Today, May 25, 2018, we have come to the last GDPR Update of the current series. During the past 16 months, we have discussed various important topics with regard to the GDPR. For an overview, please see the end of this update.
There has been much public debate surrounding the implementation of the new privacy legislation. The abbreviation ‘GDPR,’ the date of May 25, 2018 and the prospect of €20 million fines have been all over the media, leading to anxiety within many organizations, from globally operating enterprises to local sports clubs.
We have not been the only ones to publish updates on the GDPR; during the past months, the Article 29 Working Party (the WP29) has not been silent either. The WP29 is an overarching data protection body consisting of local supervisory authorities. It regularly publishes guidelines and opinions on (the interpretation of) various data protection concepts. Although these documents are not legally binding, they do give useful and important insights as to how the supervisory authorities interpret important provisions and principles of the GDPR.
The WP29 has published guidelines on consent, transparency, data breaches, data protection officers, the lead supervisory authority, privacy impact assessments, the right to data portability, profiling and automated decision-making and application and setting of administrative fines. (A guideline on the territorial scope of the GDPR is in the making, but it would have been welcome if the WP29 had issued this earlier.)
The transparency guidelines and the guidelines on consent have proven to be of particular significance for our clients’ operations.
Looking at WP29’s consent guidelines, it becomes clear that controllers should avoid relying on consent as the legal basis for data processing as much as possible, as obtaining valid consent is not at all straightforward. The definition of consent consists of a number of criteria, and the controller should comply with all of them. The WP29 explicitly states that relying on consent should be avoided in the employment context in particular. (However, we understand that certain EU member states do in fact require employers to obtain consent, hindering a harmonized approach across the EU.)
The WP29’s non-binding guidelines and opinions are not always in alignment with common business practices. Moreover, the guidelines are sometimes stricter than the GDPR’s wording. Our experience is that supervisory authorities tend to follow these guidelines closely. In addition, Dutch case law on data protection matters (under the Directive) shows that the Dutch courts attach significant importance to WP29 guidance and opinions.
Enforcement activities by supervisory authorities
A large part of the above-mentioned public debate has focused on potential enforcement activities by supervisory authorities. Organizations seem to be most worried about being fined, together with the accompanying risk of negative publicity.
This anxiety is strengthened by the silence of the Dutch supervisory authority (and of other local supervisory authorities) with regard to its envisaged enforcement activities. To date, the Dutch supervisory authority (Autoriteit Persoonsgegevens) has not published any policies on GDPR enforcement and the imposition of fines in the Netherlands.
We have been receiving many questions from clients who want to understand whether supervisory authorities will start imposing administrative fines immediately after 25 May. As discussed in our GDPR Update on sanctions, we believe this is not to be expected. Organizations that are well underway with the implementation of the GDPR today will likely be subject to other corrective measures before being fined. However, supervisory authorities do have the authority to impose fines without warning, and they have clearly left this possibility open.
When looking to implement the GDPR properly, creativity is key: there is little guidance on how various newly introduced requirements should work in practice. The guidance that is available can be found in the recitals of the GDPR, the WP29 guidelines, existing policies and guidelines of supervisory authorities, and parliamentary documents.
Enforcement activities and binding decisions of supervisory authorities in the coming period will provide additional insight into the interpretation and implementation of the GDPR.
We will continue to provide you with regular updates on the GDPR and the way it is enforced, as well as with relevant developments in the field of personal data protection (e.g. the draft e-Privacy Regulation). Stay tuned!
Overview of subjects