Article 29 Working Party

On November 25, 2014, the Article 29 Working Party (“WP29”) issued an opinion paper on device fingerprinting (the “Opinion”).  The Opinion builds on existing guidance on cookies (Opinion 04/2012) and confirms that organizations wishing to generate “device fingerprints” by storing or accessing information on a user’s device must obtain user consent (unless an exemption applies).  This is because Article 5(3) of the European e-Privacy Directive 2002/58/EC, known as the “cookie rule”, also applies to device fingerprints.  The real-life impact of the new Opinion on technology businesses is difficult to predict at this stage, but the WP29’s motivation is clear — it aims to prevent companies from using device fingerprinting technology for data analytics or tracking purposes as an alternative to cookies and without the need to obtain consent under Article 5(3).
Continue Reading Have EU Privacy Regulators Just Spelled the End of Web Tracking?

Late last week, the Article 29 Working Party released a short press statement announcing that it had agreed guidance for the implementation of the May 2014 CJEU ruling against Google on the “right to be forgotten.”  See our first post on the Working Party’s guidance here.  The Working Party
Continue Reading Article 29 Working Party Publishes Full Guidance On CJEU Right To Be Forgotten Ruling Against Google

On November 25, 2014, the Article 29 Working Party agreed guidelines for data protection authorities seeking to apply the Court of Justice of the European Union (CJEU) ruling reached earlier this year against Google, which has become known as the right to be forgotten or “RTBF” ruling.  The full guidelines have not yet been published, but the Working Party has now released a short statement that already addresses some important issues.

The Working Party guidelines are not legally binding, but will influence enforcement decisions made by Europe’s data protection authorities.

These clarifications are written for data protection authorities, but will also help Google and other search engines understand the requirements set out in the CJEU judgment in better detail; we’ll provide more information in a later blog post when the full guidance is released.
Continue Reading Article 29 Working Party Agrees Right to Be Forgotten Guidance Following May 2014 CJEU Ruling Against Google

The Article 29 Data Protection Working Party (“Working Party”), the independent European advisory body on data protection and privacy, comprised of representatives of the data protection authorities of each of the EU member states, the European Data Protection Supervisor (the “EDPS”) and the European Commission, has identified a number of significant data protection challenges related to the Internet of Things. Its recent Opinion 08/2014 on the Recent Developments on the Internet of Things (the “Opinion”), adopted on September 16, 2014, provides guidance on how the EU legal framework should be applied in this context. The Opinion complements earlier guidance on apps on smart devices (see InsidePrivacy, EU Data Protection Working Party Sets Out App Privacy Recommendations, March 15, 2013).
Continue Reading Internet of Things Poses a Number of Significant Data Protection Challenges, Say EU Watchdogs

A recent statement from the Article 29 Working Party, the independent European advisory body on data protection and privacy, comprised of representatives of the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission, finds that the EU data protection principles, outlined in the EU Data Protection Directive 95/46/EC, are still valid and appropriate for the development and use of big data analysis.

The statement responded to recent calls by stakeholders that certain data protection principles under EU law should be “substantially reviewed” to enable promising developments in big data operations. The Article 29 Working Party Statement, adopted on September 16, 2014, acknowledged that challenges presented by big data might require “innovative thinking” on how to address key data protection principles, but the protection of personal data remains fundamentally engrained in building trust between companies and consumers.
Continue Reading Article 29 Working Party Emphasizes Importance of Personal Data Protection for Big Data Operations and Development

Yesterday, the Article 29 Working Party group of European privacy regulators released a short press release describing the results of its most recent plenary meeting, in which the right to be forgotten was discussed.

The “right to be forgotten” refers to a “new” right that the Court of Justice of the European Union (CJEU) read into the Data Protection Directive (95/46/EC) in the May 2014 case, Google Spain v AEPD and Mario Costeja González (C-131/12).  At its heart, the right to be forgotten (RTBF) enables European Union residents to request that search engines take down certain types of search results based on searches of the requestor’s individual name.  For example, the right enables requests to take down “irrelevant” or out of date search results.
Continue Reading Article 29 Working Party Meets To Discuss The Right To Be Forgotten

On 9 April, the Article 29 Working Party (“WP29”) adopted an Opinion on the notion of legitimate interests of the data controller under Article 7(f) of the EU Data Protection Directive 95/46/EC (the “Opinion”).  The Opinion has two main objectives:  to ensure correct interpretation and implementation of the “legitimate interest” ground for data processing at present, and to provide policy recommendations as part of the ongoing data protection law reform. 

Article 7(f) is one of six alternate legal grounds for processing under the Data Protection Directive (other grounds include, for example, consent and the processing being necessary for the performance of a contract).  It allows processing of personal data for the legitimate interests of the data controller or third parties to which data are disclosed.  The seemingly flexible wording of Article 7(f) has resulted in great divergence in its application across Member States.  As the Opinion notes, the legitimate interest ground is seen by many as an “open door” and an easy way to avoid compliance with data protection law.  In light of this, the WP29 stresses that the legitimate interest ground should not be seen as less restrictive, or as a means to legitimize data processing for unusual situations or when other grounds do not apply.
Continue Reading European Data Protection Regulators Clarify the Scope of the Balancing Test Required for Reliance on the “Legitimate Interests” Ground for Data Processing

By Kristof van Quathem and Dan Cooper

On April 10, 2014, the Article 29 Working Party adopted an Opinion on anonymization techniques.  The Working Party accepts that anonymization techniques can help individuals and society reap the benefits of “open data” initiatives – initiatives intended to make various types of data more freely available – while mitigating the privacy risks of such initiatives.  Yet, the standard for anonymization proposed by the Working Party is not an easy one to meet, and the Working Party reiterates its belief that data will remain regulated personal data in the event a party – not necessarily the recipient of the data – is capable of associating it with a living individual.
Continue Reading European Regulators Set Out Data Anonymization Standards

Last week, the Article 29 Data Protection Working Party published a non-binding Opinion on data breach notifications, titled Opinion 03/2014 on Personal Data Breach Notification (the Opinion).  The Opinion provides helpful new guidance to companies seeking to understand whether or not notifications about a breach must be made to European privacy regulators and/or affected individuals in the wake of a data breach.  Although the Opinion’s guidance is non-binding, and is not based on clear legal requirements, it is nevertheless likely to shape enforcement practices both inside and outside the EU, given the standing and influence of the Article 29 Working Party.

This post discusses key aspects of the Opinion.
Continue Reading EU Article 29 Working Party Publishes Guidance on Data Breach Notification

By Dan Cooper and Mark Young

This week, the Article 29 Working Party (the “WP29”) released an opinion paper on what constitutes “consent” for purposes of complying with the EU’s “cookie” rules — rules that were revised to include a consent requirement nearly four years ago.  The paper will be relevant to website providers that are subject to the EU’s cookie regime.

The timing of the paper is curious.  After EU Directive 2009/136, amending Directive 2002/58, was passed in 2009, the market was in a state of limbo as Member States worked out what the consent rules meant and how to implement them in national law (see here).  To everyone’s relief, a consensus slowly began to emerge, arguably spurred by guidance from the UK Information Commissioner’s Office (the “ICO”) in late 2011 and May 2012 (see here and here).  Now, the latest WP29 guidance — which is not legally binding but carries significant weight — threatens to revive the old debate and compel industry to revisit issues that many thought were resolved.

For example, the paper suggests that going forward websites “operating across all EU member states” — although it is not clear what this actually means — will need to adopt the following mechanisms to ensure that user consent is valid:

  • Specific information.  In addition to other relevant disclosures, operators will have to inform users about how to accept all, some or no cookies, and how they can change their preferences in the future.
  • Prior consent.  Website operators will be expected to obtain consent from users before deploying non-essential cookies, such as analytics or behavioral advertising cookies, on the user’s device.
  • Affirmative action.  Even more controversially, websites will have to capture affirmative user consent through the clicking of a button or a link, or the ticking of a box positioned near the relevant cookie notice (as opposed to passive pop-ups or banners, commonly used by industry at present).  The WP29 also points out that information on cookies should remain visible on the site until the user has expressed his or her consent; which again runs contrary to current practices.
  • Real choice.  Users should be given a real choice about the types of cookies deployed on their machine, which in practice would mean being allowed to access a website without accepting non-essential cookies.  Such granularity is only a recommendation and it remains to be seen how, and if, it will be adopted by websites.

Continue Reading European Regulators and the Eternal Cookie Debate