The EU Article 29 Working Party (comprising the EU’s member state data protection authorities) (WP29) will be holding a third Fablab in Brussels on 18 October 2017 to consult with stakeholders on the topics of transparency and international data transfers under the General Data Protection Regulation (GDPR). The purpose of the Fablab is to seek the views of stakeholders in order to further inform (1) the preparation of new guidelines on transparency under the GDPR and (2) the updating of existing guidelines on international data transfers.
Ahead of the Fablab, the Irish Data Protection Commissioner (DPC) is conducting an online consultation on the topics of transparency and international data transfers under the GDPR. The submissions received by the DPC from this consultation will be shared with the presidency team, and other members, of WP29, for the purposes of conducting the Fablab and preparing new and updated WP29 GDPR guidelines. The submissions may also be used by the DPC for the purposes of any future GDPR guidance materials which the DPC may produce. However, there should be no expectation by any party making submissions to the DPC that any issue, position or view raised in submissions during this consultation will be addressed in any new or updated GDPR guidelines which may be produced by WP29 or the DPC. The DPC will not be summarising or preparing a report of the submissions received. The DPC’s consultation will run from Wednesday 6 September 2017 until Friday 13 October 2017. The DPC now invites submissions from interested parties on the specific issues set out below concerning transparency and international data transfers under the GDPR. Submissions should be emailed to firstname.lastname@example.org.
Consultation on Transparency under the GDPR
The concept of transparency appears in the GDPR as an element of one of the six principles which must be adhered to when processing data. Under Article 5(1)(a) of the GDPR, personal data must be processed in a “transparent manner”, in addition to the other requirements in that sub-article that personal data must be processed lawfully and fairly. Transparency is also intrinsically linked to the new principle of accountability under the GDPR. It follows from Article 5(2) of the GDPR that the data controller must be able to demonstrate that personal data are processed in a transparent manner in relation to the data subject.
Transparency is an overarching obligation under the GDPR applying to three central areas: (1) the provision of information to data subjects related to fair processing; (2) how data controllers communicate with data subjects in relation to their rights under the GDPR; and (3) how data controllers facilitate the exercise by data subjects of their rights. Transparency, when adhered to by data controllers, empowers data subjects to hold data controllers and processors accountable and to exercise control over their personal data by, for example providing or withdrawing informed consent and actioning their data subject rights.
Relevant articles relating to transparency under the GDPR include: 5.1(a), 12, 13, 14,
Relevant recitals relating to transparency under the GDPR include: 39, 58, 59, 60, 61, 62
The DPC seeks submissions on the following issues:
1. There is no definition of transparency under the GDPR, although Recitals 39 and 58, amongst others, are informative as interpretative guides. How should transparency be defined/ interpreted?
2. Article 12.1 of the GDPR requires a data controller to take “appropriate measures” to provide the information required under Articles 13 and 14 and any communications under Articles 15 – 22 and 34 relating to processing, in accordance with the transparency requirements set out in that Article. In other words, the information/ communication in question should be concise, transparent, intelligible, easily accessible and use clear and plain language.
a. What factors should be taken into consideration when determining what may be “appropriate measures” for these purposes?
b. What sorts of transparency tools/ techniques/ mechanisms/ approaches might constitute “appropriate measures” for these purposes?
3. Recital 58 and Article 12.1 of the GDPR in particular indicate that there should be a higher transparency threshold when the data subject is a child. How should the higher level of transparency that is required when addressing child data subjects be achieved?
4. Article 12.1 also states that the information which must be provided to data subjects, as referred to in that article, should be provided “in writing, or by other means, including, where appropriate, by electronic means”.
a. What factors are relevant in determining whether the information might be provided in writing, or alternatively by other means, or by a combination of both?
b. What tools/ techniques/ mechanisms/ approaches might constitute “by other means”, in a non-electronic environment, for these purposes?
c. What tools/ techniques/ mechanisms/ approaches might constitute “by other means”, in an electronic environment, for these purposes?
5. Article 12.7 provides that the information which is to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons. Article 12.8 provides that the European Commission is empowered to adopt delegated acts under Article 92 for the purposes of standardising the use of icons. What categories of information, to be presented by the use of icons, should be prioritised for the standardisation of icons?
6. Article 13 sets out the information which must be provided to a data subject where personal data “are collected from the data subject” while Article 14 sets out the information which must be provided to a data subject “where personal data have not been obtained from the data subject”. Which of Article 13 or 14 should apply (and why) where:
a. Personal data is collected remotely/ passively from a data subject, i.e. it is collected from, or on, the data subject but without the data subject actively providing it to the data controller, e.g. it has been collected by way of observation, CCTV recording, Bluetooth “beacons” or Wi-Fi tracking of the data subject?
b. Further personal data is inferred, derived or generated by a data controller from a set of personal data which was originally provided directly by a data subject to a data controller?
7. Articles 13.3 and 14.4 both cover a situation where a data controller intends to further process the personal data for a purpose other than that for which it was collected/ obtained respectively. In such a situation, the data controller is required to provide the data subject with information on that other purpose “prior to that further processing”.
a. How far in advance of that further processing should this information be provided?
b. What factors should affect the determination of the timeframe between the provision of this information and the commencement of the further processing?
8. Recital 39 refers to the provision of certain information which is not explicitly covered by Articles 13 and 14 of the GDPR and specifically that “natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data...” What information (other than that set out in Articles 13 and 14) should be provided by data controllers to data subjects in connection with the “risks, rules, safeguards and rights”?
9. The exceptions to the information requirements under Articles 14.1, 14.2 and 14.4 are set out in Article 14.5. These include: where “the provision of such information proves impossible or would involve a disproportionate effort...” (Article 14.5(b)); and where obtaining or disclosure of the personal data is expressly laid down by EU or national law to which the data controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests (Article 14.5(c)).
a. How should the concept of “impossibility” be interpreted in accordance with Article 14.5(b)?
b. What should constitute a “disproportionate effort” in accordance with Article 14.5(b)?
c. Should the reference to the EU or national law referred to in Article 14.5(c) be interpreted as meaning that (i) the law requires the data controller to obtain or disclose the personal data on a mandatory basis or (ii) the law allows for - but does not make obligatory - the obtaining or disclosure of personal data?
d. What should constitute “appropriate measures to protect the data subject’s legitimate interests” in the EU or national law referred to in Article 14.5(c)?
10. How can information “fatigue” (which would undermine the positive benefits of transparency for the data subject) be avoided by data controllers while still ensuring compliance with all of the transparency requirements in the GDPR?
Consultation on Transfers of Personal Data to Third Countries or International Organisations under the GDPR
Relevant articles under the GDPR include: 44 - 50
Relevant recitals under the GDPR include: 101 - 116
Chapter V of the GDPR (Articles 44 – 50) sets out the rules applicable to the transfer of personal data to third countries or international organisations, including the transfer mechanisms which may be utilised for such transfers. The general principle for such transfers is established in Article 44, namely that such a transfer shall take place only if (subject to the other provisions of the GDPR) the conditions laid down in Chapter V are complied with by the data controller and processor, and that the provisions in Chapter V are applied in order to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined.
Chapter V of the GDPR permits transfers under the following legal bases:
A. Transfers which take place on the basis of an adequacy decision (Article 45.1), in other words, where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country or the international organisation in question ensures an adequate level of protection. In such a case, a transfer covered by the adequacy decision does not require any specific authorisation.
B. In the absence of an adequacy decision, Article 46.1 permits a transfer to be made to a third country or international organisation only if appropriate safeguards are provided by the data controller or processor, and on condition that enforceable data subject rights and effective legal remedies are available for data subjects.
The appropriate safeguards referred to in Article 46.1 may be provided for by way of the following mechanisms, without requiring any specific authorisation from a supervisory authority:
i. A legally binding and enforceable instrument between public authorities/bodies (Article 46.2(a));
ii. binding corporate rules (“BCRs”) (in accordance with Article 47);
iii. standard contractual clauses, either adopted by the European Commission, or adopted by a supervisory authority and approved by the European Commission (“SCCs”) (Article 46.2(c) and (d) respectively);
iv. an approved code of conduct together with binding and enforceable commitments from the data controller/ processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights (pursuant to Article 40); or
v. an approved certification mechanism together with binding and enforceable commitments from the data controller/ processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights (pursuant to Article 42).
The appropriate safeguards referred to in Article 46.1 may also be provided for by way of the following mechanisms, subject to authorisation from the competent supervisory authority in accordance with the consistency mechanism referred to in Article 63:
i. contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation (Article 46.3(a)); or
ii. provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights (Article 46.3(b)).
C. In the absence of an adequacy decision under Article 45 or appropriate safeguards under Article 46, a transfer, or set of transfers, of personal data to a third country or international organisation may take place only on condition of one of the derogations for specific situations set out in Article 49.1, including, amongst other conditions, the explicit informed consent of the data subject to the proposed transfer (Article 49.1(a)).
The DPC seeks submissions on the following issues:
1. Which legal bases/ mechanisms for conducting personal data transfers to third countries or international organisations under the GDPR are likely to be most commonly relied on by your organisation?
2. What are the challenges to conducting personal data transfers to third countries or international organisations under each of the available legal bases/ mechanisms set out in the GDPR?
3. What specific actions might the Article 29 Working Party and/ or national data protection authorities take to help organisations address or alleviate such challenges?
4. What aspects of international personal data transfers under the GDPR should be prioritised for the purposes of guidelines which may be produced by the Article 29 Working Party and/ or national data protection authorities?
5. If there are other aspects of international personal data transfers under the GDPR on which you have specific comments, proposals or questions (whether legal, practical, interpretative or otherwise), please provide us with this feedback.