Article 29 Working Party

Spoiler Alert: Behavioral advertising companies will find some bad news in the guidance.

The Article 29 Working Party (WP29) advisory group, which will soon become the more transparently-named (and very powerful) European Data Protection Board, is busy drafting and issuing guidance documents to help organizations understand how European data protection authorities will interpret various requirements of the General Data Protection Regulation (GDPR).  WP29 recently issued draft guidance relating to automated decision-making and profiling that will be critical for all organizations that conduct those activities. The draft guidance is open for comments until Nov. 28, 2017.  This post recaps some of the particularly interesting aspects of the draft guidance, which can be found in full here (scroll down to the items just above the “Adopted Guidelines” section).

But first, what counts as automated decision-making under the GDPR? And what is “profiling”?

The Article 29 Working Party (WP29) has released a brief updated statement on the final form of the Privacy Shield adequacy decision and supporting annexes. WP29 is an important advisory group made up of representatives of each of the EU’s national data protection authorities. In a nutshell, WP29 has said that Privacy Shield isn’t perfect, but it will wait until the first annual review to raise specific objections, which gives the Privacy Shield program enough time to get up and running. The WP29 statement promises that, during the first annual review of Privacy Shield, “the national representatives of the WP29 will not only assess if the remaining issues have been solved but also if the safeguards provided under the EU-U.S. Privacy Shield are workable and effective.” WP29 goes on to say that “[t]he results of the first joint review regarding access by U.S. public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses.”

While WP29’s statement has been interpreted by at least one legal news source as a one-year moratorium on Privacy Shield litigation, that seems rather unlikely. The WP29 does not have the legal power to deprive any EU data subject of his or her right to challenge Privacy Shield on human rights grounds, or to materially delay such a challenge. If a national DPA refused to hear a complaint on the basis of the putative WP29 moratorium, the national courts would most likely find against the DPA.

A more modest, and realistic, interpretation of the WP29 opinion would be that the DPAs themselves won’t seek to scupper Privacy Shield during its first year. Instead, they will leave that to Max Schrems and other individuals who remain skeptical of the EU-US privacy deal.

The Article 29 Working Party has released opinions on Privacy Shield and “essential guarantees” under EU law relating to surveillance, here and here.

Please join us in our webinar at 1 pm EDT today to learn more about the Article 29 Working Party’s opinion on Privacy Shield (register here). We will look at the opinion’s likely impact on Privacy Shield’s rocky progress through the EU bureaucracy, as well as on the legal attacks that we expect Privacy Shield will face if and when it is ultimately adopted by the Commission.

UPDATE: The Article 29 Working Party has released surprisingly brief comments on Privacy Shield, available here.  Consistent with the press briefing held earlier today (see below), WP29 has concluded that Privacy Shield falls short without providing specific guidance as to what, exactly, an acceptable version of Privacy Shield would look like.

Earlier today, the Article 29 Working Party (“WP29”) held a press conference to give a preview of its assessment of the proposed EU-US Privacy Shield arrangements that were slated to replace the struck-down Safe Harbor program and bring much-needed certainty to companies that transfer personal data from the EU to the US.

While full comments will be available later today, we know now that WP29 has declined to give Privacy Shield its support. It appears that WP29 has serious concerns about the limitations on the ability of US national security agencies to conduct mass surveillance. WP29 is also skeptical about the rights of redress for EU residents and would prefer that EU residents be able to bring complaints immediately via their local EU data protection authorities. We will cover the WP29 assessment more fully during our webinar on Thursday, April 14. Register here. In the meantime, for those who would like to listen to the press briefing, an audio recording is available here: https://scic.ec.europa.eu/streaming/article-29-working-party

The so-called “Article 29 Working Party” of EU data protection officials from the 28 EU member states today released a much-anticipated press release regarding the landmark decision of the Court of Justice of the European Union (CJEU) invalidating the US-EU Safe Harbor framework.

US companies hoping for some guidance on managing cross-border data transfers will be sorely disappointed.

Regarding the practical consequences of the CJEU judgment, the Working Party considers that it is clear that transfers from the European Union to the United States can no longer be framed on the basis of the European Commission adequacy decision 2000/520/EC (the so-called “Safe Harbour decision”). In any case, transfers that are still taking place under the Safe Harbour decision after the CJEU judgment are unlawful. 

Further, although the statement indicates that the Working Party considers that Model Contracts or binding corporate rules “can still be used,” the group reserves the right to investigate any privacy complaints that arise in relation to any such transfers.   In addition, unless the EU and US authorities agree on a Safe Harbor 2.0 or some other replacement, the statement says that the data protection authorities would consider taking “coordinated enforcement actions” against companies unlawfully transferring data.

The last paragraph of the statement sounds a warning to US businesses:

…in the context of the judgment, businesses should reflect on the eventual risks they take when transferring data and should consider putting in place any legal and technical solutions in a timely manner to mitigate those risks and respect the EU data protection acquis.

In case you missed it, our webinar regarding the CJEU decision and how to navigate a path forward in a world without a Safe Harbor data transfer framework can be accessed here.

Written by Susan Foster, Solicitor England & Wales/Admitted in California

 (LONDON) The Art. 29 Working Party, a key advisory body to the EU Commission, recently proposed draft model clauses to cover the transfer of personal data from EEA data processors to non-EEA sub-processors.

The draft model clauses have the potential to bring greater certainty to the rules applicable to data transfers from a data processor that is located within the EEA to a sub-processor located outside of the EEA.  (The EEA, or European Economic Area, comprises the 28 EU members, plus Norway, Liechtenstein and Iceland.)  While the Art. 29 Working Party does not have authority to put the model clauses into effect, the European Commission routinely considers its advice, so the model clauses are worth a read.

The model clauses run to over fourteen pages of text.   Broadly speaking, the proposed model clauses would create a high level of transparency and accountability across various levels of sub-contracting of data processing.  This is particularly relevant to cloud computing arrangements

On June 24, 2010, the European Union’s body that addresses data protection issues, the so-called Article 29 Working Party, adopted Opinion 2/2010 (the “Opinion”) providing further clarification on the amended e-Privacy Directive (below) as applied to online behavioral advertising. The Working Party also issued a press release on this topic.
