CNIL's latest news (EN) - http://www.cnil.fr/

Cookie Sweep Day: a European concerted action of on-line audits
http://www.cnil.fr/nc/linstitution/actualite/article/article/cookie-sweep-day-a-european-concerted-action-of-on-line-audits/
Mon, 22 Sep 2014 10:18:00 +0200

From 15 to 19 September 2014, the French Data Protection Authority (the "CNIL") and its European counterparts carried out an audit of the main European websites in order to assess their practices with regard to cookies.

What is a cookie?

Cookies are tracers placed on internet users' hard drives by the servers hosting the visited website. They allow the website to recognise a single user across multiple visits by means of a unique identifier. Cookies may be used for various purposes: building up a shopping cart, storing a website's language settings, or targeting advertising by monitoring the user's web browsing.

Obligation to obtain the internet user's prior consent

Since the adoption of EU Directive 2009/136/EC, the so-called "Telecom Package", internet users must be informed and provide their prior consent to the storage of cookies on their computer. Internet users must have the ability to choose not to be traced when they browse a website; furthermore, web editors must ask users whether they agree to cookies before the site starts to use them. Some tracers, such as functional cookies, are exempted from this consent rule. Article 32-II of the French Data Protection Act of 6 January 1978 implements these principles.

"Cookie Sweep Day": a European coordinated action of on-line audits

In order to verify websites' compliance with the European legislation, the group gathering the European national data protection authorities (known as the "Article 29 Working Party") decided to carry out a concerted on-line audit of the main European websites. From 15 to 19 September, each authority that wished to participate in this action devoted one or two days to the assessment of the most visited European websites in the fields of e-commerce and media. On 18 and 19 September, the CNIL surveyed a hundred popular French websites. More precisely, the authority checked:
  • the number and type of cookies stored on the internet user's computer;
  • the way the information on cookies is conveyed to the internet users;
  • the visibility and quality of the information;
  • the process of obtaining the internet user's consent;
  • the consequences for a user refusing cookies.
The CNIL and the other participating European authorities used a common analysis framework. This "Cookie Sweep" operation was an opportunity for the European national data protection authorities to carry out a joint assessment of the main European websites and to produce a comparative review of their practices with regard to cookies. The initiative continues the coordinated on-line audits that data protection authorities have undertaken at the international level since 2013.
[Press release WP29] Right to be de-listed: European DPAs agreed on a common tool box to handle complaints
http://www.cnil.fr/nc/linstitution/actualite/article/article/press-release-wp29-right-to-be-de-listed-european-dpas-agreed-on-a-common-tool-box-to-handle-com/
Thu, 18 Sep 2014 12:31:00 +0200

The European data protection authorities, assembled in the Article 29 Working Party (WP29) at its 97th Plenary, discussed the follow-up to the ruling of the Court of Justice of the EU of 13 May 2014. As data controllers, the search engines must meet their obligations with respect to the CJEU ruling acknowledging the right to be "de-listed". The European data protection authorities have agreed on a common 'tool-box' to ensure a coordinated approach to the handling of complaints resulting from...

At the WP29 Plenary meeting of 16-17 September, the European data protection authorities had an extensive exchange of views on the effects of the CJEU ruling recognising the right for an individual to have links removed from the list of results displayed following a search on the basis of a person's name. During the summer of 2014, data protection authorities in the EU have received complaints as a result of search engines' refusals to de-list complainants from their results. This illustrates that the ruling has addressed a genuine demand for data protection from data subjects. The WP29 feels it is necessary to have a coordinated and consistent approach in the handling of these complaints. Therefore, it was decided to put in place a network of dedicated contact persons in order to develop common case-handling criteria for the handling of complaints by the data protection authorities. This network will provide the authorities with:
  • a common record of decisions taken on complaints and
  • a dashboard to help identify similar cases as well as new or more difficult cases.
The WP29 has also pursued its consultation process with the stakeholders: after meeting the search engines in July, they met with media companies at the margin of the WP29 Plenary. The WP29 continues to analyse how search engines are complying with the ruling.
[Press release WP29] European DPAs meet with search engines on the "right to be forgotten"
http://www.cnil.fr/nc/linstitution/actualite/article/article/press-release-wp29-european-dpas-meet-with-search-engines-on-the-right-to-be-forgotten/
Fri, 25 Jul 2014 14:30:00 +0200

Following the CJEU ruling in case C-131/12, EU data protection authorities (DPAs), united in the Article 29 Working Party, met yesterday with representatives of Google, Microsoft, and Yahoo!.

The objective of this meeting was to ask search engines about their practical implementation of the ruling, and to provide input to future WP29 guidelines. These guidelines will aim at ensuring a consistent handling of complaints by European DPAs facing requests lodged by individuals following delisting refusals by search engines. The guidelines should also frame the action of search engines, ensuring the consistent and uniform implementation of the ruling. The questions listed below were addressed during the meeting and the representatives of the three companies explained their views. The questions dealt mainly with the modalities of their delisting process (e.g. the scope of application of the ruling, the particular reasons for which there would be a preponderant interest of the general public in having access to the information, the notification of the delisting to third parties, and the justification for refusal). DPAs have also asked search engines to answer some questions in writing by the end of July.
Additional meetings may be organized in the future with other stakeholders. The WP29 guidelines are expected in the autumn.

Questions asked during the meeting

  1. What information do you request from a data subject prior to considering a delisting request e.g. URLs, justification? Do you ask further motivation from the data subjects to substantiate their request?

  2. Do you filter out some requests based on the location, nationality, or place of residence of the data subject? If so, what is the legal basis for excluding such requests?

  3. Do you delist results displayed following a search:

    a. Only on EU / EEA domains?
    b. On all domains pages accessible from the EU / EEA or by EU/EEA residents?
    c. On all domains on a global basis?

  4. What criteria do you use to balance your economic interest and/or the interest of the general public in having access to that information versus the right of the data subject to have search results delisted?

  5. What explanations / grounds do you provide to data subjects to justify a refusal to delist certain URLs?

  6. Do you notify website publishers of delisting? In that case, which legal basis do you have to notify website publishers?

Additional questions to be answered in writing by July 31

  7. Do you provide proper information about the delisting process on an easily accessible webpage? Have you developed a help center explaining how to submit a delisting claim?

  8. Can data subjects request delisting only using the electronic form that you provide, or can other means be used?

  9. Can data subjects request delisting in their own language?

  10. If you filter out some requests based on the location, nationality, or place of residence, what kind of information must be provided by the data subject in order to prove his nationality and / or place of residence?

  11. Do you ask for a proof of identity or some other form of authentication and if yes, what kind? For what reason? What safeguards do you put in place to protect any personal data that you process for the purpose of processing delisting requests?

  12. Do you accept general claims for delisting (e.g. delist all search results linking to a news report)?

  13. When you decide to accept a delisting request, what information do you actually delist? Do you ever permanently delist hyperlinks in response to a removal request, as opposed to delisting?

  14. Do you delist search results based only on the name of the data subject or also in combination of the name with another search term (i.e. Costeja and La Vanguardia)?

  15. How do you treat removal requests with regard to hyperlinks to pages that do not (no longer) contain the name of the data subject? [Examples: hyperlink to anonymised ruling, hyperlink to page where name of data subject was removed]. Do you immediately recrawl the sites after a removal request?

  16. Does your company refuse requests when the data subject was the author of the information he/she posted himself/herself on the web? If so, what is the basis for refusing such requests?

  17. Do you have any automated process defining if a request is accepted or refused?

  18. What technical solution do you use to ensure that links to material to which a removal agreement applies are not shown in the search results?

  19. Which of your services do you consider delisting requests to be relevant to?

  20. Do you notify users through the search results page that some results have been removed according to EU law? In that case, which is the legal basis for this? What is the exact policy? In particular, it appears that this notice is sometimes displayed even in the absence of removal requests by data subjects. Can you confirm or exclude that this is actually the case and, if so, could you elaborate on the applicable criteria?

  21. Have you considered sharing delisted search results with other search engines providers?

  22. What is the average time to process the requests?

  23. What statistics can you share at this stage (percentage of requests accepted / partially accepted / refused)? How many have you answered in total? How many per day?

  24. Will you create a database of all removal requests or removal agreements?

  25. What particular problems have you faced when implementing the Court’s ruling? Are there particular categories of requests that pose specific problems?

  26. Could you please provide us with contact details in case we need to exchange on a specific case?
[Press release WP29] CJEU's Judgment on the Right to Be Forgotten: the WP29 Will Meet with Search Engines on July 24th
http://www.cnil.fr/nc/linstitution/actualite/article/article/press-release-wp29-cjeus-judgment-on-the-right-to-be-forgotten-the-wp29-will-meet-with-search/
Thu, 17 Jul 2014 18:07:00 +0200

On July 15th, the European data protection authorities came together in Brussels to exchange views over the consequences of the Court of Justice of the European Union's (CJEU) judgment regarding the right to be forgotten on the internet, which was rendered on May 13th, 2014.

The objective was to elaborate coordinated and coherent guidelines on the handling of individuals' complaints that may be submitted to the authorities in the case of negative responses from search engines to requests for removal from indexing. With a view to a unified European implementation of this judgment, the data protection authorities analysed the different legal bases allowing individuals, regardless of their nationality, their residency and the harm suffered, to invoke the right to request search engines to remove them from indexing. The precise methods of exercising this right to be forgotten, as well as search engines' potential refusals to execute this right, were also studied in depth. Among other things, this discussion highlighted that, in order to exercise this right effectively, individuals need to understand precisely the reasons for which a search engine subject to European Union law can legally refuse it. The data protection authorities also addressed the criteria for taking into consideration, in certain cases, the public interest in accessing the said information. The data protection authorities have invited search engines to discuss with them, on July 24th, the practical implementation of the key principles of this CJEU case in order to finalise the WP29's guidelines foreseen for autumn 2014.
[Press release WP29] The WP29 reminds cloud computing providers of their obligations under Directive 95/46/EC upon its partial assessment of Microsoft's data processing agreement
http://www.cnil.fr/nc/linstitution/actualite/article/article/press-release-wp29-the-wp29-reminds-cloud-computing-providers-of-their-obligations-under-directive/
Thu, 24 Apr 2014 16:56:00 +0200

One of the Article 29 Working Party's (WP29) missions is to contribute to the uniform application of EU data protection rules. To this aim, the WP29 supported, during its last plenary meeting, the implementation of a generic approach, including as to the definition of an appropriate legal framework for the provision of cloud computing services.

The WP29 assessed a number of contractual documents submitted by Microsoft to several EU data protection authorities. These documents provide a legal framework for the international data transfers taking place in the context of the cloud services which Microsoft offers in different Member States. The aim of the WP29's review was to evaluate whether these documents strictly meet the requirements on international data transfers contained in the Standard Contractual Clauses 2010/87/EU (the so-called "controller-to-processor" clauses). The WP29 found the documents to meet the EU requirements laid out in these clauses. The positive outcome of this limited analysis does not mean that the WP29 has found Microsoft's contractual arrangements overall to comply with all EU data protection requirements, nor that Microsoft complies in practice with EU data protection rules. It is only acknowledged that Microsoft has made sufficient contractual commitments to legally frame international data flows, in accordance with Article 26 of Directive 95/46/EC.
Furthermore, the WP29 did not assess the Appendices to Microsoft's contractual documents which specifically describe the transfers covered by the agreement (e.g., categories of data, security and confidentiality measures implemented by the data importer, etc.), the content of which may vary from one client to another. Microsoft and its clients will need to assess on a case-by-case basis how these Annexes can suit their specific data protection needs and legal requirements. These Annexes may have to be analysed separately by the Data Protection Authorities. Beyond this specific case, the WP29 reminds all cloud computing providers which offer services to clients subject to EU laws of their duty to assess the compliance of their contractual arrangements with EU data protection requirements, as well as with its Opinion 05/2012 on cloud computing (WP196).