The Article 29 Working Party have conducted a brief consultation on draft guidance on Automated Processing that, surprisingly, reverses all previous legal interpretations I've found. GDPR Article 22 is one of several that begin "The data subject shall have the right", in this case:
In what sometimes seems like a polarised debate on the draft Data Protection Regulation, it’s good to see the Article 29 Working Party trying to find the middle ground. The subject of their latest advice note is the contentious topic of profiling, which has been presented both as vital to the operation and development of Internet services and as an extreme violation of privacy.
The Article 29 Working Party have published an interesting toolbox for Binding Corporate Rules (BCR) for Data Processors. BCRs for Data Controllers have been suggested for some time as a way that large multi-national companies can comply with European Data Protection law.
Having had my own concerns that the European Commission's draft e-Privacy Regulation might prevent some activities that are needed by security and incident response teams, it's very reassuring to see the Article 29 Working Party recommending an explicit broadening of the scope of permitted Network and Information Security (NIS) activities.
The Article 29 Working Party has published its draft guidelines on transparency. For those of us who have already been working on GDPR privacy notices, there don’t seem to be any surprises: this is largely a compilation of the relevant sections of the Regulation and other guidance.
The Article 29 Working Party has produced new guidance on data processing in the workplace, to account for the very significant changes that have occurred since their previous guidance in 2001. Although the focus is on "employee monitoring", it is likely to be relevant to other situations where an organisation has significant power over those who use its premises and equipment. The guidance considers the requirements under both the Data Protection Directive and, from next year, the GDPR.
Data Guidance reports that the Article 29 Working Party have agreed with the Commission that the World Wide Web Consortium (W3C)’s Do Not Track proposals are “one of the most promising initiatives” to make behavioural advertising comply with European laws on data protection and cookies.
The Article 29 Working Party of European Data Protection Supervisors has published draft guidance on consent under the General Data Protection Regulation. Since the Working Party has already published extensive guidance on the existing Data Protection Directive rules on consent, this new paper concentrates on what has changed under the GDPR.
Although its main concern is the more general application of consent to data processing, a new Opinion from the Article 29 Working Party also provides the first positive hint I’ve seen from regulators on what they think an acceptable cookie interface might look like. Although this is a helpful development – statements from other regulators have mostly concerned what was not acceptable – their ideas still seem to raise significant technical and legal issues.
