by João Marques, member of the Portuguese Data Protection National Commission and member of CEDU
Although merely advisory in its nature, the Article 29 Working Party (WP 29) has been a major force in guaranteeing a minimum of consistency in the application of the Directive 95/46/CE, allowing member states’ public and private sectors to know what to expect from their supervisory authorities perspectives on various data protection subjects. Its independence has played a major role in the definition of its views and opinions, focusing on the fundamental rights at stake and delivering qualified feedback to the difficult issues it has faced.
The new European legal framework on data protection has produced a step forward on this regard by instituting a new formal EU Body – the European Data Protection Board – EDPB (Art. 68 of the General Data Protection Regulation – GDPR). This will represent a significant step forward in the European institutional landscape concerning data protection but it does not mean that the WP 29 is already dead and buried, quite the opposite.
As it is already known, the EDPB will have far reaching powers designed to guarantee consistency and effectiveness to the rules of the regulation across the EU. One of the said powers translates into the issuance of guidelines in several matters [Art. 70 (1)(d), (f), (g), (h), (i), (j), (k), (m) of the GDPR].
The problem is, of course, that this new EU Body will only exist from May 2018 onwards, leaving a gap of two years (from May 2016, when the regulation entered into force) to be filled by the current legal and institutional frameworks. As such the WP29 took it into its hands to materialize these particular tasks of the EDPB during this transitional phase, fully aware that the guidelines it may issue for the time being could still be rebutted by the EDPB members. Nevertheless this is a calculated risk as the members currently sitting in the WP 29 will almost certainly be the ones who’ll be sitting in the EDPB.
With this in mind the members of the WP 29 have been fully at work on the issuance of guidelines on matters as diverse as the ones pertaining Data Protection Officers, Data Portability, Lead Supervisory Authorities and, the latest to be approved, Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk”, just to mention the ones that have been adopted in their final versions.
Given the paradigm change led by the regulation, by which the data controllers are charged with much more responsibilities regarding the full lifespan of the data processing activities, the newly finalised guidelines on DPIA[i] take centre stage and help data controllers manage one of the most innovative aspects of the new rules.
Article 35 of the GDPR does not determine what a DPIA is but rather what a DPIA should enable data controllers to do, namely being aware of the risks that a given processing activity or combination of such activities may pose to “the rights and freedoms of natural persons” [Art. 35 (1) of the GDPR].
That is why the guidelines are particularly important in defining what a DPIA is, through the combined reading of Article 35(7) and recital 84 of the GDPR: “A DPIA is a process designed to describe the processing, assess its necessity and proportionality and help manage the risks to the rights and freedoms of natural persons resulting from the processing of personal data by assessing them and determining the measures to address them”.
From here on, the guidelines focus on clarifying pivotal notions such as the one of “risks to the rights and freedoms of natural persons”, stating that the rights and freedoms at risk entail not only privacy and data protection as such but others that may arise from the processing activities.
It also stresses the fact that one or several data processing activities combined may be subject to only one DPIA, as long as there is a common “nature, scope, context, purpose and risks” at stake (Point III.A of the guidelines).
Notwithstanding such liaisons, the guidelines also offer clear guidance on when a DPIA should or shouldn´t be mandatory (Point III. B). It does so by detailing nine different criteria that may help to assess whether a DPIA is in order: is the data processing used to evaluate or score the data subject; are there automated-decision making with legal or similar significant effect?; is systematic monitoring of data subjects taking place?; are there sensitive data or data of a highly personal nature being processed?; is data being processed on a large scale?; are there matching or combining datasets?; does the data being used concern vulnerable data subjects such as children or migrants?; is there an innovative use or application of new technological or organisational solutions?; does the data processing in itself prevents data subjects from exercising a right or using a service or a contract?
The WP 29 members also point to the fact that a case by case evaluation is essential and may even lead to the finding that even when one or several of the criteria mentioned above apply, a DPIA may not be required, but in such cases data controllers should document their findings enabling supervisory authorities to monitor the decision making process and decide whether a fining action is in order.
Another very important question addressed by the WP 29 guidelines is the one regarding existing processing operations. Must these operations be subject to DPIA’s regardless of the fact that they have already been evaluated by the competent supervisory authorities? Generally no, in fact the WP 29 considers this particular situation one of the reasons to waiver the DPIA obligation, albeit not in perpetuity. As with any processing activity, over time, the technological landscape, the constant evolution of processing activities tied to relevant concepts such as data protection by design and the mere need to continuously monitor data processing activities play a detrimental role in finding the answer to whether a DPIA is or becomes a requirement by data controllers.
These aspects, particularly the ones linked to the need to constantly monitor data processing activities, seen as some sort of organic lifeforms that evolve over the course of time, are further detailed in the penultimate point of the guidelines where it is explained how a DPIA should be carried out. In this Point III.D guidance is offered on the need to carry out the DPIA prior to the processing while defining the responsibility of the controller irrespective of the existence of outside processors and even external DPIA carriers.
Finally, Point III.E of the guidelines allow controllers to fully understand if and when should the supervisory authority be consulted, reaffirming the idea that only when the DPIA leads to the conclusion that the high risks posed by the processing to the rights and freedoms of natural persons are unsurpassable through the measures put forward by the said controllers shall those authorities be consulted.
All in all, this new set of guidelines is of clear added value to the data protection community, notably because it sheds light to a new obligation set out by the regulation and allows all parties involved (data subjects, data controllers, processors, DPO’s and supervisory authorities) to address the DPIA from a common point of view. Let’s hope that the practice follows the theoretical grounds on which we can all now feed upon.
[i] Available at http://ec.europa.eu/newsroom/document.cfm?doc_id=47711.
Picture credits: 3D data security, by Chris Potter.