The Article 29 Data Protection Working Party (“Working Party”), the independent European advisory body on data protection and privacy, comprised of representatives of the data protection authorities of each of the EU member states, the European Data Protection Supervisor (the “EDPS”) and the European Commission, has identified a number of significant data protection challenges related to the Internet of Things. Its recent Opinion 08/2014 on the Recent Developments on the Internet of Things (the “Opinion”), adopted on September 16, 2014, provides guidance on how the EU legal framework should be applied in this context. The Opinion complements earlier guidance on apps on smart devices (see InsidePrivacy, EU Data Protection Working Party Sets Out App Privacy Recommendations, March 15, 2013).
Data Protection Directive
Article 29 Working Party Emphasizes Importance of Personal Data Protection for Big Data Operations and Development
A recent statement from the Article 29 Working Party, the independent European advisory body on data protection and privacy, comprised of representatives of the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission, finds that the EU data protection principles, outlined in the EU Data Protection Directive 95/46/EC, are still valid and appropriate for the development and use of big data analysis.
The statement responded to recent calls by stakeholders that certain data protection principles under EU law should be “substantially reviewed” to enable promising developments in big data operations. The Article 29 Working Party Statement, adopted on September 16, 2014, acknowledged that challenges presented by big data might require “innovative thinking” on how to address key data protection principles, but the protection of personal data remains fundamentally engrained in building trust between companies and consumers.
Article 29 Working Party Meets To Discuss The Right To Be Forgotten
Yesterday, the Article 29 Working Party group of European privacy regulators released a short press release describing the results of its most recent plenary meeting, in which the right to be forgotten was discussed.
The “right to be forgotten” refers to a “new” right that the Court of Justice of the European Union (CJEU) read into the Data Protection Directive (95/46/EC) in the May 2014 case, Google Spain v AEPD and Mario Costeja González (C-131/12). At its heart, the right to be forgotten (RTBF) enables European Union residents to request that search engines take down certain types of search results based on searches of the requestor’s individual name. For example, the right enables requests to take down “irrelevant” or out-of-date search results.
EU Court of Justice clarifies the definition of personal data and scope of access requests
By Jacqueline Clover
The Court of Justice of the European Union (‘CJEU’) has ruled that an analysis produced by an administrative agency to inform and support the agency’s formal decisions (‘legal analysis’) is not of itself “personal data” as defined under Directive 95/46/EC (the ‘EU Data Protection Directive’). This is the case even where the legal analysis contains information that is clearly “personal data”, such as an individual’s name, date of birth, nationality and gender. The ruling of 17 July 2014 in Joined Cases C-141/12 and C-372/12 YS v. Minister voor Immigratie, Integratie en Asiel, and Minister voor Immigratie, Integratie en Asiel v. M, S, is available here.
It is an important decision for two reasons. First, it clarifies the boundaries of what constitutes “personal data” under EU law. And, second, it clarifies that a data subject’s right of access under the EU Data Protection Directive does not necessarily require access to the actual records containing personal data. In some cases, a full summary of the personal data in an intelligible form suffices.
Google, the CJEU, and the Long Arm of European Data Protection Law
By Dan Cooper, Mark Young and Kristof van Quathem
On May 13, the European Court of Justice (the “Court”) handed down an important judgement in a referral from Spain’s National High Court involving Google, a Spanish national, and the Spanish data protection authority (Case C-131/12). The decision has wide-ranging consequences regarding the application of EU data protection laws and the rights individuals are afforded under those laws.
In brief, the Court was asked to answer several questions about Google’s responsibility under EU data protection laws in relation to its online search engine. The Court interpreted the applicable law rules under the EU Data Protection Directive 95/46/EC (the “Directive”) very broadly, holding that Google Inc. is directly subject to Spanish data protection law. The Court also decided that Google is obliged, in certain circumstances – e.g., where information about an individual is inaccurate – to delete web search results that link to web pages containing information relating to that person. Further, where an individual requests it, Google must delete search results that link to information about an individual where the information – even truthful information – is prejudicial to the individual or that he or she wishes to be “forgotten” due to the passage of time. The Court appears to accept that providing access to such information for longer periods of time may be appropriate for high-profile individuals, such as celebrities.
The Court’s landmark decision has dominated headlines and is bound to spark a deluge of analysis and criticism, particularly in relation to issues concerning access to information and censorship. For many international companies that process personal data and have affiliates in Europe, the most significant element of the judgement may prove to be the Court’s finding on applicable law rules, which undoubtedly presents a compliance challenge.
European Data Protection Regulators Clarify the Scope of the Balancing Test Required for Reliance on the “Legitimate Interests” Ground for Data Processing
On 9 April, the Article 29 Working Party (“WP29”) adopted an Opinion on the notion of legitimate interests of the data controller under Article 7(f) of the EU Data Protection Directive 95/46/EC (the “Opinion”). The Opinion has two main objectives: to ensure correct interpretation and implementation of the “legitimate interest” ground for data processing at present, and to provide policy recommendations as part of the ongoing data protection law reform.
Article 7(f) is one of six alternate legal grounds for processing under the Data Protection Directive (other grounds include, for example, consent and the processing being necessary for the performance of a contract). It allows processing of personal data for the legitimate interests of the data controller or third parties to which data are disclosed. The seemingly flexible wording of Article 7(f) has resulted in great divergence in its application across Member States. As the Opinion notes, the legitimate interest ground is seen by many as an “open door” and an easy way to avoid compliance with data protection law. In light of this, the WP29 stresses that the legitimate interest ground should not be seen as less restrictive, or as a means to legitimize data processing for unusual situations or when other grounds do not apply.
Dissuading Companies from Violating Data Protection Rules: Senior European Commission Official Calls for ‘Significant’ Fines
Speaking at Berkeley’s Online Tracking Workshop today, Françoise Le Bail, Director-General of the European Commission’s DG Justice (the leading department regarding the EU data protection reforms) confirmed the European Commission’s vision that the EU needs stronger penalties in order to ensure effective enforcement of European data protection rules. Ms. Le Bail said that European privacy regulators should be able to impose “significant” sanctions on companies for violating EU privacy rules.
Under the current EU Data Protection Directive, dating back to 1995, each EU Member State autonomously decides on the sanctions for data protection violations, resulting in considerable differences throughout the EU. According to critics, the fines are “too small” in most Member States, particularly in comparison to the turn-over of the companies concerned. Frequently used examples are the fines imposed on Google last year by Spain and France (EUR 900,000 and EUR 150,000, respectively).
Advocate General Submits Opinion in Google Spain Case
On 25 June, the Advocate General (the “AG”) submitted an Opinion on a set of questions that a Spanish court referred to the Court of Justice of the European Union (the “Court”). This is the first time that the Court has been asked to interpret the European Data Protection Directive 95/46/EC (the ‘Directive’) in the context of internet search engines. The questions concern three main issues:
- the territorial scope of and the applicable national law under the Directive;
- whether search engine providers are data controllers; and,
- whether there is a right to be forgotten.
The proceedings were triggered by an individual who was the subject of some press reports in a newspaper in early 1998. In 2010, he requested Google Spain not to show any links to the newspaper when users entered his name in the Google search engine. The publisher, whom the individual also contacted, refused to erase the relevant data. The individual therefore lodged a complaint with the Spanish data protection authority, which subsequently ordered Google Spain and Google Inc. to take the measures necessary to withdraw the data from their index and to render future access to the data impossible. Google appealed the decision to a Spanish court, which referred the aforementioned questions to the Court for a preliminary ruling.
The European Court of Justice Rules That Austria’s Data Protection Authority Is Not Sufficiently Independent
On 16 October 2012, the Court of Justice of the European Union (“CJEU”) ruled in favour of the European Commission in its claim against Austria that the Austrian Data Protection Authority, the Datenschutzkommission (“DSK”), was not independent from the Austrian government as required under Article 28 of the EU’s Data Protection Directive. The Commission’s action was supported by the European Data Protection Supervisor (“EDPS”); Austria’s defence was supported by Germany.
Article 28, which was the focus of the case, requires data protection authorities to “act with complete independence in exercising the functions entrusted to them”. This principle is also made clear in the Charter of Fundamental Rights of the EU and in the Treaty on the Functioning of the EU (“TFEU”).
CNIL and Article 29 Working Party Release Report on Google Privacy Policy
By Dan Cooper
On 16 October, 2012, the French data protection authority, the CNIL, released a report on behalf of the Article 29 Working Party that examines Google’s compliance with European data protection law. The report marks a new stage in an investigation which began nine months ago, when Google…