_Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications
On 10 January 2017, the European Commission adopted a proposal for a Regulation(1) to modernise rules on privacy protection in electronic communications. It will repeal Directive 2002/58/EC on privacy and electronic communication(2).
With the adoption of this proposal, the European Commission intends to accomplish the following:
- render confidential all electronic communications.
- guarantee confidentiality of users’ online behaviour and devices: In principle, it would be impossible to either access information stored on the computer of a user or to store data to track their online behaviour unless the user explicitly agreed or one of the exceptions defined in the proposal applied. For example, the storage of internet cookies without the consent of the user would be prohibited unless they would not impact privacy (e.g. web-audience measuring cookies).
- impose consent to process electronic communication data: Consent will apply to all electronic communications data, meaning content of the communication as well as the metadata of the communication. Metadata are data used to trace and identify both the source and destination of a communication (date, time, duration and the type of communication).
- impose prior consent for direct marketing communications: The only exception would be when data are collected in the context of sales of products and/or services. In this case, the customer should always be given the opportunity to object to the processing of data.
Because it complements the General Data Protection Regulation (GDPR), this proposal of Regulation and the GDPR should be applicable at the same time: 25 May 2018.
1. Proposal for a Regulation of The European Parliament and of The Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) – 10 January 2017 - COM(2017) 10 final
2. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201 , 31/07/2002, p. 37-47
_Guidelines on Data Protection Officers (DPOs) Adopted by the Article 29 Working Party
The Article 29 Working Party, gathering all the National Data Protection Authorities in the European Union, has adopted on 13 December 2016 the Guidelines on Data Protection Officers (DPOs).
Pursuant to Article 37 of the GDPR dated 27 April 2016, both the data controller and the data processor shall designate DPOs in the following cases:
- the processing is carried out by either a public authority or body; or
- the core activities of either the data controller or the data processor require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of either the data controller or the data processor consist of large-scale processing of special categories of data (medical or criminal convictions and offences).
Consequently, the Guidelines detail the conditions for the mandatory designation of a DPO and provide some explanation regarding terms used in the legal provisions:
- ‘Core activities’ can be considered as the key operations necessary to achieve the controller’s or processor’s goals’1.
- ‘Large scale processing’ criteria:
- ‘the number of data subjects concerned - either as a specific number or as a proportion of the relevant population;
- the volume of data and/or the range of different data items being processed;
- the duration, or permanence, of the data processing activity;
- the geographical extent of the processing activity’2.
- ‘Regular and systematic monitoring’3 : ‘Monitoring’ is defined by Recital 24 of the regulation as ‘potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes’.
‘Regular’ means one or more of the following:
- ‘Ongoing or occurring at particular intervals for a particular period
- Recurring or repeated at fixed times
- Constantly or periodically taking place’
‘Systematic’ means one or more of the following:
- ‘Occurring according to a system
- Pre-arranged, organised or methodical
- Taking place as part of a general plan for data collection
- Carried out as part of a strategy’
1. Extracts of Article 29 WP Guidelines, p. 6.
2. Extracts of Article 29 WP Guidelines, p. 7.
3. Extracts of Article 29 WP Guidelines, p. 8.
_Dedicated FAQs Related to the EU-US Privacy Shield Adopted by the Article 29 Working Party
The Article 29 Working Party, gathering all the National Data Protection Authorities in the European Union, has adopted on 13 December 2016 ‘Frequently Asked Questions’ related to the EU-U.S. Privacy Shield.
The EU-U.S. Privacy Shield intends to replace the previous system of the ‘Safe Harbor’ Agreement (invalidated by the decision ‘Schrems’ dated 6 October 2015 and rendered by the European Court of Justice) by the implementation of a ‘self-certification mechanism for U.S.-based companies that has been recognised by the European Commission as providing an adequate level of protection for personal data transferred from an EU country to U.S- based self-certified companies’ (Q.1 of the FAQs).
The FAQs issued by the Article 29 Working Party, among others, accomplish the following:
- specify which U.S. companies are eligible for the EU-U.S. Privacy Shield;
- explain both the investigatory and enforcement powers of the Federal Trade Commission (FTC) and the Department of Transportation (DOT);
- provide the link to the Privacy Shield list, which is published on the U.S. Department of Commerce’s website (https://www.privacyshield.gov/welcome), and contains lists of the following: U.S.-based companies that have successfully completed the self-certification process, the types of personal data for which a U.S- based company has been certified, the companies that are no longer members of the list etc.;
- explain the legal rules for transfers of personal data to a U.S.-based company by an EU company acting as controller (legal basis of the transfer, fulfilment of general requirements and principles, information on the data subject etc.) as well as acting as processor (obligation to conclude a data processing contract in any case).
_For any additional information on the above topics, please contact Emmanuelle Ragot, IP/TMT Partner