Data Protection & Privacy Update - March 2018
This month brought the following interesting data protection developments:
Update home market: The Netherlands, Belgium, Luxembourg, Switzerland
GDPR and Brexit: Status update
Please find below a brief summary of the relevant developments in three of our home markets, namely the Netherlands, Belgium and Luxembourg, followed by updates on Switzerland and Brexit.
Referendum regarding trawling law allowing spy agencies to carry out mass tapping of Internet traffic
In the Netherlands, a consultative referendum took place on Wednesday March 21 2018 with regard to the Intelligence and Security Services Act (Wet op de inlichtingen- en veiligheidsdiensten, Wiv). This act is better known as the ‘Sleepwet’, which translates into English as the ‘trawling law’, i.e. a law allowing non-selective sweeping of communications. On March 29 2018, the final outcome of the referendum, announced by the National Electoral Council (Kiesraad centraal stembureau), confirmed that a majority voted against the act: 49,44% voted against, 46,53% voted in favor and 4,03% of the votes were blank.
The Sleepwet aims to extend the powers of the Dutch general safety and intelligence agency (Algemene Inlichtingen- en Veiligheidsdienst, AIVD) and of the military intelligence and safety agency (Militaire Inlichtingen- en Veiligheidsdienst, MIVD) allowing them to, inter alia, install wire taps targeting an entire geographic region or avenue of communication, as well as to store this information for up to three years, and to share it with allied spy agencies.
Whilst the law has already been approved by both houses of parliament, and despite the fact that the outcome of a consultative referendum is not binding, the Minister for Internal Affairs (Minister Ollongren) has announced that the Sleepwet will be reconsidered and has welcomed a debate with the Second Chamber in order to reevaluate it.
Several campaigns have made their voices heard with regard to potential privacy violations and have urged significant improvements to the law.
We will closely monitor this subject and will update you accordingly.
Dutch GDPR implementation bill approved by the Second Chamber
On March 13, 2018, the Second Chamber adopted the GDPR Implementation Bill (Uitvoeringswet Algemene verordening gegevensbescherming, UAVG), as presented to Parliament on 13 December 2017.
In total, 7 amendments and 7 motions were discussed, including in relation to the age of consent for minors, which according to some members of the Second Chamber should be lowered to 13 (from 16 as it stands right now). Another question raised concerned the derogation with regard to the exception from data breach notification for financial institutions.
Two amendments were adopted: one urges the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) to give leeway to smaller organizations, and the second concerns the composition of the AP, which is required to consist of three members: one chairman and two ordinary members. In addition, the Second Chamber adopted a motion urging the AP to initially focus on providing guidance with regard to the implementation of the UAVG, rather than immediately and stringently taking enforcement action.
The importance of discussing the various concerns is acknowledged; however, the current priority of the parliament is to adopt the UAVG before the GDPR becomes applicable on May 25, 2018. This is also why the UAVG takes a policy-neutral approach, meaning that where derogations allow current legislation to be retained, this has been done.
The UAVG still needs to be adopted by the First Chamber, which can no longer put forward amendments. On April 3 2018, the preliminary study to be conducted by the parliamentary committee for justice and security (Eerste Kamercommissie voor Justitie en Veiligheid) will commence. If the First Chamber adopts the UAVG, the legislative text will need to be signed and published in the gazette (Staatsblad), after which the UAVG can enter into force on a date designated by royal decree.
This will of course be a very important development in the Netherlands and we will keep our readers fully updated on this matter.
The full report of the votes that took place in the Second Chamber, as presented to the standing committee of justice and security, can be read here (in Dutch only).
There have been several relevant developments in Belgium in the month of March: a new law on surveillance cameras has been adopted; the Privacy Commission published a recommendation on Data Protection Impact Assessments; it also published a GDPR brochure for SMEs (NL/FR); and on 16 March, the Council of Ministers adopted a preliminary proposal of law on personal data protection (implementing, amongst others, the GDPR). We will update you on the latter issue when more information is made available to the public.
New law on surveillance cameras
On 8 March 2018, the Parliament adopted the new law on surveillance cameras, replacing the law of 2007. The primary goal is to create a more adequate legal framework for the use of surveillance cameras. Whilst the law has not been published in the official journal yet, it is scheduled to enter into force on 25 May 2018.
The use of surveillance cameras by police or intelligence services will fall under the respective laws regulating them. Use of surveillance cameras governed by specific legislation (such as surveillance at the workplace) remains excluded from the new law.
The camera law of 2018 will thus regulate the use of surveillance cameras by other public authorities (such as municipalities and cities) and by private individuals or entities. If surveillance cameras serve different needs (other than surveillance), the camera law prevails in case of a conflict of laws.
Furthermore, use of surveillance cameras is subject to a Data Protection Impact Assessment (DPIA). If you make changes to your existing surveillance activities or are starting a new one, you will be required to perform a data protection impact assessment. Each controller will have to inform data subjects of the use of surveillance cameras using the well-known sign/pictogram. In accordance with the GDPR, the controller needs to maintain a register of camera use. This register has to be made available to the Data Protection Authority upon request. In addition to this, the use of surveillance cameras has to be notified to the local police authority (the previous law required notification to the Privacy Commission). Again in line with the GDPR, surveillance cameras used for purely household or domestic purposes are exempt from the law.
A new element is that in the vicinity of a surveillance camera, a screen can show the real-time video feed of that camera. This practice was contested until now, but has now been legitimized.
In preparation for the GDPR becoming applicable on 25 May, the Privacy Commission has published a recommendation on DPIAs.
The DPIA is a novelty of the GDPR (even though risk assessments are commonplace in today’s business processes), but the text of the GDPR arguably left much to be desired. Similarly, the Opinions of the Article 29 Working Party (WP29) did not fully eliminate uncertainty on this issue.
A primary issue is the question of when a DPIA is triggered. The GDPR states that a DPIA is required when a personal data processing operation under consideration (or a modification to it) is likely to result in a high risk to the rights and freedoms of data subjects. But what constitutes a high risk? The Privacy Commission has tried to answer that question by defining 9 criteria that could indicate such a risk:
- Evaluation or scoring
- Automated decision making with legal consequences
- Structured monitoring
- Processing of sensitive data or data of a highly personal nature
- Large-scale processing
- Matching or combining of datasets
- Data on vulnerable persons
- Innovative use or application of new technologies or organizational applications
- Data subjects would be prevented from exercising their rights or would not be able to benefit from a service or contract
Any combination of two or more of these criteria requires a DPIA to be carried out. For some processing operations, one of the criteria can trigger a DPIA as well.
The Privacy Commission also describes the required elements of a DPIA, but refrains from defining a methodology; for the latter it refers to existing risk analysis methodologies. It also addresses the notification requirement of a DPIA under the GDPR, which it considers to be required also where the outcome of a DPIA suggests a high risk to the rights and freedoms of data subjects despite the risk-mitigating measures put in place. In other words, the residual risk triggers the notification.
The Recommendation also addresses finer details such as the different parties and their respective roles in a DPIA, criteria for exemption from the DPIA requirement, and the maintenance of DPIAs. On this last element, the Privacy Commission considers that DPIAs must be reviewed at least every three years and that changes to processing operations existing on 25 May 2018 require a complete DPIA of the processing operation, not just of the modifications.
The recommendation concludes with annexes listing data processing activities which always require a DPIA as well as processing activities that are exempt from this requirement. These annexes are subject to adoption by the Data Protection Authority.
While the Recommendation does not put an end to all discussions, it does provide welcome clarification on the DPIA process. It will be interesting to see if the Data Protection Authority will adopt the annexes and / or will add any modifications.
Data protection basics training
On 13 April 2018, the National Commission for Data Protection (CNPD) will organize new courses on the basics of data protection. These courses are aimed at those who wish to learn the basic elements of data protection law.
The topics will include: basic concepts (personal data, processing, data controller / data processor, sensitive data, etc.), the rights of data subjects, the obligations of data controllers, the role of the CNPD, and the new aspects introduced by the GDPR.
The Federal Council answers questions about the applicability of the GDPR in Switzerland
On 2 March 2018, the Swiss Federal Council published answers to questions raised by a member of the National Council with respect to the applicability of the GDPR in Switzerland and the coordination between the European and Swiss legal frameworks (see here all questions and answers, available in German, French and Italian). The position of the Swiss Federal Council is particularly interesting with regard to the adequacy decision and the enforcement of the GDPR with respect to Swiss based companies.
The decision to split the revision of the Swiss data protection act (see our newsletter on this topic for more information) may delay the revision process. The Swiss Federal Council has therefore decided to postpone discussing the adequacy of the act with the European Commission (EC). It is not clear yet when the EC will reevaluate the adequacy of the Swiss data protection legislation. If the Swiss act has not been revised at the moment of the reevaluation, it could lead to the EC denying such adequacy. In that case, personal data could no longer be readily transmitted from the EU to Switzerland and additional security measures would have to be put in place. For instance, Swiss companies would have to contractually agree to comply with the European regulation framework.
Enforcement of the GDPR in Switzerland
With regard to the question raised concerning investigations by the European supervisory authorities and the enforcement of their decisions with respect to Swiss-based companies, the Federal Council stated that since no cooperation agreement is in place between Switzerland and the EU, the European supervisory authorities will not be able to act directly in Switzerland. Such investigations and decisions will have to be directed against a Swiss company via its representative in the EU (art. 27 GDPR).
The GDPR will enter into force as from 25 May 2018. As Brexit will in principle only take place on 30 March 2019, this means that on 25 May 2018 the UK will still be an EU Member State and that the GDPR will thus have direct effect in the UK.
Since its decision to withdraw from the EU, the UK has transparently shared its intent to adopt a regime which will be considered by the EC and the EU Court of Justice as providing an “adequate” level of protection in order to allow UK businesses to continue sharing personal data with the EU and the EEA countries.
On 13 September 2017, the UK government made an important step forward in this direction by introducing a draft Data Protection Bill (the Bill).
Until the UK leaves the EU, the Bill (once final and granted royal assent) will therefore apply in parallel to the GDPR and should be read alongside the GDPR. After Brexit, the GDPR will be incorporated into UK’s domestic law via the EU (Withdrawal) Bill.
The Draft Data Protection Bill
To say the least, the Bill is a long and complex piece of legislation (consisting of seven parts, each sub-divided into chapters, with 18 additional schedules). Its scope is also much broader than that of the GDPR. In addition to filling the gaps permitted under the GDPR, the Bill mainly aims at (1) implementing the Law Enforcement Directive into UK law and (2) providing data protection rules for the processing activities of UK intelligence services.
The UK government used the Bill as an opportunity to implement a number of flexibilities and derogations, within the boundaries set out by the GDPR. These include:
- Children’s consent
- Processing of special categories of data
- Processing of personal data relating to criminal convictions and offences
- Automated individual decision making
- National security and defence exemption
The Bill is currently being reviewed by the House of Lords. Its date of royal assent cannot be precisely determined at this stage.
Data transfers: UK seeking an early “adequacy decision” from the EC
In August 2017, prior to the publishing of the draft Data Protection Bill, the UK Government was already inviting the EC to grant the UK an “adequacy decision” (i.e. a decision taken by the EC to determine whether a third country ensures an adequate level of protection based on its domestic law, or on the international commitments it has entered into) to allow for the transfer of personal data from the EU to the UK without additional measures. The UK Government expressed itself as follows:
“The UK’s data protection law will fully implement the most up-to-date EU framework, and this will remain the case at the point of the UK’s withdrawal from the EU. On this basis, the Government believes it would be in the interest of both the UK and EU to agree early in the process to mutually recognise each other’s data protection frameworks as a basis for the continued free flows of data between the EU (and other EU adequate countries) and UK from the point of exit until such time as new and more permanent arrangements come into force.”
At the moment, the discussions around this potential data-flow deal have not yet started. It is thus uncertain whether they will be completed prior to the date of withdrawal (taking into account, for instance, that it took nearly three years for the EU to reach a data transfer deal with the U.S. and that Japan’s pending data agreement with the EU is expected to take 18 months).
Brexit should in principle not cause major issues in this respect, as the EC is, according to the main stakeholders, likely to adopt such an adequacy decision. For UK-based companies: keep in mind that the GDPR will in any case apply to UK-based companies that process personal data of EU data subjects where the processing is related to the offering of goods or services to individuals in the EU or to the monitoring of their behaviour in the EU.
We hope that you enjoyed this month’s issue and we welcome any questions that you may have regarding the topics. Make sure to keep an eye out for our April issue, in which we will discuss the Article 29 Working Party’s approach on the opinions that it has published regarding the GDPR. In addition to this, we will of course update you on relevant developments within our home markets.
For more information, please get in touch with your trusted adviser at Loyens & Loeff, or any member of our Data Protection & Privacy Team.