On 16 March 2017, the Irish Data Protection Commissioner ("DPC") announced a public consultation on certain aspects of the EU General Data Protection Regulation ("GDPR"). This consultation focuses on certain topics identified by the Article 29 Working Party ("Working Party") in its 2017 action plan. These are consent, profiling, data breach notification and certification.

The DPC's aim is to capture the views of stakeholders on these four topics, and provide those views to the Working Party. The overall goal is that these insights will inform the Working Party's discussions in advance of finalising its guidance on the interpretation and application of these key provisions of the GDPR. The consultation is open until 31 March 2017.

1. Consent

Under the GDPR, consent will continue to be a lawful basis upon which to process personal data. However, obtaining consent in accordance with the GDPR is likely to pose a greater challenge. In particular, consent will have to be given by a "clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement". Silence, pre-ticked boxes or inactivity will be inadequate.

The DPC has sought input on issues including:

  • how this consent should be interpreted and implemented in practice;
  • how organisations can demonstrate that consent has been validly obtained; and
  • the practical implications for organisations where consent is withdrawn.

2. Profiling

'Profiling' is a new concept introduced by the GDPR. It takes place when the automated processing of personal data is used to evaluate certain personal aspects relating to an individual. According to the GDPR, profiling also includes the monitoring of individuals and the subsequent use of data processing techniques in order to take decisions regarding those individuals or to predict their behaviours or preferences.

In particular, the GDPR aims to avoid individuals being subject to a decision based solely on automated processing, including profiling, "which produces legal effects concerning him or her or similarly significantly affects him or her." Examples include the automatic refusal of an online credit application or e-recruiting practices conducted without any human intervention.

The DPC has sought input on issues including:

  • how existing profiling activities will be impacted by the GDPR;
  • what limits should be applied to profiling; and
  • how an individual should be able to contest a decision made as a result of profiling.

3. Data Breach Notifications

While Irish law currently provides a voluntary code for dealing with personal data breaches, the GDPR will set down mandatory rules on the reporting of breaches. Under the GDPR, where there is a "risk" to the rights and freedoms of individuals, data controllers must notify the relevant supervisory authority, the DPC in Irish cases, no later than 72 hours after having become aware of the breach. Where a breach is likely to result in a "high risk" to those individuals, it will also be necessary to notify the affected individuals. Data processors will be required to notify data controllers after becoming aware of a personal data breach. The data controller must also record any personal data breaches and any actions that the data controller has taken.

The DPC has sought input on issues including:

  • the interpretation of the concepts of a "risk to the rights and freedoms of natural persons" and of "high risk";
  • the cases when it might not be feasible for a controller to report a data breach within 72 hours; and
  • in what circumstances it might not be necessary to notify affected individuals.

4. Certification

Certification is another new concept under the GDPR and will allow controllers and processors to demonstrate compliance in respect of specific types of data processing. Certification will be voluntary and available through a transparent process. The purpose is not to reduce the responsibility levels held by controllers and processors. Instead, certification will signal to data subjects and regulators a level of confidence in an organisation's processing of personal data and will offer third party oversight as a further check on data handling practices. 

The DPC has sought input on:

  • the practical implications for organisations in seeking certification, particularly in relation to data protection by design, the responsibilities of controllers, security requirements and international transfers;
  • the other types of processing, products or services, if any, that could be subject to certification; and
  • when it would be appropriate to withdraw a certification from an organisation.

What's Next?

The launch of this consultation mirrors a number of other such consultations issued in recent months by the DPC's EU counterparts. For instance, the UK regulator, the Information Commissioner's Office, recently launched a consultation on the concept of consent. Earlier this year, the Belgian regulator launched a consultation on its draft data protection impact assessment guidance.

These consultations will feed into the Working Party's second tranche of GDPR guidance. A second "Fablab", a consultation with interested stakeholders, will take place on 5 and 6 April 2017, with the aim of finalising the guidance in the coming months. This eagerly anticipated guidance will provide more insight into organisations' obligations under the GDPR and the expectations of regulators. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.