The Article 29 Working Party (WP29) released two guideline documents, WP259 and WP260, on the General Data Protection Regulation (GDPR) concepts of consent and transparency. Comments on both documents will be accepted by the Working Party through January 23, 2018 after which the WP 29 working party will issue final guidance. WP29 is an independent European advisory body on data protection and privacy.
This blog post focuses on WP260, the guideline on transparency. Our companion post on WP259, the guideline on consent can be read here.
Transparency has long been a fundamental feature of EU privacy law and is an overarching obligation under the GDPR. The draft guideline notes that a central consideration of the principle of transparency is that the data subject should be able to determine in advance what the scope and consequences of the processing entails. Transparency applies in three central areas:
- The provision of information to data subjects related to the fair processing of their personal data.
- How data controllers communicate with data subjects in relation to their rights under the GDPR.
- How data controllers facilitate the exercise by data subjects of their rights.
Continue reading “Article 29 Working Party Releases Guideline WP260 on Transparency under the GDPR”
The Article 29 Working Party (WP29) released two guideline documents, WP259 and WP260, on the General Data Protection Regulation (GDPR) concepts of consent and transparency in November. Comments on both documents will be accepted by the Working Party through January 23, 2018 after which the WP29 will issue final guidance. WP29 is an independent European advisory body on data protection and privacy.
This blog post focuses on WP259, which is the guideline on consent. We have also written a companion blog on WP260, the guideline on transparency.
Guideline on Consent
The guideline provides a thorough analysis of the notion of consent, which is one of the six lawful bases to process personal data under the GDPR. Article 4(11) stipulates that consent of the data subject must be:
- Freely given.
- Unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Continue reading “Article 29 Working Party Releases Guideline WP259 on Consent under the GDPR”
The European Union (EU) may soon decide whether Japan will have “adequate” status for transfers of personal data from the EU. Reuters reported on December 15, 2017 that the European Union is aiming to finalize a data transfer agreement with Japan by early 2018.
Set to be implemented in May 2018, the EU’s General Data Protection Regulation (GDPR) will require that EU citizens’ personal data be transferred to only countries with an adequate data protection status, forbidding companies from storing EU citizens’ personal data in foreign countries deemed to have an “inadequate” level of privacy protection.
Under the EU’s privacy framework, the European Commission has the power to determine, based on Article 25(6) of Directive 94/46/EC, whether a foreign country has an “adequate” level of data protection under that country’s domestic laws or international commitments. If a foreign country is deemed adequate, personal data can flow from the 28 EU countries (and three EEA member countries of Norway, Liechtenstein, and Iceland) to the foreign country without further safeguards.
The commission has so far deemed only 12 countries – Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, the United States (under the EU-US Privacy Shield), and Uruguay – as providing adequate protection. The EU does not include the United States among its adequate protection countries. But Decision 2016/1250 on the adequacy of protection of the EU-US Privacy shield, commonly known as the EU-US Privacy Shield, was designed as a program whereby participating US companies or companies doing business in the US are deemed to have adequate protection.
An adequacy determination for Japan would be monumental for Japanese companies and companies doing business in Japan, with EU Justice Commissioner Vera Jourova recently stating that”[a]n adequacy decision would be great news for business as it would allow for the transfer of personal data from the EU to Japan without the need for extra authorisations.”
In relation to the first annual Joint Review of the EU-U.S. Privacy Shield Framework, the Article 29 Data Protection Working Party (WP29), an independent European advisory body on data protection and privacy, issued its findings on November 28, 2017.
The EU-U.S. Privacy Shield Framework provides a method for companies to transfer personal data to the U.S. from the EU in a way that is consistent with EU Law. As we discussed in a previous blog post, the framework is based on a certification system whereby U.S. companies commit to adhere to a set of Privacy Shield Principles. Other mechanisms for transferring personal data to the U.S. from the EU are through binding corporate rules, model contracts, or use of one of a number of derogations to the EU’s restrictions on cross-border data transfers.
The report reflects the Working Party’s views in relation to the first annual joint review of the Privacy Shield program. It acknowledges both the progress and the efforts to implement Privacy Shield, but it raises a number of concerns and calls on the European Commission and U.S. authorities to restart discussions to address those concerns by May 25, 2018, which is the date the General Data Protection Regulation (GDPR) takes effect.
Continue reading “First Annual Joint Review of EU – U.S. Privacy Shield Addresses Six Areas of Concern”
Providing data subjects with meaningful information regarding the processing of their personal data and their rights with respect to such processing is an axiom of privacy law—and a key requirement under the General Data Protection Regulation (GDPR).
The significance of this principle of transparency was recently highlighted by the European Court of Human Rights (ECHR) in Bărbulescu v. Romania where the court affirmed an employee’s right to privacy when using communications tools in the workplace due, in part, to the employer’s failure to provide adequate notice regarding its internet monitoring activities. This post briefly discusses the principle of transparency under GDPR and its application to the Bărbulescu case.
Continue reading “GDPR and ECHR Make One Thing Abundantly Transparent: The Significance of Transparency”