requesting
the assistance of Eurojust in order to coordinate the investigation and see if any
joint actions could be considered at a later stage. In order to do that he contacts
the French National desk at Eurojust and they agree a case will be opened at
Eurojust.
1. Can the French investigating judge provide the complete case file to
Eurojust (French National desk)?
2. Which legal framework applies to the transfer of personal data between
the French investigative judge and Eurojust?
3. Can the French National desk share all information with the National
Members of Spain, Greece and Italy?
4. Which legal framework applies to the provision of personal data from
the French National Member to the National Members of Spain, Greece
and Italy at Eurojust?
Following the meeting between the relevant desks at Eurojust they decide to
organise a coordination meeting at Eurojust and to invite the competent
authorities of Tunisia and Morocco.
5. Can Eurojust transfer personal data to Tunisia and Morocco? If so, which
legal instrument would apply to such transfer?
6. Can the French judge transfer personal data to Tunisia and Morocco? If
so, which legal instrument would apply to such transfer?
7. What would be the easiest channel to liaise with the US authorities at this
stage? Which legal provisions would apply to such exchange of
information?
8. Assuming that sufficient information exists to substantiate such request
and that it is confirmed that the suspect is in the US and the French
authorities would be in the position of prosecuting the person in France,
which legal basis could be used to initiate an extradition request? Which
parties would be involved in such legal transfer?
Johnny Ryan
Dr Johnny Ryan FRHistS
He is a Fellow of the Royal Historical Society, and a member of the World Economic
Forum’s expert network on media, entertainment and information.
His second book “A History of the Internet and the Digital Future” is on the reading
list at Harvard and Stanford. His expert commentary on adblocking, privacy, and
digital has appeared in The Financial Times, Le Monde, Wired, NPR, Advertising
Age, the BBC, Sky News, and many others. His writing has appeared in NATO
Review, Fortune, Business Week, Business Insider, Contagious, and Ars Technica.
He has a background in policy think tanks, academia, and media. His previous roles
include Chief Innovation Officer of The Irish Times and Senior Researcher at the
Institute of International & European Affairs (IIEA). His first book, based on his work
at the IIEA, was the most cited source in the European Commission’s impact
assessment that decided against pursuing Web censorship across the European
Union.
[Figure residue: slides diagramming the programmatic advertising chain; only the labels below are recoverable.]
Actors: Visitor, Site, Brand; "Supply side" and "Demand side". Messages exchanged: request page / serve page; ad request, cookie to SSP; ad request, request bid, deliver ad; request segment / deliver segment; sync / sync.
Sequence shown with "The Daily Bugle" as the example site: 1. Page loads. 2. What ad should we show this user? 3. Send details of user to ad exchange(s) to solicit bids from advertisers (the Exchange fans out to many DSPs and DMPs).
DATA LEAKAGE diagram (website.com):
Step 1. User requests webpage.
Step 2. Ad server selects an SSP.
Step 3. SSP selects an exchange.
Step 4. Exchange sends bid requests to hundreds of partners (DSPs, DMPs).
Step 5. Exchange lets some DMPs/DSPs refresh cookie sync.
Step 6. DSP serves winning bid.
Step 7. Exchange serves creative.
Step 8. Agency ad server loads verification vendor.
Step 9. Assets load from CDN.
Legend: channel of data leakage; money; personal data; javascript. Other labels: ADVERTISERS, Winning DSP, Verification vendor, Agency ad server, Ad server, CDN.
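The chain diagrammed above (page request, ad server, SSP, exchange, bid requests fanned out to many DSPs and DMPs, cookie sync) can be modelled to count how many parties end up holding personal data after a single page view. The Python below is an added example written for this edition, not code from the slides or from any ad-tech vendor; the partner names, request fields, counts and page-view values are constructed. It puts a Plan A style request (carrying the visitor's identifiers and segments) beside a Plan B style contextual request that carries page-level data only.

```python
"""Added example (not from the slides): a model of the RTB chain in the
diagram, used to count how many parties hold personal data after one page
view. Partner names, request fields and the page-view values are constructed."""
from dataclasses import dataclass

# Bid-request fields that identify or single out the visitor.
PERSONAL_FIELDS = {"user_id", "ip", "segments"}


@dataclass(frozen=True)
class PageView:
    url: str          # page the visitor requested (Step 1)
    user_id: str      # cookie id the SSP/exchange holds for this browser
    ip: str
    segments: tuple   # DMP audience segments attached to the visitor
    topics: tuple     # what the page is about; carries no personal data


def build_bid_request(view: PageView, minimised: bool) -> dict:
    """Bid request the exchange sends out in Step 4.

    minimised=False: a Plan A style request carrying the visitor's identifiers.
    minimised=True:  a Plan B style contextual request with page-level data only."""
    req = {"page_url": view.url, "topics": list(view.topics), "slot": "300x250"}
    if not minimised:
        req["user_id"] = view.user_id
        req["ip"] = view.ip
        req["segments"] = list(view.segments)
    return req


def fan_out(req: dict, partners: list, sync_partners: set) -> dict:
    """Step 4: every partner receives the same request. Step 5: partners
    allowed to cookie-sync also obtain a mapping between their own cookie
    and the exchange's user_id, a durable join key. Returns, per partner,
    the personal-data items it learned (partners that learned none are omitted)."""
    learned = {}
    for partner in partners:
        items = [f for f in req if f in PERSONAL_FIELDS and req[f]]
        if partner in sync_partners and "user_id" in req:
            items.append("cookie_sync")
        if items:
            learned[partner] = items
    return learned


def simulate(view: PageView, partners: list, sync_partners: set, minimised: bool) -> dict:
    """Run one page view through the chain and summarise the spread of personal data."""
    learned = fan_out(build_bid_request(view, minimised), partners, sync_partners)
    return {
        "partners_contacted": len(partners),
        "personal_data_recipients": len(learned),
        "synced_partners": sorted(p for p, items in learned.items() if "cookie_sync" in items),
    }


# Constructed inputs: one visit to a news article, 120 DSPs and 20 DMPs on the
# exchange, three of which are allowed to refresh their cookie sync.
VIEW = PageView(url="https://website.example/article/123", user_id="u-8f3a1c",
                ip="203.0.113.7", segments=("auto-intender", "high-income"),
                topics=("cars", "finance"))
PARTNERS = [f"dsp-{i:03d}" for i in range(120)] + [f"dmp-{i:02d}" for i in range(20)]
SYNC_PARTNERS = {"dsp-001", "dsp-002", "dmp-00"}

if __name__ == "__main__":
    print("Plan A:", simulate(VIEW, PARTNERS, SYNC_PARTNERS, minimised=False))
    print("Plan B:", simulate(VIEW, PARTNERS, SYNC_PARTNERS, minimised=True))
```

With the constructed inputs, the Plan A request reaches all 140 partners with identifying fields and leaves three of them with a synced cookie, whereas the Plan B request reaches the same 140 partners but none of them receives a personal-data field, and no cookie sync is possible because there is no user_id to match against. The number that matters for accountability is the recipient count, and it is the shape of the request, not the consent dialog, that drives it.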
GDPR requires a chain of accountability
BROKER
2. Buying personal data (directly or indirectly identifiable) from other sources to augment profiles
3. Buying behavioural ads online, which currently requires the sharing of personal data with countless partners.
All potentially liable!
Might GDPR consent requests look like this?
[Mockup of a pop-up dialog with annotations pointing at each element. Two versions were shown: one with "No / OK" buttons and one with "No / OK (6 months) / OK (12 months)".]
Pop-up Dialog text: "We would like to share your browsing habits on our site with Brand Name and their analytics partners, to understand what offers may be of interest to you. These data will be deleted [6 months / 12 months]."
Annotations:
• Purpose of processing, and notification of profiling (Article 13, para 1, c, and para 2, f).
• Details of recipients and categories of recipients.
• Text links to contact details of the controller and their data protection officer (Article 13, para 1, a, b, and e).
• Text links to tool for withdrawing consent (Article 7, paragraph 3).
[Second consent mockup, only partially recoverable: a longer dialog naming each recipient type, with "i" information icons and "No / OK (6 months) / OK (12 months)" buttons.]
Recoverable text: Open ID [Consortium] and its participants; [Ad exchange] and its participants; [DMP]; [DSP]; [Verification vendor]; each ... controller; ... processors; categories of ... business transactions with our partners. "We will then be able to identify offers that are more interesting to you. (Alternatively, we will use generic ads, which might be less interesting to you.)" "You can cancel at any time by clicking the icon on any ad." "Learn more about your data."
[Mockup of a "My Data" settings panel with a "Done" button, shown twice, the second time with "?" help marks next to each item.]
Toggles: Ad targeting; Ad networks ON; Social profile ON; Verification; Verification service ON; Commenting.
Browsing habits, by period: Today; Yesterday; This week; This month.
Do you believe that users will opt-in to tracking for the purposes of advertising?
Responses: No / Yes, if denied access to the site otherwise / Yes
Tracking by any party, anywhere on the web: 65% / 32% / 3%
Google and Facebook: (percentages not recovered)
GDPR scale (digital advertising)
5 Needs “opt-in” consent, but is unable to communicate with users
4 Needs “opt-in” consent, but user has little incentive to agree
3 Needs “opt-in” consent, and may get it
2 Can show an “opt-out” before using data
1 Out of scope of Regulation if business is modified
0 Already out of scope of the Regulation
GDPR scale: FACEBOOK
5 Needs “opt-in” consent, but is unable to communicate with users
4 Needs “opt-in” consent, but user has little incentive to agree
• Facebook Audience Network
• WhatsApp advertising (see assumption 1)
2 Can show an “opt-out” before using data
• NewsFeed ads (based only on personal data with no “special” personal data (e.g. ethnicity, political opinion, religious or philosophical beliefs, sexual orientation), unless marked “public” or visible to “friends of friends”) (see assumptions 1 and 2)
• Instagram ads (see assumption 1)
(Following slide; its heading was not recovered. The entries concern Google services.)
2 Can show an “opt-out” before using data
• Location targeting in Maps (see assumption 2)
1 Out of scope of the regulation, if business is modified
• AdWords (if all personalized features are removed) on Google properties including Search, Youtube, Maps
Assumption 1. That the average user does not “sign in” to Google Search or Chrome. If, however, users did sign in then Google may be able to further process their data for other purposes.
Assumption 2. That the use of personal data to target advertising will be accepted as a “compatible” purpose with the original purpose for which personal data were shared by users, under GDPR Article 6, paragraph 4. GDPR Recital 61 says that if the further processing is compatible then the company must alert the data subject that it is using their data for this further purpose before it starts processing. GDPR Article 21, paragraphs 2 and 3 say that the data subject must be alerted about their right to object to their data being used for direct marketing, and can do so at any time. GDPR Recital 70 says this alert should be presented clearly and separately from any other information. However, the Article 29 Working Party’s opinion on purpose limitation notes that among the various things that the compatibility assessment must consider are “the impact of the further processing on the data subjects”.
[Figure residue: the LUMAscape display-advertising ecosystem map, shown twice, once plain and once coloured by GDPR risk. Recoverable content:]
Axes: MARKETER (left), PUBLISHER (centre), CONSUMER (right).
Categories: Agencies; Agency Trading Desks; DSPs; Exchanges; Ad Networks; Sharing Data / Social Tools; SSPs; Vertical / Custom; Creative; Media Planning; DMPs and Data Aggregators; Publisher Tools; Optimization and Attribution; Targeted Networks/AMPs; Performance; Tag Mgmt; Retargeting; Ad Servers; Measurement and Analytics; Data Suppliers; Verification / Privacy; Mobile.
Title of the second slide: "... AND THE LUMASCAPE" (start of the title not recovered).
Risk Legend: Needs consent, unlikely to get it; Needs consent, may get it; OK, if users have consented for “compatible” uses, and do not opt out when notified; Out of scope of Regulation if business is modified; Already out of scope of the Regulation.
PUBLISHERS
USERS
BRANDS
Now: Agencies and adtech take 50% or more of brand spend. Publishers get what's left.
Outlook for Publishers
PUBLISHERS
USERS
BRANDS
After 25 May: Publishers take control, and agencies and adtech must rely on them.
PLAN “A”:
SEEK CONSENT (AND
END DATA LEAKAGE).
BUT... HOW CONFIDENT ARE YOU THAT
PEOPLE WILL OPT-IN TO TRACKING FOR ADS?
[Survey chart; responses on a five-point scale: Not at all, To a small degree, Moderately, Highly, Very highly.]
"How confident are you that the average user will click ‘OK’ to share data with other companies?": 4%, 32%, 32%, 21%, 12% (bar labels in the order extracted; the 4% label is detached from its bar).
"How concerned are you about your online behaviour being tracked?": Not at all 5%, To a small degree 7%, Moderately 21%, Highly 35%, Very highly 32%.
PLAN “B”:
INTEREST-BASED ADS
WITHOUT
PERSONAL DATA.
RELEVANT ADVERTISING &
MEASUREMENT OUTSIDE THE SCOPE
OF THE REGULATION
[Figure residue: the LUMAscape map shown twice more with the GDPR risk colouring, illustrating Plan B. Recoverable content:]
Axes: MARKETER, PUBLISHER, CONSUMER.
Categories on the first map: Agencies; Agency Trading Desks; DSPs; Exchanges; Ad Networks; Sharing Data / Social Tools; SSPs; Vertical / Custom; Creative; Media Planning; DMPs and Data Aggregators; Publisher Tools; Optimization and Attribution; Targeted Networks/AMPs; Performance; Tag Mgmt; Retargeting; Ad Servers; Measurement and Analytics; Data Suppliers; Verification / Privacy; Mobile.
The second map adds Consumer Brand Loyalty Schemes and a Data Protection Platform alongside DMPs and Data Aggregators, Publisher Tools and Ad Servers.
Risk Legend: Needs “opt-in” consent, but is unable to ask; Needs consent, unlikely to get it; Needs consent, may get it; OK, if users have consented for “compatible” uses, and do not opt out when notified; Out of scope of Regulation if business is modified.
Tracking Preferences
[Mockup of a browser dialog, as proposed in recital 23 of the e-Privacy Regulation as amended. Options: Accept all tracking; Accept only first party tracking; Reject tracking unless strictly necessary for services I request; Reject all tracking. Button: OK.]
Annotation: Amended Recital 23 makes rejection of third party trackers and cookies the default. (But it seems redundant, since recital 21 says that consent is not required for “technical storage or access which is strictly necessary and proportionate for … the use of a specific service explicitly requested by the user”.)
What will people click?
[Same Tracking Preferences dialog with response shares against the options; only "5%" and "20% Accept all tracking" are recoverable. Button: OK.]
NON-TRACKING COOKIES
Set-Cookie: count=1; path=/
Set-Cookie: currency=DK; path=/
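The non-tracking cookies shown above carry a small piece of state (a counter, a currency) rather than an identifier, which is what keeps them outside the tracking category. The Python below is an added example, not code from the slides: it parses Set-Cookie headers in the RFC 6265 shape (the first pair is the cookie, later items are attributes) and flags values that look like per-browser identifiers, so a site can audit what it sets. The length and entropy thresholds and the sample headers are constructed for the example.

```python
"""Added example (not from the slides): audit Set-Cookie headers and separate
small-state cookies (count, currency) from ones carrying identifier-like values.
Thresholds and sample headers are constructed assumptions for illustration."""
import math
import re
from collections import Counter


def parse_set_cookie(header: str) -> dict:
    """Parse 'Set-Cookie: name=value; Attr=val; Flag' into its parts.

    Follows the RFC 6265 shape: the first pair is the cookie itself, later
    semicolon-separated items are attributes (names are case-insensitive)."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for item in parts[1:]:
        key, _, val = item.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def shannon_entropy(text: str) -> float:
    """Bits per character; opaque tokens score high, words and small numbers low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


# A short word or a small integer cannot single out one browser.
SMALL_STATE = re.compile(r"^(?:[A-Za-z]{1,8}|\d{1,6})$")


def looks_like_identifier(value: str) -> bool:
    """Heuristic (constructed): long, high-entropy values such as hex, base64
    or UUID tokens are treated as identifiers; anything matching SMALL_STATE
    is treated as non-tracking state."""
    if SMALL_STATE.match(value):
        return False
    return len(value) >= 12 and shannon_entropy(value) >= 3.0


def classify(header: str) -> dict:
    """Parsed cookie plus a tracking_candidate flag for review."""
    cookie = parse_set_cookie(header)
    cookie["tracking_candidate"] = looks_like_identifier(cookie["value"])
    return cookie


def audit(headers: list) -> list:
    """Names of cookies that should be reviewed as potential trackers."""
    return [c["name"] for c in map(classify, headers) if c["tracking_candidate"]]


# Constructed sample headers: the two from the slide plus an identifier cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: count=1; path=/",
    "Set-Cookie: currency=DK; path=/",
    "Set-Cookie: uid=3f9c2a7e1b4d4c0f9a8e6d5c4b3a2f10; Path=/; Max-Age=31536000; Secure; HttpOnly",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify(h))
    print("review:", audit(SAMPLE_HEADERS))
```

The heuristic errs on the side of flagging: a long opaque value is reported for review even when it is only a CSRF token or a session handle, and a reviewer then decides whether the value is tied to an individual and for how long it lives (the Max-Age attribute is parsed for that reason). The two slide cookies pass as small state because their values are a short integer and a short word.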
Summary @johnnyryan
Sophie Kwasny
ERA Summer course, Trier, 15 September 2017
Data Protection
Council of Europe ≠ EU
Council of Europe
(Strasbourg, France)
Convention 108
Definitions (personal data, processing…)
Scope (public and private sector)
Quality of data
Sensitive data
Security
Rights of data subjects
Exceptions
Transborder data flows
Supervisory authorities
Modernisation trends:
• promote as a universal standard
• preserve general, simple, flexible and pragmatic character
• ensure coherence with other relevant frameworks (EU, OECD, APEC)
• Preamble
• definitions (article 2)
• “data processing subject to its jurisdiction in the public and private sectors, thereby securing every individual’s right to protection of his or her personal data.
1bis. This Convention shall not apply to data processing carried out by an individual in the course of purely personal or household activities.” (article 3)
• Transparency
obligation for the controller to provide a
detailed list of information, as well as any
necessary additional information in order to
ensure fair and transparent processing.
• Supervisory authorities:
“shall co-operate with one another to the
extent necessary for the performance of their
duties and exercise of their powers, in
particular by:
co-ordinating their investigations or
interventions, or conducting joint actions;”
• Convention Committee:
“e. shall prepare, before any new accession
to the Convention, an opinion for the
Committee of Ministers relating to the level
of personal data protection… ;
h. shall review the implementation of this
Convention by the Parties and recommend
measures to take where a Party is not in
compliance with this Convention;”
Amending Protocol
Committee of Ministers
Convention 108
http://www.echr.coe.int/Documents/FS_Data_ENG.pdf
Barbulescu v. Romania
In addition, the national courts had failed to
determine:
• firstly, the specific reasons justifying the
introduction of the monitoring measures;
• secondly, whether the employer could have
used measures entailing less intrusion into
Mr Bărbulescu’s private life and
correspondence;
• and thirdly, whether the communications
might have been accessed without his
knowledge.
Barbulescu v. Romania
(2016, 4th Section)
No violation of Article 8
Recommendation (2015)5
I - General principles
Recommendation (2015)5
Health-related data
Work programme 2018-2019
www.coe.int/dataprotection
dataprotection@coe.int