Article 29 Working Party

The CNIL announced in a press release on Thursday that it has issued a formal notice to Google Inc. that requires the search engine to provide clear and sufficient information to users about how their data is being used. In particular, the Paris-based regulator wants Google to:

  • Define specified and explicit purposes to allow users to understand practically the processing of their personal data;
  • Inform users by application of the provisions of Article 32 of the French Data Protection Act, in particular with regard to the purposes pursued by the controller of the processing implemented;
  • Define retention periods for the personal data processed that do not exceed the period necessary for the purposes for which they are collected;
  • Not proceed, without legal basis, with the potentially unlimited combination of users’ data;
  • Fairly collect and process passive users’ data, in particular with regard to data collected using the “Doubleclick” and “Analytics” cookies, “+1” buttons or any other Google service available on the visited page; and
  • Inform users and then obtain their consent in particular before storing cookies on their terminal.

Continue Reading French Data Protection Authority: 3-Month Deadline for Google to Comply With Privacy Laws

On April 2, the Article 29 Working Party (the “Working Party”) approved a new Opinion on a principle of European data protection law known as the “purpose limitation”.  The principle (which stems from Article 6(1)(b) of the Data Protection Directive) requires that data controllers only collect data for “specific”, “explicit” and “legitimate” purposes, and not process the data for further purposes that are incompatible with the purposes for which data were originally collected.  As each of these terms has been interpreted differently in different Member States, causing potential confusion for data controllers operating in multiple jurisdictions, one of the main aims of the Working Party paper is to provide clearer, more harmonized interpretations of the principle.  The paper also aims to generally clarify the current legal framework and assist policy makers in drafting the new EU data protection legal framework, and offers guidance on specific scenarios (such as so-called “Big Data” processing).
Continue Reading Article 29 Working Party Releases New Opinion on Purpose Limitation

On 27 February 2013, the Article 29 Working Party published its latest statement regarding the draft General Data Protection Regulation (the “Regulation”), which continues to undergo revision in the European Parliament and Council.  (The latest European body to comment on the draft was the European Parliament’s Committee on Employment and Social Affairs (EMPL), which published its opinion on the draft Regulation late last week.)

The Working Party statement stakes out the Working Party’s position on six key areas of the reform, including rules on consent, regulation of the public sector, and data transfers.  The statement was also accompanied by in-depth discussions about an “exemption for personal or household activities” and about how the “one-stop shop” rules will work when a controller is processing data in multiple jurisdictions.

Continue Reading Article 29 Working Party Releases Further Comments on EU Data Protection Reform

The Court of Justice of the European Union (“CJEU”) in Luxembourg heard argument yesterday concerning the “right to be forgotten”—specifically, whether search engines such as Google must block search results when asked by European citizens to remove references to themselves. 

This particular case—which is representative of approximately 200 similar cases in Spain—came before the CJEU when Google declined to comply with an order from the Spanish Data Protection Authority.  A Spanish citizen, Costeja, wanted Google to de-list references to a publication in a Spanish newspaper in 1998, which discussed the auction of Costeja’s house in connection with his failure to pay social insurance contributions.

Google has taken the position that search engines should not be obligated to remove links to valid (i.e., not incorrect, defamatory, or otherwise illegal) material that exists online.  Rather, only the original publisher can make the decision to remove such content, at which point it will disappear from the search engine index once removed from source webpages.

Continue Reading Must Google Forget You?

By Fredericka Argent

On 26 October, 2012, Commissioner Viviane Reding, the Vice President of the European Commission, gave a speech in Luxembourg following the conclusion of a meeting of the Justice Council (a body of ministers representing Member State justice and home affairs departments, and part of the European Council).  The speech covered a variety of topics, including an update on Commissioner Reding’s positions on the proposed new data protection regime. In particular, businesses may be interested to learn that Commissioner Reding offered to review the number of “delegated act” provisions in the legislation, potentially reducing the scope for future uncertainties.  The Commissioner acknowledged a variety of concerns raised by the Member States, and observed that the legislative negotiations in the European Parliament and Council were now at a “crucial stage”.

The Commissioner used the speech as an opportunity to describe three “proposed solutions” to the criticisms of the bill levied to date.  Each solution represents a change from the Commission’s previous negotiating position, and also possibly a step towards compromise among the three law-making European institutions.

Continue Reading Commissioner Reding Speaks to the European Council on the Proposed Data Protection Regime

By Dan Cooper

On 16 October, 2012, the French data protection authority, the CNIL, released a report on behalf of the Article 29 Working Party that examines Google’s compliance with European data protection law.  The report marks a new stage in an investigation which began nine months ago, when Google
Continue Reading CNIL and Article 29 Working Party Release Report on Google Privacy Policy

The Electronic Frontier Foundation and the Immigration Policy Center last week released an interesting report on law enforcement’s increasing efforts to gather biometric data, and associated risks of data inaccuracy, racial profiling, erroneous deportations, security breaches, and privacy invasions.  The report calls for greater accountability in the biometrics context, including collection and retention limitations; clear rules for collection, use, and sharing; robust security; notice requirements; and independent oversight. 

In recent months, a number of policymakers have raised concerns about both public and private collection of biometric data.  For example,

Continue Reading Biometric Data Under the Privacy Microscope

The Korean Herald reports that Korea’s Communications Commission (KCC) has opened an investigation into Google’s rollout of its new privacy policy in that country.  The investigation reportedly will focus on whether the company has received sufficient consent to the changes to Google’s existing policy and whether Google is collecting

Continue Reading Korean Regulators to Investigate Google’s Privacy Policy Changes

On Monday, the Article 29 Working Party released its new Opinion on geo-location data collection and processing in smart mobile devices.  The paper comes on the heels of a recent furor over the extent to which smart phones collect, process and transmit location data without the full knowledge and consent of

Continue Reading Article 29 Working Party Releases Opinion on Geo-Location Data for Smart Mobile Devices

The Article 29 Working Party recently released an opinion on data breach notification in the EU. The opinion addresses two main issues:

  • Experience to date with the existing breach notification rules in the ePrivacy Directive.

The breach notification obligation imposed by article 4.3-5 of the ePrivacy Directive (2002/58/EC) only applies to providers of electronic communications services. EU Member States are still in the process of transposing the rules into their national laws. However, as most of them are unlikely to meet the deadline of May 25, the Working Party had little to go on for its evaluation. The Working Party underscores the need for harmonization and highlights the areas where such harmonization may be threatened, in particular (i) divergences in the scope of the breach notification obligation; (ii) diverging national guidelines on the modalities of the notification; and (iii) diverging interpretation of what constitutes “protected data” (e.g., encrypted data) that is not subject to some aspects of the breach notification obligation. In order to help ensure harmonization and to increase coordination in cross border breaches, the Working Party has decided to set up a sub-group on breach notification.

  • Expansion of the breach notification obligation to other sectors.

The Working Party welcomes the European Commission’s intention to adopt a horizontal breach notification obligation as part of the revision of the Data Protection Directive. In particular, the Working Party stresses that the new regime should be similar to the one in the ePrivacy Directive; that is, with the same harm threshold, the same notification procedure and the same modalities. Moreover, the Working Party invites the Commission to propose secondary legislation under the ePrivacy Directive that could also serve under the expected general breach notification, once introduced in the Data Protection Directive.

While the Working Party’s position comes as no surprise, three points are worth highlighting:

Continue Reading The Article 29 Working Party and Breach Notification in the EU