On January 31, 2014, the Greek Presidency of the Council of the European Union issued four notes regarding the proposed EU Data Protection Regulation. These notes, discussed below, address the following topics: (1) one-stop-shop mechanism; (2) data portability; (3) data protection impact assessments and prior checks; and (4) rules applicable to data processors.
One-Stop-Shop Mechanism
The implementation of the one-stop-shop mechanism has led to a number of discussions regarding the European Data Protection Board’s powers versus those conferred to the data protection authority (“DPA”) where the entity maintains its headquarters. In a note addressing these concerns, the Presidency focuses on specific elements of the mechanism and suggests possible ways forward regarding the scope of application, the role and powers of the lead DPA, the cooperation between lead DPA and other concerned DPAs, the notification and enforcement of adopted measures, remedies for individuals, and the role of the European Data Protection Board.
For example, the Presidency suggests that the DPAs’ powers could be regrouped into three main categories (investigative powers, corrective powers and authorization powers) and offers two options with respect to the lead DPA’s role: either the lead DPA could make decisions for all three power categories, or the lead DPA’s decisions could be limited to corrective and authorization powers. Further, the Presidency suggests that any action to be taken within the territory of a Member State can only be carried out by the “local DPA” (including in the context of mutual assistance following a request from the “lead DPA” in certain cases, such as an audit). The Presidency also proposes to maintain the individual’s right under Directive 95/46/EC to complain to the DPA of his or her choice, and suggests clarifying that if the DPA rejects an unfounded complaint, the individual may bring proceedings in the courts of the same EU Member State.
Data Portability
Although the Presidency acknowledges that there is general support for a right to data portability, some delegations raised concerns regarding the risks for companies’ competitive positions, administrative burdens, and the scope of the “automated processing system” concept. Accordingly, the Presidency’s note suggests limiting portability rights to cases where personal data have been provided by the individual and the processing is based on consent or a contract and to Internet-related cases. The Council further recommends that controllers not be required to guarantee that they will directly transmit data to another entity that may be a competitor, and that controllers should have more flexibility with regard to the format they use to provide data portability (with a goal of reducing burden and costs for controllers). Finally, additional proposed provisions would ensure that data portability rights will not impinge on intellectual property rights, and the Council suggests clarifications regarding the controller’s right to retain data to the extent necessary to carry out contract obligations.
Data Protection Impact Assessment and Prior Checking
In a third note, the Presidency addresses issues relating to data protection impact assessments, which are intended to replace the current obligation to notify data protection authorities. Although there is a strong support for data protection impact assessments, discussions have revealed that Member States are concerned about burdens such as the cost associated with the mandatory assessment and other requirements. The Council now suggests only requiring the controller (not also the processor) to carry out the data protection impact assessment, and has prepared a list of processing activities that present specific risks (e.g., decisions based on profiling, making decisions using sensitive data, large-scale public monitoring and biometric and genetic systems). Further, the Presidency recommends clarifying the concept of processing concerning “a systematic and extensive evaluation of personal aspects relating to a natural person” and the reference to “filing systems.”
The same note contains proposals to respond to the uncertainties surrounding the “prior checking” requirement. Some Member States are concerned that data protection authorities will not have the capacity to handle these consultations, and question the practical effect of the consultation and the reasons for requesting that processors consult with the data protection authority. Accordingly, the Presidency offers several clarifications, including that only data controllers should be required to consult with the data protection authority, and that only residual risks cases should be subject to prior consultation.
Rules Applicable to Processors
In its note on rules for processors, the Presidency considers a number of improvements intended to clarify the framework governing the relationship between controllers and processors. The Presidency offers the following recommendations:
- controllers may only use processors that provide sufficient guarantees;
- the processor’s activities must be governed by a contract including a list of mandatory provisions; and
- the contract with the processor must detail the subject-matter and duration of the contract, the nature and purpose of the processing, the type of personal data and categories of data subjects.
The Presidency also specifies the comprehensive duties that the processor owes to the controller while processing personal data, and suggests including provisions to facilitate basing the contract on standard contractual clauses adopted by either the European Commission or a data protection authority.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- U.S. State Privacy
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- Disclosure
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition
- Facial Recognition Technology
- FACTA
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Legislature
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Online Behavioral Advertising
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Paul Tiao
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- WeProtect Global Alliance
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code