The Article 29 Working Party (WP29) released two guideline documents, WP259 and WP260, on the General Data Protection Regulation (GDPR) concepts of consent and transparency. Comments on both documents will be accepted by the Working Party through January 23, 2018, after which WP29 will issue final guidance. WP29 is an independent European advisory body on data protection and privacy.
This blog post focuses on WP260, the guideline on transparency. Our companion post on WP259, the guideline on consent, can be read here.
Transparency has long been a fundamental feature of EU privacy law and is an overarching obligation under the GDPR. The draft guideline notes that a central consideration of the principle of transparency is that the data subject should be able to determine in advance what the scope and consequences of the processing entail. Transparency applies in three central areas:
- The provision of information to data subjects related to the fair processing of their personal data.
- How data controllers communicate with data subjects in relation to their rights under the GDPR.
- How data controllers facilitate the exercise by data subjects of their rights.
Continue reading “Article 29 Working Party Releases Guideline WP260 on Transparency under the GDPR”
The Article 29 Working Party (WP29) released two guideline documents, WP259 and WP260, on the General Data Protection Regulation (GDPR) concepts of consent and transparency in November. Comments on both documents will be accepted by the Working Party through January 23, 2018, after which WP29 will issue final guidance. WP29 is an independent European advisory body on data protection and privacy.
This blog post focuses on WP259, which is the guideline on consent. We have also written a companion blog on WP260, the guideline on transparency.
Guideline on Consent
The guideline provides a thorough analysis of the notion of consent, which is one of the six lawful bases to process personal data under the GDPR. Article 4(11) stipulates that consent of the data subject must be:
- Freely given.
- Unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Continue reading “Article 29 Working Party Releases Guideline WP259 on Consent under the GDPR”
An international human rights organization is urging the Chinese government to stop building big data policing technologies that aggregate and analyze citizens’ personal information. Though governments collecting information about their citizens is not new, China has begun pursuing newer and more ambitious technologies, such as big data analytics, facial recognition, and cloud computing, to better and more quickly aggregate, mine, and leverage personal information.
Continue reading “Human Rights Watch Denounces China’s Big Data Policing”
The European Commission published its first annual report on the functioning of the EU-U.S. Privacy Shield, which protects the personal data transferred from the EU to companies in the U.S. for commercial purposes. The report was released on October 18, 2017.
The EU-U.S. Privacy Shield Framework provides a method for companies to transfer personal data to the U.S. from the EU in a way that is consistent with EU law. The framework is based on a certification system by which U.S. companies commit to adhere to a set of Privacy Shield Principles. To join the Privacy Shield Framework, a company must self-certify to the Department of Commerce that it complies with the Principles. A company’s failure to comply with the Principles is enforceable under Section 5 of the FTC Act, which prohibits unfair or deceptive acts. The key requirements for participating companies include:
- Informing individuals about data processing
- Providing free and accessible dispute resolution
- Cooperating with the Department of Commerce
- Maintaining data integrity and purpose limitations
- Ensuring accountability for data transferred to third parties
- Transparency related to enforcement actions
- Ensuring commitments are kept as long as data is held
Continue reading “First Annual Review of the Privacy Shield Framework”
Connected car data protection generated significant discussion amongst people at the International Conference of Data Protection and Privacy Commissioners. The 39th annual conference brought together privacy and data protection authorities (DPAs) from around the world in Hong Kong in September. Consistent with prior tradition, the “closed sessions” produced three separate nonbinding resolutions.
Continue reading “Connected Car Resolution adopted by the International Conference of Data Protection and Privacy Commissioners”
On October 3, 2017, the Irish High Court referred Data Protection Commissioner v. Facebook Ireland Limited & Maximilian Schrems to the Court of Justice of the European Union (CJEU), where the future of standard contractual clauses (SCCs) will be decided.
In December 2015—following the CJEU’s landmark decision in Maximillian Schrems v. Data Protection Commissioner invalidating the U.S.-EU Safe Harbor framework—Schrems amended his original complaint to the Irish Data Protection Commissioner (DPC), challenging the validity of data transfers to the U.S. based on the European Commission approved SCCs (available here). Based on the CJEU’s Schrems decision, the Irish DPC petitioned the Irish High Court asking to refer the matter to the CJEU for ruling on the question of whether the European Commission’s SCC decisions are valid under European law. Specifically, the Data Protection Commissioner questioned whether there is an effective remedy under U.S. law compatible with the requirements of Article 47 of the EU Charter of Fundamental Rights for an EU citizen whose data is transferred to the U.S., where such data is subject to electronic surveillance by U.S. agencies for national security purposes. EU citizens have a right guaranteed by Article 47 of the Charter to an effective remedy before an independent tribunal if their rights or freedoms are violated. These include the rights under Articles 7 and 8 to respect for private and family life and protection of personal data.
Continue reading “Irish High Court Refers Future of EU Model Clauses to CJEU”