
JOURNAL ADDRESSES - Morri Rossettimorrirossetti.it/mm/Online Services EDPB Guidelines on the...


JOURNAL ADDRESSES

Personal data | Privacy | Data protection | Law, regulation and caselaw | The new DPO profession | Compliance | Independence and conflict | Resources | Records | GDPR | Ethics | Security incidents and notifications | Breach notification | Pre-problem solving | PbD/DPbD | Audits and assessment | Education, training and programmes | Solutions and systems | Resource update review |

ISSUE INCLUDES

2019 VOLUME 3 ISSUE 5

Beware of Potential Conflicts: Should Your Organization Appoint an IT Director as a Data Protection Officer?
Jordan L. Fischer and Michael A. Shapiro, XPAN Law Group, LLC

GDPR Review One Year In
European Data Protection Board

Online Services: EDPB Guidelines 2/2019 on the Processing of Personal Data Under Article 6(1)(b)
Giovanna Fragalà, Morri Rossetti e Associati

IDPP Profile Spotlight: Andrew Farquhar, Skyscanner
Andrew Farquhar, Skyscanner

Casenote: Enforcement Notice Successfully Challenged


International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel 2019 (3:4)


Contents

Beware of Potential Conflicts: Should Your Organization Appoint an IT Director as a Data Protection Officer?
Jordan L. Fischer and Michael A. Shapiro, XPAN Law Group, LLC

GDPR Review One Year In
European Data Protection Board

Online Services: EDPB Guidelines 2/2019 on the Processing of Personal Data Under Article 6(1)(b)
Giovanna Fragalà, Morri Rossetti e Associati

IDPP Profile Spotlight: Andrew Farquhar, Skyscanner
Andrew Farquhar, Skyscanner

Casenote: Enforcement Notice Successfully Challenged


Subscriptions
Subscriptions are available by contacting: [email protected].

Submissions
Submissions are invited and should be sent to [email protected].

Advertising
Advertising opportunities are available and requests should be sent to [email protected].

Disclaimer
The views expressed in the content submitted are those of the authors and do not necessarily reflect the views of the IDPP, its editors or publishers. Contributions and views contained in the journal are not intended as, and do not constitute, legal advice and are not a substitute for same.

Contact
IDPP, 7 Dunbo Hill, Howth, D13, Ireland. w: www.idpp.info. e: [email protected]

Editor in Chief Adj. Prof. Dr PAUL LAMBERT ▲ London, Dublin Advisory Panel THE RT. HON. PROFESSOR SIR ROBIN JACOB ▲ Judge, Professor, UCL Faculty of Laws, London DAVID HARVEY ▲ Judge, Director, New Zealand Centre for ICT Law, Auckland PAUL MCGARRY SC ▲ Former Chairman, Council of the Bar of Ireland, Dublin PROFESSOR SONIA K. KATYAL ▲ Co-Director, Berkeley Center for Law and Technology, University of California, Berkeley ANN CAVOUKIAN PH.D ▲ Executive Director, Privacy & Big Data Institute, Ryerson University, Former Information and Privacy Commissioner of Ontario, world’s Privacy by Design expert, Toronto JAN PHILIPP ALBRECHT ▲ MEP, Vice Chair LIBE Committee, Brussels PROFESSOR JOHN CROSS ▲ Louis D. Brandeis School of Law, University of Louisville, Louisville PROFESSOR DAVID ROLPH ▲ University of Sydney Faculty of Law, Sydney PROFESSOR DR. JOS DUMORTIER ▲ Professor, Law Faculty University of Leuven, Partner, time.lex, Brussels PROFESSOR SIMONE VAN DER HOF PHD LLM ▲ Leiden Law School, Leiden SUSAN SINGLETON ▲ Singletons, Solicitors, London DANIEL B. GARRIE, ESQ. ▲ Co-founder, Head of Forensic and E-Discovery, Law & Forensics LLC, Arbitrator, Mediator, JAMS, CSO and Partner, Zeichner Ellman & Krause LLP, Professor MIRIAM EVERETT ▲ Head of Data Protection and Privacy, Herbert Smith Freehills, London DR TOBIAS GRÄBER ▲ LLM, Director International Privacy Strategy, Chief Privacy Officer, PwC Europe MIRENA TASKOVA, CIPP/E ▲ Fieldfisher, Palo Alto Copyright Copyright: International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel. All rights reserved. No part of this publication or part thereof may be copied, reproduced or transmitted in any form or by any means or stored in any retrieval mechanism or system of any nature, without the prior written permission received in writing. 
Applications for permission for use of copyright materials including permission to reproduce extracts in other published works should be addressed to [email protected]. Full acknowledgement of the author, journal and publisher must be given. If any when any electronic copy is furnished an individual such use is personal to that individual (unless by other arrangement in writing) and must not be forwarded, furnished or otherwise sent on to any other individuals or organisations whatsoever). All rights are expressly reserved including names, trade marks, copyright, design, layout and databases. The trade marks International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel, IDPP and all logos are expressly reserved.

© IDPP 2017-2019


EDITOR IN CHIEF Adj. Prof. Dr PAUL LAMBERT ▲ London, Dublin ASSISTANT EDITOR Dr RONAN KENNEDY ▲ Galway ADVISORY PANEL THE RT. HON. PROFESSOR SIR ROBIN JACOB ▲ Judge, Professor, UCL Faculty of Laws, London DAVID HARVEY ▲ Judge, Director, New Zealand Centre for ICT Law, Auckland PAUL MCGARRY SC ▲ Former Chairman, Council of the Bar of Ireland, Dublin PROFESSOR SONIA K. KATYAL ▲ Co-Director, Berkeley Center for Law and Technology, University of California, Berkeley ANN CAVOUKIAN PH.D ▲ Executive Director, Privacy & Big Data Institute, Ryerson University, Former Information and Privacy Commissioner of Ontario, world’s Privacy by Design expert, Toronto JAN PHILIPP ALBRECHT ▲ MEP, Vice Chair LIBE Committee, Brussels PROFESSOR JOHN CROSS ▲ Louis D. Brandeis School of Law, University of Louisville, Louisville PROFESSOR DAVID ROLPH ▲ University of Sydney Faculty of Law, Sydney PROFESSOR DR. JOS DUMORTIER ▲ Professor, Law Faculty University of Leuven, Partner, time.lex, Brussels PROFESSOR SIMONE VAN DER HOF PHD LLM ▲ Leiden Law School, Leiden SUSAN SINGLETON ▲ Singletons, Solicitors, London DANIEL B. GARRIE, ESQ ▲ Co-found, Head of Forensic and E-Discovery, Law & Forensics LLC, Arbitrator, Mediator, JAMS, CSO and Partner, Zeichner Ellman & Krause LLP, Professor MIRENA TASKOVA, CIPP/E ▲ Fieldfisher, Palo Alto EU Correspondent DENIS KELLEHER ▲ Senior Legal Counsel, CIPP/E, Institute of Banking, LLD, Barrister, Dublin and Brussels Middle East and Africa Correspondent SHAHAB AHMED ▲ JD, MBA, Managing Counsel, Lead Group Privacy Counsel, Etihad Airways, Dubai South and Central America Correspondent ROBERTO FRAGALE ▲ Socio-Legal Researcher, PPGSD-UFF, Judge, Niterói ANA SOFIA FERRÃO ▲ Specialist Compliance Officer, BMW Bank GmbH, Sucursal, Portugal COUNTRY CORRESPONDENTS Albania SARA CUNGU ▲ CLO Legal Solutions, Tirana Argentina PROFESSOR PABLO A. 
PALAZZI ▲ Allende & Brea, Buenos Aires Australia PETER LEONARD ▲ Partner, Gilbert + Tobin, Sydney OLGA GANOPOLSKY ▲ General Counsel, Privacy and Data, Legal and Governance, Macquarie Austria EVA HAJICEK ▲ DPO, TRB Chemedica GmbH, Vienna Belarus TATIANA EMELIANOVA ▲ Vlasova Mikhel & Partners, Minsk Belgium PROFESSOR DR. JOS DUMORTIER ▲ Professor, Law Faculty University of Leuven, Partner, time.lex, Brussels Bolivia RIGOBERTO PAREDES ▲ Rigoberto Paredes Ayllón, La Paz Brazil EVY MARQUES ▲ Felsberg Advogados, São Paulo Bulgaria PROFESSOR DR DENITZA TOPTCHIYSKA ▲ Department of Law, New Bulgarian University, Sofia Canada


STEVEN MORGAN ▲ Managing Consultant, Osler, Hoskin & Harcourt LLP, Ottawa China JASON MENG ▲ Data Privacy Officer, Bayer China, Beijing XIAOYAN ZHANG ▲Counsel, Reed Smith PROFESSOR DR SHENKUO WU ▲ CCLS & Law School, Beijing Normal University, Senior Consultant of United Nations for Cybersecurity and Cybercrime Issues, Consultant of Supreme Court of People's Republic of China, Head of Research Centre of Internet Society of China Columbia DANIEL PEÑA ▲ Partner, Peña Mancero Abogados, Carerra Croatia DAMIR OSTERMAN ▲ IT project coordinator, Digitalization of work process, European Privacy Seal technical expert, Zagreb Czech Republic EVA ŠKORNIČKOVÁ ▲ Legal Advisor for Personal Data Protection and Cybersecurity, DPO services Skornickova.eu, GDPR.cz, Prague Denmark TORSTEN BJØRN LARSEN ▲ Attorney-at-law LL.M PhD, LEAD Advokatpartnerselskab, Copenhagen El Salvador MORENA ZAVALETA ▲ Regional Partner, Arias, San Salvador Estonia PROFESSOR KATRIN MERIKE NYMAN-METCALF ▲ Head of the Chair of Law and Technology, Tallinn University of Technology, Tallinn Finland MARKUS MYHRBERG ▲ Lexia Attorneys, Helsinki France ASHLEY SLAVIK ▲ CIPP/E, Senior Counsel and Data Protection Officer, Veeva Systems, Paris Germany PROFESSOR DR HEINRICH WOLFF ▲ Professor, Chair of Teaching, Faculty for Law and Economics, Universität Bayreuth, Bayreuth DR INGO SCHÖTTLER ▲ Risk, Compliance, Security Management and Rights Law, Insurances and Data Protection, Fiducia & GAD IT AG, Frankfurt Greece DR MARINA PERRAKI ▲ Partner, Tsibanoulis & Partners, Athens JOHN E. GIANNAKAKIS ▲ CIPP/E, CIPM, CFE, GDPR/F, Regional Counsel Southern Europe, G4S RMS Ltd Hong Kong

XIAOYAN ZHANG 张晓燕 ▲ Counsel (New York, USA), Reed Smith, Hong Kong Hungary ANDRÁS JÓRI PhD ▲ Consultant, Former Data Protection and Freedom of Information Commissioner of Hungary India Bhumesh Verma ▲ Managing Partner, Corp Comm Legal, New Delhi Indonesia SIMON BUTT ▲ Professor of Indonesian Law, ARC Future Fellow, University of Sydney School of Law, Sydney Ireland KATE COLLEARY ▲ Principal, Colleary & Co, Founder, Frontier Privacy, Dublin Israel ARIEL YOSEFI ▲ Herzog Fox & Neeman, Tel Aviv DAVID COHEN ▲ Senior Legal Counsel and Privacy Officer, CodeFuel at Perion Network, Holon Italy GIOVANNI MARIA RICCIO ▲ Professor of Comparative and Media Law, Università di Salerno, Partner, E-Lex Law Firm, Rome SILVIA MARTINELLI ▲ Legal technology expert and author, Turin and Milan Japan TAKAHIRO NONAKA ▲ DLA Piper, Tokyo Kenya ALEX B. MAKULILO ▲ Author Cyber Law in Kenya, Faculty of Law, Open University of Tanzania


Latvia SINTIJA DERUMA ▲ Cybersecurity Leader, ISACA, Latvia Luxembourg MATTHIEU AUBIGNY ▲ Security Consultant, itrust, Niederanven OVIDIU GABRIEL GHISA ▲ DPO, CISA, CIPM, MCT, IT Project Manager, Luxemburg Macedonia PROFESSOR DR BORCE DAVITKOVSKI ▲ PROFESSOR DR ANA PAVLOVSKA DANEVA ▲ Faculty of Law “Iustinianus Primus,” Ss. Cyril and Methodius University, Skopje Malta ANTONIO GHIO ▲ Partner, Fenech & Fenech Advocates, Valletta DR HANS WOLFRAMKESSLER ▲ KS Consultants, St. Julians Netherlands ILINA GEOGIEVA LLM ▲ Institute of Security and Global Affairs, Leiden New Zealand PROFESSOR LECH JANCSEWSKI ▲ Auckland University; New Zealand Information Security Forum, Auckland Peru SANDRO O. MONTEBLANCO ▲ Monteblanco & Associates, LLC, Lima Philippines JEROME BONSOL ▲ General Counsel, Coca-Cola FEMSA Philippines, National Capital Region EMMA THERESA (MAGLAQUE) CABOCHAN ▲ Vice President, Legal Officer and Chief Data Protection Officer, Asia United Bank Corporation Poland MICHAEL PAPKE ▲ Senior Investment Compliance Analyst, State Street, Gdansk Portugal ANA SOFIA FERRÃO ▲ Specialist Compliance Officer, BNP Paribas, Lisbon DOMINGOS SOARES FARINHO ▲ Professor, Alameda da Universidade, Lisbon Romania ROXANA IONESCU ▲ Partner, Nestor, Nestor, Diculescu, Kingston, Petersen, Bucharest OANA CRACIUN (POPESCU) ▲ Senior Legal Counsel and Data Privacy Officer, Deutsche Bank, Bucharest Russia KHAYRYUZOV VYACHESLAV ▲ Head of IT, Outsourcing & Data Privacy, Noerr, Moscow Saudi Arabia BRIAN MEENAGH ▲OMAR M. 
ELSAYED ▲ Partner, Latham & Watkins, Riyadh Scotland DAVID GOURLAY ▲ Partner, Mac Roberts, Edinburgh Senegal BOUBACAR DIAKITE ▲ Counsel, GSK Law, Dakar Singapore LIM CHONG KIN ▲ Head of Telecommunications, Media & Technology, Drew & Napier, Singapore Slovenia KLARA MILETIČ ▲ Partner, Wolf Theiss, Ljubljana South Africa DANIE STRACHAN ▲ Adams and Adams, Pretoria Spain JOSÉ M BAÑO FOS ▲ Baño Leon Abogados, Madrid Switzerland François Charlet ▲ DPO, Data Privacy Lawyer, MLaw in legal issues, crime and security of information technologies, blogger, author, speaker, Cofounder of DPO Association Switzerland, Groupe Mutuel, Lausanne Taiwan VINCENT HUANG ▲ Deknow Technology Services, Taipei Tanzania ALEX B. MAKULILO ▲ Faculty of Law, Open University of Tanzania, Dar es Salaam Turkey


LEYLA KESER ▲ Director, IT Law Institute, İstanbul Bilgi University, Istanbul UAE SHAHAB AHMED ▲ JD, MBA, Managing Counsel, Lead Group Privacy Counsel, Etihad Airways, Dubai BRIAN MEENAGH ▲ OMAR M. ELSAYED ▲ Partner, Latham & Watkins, Riyadh UK SUSAN SINGLETON ▲ Singletons, Solicitors, London SARAH ARMSTRONG-SMITH ▲ Head Continuity & Resilience, Fujitsu Distinguished Engineer and Diversity Champion, Swindon Uruguay SOFÍA ANZA GUERRA ▲ Guyer & Regules, Montevideo US VICTORIA L. SCHWARTZ JD ▲ Professor of Law, Co-Director, LLM and Certificate Programs in Entertainment, Media & Sports Law Pepperdine SEAN M. SOLON ▲ Consultant, Colorado AMANDA O'KEEFE ▲ Senior Vice President and Assistant General Counsel at Citi CIPP/US, CIPM, FIP Tampa/St. Petersburg, Florida


Beware of Potential Conflicts: Should Your Organization Appoint an IT Director as a Data Protection Officer?

Jordan L. Fischer and Michael A. Shapiro

Introduction

Since the enactment of the European Union’s General Data Protection Regulation (the “Regulation”), the Data Protection Officer (“DPO”) requirement has been discussed ad nauseam. Professionals from numerous disciplines (legal, compliance, IT, etc.) all rushed to fill these now numerous roles across organizations of all sizes and shapes in Europe and the United States. But what does it really mean to be a DPO? And is your IT Director in the best position to fulfil that role? This article explores these questions.

The Role of the DPO

The Regulation requires that a DPO perform a number of tasks within an organization, including (i) informing and advising the company’s employees who carry out processing of their obligations pursuant to the Regulation, (ii) monitoring compliance with the Regulation in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits, (iii) providing advice regarding data protection impact assessments and monitoring its performance, (iv) cooperating with the supervisory authority, and (v) acting as the contact person for the supervisory authority on the issues relating to processing.[1] Furthermore, in performing these tasks, the DPO must have “due regard for the risk associated with processing operations, taking into account the nature, scope, context, and purposes of processing.”[2]

As part of the DPO requirement, the Regulation mandates that the DPO “be in a position to perform [his or her] duties and tasks in an independent manner.”[3] Thus, the DPO cannot receive instructions from the organization regarding exercise of his or her tasks, and cannot be dismissed or penalized for performing these tasks.[4] Additionally, it is the organization’s responsibility to ensure that the DPO’s performance of his or her duties does not result in a conflict of interest, thereby jeopardizing the DPO’s independence.[5]

Potential DPO Conflicts

The DPO’s oversight and enforcement responsibilities, coupled with the requirement for the DPO’s independence, place the DPO in the position of a quasi-regulator and a conduit of a Supervisory Authority. Unlike other company officers who are obligated to act in the best interest of a corporation and its shareholders, the DPO’s primary fiduciary responsibility is arguably to the principles stipulated by the Regulation, and to upholding the Regulation above and beyond the interests of the company.

The European Data Protection Supervisor (the “EDPS”) expressly states that “[t]here must not be a conflict of interest between the duties of the individual as a DPO and her other duties, if any.”[6] Further, the EDPS provides a list of recommendations to minimize the risk of a conflict, including that:

● the DPO should not also be a controller of processing activities (for example if he or she is head of Human resources);
● the DPO should not be an employee on a short or fixed term contract;
● the DPO should not report to a direct superior (rather than top management);
● the DPO should have responsibility for managing his or her own budget.[7]

As part of the independence provided to the DPO, there must be sufficient resources provided to the DPO (personnel, financial, and investigatory) that will support the DPO’s role.

IT Director as a DPO

As required by the Regulation, the DPO is responsible for monitoring decisions and activities of an IT director for compliance with the Regulation and cooperating with the Supervisory Authority in investigating security breaches and regulatory violations. Inviting an IT director to self-regulate as a Data Protection Officer is a classic “fox guarding the henhouse” conflict of interest, and in itself a likely violation of the Regulation.

In October of 2016, the Bavarian Data Protection Authority (BayLDA) found such a conflict under the German Federal Data Protection Act (FDPA).[8] Pursuant to the FDPA, a DPO is an independent authority who works in the company to comply with data protection and must not have duties which conflict with his or her obligations under the Act. The BayLDA concluded that the position of an IT manager conflicts with the DPO’s monitoring obligations because the DPO would be required to monitor himself, i.e. to self-regulate. In the BayLDA’s view, “[t]he DPO cannot fulfill [his responsibilities under the FDPA] if he also has significant responsibility for data processing process.”[9]

In its Guidelines on Data Protection Officers adopted on December 13, 2016, the Article 29 Working Party similarly concluded that the DPO “cannot hold a position within the organization that leads him or her to determine the purposes and the means of processing of personal data.”[10] The Article 29 Working Party listed the head of the IT department as a “rule of thumb” position which may conflict with the DPO’s responsibilities but cautioned that a conflict of interest issue must be considered on a case-by-case basis in each organization.[11]

Another potential tension point arises from the fact that the scope of data protection, the DPO’s domain, is much broader than data security, the area of IT’s responsibility. In addition to data security, GDPR-compliant data management requires an organization to consider issues of data collection, use, sharing and handling. The DPO must have a perspective beyond technical data protection to guide the organization in making decisions on these matters. For example, the organization and the DPO performing a data protection impact assessment would need to consider the nature, scope, context, and purpose of processing before addressing specific technical safeguards within the purview of the IT department.

Conclusion

In light of the requirements of the DPO position, and its potential conflict with the responsibilities of a traditional IT Director, an organization should carefully consider whether an IT Director can sufficiently and effectively serve both roles within an organization. With the distinct independence requirements of the DPO, it is likely that an IT Director would not sufficiently be able to remove herself from the day-to-day operations to provide the oversight required to appropriately assess the data protection compliance infrastructure required by the Regulation.

Jordan L. Fischer, Managing Partner, XPAN Law Group, LLC

and Michael A. Shapiro, Attorney, XPAN Law Group, LLC

[1] See EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1, Art. 39(1)(a)-(c)

[2] See id. at Art. 39(2).

[3] See GDPR Recital 97; see also European Data Protection Supervisor, “Data Protection Officer (DPO)” [hereinafter, “EDPS, DPO”], available at https://edps.europa.eu/data-protection/data-protection/reference-library/data-protection-officer-dpo_en (last visited Apr. 15, 2019).

[4] See GDPR, Art. 38(3).

[5] See id. at Art. 38(6).

[6] EDPS, DPO.

[7] Id.

[8] Germany: Data Protection Officer Must Not Have a Conflict of Interests, Baker McKenzie Global Compliance News, available at https://globalcompliancenews.com/germany-data-protection-officer-conflict-of-interest-20161121/ (last visited April 15, 2019).

[9] BayLDA Press Release, dated October 20, 2016, available at https://www.lda.bayern.de/media/pm2016_08.pdf (German only) (last visited April 15, 2019).

[10] Article 29 Working Party, ‘Guidelines on Data Protection Officers (‘DPOs’)’ (WP 243, 13 Dec. 2016), at 15, available at https://ec.europa.eu/information_society/newsroom/image/document/2016-51/wp243_en_40855.pdf (last visited April 15, 2019).

[11] Id. at fn. 34.


GDPR Review One Year In

Just a few days short of the GDPR’s first anniversary, the European Data Protection Board surveyed the Supervisory Authorities (SAs) of the EEA and took stock of the Board’s achievements.

From the very first day of application, the first cross-border cases were logged in the EDPB’s IMI case register, leading to a current total of 446 cross-border cases. 205 of these have led to One-Stop-Shop (OSS) procedures. So far, there have been 19 final OSS outcomes.

At a national level, most Supervisory Authorities (SAs) report an increase in queries and complaints received compared to 2017. Over 144.000 queries and complaints* and over 89.000 data breaches have been logged by the EEA Supervisory Authorities. 63% of these have been closed and 37% are ongoing.

* Based on information provided by SAs from 27 EEA countries

Germany: Based on information provided by The Federal and 17 Regional SAs

The increase in queries and complaints confirms the perceived rise in awareness about data protection rights among individuals, as shown in the Eurobarometer of March 2019. 67% of EU citizens polled indicated that they have heard of the GDPR; 36% of them indicated that they are well aware of what the GDPR entails. In addition, 57% of EU citizens polled indicated that they are aware of the existence of a public authority in their country responsible for protecting their data protection rights. This result shows an increase of 20 percentage points compared to 2015 Eurobarometer results**.

The EEA SAs have reported that, while the cooperation procedures are robust and work efficiently, they are time and resource intensive: SAs need to carry out investigations, observe procedural rules, coordinate and share information with other supervisory authorities.

Looking back on the first 12 months of the EDPB’s work, Andrea Jelinek, Chair of the EDPB, comments:


It has been a challenging first year, but we have reached the goals that we set out to achieve, and we intend to keep up both the work and the pace. Earlier this year, the EDPB adopted its work program for 2019 and 2020. We will also see several cross-border cases carried out by SAs leading to a final outcome in the coming months. Last but not least, we want to continue to listen to and to work together with the people who can give us the best insights into the day-to-day practice of data processing. An ambitious programme, but I am certain that we, as European data protection authorities will find more and more synergies, which will increase our effectiveness.

European Data Protection Board


Online Services: EDPB Guidelines 2/2019 on the Processing of Personal Data Under Article 6(1)(b)

Giovanna Fragalà

Introduction

The EDPB released a set of guidelines on the contractual legal basis for processing of personal data in the context of provision of online services.[1] The scope of these guidelines is to outline the boundaries and the limits to be placed on the legal basis of article 6 (1) (b) of the GDPR, i.e. where processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject.[2]

Without prejudice to the application of all the fundamental principles of article 5 of the GDPR and the rules on contracts, the guidelines analyse the various purposes of the processing activities in order to help information society services select the most appropriate legal basis and avoid passing everything off as an activity necessary for the performance of the contract with the data subject.

This is particularly true considering that fair and transparent processing and especially purpose limitation and data minimization principles are relevant in contracts for online services, which are generally not negotiated on an individual basis and include general processing terms. In fact, as already stated by WP29: “the purpose of the collection must be clearly and specifically identified: it must be detailed enough to determine what kind of processing is and is not included within the specified purpose and to allow that compliance with the law can be assessed and data protection safeguards applied. For these reasons, a purpose that is vague or general, such as for instance “improving users’ experience”, “marketing purposes”, “IT-security purposes” will - without more detail - usually not meet the criteria of being “specific”.”[3]

Article 6 (1) (b) and the Necessity Assessment

For the application of Article 6 (1) (b) GDPR, it must first be assessed whether, in relation to a given purpose, processing is necessary, i.e. whether there are less intrusive and realistic alternatives to achieve the objective. If this is the case, the processing is not necessary.

[1] EDPB guidelines 2/2019 available at https://edpb.europa.eu/sites/edpb/files/consultation/edpb_draft_guidelines-art_6-1-b-final_public_consultation_version_en.pdf

[2] As EDPB points out in the present guidelines, it should be noted that the performance of pre-contractual measures means that a preliminary processing of personal data may be necessary to facilitate the entering into the contract, however, this provision would not cover unsolicited marketing or other processing which is carried out solely on the initiative of the data controller, or at the request of a third party.

[3] Article 29 Working Party Opinion 03/2013 on purpose limitation (WP203), page 15–16, available at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp203_en.pdf


Should the processing be useful but not objectively necessary, it will not be covered by this rule. Nonetheless, this does not imply that the processing activity cannot be lawfully carried out. Rather, it means that the controller shall select another legal basis, such as consent or legitimate interest, and that the processing activity has to be carried out accordingly.

Hence, where the controller cannot demonstrate that a contract exists, that the contract is valid under applicable contract laws and that the processing is objectively necessary for the performance of the contract, the controller should resort to another legal basis for processing.

In order to carry out the necessity assessment, the EDPB’s guidelines suggest some guiding questions, according to which the controller shall evaluate:

• the distinctive features of the online services;
• the exact rationale of the contract and its essential elements;
• the mutual perspectives and expectations of the parties;
• how the service is promoted or advertised to the data subject.

Termination of Contract and Right to Erasure

The guidelines also address the issue of termination of contract and the right to erasure. While the legal basis of article 6 (1) (b) is clearly much more difficult to apply (e.g. where there are still relevant claims or pending payments) once the contract is terminated, certain processing activities, such as storage, can still be legitimate on the basis of legal obligations, pursuant to article 6 (1) (c). In this case, a possible request for erasure pursuant to article 17 (1) may not be followed up, if two conditions are fulfilled: (i) compliance with legal obligations pursuant to article 17 (1) (b) or (ii) the establishment, exercise or defence of legal claims, pursuant to article 17 (1) (e).

Article 6 (1) (b) in Specific Cases

Furthermore, the guidelines analyze the applicability of article 6 (1) (b) to specific processing purposes that are strictly related to the performance of a contract: service improvement, fraud prevention, online behavioural advertising and personalization of content. While service improvement and fraud prevention can be easily linked to a legitimate interest of the controller, behavioural advertising cannot be carried out on the basis of article 6 (1) (b) and is unlikely to be legitimate without the explicit consent of the data subject.4

Processing for personalization of content, according to EDPB, may be considered necessary for the performance of contractual obligations, such as in the case of an online news aggregation service based on the users’ interests. On the other hand, profiling that is not linked to the request of the service as such and is not an integral part of using the service could hardly be based on the contractual legal basis of article 6 (1) (b), meaning that an alternative legal basis will apply (e.g. an online search engine that monitors users’ past bookings to create a profile).

This obviously has a relevant practical impact because it results in the obligation for controllers to consider whether and how to request consent.

4 As WP29 already stated: “[contractual necessity] is not a suitable legal ground for building a profile of the user’s tastes and lifestyle choices based on his clickstream on a website and the items purchased. This is because the data controller has not been contracted to carry out profiling, but rather to deliver particular goods and services, for example.”

Conclusion


The guidelines are a useful tool for analyzing the purposes of processing activities in the context of online services, which nonetheless require controllers to implement appropriate measures to guarantee respect for data protection principles. The above considerations will need to be reflected, by way of example and without limitation, in the privacy policy, which often contains vague and general terms for processing that the data subject cannot easily connect to the corresponding legal basis. The guidelines are still open for public consultation until May 24, and it will be interesting to see whether there will be relevant amendments or not.

Giovanna Fragalà Morri Rossetti e Associati.


IDPP Profile Spotlight: Andrew Farquhar, Skyscanner

IDPP with Andrew Farquhar

Does Growing Data Regulation Require More Resources in Your Department?

Yes. Growing data regulation is happening at the same time as privacy compliance is becoming an increasing point of focus for mainstream media and ever more important in the eyes of the general public. As a global business that serves travellers worldwide, these changing dynamics mean that at the same time as the privacy stakes are rising, so too is the complexity of the work we are dealing with in our team. So, not only do we need to be on top of the latest developments in the EU and understand what those mean for our product and for our travellers, we must equally be on top of and across the latest developments in jurisdictions all across the Americas and throughout the APAC. Meeting these requirements has meant a fairly rapid increase in work for our team, which we are primarily seeking to address at the moment through a process of external hires that will enable us to scale our capabilities in the most efficient way possible.

What Are the Most Interesting Changes and Challenges Concerning Customer Data?

The most interesting changes in play at the moment are those relating to the increasing requirements and expectations around transparency obligations and data subject rights. While we welcome these changes at Skyscanner on the basis that they align closely with the ‘traveller-first’ approach that informs everything we do, they do also present a welcome challenge both to us and to the wider travel sector in general. This is particularly true given the inherent complexities that underpin many of the booking processes involved in international travel and the fact that they were originally developed in the pre-digital/pre-internet world.

Can You Think of a Lesson to Your Younger Self?

Don’t worry about the things that you can’t control or influence and focus instead on the things that you can.

What Inspired You to Pursue a Career in Data Protection and Privacy?

I’ve always been interested in issues arising at the intersection between law and technology and was attracted to data protection and privacy work early on during my legal traineeship at DLA Piper. I found it an exciting area to be involved in as it combines the technical and academic with the practical and commercial; not only do you need to have a strong grip on legal developments, you also need to be able to understand the underlying technologies and practical impacts on data subjects in order to advise on the optimum approach from a privacy perspective. It’s a very fresh and rapidly evolving area of law, with new technologies continuing to push new regulations around the world, so there’s never a dull moment!

How Do You Deal With More and More Employee Data?

Employee data is something that a lot of businesses have traditionally overlooked or de-prioritised in favour of ‘higher-risk’ external-facing customer data. However, the increased awareness of employees regarding their rights and interest in understanding how their information is being used has meant that these traditional prioritisations are being rebalanced somewhat. At Skyscanner we primarily sought to deal with this through investing a significant amount of time as part of our GDPR project in revisiting our approach to employee data as a whole and making sure that the processes we had in place were sufficiently robust and effective. However, it has actually been the gradual fostering of an internal culture of trust and openness when it comes to privacy issues that has proven to have been the most impactful thing for us in this space. In particular, we have found that the more upfront and honest we can be with our employees as to the data we are collecting and how that is being used, the more comfortable our employees are with those use cases and the less risk there is of them developing concerns or feeling the need to resort to formal data subject rights requests.

Did the GDPR Go-Live Greatly Impact Your Department and Organisation?

As with most businesses we experienced a big spike in activity in the run-up to GDPR, but in many ways it wasn’t too different to the experience of working on any big project with a hard deadline. While there were undoubtedly some long hours worked and the need for folks to juggle a few more balls than normal, everyone that was involved across the business was bought into the underlying goal that GDPR represented to us (namely doing the right thing for our travellers) and this helped maintain motivation levels. From a business-awareness perspective, the GDPR project was also a really useful tool for us to help the business understand more about privacy and when/how to most effectively engage with our team. Although we have always been a very privacy-conscious organisation, another impact we have observed is that privacy issues are now being discussed far earlier and more frequently within projects, and often in the context of privacy as a competitive differentiator.

Biographical Description

Andrew has over 10 years’ experience advising on data protection and privacy issues in both private practice and in-house environments. Andrew is currently a Director within the award-winning legal and privacy team at Skyscanner, where he also acts as the group’s Data Protection Officer. Alongside his data protection responsibilities Andrew advises Skyscanner on a broad range of multi-jurisdictional legal issues, with a particular focus on IP, travel law and the intersection between law and technology. Andrew sits as a committee member on the Law Society of Scotland’s Technology Law and Practice Committee.

Andrew Farquhar, Director, Legal and Privacy (DPO), Skyscanner


Casenote: Enforcement Notice Successfully Challenged, Doorstep v ICO

Introduction

The following is an edited extract of the recent decision in the case of Doorstep Dispensaree Ltd v Information Commissioner (EA/2018/0265). This was a case decided on 24 January 2019 at the First Tier Tribunal, General Regulatory Chamber, Information Rights, the new appeals mechanism post the GDPR established in the UK under the new Data Protection Act 2018 (UK). The Tribunal agreed with the appellant company appealing the validity of the enforcement notice issued by the Information Commissioner’s Office (ICO).

Decision Extract

This appeal concerns an Information Notice served by the Information Commissioner (“the Commissioner”) on the Appellant company on 25 October 2018. The Commissioner’s power to serve an Information Notice, and the right of appeal to this Tribunal, were introduced by the Data Protection Act 2018 (“DPA 2018”). This is the first appeal to reach final determination under the new regime. We are grateful to Mr Lockley on behalf of the Information Commissioner and to Mr Hayden on behalf of the Appellant for their helpful oral submissions.

The Information Commissioner is currently investigating the Appellant’s compliance with the General Data Protection Regulation (“GDPR”), in relation to which she is the UK supervisory authority. The Commissioner’s investigation was opened following a report to her office from the Medicines and Healthcare Products Regulatory Agency (“MHRA”) in July 2018 about the manner in which the Appellant company was apparently processing personal data. The Commissioner requested in correspondence certain information from the Appellant in connection with her investigation. The Appellant in correspondence refused to provide the requested information and so the Commissioner decided to serve the Information Notice. The Appellant appealed to the Tribunal.

The lodgement of the Notice of Appeal has the effect of suspending the Appellant’s obligation to comply with the Information Notice, pending determination of this appeal. If the appeal is dismissed, the Commissioner may bring enforcement proceedings in a court. The Tribunal heard submissions from both counsel and, by agreement, rose to decide a preliminary issue as to whether the Information Notice was invalid if compliance with its terms involved a risk of self-incrimination by the recipient. We concluded that the Information Notice was not invalid on this basis ....

The Appellant’s Notice of Appeal dated 28 November 2018 relied on two grounds of appeal, as follows. Firstly, that “there are criminal investigations into the company by MHRA, as such the proper way to question the company is via the criminal proceedings by way of interview of its representatives under the Police and Criminal Evidence Act. To do otherwise would be in contravention of the criminal code and the Human Rights Act … The questions are intended to assist the MHRA’s criminal investigation and in effect MHRA were using the ICO to assist them without recourse to due process and under the guise of requesting information under the Data Protection Act …”. Secondly, “Non-Disclosure. The ICO stated that its questioning arose as a result of the MHRA contacting them, but failed to provide, although requested, disclosure as to the root of its concerns or as appropriate disclosure …”.

At the hearing, Mr Hayden refined the Appellant’s case. He submitted that the Information Notice was not in accordance with the law, as it was void for breach of s. 143(6) DPA 2018 which provides that the recipient of an Information Notice may not be compelled to incriminate him/herself. Although the section had not been referred to expressly in the Notice of Appeal or correspondence, he submitted that the question of the Appellant’s right not to self-incriminate had been raised in the grounds of appeal and that, as the Commissioner had been aware that a criminal investigation was on foot, it had been wrong in principle for her to compel the Appellant to answer questions which might provide evidence which could be used against it in criminal proceedings. The Appellant filed witness evidence including a statement from the Appellant’s solicitor confirming that the company’s superintendent had made no comment when interviewed under caution by MHRA.

Mr Hayden’s secondary submission was that, if the Information Notice was not void, then the Tribunal should amend it to remove certain questions in the Notice which he submitted would have the effect of compelling self-incrimination. The offending parts were some or all of questions 2, 3, 6 and 7 of the Information Notice. He confirmed he did not pursue the grounds that disclosure and/or PACE compliance were required.

The Commissioner’s Response dated 18 December 2018 opposed the appeal on the following grounds. Firstly, that the MHRA’s investigation is entirely separate from that of the Commissioner, whose concern (and duty) is to monitor and enforce the application of the GDPR. It is commonplace for the Commissioner to conduct an investigation at the same time as other statutory agencies, but the Commissioner’s focus is on GDPR/DPA only, and not on the criminal investigation being undertaken by MHRA. Secondly, that ground two is based on a misunderstanding of the Commissioner’s role and the Appellant’s duty to co-operate with her investigation. Further, that there is no requirement for disclosure by the Commissioner before requiring an answer to an Information Notice ....

In response to the Appellant’s case as put at the hearing, Mr Lockley submitted that Parliament had provided the necessary safeguards in DPA 2018, such that the Appellant was at liberty to raise the issue of s. 143(6) and the risk of self-incrimination in correspondence or in response to the service of an Information Notice. The Commissioner would then have to consider whether to seek to enforce the Information Notice through a court or to cancel the Notice. In summary, his submission was that s. 143(6) DPA 2018 was relevant to the Appellant’s obligation to comply with the Information Notice but did not affect the validity of a Notice which had been served ....

We agree with Mr Lockley’s analysis of the new legal framework, which we find to be as follows. The Commissioner may serve an Information Notice in circumstances where she requires a data controller or processor to provide her with information which she reasonably requires for the purpose of carrying out her functions. The Information Notice must meet certain procedural requirements. An Information Notice “does not require” a person to provide information which would expose them to criminal proceedings. The Act does not say that the Commissioner may not serve an Information Notice in such circumstances, or that it is invalid if she does so. It is difficult to see how Parliament could have intended such an interpretation given that the Commissioner would not generally be privy to the relevant information to allow her to make that prospective judgement.

We are satisfied that the effect of s. 143(6) DPA 2018 is to permit the recipient of an Information Notice to raise the issue of risk of self-incrimination with the Commissioner on receipt of the Notice. The Commissioner must then take those submissions into account in deciding whether to apply to a court to enforce the Information Notice or to cancel the Information Notice (possibly serving an amended Notice in its stead).

In this case, the Appellant has provided very limited information to the Commissioner and to the Tribunal about the scope of the criminal investigation and thus the scope for self-incrimination. The Appellant claims to have little information itself at this stage of those proceedings. However, it is clear from the information provided to the Commissioner by MHRA, and placed before the Tribunal, that whatever else may follow there is an issue as to GDPR compliance which warrants further investigation. We accept that the information requested was reasonably required for the Commissioner’s investigation.

The role of the Tribunal is to consider whether the Commissioner’s Notice is not in accordance with the law and/or whether she should have exercised her discretion to serve it differently. The Tribunal has power to substitute a fresh Information Notice if it allows the appeal. We are satisfied in this case that the Information Notice is in accordance with the law and that the Appellant has shown no basis for finding that the Commissioner should have exercised her discretion differently. For these reasons, we dismiss the appeal.

We noted at the hearing that we had received no evidence from the Commissioner as to the factors taken into account in making the decision to serve the Notice. Mr Lockley submitted that they were obvious from the correspondence, but we would have found it helpful to have received a short witness statement from the case officer. We also noted that neither the Notice itself nor the accompanying letter specifically referred the Appellant to the effect of s. 143(6) DPA 2018, notwithstanding the fact that the Commissioner was aware of a parallel criminal investigation. We suggest that it would be fair for the standard information given to recipients of Information Notices to refer expressly to s. 143 DPA 2018.


Contact

Subscriptions and submissions should contact the International Journal for the Data Protection Officer, Privacy Officer and Privacy Counsel at: www.idpp.info
