The last WP29 plenary meeting was busy as the Article 29 Working Party (WP29) (Group of EU data protection authorities) went through different matters with regard to:
- the implementation of the General Data Protection Regulation (GDPR) and of the Privacy Shield
- the adoption of key documents such as an opinion on the draft e-privacy regulation and the final versions of guidelines on data portability, data protection officers and lead authority, as well as a draft data protection impact assessment guideline.
It also adopted opinions on other documents (code of conduct for privacy on mobile health applications, letter on Yahoo! to the Director of National Intelligence, etc.).
IMPLEMENTATION OF THE GDPR AND ADOPTION OF GUIDELINES
The WP29 adopted:
- the final versions of the data protection officer (DPO), lead authority and data portability guidelines.
- guidelines on the data protection impact assessments (DPIAs) which will be open for public consultation for 6 weeks before their final adoption.
The WP29 will continue working on a certification guideline, and a state of play of its work on consent, profiling, transparency, data breach notifications and data transfers was provided during the meeting (we assume that guidelines should be coming by the end of the year).
The WP29 also worked on the organization and structure of the EDPB to be ready by May 25, 2018.
An opinion on employee monitoring is also in preparation and will concern the use of professional social networks in a recruitment process or once an employee has left the company, data loss prevention (DLP) tools for IT security purposes, location tracking to monitor the transport of people or goods, and the increased blurring of the boundaries between home and work as employees increasingly work remotely or use BYOD.
PRIVACY SHIELD – MEETINGS WITH THE US REPRESENTATIVES
Meeting with US representatives. The International Transfers Subgroup of the WP29 met the representatives of the Department of Commerce (DoC), the Federal Trade Commission (FTC) and the State Department (US mission to the EU) on March 14, 2017. The Chair of the WP29 (the current president of the CNIL) also went to Washington with the European Commissioner (Vera Jourova).
Privacy Shield Complaints Form to be released. A specific individual form is to be published on the website of the WP29 and on national DPA websites for submitting requests regarding national security access by US intelligence agencies to the US Ombudsperson via the EU Centralised Body.
Privacy Shield Annual Review. The WP29 started discussions with the European Commission on the organisation of the joint annual review in order to evaluate the effectiveness and robustness of the guarantees provided by the US on the Privacy Shield. The first review will be scheduled in autumn 2017.
ADOPTION OF OPINIONS AND LETTERS ON TRANSVERSAL ISSUES
The WP29 adopted opinions on:
(i) the draft e-privacy regulation proposed by the European Commission on January 10, 2017. In general, the Working Party welcomes the proposal for an ePrivacy Regulation but raised 4 points of concern related to WiFi tracking, analysis of content and metadata, tracking walls, and privacy by default regarding terminal equipment and software.
(ii) the revised EU regulation 45/2001 on the processing of personal data by European institutions and bodies. According to the WP29, it is important to ensure a consistent articulation between the GDPR and Regulation 45/2001, and in particular to recognise the full competence of the EDPB to advise the Commission on any draft legislative acts or recommendations on the processing of personal data.
(iii) the proposal for a Regulation on the new European Travel Information and Authorization System (ETIAS);
(iv) the Code of Conduct (“Code”) on privacy for mobile health applications. This letter provides a first set of comments regarding its compliance with the Data Protection Directive taking into account the GDPR requirements.
It also agreed:
(v) on a letter on Yahoo! to the Director of National Intelligence (ODNI) asking for additional information regarding the legal basis and justifications for any surveillance activities concerning EU data subjects. A copy of this letter will also be sent to the Privacy Shield’s Ombudsperson.
(vi) to prepare a response to the consultation on the Prototype Commission Regulation, which would extend the competence of EU regulation to all drones below 150 kg, which are currently regulated at national level.