As the EU continues to buzz about the beginning of the trilogue negotiations and the final stage of the arduous process of bringing the General Data Protection Regulation (GDPR) to fruition, the Article 29 Working Party (WP29) has now weighed in with its thoughts on the final stages of what is likely to be historic legislation. Those thoughts include a hard line on government access to citizen data, a nuanced approach to a “one-stop shop,” a call for mandatory DPOs, general skepticism of the risk-based approach and an endorsement of a broad definition of personally identifying information.
In three letters, all with the same text and signed by Chair Isabelle Falque-Pierrotin, the WP29 addresses authorities at the head of negotiations for the three major players in the trilogue process: Ilze Juhansone, Ambassador Extraordinary and Plenipotentiary Permanent Representation of the Republic of Latvia to the EU (the Latvian presidency is currently at the head of the European Council); Jan Philipp Albrecht, Vice Chair of the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs, and the Parliamentary rapporteur for the GDPR; and Vĕra Jourová, Commissioner for Justice, Consumers and Gender Equality, hailing from the Czech Republic.
The letters are an opportunity for the EU’s collected DPAs to share their “views on the texts that are now on the table, highlighting those issues that it feels are in need of further improvement.” In addition to the three letters, the WP29 has offered up a companion Appendix that further details their thinking in regards to the trilogue process.
Such as?
The three biggest concerns are in the opening text. Primarily, the WP29 wants to ensure that no portion of the GDPR lessens protections or reduces the rights of individuals within the EU. The Directive 95/46, they write, “has stood the test of time well.” In the Appendix, the WP29 further states,
“While recognizing the need for local customization in certain cases, the Working Party would like to strongly underline that such given flexibility should not undermine the level of protection brought by the Regulation and that harmonization of a high level of protection remains the goal.”
It is also paramount, they say, that the text of the GDPR should be simple and clearly written, and that compliance details be outside of the GDPR entirely. Those “should be issued under the form of guidance by the newly created European Data Protection Board (which would replace the WP29) and by DPAs.”
Finally, they state that “the objective of protecting personal data should be achieved without limiting innovation.” They endorse accountability as a mechanism for ensuring effective implementation and compliance and note that the GDPR should apply to any controller, but be flexible and scalable to account for the different ways in which different organizations operate.
The letters then go on to provide feedback on specific topics covered by the GDPR.
First and foremost is the relationship between the GDPR and the less-publicized Directive that would cover data-handling by public bodies. The DPAs feel it is imperative that the Directive cover data-handling by law-enforcement bodies exclusively, and that any broadening of the Directive to cover controllers, either public or private, for the general objective of “the safeguarding against and prevention of threats to public security” is totally unacceptable.
The Appendix goes on to state that “any processing activities performed for purposes not linked to the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties” should fall under the scope of the Regulation.
And while it should perhaps go without saying, they ask for consistency between the two documents “on the definitions, principles, individuals’ rights and powers of supervisory authorities.”
They also advocate for a broad definition of PII, noting recent European Court of Justice rulings on IP addresses and online identifiers, and strongly endorse purpose limitation, a concept the WP29 says “is one of the key data protection principles,” allowing for further processing for archiving, scientific, statistical and historical research purposes, but no further “incompatible” processing. The WP29 backs the concept of pseudonymisation as a security measure but does not want it to constitute a separate category in the Regulation.
The letter concludes with comments on their own powers.
While they welcome the new fining powers the GDPR would provide, they also hope that DPAs would be granted powers “to assist the data controllers and processors in their compliance efforts by providing guidelines and tools.”
The WP29 calls for “a new governance model” that would combine “powerful DPAs, competent where their citizens are targeted,” along with increased cooperation, a lead DPA, and a European Data Protection Board with “real functional and financial independence” and ability to issue binding decisions. The WP29, in the Appendix, calls for “significant” fining authority for DPAs and the “right to prioritize their workflows” to “focus on matters which substantially impact the rights and freedoms of data subjects.”
Though they do not name the so-called “one-stop-shop” concept in their letters, they do examine it in their Appendix and specifically endorse some of the new language in the Council GDPR draft, including provisions that DPAs remain competent when individuals in their own jurisdictions are affected, no matter where the processor or controller is located. Further, citizens would retain a right of redress in their home member state.
Outside of the letter’s contents, the Appendix goes further into strict definitions of “consent” and “personal information,” legitimate interests using pseudonymous data as well as the rights of data subjects. For example, any additional processing of data, the retention of that data and international transfers should have security measures provided by the controller.
Data subjects should have the rights to data portability, data access and objection, to certain restrictions on processing, and to find out for which purposes profiles are created and used. On data access, the WP29 notes that access rights must be balanced against the rights and freedoms of other data subjects. The WP29 says it does support the right for representatives to lodge a complaint on behalf of a data subject, but only if the subject’s rights are not compromised.
What about the contentious risk-based approach? While the letters don’t address it, the Appendix tackles it head on.
For data controllers and processors, the WP29 states that “accountability is an underlying principle of privacy and data protection that should not be undermined of its substance by an inappropriate application of the risk-based approach.” In addition, processors and controllers should document “their processing activities proportionately to ensure accountability and transparency.”
The WP29 notes that DPOs are “compliance orchestrators” and should be the go-between for all relevant stakeholders. As such, the WP29 backs the mandatory appointment of DPOs “subject to objective criteria” such as volume of data processed by an organization or the nature of its activities. A data protection officer is a “cornerstone of accountability and a real tool of competitiveness for companies.”
In data-transfer matters, the WP29 said it’s concerned about the removal of the BCR for Processor and calls for its reinsertion. In addition, the Appendix details its concerns about disclosure of personal data to foreign powers and “welcomes the principle of notification of such requests to DPAs.”
Finally, the Appendix addresses data breach notification. The WP29 says controllers and processors should also be obligated to notify data subjects of a breach, but it “supports different thresholds for notifications to the authority and the individuals.” The WP29 also backs data protection impact assessments and says that consultations with data protection authorities should “be consistent with the principle of accountability.”
How will the trilogue process incorporate these recommendations? The EU, and the rest of the world, will be watching.
Top photo: WP29 Chairwoman Isabelle Falque-Pierrotin speaking at the IAPP Europe Data Protection Congress, November 19, 2014, in Brussels, Belgium.