Limiting Legal Basis for Data Processing Under the DMA: Considerations on Scope and Practical Consequences
May 30, 2023
CIPL has been a leader in promoting the responsible use of data for more than 20 years. We support the goals of the European Union’s (“EU”) Digital Strategy fostering innovation, growth and competitiveness in the EU while establishing safe and trusted digital spaces for individuals. As part of our ongoing project examining the Digital Markets Act (“DMA”), we are publishing a series of papers taking a closer look at potential implementation challenges and remaining legal uncertainties across the complete EU digital legislation package. In the first paper, CIPL provided an overview of the data protection implications of the DMA.
This second paper will take an in-depth look at open questions regarding the seeming limitation by the DMA of legal bases available for certain processing of personal data and whether the DMA should consequently be considered as a lex specialis to the GDPR. Additionally, the paper examines ambiguities related to the scope of DMA in terms of personal data processing and lack of definitions of ‘data combination’ and ‘cross-use.’
Bridging the DMA and the GDPR - CIPL Comments on the Data Protection Implications of the Draft Digital Markets Act
December 6, 2021
The EU digital strategy intends to establish a safe and trusted digital space for individuals and a level playing field for businesses that fosters innovation, growth, and competitiveness in the EU. Specifically, the draft Digital Markets Act (DMA) aims to enable open and fair digital and data markets by fostering competition. In particular, it seeks to promote data mobility by imposing obligations on online platforms, falling under the category of “gatekeepers,” to share or to provide access to data. The draft DMA also intends to strengthen the ability of business and end-users to utilize software applications on gatekeepers’ core platforms without being confronted with technical restrictions. The objective of this paper is to: Analyze the relationship between the DMA’s data sharing obligations and the GDPR requirements; Identify the areas that require further assessment and clarification; and Inform and initiate necessary discussions on more practical aspects of the interplay between these two important legislative and policy pillars of the EU digital and data policy.
Comments on the Draft ePrivacy Regulation for Trilogue Discussion
September 29, 2021
On 10 January 2017, the Commission adopted its proposal for an ePrivacy Regulation (ePR). The ePR sets rules for the processing of electronic data and the protection of confidentiality of communications (Regulation on Privacy and Electronic Communications) and is intended to replace the existing Directive 2002/58/EC. The EU Parliament adopted a report on 20 October 2017 (Parliament Draft). On 10 February 2021, the Council of the EU reached a common position (Council Draft).
In the context of the trilogue discussions, CIPL welcomes the opportunity to provide comments on the different versions of the ePR. CIPL has been consistently advocating that the ePR provide the flexibility necessary in the context of the changing digital environment while ensuring that individuals’ rights are effectively protected.
GDPR Enforcement Cooperation and the One-Stop-Shop: Learning from the First Three Years
September 24, 2021
In this paper, CIPL considers: How the OSS, as currently implemented, may be faring in delivering an integrated pan-EU enforcement mechanism for cross border processing activities; Whether the processes and procedures adopted are providing sufficient fairness, consistency and transparency for all those impacted by the OSS; How the OSS should be considered with the enforcement of other digital initiatives, such as e-Privacy; Whether, overall, the OSS may be delivering and/or supporting effective regulation for organizations and individuals; How the OSS is interfacing with the role and functions of individual SAs; and what could be proposed improvements to the working of the OSS.
How the "Legitimate Interests" Ground for Processing Enables Responsible Data Use and Innovation
July 1, 2021
Following the European Data Protection Board’s (EDPB) Stakeholder Workshop on Legitimate Interests on 27 November 2020, the Centre for Information Policy Leadership (CIPL) published this white paper (Paper) as input for the EDPB’s future update of the guidelines on the legitimate interests legal basis (Guidelines). This Paper is also relevant for any jurisdiction where data protection law includes legitimate interests as a legal basis for processing personal data, as well as for policy makers in countries looking to adopt a data protection regime.
This paper explains the growing importance of the legitimate interests legal basis for organizations’ data processing activities and examines how it should be interpreted, used and applied to unlock the value of data in today’s global data-driven and connected world. The Paper also includes an Appendix which summarizes case studies on how organizations currently rely on the legitimate interests legal basis for both (i) routine data processing activities, and (ii) more complex, unique, or new data processing activities that are key for innovation and for the development of the EU digital economy.
A Path Forward for International Data Transfers under the GDPR After the CJEU Schrems II Decision
September 24, 2020
On July 16th 2020, the Court of Justice of the European Union (CJEU) confirmed, in the case known as “Schrems II”, that Standard Contractual Clauses (SCCs) are a valid mechanism for the transfer of personal data outside of the EU, while invalidating the EU Commission’s adequacy decision on the EU-US Privacy Shield. The Judgment substantially impacts organizations engaging in international data transfers under Chapter V of the GDPR (Transfer of Personal Data to Third Countries or International Organizations). Organizations are currently working hard to implement the requirements of the Judgment by assessing and revisiting current data transfer practices, switching or reinforcing data transfer mechanisms, introducing new organizational and technical controls and strengthening existing policies.
CIPL strongly believes that the EDPB guidelines must be informed by the reality of data transfers, global interconnected business processes and services, and best practices that companies are implementing to address the CJEU requirements. It is essential that the EDPB engages proactively with stakeholders and opens these guidelines to public consultation during their development phase. This paper highlights that the Judgment impacts not only transfers to the US, but also all data transfers from the EU to the rest of the world.
Data Subject Rights Under the GDPR in a Global Data Driven and Connected World
July 8, 2020
In this paper, CIPL recommends that the EDPB take into account the following preliminary considerations: DSR must be interpreted in the context of our data driven economy; DSR must be interpreted, applied and enforced in a harmonized manner; DSR must go hand in hand with educational and digital literacy initiatives; The DPO should not have front-line and sole responsibility to deal with incoming DSR requests; Organizations should get credit for setting up effective DSR processes; Certifications covering DSR processes must be a mitigating factor in enforcement; The DSR Guidelines should remain principles and risk-based; The DSR Guidelines should account for Article 23 of the GDPR; The DSR Guidelines should articulate a reasonable test for DSR requests and responses; and the DSR Guidelines should anticipate exceptional circumstances.
Key Issues Relating to Standard Contractual Clauses for International Transfers and the Way Forward for New Standard Contractual Clauses Under the GDPR
August 7, 2019
The European Commission (Commission) is currently working on updated standard data protection clauses for international transfers (SCC) to serve as “appropriate safeguards” that are necessary to legitimize the transfer of personal data to a third country in the absence of an adequacy decision.
This Paper is intended to highlight the main challenges organizations face when relying on the existing SCC and to propose practical ways to overcome these challenges when updating the clauses to the GDPR and to the reality of current business relationships and data uses.
GDPR One Year In - Practitioners Take Stock of the Benefits and Challenges
May 31, 2019
The run up to 25 May 2018 was for organizations in the EU and many around the globe a race to GDPR compliance. Both large and small organizations, including those with existing and mature data protection programs in place, have invested significant time and resources to make unprecedented organizational and system changes in anticipation of the new data protection regime. With such great investment comes great expectation that organizations will not only achieve compliance and avoid high GDPR fines and sanctions and potential reputational damage, but that they will garner the positive impacts associated with responsible data management and a more harmonized and consistent EU data protection framework.
In this report, the CIPL seeks to outline the positive impacts and benefits organizations have experienced as a result of their GDPR compliance efforts. We also describe the challenges and unfulfilled promises of the GDPR, where organizations feel the Regulation has not lived up to its objectives and has presented practical difficulties, despite their dedication to implementing the new requirements.
ePrivacy Regulation and the EU Charter of Fundamental Rights
November 9, 2018
An important focus in the legislative discussions on the proposed ePrivacy Regulation is the fact that the proposal (mainly Articles 5 and 6 thereof) aims to protect the confidentiality of communications of individuals and legal persons, and in particular addresses the confidentiality of content data and metadata, implementing Article 7 of the EU Fundamental Rights Charter (“right to privacy”). In contrast, the GDPR implements Article 8 of the Charter (“right to data protection”).
This legal note argues that the difference between Articles 7 and 8 of the Charter has limited relevance in connection with the ePrivacy Regulation.
Factsheet on the Key Issues Relating to the Relationship Between the Proposed ePrivacy Regulation (ePR) and the General Data Protection Legislation (GDPR)
March 20, 2018
This factsheet provides a detailed outline of the relationship between the proposed ePrivacy Regulation and the General Data Protection Regulation, including definitions, context and purpose.
GDPR Implementation in Respect of Children's Data and Consent
March 6, 2018
This factsheet provides a detailed outline of the relationship between the proposed ePrivacy Regulation and the General Data Protection Regulation, including definitions, context and purpose.
Comments by CIPL on the Article 29 Data Protection Working Party's "Guidelines on Automated Individual Decision-Making and Profiling" Adopted on 3 October 2017
December 1, 2017
This response recognizes that the irresponsible application of profiling and ADM can directly result in unfair discrimination, financial loss, damage to reputation, social disadvantages and potential legal
Copyright © 2024 by the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP.