On February 15, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted two sets of formal comments to the Article 29 Working Party (the “Working Party”). CIPL commented on the Guidelines for identifying a controller or processor’s lead supervisory authority (“Lead Authority Guidelines”), and on the Guidelines on the right to data portability (“Data Portability Guidelines”). Both were adopted by the Working Party on December 13, 2016, for public consultation.
CIPL’s comments on the Lead Authority Guidelines follow a November 2016 CIPL white paper with initial input to the Working Party, and the comments on the Data Portability Guidelines represent the first CIPL intervention on this new individual right that will be introduced by the EU General Data Protection Regulation (“GDPR”).
CIPL’s comments on the Lead Authority Guidelines underline that a fully functioning cooperation mechanism among data protection authorities (“DPAs”), based on the concept of a one-stop-shop (“OSS”) and a lead DPA, is an essential prerequisite for the consistent and effective implementation of the GDPR. Additionally:
- Any guidelines on the OSS should keep the principle of harmonization as a main guiding thread.
- CIPL commends the Working Party’s Lead Authority Guidelines as generally well-balanced and pragmatic. Guidance provided at this early stage makes it possible for companies to prepare for the new legal regime.
- CIPL also approves that the Lead Authority Guidelines provide for a central role for organizations in the process of designating the lead DPA, because the controller/processor is in the best position to identify where its central administration is located, where decisions on the purposes and means of processing are taken or where its main processing activities take place.
- The Lead Authority Guidelines should be regarded only as a first step towards a fully functioning OSS; CIPL suggests that the Working Party consider the Lead Authority Guidelines as a living document and regularly update them.
CIPL’s comments on the Lead Authority Guidelines also emphasize several key issues that it believes were insufficiently addressed by the Working Party, including:
- The functioning of the OSS should be based on the identification of the lead DPA by the organization itself (the controller or the processor), subject to review by the DPA based on all relevant facts.
- The different realities of controllership within groups of undertakings should be taken into account.
- Cooperation between the lead DPA and concerned DPAs should be fully transparent and organizations should be involved in the procedure of referring a matter to the European Data Protection Board.
- Processors should fully benefit from the OSS.
- The assessment of data transfers based on due diligence, as required in the Schrems judgment of the Court of Justice of the European Union, should be primarily a task of the lead DPA.
- The identification of a lead authority carried out in the context of BCRs should play a role in identifying the main establishment and lead DPA under the GDPR.
The right to data portability is laid down in Article 20 of the GDPR as a new right of individuals. CIPL’s comments on the Data Portability Guidelines commend that the Working Party has developed practical guidance on how to implement it. CIPL’s comments must be seen in light of the double objective of the right to data portability: providing individuals with an additional tool for control over their personal data and contributing to competition and innovation, which is beneficial to individuals, businesses and society at large. The right to data portability must be implemented in a way that effectively supports both objectives.
More specifically:
- The data portability right should effectively provide added value to individuals, in addition to the other rights of the individuals in the GDPR. Data portability should not replace or recalibrate these other rights.
- CIPL has doubts about the added value of the data portability right with respect to employees’ data or personal data in the context of B2B activities. The data portability right should not extend to the employment context, but only be applied to a narrow subset of such data.
- An overly broad implementation of the data portability right may stifle competition and innovation and impose unnecessary burdens on organizations.
- In many instances, controllers will have to make a significant technical investment. This should not lead to disproportionate efforts, especially in areas where the right does not present added value to individuals.
- Processors may also be significantly impacted by the data portability right.
- Organizations need to have full legal certainty about the scope of application of the data portability right, as envisioned in the GDPR. Therefore, CIPL suggests clarifications to:
- The definition of data that may be subject to a data portability request, focusing on data actively provided by the data subject and recognizing that data portability cannot necessarily work for pseudonymized data.
- The responsibilities of the sending and receiving parties, limiting the responsibilities of receiving parties.
- The status of shared and third-party data.
- The requirement and feasibility of technical formats.
Finally, CIPL proposes to facilitate a roundtable with key stakeholders, which could be instrumental in reaching the right outcomes.
CIPL’s comments were developed based on input by the private sector participants in CIPL’s ongoing GDPR Implementation Project, which includes more than 85 individual private sector organizations.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code