The Article 29 Working Party of the European Data Protection Authorities (DPAs) has published a report on the public consultations held inside the Working Group in particular regarding critical aspects of the Privacy Regulation such as the concept of “consent”, compliance with notification of data breach and the profiling process.
As we know, the European Regulation 2016/679 on the processing of personal data, which has been in force since 24th May 2016, will take full effect from 25th May 2018. So, with the aim of taking prompt action to put in place the implementation of the GDPR, the Article 29 Working Party has organized a number of Fablab workshops with the objective of opening up dialogue with representatives of European industry, the civil society, relevant associations and the academic world. More than 90 participants took part in the last Fablab session, which took place on April 5th and 6th in Brussels, where they discussed the priority issues of the European Regulation with the European DPAs.
With regard to the subject of “consent”, which constitutes the main legal basis for the processing of personal data, it emerged from the workshop that in certain cases the definition of “consent” contained in the Regulation might not in fact be a reliable basis for the use of personal data. Specific concerns have been raised about the processing of the personal data of a minor, since there is currently no way to either verify the exact age of individuals who give their consent online, or to confirm the identity of persons who declare online that they have parental responsibility.
With regard to consent for the processing of personal data for scientific research purposes, uncertainty was expressed about the secondary use of these data.
Participants also expressed uncertainty about the possibility of the withdrawal of already given consent and the possible consequences faced by those who refuse to grant it. Specific concerns were expressed about the situations in which those individuals who do not give their consent are not able to avail themselves of a particular service.
Further issue concerns have been raised about deals with data breach notifications. Participants asked for greater flexibility on the contents of notifications given the damage to their reputations companies which are victims of such attacks might suffer. They also asked for greater clarity both about methods of notification and the recipients of the notification in cases concerning data of data subjects from different Member States. Is notification required to be given to the Authorities of each Member State involved?
In addition, the workshop participants discussed the question of profiling as a particular form of processing of personal data. There are numerous types of profiling which differ from sector to sector and which cannot be subject to the same provision. For this reason, specific guidelines for each type of profiling have been requested. In addition the guidelines will have to take into account the different objectives for which profiling is made. On this subject, doubts have been expressed about whether there should be limitations to the types of data that can be used. In particular regarding the personal data of minors. Participants also raised objections about there being no clear distinction between profiling processes based on human intervention and those which are completely automated.
The complete meeting report is available on the European Commission webpage dedicated to WP29.