EU - Welcome clarity? Guidance on data protection officers, portability and lead authorities
European privacy regulators have now finalised their guidance on three key aspects of the General Data Protection Regulation: the role of the data protection officer, the new data portability right and the identification of a lead supervisory authority.
While the provision of timely guidance is helpful for businesses preparing for the Regulation, some of the content of that guidance will be less welcome, such as the very broad scope given to the data portability right. We consider these three pieces of guidance, and the role of guidance more generally.
The General Data Protection Regulation will come into force in May next year. While many of the core concepts are familiar, there are a number of new obligations for businesses to grapple with. The effect of these new rights and obligations is not always clear, so regulators are busy preparing guidance to explain their interpretation of these new requirements. A summary of the General Data Protection Regulation is set out in our Survival Guide.
On the one hand this guidance is very welcome for businesses preparing for these changes because it explains what they need to do to comply in practice. On the other hand, there is the concern that some requirements might be interpreted in an overly broad and burdensome manner.
Guidance from regulators will also be more important under the General Data Protection Regulation than it was under the Data Protection Directive. The Article 29 Working Party’s guidance under the Directive was little more than soft law, but the guidance from the soon-to-be-constituted European Data Protection Board will carry much greater weight. In particular:
- the Regulation applies the same law across the EU and is intended to have a strongly harmonising effect. Contrast this to the Data Protection Directive which allowed guidance to be distinguished on the basis the Directive was implemented in a different way in different Member States;
- on the whole guidance remains guidance. However, in some cases the guidance is embedded into the General Data Protection Regulation, e.g. the Board has a statutory obligation to produce guidance (see table here). This mandated guidance will not have the power of a delegated regulation from the Commission but may well become more than a pure soft law instrument; and
- the Board will have real teeth. For example, national supervisory authorities must take the “utmost account” of the opinions of the Board and can be forced to comply with the opinion through the dispute resolution mechanism.
The Article 29 Working Party has now finalised its guidance on the role of the data protection officer, the new data portability right and the identification of a lead supervisory authority. It has also issued draft guidance on mandatory privacy impact assessments and intends to issue guidance in many other areas. The current state of play is summarised in the table here.
The assumption is that the Working Party’s guidance will be adopted by the European Data Protection Board when it is constituted, and that the Board will then turn its mind to the other guidance it is required to produce under the General Data Protection Regulation (again, see the table here).
This is further supplemented by a stream of guidance issued by national regulators, such as the UK Information Commissioner’s guidance on consent (here) or the French CNIL’s guidance on profiling. This provides a lot to keep track of, though hopefully much of this national guidance will be consolidated at an EU level in time.
The portability right - The first piece of final guidance relates to the data portability right. This gives individuals the right to receive personal data “concerning” them that they have “provided” to a controller. That data should be provided in a structured, commonly used and machine-readable format, and should be free of charge, unless the request is manifestly unfounded or excessive. Individuals should be told about this right.
This new right to “data portability” enhances the existing subject access, by giving individuals control and ownership of their personal data, allowing them to play a more active role in the data ecosystem and to more easily move their data between online service providers.
Key guidance - The final guidance includes the following key points:
- That the right to data portability is limited to personal data processed by automated means where the legal basis is either: (i) the data subject’s consent; or (ii) a contract to which the data subject is party. The guidance confirms it does not extend to data processed on other legal grounds such as legal compulsion or legitimate interests. This means that information such as AML/KYC information is unlikely to be subject to the portability right.
- The scope of information “provided” by the data subject is broad. It includes both data actively and knowingly provided by the data subject and personal data generated by his or her activity. This would therefore include information provided on an online form and history of website usage or search activities. However, it does not include inferred or derived data created by the controller when analysing data subject data or behaviour. The European Commission has expressed concerns about this approach in the draft guidance, but this position has been retained in the final guidelines.
- Controllers should not take an overly restrictive approach to their interpretation of “personal data concerning” the individual as this might exclude information containing the personal data of several data subjects (for example, telephone records).
- The format of the data should facilitate interoperability – as a minimum, the data should be provided in such a way that it is “structured, commonly used and machine-readable”. Where no formats are in common use for a given industry or context, controllers should use open formats such as XML, JSON and CSV along with useful metadata to make the function and reuse of data possible (but without revealing trade secrets).
- Controllers are encouraged to develop means to respond to data portability requests, such as tools and APIs. However, there is no obligation for controllers to adopt or maintain processing systems which are technically compatible.
- Ideally, controllers should provide tools to enable data subjects to select the relevant data they wish to transmit and to enable use of consent mechanisms for any third party data subjects involved in the transfer.
- Controllers should ensure they authenticate the individual’s identity before disclosing information to them. They should take appropriate risk-mitigation measures, such as using additional authentication measures, or suspending or freezing transmission if there is a suspicion that an account has been compromised.
Position of receiving controller - The guidance also focuses on the position of the controller to whom the personal data is transferred. The receiving controller is responsible for ensuring there is a legal basis for any processing they carry out. In many cases, it may be difficult for the receiving controller to establish an appropriate legal basis and they should only use the data on the instructions of the individual who made the portability request. For example, the guidance suggests that where email addresses in a contact directory are transferred, the receiving controller should make no independent use of that information.
In practice - Organisations should carefully consider if the personal data they hold is subject to this right, whether it is likely they will receive portability requests and how they will deal with those requests. However, perhaps the biggest question is whether individuals will actually use this right in practice or if it will just be a regulatory white elephant.
Mandatory appointment - Another significant change under the General Data Protection Regulation is the appointment of data protection officers. This will be mandatory where:
- The controller is a public authority or body (other than a court).
- The controller’s core activities consist of regular and systematic monitoring of data subjects on a large scale. The guidance suggests that “core activities” are the key operations necessary to achieve the controller or processor’s goals, and include activities in which processing of data forms an inextricable part (such as hospitals providing healthcare, which would be impossible without processing patients’ medical records). By contrast, ancillary processing of personal data, such as for payment of employee salaries or other support functions, does not constitute a “core activity”. Whether the processing is “large scale” will depend on a range of factors and the regulators plan to share examples of the relevant thresholds in due course.
- The controller’s activities consist of processing sensitive personal data on a large scale (including processing information about criminal offences).
- National law requires the appointment of a data protection officer. Germany’s new data protection law will require a data protection officer to be appointed if the controller has 10 or more employees.
The guidance sets out examples of when it will be mandatory to appoint a data protection officer including operating a telecommunications network, location tracking and profiling and scoring for the purposes of risk assessment. The final guidance also suggests that “data-driven” marketing may constitute regular and systematic monitoring and so trigger the mandatory appointment of a data protection officer.
A single data protection officer can be appointed for the whole of a corporate group, and the officer can either be internal (an employee) or external (appointed on the basis of a service contract).
Necessary qualities - The data protection officer must also have a level of expertise that matches the sensitivity, complexity and amount of data the organisation processes. The guidance suggests this means expertise in national and EU data protection laws, an in-depth understanding of the General Data Protection Regulation, and a good understanding of the processing operations carried out by the organisation, as well as its information systems and data security needs.
This should be coupled with integrity and high professional ethics, and the data protection officer cannot hold a position that creates a conflict of interests, such as acting as the CEO, head of IT, head of marketing or head of HR. The guidance suggests this means a data protection officer on a service contract (such as a lawyer) should not represent the controller in court on data protection matters.
The data protection officer must report into the highest level of management. In this respect the guidance suggests that where the data protection officer provides an opinion on a data protection law issue which is then not followed by the organisation, the dissenting opinion should be made clear to the highest management level to ensure they are aware of this disagreement.
Other points - The final guidelines contain the following further clarifications about this role:
- When an organisation designates a data protection officer on a voluntary basis, the same requirements will apply as if such designation had been mandatory. Job titles should therefore be considered carefully to avoid an “accidental” statutory appointment.
- Controllers should document their decision whether to appoint a data protection officer. This should be updated when necessary, e.g. where new processing activities are undertaken.
- The data protection officer is designated for all processing operations carried out by the controller or processor, not just those activities triggering their appointment.
- The name of the data protection officer is communicated to the supervisory authority.
- Data protection officers are not personally liable for non-compliance with the General Data Protection Regulation – compliance is ultimately the responsibility of the processor or controller.
The guidance also suggests the data protection officer should preferably be located within the EU, even when the controller or processor is not established there. However, it is acknowledged that there are some circumstances in which it may be more efficient to carry out their activities from outside the EU. In practice, it seems hard to think of any circumstances in which an EU-based data protection officer could fulfil their obligations when they are physically distant from the non-EU processing activities.
In practice – The International Association of Privacy Professionals has estimated that as many as 75,000 data protection officers will be needed. It is not clear there are sufficient candidates with the necessary expertise to take on this role, so businesses that are required to appoint such a candidate should start the appointment process soon.
One-stop-shop - To help create a single market for data processing across the EU, the General Data Protection Regulation contains the concept of a lead supervisory authority, which will be primarily responsible for “cross-border” data processing activity by a controller. In essence, this creates a regulatory one-stop-shop.
Cross-border processing - Cross-border processing is the processing of personal data: (i) in the context of the activities of an establishment in more than one Member State where the controller or processor is established in more than one Member State, or (ii) in the context of a single establishment of a controller or processor in the EU which substantially affects or is likely to substantially affect data subjects in more than one Member State.
The guidance considers that “substantial effect” should be interpreted on a case-by-case basis taking into account the context and purpose of the processing, type of data, and factors such as whether the processing is likely to cause damage or distress to individuals. This means that entities established in one Member State that are processing information about individuals in other Member States in such a way that it does not have a substantial effect on those individuals will not benefit from the one-stop-shop – in other words, low-risk processing will continue to be separately regulated in each Member State.
Identifying the lead supervisory authority: Where cross-border processing occurs, it is necessary to identify the lead supervisory authority. This is the jurisdiction of the main establishment or single establishment of a controller or processor in the EU. The guidance sets out a range of factors to consider when making this assessment including:
- Where decisions about processing are given the final sign-off.
- Where decisions about business activities concerning data processing are made.
- Where the power to have these decisions implemented lies.
- The location of the director with overall managerial responsibility for cross-border processing.
- Where the organisation is registered as a company, if in a single territory.
The guidance contains further clarification on these issues, including that:
- Where processing is carried out by a group of undertakings with its headquarters in the EU, the establishment of the undertaking with overall control is presumed to be the decision-making centre, unless the decisions about the purposes and means of processing are taken by another establishment. This means that where the processing decisions are clearly made by one entity within a group, the whole group will benefit from the one-stop shop.
- Joint controllers should designate which establishment will have the power to implement decisions about data processing with respect to all joint controllers. This will then be considered the main establishment.
- A lead supervisory authority can rebut a controller’s identification of their lead supervisory authority.