The Article 29 Working Party (WP29), at the April plenary meeting, examined certain critical matters with regards to the implementation of the General Data Protection Regulation (GDPR) and of the Privacy Shield and adopted several key documents such as an opinion on the draft e-privacy regulation and guidelines on data portability, data protection officers, lead authority and data protection impact assessment.
1. IMPLEMENTATION OF THE GDPR AND ADOPTION OF GUIDELINES
The WP29 adopted the final versions of the data protection officer (DPO), lead authority and data portability guidelines after having examined the comments received during the public consultation which ended on February 15, 2017.
The WP29 also adopted its guidelines on the data protection impact assessments (DPIAs) which will be open for public consultation for 6 weeks before their final adoption. The Party also continued its work on the certification guidelines, following the successful one day DPA workshop organized in Paris on March 30, 2017.
Each WP29 subgroup, provided a state of play of its works on the new priorities established under the 2017 GDPR Action Plan (consent, profiling, transparency, data breach notifications and data transfers).
The WP29 also worked on the organization and structure of the EDPB to be ready by May 25,
2018.
2. PRIVACY SHIELD – MEETINGS WITH THE US REPRESENTATIVES
The Chair of the WP29 informed the plenary of her visit to Washington with European Commissioner Vera Jourova (See relevant press release on the WP29 website).
The International Transfers Subgroup of the WP29 also briefed the plenary on its meeting with representatives from the Department of Commerce (DoC), the Federal Trade Commission (FTC) and the State Department (US mission to the EU) on March 14, 2017.
A specific individual form will be published on the website of the WP29 and on national DPA websites for submitting request on national security access by US intelligence agencies, to the US Ombudsperson via the EU Centralised Body.
Finally, the WP29 also started discussion with the European Commission on the organization of the joint annual review. This review aims to evaluate the effectiveness and robustness of the guarantees provided by the US on the Privacy Shield and will be scheduled in the autumn 2017.
3. ADOPTION OF OPINIONS AND LETTERS ON TRANSVERSAL ISSUES
The WP29 adopted opinions on:
(i) the draft e-privacy regulation proposed by the European Commission on January 10, 2017. In general, the Working Party welcomes the proposal for an ePrivacy ,Regulation. In particular, it appreciates the choice for a regulation as the regulatory instrument, the equalization of Over-The-Top (OTT) providers with telecom operators as regard confidentiality of communications as well as the attempt to modernize the rules applicable for tracking in the online world. However, the DPA's note 4 points of concern related to WiFi tracking, analysis of content and metadata, tracking walls, and privacy by default regarding terminal equipment and software.
(ii) the revised EU regulation 45/2001 on the processing of personal data by European institutions and bodies where the WP29 underlined the importance of ensuring a consistent articulation between the GDPR and the Regulation 45/2001 and in particular of recognizing the full competence of the EDPB to advise the Commission on any draft legislative acts or recommendations on the processing of personal data.
Moreover, the WP29 took a position on:
(i) the proposal for a Regulation on the new European Travel Information and Authorization System (ETIAS) and ;
(ii) the Code of Conduct ("Code") on privacy for mobile health applications. This letter provides a first set of comments regarding its compliance with the Data Protection Directive taking into account the GDPR requirements.
The WP29 also:
(i) adopted a letter on Yahoo! to the Director of National Intelligence (ODNI) asking for additional information regarding the legal basis and justifications for any surveillance activities concerning EU data subjects. A copy of this letter will also be sent to the Privacy Shield's Ombudsperson.
(ii) agreed to prepare a response to the consultation the European Commission will open between April and July 2017, on the Prototype Commission Regulation which would extend the competence of EU regulation to all drones below 150kg and currently regulated on national level. An opinion on employee monitoring is in preparation and will touch upon sensitive subjects such as use of professional social networks in a recruitment process or once an employee has left the company, data loss prevention (DLP) tools for IT security purposes, location tracking to monitor the transport of people or goods, and the increased blurring of the boundaries between home and work as employees increasingly work remotely or use BYOD.
4. Fablab
The 2017 GDPR Fablab, organized by the WP29, took place on April 5 & 6 in Brussels. This interactive workshop was an opportunity for DPAs and interested stakeholders (civil society and European federations) to discuss and receive feedback on the WP29's priorities of consent, profiling and data breach notifications. The outcomes of this session together with the results of national consultations initiated in some Member States will help DPAs prepare fruitful guidelines on these topics by the end of the year.