Tag Archives: European Regulation on Data Protection

GDPR Cross-Border Complaints: a New Regulation Proposal Attempts to Harmonize the Procedural Rules Among the Member States

Legal news, , , , , , , , , , ,

On July 4, 2023, the European Commission has issued a proposal for a new EU regulation laying down additional procedural rules aimed at ensuring a better and uniform enforcement of the GDPR among the Member States, especially with regard to the handling of cross-border complaints (“Proposal”).

The Proposal has been inspired by the findings of the reports issued by the European Commission and the European Data Protection Board concerning the status of the application of the GDPR among the Member States. Such reports stressed the need to make the handling of cross-border complaints more efficient and levelled across the EU, since the proceedings followed by local data protection authorities (“LDPA”) have been found to be differently designed and may thus lead to different application of the GDPR provisions.

The main features of the Proposal may be summarized as follows:

  • Submission and handling of cross-border complaints: The Proposal aims at removing the existing differences among the procedural rules applied by different LDPAs, namely with regard to how complaints on cross-boarder issues should be filed and which contents they should have. In such respect, a template for the filing of cross-border complaints – including a standard pre-determined set of information to be provided – has been drafted. The Proposal further specifies procedural rules for the rejection of complaints in cross-border cases and clarifies the roles and rights of the lead LDPA and of any other concerned LDPAs. A system of amicable settlement of complaints is also encouraged.
  • Procedural rights of parties under investigation: The Proposal further aims at harmonizing and strengthening the rights of defence in the course of cross-border investigations and proceedings. Specifically, the Proposal recognizes an extended right of the parties to be heard at key stages of the proceedings and imposes the creation of an administrative file and the parties’ rights of access to it.
  • Tools for cooperation between LDPAs: New tools have been designed to ease the building of consensus between the involved LDPAs on the main features of cross-border proceedings since their preliminary phase, in order to limit the recourse to the (time consuming) dispute resolution mechanism provided by section 65 GDPR only in few exceptional cases. LDPAs that are called to handle a cross-border complaint are required to provide other involved LDPAs with a summary of key issues”, wherethe main findings of facts and legal grounds underlying each complaint are set out. Concerned LDPAs will be able to provide their views on such summary and to raise “relevant and reasoned objections”, in which case a specific fast-track procedure is designed in order to ensure that disagreements among LDPAs are settled at the beginning of the process.
  • Acceleration of cross-border proceedings: Lastly, the Proposal, by imposing strict deadlines, aims to prevent undue delays within the proceedings.

At the moment it is still unclear whether the Proposal will be officially adopted and become a binding regulation. Certainly, it has been welcomed by the European Data Protection Board and by the European Data Protection Supervisor and may be a good opportunity to level the difference among Member States and make the proceedings more efficient.

2017 New Year’s Privacy Resolution: Road to Compliance with the New European Privacy Framework

Legal news, , , , , , , , , , , ,

Year 2017 already brought to us some exciting change. The beginning of the year is also the perfect time for appraisals of the past and resolutions for the near future. Whether we see it as a welcome enhancement of personal data rights or simply as another burdensome European set of requirements, 2016 delivered the new European General Data Protection Regulation (Regulation EU 2016/679, “GDPR”). Already 233 days passed since GDPR entered into force and 498 days are left until the new Regulation will start to apply on May 25, 2018. Roughly, one third of the time given to comply with the new regulatory framework has already gone by. Then, perhaps, the beginning of 2017 can be a good chance to ask ourselves what has already been done in the first 233 days and what still needs to be done in the future 498 days in order not to miss May 2018’s deadline.

The GDPR imposes a much more burdensome level of compliance requirements to companies acting as data controllers and data processors.

Some of them require the assessment and preparation of organizational and implementing measures that need to be put in place well in advance of May 2018.

  • Data controllers and data processors must appoint a data protection officer (“DPO”). The controller and the processor shall ensure that the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data. The controller and processor shall support the DPO in performing his/her tasks by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his/her expert knowledge. The controller and processor shall also ensure that the DPO does not receive any instructions regarding the exercise of those tasks. Furthermore, the DPO shall not be dismissed or penalized by the controller or the processor for performing his tasks and shall directly report to the highest management level of the controller or the processor.
  • Data protection by design and by default will have to be implemented. The data controller: (i) both at the time of the determination of the means for processing and at the time of the processing itself, must “implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of [the GDPR] and protect the rights of data subjects” and (ii) “to implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”.
  • A data protection impact assessment must be carried out. Such impact assessment must contain: a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; an assessment of the necessity and proportionality of the processing operations in relation to the purposes; an assessment of the risks to the rights and freedoms of data subjects; the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with GDPR.
  • Data controllers must guarantee the effectiveness of the data subject’s right to be forgotten and right to portability. This requires an assessment of the adequacy of the technical and organizational instruments currently available and, possibly, their improvement. More specifically, data controllers must be able to fulfill: (i) in relation to the right to be forgotten, their obligation to “take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data”; (ii) as regards to the right to portability, their obligation to allow the data subjects to effectively exercise their right to “receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller”.
  • Data controllers shall notify personal data breaches to the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. This imposes on controllers the preparation of appropriate notification forms, as well as organizational measures to guarantee adequate resources to complete such task.
  • The mandatory content of the written contract between the data controller and the data processor requires a revision of all such contracts. They shall include, inter alia, the obligations of the processor to: process the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization; ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; delete or return all the personal data to the controller after the end of the provision of services relating to processing, including copies; make available to the controller all information necessary to demonstrate compliance with the obligations under GDPR; allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
  • Information notice forms currently in use will need to be revised. In fact, information to be provided to data subjects must include, inter alia: the contact details of the DPO; the legal basis for the processing; the fact that the controller intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission; the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period; the existence of the right to data portability; the existence of the right to withdraw consent at any time for processing based on consent; the existence of the right to lodge a complaint with a supervisory authority; the existence of automated decision-making, including profiling.
  • Data controllers and data processors must keep record of processing activities under their responsibility. Records to be kept by data controllers shall contain all of the following information: the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the DPO; the purposes of the processing; a description of the categories of data subjects and of the categories of personal data; the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations; where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards; where possible, the envisaged time limits for erasure of the different categories of data; where possible, a general description of the technical and organizational security measures. Records to be kept by data processors shall include: the name and contact details of the processor or processors and of each controller on behalf of which the processor is acting, and, where applicable, of the controller’s or the processor’s representative, and the DPO; the categories of processing carried out on behalf of each controller; where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and the documentation of suitable safeguards; where possible, a general description of the technical and organizational security measures. Data controllers and data processors shall therefore dedicate and organize resources to be able to start keeping such records.

All this may appear daunting. Nevertheless, 498 days are more than enough to take all necessary steps, if we let one of our New Year’s resolutions be to timely walk the road to compliance with the GDPR.

Legal Issues 4.0: what approach suits innovation better?

Legal news, , , , , , , , , , , , , , , , , ,

The fourth industrial revolution is undoubtedly on the bull’s eye of international and domestic economic discussions. To name just one of the major events that recently focused on the Industry 4.0 debate, one could mention the World Economic Forum 2016 Annual Meeting held in Davos on January 20-23 2016, together with its ambitious title: Mastering the Fourth Industrial Revolution.

Indeed, starting from Germany’s Industrie 4.0, European governments have been trying to master the demanding challenges that the fourth industrial revolution brought, taking co-ordinate actions with companies and research institutions in order to attract investments and be more competitive in the global manufacturing scene.

At a glance, Industry 4.0 consists in the transformation – or rather the evolution – of industrial manufacturing based on the new possibilities offered by:

  • The ability of machines, devices and sensors to connect and communicate with each other and analyze/process large amounts of data;
  • The ability of information systems to create a virtual copy of the physical world by enriching digital plant models with sensor data;
  • The ability of assistance systems to support humans by aggregating and visualizing information comprehensibly for making informed decisions and solving urgent problems on short notice;
  • The ability of cyber physical systems to physically support humans by conducting a range of tasks that are unpleasant, too exhausting, or unsafe for humans;
  • The ability of cyber physical systems to make decisions on their own and to perform their tasks as autonomous as possible.

The phenomenon hence embraces many fast-evolving fields such as Robotics, Internet of Things, Big Data and Smart Data.

After Germany, other European as well as oversea governments took actions aimed at exploiting, promoting and fueling with investments the research and development driven by such innovations. The United States started Manufacturing USA and France announced Industrie du Futur, to name just a few of such governmental programs.

Lastly, here in Italy, only a few days ago the Italian government announced the main features of its national Industria 4.0. The plan will make available public investments up to ten billion euro between 2017 and 2020, providing for tax incentives, as well as support for venture capital, ultra-broadband development, education and innovative research centers.

A number of legal issues are raised by the fourth industrial revolution.

  • The first and – one would say – more obvious one, is related to data protection. Intelligent and multi-linked objects continuously collect, generate and transmit data (including personal data) that are processed and analyzed, often across State’s boundaries, by both automated and manual means. It is hence fundamental that data protection laws and regulations offer appropriate legal instruments to control and limit what can potentially become an uncontrolled and automated leakage of personal data.
  • Property law is also at stake. In particular, in relation to non-personal data produced by machines and objects, ownership of such “products” seem to be mainly unregulated, with the exception of some specific instruments subject to database’s Moreover, moving towards more typical IP issues, it is clear that enhanced digitalization and connectivity both bring the risk of not being able to effectively keep trade and industrial secrets, as well as not being able to protect undisclosed know-how and business information.
  • Labour law will have to find instruments in order to manage the potential job loss deriving from automatization and innovation.
  • Product liability and, more in general, the legal framework of civil (and criminal) wrongs will have to face the fact that machines are more and more able to communicate, act and, in a way, “think” autonomously.

Can these challenges be tackled with existing legal instruments or do they require the adoption of tailor-made, brand new solutions?

The legal fields that have been mentioned here are, indeed, varied and do not allow one straightforward answer. Nevertheless, it may be worth noting that pushing for over-specific and unrealistically always-up-to-date legal instruments can be very risky. It can result, in fact, in a never-ending (but always late) frantic chase of fast-pacing technological developments, which can be more effectively tackled by adapting traditional flexible tools.

As it has been recently underlined by a study led by the European Parliament, “many of these issues have a cross-border and even pan-European element, e.g. migration of skilled labour, completing the digital single market and cybersecurity, cross-border research, standards etc”.

Perhaps, the success of the fourth industrial revolution from a legal point of view will largely depend on the ability and willingness to find harmonized and common solutions to global challenges, rather than create over-particular and specific new instruments. From this perspective, the new European Regulation on Data Protection can be seen as an encouraging legislative action providing for flexible but effective tools (such as, for example, data protection by design and data protection by default provisions) within the framework of the harmonizing strength of the European Regulation legal instrument.