February 15, 2018

Some Aspects of the EU’s New Framework for Personal Data Privacy Protection

Nicolò Ghibellini

I. INTRODUCTION

This survey will first briefly describe the role of the Data Protection Officer (“DPO”), introduced by the European Union’s new General Data Protection Regulation (“GDPR”), which will enter into force on May 25, 2018.1 The discussion of DPOs will draw from the Guidelines on Data Protection Officers (“Guidelines”)2 issued by the Article 29 Working Party (“Art. 29 WP”).3 Second, the survey will address the new Privacy Shield framework that governs data transfer from the EU to the United States.

II. THE DATA PROTECTION OFFICER

The new regulatory framework that the GDPR establishes emphasizes the principles of compliance and accountability. Within that framework, the DPO undoubtedly will be central, conceived of as an intermediary between companies (controllers and those responsible for data processing) and national Data Protection Authorities. In essence, the office of the DPO has as its special responsibilities the implementation and supervision of internal processes to ensure compliance with the GDPR.

A. APPOINTMENT OF THE DPO

The DPO is an officer appointed by a data “controller” or “processor.”4 The DPO may be an employee of the appointing entity or an independent consultant. In some situations, appointment of a DPO is mandatory, while in others it is voluntary. A controller or processor must appoint a DPO if:

(a)   the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

(b)   the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

(c)   the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.5


The Art. 29 WP recommends that a controller or processor document its analysis to determine whether to appoint a DPO.6 The adoption of this practice is certainly appropriate given that the analysis not only is part of the documentary evidence to be produced in accordance with the accountability principle, but it may also be requested by the supervisory authority, for example if the controllers or processors undertake new activities or provide new services that might fall within the cases listed in Article 37(1).7

The GDPR does not define the term “public authority or body” as used in subsection (a) of the provision of Article 37 quoted above. The Guidelines indicate that the term should be defined according to the member state’s national law.8 Although the GDPR does not require it, the Art. 29 WP considers it a good practice for a private organization charged with public functions (such as transport service providers, infrastructure operators, and utilities providers) to appoint a DPO.9

The term “core activities,” appearing in subsections (b) and (c), is glossed in Recital 97, which says that “core activities of a controller relate to its primary activities and do not relate to the processing of personal data as ancillary activities.”10 In other words, core activities are those that are essential to the accomplishment of the company’s purposes.

The term “large scale,” appearing in subsections (b) and (c), is also undefined. Referencing the discussion of the term in GDPR Recital 91, the Art. 29 WP offers some examples of what it believes should qualify as “large scale” processing, including “processing of patient data in the regular course of business by a hospital” and “processing of travel data of individuals using a city’s public transport system.”11 It also gives examples of what it considers not to be “large scale”: “processing of patient data by an individual physician” and “processing of personal data relating to criminal convictions and offences by an individual lawyer.”12 Based on the Art. 29 WP’s discussion, it is possible to understand “large scale” as referring to data processing carried out in a massive and constant way.

The Guidelines suggest that the meaning of the term “regular and systematic monitoring,” appearing in subsection (b), may be derived from Recital 24 of the GDPR, which refers to “monitoring of the behaviour” of persons, suggesting that it embraces, in the first instance, all profiling and tracking activities on the Internet.13 But the Guidelines correctly state that the term is not limited to online activities.14 The Art. 29 WP suggests that “regular” should be understood to refer to ongoing or recurrent activities, and “systematic” to monitoring by a predetermined system, as part of a project or strategy.15

B. DPO’S KNOWLEDGE AND CAPABILITIES

The following briefly describes the qualifications of a DPO as set out in Article 37, paragraph 5, of the GDPR, and discussed in the Guidelines.16

Specialized knowledge. The level of expertise that a DPO should have will depend on the sensitivity and quantity of the data that the organization processes and on the frequency of the transfer of the same to countries outside the EU.

Professional qualities. The DPO must be knowledgeable about national data protection laws as well as the GDPR—not only in theory but also in practice. Moreover, the Art. 29 WP recommends that the DPO should be familiar with the company’s sector of activity and organization.

Ability to fulfill his or her duties. This requirement is related not only to personal characteristics (such as integrity) of the DPO, but also to his or her position in the organization, which should enable him or her to bring about “a data protection culture” among the organization’s employees.17

C. POSITION OF THE DPO

According to Article 38 of the GDPR, the DPO must be involved in all issues related to personal data protection. This confirms the centrality of the DPO’s role in the scheme of the GDPR: the DPO is to be involved in all phases of the organization’s activities involving private data—not only when the rules specified in the GDPR come into play, but also in the conception of the organization’s procedures bearing on privacy, or “privacy by design.”18

Adequate support must be given to the DPO, in terms of both managerial backing and resources, to enable the DPO to operate autonomously. In particular, the DPO should not receive any “instructions” about performing his or her tasks and must not be subject to dismissal as a result of performing his or her functions.19

D. TASKS OF THE DPO

The principal functions of the DPO can be summarized as follows:

1. Monitoring Compliance with the GDPR

The tasks assigned to the DPO are specified in the Guidelines:

  • collect information to identify processing activities,
  • analyze and check the compliance of processing activities, and
  • inform, advise and issue recommendations to the controller or the processor.20

It is important to emphasize that the responsibility to monitor compliance does not imply that the DPO is personally responsible in case of non-compliance. In fact, compliance with the GDPR is the responsibility of the data controller.21

2. Participating in an Impact Assessment

The responsibility for carrying out a “data protection impact assessment” rests with the data controller, but, in doing so, the controller is to seek the DPO’s advice, for example, to determine whether to undertake an assessment or which methodology to adopt.22

3. Cooperating with the Supervisory Authority

The cooperation task is an element of the DPO’s “facilitator” role. The DPO serves as a link between the company and the supervisory authority and is the latter’s privileged interlocutor for all issues related to data protection.23

III. TRANSFER OF DATA TO THE UNITED STATES

The topic of data transfer from the EU to the United States is part of the general topic of data transfer from the EU to third countries, meaning countries outside the EU or the European Economic Area.

A. RULES FOR DATA TRANSFER TO THIRD COUNTRIES

Currently the rules governing the transfer of data to third countries are established by the 1995 Data Protection Directive,24 which prescribes that (1) the transfer of personal data from EU countries to third countries is forbidden unless the receiving country guarantees an “adequate level of protection” of the private data of European citizens;25 and (2) the European Commission has the duty and the power to ascertain whether a particular country outside the EU guarantees an adequate level of protection.26 In doing so, the Commission must give “particular consideration” to “the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.”27 Following its evaluation of a country’s privacy laws, the Commission may issue an authorization for the transfer of data, which is then implemented by the privacy supervisors in the EU states through their own general authorization. Even if a third country’s laws do not provide an “adequate level of protection,” a data transfer is allowed in certain special cases28 and also when contractual clauses offering guarantees of adequacy are adopted.29

The GDPR addresses data transfer to third countries in Articles 44–50, with a framework similar to the one provided by the Data Protection Directive. The general principle is still one of an authorization based on a finding that the third country offers “an adequate level of protection.”30

B. TRANSFER OF DATA TO THE UNITED STATES: THE SAFE HARBOR

The EU-U.S. Safe Harbor originated from the adequacy decision of the European Commission on July 26, 2000.31 The decision was implemented by the various national supervisors through the mechanism mentioned above.

The Safe Harbor was born from the need to “close the gap” between the EU and the United States regarding privacy protection, while not blocking or limiting the flow of personal data, which is a necessary concomitant of the huge trading relationship between the two markets. U.S. companies, interested in creating new trade agreements with EU companies providing for the transfer of European citizens’ personal data, had to certify that they adhered to the seven principles of the Safe Harbor.32 Compliance with the principles was enforced by the Federal Trade Commission (“FTC”) or in some cases the Department of Transportation.33

C. FROM SAFE HARBOR TO PRIVACY SHIELD

The Safe Harbor was invalidated by the Court of Justice of the EU on October 6, 2015, in the context of a referral for a preliminary ruling on the Safe Harbor sent by the Irish High Court.34 The court concluded that the Safe Harbor did not determine the limits of access and use of personal data by public authorities and did not provide individuals with legal remedies to access their personal data and exercise their rights.

In addition, the court declared that the Commission could not limit—as it purported to do with the Safe Harbor—the supervisory powers that the Data Protection Directive grants to the national Data Protection Authorities. Therefore the court invalidated the Safe Harbor with immediate effect. With the Safe Harbor unavailable, U.S. companies wishing to import personal data from the EU needed to use the legal instruments provided by the Data Protection Directive—principally consent of the data subject and contractual clauses.

On July 12, 2016, the European Commission adopted a decision approving a replacement for the Safe Harbor, called the EU-U.S. Privacy Shield.35 Starting August 2016, a U.S. company could avail itself of the shield by self-certifying its compliance with specified privacy principles to the U.S. Department of Commerce, which maintains an updated list of those participating companies.36

The new regulatory framework ensures the personal rights of each EU citizen whose data are transferred to the United States, offers guarantees regarding the access to data by public authorities, and guarantees protection to the parties concerned.

Following is a summary of some key provisions of the Privacy Shield framework.

Supervision by the Department of Commerce. The U.S. Department of Commerce has the task of subjecting the participating companies to periodic checks in order to assess their compliance with the rules that they voluntarily accepted. Companies that are not in compliance can incur sanctions and be dropped from the list of adhering companies, obligating them to delete all of the data they collected.37

Clear guarantees and transparency requirements applicable to access by the U.S. government. The United States has given the EU an assurance that the access of public authorities to private data for law enforcement and national security purposes is subject to clear limitations, safeguards, and oversight mechanisms. An important novelty is that EU citizens will benefit from redress mechanisms in this area. The United States has ruled out indiscriminate mass surveillance based on personal data transferred under the Privacy Shield framework.38

Effective protection of individual rights. Any person who believes he or she has suffered harm in relation to his or her data may seek redress from the U.S. company that collected the data, an independent dispute resolution body, a national Data Protection Authority, or the FTC.39 Arbitration by a Privacy Shield Panel can be requested if the person is not satisfied with the results of these efforts.40

Common annual analysis. Ongoing monitoring of the Privacy Shield’s operation, including the commitments and guarantees relating to data access in order to fight crime and protect national security, is guaranteed by the mechanism. The European Commission and the U.S. Department of Commerce are jointly responsible for the monitoring.41 These bodies must also produce an “annual joint review” of the functioning of the Privacy Shield, which the Commission will transmit to the European Parliament and Council.42

IV. CONCLUSION

The two topics discussed represent examples of how the protection of personal data is increasingly subject to global policies and not limited to individual national laws.

The DPO will play a strategic role not only within the company in which he or she operates, but also in relation to the Data Protection Authorities. The DPO will be a crucial interlocutor for U.S. companies that want to import data from Europe.

The adoption of the Privacy Shield framework is a positive development because it includes assessment instruments on the correct functioning of the transfer, as well as a rights protection mechanism that can be used by concerned data subjects.

1. Commission Regulation 2016/679 of 27 Apr. 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), art. 99, 2016 O.J. (L 119) 1, 87 (EU) [hereinafter GDPR], http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=EN. For a detailed analysis of the GDPR, see W. Gregory Voss, European Union Data Privacy Law Reform: General Data Protection Regulation, Privacy Shield, and the Right to Delisting, 72 BUS. LAW. 221 (2016).

2. Art. 29 Data Protection Working Party, Guidelines on Data Protection Officers (“DPOs”) (Apr. 5, 2017) [hereinafter Guidelines], http://ec.europa.eu/newsroom/document.cfm?doc_id=44100.

3. The Article 29 Working Party is an advisory body composed of representatives of personal data protection authorities designated by each EU member State, the European Data Protection Supervisor, and a representative of the European Commission. For more information on the Art. 29 WP, see Art. 29 Working Party, EUR. COMMISSION (Nov. 22, 2016), http://ec.europa.eu/justice/data-protection/article-29/index_en.htm.

4. GDPR, supra note 1, arts. 4(7), 4(8), at 33 (defining “controller” as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data” and “processor” as “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”).

5. Id. art. 37(1), at 55.

6. Guidelines, supra note 2, at 5.

7. Id.; see GDPR, supra note 1, arts. 24(1), 37(1), at 47, 55.

8. Guidelines, supra note 2, at 6.

9. Id.

10. GDPR, supra note 1, para. 97, at 18.

11. Guidelines, supra note 2, at 8; see GDPR, supra note 1, para. 91, at 17.

12. Guidelines, supra note 2, at 8.

13. Id.; see GDPR, supra note 1, para. 24, at 5.

14. Guidelines, supra note 2, at 8.

15. Id. at 8–9.

16. Id. at 11–12; see GDPR, supra note 1, art. 37(5), at 55 (“The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfill the tasks referred to in Article 39.”).

17. Guidelines, supra note 2, at 12.

18. Id. at 13; see GDPR, supra note 1, art. 38, at 55–56.

19. GDPR, supra note 1, art. 38(3), at 56 (“The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalized by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.”).

20. Guidelines, supra note 2, at 17.

21. Id.; see GDPR, supra note 1, arts. 24(1), 39(1), at 47, 56.

22. Guidelines, supra note 2, at 17; see GDPR, supra note 1, art. 39(1), at 56.

23. Guidelines, supra note 2, at 18; see GDPR, supra note 1, art. 39(1), at 56.

24. Council Directive 95/46, 1995 O.J. (L 281) 31 (EC), http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046.

25. Id. art. 25(1), at 45.

26. Id. art. 25(1)–(2), at 45–46.

27. Id. art. 25(2), at 45–46.

28. See id. art. 26(1), at 46 (setting forth, among other conditions, that the transfer follows consent of the data subject, that the transfer is necessary for performance of a contract, and that the transfer is required on public interest grounds).

29. Id. art. 26(2), at 46.

30. GDPR, supra note 1, art. 45(1), at 61; see id. arts. 44–50, at 60–65.

31. Commission Decision 2000/520, 2000 O.J. (L 215) 7 (EC), http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32000D0520.

32. Id. Annex I, at 10–12 (setting forth the following principles: notice, choice (opt-in for sensitive information), onward transfer, security, data integrity, access, and enforcement).

33. Id. Annex I, at 12.

34. Case C-362/14, Schrems v. Data Prot. Comm’r, 2015 E.C.R. (Oct. 6, 2015), http://curia.europa.eu/juris/document/document.jsf?docid=169195&doclang=EN. The case was submitted to Irish judges by a Facebook user following the refusal of the Irish Data Protection Commissioner to examine a complaint filed against Facebook Ireland Ltd., which transferred personal data of its users to the United States and kept it stored on servers located in that country. Id.

35. Commission Decision 2016/1250, 2016 O.J. (L 207) 1 (EC) [hereinafter Commission Decision 2016/1250], http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32016D1250.

36. For the list of affiliated companies, see U.S. Dep’t of Commerce, Privacy Shield Framework: List, PRIVACY SHIELD, https://www.privacyshield.gov/list (last visited Aug. 31, 2017).

37. Commission Decision 2016/1250, supra note 35, para. 33, at 7.

38. Id. paras. 64–135, at 13–32. The collection of bulk data will be possible only under certain conditions, and in any case, the collection of data must be as focused and concentrated as possible. See id. para. 71, at 15 (collection shall be “as tailored as feasible,” and neither “mass” nor “indiscriminate”).

39. Id. para. 41, at 9.

40. Id. paras. 56–57, at 11–12.

41. Id. paras. 145–49, at 33–34.

42. Id.
