The Article 29 Working Party finalises key GDPR guidance and publishes draft guidelines on Article 49 derogations which deal with special conditions for transfers of personal data to third countries.
What's the issue?
The General Data Protection Regulation (GDPR) will apply in under three months' time. Regulators are working towards creating a pack of guidance to assist with understanding and ongoing compliance. The most influential guidance will come from your local regulator and/or your Lead Supervisory Authority (in many cases also your local regulator) and from the Article 29 Working Party (WP29), made up of European regulators.
What's the development?
The WP29 has finalised guidance on breach notification, fines (no changes) and automated decision making and profiling.
It has also published draft Article 49 GDPR for consultation. Article 49 deals with derogations for transfers of personal data to third countries.
What does this mean for you?
We covered the draft versions of the now finalised guidance here. In essence, not much has changed but we set out key changes between the draft and final version and newly highlighted points in the 'read more' section below.
The guidance on Article 49 will be welcomed. Data transfers outside the EEA continue to be a hot topic as challenges to Standard Contractual Clauses and, potentially the EU-US Privacy Shield, are on the horizon. Businesses may be tempted to seek to rely on other less common transfer routes. The draft guidance makes clear when these apply and highlights the fact that they can only be used as the exception rather than as the rule.
Key differences between draft and final versions of guidance:
- Technological and organisational measures have to be in place to establish "immediately" whether a breach has taken place (see below).
- Planned system maintenance will not be a breach of security under Article 4(12) even though there may be loss of availability.
- In accordance with guidance on fines, while fines are cumulative for different infringements committed in a single case, liability will be capped within the level of the highest infringement.
- Emphasis on Recital 87 – establishing that notification to an SA is made without undue delay should take into account the nature and gravity of the breach and its consequences and adverse effects for the data subject. This is slightly confusing. On the one hand, the guidance suggests that technical and organisational measures should enable the "immediate" establishment of a breach, on the other, it continues to allow for a window for investigation after a report of a breach, during which time the controller is not considered to be "aware" and the 72hr time limit is not engaged. It also says at a later stage that there should be ability to detect a breach "in a timely manner".
- Advice is to document breach as it develops.
- Processors should inform controllers immediately of a breach and not wait to investigate it. The controller may, in any event, want to carry out an investigation. Processor obligations in relation to assisting controllers should be provided for in the controller/processor contract.
- Where a complete SA notification cannot be made within the 72 hour time limit, the controller should inform the SA of the breach with as much information as possible. The SA may then agree when other information will be provided but the controller should feel free to provide information at other times where relevant.
- Clarification that the Lead SA who must be informed of the breach may not be in the same jurisdiction as the affected data subjects.
- A reminder that a controller/processor who is not established in the EU but to whom the GDPR applies, is bound by the notification obligations and will have to designate a representative in the EU. Where the controller needs to notify a data breach, it should make it to the SA in the Member State where its representative is situated.
- A reminder about Recital 88 which states that controllers should take the legitimate interests of law enforcement into account before informing data subjects. In some circumstances it may be appropriate to delay notification where advised to do so by a law enforcement authority or the relevant SA.
- Appropriately implemented pseudonymisation may reduce the likelihood of individuals being identified but cannot, alone, be regarded as making the data unintelligible.
- While there is a requirement to document even non-reportable data breaches, records containing personal data should be subject to retention reviews. The DPO should play a role in this.
- A reminder that other notification obligations may apply under legislation including eIDAS and NISD.
Automated individual decision making and profiling
- The guidance has been restructured somewhat and more practical examples have been included.
- A new Annex of good practice recommendations is included.
- Profiling involves some form of assessment or judgment about a person.
- Retention policies must take into account the rights and freedoms of the individuals and the controller should build in update mechanisms while data is retained.
- Necessity should be interpreted narrowly when considering whether profiling is necessary for the performance of a contract. This will be true even where controllers wish to use profiling and automated decision making for purposes which may benefit the data subject.
- Informing data subjects is particularly important where inferences about sensitive preferences are being drawn. The controller should make the data subject aware that not only do they process non-special data but that they derive special categories of data from it.
- The balancing test in relation to the right to object, between the controller's interests and the basis for the data subject's objection, is different from the one in Article 6(1)(f). It is sufficient for a controller to demonstrate that their earlier legitimate interest analysis was correct. The balancing test requires the legitimate interest to be compelling, implying a higher threshold for overriding objections.
- The Article 22 right applies as a general prohibition, regardless of whether or not the data subject has taken an action regarding the processing of their personal data in this way. It is not a right to be invoked by data subjects but applies automatically where the solely automated processing or profiling has a legal effect or a similarly significant effect.
- The list of examples of legal effects has changed and now includes: cancellation of a contract; entitlement to or denial of a social benefit; and refused admission to a country or denial of citizenship. Notably, subjection to increased security measures or surveillance has been deleted.
- There is an expanded set of examples of when data processing significantly affects someone.
- In relation to the right of access, the data subject should be provided with information about the envisaged consequences of the processing rather than with an explanation of a particular decision in accordance with Article 15(1)(h).
- If a controller envisages a solely automated decision process having a high impact on individuals based on profiles made about them and it cannot rely on the individual's consent, a contract with the individual, or a law authorising the profiling, it should not proceed. It may, however, be able to increase the level of human intervention to the point where the decision making process is no longer fully automated. There may still be risk which should be addressed.
- Controllers should also consider additional guidance on DPIAs in relation to carrying out automated individual decision making and profiling.
Article 29 Working Party draft guidelines on Article 49 GDPR derogations
The draft guidelines look at each of the Article 49 derogations in more detail.
Explicit consent of the data subject - the guidelines note the higher consent requirement of "explicit" consent in relation to Article 49 and cross refer to its consent guidance. The WP29 suggests consent is not a long-term solution for data exports because of the requirement that it be explicit and also because it can be withdrawn at any time so it may be impractical.
In addition, consent must be specific and informed so certain information must be provided to data subjects before the transfer takes place. Again, this may present practical difficulties as the specific circumstances may not have been known at the time the data was collected.
The guidance implies that specific consent to a particular transfer can be obtained after the data was collected and prior to the transfer taking place. This will be in addition to any consent to processing which may have been collected before the processing began if the specific information was unavailable at the time. In order for consent to a transfer to be "informed", the data subject must be told:
- the identity of the data controller;
- the purpose of the transfer;
- the type of data involved;
- the right to withdraw consent;
- the identities and categories of recipients;
- the countries to which the personal data is being transferred and the fact that they are not considered to have an adequate level of data protection;
- the fact that consent is the lawful grounds to the transfer; and
- the risks associated with the transfer (can be in standardised form but must be presented before the transfer takes place).
Transfer necessary for performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the data subject's request - transfers based on this derogation must be occasional and necessary. This must be assessed on a case by case basis. The WP29 suggests that data transfers occurring within a stable relationship are more likely to be systematic and repeated rather than occasional. Necessity requires there to be a "close and substantial connection between the data transfer and the purposes of the contract".
Necessary for important reasons of public interest – although this derogation is chiefly intended to be relied on by public authorities, private bodies may also be able to do so, for example, services dealing with contact tracing for contagious diseases. While there is no requirement that the transfer be only occasional, the guidelines say this derogation should not be relied on where transfers are large scale or systematic. It should be engaged for transfers which are the exception rather than the rule.
Necessary for the establishment, exercise or defence of legal claims – reliance on this can only be where transfers are occasional and necessary. This may include during pre-trial discovery in civil litigation, or where a data controller is seeking to institute proceedings in a third country. The derogation:
- cannot be used where there is a mere possibility that legal proceedings or formal procedures may be brought;
- can apply to activities carried out by public authorities in the exercise of their functions;
- implies that the relevant procedure must have a basis in law but this is not necessarily limited to judicial or administrative procedures; and
- requires a close link between the data transfer and the legal issue.
Transfer necessary to protect vital interests of the data subject or other persons – this is likely to apply in the event of medical emergency, where the risk of serious harm outweighs the data protection risks. The WP29 says that this can only be relied on where the data subject is incapable of giving consent.
Transfer made from a public register – the WP29 clarifies that this derogation cannot be used to cover all the personal data or categories of personal data in the register.
Compelling legitimate interests which are not overridden by the interests or rights or freedoms of the data subject – this is a new derogation and the WP29 emphasises that it should only be used as a last resort. A data exporter seeking to rely on it must be able to demonstrate that it made every effort to transfer the data under Article 46 or under a different Article 49 derogation before it sought to rely on this.
Needing a "compelling" legitimate interest is a higher threshold than the legitimate interests basis for lawful processing – not all legitimate interests will be compelling. The derogation is also unavailable where the transfer is repetitive or made to an unlimited number of data subjects. The data controller will be required to engage in a balancing exercise between its interests and the rights of the data subjects.
Appropriate safeguards to minimise risk need to be introduced. Data subjects will have to be informed that the transfer is taking place on this basis and about the compelling legitimate interests on which the controller is relying.
The relevant supervisory authority must also be informed although permission is not required from the SA for the transfer. The WP29 recommends careful documentation of the process in order to comply with the accountability requirements.