Privacy & Information Security Law Blog

On March 23, 2012, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the European Commission’s data protection law reform proposals, including the draft Regulation that is of particular importance for businesses. The Working Party’s Opinion serves as the national data protection authorities’ contribution to the legislative process before the European Parliament and the European Council.

The Opinion indicates that the Working Party welcomes many aspects of the proposed regulation, including the proposal’s emphasis on:

• the preventative use of privacy controls (e.g., though privacy impact assessments, privacy by design, privacy by default);
• new responsibility and accountability requirements that apply throughout the information life cycle;
• the legal recognition of Binding Corporate Rules (“BCRs”);
• specific security measures for data processors; and
• considering data processors to be data controllers if act outside the scope of the data controller’s instructions.

The Opinion sets forth the Working Party’s position that IP addresses and cookies relate to identifiable persons and should therefore be considered “personal data” in most cases. According to the Working Party, the current wording in Recital 24 of the Regulation appears to create uncertainty as to the circumstances under which IP addresses and cookies qualify as personal data.

The Opinion also provides a number of suggestions for clarifying and improving certain aspects of the Regulation. For example:

• The breach notification obligation should include a two-step process in which an initial, simple notification is made within the proposed 24 hours following discovery of the breach, then a more complete notification is provided when the entity has more information. Also, the breach notification obligation should exclude notifications for minor breaches that are unlikely to adversely affect individuals and would unnecessarily burden the DPAs.
• Derogations to the legal basis for data transfers (e.g., consent) should be narrowed to ensure that they will not be used for massive and frequent data transfers for which there are other, more appropriate data transfer mechanisms available (i.e., model contracts, BCRs, Safe Harbor).
• The right to be forgotten should be narrowed to take into consideration cases in which the data is in the possession of a third party or the data controller no longer exists or cannot be identified, especially in the Internet context.
• The Working Party believes that profiling measures that are viewed “significantly affect[ing]” individuals should include web analyzing tools, tracking for assessing user behavior, the creation of motion profiles by mobile applications, and the creation of personal profiles by social networks.
• Because the exceptions that are aimed at reducing the administrative burdens on SMEs may have an impact on the protection of individuals’ rights, the Working Party advocates using a threshold that takes into account the nature and extent of the processing as a more suitable alternative.
• The Working Party believes that the lack of guidance regarding the timing for the adoption of “delegated” and “implementing” acts by the European Commission may create legal uncertainty.
• The DPAs should have discretionary power to impose fines, particularly in the case of first time violations or small, unintentional breaches.

View a copy of the full Opinion.