data it law April 2017: data protection officer rules revised & anonymisation techniques guides

The overview of interesting Data & IT Law articles and news in April 2017!

The WP29 revised opinion on Data Protection Officers

The Article 29 Working Group published a revised version of its opinion on Data Protection Officers and their position under the GDPR.

Among other things, the WP29 revised these issues:

• DPOs are responsible for all the processing activities, not only for a portion of activities
• Only one DPO can be appointed, but it can be supported by a team
• As an internal DPO, the companies can’t use senior managers, such as Heads of HR, IT or Marketing
• “data-driven marketing activities” are also an example of regular and systematic monitoring
• a great emphasis on the confidentiality of communications between DPOs and employees

However, the revised version does not include more specific information about the definitions of large scale of processing or core activities.

Best methods how to anonymise data

The people from various privacy forums from the US and the EU had met at the Brussels Symposium on De-identification – “Identifiability: Policy and Practical Solutions for Anonymisaiton and Pseudonymisation”. The authors Omer Tene and Gabriela Zanfir-Fortuna had published an article giving an overview of various approaches to anonymisation of personal data.

“The overview shows that there is a tendency to stop looking at anonymisation/identifiability in binary language, with the risk-based approach gaining the spotlight and the idea of a spectrum of identifiability already generating practical solutions, even under the General Data Protection Regulation. (…) One fundamental idea they have in common is that the assessment for identifying the most effective anonymisation technique should give more weight to the environment or context where that data is processed than to the content of the data itself.”

An article with a similar topic was published by Sophie Stalla-Bourdillon and Alison Knight.

Law and social media: e-discovery changes and jury selection process

The first article deals with the changes in the e-discovery processes due to cyber security threads.

1. Data security is an increasingly pivotal part of pretrial conferences
2. There’s more emphasis on best practices for data handling
3. Parties are looking for reassurances from every data custodian

The changes result from parties starting to understand their limitations and also the risks associated with the e-discovery process.

The second article deals with a jury selection procedure and to what extent it is possible to use social media to get information about a jury selection. It gives an overview of different approaches in different US states.

You read about different approaches in states such as Texas, Florida, California, New York or Pennsylvania. In the majority of cases, the research is allowed, but there are restrictions, such as contacting the jurors, etc.

The WP29 Opinion on a new ePrivacy Regulation

The Article 29 Working Group also published an Opinion 1/2017 on the Proposed Regulation for the ePrivacy Regulation (2002/58/EC).

WP29 comments include:

• emphasis on a consistency and alignment with the GDPR
• adding new providers into the scope of the regulation (“Over-the-top” providers, machine-to-machine interaction)
• concerned about not recognizing MAC addresses are personal data
• concerned about a potentially harmful effect of an analysis of metadata and content
• concerned about different issues with default settings of equipment and software
• accepting a removal of data breach notification rules
• stressing the importance of consent