RSS CNIL in english CNIL's latest news (EN) fr 250 44 TYPO3 - get.content.right Fri, 25 Jul 2014 14:30:00 +0200 [Press release WP29] European DPAs meet with search engines on the " right to be forgotten " Following the CJEU ruling in case C-131/12, EU data protection authorities (DPAs), united in the Article 29 Working Party, met yesterday with representatives of Google, Microsoft, and Yahoo!.]]> The objective of this meeting was to ask search engines about their practical implementation of the ruling, and to provide input to future WP29 guidelines. These guidelines will aim at ensuring a consistent handling of complaints by European DPAs facing requests lodged by individuals following delisting refusals by search engines. The guidelines should also frame the action of search engines ensuring the consistent and uniform implementation of the ruling. The questions listed below were addressed during the meeting and the representatives of the three companies explained their views. They questions dealt mainly with the modalities of their delisting process (e.g. the scope of application of the ruling, the particular reasons for which there would be a preponderant interest of the general public in having access to the information, the notification of the delisting to third parties, and the justification for refusal). DPAs have also asked search engines to answer some questions in writing by the end of July.
Additional meetings may be organized in the future with other stakeholders. The WP29 guidelines are expected in the autumn. Questions asked during the meeting
  1. What information do you request from a data subject prior to considering a delisting request e.g. URLs, justification? Do you ask further motivation from the data subjects to substantiate their request?

  2. Do you filter out some requests based on the location, nationality, or place of residence of the data subject? If so, what is the legal basis for excluding such requests?

  3. Do you delist results displayed following a search:

    a.    Only on EU / EEA domains?
    b.    On all domains pages accessible from the EU / EEA or by EU/EEA residents?
    c.  On all domains on a global basis?

  4. What criteria do you use to balance your economic interest and/or the interest of the general public in having access to that information versus the right of the data subject to have search results delisted?

  5. What explanations / grounds do you provide to data subjects to justify a refusal to delist certain URLs?

  6. Do you notify website publishers of delisting? In that case, which legal basis do you have to notify website publishers?

    Additional questions to be answered in writing by July 31

  7. Do you provide proper information about the delisting process on an easily accessible webpage? Have you developed a help center explaining how to submit a delisting claim?

  8. Can data subjects request delisting only using the electronic form that you provide, or can other means be used?

  9. Can data subjects request delisting in their own language?

  10. If you filter out some requests based on the location, nationality, or place of residence, what kind of information must be provided by the data subject in order to prove his nationality and / or place of residence?

  11. Do you ask for a proof of identify or some other form of authentication and if yes, what kind? For what reason? What safeguards do you put in place to protect any personal data that you process for the purpose of processing delisting requests?

  12. Do you accept general claims for delisting (e.g. delist all search results linking to a news report)?

  13. When you decide to accept a delisting request, what information do you actually delist?  Do you ever permanently delist hyperlinks in response to a removal request, as opposed to delisting?

  14. Do you delist search results based only on the name of the data subject or also in combination of the name with another search term (i.e. Costeja and La Vanguardia)

  15. How do you treat removal requests with regard to hyperlinks to pages that do not (no longer) contain the name of the data subject? [Examples: hyperlink to anonymised ruling, hyperlink to page where name of data subject was removed]. Do you immediately recrawl the sites after a removal request?

  16. Does your company refuse requests when the data subject was the author of the information he/she posted himself/herself on the web? If so, what is the basis for refusing such requests?

  17. Do you have any automated process defining if a request is accepted or refused?

  18. What technical solution do you use to ensure that links to material to which a removal agreement applies are not shown in the search results?

  19. Which of your services do you consider delisting requests to be relevant to? 

  20. Do you notify users through the search results’ page information that some results have been removed according to EU law? In that case, which is the legal basis for this? What is the exact policy?  In particular, it appears that this notice is sometimes displayed even in the absence of removal requests by data subjects. Can you confirm or exclude that this is actually the case and, if so, could you elaborate on the applicable criteria?

  21. Have you considered sharing delisted search results with other search engines providers?

  22. What is the average time to process the requests?

  23. What statistics can you share at this stage (percentage of requests accepted / partially accepted / refused)? How many have you answered in total? How many per day?

  24. Will you create a database of all removal requests or removal agreements?

  25. What particular problems have you faced when implementing the Court’s ruling? Are there particular categories of requests that pose specific problems?

  26. Could you please provide us with contact details in case we need to exchange on a specific case?
News EN Fri, 25 Jul 2014 14:30:00 +0200
[Press release WP29] CJEU’s Judgment on the Right to Be Forgotten: the WP29 Will Meet with Search Engines on July 24th On July 15th, the European data protection authorities came together in Brussels to exchange views over the consequences of the Court of Justice of the European Union’s (CJEU) judgment regarding the right to be forgotten on the internet, which was rendered on May 13th, 2014.]]> The objective was to elaborate coordinated and coherent guidelines on the handling of individuals' complaints that may be submitted to the authorities in the case of negative responses from search engines to the request for removal from indexing. Within the perspective of having a unified European implementation of this judgment, the data protection authorities analysed the different legal bases allowing individuals-regardless of their nationality, their residency and the harm suffered-to invoke the right to request search engines to remove them from indexing. The precise methods of exercising this right to be forgotten as well as search engines' potential refusals to execute this right were also studied in an in-depth manner. This discussion led, amongst other things, to the highlighting that in order to effectively exercise this right, it is necessary for individuals to understand thoroughly the precise reasons a search engine, subject to European Union law, can legally refuse this right. The data protection authorities also addressed the criteria allowing to take into consideration, in certain cases, the public interest in accessing the said information. The data protection authorities have invited search engines to discuss with them, on July 24th, the practical implementation of the key principles in this CJEU case in order to finalise the WP29's guidelines foreseen for autumn 2014. ]]> News EN Thu, 17 Jul 2014 18:07:00 +0200 [Press release WP29] The WP29 reminds cloud computing providers of their obligations under Directive 95/46/EC upon its partial assessment of Microsoft’s data processing agreement One of the Article 29 Working Party's (WP29) mission is to contribute to the uniform application of EU data protection rules. To this aim, the WP29 supported, during its last plenary meeting, the implementation of a generic approach, including as to the definition of an appropriate legal framework for the provision of cloud computing services.]]> The WP29 assessed a number of contractual documents submitted by Microsoft to several EU data protection authorities. These documents provide a legal framework for the international data transfers taking place in the context of the cloud services which Microsoft offers in different Member States. The aim of the WP29's review was to evaluate whether these documents strictly meet the requirements on international data transfers contained in the Standard Contractual Clauses 2010/87/EU (the so-called "controller-to-processor" clauses). The WP29 found the documents to meet the EU requirements laid out in these clauses. The positive outcome of this limited analysis does not entail that the WP29 has found that Microsoft's contractual arrangements overall comply with all EU data protection requirements, neither that Microsoft comply in practice with EU data protection rules. It is only acknowledged that Microsoft has taken the sufficient contractual commitments to legally frame international data flows, in accordance with Article 26 of Directive 95/46/EC. Furthermore, the WP29 did not assess the Appendixes to Microsoft's contractual documents which specifically describe the transfers covered by the agreement (e.g., categories of data, security and confidentiality measures implemented by the data importer, etc.), the content of which may vary from a client to another. Microsoft and its clients will need to assess on a case-by-case basis how these Annexes can suit their specific data protection needs and legal requirements. These Annexes may have to be analyzed separately by the Data Protection Authorities. Beyond this specific case, the WP29 reminds all cloud computing providers which offer services to clients subject to EU laws of their duty to assess the compliance of their contractual arrangements with EU data protection requirements, as well as with its Opinion 05/2012 on cloud computing (WP196).  ]]> News EN Thu, 24 Apr 2014 16:56:00 +0200 EU Regulation and citizens’ surveillance : steps forward at the European Parliament On 12 March, the European Parliament adopted its position in plenary on the draft EU Regulation as well as on the draft ‘Police and Justice’ Directive. It also adopted a resolution on the mass surveillance of European citizens by the NSA.]]> The Albrecht report on the draft data protection Regulation was adopted at a large majority, as well as the Droutsas report. By adopting simultaneously both reports, the European Parliament confirms its attachment to a package approach to legislation in the area of data protection. By voting before the European elections of May 2014, the European Parliament consolidates the work it has achieved since the European Commission presented its proposals in January 2012, before the renewed assembly takes over and negotiations start with the EU Council. The CNIL shall continue to monitor the legislative process and in particular progress in the Council on the draft Regulation. In doing so, the CNIL shall promote an ambitious approach to the protection of the data of European citizens. Moreover, at the Plenary of 12 March, the European Parliament also adopted a resolution warning that its approval of the EU-US free trade agreement (TTIP) would be linked to a ceasing of the NSA activities of mass surveillance of European citizens. The fight against terrorism cannot justify such practice, the members of the European Parliament said. The same resolution calls for a suspension of Safe Harbor. The WP29, the group of the European data protection authorities, is actually assessing the safeguards offered by Safe Harbor in response to a Communication of the European Commission. The WP29 is also preparing an opinion on mass surveillance activities which should be published in May. Already, the CNIL welcomes the introduction by the Parliament in the text of the Regulation of prior control by data protection authorities of requests made to companies by administrative or judicial authorities of third countries to access the data of European citizens.]]> News EN Tue, 18 Mar 2014 17:03:00 +0100 International data transfers: the WP29 and the APEC developed a practical tool for multi-national organisations On 27 February 2014, the WP29 adopted a favourable opinion on a practical referential mapping the requirements of BCR and CBPR. This document was also endorsed by APEC Member Economies on 27 and 28 February 2014.]]> The Article 29 Working Party (“WP29”) developed Binding Corporate Rules (“BCR”) to govern international data transfers within companies or groups of companies. These rules can be seen as a code of conduct which defines the company policy on data transfers. This framework aims at adducing adequate safeguards to data transferred from the European Union to third countries within a same company or group of companies.  Recently, the Member Economies of the Asia-Pacific Economic Cooperation (“APEC”) have developed a policy framework for international transfers of personal information, called the Cross-Border Privacy Rules (“CBPR”), and designed to provide guarantees to data transfers. Such guarantees are based in particular on certifications by APEC recognized accountability agents. The EU BCR system and the APEC CBPR system are based on a similar approach, namely codes of conduct for international transfers developed by companies and approved a priori by EU Data Protection Authorities (for BCR) or by APEC recognized accountability agents (for CBPR). The WP29 analysed the CBPR system in order to identify their similarities and differences with the BCR system. On the basis of such comparison, the WP29 and APEC Member Economies developed a referential on the personal data protection and privacy requirements of BCR and CBPR (WP212). This practical tool is aimed at helping multi-national organisations that operate both in Europe and the Asia-Pacific and identifies in a single document the elements both required in the BCR and CBPR systems. This useful tool lists all of the elements that are required in both systems, as well as the respective additional elements that are specific to each system. In any case, such additional elements must be taken into account by multi-national organisations applying for a BCR approval with data protection authorities in the EU on the one hand, and for a CBPR certification by an APEC CBPR recognized Accountability Agent on the other hand. The WP29 welcomes the result of this joint work with APEC Member Economies, which is the first one with the APEC, and is a great example of cooperation. Indeed, this practical tool sets out global solutions for multi-national organisations wishing to develop personal data protection and privacy policies compliant with both BCR and CBPR systems, and thereby obtain both certifications.]]> News EN Fri, 07 Mar 2014 12:04:00 +0100