CNIL in English
CNIL's latest news (EN)
http://www.cnil.fr/
Thu, 17 Jul 2014 18:07:00 +0200

[Press release WP29] CJEU’s Judgment on the Right to Be Forgotten: the WP29 Will Meet with Search Engines on July 24th
http://www.cnil.fr/nc/linstitution/actualite/article/article/press-release-wp29-cjeus-judgment-on-the-right-to-be-forgotten-the-wp29-will-meet-with-search/

On July 15th, the European data protection authorities came together in Brussels to exchange views over the consequences of the Court of Justice of the European Union’s (CJEU) judgment regarding the right to be forgotten on the internet, which was rendered on May 13th, 2014.

The objective was to elaborate coordinated and coherent guidelines on the handling of individuals' complaints that may be submitted to the authorities in the case of negative responses from search engines to the request for removal from indexing. With a view to a unified European implementation of this judgment, the data protection authorities analysed the different legal bases allowing individuals, regardless of their nationality, their residency and the harm suffered, to invoke the right to request search engines to remove them from indexing. The precise methods of exercising this right to be forgotten, as well as search engines' potential refusals to execute this right, were also studied in depth. Among other things, this discussion highlighted that, in order to effectively exercise this right, it is necessary for individuals to understand thoroughly the precise reasons a search engine, subject to European Union law, can legally refuse this right. The data protection authorities also addressed the criteria for taking into consideration, in certain cases, the public interest in accessing the said information.
The data protection authorities have invited search engines to discuss with them, on July 24th, the practical implementation of the key principles in this CJEU case in order to finalise the WP29's guidelines foreseen for autumn 2014.

News EN Thu, 17 Jul 2014 18:07:00 +0200

[Press release WP29] The WP29 reminds cloud computing providers of their obligations under Directive 95/46/EC upon its partial assessment of Microsoft’s data processing agreement
http://www.cnil.fr/nc/linstitution/actualite/article/article/press-release-wp29-the-wp29-reminds-cloud-computing-providers-of-their-obligations-under-directive/

One of the missions of the Article 29 Working Party (WP29) is to contribute to the uniform application of EU data protection rules. To this end, the WP29 supported, during its last plenary meeting, the implementation of a generic approach, including as to the definition of an appropriate legal framework for the provision of cloud computing services.

The WP29 assessed a number of contractual documents submitted by Microsoft to several EU data protection authorities. These documents provide a legal framework for the international data transfers taking place in the context of the cloud services which Microsoft offers in different Member States. The aim of the WP29's review was to evaluate whether these documents strictly meet the requirements on international data transfers contained in the Standard Contractual Clauses 2010/87/EU (the so-called "controller-to-processor" clauses). The WP29 found the documents to meet the EU requirements laid out in these clauses. The positive outcome of this limited analysis does not entail that the WP29 has found that Microsoft's contractual arrangements overall comply with all EU data protection requirements, nor that Microsoft complies in practice with EU data protection rules.
It is only acknowledged that Microsoft has made sufficient contractual commitments to legally frame international data flows, in accordance with Article 26 of Directive 95/46/EC. Furthermore, the WP29 did not assess the Appendixes to Microsoft's contractual documents which specifically describe the transfers covered by the agreement (e.g., categories of data, security and confidentiality measures implemented by the data importer, etc.), the content of which may vary from one client to another. Microsoft and its clients will need to assess on a case-by-case basis how these Annexes can suit their specific data protection needs and legal requirements. These Annexes may have to be analyzed separately by the Data Protection Authorities. Beyond this specific case, the WP29 reminds all cloud computing providers which offer services to clients subject to EU laws of their duty to assess the compliance of their contractual arrangements with EU data protection requirements, as well as with its Opinion 05/2012 on cloud computing (WP196).

News EN Thu, 24 Apr 2014 16:56:00 +0200

EU Regulation and citizens’ surveillance: steps forward at the European Parliament
http://www.cnil.fr/nc/linstitution/actualite/article/article/eu-regulation-and-citizens-surveillance-steps-forward-at-the-european-parliament/

On 12 March, the European Parliament adopted its position in plenary on the draft EU Regulation as well as on the draft ‘Police and Justice’ Directive. It also adopted a resolution on the mass surveillance of European citizens by the NSA.

The Albrecht report on the draft data protection Regulation was adopted by a large majority, as was the Droutsas report. By adopting both reports simultaneously, the European Parliament confirms its attachment to a package approach to legislation in the area of data protection.
By voting before the European elections of May 2014, the European Parliament consolidates the work it has achieved since the European Commission presented its proposals in January 2012, before the renewed assembly takes over and negotiations start with the EU Council. The CNIL shall continue to monitor the legislative process and in particular progress in the Council on the draft Regulation. In doing so, the CNIL shall promote an ambitious approach to the protection of the data of European citizens. Moreover, at the Plenary of 12 March, the European Parliament also adopted a resolution warning that its approval of the EU-US free trade agreement (TTIP) would be linked to a cessation of the NSA's mass surveillance of European citizens. The fight against terrorism cannot justify such practices, the members of the European Parliament said. The same resolution calls for a suspension of Safe Harbor. The WP29, the group of the European data protection authorities, is actually assessing the safeguards offered by Safe Harbor in response to a Communication of the European Commission. The WP29 is also preparing an opinion on mass surveillance activities which should be published in May. Already, the CNIL welcomes the introduction by the Parliament in the text of the Regulation of prior control by data protection authorities of requests made to companies by administrative or judicial authorities of third countries to access the data of European citizens.

News EN Tue, 18 Mar 2014 17:03:00 +0100

International data transfers: the WP29 and the APEC developed a practical tool for multi-national organisations
http://www.cnil.fr/nc/linstitution/actualite/article/article/international-data-transfers-the-wp29-and-the-apec-developed-a-practical-tool-for-multi-national-or/

On 27 February 2014, the WP29 adopted a favourable opinion on a practical referential mapping the requirements of BCR and CBPR.
This document was also endorsed by APEC Member Economies on 27 and 28 February 2014.

The Article 29 Working Party (“WP29”) developed Binding Corporate Rules (“BCR”) to govern international data transfers within companies or groups of companies. These rules can be seen as a code of conduct which defines the company policy on data transfers. This framework aims to adduce adequate safeguards for data transferred from the European Union to third countries within the same company or group of companies. Recently, the Member Economies of the Asia-Pacific Economic Cooperation (“APEC”) have developed a policy framework for international transfers of personal information, called the Cross-Border Privacy Rules (“CBPR”), designed to provide guarantees for data transfers. Such guarantees are based in particular on certifications by APEC recognized accountability agents. The EU BCR system and the APEC CBPR system are based on a similar approach, namely codes of conduct for international transfers developed by companies and approved a priori by EU Data Protection Authorities (for BCR) or by APEC recognized accountability agents (for CBPR). The WP29 analysed the CBPR system in order to identify its similarities and differences with the BCR system. On the basis of this comparison, the WP29 and APEC Member Economies developed a referential on the personal data protection and privacy requirements of BCR and CBPR (WP212). This practical tool is aimed at helping multi-national organisations that operate both in Europe and the Asia-Pacific and identifies in a single document the elements required in both the BCR and CBPR systems. This useful tool lists all of the elements that are required in both systems, as well as the respective additional elements that are specific to each system.
In any case, such additional elements must be taken into account by multi-national organisations applying for a BCR approval with data protection authorities in the EU on the one hand, and for a CBPR certification by an APEC CBPR recognized Accountability Agent on the other hand. The WP29 welcomes the result of this joint work with APEC Member Economies, which is the first one with the APEC, and is a great example of cooperation. Indeed, this practical tool sets out global solutions for multi-national organisations wishing to develop personal data protection and privacy policies compliant with both BCR and CBPR systems, and thereby obtain both certifications.

News EN Fri, 07 Mar 2014 12:04:00 +0100

Isabelle Falque-Pierrotin elected Chair of the WP29, group of the EU national data protection authorities
http://www.cnil.fr/nc/linstitution/actualite/article/article/isabelle-falque-pierrotin-elected-chair-of-the-wp29-group-of-the-eu-national-data-protection-author/

On 27 February 2014, the CNIL President, Isabelle Falque-Pierrotin, was elected to chair the Article 29 Working Party (WP29) for two years, starting from now.

The WP29 groups the representatives of the data protection authorities of the 28 Member States of the European Union and the European Data Protection Supervisor, as well as other European data protection authorities as observers. Isabelle Falque-Pierrotin takes over as Chair from Jacob Kohnstamm, the President of the Dutch data protection authority, who chaired for four years. Also elected today by the WP29 Plenary are two new Vice-Chairs: Wojciech Rafal Wiewiórowski (Poland) and Gérard Lommel (Luxembourg). They replace Christopher Graham (United Kingdom) and Igor Němec (Czech Republic). Isabelle Falque-Pierrotin has represented the French data protection authority in the WP29 since her election as President of the CNIL on 21 September 2011.
Under Isabelle Falque-Pierrotin's mandate, the WP29 will face two major challenges: preparing the transition toward the new governance contemplated in the draft EU data protection regulation and developing co-operation between data protection authorities in the wider international scene.

News EN Thu, 27 Feb 2014 15:05:00 +0100