On February 15, 2017, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted two sets of formal comments to the Article 29 Working Party (the “Working Party”). CIPL commented on the Guidelines for identifying a controller or processor’s lead supervisory authority (“Lead Authority Guidelines”), and on the Guidelines on the right to data portability (“Data Portability Guidelines”). Both were adopted by the Working Party on December 13, 2016, for public consultation.
CIPL’s comments on the Lead Authority Guidelines follow a November 2016 CIPL white paper with initial input to the Working Party, and the comments on the Data Portability Guidelines represent the first CIPL intervention on this new individual right that will be introduced by the EU General Data Protection Regulation (“GDPR”).
CIPL’s comments on the Lead Authority Guidelines underline that a fully functioning cooperation mechanism among data protection authorities (“DPAs”), based on the concept of a one-stop-shop (“OSS”) and a lead DPA, is an essential prerequisite for the consistent and effective implementation of the GDPR. Additionally:
- Any guidelines on the OSS should keep the principle of harmonization as a main guiding thread.
- CIPL commends the Working Party’s Lead Authority Guidelines as generally well-balanced and pragmatic. Guidance provided at this early stage makes it possible for companies to prepare for the new legal regime.
- CIPL also approves of the central role the Lead Authority Guidelines give organizations in the process of designating the lead DPA, because the controller/processor is in the best position to identify where its central administration is located, where decisions on the purposes and means of processing are taken, or where its main processing activities take place.
- The Lead Authority Guidelines should be regarded only as a first step towards a fully functioning OSS; CIPL suggests that the Working Party consider the Lead Authority Guidelines as a living document and regularly update them.
CIPL’s comments on the Lead Authority Guidelines also emphasize several key issues that it believes were insufficiently addressed by the Working Party, including:
- The functioning of the OSS should be based on the identification of the lead DPA by the organization itself (the controller or the processor), subject to review by the DPA based on all relevant facts.
- The different realities of controllership within groups of undertakings should be taken into account.
- Cooperation between the lead DPA and concerned DPAs should be fully transparent and organizations should be involved in the procedure of referring a matter to the European Data Protection Board.
- Processors should fully benefit from the OSS.
- The assessment of data transfers based on due diligence, as required in the Schrems judgment of the Court of Justice of the European Union, should be primarily a task of the lead DPA.
- The identification of a lead authority carried out in the context of BCRs should play a role in identifying the main establishment and lead DPA under the GDPR.
The right to data portability is laid down in Article 20 of the GDPR as a new right of individuals. CIPL’s comments on the Data Portability Guidelines commend the Working Party for developing practical guidance on how to implement it. CIPL’s comments must be seen in light of the double objective of the right to data portability: providing individuals with an additional tool for control over their personal data, and contributing to competition and innovation, which is beneficial to individuals, businesses and society at large. The right to data portability must be implemented in a way that effectively supports both objectives.
- The data portability right should effectively provide added value to individuals, in addition to the other rights of the individuals in the GDPR. Data portability should not replace or recalibrate these other rights.
- CIPL has doubts about the added value of the data portability right with respect to employees’ data or personal data in the context of B2B activities. The data portability right should not extend to the employment context as a whole, but should be applied only to a narrow subset of such data.
- An overly broad implementation of the data portability right may stifle competition and innovation and impose unnecessary burdens on organizations.
- In many instances, controllers will have to make a significant technical investment. This should not lead to disproportionate efforts, especially in areas where the right does not present added value to individuals.
- Processors may also be significantly impacted by the data portability right.
- Organizations need to have full legal certainty about the scope of application of the data portability right, as envisioned in the GDPR. Therefore, CIPL suggests clarifications to:
  - The definition of data that may be subject to a data portability request, focusing on data actively provided by the data subject and recognizing that data portability cannot necessarily work for pseudonymized data.
  - The responsibilities of the sending and receiving parties, limiting the responsibilities of receiving parties.
  - The status of shared and third-party data.
  - The requirement and feasibility of technical formats.
Finally, CIPL proposes to facilitate a roundtable with key stakeholders, which could be instrumental in reaching the right outcomes.
CIPL’s comments were developed based on input by the private sector participants in CIPL’s ongoing GDPR Implementation Project, which includes more than 85 individual private sector organizations.