The “one-stop-shop” EU data protection regulator was originally presented as one of the fundamental pillars of the future Data Protection Regulation, but now hangs in the balance of the EU legislative process. This post provides the latest on the status of one-stop-shop in the Council of the EU, where it currently is being debated.
The Article 29 Working Party’s new opinion on anonymization techniques provides a useful primer on randomization and generalization (i.e., data aggregation) techniques used to anonymize data sets. The opinion analyzes each technique based on three ways that data can be re-identified: the ability to single out individuals after the anonymization technique has been applied; the linkability of the anonymized data sets to other data sets; and finally the ability of the data sets to resist inference attacks after application of the anonymization technique. Organizations depending on anonymization for compliance with the Data Protection Directive would be well advised to review their anonymization processes to determine if they comport with the standards set out in the opinion.
Isabelle Falque-Pierrotin, the recently reelected president of the French Data Protection Authority, the CNIL, was elected today to head the Article 29 Working Party for two years effective immediately.
On 14 October, the Article 29 Working Party of EU data protection commissioners published a Working Document providing guidance on obtaining consent for cookies, some eighteen months after the effective date of the so-called “cookie consent law” which required EU websites to obtain consent from Internet users before before placing cookies on their devices. The document analyses, to some extent, the practices more commonly used by website operators to obtain the required consent, and attempts to answer the question as to what measures would “be legally compliant for a website operating across all EU Member States.”
In an August 13 letter to Commissioner Viviane Reding, Article 29 Working Party Chair Jacob Kohnstamm requested more information regarding the United States’ national security surveillance program, including the widely-publicized PRISM program.
On April 19, the European Union’s Article 29 Working Party adopted Explanatory Document WP204 on processor Binding Corporate Rules (BCRs). Processor BCRs provide a new avenue for data controllers to transfer EU personal data to processors (such as cloud service providers) located in third countries not considered to ensure an adequate level of protection under the 1995 EU Data Protection Directive. The Article 29 Working Party, noting the success of controller BCRs and citing the “growing interest of industry in such a tool,” provided initial guidance on processor BCRs in June 2012 through Working Document WP195 (which we previously covered here). WP195 presented a “toolbox” that laid out the criteria for approval of processor BCRs, as well as explanatory notes on the content expected in the processor BCRs. As of January 1, 2013, the EU began accepting applications for approval of processor BCRs.
The European Union’s Article 29 Data Protection Working Party (“WP29”), which consists of the 27 data protection authorities of the EU Member States, has published the “Opinion 03/2013 on purpose limitation” (Working Paper WP203), adopted on 2 April 2013 (the “Opinion”). The WP29 analyzes and interprets the elements of this principle, and gives numerous examples with […]
The European Union’s Article 29 Data Protection Working Party (“WP29“), which consists of the 27 data protection authorities of the European Union Member States, has published its “Opinion on Apps in Smart Devices“, adopted on 27 February 2013 (the “Opinion“). Applicability of EU laws According to WP29, the 1995 Data Protection Directive applies to all […]
At a meeting of civil society in Uruguay today, Article 29 Working Party Chair Jacob Konstamm decried the “fierce lobbying” by the US government and IT companies on the pending EU Regulation and spoke directly to the issue of the explicit consent requirement in the proposed Regulation; the definition of personal data; and the issue of purpose limitation.
On the 1st July, the Article 29 data Protection Working Party adopted an opinion on cloud computing. The Working Party Opinion analyses the “hot topics” on data protection arising from cloud computing services .It also provides guidelines for providers of cloud computing services and their clients. The Opinion is summarized (and linked to) in this blog entry drafted by Hogan Lovells privacy lawyers in London and Madrid.
The Article 29 Working Party on 6 June 2012 adopted Working Paper WP 195 as a new “toolbox” with recommendations for Binding Corporate Rules (BCRs) for data processors.
The Article 29 Working Party released on March 29, 2012 its opinion on the European Commission’s proposed new data protection Regulation and Directive (WP191 – Opinion 01/2012 on the data protection reform proposals). The Working Party expresses strong reservations about the proposed Directive on data processing for police and criminal justice matters, criticizing the Commission’s […]
In an opinion adopted on December 8, the EU Article 29 Working Party again rebuffed the Online Behavioral Advertising industry’s self-regulatory proposal, continuing to hold firm that European law requires affirmative, opt-in consent prior to the placement of any cookie for tracking purposes. The Working Party broke down the OBA industry proposal, and then–in a rebuttal of the industry’s contention that the opinion will result in the proliferation of dreaded browser pop-up windows–offered up a number of methods of obtaining consent not involving pop-ups.
Although the European Commission was expected to release its overhaul of the 1995 Data Protection Directive (95/46/EC) next month, some of the details of those changes emerged earlier than expected this week. In this post, we summarize the many key changes between the Data Protection Directive and the Commission’s draft Data Protection Regulation.
On August 26, 2011 France implemented new EU provisions on data breach notifications for electronic communications providers, as well as new provisions requiring prior consent for cookies. The French measure also gives the government power to order security audits for electronic communications providers.
The Article 29 Working Party in the EU has thrown cold water on proposals by the OBA industry to avoid the literal application of the so-called Cookie Directive for specific opt-in consent to the placement of tracking cookies, whether personal data is tracked or not. In a letter sent in advance of a September meeting between the parties, the Working Party rejects a range of proposals from the OBA industry.
Europe’s group of data protection authorities, the Article 29 Working Party, issued an opinion on smart meters, which goes into surprising detail on points such as the size of the display for the user interface, the need for a ‘push button’ consent module for consumers, the need to keep load graph data stored locally whenever possible. The Art 29 WP stresses the need for energy suppliers and third party energy service companies to develop detailed data retention policies to ensure smart meter data are deleted as soon as no longer needed.
As recently reported by the data protection authority of the German Federal State of Bavaria in its annual review, a US court recently accepted the data protection authority’s limitation on the scope of discovery involving documents with personal information. The issue of EU data protection rules conflicting with US discovery requests is a recurring one, and this episode demonstrates an instance of international comity worth noting.
The Article 29 Working Party (set up under Article 29 of the European Data Protection Directive) has been very productive over the last month as the summer holidays approach, issuing three opinions, one report and one set of FAQs. In recent years we have come to expect these spikes in publications at the middle and end of each year, which are perhaps more a product of the Working Party’s internal approvals process than any indication of unusual activity.
Winston Maxwell, a partner in Hogan Lovells’ Paris Office prepared this entry. On July 13, 2010 the EU’s Article 29 Data Protection Working Party adopted a report (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_en.pdf ) describing how ISPs and telecom carriers retain traffic data for law enforcement purposes in Europe. The European Data Retention Directive 2006/24/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML) was supposed to harmonize national […]
On 16 February 2010, the Article 29 Working Party adopted an opinion on the concepts of data “controller and “processor”, which are crucial for determining who is responsible for compliance with EU data protection rules. The opinion provides a comprehensive analysis as well as practical examples and rules of thumb on how to approach the concepts pragmatically.
The Article 29 working party of European data protection authorities published a roadmap listing areas of future reform of privacy legislation in the EU. “Privacy by design,” increased accountability and a reduction in administrative filing obligations are among the WP29’s proposals.