On 10 April 2018, the Article 29 Working Party (WP29) published revised guidelines on consent under the General Data Protection Regulation (GDPR). Consent is one of the six GDPR bases for the lawful processing of personal data.

Technology Law Dispatch looked at the WP29’s draft guidelines on consent earlier this year. This article examines the differences between the draft and final guidelines.

Conditions for valid consent – freely given

Under the GDPR, consent must be freely given, specific, informed and unambiguous. Where a controller wants to process personal data for additional purposes other than the provision of a requested service, individuals should be given the option to separately consent to or reject such processing.

WP29 states that consent will not be freely given where a controller argues that a choice exists between: (1) its service that includes processing for additional purposes; and (2) an equivalent service offered by a different controller.

WP29 states that an individual’s freedom of choice is dependent on: (1) the practices of market competitors; and (2) whether a data subject finds other controllers’ services to be genuinely equivalent. Such an approach would imply an obligation for controllers to monitor market developments to ensure continued validity of consent for their processing activities, as competitors could always alter their services. This would not be a realistic or pragmatic approach, and WP29 has now rejected it.

The Article 29 Working Party (WP29) adopted, on 11 April 2018, finalized guidelines on transparency (the Guidelines) under the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), following its public consultation.

Technology Law Dispatch looked at the draft guidance on transparency earlier this year, so this blog focuses on the key issues and what is new in the final guidelines.

Information being “intelligible”

The updated guidelines link the requirement for information to be intelligible with the use of plain and clear language and with accountability. The guidelines now state that an “accountable data controller will have knowledge about the people they collect information about and it can use this knowledge to determine what that audience would likely understand.” This includes, for example, assuming working professionals have a higher understanding of certain issues than children or non-specialists. In other words, the data controller is expected to customize its notices and information as appropriate to the applicable audience. The final guidelines also suggest mechanisms by which controllers can test their interfaces, notices and policies for intelligibility and transparency – including the use of industry groups, consumer advocacy groups, readability tests and regulatory bodies.

The Article 29 Working Party (WP29) published a consultation on guidelines for the accreditation of certification bodies under the General Data Protection Regulation (GDPR), which closed at the end of March.

The consultation guidelines would require a certification body under the GDPR to be accredited by either the competent supervisory authority or the national accreditation body, or both. The guidelines aim to establish a harmonised baseline for certification.

General overview

In brief, the guidelines:

  • set out the purpose of accreditation and include a list of definitions;
  • explain routes to accredit certification bodies;
  • give a framework for additional accreditation requirements, when accreditation is handled on the national level;
  • stress they are not a procedural manual, or a new technical standard;
  • highlight that the final form document will include an annex outlining a framework for identifying accreditation criteria.

The Article 29 Working Party (WP29) discussed a number of important issues during its April plenary meeting on 17 April 2018. In its summary press release, the WP29 gave an update on the issues it discussed.

Implementation of the General Data Protection Regulation (GDPR) and adopted guidelines

WP29 formally adopted guidelines on consent and transparency following a public consultation of six weeks. WP29 additionally formally adopted revised Binding Corporate Rules application forms, an updated working document on the Binding Corporate Rules approval procedure and revised guidelines on the GDPR urgency procedure.

WP29 also highlighted that it had adopted a position paper on GDPR Article 30(5). GDPR Article 30(5) generally exempts organisations employing fewer than 250 people from having to keep records of personal data processing.

WP29 further stated that it will continue working on guidelines about GDPR certification, territorial scope and codes of conduct.

It was also stated that WP29 has been granted a mandate to develop guidance in relation to GDPR Article 6(1)(b) in the context of the provision of ‘free’ online services. GDPR Article 6(1)(b) enables organisations to process personal data where such processing is necessary for the performance of a contract to which a data subject is party.

WP29 also discussed the European Data Protection Board and how its rules of procedure, budget, technical set-up and meetings timetable in 2019 will be structured.

On 23 February 2018, the Article 29 Working Party (WP29) sent a letter to Alban Schmutz, President of Cloud Infrastructure Services Providers in Europe (CISPE), in response to the organisation’s submission of a draft Code of Conduct for Cloud Infrastructure Service Providers.

In conducting its review, the aim of WP29 was to ensure that the draft Code would enable individuals to feel confident that their chosen cloud infrastructure services are compliant with the Data Protection Directive (Directive 95/46/EC) (the ‘Directive’) and the General Data Protection Regulation ((EU) 2016/679) (GDPR). It should be noted that the GDPR recommendations made by WP29 are non-binding for now, with a final assessment of the Code to be made once the GDPR is implemented on 25 May 2018.

In the annexes to the letter, a series of general and specific remarks are made to assist CISPE in re-evaluating and redrafting the Code.

The Article 29 Working Party (“WP29”) recently published an opinion on data processing at work (“Opinion”).

The Opinion restates the position and conclusions in WP29’s 2001 Opinion on processing personal data in the employment context (WP48), and its 2002 WP55 Working Document on the surveillance of electronic communications in the workplace. However, it addresses the need for a new assessment of the balance between legitimate interests of employers and the reasonable privacy expectations of employees, because of risks posed by advancements in modern technologies since the other documents were published.

The Opinion is primarily concerned with the Data Protection Directive 95/46/EC (“DPD”), so employers should continue to take account of the fundamental principles of the DPD when processing personal data in an employment context. Technological developments and new methods of processing have not changed this position.

The Opinion also looks towards the “new” obligations placed on all controllers, including employers, under the General Data Protection Regulation 2016/679 (“GDPR”) – including data protection by design, the need to carry out Data Protection Impact Assessments for high-risk processing, and any specific national rules that are introduced pursuant to Article 88 relating to processing employees’ personal data.

WP29 has considered various scenarios in the Opinion which describe how certain technologies might be used to process personal data in the workplace, and the points that employers should consider. Some of these include:

On 26 July, the Article 29 Data Protection Working Party (WP29) released a statement outlining its opinion on the EU-U.S. Privacy Shield, which was adopted by the European Commission earlier this month. After praising the improvements implemented by the Commission and U.S. authorities since its last critical opinion, the WP29 outlined some remaining

The CNIL issued a press release on February 4, setting expectations concerning the “EU-U.S. Privacy Shield” work-in-progress. At the same time, it has switched to enforcement mode concerning Safe Harbor remediation failure.

Pursuant to their common decision of 26 February 2013 to take action to penalize Google Inc. for refusing to revise its global privacy policy, six of the European Working Party 29 regulators, led by the French CNIL, have now jointly started to act in their respective jurisdictions and according to their national laws against

We have previously reported on the different requests and repeated questionnaires the Commission nationale de l’informatique et des libertés (CNIL) has sent to Google over the past few months regarding the evaluation of Google’s compliance with applicable European Data Protection Regulation concerning its new integrated privacy policy, as well as the new integrated platform launched