Międzynarodowa Konferencja Computers, Privacy and Data Protection

Podczas 10 Międzynarodowej Konferencji Computers, Privacy and Data Protection – CPDP 2017 uczestniczyłem w panelu dyskusyjnym – The Regulation is Here! What Now? wspólnie z Janem Albrechtem, Marju Lauristin i Axlem Vossem. Ogólne rozporządzenie o ochronie danych zapewnia harmonizację i tworzy nowe ramy ochrony danych zbudowane na zaufaniu, co jest podstawą do dalszego rozwoju rynku cyfrowego. Przyjęcie rozporządzenia oznacza koniec trudnego i długotrwałego procesu legislacyjnego. Rozporządzenie przewiduje ogólne ramy, zasady, które pozostają niejasne i wymagają doprecyzowania zanim będzie funkcjonalne.

Poniżej moje wystąpienie w języku angielskim:

  • The Regulation is in place and the period of its implementation has started and has to be completed in May 2018. Some might think this is a lot of time but taking into account the amount of work that has to be done, I believe we should not waste any moment.
  • GDPR provides harmonisation and creates new data protection framework building on the trust of all involved parties. It is a basis for further development of the digital market.
  • The aim of the legislators was to create a legislation that will be technological neutral and future proved. This also means that some issues have to be implemented by delegated and implemented acts and on which the Commission is currently working. Apart of this, we need guidelines on how to understand and how to apply GDPR correctly. Article 29 Group is working on and still last year published guidelines on data protection officer, identification of the lead authority and data portability.
  • There are still some issues that we need our close attention on the EU level but we should not forget about issues that have to be dealt on the national level, for instance regarding the procedures and administrative or different fines. The administrative procedural law is not the same nor harmonised in the Member States and this will be a challenge for the data protection authorities and national governments to implement new procedures in a way to ensure the highest level of equal treatment.
  • Another “national” issue, a provision left for the Member States to be implemented or complemented is the provision on Age of children in relation with consent for information society services. The Regulation sets 16 years but allows that if in the MS law lower age exists this can remain unchanged but it has to be not lower than 13 years. There is a certain risk that it will lead to a sort of geoblocking. I do understand that there are differences in the Member States law in this respect but we should make sure that repercussion of this provision is minimal for harmonisation.
  • So these are just two examples of the pressing issues on the national level and how to make sure that the harmonised approach will be maintained.
  • We have other issues that need to be addressed and I believe that we wait for the guidelines on risk-based approach, and more specifically what should be considered as a risk and what as a “high risk” as on this understanding many issues will depend – for example data protection impact assessment. Another issue would be maybe more detailed guidelines on the whole one-stop-shop mechanism. I know we have guidelines on the lead authority already but I tend to think that we would need some direction on the mechanism as a whole.
  • I believe, we need to be especially careful about SMEs. The GDPR has introduced risk-based approach to several provisions, some refer directly to SMEs, and others differentiate obligations for low and high risk. It is necessary to make sure that there is a clear understanding about the obligations for SMEs. The least we can do is to make sure that in particular guidelines prepared there is a section dedicated to explain the obligation for SMEs and whether they have or not special provisions. The best would be to prepare guidelines dedicated to SMEs.
  • Another pressing issue in my opinion is the guidelines on certification and code of conducts. These two instruments are very important and could allow better compliance with the legislation. It should also allow better possibilities for companies to fulfil their obligations and possibly less administrative burden. We need guidelines on these issues as the text of the provisions dedicated to certification and code of conducts differ from the text of the Directive 95/46. There are some questions about the procedures, should the project of the code of conduct be submitted to one national data protection authority? Which one in case we are talking about the code of conduct on the EU level, dedicated for more than one Member States? Or maybe in this case, should it be submitted to the European Data Protection Board? Should it receive an opinion or be approved? Could it be created by the sector and for a specific sector? and finally what does it mean that “The specific needs of micro, small and medium-sized enterprises shall be taken into account”.
  • There are opinions that the self-certification on compliance with the EU data protection rules together with strengthen judicial cooperation through for instance mutual legal assistance treaties could be an answer to cooperation with third countries. Or the model of Privacy Shield. The article of GDPR on Code of conducts allows to adopt a code of conduct on the transfer of personal data to third countries or international organisations.
  • And finally as an issue we have to deal at the same time with the ePrivacy Regulation. In the Commission proposal, it should enter into force on May 25th, 2018. So exactly at the same time as GDPR. I believe we should do our best to meet this deadline indeed. The e-Privacy regulation should be analysed from two different points of view. We have to make sure that it is consistent with the GDPR and complements this instrument ensuring protection of data during electronic communication. On the other hand, it has to be consistent with the Electronic Communication Code as its scope concerns the data when they leave the end-user and before they get to the recipient of the communication. In that sense it covers much more the technological aspects of the communication.
  • From the data protection point of view, we will have an interesting debate on the issue of legal basis on which the processing can take place and in particular on consent. In the ePrivacy regulation, consent is the main, the only legal basis for processing. It is said that the definition of consent from the GDPR applies but article 9 paragraph 2 brings an exception to this rule stating that the consent could be expressed by technical settings of a software application that enable access to the internet.
  • I have presented many issues that need our attention. I am sure that the Article 29 Group and the Commission will work on the particular guidelines but I am launching also the idea to organise a common meeting of LIBE with the representatives of the national parliaments. During this meeting we could discuss where with stand with the implementation of the GDPR, but also Directive and possible in the connection with the ePrivacy Regulation, what are the most urgent issues left to be resolved. We could learn from national parliaments about specific situations and circumstances in the Member States. This would also allow us not to lose sight from the aim that we have to ensure harmonisation and equal rights and obligations throughout the EU.