Privacy & Information Security Law Blog

On September 16, 2014, the Article 29 Working Party (the “Working Party”) adopted a Statement on the impact of the development of big data on the protection of individuals with regard to the processing of their personal data in the EU (“Statement”). This two-page Statement sets forth a number of “key messages” by the Working Party on how big data impacts compliance requirements with EU privacy law, with the principal message being that big data does not impact or change basic EU data protection requirements.

On September 22, 2014, the Article 29 Working Party (the “Working Party”) released an Opinion on the Internet of Things (the “Opinion”) that was adopted during the last plenary session of the Working Party in September 2014. With this Opinion, the Working Party intends to draw attention to the privacy and data protection challenges raised by the Internet of Things and to propose recommendations for the stakeholders to comply with the current EU data protection legal framework.

On September 18, 2014, the Article 29 Working Party (the “Working Party”) announced its decision to establish a common approach to the right to be forgotten (the “tool-box”). This tool-box will be used by all EU data protection authorities (“DPAs”) to help address complaints from search engine users whose requests to delete their search result links containing their personal data were refused by the search engines. The development of the tool-box follows the Working Party’s June 2014 meeting discussing the consequences of the European Court of Justice’s judgment in Costeja of May 13, 2014.

The Article 29 Working Party (the “Working Party”) recently released its August 1, 2014 statement providing recommendations on the actions that EU Member States should take in light of the European Court of Justice’s April 8, 2014 ruling invalidating the EU Data Retention Directive (the “Ruling”).

On July 28, 2014, the UK Information Commissioner’s Office (“ICO”) released a comprehensive report on Big Data and Data Protection (the “Report”). This is the first big data guidance prepared by a European data protection authority. The Report describes what is meant by “big data,” the privacy issues big data raises, and how to comply with the UK’s Data Protection Act in the context of big data.

On August 6-10, 2014, the APEC Data Privacy Subgroup (“DPS”) and its parent committee, the Electronic Commerce Steering Group (“ECSG”), met in Beijing, China, for another round of negotiations, meetings and workshops. The Centre for Information Policy Leadership at Hunton & Williams participated as part of the U.S. delegation. The principal focus of the meetings was again on the further implementation of the APEC Cross-Border Privacy Rules (“CBPR”) system and related work relevant to cross-border interoperability. The following is a summary of highlights and outcomes from the meetings:

On July 15, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program covered a number of privacy and data protection topics, including the recent judgment in the Costeja case, the Centre for Information Policy Leadership’s work on a risk-based approach to privacy, the new Canadian anti-spam legislation that went into effect on July 1, and other developments in the U.S. and EU.

On June 26, 2014, the European Commission issued guidelines on the standardization of service level agreements for cloud services providers (the “Guidelines”). In the context of the European Cloud Computing Strategy, launched by the European Commission in September 2012, the Guidelines focus on security and data protection in the cloud. They are based on the understanding that standardization will improve the clarity of service level agreements (“SLAs”) for cloud services in the European Union.

On June 23, 2014, the Article 29 Working Party (the “Working Party”) published its Opinion 7/2014 on the protection of personal data in Québec (the “Opinion”). In this Opinion, the Working Party provides its recommendations to the European Commission on whether the relevant provisions of the Civil Code of Québec and the Québec Act on the Protection of Personal Information in the Private Sector (the “Québec Privacy Act”) ensure an adequate level of protection for international data transfers in accordance with the EU Data Protection Directive 95/46/EC (the “Directive”). Under the Directive, strict conditions apply to personal data transfers to countries outside the European Economic Area that are not considered to provide an adequate level of data protection.

In response to increasing interest in a “risk-based” approach among privacy experts, including policymakers working on the proposed EU General Data Protection Regulation, the Article 29 Working Party (the “Working Party”) published a statement on the role of a risk-based approach in data protection legal frameworks (the “Statement”).

On June 3 and 4, 2014, the Article 29 Working Party held a meeting to discuss the consequences of the European Court of Justice’s May 13, 2014 judgment in Costeja, which is widely described as providing a “right to be forgotten.” Google gave effect to the Costeja decision by posting a web form that enables individuals to request the removal of URLs from the results of Google searches that include that individual’s name. The Working Party announced that it welcomed Google’s initiative, but pointed out that it is “too early to comment on whether the form is entirely satisfactory.” The Working Party also announced that it will prepare guidelines to ensure a common approach to the implementation of Costeja by the national data protection authorities. Finally, the Working Party called on search engine operators to implement user-friendly processes that enable users to exercise their right to deletion of search result links containing their personal data.

On May 30, 2014, Google posted a web form that enables individuals to request the removal of URLs from the results of searches that include that individual’s name. The web form acknowledges that this is Google’s “initial effort” to give effect to the recent and controversial decision of the Court of Justice of the European Union in Costeja, widely described as providing a “right to be forgotten.” That Google has moved quickly to offer individuals a formal removal request process will be viewed favorably, but the practicalities of creating a removals process that satisfies all interested parties will remain challenging, and not just for Google.

On May 14, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program provided a global overview of some of the most debated topics in data protection and privacy, including cross-border data flows, global data breach issues and the EU Cybersecurity Directive. In addition, we highlighted the latest information regarding the GPEN enforcement sweep.

On April 16, 2014, the Article 29 Working Party (the “Working Party”) sent a letter (the “Letter”) to Lilian Mitrou, Chair of the Working Group on Information Exchange and Data Protection (the “DAPIX”) of the Council of the European Union, to support a compromise position on the one-stop-shop mechanism within the proposed EU General Data Protection Regulation (the “Proposed Regulation”).

On April 9, 2014, the Article 29 Working Party (the “Working Party”) issued an Opinion on using the “legitimate interests” ground listed in Article 7 of the EU Data Protection Directive 95/46/EC as the basis for lawful processing of personal data. Citing “legitimate interests” as a ground for data processing requires a balancing test, and it may be relied on only if (1) the data processing is necessary for the legitimate interests of the controller (or third parties), and (2) such interests are not overridden by the interests or fundamental rights and freedoms of the data subject. With the Opinion, the Working Party aims to ensure a common understanding of this concept.

On April 10, 2014, the Article 29 Working Party (the “Working Party”) adopted Opinion 04/2014. The Opinion analyzes the implications of electronic surveillance programs on the right to privacy and provides several recommendations for protecting EU personal data in the surveillance context.

On April 10, 2014, the Article 29 Working Party (the “Working Party”) issued a letter (the “Letter”) to Viviane Reding, Vice-President of the European Commission and Commissioner for Justice, Fundamental Rights and Citizenship, expressing its views on the European Commission’s ongoing revision of the EU-U.S. Safe Harbor Framework.

On March 21, 2014, the Article 29 Working Party (the “Working Party”) issued a Working Document containing draft ad-hoc contractual clauses for transfers of personal data from data processors in the EU to data sub-processors outside the EU (the “Working Document”).

On April 3, 2014, Markus Heyder published an opinion piece on global privacy interoperability in the International Association of Privacy Professionals’ Privacy Perspectives blog, entitled Getting Practical and Thinking Ahead: ‘Interoperability’ is Gaining Momentum. Heyder recently left the Federal Trade Commission to join the Centre for Information Policy Leadership at Hunton & Williams as Vice President and Senior Policy Counselor. During his tenure at the FTC, Heyder spent a significant amount of time working on EU-U.S. Safe Harbor and APEC Cross-Border Privacy Rules (“CBPRs”) issues.

On March 25, 2014, the Article 29 Working Party adopted Opinion 03/2014 (the “Opinion”) providing guidance on whether individuals should be notified in case of a data breach.

The Opinion goes beyond considering the notification obligations contained in the e-Privacy Directive 2002/58/EC, which requires telecommunications service providers to notify the competent national authority of all data breaches. The Directive also requires notification (without undue delay) to the affected individuals when the data breach is likely to adversely affect the personal data or privacy of individuals, unless the service provider has satisfactorily demonstrated that it has implemented appropriate technological safeguards that render the relevant data unintelligible to unauthorized parties and that these measures were applied to the data concerned by the security breach.

On March 18, 2014, Hunton & Williams’ Global Privacy and Cybersecurity practice group hosted the latest webcast in its Hunton Global Privacy Update series. The program focused on some of the recent developments in privacy, including observations from the International Association of Privacy Professionals’ Global Privacy Summit in Washington, D.C., earlier this month, the National Institute of Standards and Technology final Cybersecurity Framework and the Article 29 Working Party’s recent Opinion on Binding Corporate Rules and Cross-Border Privacy Rules.

On March 6, 2014 the Article 29 Working Party (the “Working Party”) published a comprehensive Opinion: Opinion 02/2014 on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross-Border Privacy Rules submitted to APEC CBPR Accountability Agents. This blog post provides an overview of the Opinion.

On February 27, 2014, Chairwoman of the French Data Protection Authority (the “CNIL”) Isabelle Falque-Pierrotin was elected Chairwoman of the Article 29 Working Party effective immediately. Ms. Falque-Pierrotin succeeds Jacob Kohnstamm, Chairman of the Dutch Data Protection Authority, who chaired the Article 29 Working Party for four years. The Working Party also elected two new Vice-Chairs: Wojciech Rafal Wiewiórowski of the Polish Data Protection Authority, and Gérard Lommel of the Luxembourg Data Protection Authority.

On October 2, 2013, the Article 29 Working Party (the “Working Party”) issued a Working Document providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU legal requirements (“Working Document”).

In a recording prepared for the Centre for Information Policy Leadership at Hunton & Williams LLP’s (“Centre’s”) annual retreat, former UK Information Commissioner and Centre Global Strategy Advisor Richard Thomas discussed some of the challenges facing Big Data with respect to the purpose limitation principle set out in Article 6(1)(b) of the current EU Data Protection Directive 95/46/EC. In April 2013, the Article 29 Working Party adopted an Opinion on this topic, focusing on how to apply the purpose limitation principle in the Big Data context. Richard Thomas ...

On June 3, 2013, the French Data Protection Authority (“CNIL”) published an article outlining the importance of binding corporate rules (“BCRs”) for data processors, and describing how to use them.

On May 13, 2013, the Article 29 Working Party (the “Working Party”) adopted an Advice Paper on profiling (the “Advice Paper”). The Advice Paper serves as the national data protection authorities’ contribution to the ongoing legislative debate before the European Parliament and the Council of the European Union on the proposed EU General Data Protection Regulation (the “Proposed Regulation”).

On May 20, 2013, the Estonian Data Protection Inspectorate issued its Annual Report 2012 (the “Report,” summary available in English). The number of inquiries, complaints and supervision proceedings have remained the same over the last few years. The main topics of complaints include employment relations, CCTV, electronic direct marketing and social media. The Inspectorate stated that its primary goal is to stop violations of the law, not to impose sanctions. According to the Report, the Inspectorate issued orders regarding compliance in 48 cases and imposed fines in 39 cases.

On April 22, 2013, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the proposed data protection impact assessment template for smart grid and smart metering systems (“DPIA Template”). Expert Group 2 of the European Commission’s Smart Grid Task Force submitted the DPIA Template to the Working Party following the European Commission’s March 9, 2012 recommendation regarding preparation for the roll-out of smart metering systems.

On April 2, 2013, the Article 29 Working Party (the “Working Party”) adopted an Opinion (the “Opinion”) that elaborates on the purpose limitation principle set out in Article 6(1)(b) of the current EU Data Protection Directive 95/46/EC (the “Data Protection Directive”). The Opinion analyzes the scope of this principle under the Data Protection Directive, clarifies its limits and makes recommendations to strengthen it in the proposed General Data Protection Regulation (the “Proposed Regulation”). It also focuses on how to apply this principle in the context of Big Data and open data.

On March 26, 2013, the Article 29 Working Party issued a press release on the recent developments concerning cooperation between the EU and the Asia-Pacific Economic Cooperation group (“APEC”) on cross-border data transfer rules. A joint EU-APEC committee, which includes the French and German data protection authorities as well as the European Data Protection Supervisor and the European Commission, has been studying similarities and differences between the EU’s binding corporate rules (“BCRs”) framework and APEC Cross-Border Privacy Rules. The committee’s goal is to facilitate data protection compliance in this area for international businesses operating in the EU and the APEC region, including by creating a common frame of reference for both sets of cross-border data transfer rules.

On March 1, 2013, the Irish Presidency published a note to the European Council of Ministers regarding its progress on the European Commission’s proposed General Data Protection Regulation (“Proposed Regulation”). The Note details the Irish Presidency’s work to bring a more risk-based approach to the Proposed Regulation.

On March 20, 2013, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) held legislative deliberations regarding the European Commission’s proposed General Data Protection Regulation (”Proposed Regulation”). The LIBE Committee Chair, Juan Fernando López Aguilar, noted that 2,783 amendments to the Proposed Regulation and 504 amendments to the proposed Police and Criminal Justice Directive (“Proposed Directive”) have been tabled.

On March 15, 2013, European Data Protection Supervisor Peter Hustinx sent a letter to Juan Fernando López Aguilar, Chair of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), with his comments regarding certain aspects of the European Commission’s proposed revised data protection framework. On March 20, 2013, Peter Hustinx was invited to present his comments during a LIBE Committee meeting, together with the President of the Article 29 Working Party, Jacob Kohnstamm.

On February 27, 2013, the Article 29 Working Party (the “Working Party”) adopted an Opinion (the “Opinion”) addressing personal data protection issues related to the development and use of applications on mobile devices. The Opinion identifies the key data protection risks associated with mobile apps and clarifies the legal framework and obligations applicable to the various parties involved in the development and distribution of mobile apps, including app stores, app developers, operating system and device manufacturers and advertisers.

The French Data Protection Authority (the “CNIL”) reports that in late January 2013, representatives of the Article 29 Working Party and the Asia-Pacific Economic Cooperation group (“APEC”) met in Jakarta, Indonesia, to discuss interoperability between EU Binding Corporate Rules and APEC Cross-Border Privacy Rules governing international data transfers. The U.S. Department of Commerce also is participating in the process to develop a roadmap for future progress toward establishing tools companies can use to facilitate true interoperability ...

On February 27, 2013, the Article 29 Working Party (the “Working Party”) issued a statement on the European Commission’s proposed revised data protection framework (“Statement”), including the proposed General Data Protection Regulation (“Proposed Regulation”). The Working Party offered amendments to the Proposed Regulation in the form of two Annexes to the Statement on the topics of competence and lead data protection authority (“DPA”) and the exemption for household or personal activities.

On January 22, 2013, the Article 29 Working Party released Opinion 01/2013 (the “Opinion”) on the implementing acts contained in the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”).

On January 10, 2013, the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), Jan Philipp Albrecht, presented his draft report (the “Report”) on the proposed amendments to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”) to the LIBE Committee.

On December 21, 2012, the Article 29 Working Party issued a press release announcing the launch of Binding Corporate Rules (“BCRs”) for processors effective January 1, 2013. This announcement follows the Article 29 Working Party’s adoption of a Working Document (WP 195) on June 6, 2012, which set forth requirements for BCRs for processors, and an application form for submitting BCRs for processors issued on September 17, 2012.

On December 19, 2012, the European Commission announced its formal recognition of personal data protection in New Zealand. The European Commission approved New Zealand’s status as a country that provides “adequate protection”  of personal data under the European Data Protection Directive 95/46/EC. This determination means that personal information from Europe may flow freely to New Zealand.  Although the law in New Zealand has been modernized over the years, it is not new.  New Zealand will be celebrating the 25th anniversary of its data protection law in 2013. Furthermore, New Zealand has been very active in the development of international standards at the OECD and APEC, and has participated in initiatives such as the Global Accountability Project. New Zealand’s request to be deemed adequate has been pending for several years. This determination follows the positive Opinion of the Article 29 Working Party issued on April 4, 2011, concerning the level of protection under New Zealand’s law.

On November 20, 2012, the European Network and Information Security Agency (“ENISA”) published a new report entitled “The Right to Be Forgotten – Between Expectations and Practice.” The report complements two earlier papers which focused on data collection and storage and online behavioral advertising, and focuses on the technical implications of the proposed General Data Protection Regulation’s new right to be forgotten.

On November 27, 2012, the International Chamber of Commerce of the United Kingdom (“ICC UK”) released the second edition of its cookie guidance (the “Guidance”). The ICC UK released the first edition of the Guidance in April of this year, and has produced this latest version to take into account updated guidance released by the UK Information Commissioner’s Office (“ICO”), the Article 29 Working Party Opinion 04/2012 on cookie consent exemption and new UK advertising rules on online behavioral advertising.

This year, the International Conference of Data Protection and Privacy Commissioners takes place in Punta del Este, Uruguay. On October 22, 2012, Article 29 Working Party President Jacob Kohnstamm kicked off the conference with the Public Voice session, sending a clear message that the Article 29 Working Party will resist EU data protection reform proposals involving the use of consent and legitimate business interests as legal bases for data processing.

Governance for next generation data applications increasingly will depend less on individual consent, and more on ...

In the opening session of the 34th International Conference of Data Protection and Privacy Commissioners, Conference Executive Committee Chair and Article 29 Working Party President Jacob Kohnstamm introduced this year’s conference. He noted that the topic of this year’s closed session will be profiling. Kohnstamm also indicated that future DPA conferences would focus on the closed session, which typically is comprised of current and former data protection authorities. Among the speakers in the 2012 closed session is Professor Fred H. Cate, Senior Policy Advisor for the Centre for Information Policy Leadership at Hunton & Williams LLP.

On October 5, 2012, the Article 29 Working Party (the “Working Party”) issued an Opinion providing further input on the recent data protection reform discussions in the EU. The Opinion follows the Working Party’s first Opinion on the EU data protection reform proposals issued on March 23, 2012.

On September 27, 2012, the European Commission presented its new strategy on cloud computing, entitled “Unleashing the Potential of Cloud Computing in Europe.” The Commission’s strategy is outlined on a new webpage that includes a communication document and a more detailed staff working paper.

On July, 19, 2012, the Article 29 Working Party (the “Working Party”) issued an Opinion finding that the Principality of Monaco ensures an “adequate level of protection” for personal data within the meaning of the European Data Protection Directive (Article 25 of Directive 95/46/EC) (the “Directive”). Under the Directive, strict conditions apply to personal data transfers to countries outside the European Economic Area that are not considered to provide an “adequate” level of data protection.

On August 21, 2012, the European Commission formally approved Uruguay’s status as a country providing “adequate protection” for personal data within the meaning of the European Data Protection Directive (Article 25(6) of Directive 95/46/EC). This follows the Article 29 Working Party’s earlier favorable Opinion issued in 2010, and takes into account certain interpretative assurances and clarifications provided by Uruguay. Accordingly, transfers of personal data from the EU to Uruguay may now take place without additional intergovernmental guarantees and in accordance with applicable data protection provisions.

On July 26, 2012, acting U.S. Secretary of Commerce Rebecca Blank announced that APEC’s Joint Oversight Panel has approved the United States’ request to participate in the APEC Cross-Border Privacy Rules System. The panel also approved the Federal Trade Commission’s participation as the system’s first privacy enforcement authority. The next step will be for the United States to nominate one or more accountability agents for the panel’s approval. Accordingly, the Department of Commerce will publish a Federal Register Notice in the coming days to provide guidance on how potential accountability agents may seek recognition. Once a U.S. accountability agent has been approved, American companies will be able to submit their cross-border privacy rules to be recognized as meeting the APEC standard.

On July 12, 2012, the National Telecommunications and Information Administration (“NTIA”) of the U.S. Department of Commerce initiated a multistakeholder process to develop guidance for transparency in the mobile environment. The NTIA has announced that they will schedule a second meeting in August, and encouraged small group discussions in the interim. This is not the first multistakeholder process to wrestle with transparency in the mobile environment, and those previous efforts – which date back almost a decade – may prove useful to such discussions.

On July 1, 2012, the Article 29 Working Party (the “Working Party”) adopted WP196 (the “Opinion”) setting out an analysis of the legal framework associated with cloud computing, as well as recommendations directed at both data controllers and data processors in the European Economic Area (the “EEA”). The Opinion identifies two data protection risks associated with the deployment of cloud computing services, namely: (1) lack of control over the data and (2) lack of information on data processing. Cloud computing and the range and geographical dispersion of the various parties involved also have raised significant uncertainty in terms of applicable law, which the Working Party previously analyzed in its Opinion 8/2010. Below is an overview of the different topics covered in the Opinion issued on July 1.

On June 6, 2012, the Article 29 Working Party (the “Working Party”) adopted WP 195 (the “Opinion”) setting out the requirements for Binding Corporate Rules (“BCRs”) for processors. Similar to WP 153, the Opinion lists the requirements to be covered in the processor BCRs application form and the BCRs document itself. The Opinion likely will be welcomed by processors, in particular those that provide large-scale, multinational data processing services.

On May 3, 2012, Viviane Reding, Justice Commissioner and European Commission Vice-President, delivered a speech during the European data protection authorities’ (“DPAs’”) Spring Conference, which was held in closed sessions in Luxembourg. In her speech, Commissioner Reding discussed how the proposed EU Data Protection Regulation aimed to empower the DPAs and addressed some of the DPAs’ primary concerns with the reform.

On March 22, 2012, the Article 29 Working Party (the “Working Party”), adopted an Opinion analyzing the privacy and data protection law framework applicable to the use of facial recognition technology in online and mobile services, such as social networks and smartphones. The Working Party defines facial recognition as the “automatic processing of digital images which contain the faces of individuals for the purpose of identification, authentication/verification or categorization of those individuals.”

On March 23, 2012, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the European Commission’s data protection law reform proposals, including the draft Regulation that is of particular importance for businesses. The Working Party’s Opinion serves as the national data protection authorities’ contribution to the legislative process before the European Parliament and the European Council.

On March 22, 2012, the 83rd Conference of the German Data Protection Commissioners came to an end in Potsdam. The attendees indicated their general support for the European Commission’s proposed reform package aimed at modernizing and harmonizing data protection laws in the EU, but insist that Member States should have the authority to implement more stringent data protection measures for the area of public administration.

Join us at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit in Washington, D.C., March 7-9, 2012. Hunton & Williams privacy professionals will be featured speakers in the following sessions:

• Mending Fences after a Breach Thursday, March 8, 12:15 p.m. Speakers include: Lisa J. Sotto, partner and head of the Global Privacy and Data Security practice, Hunton & Williams LLP; Susan Grant, Director of Consumer Protection, Consumer Federation of America; and Joanne B. McNabb, Chief, California Office of Privacy Protection.

The American Bar Association’s (“ABA’s”) House of Delegates adopted a non-binding resolution urging courts to consider foreign data protection and privacy laws when resolving discovery issues. The full text of the resolution is as follows:

“RESOLVED, That the American Bar Association urges that, where possible in the context of the proceedings before them, U.S. federal, state, territorial, tribal and local courts consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign, and the interests of any person who is subject to or benefits from such laws, with regard to data sought in discovery in civil litigation.”

On January 25, 2012, the Article 29 Working Party (the “Working Party”) issued a Working Document providing guidance on data protection issues relating to the European Patients Smart Open Services (“epSOS”) project. epSOS is a pilot project focused on developing an information and communications technology infrastructure that enables access to patient health information (i.e., Patient Summaries) among different EU Member States for the purpose of providing medical treatment. The project also aims to facilitate the cross-border use of electronic prescriptions (i.e., ePrescriptions). epSOS involves the collaboration of a significant number of health care provider organizations and companies that contribute their knowledge and expertise to the project.

As reported in BNA’s Privacy Law Watch, EU Member States are working on an overarching privacy framework agreement with the United States. The framework agreement, which may be used as a starting point for future negotiations, aims to reduce the amount of time and resources required to prepare new agreements between the European Union and the United States.

On January 25, 2012, the European Commission published its long-awaited legislative package to reform EU data protection rules. The package includes a regulation that covers data processing in the private sector and by public authorities and a directive covering data processing for criminal justice purposes, as well as a communication, a report on the protection of personal data processed in the framework of police and judicial cooperation, and an impact assessment with a summary.

On December 8, 2011, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the European Advertising Standards Alliance (“EASA”) and IAB Europe best practice recommendations for the online behavioral advertising (“OBA”) industry to comply with Article 5.3 of the revised e-Privacy Directive 2002/58/EC (the “cookie clause”). The cookie clause requires a user’s informed consent for the use of cookies and similar technologies that store and access information in the user’s terminal device. Finding practical ways of complying with the cookie clause has proven challenging for the OBA industry, which relies heavily on these kinds of tracking mechanisms.

In early December 2011, drafts of two legal instruments prepared by DG Justice of the European Commission to reform the EU data protection framework entered interservice consultation. This process will give other Directorates-General of the Commission the opportunity to comment on the drafts before they are formally released as legislative proposals; accordingly, changes to the drafts are likely. Following this comment period, the drafts will enter the EU legislative process, which is likely to take at least two to three years before they become law. It is believed that Justice Commissioner and Commission Vice-President Viviane Reding will formally announce final versions of the drafts at an appearance at the World Economic Forum in late January 2012.

On November 2-3, 2011, Mexico’s Federal Institute for Access to Information and Data Protection (“IFAI”) will host the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City. Marty Abrams, President of the Centre for Information Policy Leadership at Hunton & Williams LLP, is the chairman of the Conference’s advisory panel and principal advisor to Conference organizers on program content. Hunton & Williams is a proud sponsor of the event which will feature Hunton representatives as speakers or moderators on multiple panels and plenary sessions, including the following:

On September 14, 2011, the Article 29 Working Party (the “Working Party”) met with representatives of the European Advertising Standards Alliance (“EASA”) and IAB Europe, to discuss the industry’s new self-regulatory code of conduct for online behavioral advertising (the “Code”), which was released on April 14, 2011.

On July 13, 2011, the Belgian Privacy Commission (the “Belgian DPA”) signed a Protocol with the Ministry of Justice which significantly simplifies the authorization procedure for binding corporate rules (“BCRs”) under Belgian law.  The Protocol was just made public on the Belgian DPA's website. 

On July 13, 2011, the Article 29 Working Party (the “Working Party”), adopted an Opinion on the concept of consent as a legal basis for processing personal data, which includes recommendations for improving the concept in the context of the ongoing review of the EU data protection framework.  The Opinion also analyzes the conditions for valid consent under EU data protection law (that consent must be “freely given,” “specific,” “unambiguous,” “explicit,” “informed,” etc.), and clarifies the obligations of data controllers seeking consent.  In addition, the Opinion provides examples of valid and invalid consent with respect to company social media, medical research, body scanners, PNR data and online gaming.

Recent developments involving the use of facial recognition technology have raised privacy concerns in the United States, Europe and Canada.  As we reported earlier this month, the Electronic Privacy Information Center (“EPIC”) and several other consumer privacy advocacy groups filed a complaint with the Federal Trade Commission against Facebook for its use of facial recognition technology.  According to EPIC’s complaint, Facebook’s Tag Suggestions feature recognizes individuals’ faces based on photographs already on Facebook, then suggests that users “confirm Facebook’s identification of facial images in user photos” when they upload new photos to their Facebook profiles.

On June 13, 2011, the Polish Data Protection Authority (Generalny Inspektor Ochrony Danych Osbowych or “GIODO”) hosted a conference in Warsaw on the use of binding corporate rules (“BCRs”) for international data transfers.  The conference was notable as the first on this topic in Poland, and was designed to introduce BCRs to a Polish audience and to promote their use.  The audience of approximately 70 people heard presentations by the Polish Inspector General for Data Protection, Wojciech Rafał Wiewiórowski, as well as representatives of the Belgian, French, Polish ...

On May 16, 2011, the Article 29 Working Party (the “Working Party”) adopted an Opinion on geolocation services on smart mobile devices (the “Opinion”).  The Opinion clarifies the legal framework and obligations applicable to geolocation services such as maps and navigation tools, geo-personalized services, geotagging of content on the Internet, child control and location-based advertising.

On April 18, 2011, the European Commission (the “Commission”) adopted an Evaluation Report on the EU Data Retention Directive 2006/24/EC (the “Data Retention Directive”).

The Data Retention Directive requires that, for law enforcement purposes, telecommunications service and network providers (“Operators”) must retain certain categories of telecommunications data (excluding the content of the communication) for not less than six months and not more than two years.  To date, most of the EU Member States have implemented the Data Retention Directive, but Czech Republic, Germany and Romania no longer have implementing laws in place because their constitutional courts have annulled the implementing laws as unconstitutional.

On April 4, 2011, the Article 29 Working Party (the “Working Party”) issued an Opinion to clarify the legal framework applicable to smart metering technology in the energy sector (the “Opinion”).

Smart meters are digital meters that record energy consumption and enable two-way remote communication with the wider network for purposes such as monitoring and billing, and to forecast energy demand.  Smart meters are intended to allow the industry to better regulate energy supply, and to help individuals reduce consumption.  According to the Working Party, however, the analysis and exchange of smart metering information has the potential to be privacy-invasive.

On April 5, 2011, the Article 29 Working Party (the “Working Party”) adopted an Opinion on the current EU personal data breach framework and recommendations for future policy developments (the “Opinion”).

In 2009, the revised e-Privacy Directive 2002/58/EC (the “e-Privacy Directive”) introduced a mandatory data breach notification regime for the telecommunications sector.  Pursuant to the e-Privacy Directive, telecommunications and internet service providers are required to report certain data breaches to their national regulator and to affected individuals.

On April 4, 2011, the Article 29 Working Party (the “Working Party”) issued an Opinion finding that New Zealand ensures an adequate level of data protection within the meaning of the EU Data Protection Directive 95/46/EC (the “Data Protection Directive”).  The Working Party’s assessment in the Opinion focuses on the New Zealand Privacy Act 1993 and is based primarily on a comparison of the Act and relevant case law, against the provisions of the Data Protection Directive.

On April 6, 2011, the European Commission (“the Commission”) signed a voluntary agreement with private and public stakeholders to establish data protection guidelines for companies that use radio frequency identification device (“RFID”) technology within Europe.

The agreement, entitled “Privacy and Data Protection Impact Assessment Framework for RFID Applications” (the “Framework”) requires companies to conduct privacy impact assessments for all RFID applications they implement and to take measures to address identified data protection risks before those applications are deployed in the market.  Reports of the completed privacy impact assessments must be made available to the national data protection authorities.  The Framework, which was designed in close cooperation with the European Network and Information Security Agency after consultation with the Article 29 Working Party, provides the first clear, comprehensive methodology that can be applied across all industry sectors to assess and mitigate RFID-related privacy risks.  It is intended both to assure companies that their use of RFID technology is compatible with European data protection legislation, and to enhance privacy protections for European citizens and consumers.

The Council of the European Union (the “Council”) released its conclusions following meetings held on February 24 and 25, 2011, regarding the European Commission’s November 4, 2010 Communication proposing “a comprehensive approach on personal data protection in the European Union” which we reported on last November.

Reporting from Israel, legal consultant Dr. Omer Tene writes:

On January 31, 2011, the European Commission formally approved Israel’s status as a country providing “adequate protection” for personal data under the European Data Protection Directive.  The decision is restricted to automated international data transfers from the EU, as well as to non-automated data transfers that are subject to further automated processing in Israel.  It will allow unrestricted transfers of personal data from the EU to Israel, for example between corporate affiliates or from European companies to data centers in Israel.

Early this week, the Article 29 Working Party issued its December 16, 2010 Opinion on applicable law, providing guidance on the scope of EU data protection law and the practical implications of Article 4 of the EU Data Protection Directive (95/46/EC, the “Directive”).

The purpose of the Working Party’s Opinion 8/2010 (the “Opinion”) is twofold.  First, it intends to clarify the current scope of EU data protection law with regard to the processing of personal data within and outside the European Economic Area (the “EEA”).  The clarifications by the Working Party are aimed at enhancing legal certainty for data controllers, providing a clearer framework for individuals and stakeholders and avoiding legal loopholes and potential conflicts between overlapping national data protection laws.  Throughout the Opinion, practical examples are used to demonstrate the clarifications, such as in the context of centralized HR databases, geolocation services, cloud computing and online social networks.  Furthermore, in light of the general revision of the EU data protection framework, the Opinion includes suggestions to improve the existing applicable law provisions in the EU Data Protection Directive.

On December 1, 2010, the European Parliament hosted a Privacy Platform on the European Commission’s recent Communication proposing “a comprehensive approach on personal data protection in the European Union,” which is aimed at modernizing the current EU data protection framework.

The panel, hosted by European Parliament Member Sophie in ‘t Veld, included:

• The Head of Cabinet of the European Commission’s Commissioner for Justice, Fundamental Rights and Citizenship, Martin Selmayr (in Commissioner Viviane Reding’s absence);
• The Chairman of the Article 29 Working Party, Jacob Kohnstamm; and
• The European Data Protection Supervisor, Peter Hustinx.

The Platform was very well attended, bringing together a wide range of stakeholders from both the public and private sectors.

On November 25, 2010, the Council of Europe’s Committee of Ministers adopted a recommendation (the “Recommendation”) on the protection of individuals with regard to the automatic processing of personal data in the context of profiling.  View the press release.

The Recommendation is designed to set up safeguards for profiling activities by applying the principles established in Convention 108 to the challenges raised by profiling and by defining new principles.  It defines profiling as “an automatic data processing technique that consists of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.”  The term ‘profile’ refers to a set of data characterizing a group of individuals which is intended to be applied to an individual.  Interestingly, Members States may decide to exclude the public sector under certain conditions.

On November 4, 2010, the European Commission (the “Commission”) released a draft version of its Communication proposing “a comprehensive approach on personal data protection in the European Union” (the “Communication”) with a view to modernizing the EU legal system for the protection of personal data.  The Communication is the result of the Commission’s review of the current legal framework (i.e., Directive 95/46/EC), which started with a high-level conference in Brussels in May 2009, followed by a public consultation and additional targeted stakeholders’ consultations throughout 2010.  Although the Commission considers the core principles of the Directive to still be valid, the Communication equally acknowledges that the existing legal framework for data protection in the European Union is no longer able to meet the challenges of rapid technological developments and globalization.

On October 11, 2010, the French Data Protection Authority (the “CNIL”) released guidance (the “Guidance”) on data protection issues related to the outsourcing of data processing activities to non-EU countries (Les questions posées pour la protection des données personnelles par l’externalisation hors de l’Union européenne des traitements informatiques).

The Guidance was prepared following interviews held in 2009 by the CNIL’s international affairs department with consultancy groups, law firms advising on outsourcing deals, and companies actively engaged in offshore activities.  The interviews were conducted to provide the CNIL with insight regarding the impact of data protection requirements on outsourcing activities.  The Guidance is part of a broader analysis of the concepts of data controller and data processor carried out by the Article 29 Working Party (see the Working Party’s Opinion on the concepts of controller and processor).

On October 15, 2010, the Article 29 Working Party published an Opinion finding that Uruguay ensures an adequate level of protection within the meaning of the European Data Protection Directive (Article 25(6) of Directive 95/46/EC).

This Opinion was issued pursuant to an official request Uruguay filed with the European Commission in October 2008.  While the Article 29 Working Party’s Opinion is an important step toward adequacy, the European Commission must now make a formal decision that the Uruguayan legal framework provides an adequate level of data protection under EU data protection law.  The European Commission will take the Article 29 Working Party’s Opinion into account when determining whether to issue an “adequacy decision” in the coming months.  As recently illustrated by the adequacy procedure for Israel, this process may prove to be difficult.

On behalf of a group of interested parties (the “Group”), Hunton & Williams and Acxiom submitted a response to the UK Ministry of Justice’s (“MoJ”) recent Call for Evidence on the effectiveness of current data protection legislation in the UK.  The Group is comprised of representatives from more than 40 organizations, including Barclays Bank, Dell, Fujitsu and GE Capital, all of which are committed to using personal data responsibly.  Hunton & Williams and Acxiom, a global leader in interactive marketing services, with the attendance of the Group, worked together over the last two months to host two discussion meetings, and produced a submission summarizing the Group’s views.

On July 14, 2010, the Article 29 Working Party issued a press release regarding its findings on the implementation of the European Data Retention Directive (Directive 2006/24/EC).  The findings, compiled in a report to be contributed to the European Commission’s forthcoming evaluation of the Directive, indicate that the obligation to retain all telecom and Internet traffic data is not being applied correctly or uniformly across the EU Member States.  Specifically, the Working Party’s press release states that service providers retain and share data in ways contrary to the Directive.  The Working Party further noted that Member States’ reluctance to provide statistics on the use of retained data limits the ability to verify the value of data retention practices.

On July 7, 2010, the German Federal Office for Information Security, the Bundesamt für Sicherheit in der Informationstechnik (“BSI”), published a basic paper on data security and data protection for radio-frequency identification (“RFID”) applications.  The paper, Technical Guidelines RFID as Templates for the PIA-Framework, describes how to use RFID in compliance with data protection requirements, and explains the relationship between the BSI’s technical guidelines for the secure use of RFIDs and the European Commission’s Privacy Impact Assessment (“PIA”) Framework.

On July 19, 2010, the Article 29 Working Party published a new set of frequently asked questions aimed at addressing some of the issues raised by the European Commission’s new Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries (2010/87/EU).  Among other things, the FAQs address the scope of the new model clauses and whether they can be used for intra-EEA data transfers.  The FAQs also clarify certain issues related to sub-processing.

The European Union’s Article 29 Working Party adopted a detailed recommendation on accountability which was submitted to the European Commission on July 13, 2010.  Opinion 3/2010 elaborates on the Working Party’s 2009 recommendation to include a new principle on accountability in the revised EU Data Protection Directive.  The Opinion’s executive summary states:

“EU data protection principles and obligations are often insufficiently reflected in concrete internal measures and practices.  Unless data protection becomes part of the shared values and practices of an organization, and responsibilities for it are expressly assigned, effective compliance will be at considerable risk, and data mishaps are likely to continue.

…this Opinion puts forward a concrete proposal for a principle on accountability which would require data controllers to put in place appropriate and effective measures to ensure that principles and obligations set out in the Directive are complied with, and to demonstrate so to supervisory authorities upon request.”

On July 6, 2010, the Irish government formally objected to the adequacy procedure initiated by the European Commission that would have allowed the free flow of European personal data to Israel, over concerns of the possible use of the information by Israeli officials.  This political move follows recent revelations regarding forgery of European passports, including several from Ireland, and their alleged use by Israel’s intelligence services.

On June 24, 2010, the Article 29 Working Party adopted Opinion 2/2010 (the “Opinion”) providing further clarification on online behavioral advertising.  The Working Party also issued a press release on this topic.  Although the scope of the Opinion is limited to online profiling, its interpretation of Article 5(3) of the amended e-Privacy Directive provides some useful clarifications regarding the legal framework applicable to online behavioral advertising and the use of cookies.  We provide a short analysis of the Opinion below.

Opt-in?  Browser setting as opt-in?  Opt-out?  The Opinion clarifies the Working Party’s interpretation of the new Article 5(3) and Recital 66 of the e-Privacy Directive.  According to the Working Party, Article 5(3) and Recital 66, along with the General Data Protection Directive (“Directive 95/46/EC”), require prior opt-in consent since “prior opt-in consent mechanisms are better suited to deliver informed consent.”

On June 17, 2010, the French data protection authority (the “CNIL”) published its Annual Activity Report for 2009 (the “Report”) in which it outlines some of its priorities for the upcoming year.

In February 2009, the CNIL published a report on online targeted advertising. Among other things, the CNIL voiced its concern regarding online behavioral and advertising activities and analyzed the risks of increasing user profiling.  In 2010, the CNIL is expected to issue a joint opinion with the Article 29 Working Party on targeted advertising and behavioral analysis.  The CNIL also will open a dialogue with several stakeholders from the marketing sector to work on adopting a code of best practices.

In a letter to the U.S. Federal Trade Commission dated May 26, 2010, the Article 29 Working Party expressed concerns regarding the retention and anonymization policies of Google, Yahoo! and Microsoft.  Specifically, the Working Party requested that the FTC examine the compatibility of the three search engine providers’ actions with provisions of Section 5 of the FTC Act which prohibits unfair or deceptive trade practices.

On February 16, 2010, the Article 29 Working Party adopted Opinion 1/2010 (the “Opinion”) providing further clarification and guidance on the interpretation of the concepts of “data controller” and “data processor” in the context of the EU’s Data Protection Directive 95/46/EC.

On January 5, 2010, the Article 29 Working Party published an opinion dated December 1, 2009, finding that Israeli data protection law largely provides an "adequate level of data protection" under the European Union Data Protection Directive 95/46.  The European Commission will now take this opinion into account when determining whether to issue an "adequacy decision" for Israel in the coming months.  Such a decision would provide that data transfers to Israel from the EU are adequately protected for purposes of compliance with the Directive ...

On December 1, 2009, the Article 29 Working Party adopted a contribution (the “Contribution”) to the Consultation of the European Commission on the legal framework for the fundamental right to the protection of personal data (the “Consultation”).  The Consultation was launched on July 9, 2009, to explore the challenges to personal data protection presented by new technologies and globalization.  The Consultation was also motivated by the recent adoption by the EU of the Lisbon Treaty, which will necessitate a reworking of structure of the EU legal framework for data protection.  The Contribution’s thoughtful examination of several important data protection issues makes it one of the most significant documents that the Working Party has issued in recent years.

Every year since 2005, the United States, the European Commission and the Article 29 Working Party on Data Protection meet to review the latest developments in the U.S.-EU Safe Harbor Framework, as well as changes in privacy compliance, information security and data protection.  This year’s  International Conference on Cross Border Data Flows, Data Protection and Privacy occurs November 16 - 18 and features leading experts who will examine these issues and others, as well as changes made to the approval process for binding corporate rules.  Join our privacy professionals, Martin ...

On September 23, 2009, the Information Commissioner's Office (the "ICO"), the UK's data protection regulator, issued a press release announcing the approval of the Hyatt Hotels Corporation's binding corporate rules ("BCR") under the new mutual recognition procedure. Hyatt is the first UK applicant to receive approval under the mutual recognition procedure.

Mutual recognition was devised to speed up the process of BCR approval by EU Data Protection Authorities ("DPAs"). Under "mutual recognition," one EU Member State's DPA acts as the lead authority on a company's BCR application. Once approved by the lead authority, the other participating members of the procedure automatically approve the BCR application.

In a closely-watched case, the U.S. District Court for the Western District of Washington recently held that Internet Protocol (“IP”) addresses do not constitute personally identifiable information (“PII”). The plaintiffs in Johnson v. Microsoft Corp. brought a class action suit against Microsoft claiming that the collection of consumer IP addresses during the Windows XP installation process violated the XP End User License Agreement. The Agreement stated that Microsoft would not collect PII without the user’s consent. The plaintiffs referenced Microsoft’s own online glossary to support their claim that IP addresses should be considered PII. The glossary defined “personally identifiable information” as “[a]ny information relating to an identified or identifiable individual. Such information may include…IP address.” In granting summary judgment in favor of Microsoft, U.S. District Court Judge Richard Jones found that “[i]n order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.”