Data Protection and Privacy Update – December 2017

This year brought the following interesting data protection developments:

  1. European developments
  2. Updates home markets: 
  3. The Netherlands, Belgium, Luxembourg and Switzerland
  4. GDPR Toolkit

1. European developments 

Following its recent November plenary meeting, the WP29 adopted more than ten key documents, including the Privacy Shield report. Below, we have summarized the Privacy Shield report and have outlined the various relevant guidance documentation that the WP29 has released in 2017 that aim to clarify the (new) provisions introduced in the GDPR. Where relevant, we have included a link to summaries provided by us previously.  

1.1 Privacy Shield update

On 18 and 19 September 2017, representatives of the WP29 participated in the first joint review conducted by the European Commission (EC) to assess the robustness of the EU – U.S. Privacy Shield adequacy decision (Privacy Shield). Although the WP29 recognizes the progress of the Privacy Shield in comparison with the invalidated Safe Harbor decision, the WP29 has a number significant concerns (in particular more about the cooperation between the privacy enforcers i.e. the U.S. Department of Commerce, the Federal Trade Commision, and the EU Data Protection Authorities, and the appointment of an independent Privacy Shield Ombudsperson). The WP29 expects their recommendations to be addressed during the second joint review, but in any case prior to 25 May 2018. In case no remedy is brought within this time frame, the WP29 has announced its intention to take appropriate action, including bringing the Privacy Shield to national courts in order to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.

The full text of the ‘EU – U.S. Privacy Shield – First annual Joint Review’ can be read here.

1.2. Overview (relevant) WP29 guidance documents

Working document on Adequacy Referential
This working document revisits the WP29’s previous publication on transfers of personal data to third countries and updates it in the context of the GDPR and recent relevant case law (i.e. the CJEU Schrems judgment in 2015), specifically relating to adequacy decisions. 

Click here to read more.

Working document on Binding Corporate Rules  and Working document on Processor Binding Corporate Rules
Both the working document regarding Binding Corporate Rules for Controllers (BCR-C) as well as the working document regarding Binding Corporate Rules for Processors (BCR-P) update the previous P29 guidelines on these topics. 

Click here to read more.

Guidelines on consent
The WP29 guidelines on consent expand and complete the earlier opinions. 

Click here to read more.

Guidelines on transparency 
In these guidelines, the WP29 describes transparency as an overarching obligation applying to three central areas; 1) the provisions of information to data subjects related to fair processing, 2) how data controllers communicate with data subjects regarding their rights under the GDPR, and 3) how data controllers facilitate the exercise by data subjects of their rights.

Click here to read more.

Guidelines on Automated individual decision-making and Profiling
The WP29 provided guidelines on Automated individual decision-making and Profiling and provide for (among others) explanation of the definitions of profiling and automated decision-making.

Click here to read more.

Guidelines on Personal data breach notification
These guidelines explain the mandatory breach notification and communication requirements under the GDPR, and provides examples of steps that controllers and processors can take to meet these obligations. 

Click here to read more.

Guidelines on Data Protection Impact Assessment (DPIA) 
In these guidelines, the WP29 confirms that carrying out a DPIA is not mandatory for every processing operation, but only when it is likely to involve a high risk for the rights and freedoms of the natural persons whose data is being processed. These guidelines clarifies this notion.

Click here to read more.

Guidelines on a controller or processor’s lead supervisory authority
Guidelines on the right to data portability
Guidelines on the Data Protections Officers (DPOs)

Click here to read our previous newsletter on these guidelines.

Opinion on data processing at work 

Click here to read our previous newsletter on these guidelines. 

2. Home Markets 

This year was a year full interesting data protection and privacy news and developments. Please find a brief summary of the relevant developments in all our four ‘home markets’ the Netherlands; Belgium; Luxembourg and Switzerland. 

2.1 The Netherlands

GDPR Implementation Bill 
In the Netherlands, the Council of State (Raad van State) presented the GDPR Implementation Bill (Uitvoeringswet Algemene verordening gegevensbescherming, Bill) to the Parliament on 13 December 2017. The GDPR has been implemented in a policy-neutral manner, meaning that the existing Dutch Data Protection Act (Wet bescherming persoonsgegevens, DDPA) has been upheld, insofar as this is in coherence with the GDPR. For instance, the Bill reiterates the age of 16 for the applicability of Article 8,  as is currently the case under the DDPA. Furthermore, all exceptions that allow specific types of special categories of data to be processed by a specific category of controllers (e.g. employers, insurers and hospitals), or for specific purposes (e.g. identification purposes or sick leave management) have been maintained in the Bill (under chapter 3). Additions to these exceptions are the exception for the processing of genetic data for prevailing substantial medical interests or for academic research with consent of the data subject and the exception for the processing of biometric data for authentication and security purposes. The Bill needs to be decided upon by the Second Chamber (Tweede Kamer), followed by the Upper Chamber (Eerste Kamer). We will of course keep you informed on the status of this Bill.

The full text, as well as the explanatory memorandum, can be read here (in Dutch only).

The data processing and reporting cybersecurity law 
On 1 October 2017, the data processing and reporting cybersecurity law (Wet gegevensverwerking en meldplicht cybersecurity, Wgmc) entered into force. The reporting obligation under this law will take force as per 1 January 2018. The notification obligation applies only to what are known as ‘vital operators’: public bodies and private legal entities providing products or services whose availability and reliability are of vital importance to Dutch society (such as electricity, gas, nuclear, water, telecom, transportation (main ports of Rotterdam and Schiphol), finance and government (including primary defenses)). Security incidents should be reported to the National Cyber Security Centre (NCSC) of the Ministry of Security and Justice.

Eighty percent of companies and government agencies not prepared for the GDPR
Following the National Privacy Benchmark, a recent survey conducted by a consultancy company in collaboration with an independent information society platform (Platform voor de informatieSamenleving, ECP), it appeared that 80% of companies and government agencies in the Netherlands are not prepared for the entry into force of the GDPR. 60% is not even sure where personal data of their customers or citizens have been stored. The People's Party for Freedom and Democracy (Volkspartij voor vrijheid en Democratie, VVD) and the Democrats 66 (D66) are of the opinion that the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) should initially focus on smaller organizations as it is too big of a hassle for bigger companies to adequately and timely implement the GDPR into their organizations. Judging from the recent investigations by the AP into companies like Uber and Airbnb, we believe that it is fair to say that the AP will not distinguish between small or large companies when carrying out its task as the supervisory authority in the Netherlands.


2.2 Belgium

GDPR readiness
For Belgium, the biggest news so far for 2017 is the reform of the data protection authority in order to meet the GDPR requirements. The Belgian legislator has adopted a law transforming the current Belgian Privacy Commission into the Data Protection Authority (Gegevensbeschermingsautoriteit/ Autorité de protection des données). The proposal was submitted to Parliament on 23 August 2017 and the law was approved on 16 November 2017.

The successor to the Privacy Commission will change the face of personal data protection in Belgium through a thoroughly revised structure. The Authority should become a full-fledged regulator when it takes office on 25 May 2018. In the meanwhile, the current Belgian Privacy Commission has also been quite active and has issued various publications (NL/FR) and guidance notes:

  • on the recordkeeping obligation, including a template ‘data processing register’ in excel format (NL/FR),
  • on the DPO, focusing in particular on conflict of interest issues and the overlap with other functions within an undertaking (NL/FR),
  • on the DPIA requirement (NL/FR), and
  • on Big Data (NL/FR).

However, the Belgian GDPR implementation is not complete yet. A framework (implementation) law is still in the works and is hopefully presented in Parliament soon.

Facebook litigation (cont.)
The new Data Protection Authority may inherit a high-profile litigation with Facebook, a case on which we already reported last year. Hearings took place on 12 October 2017 (NL/FR) and judgement is now awaited. This case may still be influenced by an opinion of EU Advocate-General Bot of 24 October 2017 (in Case C-201/16 Schlesswig Holstein), where he acknowledged the right for national authorities to act against Facebook outside of Ireland and under their national law instead of Irish law. This may seem a battle of the past under the GDPR, but this issue will still be relevant for Member State as a result of the national implementations acts of the GDPR.

Preventive policing and its flaws
A number of persons was denied access to the 2017 edition of the world-famous Tomorrowland festival, based on the results of a preventive screening by the police. The Privacy Commission intervened (NL/FR) in the procedures for summary judgement initiated by three data subjects, who all saw the decision to deny their access to the festival grounds overruled. Further investigation by Committee P (the regulator for the Belgian police) uncovered a multitude of flaws in the screening procedure used, leading to erroneous assessments and thus unjustified refusals of access (twenty-eight out of thirty-three). This raised serious questions on both the screening process and the personal data used. Clearly, it also called into question the practice of preventive policing, also criticized by the Privacy Commission in its recent report on Big Data (NL/FR). Promises were made that this would not happen again. Next year’s wrap-up will tell if the parties involved made good on their promise.

2.3 Luxembourg

The Luxembourg data protection regulatory framework is currently being amended by Draft Bill n°7184. This draft bill forms the basis for the creation of the Commission nationale pour la protection des données (the Luxembourg data protection supervisory authority, CNPD), for the implementation of the GDPR, and for the abolishment of the Law of 2 August 2002 on the protection of persons with regard to the processing of personal data. The draft bill was lodged on 12 September 2017 and a final text is expected to be published by the end of 2017 or by the beginning of 2018.

The CNPD has published several guidelines throughout 2017 to inform companies, public authorities and associations about their data protection obligations and to guide them in their efforts to be compliant with the GDPR. These include:

  • animated videos on the GDPR (January 2017);
  • information sessions (18th-19th October 2017); and
  • new Brochure data protection obligations (published in November 2017).

2.4 Switzerland  

We expect 2018 to be an eventful year for data protection in Switzerland. Not only will Swiss entities doing business in the EU need to apply the General Data Protection Regulation (GDPR) in 2018, but it is also likely that the new Swiss Data Protection Act (DPA) will enter into force in 2018. A draft of the law, which is currently in the legislative process, is available here. We will follow the developments closely and keep you up to date on the impact it may have for your business. Follow our articles related to Switzerland on our website or sign up for our newsletter here.

3. GDPR Toolkit

As is also evident from numerous reports and news articles, our extensive experience with GDPR implementation projects also confirms that many organizations are finding it a challenge to comprehend what must be done in practice in order to adequately prepare for the GDPR. We understand that this is a challenge, and we have therefore created the GDPR Toolkit. The primary aim of this GDPR Toolkit is to assist you in that journey by providing you with the tools that your organization will need in order to structure and execute your GDPR compliance plan. We have translated the applicable laws into practical and accessible tools. With these tools, you can set up your own compliance program and work towards achieving a sufficient and sustainable level of GDPR compliance at your own speed. In addition to these tools, the GDPR Toolkit also includes an advisory part which allows you to obtain our tailored advice regarding GDPR compliance. The toolkit is furthermore supported by a secured interactive e-Platform.

If you would like to receive more information regarding our GDPR Toolkit, a demo for instance, then please get in touch with your contact at Loyens & Loeff, or any member of our Data Protection & Privacy Team.