EU provides GDPR guidance in Christmas message

The Article 29 Working Party (WP29) is an advisory group within the EU whose functions include promoting the uniform application of the Data Protection Directive 95/46/EC and providing expert data protection advice.  It is composed of representatives from the national data protection authorities, the European Data Protection Supervisor and the European Commission.  Their advice is generally seen as a good indicator of how the EU expects organisations to deal with various areas of data protection law, including the new GDPR.

In December 2016 the WP29 met to discuss various data protection issues, such as preparation for the GDPR, as well as its own evolution into the soon-to-be-created European Data Protection Board.  While the WP29 probably wasn’t intending to compete with the Queen in issuing a message perilously close to the Christmas season, they did issue advice in three areas which will be crucial to organisations that will be subject to the GDPR: Identification of a lead supervisory authority, Data Protection Officers (DPOs) and the Right to Data Portability.   In this blog, we review and summarise key aspects of the WP29 advice in these areas.

Data Protection Officers (DPO)

The primary purpose of a DPO is to be the organisational representative and overseer for compliance with data protection law.   The GDPR requires that a DPO is involved in all issues relating to the protection of personal data.

The GDPR makes the appointment of a DPO mandatory in certain cases and prescribes certain protections to be in place for the nominated DPO.  The WP29 advice reiterates the importance of the DPO “acting in an independent manner” in the performance of data protection duties and the need for the DPO to be invited to participate in meetings – including at board level - where there are data protection implications.  The DPO role has safeguards within the GDPR to this end, prohibiting the data controller or processor from exercising control over the DPO’s tasks or dismissal as a consequence of the DPO's performance of data protection tasks.  The DPO must, however, have the expertise to advise on data protection matters both at national and European level, as well as in-depth knowledge of the GDPR.

In terms of appointment of a DPO, public authorities are obliged to make such an appointment under the GDPR.  However, in a private-sector organisation, appointment is required where the “core activities of the data controller or the processor consist of processing operations, which require the regular and systematic monitoring of data subjects on a large scale”.   

A particularly troublesome issue, which has caused confusion following the publication of the GDPR text, relates to the meaning of “large scale”.  It had been hoped that the quantity of data subjects would be the key to interpretation.  However, the WP29 makes it clear that the quantity of data subjects being processed is only one factor.  Interpretation of “large scale” requires consideration of volumes of data processed (even if for a smaller set of data subjects), duration and permanence of processing as well as its geographical extent.  While the advice excludes “individuals”, such as a lawyer or doctor processing information about their clients, there remains uncertainty when processing is of, say, a thousand data subjects.  The WP29 advice itself recognises “a large grey zone” between the extremes.

“Regular and systematic” monitoring has a low threshold and may occur even if the processing occurs for a particular period, employs some system or strategy, and incorporates any sort of tracking or profiling on the internet.

The end result may well be that organisations which fall within the grey area will want to designate a DPO just in case, to avoid potential enforcement action.  Costs may be mitigated, however, via a well-managed outsourced arrangement or by sharing a single DPO resource within a group of companies.  The WP29 confirms that outsourcing or sharing of a DPO resource is possible.  Sharing of a DPO resource is allowed provided that the DPO is “easily accessible from each establishment”.  Accessibility is not limited to physical accessibility: clear contact details, mechanisms for getting in touch (for employees and data subjects) and the ability for the DPO to communicate in the language(s) of the supervisory authorities concerned with the organisation will be needed.  External DPO outsourcing, for example via a service contract, is acceptable provided that there is no conflict of interest. Therefore, your usual lawyers will probably not be able to undertake this role.

Identification of the lead supervisory authority

One of the biggest changes under the GDPR from its predecessor is its attempt to harmonize via a single law what was seen as a divergent set of 28 different Member State implementations of the Directive.  This is not an easy administrative task.  The “One stop shop” principle requires that where there is cross-border processing of data subjects’ data, one supervisory authority is designated the “lead supervisory authority” to regulate all activity throughout the EU.  So, for example, if Germany was the lead authority for an organisation’s data processing activity, it would need to coordinate its responses with other supervisory authorities in the EU where processing was taking place.

The lead supervisory authority mechanism is activated only when “cross-border processing” is taking place.  This means processing that takes place where an organisation (a data controller or data processor) has more than one establishment in the EU, or processing that “substantially affects” data subjects in more than one EU Member State.  As a general rule, where an organisation has more than one processing location in the EU, the lead authority should be that of the Member State in which the organisation has its place of central administration.  However, a complicating factor arises if the decision making for processing, that is, deciding its purpose and means and the implementation of those decisions, takes place in another or several other Member States.  In this case, the lead authority for that processing is not that of the central administration but that of the location(s) where the purpose and means are decided upon.

While the WP29 advice offers criteria for deciding a data controller’s lead supervisory authority, its advice is to move decision-making to a single location in order to reduce the likelihood of more than one supervisory authority potentially being the lead.  Ultimately, organisations will need to make an assessment as to whether they are prepared to engage with supervisory authorities in more than one location in the EU.

The right to Data Portability

This is a new right and, while related, it is distinct from the right to subject access.  The principal right is that a data subject is entitled to receive the personal data they have provided to the data controller concerned along with any data produced (excluding analysis of that data), in a “structured, commonly used and machine readable format” for transmission to another data controller “within one month of receipt of the request”.  It is aimed at facilitating the transfer of services from one supplier to another – “without hindrance” – in line with the European Commission’s Digital Single Market Agenda (and the policy pillar, “Better online access to digital goods and services”).

In respect of facilitating requests under this right, the WP29 recommends that service suppliers begin providing download tools and APIs.  Secure and documented APIs would technically allow greater possibility of tailoring the information obtained to match the destination service provider; however, this is a complex task and not one that the usual data subject will be able to do without third party assistance.  The WP29 is encouraging third party suppliers to act as a “go-between” to assist data subjects in transferring data between the source and destination service providers.

The right to data portability is intended to foster greater transferability and competition between various service providers.  However, for companies that are likely to be impacted and will need to service this right, this may not be easy: while the advice does not expect organisations to make their IT environments compatible, the WP29 is clearly pushing service suppliers to facilitate interoperability of datasets between themselves.  The WP29 has left the onus on service providers within their own industries to work this out and it will be an interesting challenge to see how datasets (incorporating metadata and data) will interoperate between one supplier and another.  The WP29 encourages suppliers to utilise the “European Interoperability Framework”, but it remains to be seen how this can work in practice.  In terms of an API, the idea would likely be along the same lines as the APIs provided by social media service providers, such as LinkedIn and Facebook.  By hooking into APIs provided by a social media supplier, a data subject could populate the necessary fields without personally mapping any fields.  In order for this right to have greatest benefit to data subjects, the issue appears to be how willing competing suppliers (for example, video streaming services such as Netflix and Amazon or email service providers, such as Gmail or Outlook), or third party intermediaries, are to utilise such APIs which would streamline account transfers.