Working Party 29

On January 8, 2014, the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), announced that it was imposing a fine of €150,000 on Google, as well as a requirement that Google, within eight days of the decision, publicize the fine on its own website (at

Continue Reading Google Fined by the CNIL for Privacy Breaches as European Regulators Continue Investigation

On April 2, the Article 29 Working Party (the “Working Party”) approved a new Opinion on a principle of European data protection law known as the “purpose limitation”.  The principle (which stems from Article 6(1)(b) of the Data Protection Directive) requires that data controllers only collect data for “specific”, “explicit” and “legitimate” purposes, and not process the data for further purposes that are incompatible with the purposes for which data were originally collected.  As each of these terms have been interpreted differently in different Member States, causing potential confusion for data controllers operating in multiple jurisdictions, one of the main aims of the Working Party paper is to provide clearer, more harmonized interpretations of the principle.  The paper also aims to generally clarify the current legal framework and assist policy makers in drafting the new EU data protection legal framework, and offers guidance on specific scenarios (such as so-called “Big Data” processing).
Continue Reading Article 29 Working Party Releases New Opinion on Purpose Limitation

On Tuesday, June 12, the Article 29 Working Party (WP29), a group of European data protection authorities, published an opinion on the exemptions available to the new cookie rules introduced by the revised EU ePrivacy Directive.  The opinion provides guidance on the implementation of the available exemptions to the requirement to obtain internet users’ informed consent for the use of cookies.  Specifically, the WP29 explained the criteria for relying on one of the two available exemptions: 

  • A user’s informed consent is not required where the cookie is used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network”.  In other words, the transmission of the communication must not be possible without the use of the cookie.  Simply using a cookie to assist, speed up or regulate the transmission of a communication over an electronic communications network is not sufficient.   
  • A user’s informed consent is not required where the cookie is “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”.  There must be a clear link between the strict necessity of the cookie, i.e., that the service would not work without the cookie, and the delivery of the service explicitly requested by the user.  The key is to examine what is strictly necessary from the view of the user, not the service provider.

Continue Reading Article 29 Working Party Publishes Guidance On Cookie Rule Exemptions

The Article 29 Working Party (WP29) yesterday published an opinion on facial recognition in online and mobile services.  The WP29 states this technology requires “specific attention” as it presents “a range of data protection concerns”. 

The opinion focuses on facial technology being used in three main contexts: identifying people in social networks; authenticating and verifying users to control access to services; and categorising individuals, e.g., in the gaming context to enhance the user experience, allow/deny access to age-related content, or to display in-game targeted advertising. 

The opinion places a heavy emphasis on the need to obtain the informed consent of individuals prior to processing their data in connection with facial recognition technologies.  Perhaps of most interest to social networks and the public, is the conclusion that facial recognition should not be used to automatically suggest names of people who are not registered users of social networks for the purpose of tagging them in photographs.Continue Reading Facial Recognition Opinion Targets Social Networks, Authentication Services and Games Consoles

On 26 August, 2011, the Article 29 Working Party, a group of European data protection authorities, published a letter to the Online Behavioural Advertising Industry regarding the proposed industry self-regulatory framework, known as the Best Practice Recommendation on Online Behavioural Advertising (the “Code”). The letter sets out the main data privacy concerns identified by the Working Party arising from the Code. The Working Party takes a strict view regarding the application of the European Data Protection and ePrivacy Directives to the use of cookies for purposes of tracking consumer behaviour online. The main issues discussed in the letter are set out below:
Continue Reading Article 29 Working Party Voices Concerns Over Behavioural Advertising Code

w consents can be given over Bluetooth advertising boards;
consents for employee pictures to be posted to company intranets; 
consents regarding electronic health records and full body security scanners; and
consents given during the use of an online social network; among others.
Written partly in response to a Commission request, the Opinion will no doubt play into the continuing reform of the Data Protection Directive.  Following the European Parliament’s plenary approval of Commission plans for reform of the Directive, in the past several days the Commission has clearly ramped up its activities in relation to specific proposed amendments — on July 14, the Commission launched a new consultation on the proposed data breach notification (link: http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/887&format=HTML&aged=0&language=EN&guiLanguage=en) (a flagship initiative for Commissioner Viviane Reding).  Responding to this atmosphere, the Working Party 29 makes several recommendations for legislative reform in the Opinion, including:
clarifying the meaning of “unambiguous” consent, i.e., explaining that valid consents require a statement or action that signifies agreement from the data subject; 
creating an “accountability obligation” on data controllers requiring them to show data subjects what they regard as valid consent; 
requiring specific language regarding the “quality and accessibility” of the information that forms the basis of the consent, and less ambiguity regarding how data subjects can withdraw their consent; and 
new suggestions regarding how minors (and others who lack legal capacity) can show consent. 

On 15 July, 2011, the Working Party 29 group of European data protection authorities released Opinion 187, on the definition of “consent” as used in the Data Protection Directive and the e-Privacy Directive.  Focusing on factors such as whether the consent is (i) informed, (ii) freely given, (iii) specific, (iv) unambiguous, and so on, the paper explores different scenarios in which consents provided by data subjects are sufficient or insufficient for data controllers and processors to rely on when processing relevant data. Continue Reading Working Party 29 Releases New Opinion on the Meaning of “Consent”

Earlier this week the European group of national data protection authorities, collectively the Working Party 29 (“WP 29”), released a new opinion on data protection issues relating to the prevention of money laundering and terrorist financing.  The new paper features a slew of new recommendations from the WP 29 that

Continue Reading Working Party 29 Issues New Opinion on Prevention of Money Laundering and Terrorist Financing

The EU Art 29. Working Party finished its 80th plenary meeting in Brussels last week.  This week, the Party released a series of new policy opinions produced during the plenary.  The highlights included:

  • A declaration that, in WP 29’s opinion, New Zealand’s data protection regime is now “adequate” for the purposes of international data


Continue Reading EU Working Party 29 Publishes New Series of Opinions