The International Association of Privacy Professionals is holding its 2019 Europe Data Protection Conference in Brussels. Partner Odia Kagan, who is in attendance, shares some takeaways from day one of the event.

Irish Data Commission Plans Cookie Banner Guidance

Irish Data Protection Commissioner Helen Dixon says the commission has completed a search and sweep of website cookie banners and will publish guidance on the subject using examples from the field as best practices and examples of what not to do.

Regulators Predict Next Frontiers in Privacy Regulation

  • Ulrich Kelber, German Federal Commissioner for Data Protection and Freedom of Information: Artificial Intelligence.
  • Helen Dixon, IDPC: genomics and personal health and connected cars.
  • Marie Laure Denis, president of French Data Protection Authority, CNIL: facial recognition and the associated technological, societal and ethical risks.

Regulators List Enforcement Priorities

Helen Dixon, IDPC

  • Majority of resources is dedicated to handling individual complaints.
  • Key sectors in complaints are social media, banking and telcos.
  • Majority of complaints are regarding access requests ignored completely or only partially responded to.
  • There has been a big increase in erasure requests.
  • DPC has not been able to set its own enforcement priorities. NGOs like Quadrature du Net and NYOB are setting the tone.
  • Fines are only one aspect of enforcement, not the most important.

Wojciech Wiewiórowski, assistant supervisor, European Data Protection Supervisor

  • We try not to be only complaints driven.
  • Ban of operations is a more important tool than fines.

Mathias Moulin, director of the Protection of Rights and Sanctions Directorate at CNIL

  • 70% of the complaints are from private sector
  • The goal isn’t to sanction, it’s to obtain compliance. If infringement is substantial, then yes, but the first move is not to sanction.

Karolina Mojzesowicz, deputy head of data protection at the European Commission

  • Sanctions need to be proportionate but also dissuasive.
  • Fines are helpful and useful tool.

EPDB Revising WP29 Guidance on Data Controller, Data Processor Concepts

CNIL’s Nana Botchorichvilli provided an update that the EDPB is currently revising the WP29 guidance on the concepts of “data controller” and “data processor.”  The guidelines will:

  • define the concepts and address the consequences of the status.
  • explain what the Article 28 Data Processing Agreement should contain and how it should be implemented
  • describe how a joint controllership relationship should be formalized: the form, the allocation of responsibilities, how to address the data subject right and how to communicate this to data subjects
  • focus on practical examples and illustrations.

Draft guidelines are expected Q1 2020.