It was a busy week in the Commercial IP team last week as the number of clients wanting information about GDPR continues to increase. We ran seminars for the recruitment sector and for our Charity Forum. If you would like to attend one of our future sessions, please email Sandy Waters or visit the training arm on our website.
It has also been a busy time at the Information Commissioner’s Office.
Given that our minds are currently firmly focused on GDPR matters and we are all aware that you cannot export personal data outside of the EEA unless the recipient country has an adequate level of protection in respect of the personal data, we thought you might like to know that the EC has published its report on the first review of the EU-US Privacy Shield. You may be aware that the ‘Safe Harbour’ with the US was found to be failing in its compliance with data protection and the EU-US Privacy Shield was introduced as its successor.
Now that the Privacy Shield is one year old, the EU data protection authorities conclude that there is room for improvement.
First annual review of EU-US Privacy Shield finds adequate data protection but room for improvement
On 18 October 2017, the European Commission published its report and staff working document on the first annual review of the EU-US Privacy Shield (the Report) (COM(2017) 611 final). This follows discussions on 18 and 19 September 2017 between officials from the US government, the European Commission and EU data protection authorities (DPAs). On the whole, the Report shows that the Privacy Shield continues to ensure an adequate level of data protection for personal data transfers for commercial purposes from the EU to the 2,400 participating companies in the US.
However, there is room for improvement and the Commission has drawn up a list of recommendations for US authorities. These include: more regular and proactive monitoring by the US Department of Commerce of companies’ compliance with their Privacy Shield obligations, together with regular searches for companies making false claims about their participation in the Privacy Shield; increasing awareness among EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints; closer co-operation between privacy enforcers such as the US Department of Commerce, the Federal Trade Commission and the DPAs, notably to develop guidance for companies and enforcers; and the urgent appointment of a permanent Privacy Shield Ombudsperson, as well as filling the empty posts on the Privacy and Civil Liberties Oversight Board.
The Report will now be sent to the European Parliament, the Council, the Article 29 Working Party and US authorities. The Commission will continue to work with US authorities in the coming months on the follow-up of its recommendations and will monitor compliance.
Despite this generally good bill of health and positive support from EU Commissioners, the Privacy Shield remains subject to a challenge in the ECJ by two privacy groups.
Data Protection Impact Assessments (DPIAs) are also a focus under GDPR and we have been discussing them at our seminars. DPIAs are only required where a business’s processing activities are likely to result in a high risk to the rights of individuals. But it is interesting to read that even where a DPIA is not mandatory, a data controller is still under an obligation to implement organisational measures to manage risk.
Article 29 Working Party adopts revised Guidelines on Data Protection Impact Assessment
On 4 October 2017, the Article 29 Working Party (WP29) adopted revised Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 (WP 248 rev.01).
In line with the risk-based approach in the General Data Protection Regulation ((EU) 2016/679) (GDPR), a DPIA is not mandatory for all data processing activities. It is only mandatory where processing is likely to result in a high risk to the rights of individuals and is particularly relevant where new data processing technology is being introduced.
The WP29 stresses the fact that where conditions triggering the obligation to carry out a DPIA are not met, this does not diminish data controllers’ general obligation to implement measures to appropriately manage risks for individuals. In practice, this means that controllers must continuously assess the risks created by their processing activities in order to identify when a type of processing is likely to result in a high risk to individuals.
In order to ensure a consistent interpretation of the circumstances in which a DPIA is mandatory, the guidelines seek to promote the development of common EU lists of processing operations for which a DPIA is mandatory and for which one is unnecessary; common criteria on the methodology for carrying out a DPIA; common criteria for specifying when a supervisory authority shall be consulted; and recommendations building on EU member states’ experience.
If you would like further information on data protection issues, please contact me.