The European Data Protection Board (EDPB) recently issued guidance documents agreed upon at its mid-December 2020 plenary meeting. The entity charged with articulating the General Data Protection Regulation (GDPR) published two documents on aspects of the European Union’s data protection regime, including case studies of how controllers and processors should handle data breaches and another on the limits on how far data protection rights may be restricted temporarily under EU or member state law. The EDPB articulated its view on how the GDPR and the recently enacted payment directive interrelate. The EDPB also shared its view on the EU’s plan to revamp its anti-money laundering laws, which may well inform how the bloc moves forward, especially with respect to data protection aspects of the issue.
The EDPB issued a draft “Guidelines 01/2021 on Examples regarding Data Breach Notification” for consultation that would ultimately complement data breach guidance under the GDPR the EDPB’s predecessor published in 2018. The EDPB’s draft guidance provides data breach cases that it thinks are timely and relevant. In particular, the EDPB explained:
- The GDPR introduces the requirement for a personal data breach to be notified to the competent national supervisory authority (hereinafter “SA”) and, in certain cases, to communicate the breach to the individuals whose personal data have been affected by the breach (Articles 33 and 34).
- The Article 29 Working Party already produced a general guidance on data breach notification in October 2017, analysing the relevant Sections of the GDPR (Guidelines on Personal data breach notification under Regulation 2016/679, WP 250) (hereinafter “Guidelines WP250”). However, due to its nature and timing, this guideline did not address all practical issues in sufficient detail. Therefore, the need has arisen for a practice-oriented, case-based guidance that utilizes the experiences gained by SAs since the GDPR is applicable.
- This document is intended to complement the Guidelines WP 250 and it reflects the common experiences of the SAs of the EEA since the GDPR became applicable. Its aim is to help data controllers in deciding how to handle data breaches and what factors to consider during risk assessment.
- Though the cases presented below are fictitious, they are based on typical cases from the SA’s collective experience with data breach notifications. The analyses offered relate explicitly to the cases under scrutiny, but with the goal to provide assistance for data controllers in assessing their own data breaches. Any modification in the circumstances of the cases described below may result in different or more significant levels of risk, thus requiring different or additional measures. These guidelines structure the cases according to certain categories of breaches (e.g. ransomware attacks). Certain mitigating measures are called for in each case when dealing with a certain category of breaches. These measures are not necessarily repeated in each case analysis belonging to the same category of breaches. For the cases belonging to the same category only the differences are laid out. Therefore, the reader should read all cases relevant to the relevant category of a breach to identify and distinguish all the correct measures to be taken.
The consultation ends on 2 March 2021.
The EDPB also issued for consultation “Guidelines 10/2020 on restrictions under Article 23 GDPR” which aims to elucidate a provision of the GDPR that allows EU member states to restrict some of the data protection rights under certain, limited circumstances. The EDPB explained:
This document seeks to provide guidance as to the application of Article 23 GDPR. These Guidelines provide a thorough analysis of the criteria to apply restrictions, the assessments that need to be observed, how data subjects can exercise their rights once the restriction is lifted and the consequences for infringements of Article 23 GDPR.
The EDPB explained elsewhere in the guidance:
Article 23 GDPR allows under specific conditions, a national or Union legislator to restrict, by way of a legislative measure, the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 GDPR in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard, inter alia, important objectives of general public interest of the Union or of a Member State.
The EDPB summarized the requirements under Article 23:
- [Article 23] is entitled ‘restrictions’ and it provides that, under Union or Member State law, the application of certain provisions of the Regulation, mainly relating to the rights of the data subjects and controllers’ obligations, may be restricted in the situations therein listed. Restrictions should be seen as exceptions to the general rule of allowing the exercise of rights and observing the obligations enshrined in the GDPR. As such, restrictions should be interpreted narrowly, only be applied in specifically provided circumstances and only when certain conditions are met.
- Even in exceptional situations, the protection of personal data cannot be restricted in its entirety. It must be upheld in all emergency measures, as per Article 23 GDPR thus contributing to the respect of the overarching values of democracy, rule of law and fundamental rights on which the Union is founded: any measure taken by Member States shall respect the general principles of law, the essence of the fundamental rights and freedoms and shall not be irreversible and data controllers and processors shall continue to comply with data protection rules.
- In all cases, where Union or Member State law allows restrictions to data subjects’ rights or to the obligations of the controllers (including joint controllers) and processors, it should be noted that the accountability principle, as laid down in Art. 5(2) GDPR, is still applicable. This means that the controller is responsible for, and shall be able to demonstrate to the data subjects his or her compliance with the EU data protection framework, including the principles relating to the processing of their data.
- When the EU or national legislator lays down restrictions based on Art. 23 GDPR, it shall ensure that it meets the requirements set out in Art. 52(1) of the Charter, and in particular conduct a proportionality assessment so that restrictions are limited to what is strictly necessary.
The EDPB issued the second version of the “Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR” and explained its background and purpose:
The second Payment Services Directive (hereinafter “PSD2”) has introduced a number of novelties in the payment services field. While it creates new opportunities for consumers and enhances transparency in such field, the application of the PSD2 raises certain questions and concerns in respect of the need that the data subjects remain in full control of their personal data. The GDPR applies to the processing of personal data including processing activities carried out in the context of payment services as defined by the PSD2. Thus, controllers acting in the field covered by the PSD2 must always ensure compliance with the requirements of the GDPR, including the principles of data protection set out in Article 5 of the GDPR, as well as the relevant provisions of the ePrivacy Directive. While the PSD2 and the Regulatory Technical Standards for strong customer authentication and common and secure open standards of communication (hereinafter “RTS”) contain certain provisions relating to data protection and security, uncertainty has arisen about the interpretation of these provisions as well as the interplay between the general data protection framework and the PSD2.
The EDPB continued:
- On July 5 2018, the EDPB issued a letter regarding the PSD2, in which the EDPB provided clarifications on questions concerning the protection of personal data in relation to the PSD2, in particular on the processing of personal data of non-contracting parties (so called ‘silent party data’) by account information service providers (hereinafter “AISPs”) and payment initiation service providers (hereinafter “PISPs”), the procedures with regard to giving and withdrawing consent, the RTS and the cooperation between account servicing payment services providers (hereinafter “ASPSPs”) in relation to security measures. Whereas the preparatory work of these guidelines involved the collection of inputs from stakeholders, both in writing and at a stakeholder event, in order to identify the most pressing challenges.
- These guidelines aim to provide further guidance on data protection aspects in the context of the PSD2, in particular on the relationship between relevant provisions on the GDPR and the PSD2. The main focus of these guidelines is on the processing of personal data by AISPs and PISPs. As such, this document addresses conditions for granting access to payment account information by ASPSPs and for the processing of personal data by PISPs and AISPs, including the requirements and safeguards in relation to the processing of personal data by PISPs and AISPs for purposes other than the initial purposes for which the data have been collected, especially when they have been collected in the context of the provision of an account information service. This document also addresses different notions of explicit consent under the PSD2 and the GDPR, the processing of ‘silent party data’, the processing of special categories of personal data by PISPs and AISPs, the application of the main data protection principles set forth by the GDPR, including data minimisation, transparency, accountability and security measures. The PSD2 involves cross-functional responsibilities in the fields of, inter alia, consumer protection and competition law. Considerations regarding these fields of law are beyond the scope of these guidelines.
Moreover, the EDPB weighed in on the “Action plan for a comprehensive Union policy on preventing money laundering and terrorism financing,” which the EDPB characterized as follows:
- According to the Action Plan, the Commission aims to present new legislative proposals in the first quarter of 2021, inter alia, establishing a single rulebook on these topics (i.e. a Regulation or a more detailed revised Directive), ensuring EU level supervision (either by granting new powers to an existing EU Agency or by establishing a new dedicated body), and creating a support and coordination mechanism for Financial Intelligence Units.
- The applicable anti-money laundering measures include very broad and far-reaching obligations on financial services providers and other obliged entities to identify and know their customers, to monitor transactions undertaken using their services, and to report any suspicious transactions. Furthermore, the legislation stipulates long retention periods. These measures cover the entire European financial services industry, and therefore affect, in a comprehensive manner, all persons using financial services, each time that they use these services.
The EDPB called on the European Commission (EC) to keep data protection in mind when drafting AML legislation:
- The EDPB, and before it the Article 29 Working Party, has repeatedly noted the privacy and data protection challenges related to these measures in the past. The upcoming update to the legislation is an opportunity to address the interplay between the protection of privacy and personal data and the anti-money laundering measures, as well as their concrete application on the ground.
- In this context, the EDPB stresses that the intended update to the anti-money laundering framework shall not be undertaken without a review of the relationship between the anti-money laundering measures and the rights to privacy and data protection. In this discussion, relevance and accuracy of the data collected plays a paramount role. The EDPB is indeed convinced that a closer articulation between the two sets of rules would benefit both the protection of personal data and the efficiency of the AML framework. In this respect, the EDPB would like to reiterate the need for a clear legal basis for the processing of personal data and stating the purposes and the limits of such processing, in line with Article 5(1) GDPR, in particular regarding information sharing and international transfers of data, as noted by the EDPS in its opinion on the European Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.