CNIL's latest news (EN)

RSS CNIL in english CNIL's latest news (EN) http://www.cnil.fr/ fr http://www.cnil.fr/fileadmin/templates/images/contenus/logo_CNIL.png http://www.cnil.fr/ 250 44 TYPO3 - get.content.right http://blogs.law.harvard.edu/tech/rss Tue, 02 Apr 2013 12:00:00 +0200 Google privacy policy: six European data protection authorities to launch coordinated and simultaneous enforcement actions http://www.cnil.fr/nc/linstitution/actualite/article/article/google-privacy-policy-six-european-data-protection-authorities-to-launch-coordinated-and-simultaneo/

From March to October 2012, the Article 29 Working Party investigated into Google’s privacy policy with the aim of checking whether it met the requirements of the European Data Protection Directive (95/46/CE). In view of the findings of this analysis which was published on 26 October 2012, the EU Data protection authorities asked Google to comply with their recommendations within 4 months. ]]>

After this period has expired, Google has not implemented any significant compliance measures. On 19 March 2013, representatives of Google Inc. were invited at their request to meet with the taskforce led by the CNIL and composed of data protection authorities of France, Germany, Italy, the Netherlands, Spain, and the United-Kingdom. Following this meeting, no change has been seen. The article 29 working party’s analysis is finalized. It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation. Consequently, all the authorities composing the taskforce have launched actions on 2 April 2013 on the basis of the provisions laid down in their respective national legislation (investigations, inspections, etc.) In particular, the CNIL notified Google of the initiation of an inspection procedure and that it had set up an international administrative cooperation procedure with its counterparts in the taskforce. ]]> News EN headline Tue, 02 Apr 2013 12:00:00 +0200 Google's privacy policy : G29 ready for coordinated enforcement actions http://www.cnil.fr/nc/linstitution/actualite/article/article/googles-privacy-policy-g29-ready-for-coordinated-enforcement-actions/

In October 2012, the Article 29 Working Party highlighted deficiencies in Google's privacy policy and gave some recommendations to Google on how to address these. To date, considering that Google has not taken any precise measures in response to those recommendations, the requirements of Directive 95/46/EC are still not complied with.]]>

Meeting in plenary session 26 February 2013, DPAs have decided to continue their investigations in close cooperation and to take all necessary actions according to their competences and powers. Significant progress on these actions will be made before summer. A taskforce led by the French DPA (CNIL) will help to coordinate these actions.

The taskforce will meet in the coming weeks and will invite Google for a hearing.]]> News EN Thu, 28 Feb 2013 10:32:00 +0100 International data transfers: towards an articulation of data flow systems between Europe and the Asia-Pacific area ? http://www.cnil.fr/nc/linstitution/actualite/article/article/international-data-transfers-towards-an-articulation-of-data-flow-systems-between-europe-and-the-as/ At the end of January 2013, representatives of the Article 29 Working Party (hereinafter WP29), and of the Asia-Pacific Economic Cooperation (hereinafter APEC), have met for the first time in Jakarta in order to develop a tool that would allow to govern data flows between Europe and the Asia-Pacific area. ]]> The European Union has developed Binding Corporate Rules (BCR) in order to govern international data transfers within companies or groups of companies. These rules can be seen as a code of conduct which defines the company policy on data transfers. This framework aims at adducing adequate safeguards to data transferred from the European Union to third countries.

Recently, the Member States of the APEC have developed a policy framework for international transfers of personal information, called the “Cross-Border Privacy Rules” (CBPR), and designed to provide guarantees to data transfers. Such guarantees are based in particular on certifications by APEC recognized accountability agents.

The EU BCR system and the CBPR are based on a similar approach, namely codes of conduct for international transfers developed by companies and approved a priori by Data Protection Authorities or by recognized accountability agents.

The WP29 (composed of representatives of the EU Data Protection Authorities) carried out a study of the CBPR system in order to identify its similarities and differences with the BCR system. Based on this comparison, the WP29 has launched a reflection in order to develop practical tools that would serve as a referential for multinational group of companies that have activities in both the European Union and the APEC area.

At the end of January 2013, the CNIL, which is rapporteur with the WP29 on this topic, as well as other EU Data Protection Authorities, met in Jakarta with the APEC BCR/CBPR Committee. A roadmap should be adopted in the upcoming months by the WP29 and the APEC in order to continue their cooperation and to materialise such practical tools for international group of companies. ]]> News EN Thu, 21 Feb 2013 15:37:00 +0100 Google's privacy policy: one step forward a coordinated repressive action by the European data protection authorities http://www.cnil.fr/nc/linstitution/actualite/article/article/googles-privacy-policy-one-step-forward-a-coordinated-repressive-action-by-the-european-data-prote/

On October 16, 2012 and after several months' investigation led by the CNIL, the European data protection authorities have published their joint conclusions on Google's new confidentiality rules. The authorities recommended to Google to improve data subjects' information and clarify the combination of data across Google's services. Lastly, they asked Google to provide precise retention periods for the personal data it processes. After a 4 months deadline that was granted to Google in order to...]]>

On February 18, European data protection authorities have noted that Google did not provide any precise and effective answers to their recommendations. In this context, the EU data protection authorities are committed to act and continue their investigations. Therefore, they propose to set up a working group, led by the CNIL, in order to coordinate their repressive action which should take place before summer.

This action plan was designed during a meeting that was hold in Paris at the end of January and will be submitted to the Article 29 Working Party for approval during the next plenary meeting on February 26.

]]> headline Mon, 18 Feb 2013 12:46:00 +0100 CNIL satisfied with draft European Parliament report on the Regulation proposed by the European Commission http://www.cnil.fr/nc/linstitution/actualite/article/article/cnil-satisfied-with-draft-european-parliament-report-on-the-regulation-proposed-by-the-european-comm/

CNIL welcomes the draft report tabled by Mr Albrecht, the rapporteur for the European Parliament's Committee on Civil Liberties, Justice and Home Affairs. This report, which was published on January 8, 2013, largely meets the concerns expressed by CNIL about the proposed EU regulation on data protection. ]]>

The amendments tabled by the rapporteur are real progress and an important stepping stone in improving the initial text proposed by the European Commission. Key aspects are:

Criterion of competence of the supervisory authorities: the draft report proposes to use also the place of residence of the citizen, thereby avoiding excessive distance between the citizen and the competent authority. Retaining such criterion also ensures better protection of the rights of the citizens and reduces legal uncertainty for businesses and forum-shopping.
Single point of contact: the rapporteur proposes to designate a lead-authority as single point of contact for controllers and processors who have activities in more than one Member State. This authority would not have exclusive competence but would have to instruct cross-border situations in the name and on behalf of all the competent authorities, and to ensure coordination before adopting a decision. This is a crucial point if there is to be a balanced co-operation between the supervisory authorities.
Role of the European Data Protection Board (EDPB): by establishing a consistency mechanism and by considerably strengthening the role and powers of the EDPB – namely by giving it decisional power in respect of the measures proposed by a supervisory authority – the proposals in the draft report create the conditions for a uniform implementation of the European rules.

Also noteworthy is the possibility for the EDPB to draft guidelines for the supervisory authorities, as well as to deliver opinions on the codes of conduct drafted at EU level. Moreover, the EDPB would have to be consulted by the European Commission in the preparation of delegated acts and implementing acts, the which number would be much reduced. On all these points, Mr Albrecht's proposals meet the recommendations made by CNIL. CNIL also welcomes the deletion in the draft report of the possibility to use non-binding legal instruments in the context of data transfers to non-EU Member States. Lastly, regarding the protection of citizens' rights, CNIL supports the improvements proposed by the rapporteur, namely the use of ‘pseudonymisation' and anonymisation of data, the free exercise of a right to object – which is to be proposed in clear and simple words by the controllers – and the clarification of what constitutes the expression of consent in the on-line environment. CNIL shall pursue its efforts to ensure that these key elements proposed in Mr Albrecht's draft report are reflected in the final position of the European Parliament and eventually in the EU Regulation. Also, CNIL will continue to promote the insertion of a delisting obligation as a corollary of the right to be forgotten.]]> News EN headline Wed, 16 Jan 2013 16:22:00 +0100