Category: Article 29 WP
11. December 2017
The Working Party 29 (WP29), an independent European advisory body on data protection and privacy, has evaluated the Privacy Shield agreement (framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States, see also our report on One year of Privacy Shield).
In its joint review, the WP29 focusses on the assessment of commercial aspects and governmental access to personal data for national security purposes.
Though acknowledging progress, the WP29 still finds unresolved issues on both sides.
It criticizes the lack of guidance and clear information on the principles of the Privacy Shield, especially with regards to onward transfers, the rights of the data subject and remedies.
The US authorities are further requested to clearly distinguish the status of data processors from that of data controllers.
Another important issue to be tackled is the handling of Human Resource (HR) data and the rules governing automated-decision making and profiling.
Also, the process of self-certification for companies requires improvement.
In terms of access by public authorities, the WP 29 concludes that the US government has made effort to become more transparent.
However, some of the main concerns still are to be resolved by May 25th, 2018.
The WP 29 calls for further evidence or legally binding commitments to confirm non-discrimination and the fact that authorities don’t get access on a generalized basis to data transferred to the USA from the EU.
Aside from these matters, an Ombudsperson still needs to be appointed and her/his exact powers need to be specified. According to the WP 29, the existing powers to remedy non-compliance are not sufficient.
In case no remedy is brought to these concerns in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
11. July 2017
The Article 29 Working Party (WP) has released their opinion on data processing at work on the 8th of June 2017. The Opinion is meant as an amendment to the previous released documents on the surveillance of electronic communications (WP 55) and processing personal data in employment context (WP 48). This update should face the fast-changing technologies, the new forms of processing and the fading boundaries between home and work. It not only covers the Data Protection Directive but also the new rules in the General Data Protection Regulation that goes into effect on 25th of May 2018.
Therefore they listed nine different scenarios in the employment context where data processing can lead to a lack in data protection. These scenarios are data processing in the recruitment process and in-employment screening (especially by using social media platforms), using monitoring tools for information and communication technologies (ICT), usage at home/remote, using monitoring for time and attendance, use of video monitoring, use of vehicles by employees, the disclosure of data to third parties and the international transfer of employee data.
The Article 29 WP also pointed out the main risk for the fundamental rights of the employees. New technologies allow the employer tracking over a long time and nearly everywhere in a less visible way. This can result into chilling effects on the rights of employees because they think of a constant supervision.
As a highlight the Article 29 WP gives the following recommendations for dealing with data processing in the employment context:
- only collect the data legitimate for the purpose and only with processing taking place under appropriate conditions,
- consent is highly unlike to be a legal base for data processing, because of the imbalance in power between the employer and the employee,
- track the location of employees only where it is strictly necessary,
- communicate every monitoring to your employees effectively,
- do a proportionality check prior the deployment of any monitoring tool,
- be more concerned with prevention than with detection,
- keep in mind data minimization; only process the data you really need to,
- create privacy spaces for users,
- on cloud uses: Ensure an adequate level of protection on every international transfer of employee data.
22. February 2017
There still exists a European data protection authorities´ concern on the data collection practices in Windows 10. Even though the letter to Microsoft has been sent by the Article 29 Working Party (or WP29), the UK Information Commissioner’s Office (ICO) has expressed its serious worries.
Microsoft was therefore asked to explain in a very clear way the purposes and kinds of personal data, which are under processing, as this is still an issue, which remains unclear.
Last July even France`s CNIL has demanded Microsoft to “halt the excessive collection of data and the tracking of users’ browsing without their consent”, as it accused Microsoft of numerous data protection laws infractions, such as too wide personal data collection under the telemetry programme and tracking tool default activation (intended to the targeted advertising delivery) without consent or user knowledge.
As a response Microsoft has released to the market (in January) a new Windows 10 update – so called “Creators Update”. It includes a dashboard based on web, which allows users to choose the desired data-sharing level.
At the conference in Australia, which took place this Monday, Microsoft has also announced a second major Windows 10 release this year (with the Neon user-interface design elements project).
According to the WP29 though: “Even considering the proposed changes to Windows 10, the Working Party remains concerned about the level of protection of users’ personal data”.
“Microsoft should clearly explain what kinds of personal data are processed for what purposes. Without such information, consent cannot be informed, and therefore, not valid.”
Apart from Windows, the WP29 has also taken Facebook, WhatsApp and Yahoo under its magnifier, which are being suspected of data-protection laws violations.
16. December 2016
Background
On the 22nd November, the Administrative Court of the Hague confirmed the fine imposed by the Dutch DPA to WhatsApp. In 2012, the Dutch DPA investigated WhatsApp because it had not yet appointed a representative in the Netherlands, according to current Dutch Data Protection legislation. As WhatsApp had still not complied with its obligation to appoint a representative in the EU in 2014, it imposed a fine of 10.000€ for each day of non-compliance.
The Dutch DPA remarked that WhatsApp had the obligation to appoint a representative in The Netherlands because it acted as Data Controller, as it was processing personal data of Dutch citizens. When a user searched for a contact in order to send a WhatsApp message to this contact, WhatsApp accessed this information and stored it in its U.S. servers. Therefore, WhatsApp had to be considered as a data controller in terms of the EU Directive on Data Protection and the Dutch Data Protection Act.
Current situation according to the EU Directive
The Dutch Administrative Court based its argumentation on the following key aspects:
- WhatsApp is a controller, as already admitted by the company at oral argument.
- The equipment used by Dutch data subjects, this is the mobile device, is located in Dutch territory. Moreover, according to previous positions of the WP 29 and other EU Courts, mobile devices are also considered as equipment in terms of data processing.
- WhatsApp argued that Dutch Data Protection Act imposes additional requirements than those imposed by the EU Directive, so that a representative appointed by a data controller has also to comply with the Dutch Data Protection Act. However, the Dutch Court clarified that the extension of the responsibility of the Data Controller to the representative aims at filling legal gaps regarding the application of the data protection principles. The Court also specified that an agreement between the data controller and the representative may be needed in these cases, in order to agree on liability issues.
- WhatsApp also argued that it should have been requested to appoint just one representative in the EU, as foreseen in the GDPR. The Dutch Administrative Court pointed out that WhatsApp had no representative in any other EU Member State.
- Finally, WhatsApp alleged that it could not find a party willing to asume this role, but the Court rejected this argument as it has no legal basis.
Will this change with the GDPR?
With the GDPR the requirement to appoint a representative in the EU will change in two ways:
- Also processors will be subject to this obligation
- it will be possible to appoint one single representative for all the EU operations.
Under the GDPR it will be mandatory to appoint a representative for those controllers or processors who are based in a third country and they offer goods or services to data subjects in the EU or if behavior monitoring of these data subjects takes place in the EU.
Moreover, the GDPR distinguishes between the representative and the role of the DPO. The requirements to appoint each of them are different but it may occur that a company is obliged to appoint both, only a representative, or a DPO.
26. October 2016
As Bloomberg reports, the Article 29 WP will provide guidance on the GDPR soon. Isabelle Falque-Pierrotin, Chairwoman of the CNIL as well as of the Article 29 WP, acknowledged that the GDPR text is ambiguous in some aspects. Therefore, these guidelines aim at serving as an operational toolbox.
Amongst others, the guidance to the GDPR shall refer to the following aspects:
- The designation of the leading Supervisory Authority in case of complaints or in relation to other procedures. Moreover, aspects of the bilateral cooperation and competence to resolve disputes by the Supervisory Authorities and the European Data Protection Board shall be clarified.
- Guidance on the figure of Data Protection Officers is one of the priorities of the Article 29 WP, as it will play an essential role in companies on achieving GDPR compliance.
- The right to data portability has been regulated for the first time in the GDPR. This right will allow data subjects to access their data and transfer data to other data controllers, for example upon the change of telephone provider. The guidance should focus on its scope and implementation.
- The standard by which the proof of consent will take place, will have to be specified. This is especially important for small and medium-sized companies, for which a “simple pedagogical tool” will be developed.
- A formal guidance on the Privacy Shield will not take place until the EU Commission has reviewed its functioning after the first year, this is summer or early fall 2017.
At the moment, the Article 29 WP remains neutral with regard to the Brexit. However, Falque-Pierrotin remarked that the Privacy Shield may be also useful in UK regarding international data flows with the U.S.A.
Further guidance is also expected in 2017, especially regarding topics such as the EU-U.S. Privacy Shield and the implication of the Brexit in privacy issues.
6. October 2016
Last month, the CIPL held its second workshop in Paris as part of its two-year GDPR implementation project.
During this workshop almost 120 business delegates as well as 12 data protection authorities, four European Member State governments both the European Commission and the European Data Protection Supervisor, a non-DPA regulator and several academics and on top of all of the named above the IAPP participated in order to develop best practices and to build a bridge between authorities and economy.
This time, the workshop mainly focused both on the role of the data protection officers and on the privacy impact assessment, also called PIA.
In this context it was also announced that the Article 29 Working Party is going to release its first guidelines concerning the GDPR either before the end of the year or at the beginning of 2017. These guidelines will include advise on data portability and the role of the DPO. Furthermore, the Article 29 Working Party will also release guidance on risk, PIAs and certifications later on.
1. September 2016
The concern due to WhatsApp sharing user information with Facebook is rising, especially in Europe.
As the Wall Street Journal reported, European privacy regulators are investigating WhatsApp’s plan to share the information of their users with its parent company Facebook.
The Article 29 Working Party representing the 28 national data protection authorities released a statement at the beginning of this week saying that its members were following “with great vigilance” the upcoming changes to the privacy policy of WhatsApp due to the fact that the new privacy policy allows WhatsApp to share data with Facebook, whereas the privacy policy only gives existing WhatsApp users the right to opt out of part of the data sharing. Therefore, the Article 29 Working Party concluded “What’s at stake is individual control of one’s data when they are combined by internet giants”.
Furthermore,
- the ICO also issued a statement last week raising concerns due to the “lack of control”,
- at the beginning of this week the consumer privacy advocates in the U.S. filed a complaint with the Federal Trade Commission due to the fact that WhatsApp promised that “nothing would change” when Facebook acquired WhatsAPP two years ago and on top of that
- the Electronic Privacy Information Center and the Center for Digital Democracy turned to the Federal Trade Commission in order to get the confirmation that the upcoming changes to the privacy policy can be seen as “marketing practices” that are “unfair and deceptive trade practices”.
5. August 2016
Having in mind that the European Court of Justice declared Privacy Shield’s predecessor, Safe Harbor, invalid, the Head of the Hamburg data protection authority, Prof. Dr. Johannes Caspar, would like to ask the European Court of Justice whether it thinks that the Commission’s decision to strike the data-transfer deal was valid.
Due to the fact that there might be upoming legal changes in Germany Caspar hopes that those will make it possible for the country’s DPAs to challenge adequacy decisions.
An E-Mail was published quoting Caspar saying that “The decision of the EU Commission concerning the Privacy Shield constitutes a new legal ground for data subjects, which is a binding document for all members of the [Article 29 Working Party of data protection authorities],” and going on “On the other hand, I have serious doubts whether this adequacy decision meets the legal requirements of the principle of proportionality and judicial redress in the [CJEU’s] Safe Harbor judgement.” Caspar went on commenting that “It is expected that sooner or later the CJEU will assess whether the access by public U.S. authorities to personal data transferred under the Privacy Shield is limited to what is strictly necessary and proportionate in a democratic society. If there is a legal way to seek reference to the CJEU – and we hope that the national lawmaker will enact a law for national DPAs soon – we will take all appropriate steps for getting a ruling on the validity of the Commission’s decision.”
Due to the fact that the GDPR is a regulation rather than a directive, it does not require transposition into national laws. However, the German government debates about new legislation in order to make German data protection law compliant with the GDPR. However, in July the German government issued a statement saying it is working on the new legislation but not mentioning whether this also includes that DPAs are able to challenge adequacy decisions.
Furthermore, Caspar commented that the Article 29 Working Party’s next opportunity to question the Privacy Shield will come in a year’s time, “if the Shield will still be in force”.
However, not only Caspar shows a sceptical point of view towards the Privacy Shield, Thomas Jansen, a partner with DLA Piper in Munich stated that “Many [European] data protection and privacy experts see a high risk that the Privacy Shield will be invalidated”.
27. July 2016
The Article 29 WP issued on the 26th July a statement about the adopted EU-U.S. Privacy Shield. After its previous opinion on the Privacy Shield (opinion WP 238), the WP 29 welcomes the improvements brought by the final draft, but it remarks that there are still some concerns, already addressed in the Opinion WP 238, that have not been clarified yet.
Regarding commercial aspects, the Privacy Shield does not specifically address issues related to automated decision making or the general right to object. Furthermore, it is not clear the impact that the Privacy Shield shall have on data processors.
A further concern relates to the access to personal data by American public authorities. The WP 29 had expected stricter assurances that the institution of the Ombudsman is independent. Additionally, there are neither enough assurances, that a massive collection of EU citizens’ personal data will not take place.
Despite the lack of clarity in some aspects of this new framework, the WP 29 will wait until the first annual review takes place to assess the effectiveness of the EU-U.S. Privacy Shield. The result of the first annual joint review may also involve considering the effectiveness of Binding Corporate Rules and Standard Contractual Clauses.
