Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: Article 29 Working Party

Posted in International/EU Privacy

European Regulators Raise the Bar on Anonymization Techniques

The Article 29 Working Party’s new opinion on anonymization techniques provides a useful primer on randomization and generalization (i.e., data aggregation) techniques used to anonymize data sets. The opinion analyzes each technique based on three ways that data can be re-identified: the ability to single out individuals after the anonymization technique has been applied; the linkability of the anonymized data sets to other data sets; and finally the ability of the data sets to resist inference attacks after application of the anonymization technique. Organizations depending on anonymization for compliance with the Data Protection Directive would be well advised to review their anonymization processes to determine if they comport with the standards set out in the opinion.

Posted in Consumer Privacy, International/EU Privacy

Article 29 Working Party Issues Guidance on Cookie Consent

On 14 October, the Article 29 Working Party of EU data protection commissioners published a Working Document providing guidance on obtaining consent for cookies, some eighteen months after the effective date of the so-called “cookie consent law” which required EU websites to obtain consent from Internet users before before placing cookies on their devices. The document analyses, to some extent, the practices more commonly used by website operators to obtain the required consent, and attempts to answer the question as to what measures would “be legally compliant for a website operating across all EU Member States.”

Posted in International/EU Privacy

Article 29 Working Party Issues Additional Guidance on BCRs for Data Processors

On April 19, the European Union’s Article 29 Working Party adopted Explanatory Document WP204 on processor Binding Corporate Rules (BCRs). Processor BCRs provide a new avenue for data controllers to transfer EU personal data to processors (such as cloud service providers) located in third countries not considered to ensure an adequate level of protection under the 1995 EU Data Protection Directive. The Article 29 Working Party, noting the success of controller BCRs and citing the “growing interest of industry in such a tool,” provided initial guidance on processor BCRs in June 2012 through Working Document WP195 (which we previously covered here). WP195 presented a “toolbox” that laid out the criteria for approval of processor BCRs, as well as explanatory notes on the content expected in the processor BCRs. As of January 1, 2013, the EU began accepting applications for approval of processor BCRs.

Posted in International/EU Privacy

Article 29 Working Party Gives New Guidance on the Principle of Purpose Limitation

The European Union’s Article 29 Data Protection Working Party (“WP29”), which consists of the 27 data protection authorities of the EU Member States, has published the “Opinion 03/2013 on purpose limitation” (Working Paper WP203), adopted on 2 April 2013 (the “Opinion”). The WP29 analyzes and interprets the elements of this principle, and gives numerous examples with […]

Posted in Consumer Privacy, International/EU Privacy

European Regulators State that Non-EU Mobile Apps Must Comply with EU Privacy Laws

The European Union’s Article 29 Data Protection Working Party (“WP29“), which consists of the 27 data protection authorities of the European Union Member States, has published its “Opinion on Apps in Smart Devices“, adopted on 27 February 2013 (the “Opinion“). Applicability of EU laws According to WP29, the 1995 Data Protection Directive applies to all […]

Posted in News & Events

Live Blogging from “The Public Voice” in Uruguay: WP 29 Chair Says Proposed EU Regulation is Not Tough Enough

At a meeting of civil society in Uruguay today, Article 29 Working Party Chair Jacob Konstamm decried the “fierce lobbying” by the US government and IT companies on the pending EU Regulation and spoke directly to the issue of the explicit consent requirement in the proposed Regulation; the definition of personal data; and the issue of purpose limitation.

Posted in International/EU Privacy

WP 29 Opinion on Cloud Computing Issued

On the 1st July, the Article 29 data Protection Working Party adopted an opinion on cloud computing. The Working Party Opinion analyses the “hot topics” on data protection arising from cloud computing services .It also provides guidelines for providers of cloud computing services and their clients. The Opinion is summarized (and linked to) in this blog entry drafted by Hogan Lovells privacy lawyers in London and Madrid.

Posted in International/EU Privacy

Article 29 Working Party Publishes Opinion on Cookie Consent Exemptions

On 7 June 2012, the Article 29 Data Protection Working Party issued an opinion on cookie consent exemptions. The Directive 2009/136/EC, amending Directive 2002/58/EC, introduced an opt-in regime which requires providers to request that users grant their express consent to the use of cookies, as opposed to the regime under which users are given the opportunity to opt-out. This opinion clarified when opt in consent is needed, and when it is not.

Posted in International/EU Privacy

Article 29 Working Party issues critical opinion of the Commission’s new proposed data protection framework

The Article 29 Working Party released on March 29, 2012 its opinion on the European Commission’s proposed new data protection Regulation and Directive (WP191 – Opinion 01/2012 on the data protection reform proposals). The Working Party expresses strong reservations about the proposed Directive on data processing for police and criminal justice matters, criticizing the Commission’s […]

Posted in Consumer Privacy, International/EU Privacy

Article 29 Working Party Rebuffs European OBA Industry… Again

In an opinion adopted on December 8, the EU Article 29 Working Party again rebuffed the Online Behavioral Advertising industry’s self-regulatory proposal, continuing to hold firm that European law requires affirmative, opt-in consent prior to the placement of any cookie for tracking purposes. The Working Party broke down the OBA industry proposal, and then–in a rebuttal of the industry’s contention that the opinion will result in the proliferation of dreaded browser pop-up windows–offered up a number of methods of obtaining consent not involving pop-ups.

Posted in International/EU Privacy

Details of EU Data Protection Reform Reveal Dramatic Proposed Changes

Although the European Commission was expected to release its overhaul of the 1995 Data Protection Directive (95/46/EC) next month, some of the details of those changes emerged earlier than expected this week. In this post, we summarize the many key changes between the Data Protection Directive and the Commission’s draft Data Protection Regulation.

Posted in International/EU Privacy

France Implements EU Requirements for Data Breach Notification, Audits and Cookies Applicable to Electronic Communications Service Providers

On August 26, 2011 France implemented new EU provisions on data breach notifications for electronic communications providers, as well as new provisions requiring prior consent for cookies. The French measure also gives the government power to order security audits for electronic communications providers.

Posted in International/EU Privacy

Article 29 Working Party to OBA Industry on Meeting Cookie Consent Requirement: “Nice try, but…”

The Article 29 Working Party in the EU has thrown cold water on proposals by the OBA industry to avoid the literal application of the so-called Cookie Directive for specific opt-in consent to the placement of tracking cookies, whether personal data is tracked or not. In a letter sent in advance of a September meeting between the parties, the Working Party rejects a range of proposals from the OBA industry.

Posted in International/EU Privacy

Article 29 Working Party Guidelines on Consent will Lead to More Pop-ups

Article 29 WP has issued guidelines in which it recommends separate pop-ups and affirmative “check the box” consent options. Consent clauses buried in terms of use are not specific enough to meet European requirements, according to tthe guidelines. Consent requires an affirmative ‘click’ by the consumer. Browser settings alone may not be sufficient, which raises questions under new EU cookie regulations. Details are contained in this blog posting.

Posted in International/EU Privacy

Europe’s Article 29 Working Party issues smart meter guidelines

Europe’s group of data protection authorities, the Article 29 Working Party, issued an opinion on smart meters, which goes into surprising detail on points such as the size of the display for the user interface, the need for a ‘push button’ consent module for consumers, the need to keep load graph data stored locally whenever possible. The Art 29 WP stresses the need for energy suppliers and third party energy service companies to develop detailed data retention policies to ensure smart meter data are deleted as soon as no longer needed.

Posted in Consumer Privacy, International/EU Privacy

US Court and German Data Protection Authority in Accord on Discovery Limitations

As recently reported by the data protection authority of the German Federal State of Bavaria in its annual review, a US court recently accepted the data protection authority’s limitation on the scope of discovery involving documents with personal information. The issue of EU data protection rules conflicting with US discovery requests is a recurring one, and this episode demonstrates an instance of international comity worth noting.

Posted in International/EU Privacy

EU’s Article 29 Working Party Provides Substantial Guidance

The Article 29 Working Party (set up under Article 29 of the European Data Protection Directive) has been very productive over the last month as the summer holidays approach, issuing three opinions, one report and one set of FAQs. In recent years we have come to expect these spikes in publications at the middle and end of each year, which are perhaps more a product of the Working Party’s internal approvals process than any indication of unusual activity.

Posted in International/EU Privacy

EU Article 29 Working Party Report on ISP and Telecom Carrier Data Retention for Law Enforcement Purposes

Winston Maxwell, a partner in Hogan Lovells’ Paris Office prepared this entry. On July 13, 2010 the EU’s Article 29 Data Protection Working Party adopted a report (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_en.pdf ) describing how ISPs and telecom carriers retain traffic data for law enforcement purposes in Europe. The European Data Retention Directive 2006/24/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML) was supposed to harmonize national […]

Posted in International/EU Privacy

Article 29 Working Party Provides Guidance On Data Controller/Processor Concepts

On 16 February 2010, the Article 29 Working Party adopted an opinion on the concepts of data “controller and “processor”, which are crucial for determining who is responsible for compliance with EU data protection rules. The opinion provides a comprehensive analysis as well as practical examples and rules of thumb on how to approach the concepts pragmatically.