To assist organisations in their ongoing GDPR compliance journey, we held the second in our series of webinars on tracking the GDPR and how to keep up with national law developments.
State of Play – National Implementation
To date, 18 EU member states and 3 EEA (European Economic Area) countries have finalised their legislation accompanying the GDPR. Nine EU member states have not finalized their national legislation:
- Czech Republic
The European Commission is urging the remaining member states to speed up their processes, and recently, material laws from Belgium and Italy have been published.
The arrival of GDPR has created a lot of interest from a business perspective; new consultancies have cropped up across the EU, giving advice on how to deal with the new law or offering DPO-as-a-Service. But not every new GDPR company has the requisite expertise, as has become clear in France and the Netherlands. In France, the DPA warns against malpractice from companies claiming to help organizations address compliance on their behalf. At the same time, the Dutch DPA issued a warning against a company making calls on their behalf in order to levy fines that were never imposed in the first place. It is important to note that DPAs will always address organisations themselves, in case of an investigation.
National Law Updates
As mentioned above, Belgium and Italy have now published their material laws. In Denmark, the DPA has issued new guidelines on the use of encryption when transmitting personal data. Going forward, encryption will now be seen as an appropriate security measure for the transmission of confidential and sensitive personal data via e-mail. This is applicable to both the public and private sectors as of 1 January 2019.
In its last session before the summer break, the European Parliament adopted a non-binding resolution regarding the Privacy Shield, expressing its dissatisfaction with the US for not living up to its commitments. The EU-US and Swiss-US Privacy Shields were designed to provide companies in those countries with a mechanism to protect personal data when transferring it from the EU and Switzerland to the US. The fact that the Privacy and Civil Liberties Oversight Board (PCLOB) and the Ombudsperson function have not been filled with Senate-confirmed persons has been a cause for concern in the European Parliament. Also, the extension of US access to data of non-US persons, including the US Cloud Act, was heavily criticized. The Parliament asked the EU Commission to suspend the Privacy Shield effective September 1st. But that date has passed, and the Shield is still in place without any confirmed positions on the US side.
On the upside, the White House has nominated the new members of the PCLOB, but they have not yet been confirmed. In the meantime, the second review of the Privacy Shield has started, inviting written contributions from relevant stakeholders. A Joint Review will take place later this fall in both Brussels and Washington D.C. The resulting report, which may include recommendations on the way forward and a possible suspension of the Shield, is not expected until the end of the year, however.
On the other side of the world, there is a mutual recognition between the EU and Japan of each other’s privacy and data protection legal frameworks. This means the Japanese legislation will be considered essentially equivalent to the GDPR. Japan will implement additional safeguards for data originating in the EU, including the protection of sensitive data, onward transfers, and individual rights assurances on data used for law enforcement and national security purposes. The mutual recognition will facilitate trade between the two regions, especially in combination with the recently concluded economic partnership between the EU and Japan. Before the adequacy decision can apply however, an opinion will be sought from the EU Data Protection Board, together with the approval of the EU member states.
Complaints & Enforcement
As expected, the number of complaints have increased under the GDPR. Data Protection Authorities are busier than ever, drafting and issuing country-specific and EU-wide guidance, but also following up on questions and complaints received in the member states. Almost all DPAs are dealing with thousands of complaints, and all must be investigated. From most of these, we will likely never hear the results, but some larger investigations will certainly lead to public reports, some of which may already be released this fall. It is interesting to note that, so far, more than 250 complaints have been labelled as ‘EU-wide’. This means the cases will be discussed, and possibly decided, by the European Data Protection Board.
The European Data Protection Board (EDPB)
The EDPD held their second meeting in July. Privacy Shield figured prominently on the agenda, with a meeting held between the Board and the acting US Ombudsperson. The Board voiced concerns regarding the appointment of a permanent Ombudsperson and asked for clarity on the mechanism used to address complaints. It also asked to declassify procedural rules, particularly in relation to the review of information from the US Intelligence and Security Services. The concerns of the Board have not been satisfied, and will therefore be further addressed during the Joint Review.
Another matter on the EDPB’s agenda was the ICANN WHOIS register, which has been on both the Board’s and the WP29’s radar for many years. The WHOIS register allows anyone to learn who owns a domain name/website, and includes names, addresses, and email addresses, among other data. The EU DPAs recognise this information is recorded to be able to address malpractices, but that not all of this information should necessarily be in the public domain. ICANN has, therefore, been told to define clear and specific purposes for data, and not to mix those with third party interests (i.e., having information available in case of police investigations). In addition, the amount of data in the register needs to be minimised, and access logs need to be standardised to address potential data misuse.
Just recently (late September 2018), the European Data Protection Board adopted the national DPIA black and white lists that were submitted by the data protection authorities. According to Estonian Commissioner Viljar Peep, the Board declined to approve numeric guidance as to what should be considered large-scale processing. What this means in practice, also from an enforcement perspective, remains to be seen.
Nymity Research™ with Nymity GDPR Implementation Tracker™ were the privacy software tools used to derive this content. To learn more about national law developments to-date, view the pre-recorded webinar.
If you want to know more about how Nymity can support your privacy and data protection program, please do not hesitate to reach out to us. We look forward to hearing from you at firstname.lastname@example.org.