The French Data Protection Authority, CNIL, made public last week the report of the public consultation it held between 16 and 19 July 2016 among professionals about the General Data Protection Regulation (GDPR). The public consultation gathered 540 replies from 225 contributors.
The consultation focused on four main issues:
- the data protection officer;
- the right to data portability;
- the data protection impact assessments;
- the certification mechanism.
These are also the four themes in the action plan of the Article 29 Working Party for 2016.
This post summarises the results and action plan for the last two themes. If you want to read about the results on the data protection officer and the right to data portability, check out Part I of this post. [Disclaimer: all quotations are translated from French].
3) On data protection impact assessments (DPIAs)
Article 35 GDPR obliges data controllers to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data prior to the processing, if it is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing, and in particular where that processing uses new technologies. According to Article 35(3), the supervisory authorities must make public a list of the kind of processing operations which are subject to this requirement.
Article 35(3) provides that there are three cases where DPIAs must be conducted:
a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing (including profiling);
b) large-scale processing of sensitive data (e.g. health data, data disclosing race, political opinions, etc.);
c) a systematic monitoring of a publicly accessible area on a large scale.
According to the report, the DPIA emerges as a dynamic compliance tool, which contributes to maintaining data security, reducing the risks of processing, determining suitable safeguards, preventing legal deficiencies and better implementing Privacy by Design and Privacy by Default (p. 17). Participants deemed it a “new and useful tool”.
There were three main categories of questions raised by the participants in the public consultation:
- When do controllers have to conduct a DPIA?
- How to conduct a DPIA?
- Who does what in the work on a DPIA?
The respondents requested the supervisory authority to be active in helping them prepare for DPIAs – “to clarify everything that is unclear, to involve companies [in discussions], to provide criteria and examples” and to help harmonise the criteria at European level (p. 14).
Several particular cases were brought up by the respondents, such as processing of HR data, processing of data by websites, processing of data by public administration or by hospitals. These scenarios raised questions such as: does the term “large scale” only refer to Big Data? Does it refer to the volume of data that will be processed or to the number of people whose data will be processed? Are “new technologies” all the technologies that are used for the first time by a controller? Is behavioural advertising “profiling” in the sense of the GDPR? (p. 14).
The participants also wanted to know whether a DPIA should be conducted as well for processing operations that are already in place and that fall within one of the “compulsory” cases requiring a DPIA.
As for the methodological approach, the respondents asked for a simple method. They also referred to other existing tools that could be used, such as ISO 29134 and EBIOS. In any case, they suggested that the method should be tested with controllers and should be harmonised at European level. There were also questions as to whether professional associations could create their own DPIA methodologies based on sectors of activity (p. 15).
The conclusion of the CNIL was that the contributions to the public consultation showed a great need for clarification, but also revealed “interesting ideas” for the implementation of the DPIA requirements, which will be taken into account. The most difficult points revealed are the criteria to be taken into account when deciding if a DPIA must be conducted, the harmonisation of methodologies at European level and the prior consultation of supervisory authorities (p. 17).
The immediate action plan refers to guidance from the Article 29 Working Party on DPIAs and on what constitutes “high risks”, which will provide interpretations of vague requirements. The CNIL also aims to take some steps of its own, such as updating its current guidance for Privacy Impact Assessments.
4) On the certification mechanism
Article 42 of the GDPR provides that the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating that processing operations by controllers and processors comply with the Regulation, shall be “encouraged” by Member States, DPAs, the European Data Protection Board and the European Commission. Article 42(3) clarifies that certification is voluntary and must be available via a transparent process.
Surprisingly, the “certification” part of the public consultation was the one that yielded more plain suggestions than questions, compared with the other three, as is apparent from the report. On the other hand, the contributions seem to be smaller in volume, given that this is indeed a novel topic for the data protection world.
One of the questions dealt with in the consultation was “who should issue certifications/labels?” The respondents preferred the option of a certification issued at European level and, only in the absence of such a possibility, a certification issued at national level that should be mutually recognised. They also underlined that the coexistence of certifications issued by DPAs and certifications issued by certification bodies will be difficult. Participants in the consultation suggested that the drafting of standards should be carried out by regulators in consultation with companies and the future evaluators, with a view to homogenising the practices of the different certification bodies (p. 11).
To the question of what should be certified or labelled as a priority, the respondents provided a list of suggestions (p. 11):
- online products and services processing health data;
- the solutions to monitor/surveil databases;
- the services provided by the state;
- anonymisation techniques;
- search engines;
- social media platforms.
As to the specific needs of small and medium-sized enterprises, the replies referred to support in filing certification requests, the need for reduced costs and the need for a simple methodology (p. 12).
Another topic discussed was how to withdraw a label or a certification in case of misconduct – proposals ranged from creating an “alarm system” to signal non-compliance with the certification, to having an effective withdrawal after an adversarial procedure with a formal notice to the certification body, which could propose a corrective plan during the procedure (p. 12).
Finally, the point that certification under Article 42 GDPR should essentially focus on data protection and not data security was also raised (p. 13).
The report does not contain an action plan for certification.