CNIL in English: RSS feed (News EN), http://www.cnil.fr/

[Press release WP29] opinion on the Internet of Things
http://www.cnil.fr/nc/linstitution/actualite/article/article/press-release-wp29-opinion-on-the-internet-of-things/

The European data protection authorities, assembled in the Article 29 Working Party (WP29) at its Plenary meeting of 16 and 17 September, adopted an opinion on the Internet of Things (IoT). Drawing attention to the privacy and data protection challenges raised by “smart things” which are gradually entering our daily lives, the WP29 helps stakeholders acquire a strong competitive advantage by explaining to them how to implement a sustainable IoT which complies with the data protection legal...

Privacy and data protection are the cornerstones of the trust that society will place in the Internet of Things ecosystem. While recognising the significant prospects of growth for a great number of innovative and creative EU companies, the WP29 is keen that the expected benefits for businesses and citizens should not come at the expense of addressing the many privacy and security concerns that are also associated with the IoT. The opinion stresses that the EU legal framework is fully applicable to the processing of personal data through devices, applications or services used in the context of the IoT. Considering the complex ecosystem of the IoT, the opinion highlights with specific examples the essential data protection obligations weighing on stakeholders and the rights granted to data subjects by EU law in that context. Also highlighted are the security issues that have already emerged in the IoT and the practical measures that must be taken by data controllers.

Focusing on recent developments of the IoT (Quantified Self, Wearable Computing and Home Automation), the opinion provides a comprehensive set of practical recommendations addressed to the various stakeholders involved in the development of the IoT (device manufacturers, application developers, social platforms, further data recipients, data platforms and standardisation bodies). The WP29 underlines the competitive advantage that IoT stakeholders gain by enabling users to remain in complete control of the sharing of their data and by relying as much as possible on their consent. With this opinion, the WP29 intends to contribute to the uniform application of the EU legal framework, to help data controllers comply with their obligations under EU law and to contribute to the development of the IoT in full conformity with data protection principles. The WP29 also intends to contribute to the discussions on the IoT at the International Conference of Data Protection and Privacy Commissioners, in Mauritius on 13-16 October 2014.

Published: Thu, 02 Oct 2014 18:14:00 +0200 (News EN)

Google privacy policy: WP29 proposes a compliance package
http://www.cnil.fr/nc/linstitution/actualite/article/article/google-privacy-policy-wp29-proposes-a-compliance-package/

Following several sanctions imposed by European national data protection authorities against Google, the WP29 has sent Google a package of practical measures to achieve compliance with the applicable legal framework.

In 2012, Google decided to merge the different confidentiality rules for sixty of its services into a single policy. These services included Google Search, YouTube, Gmail, Picasa, Google Drive, Google Docs, Google Maps and others. Given the number of services involved, almost all European Internet users were affected by this decision.
From February 2012 to October 2012, the WP29 (the group of European data protection authorities) conducted an analysis of the new rules under European data protection legislation.
  • On 16 October 2012, the WP29 released its analysis, which concluded that the said privacy policy did not comply with the European legal framework. It then provided several recommendations.
  • Given that Google Inc. gave no effective response to the WP29 recommendations, six European authorities initiated enforcement proceedings within their respective territories.
  • On January 3, 2014, the CNIL's Litigation Committee issued a €150,000 financial penalty, stating the company GOOGLE Inc did not meet several provisions of the French Data Protection Act. They also ordered Google Inc. to publish a statement on the decision on the https://www.google.fr site for 48 hours.
To aid the company Google Inc. with its compliance efforts resulting from these decisions, the WP29 adopted a package of dedicated measures. This package aims to offer specific and practical measures that could be implemented quickly by Google to meet the requirements of the European data protection framework.

Published: Thu, 25 Sep 2014 10:22:00 +0200 (News EN)
Cookie Sweep Day: a European concerted action of on-line audits
http://www.cnil.fr/nc/linstitution/actualite/article/article/cookie-sweep-day-a-european-concerted-action-of-on-line-audits/

From 15 to 19 September 2014, the French Data Protection Authority (the "CNIL") and its European counterparts carried out an audit of the main European websites in order to assess their practices with regard to cookies.

What is a cookie?

Cookies are tracers placed on internet users' hard drives by the web hosts of the visited website. They allow the website to identify a single user across multiple visits with a unique identifier. Cookies may be used for various purposes: building up a shopping cart, storing a website's language settings, or targeting advertising by monitoring the user's web-browsing.

Obligation to receive internet user's prior consent

Since the adoption of EU Directive 2009/136/EC, the so-called "Telecom Package", internet users must be informed and must provide their prior consent to the storage of cookies on their computer. Internet users must have the ability to choose not to be traced when they browse a website; furthermore, web editors must ask users whether they agree to cookies before the site starts to use them. Some tracers, such as functional cookies, are exempted from this consent rule. Article 32-II of the French Data Protection Act of 6 January 1978 implements these principles.

"Cookie Sweep Day": A European coordinated action of on-line audits

In order to verify websites' compliance with the European legislation, the group gathering the European national data protection authorities (known as the "Article 29 Working Party") decided to carry out a concerted on-line audit of the main European websites. From 15 to 19 September, each authority that wished to participate in this action devoted one or two days to the assessment of the most visited European websites in the fields of e-commerce and media. On 18 and 19 September, the CNIL surveyed a hundred popular French websites. More precisely, the authority checked:
  • the number and type of cookies stored on the internet user's computer;
  • the way the information on cookies is conveyed to the internet users;
  • the visibility and quality of the information;
  • the process of obtaining the internet user's consent;
  • the consequences for a user refusing cookies.
The CNIL and the other participating European authorities used a common analysis framework. This "Cookie Sweep" operation was an opportunity for the European national data protection authorities to carry out a joint assessment of the main European websites and to produce a comparative review of their practices with regard to cookies. The initiative was a continuation of the coordinated on-line audits which have been undertaken by data protection authorities at the international level since 2013.

Published: Mon, 22 Sep 2014 10:18:00 +0200 (News EN)
[Press release WP29] Right to be de-listed: European DPAs agreed on a common tool box to handle complaints
http://www.cnil.fr/nc/linstitution/actualite/article/article/press-release-wp29-right-to-be-de-listed-european-dpas-agreed-on-a-common-tool-box-to-handle-com/

The European data protection authorities, assembled in the Article 29 Working Party (WP29) at its 97th Plenary, discussed the follow-up to the ruling of the Court of Justice of the EU of 13 May 2014. As data controllers, search engines must meet their obligations under the CJEU ruling acknowledging the right to be "de-listed". The European data protection authorities have agreed on a common 'tool-box' to ensure a coordinated approach to the handling of complaints resulting from...

At the WP29 Plenary meeting of 16-17 September, the European data protection authorities had an extensive exchange of views on the effects of the CJEU ruling recognising the right of an individual to have links removed from the list of results displayed following a search on the basis of a person's name. During the summer of 2014, data protection authorities in the EU received complaints as a result of search engines' refusals to de-list complainants from their results. This illustrates that the ruling has addressed a genuine demand for data protection from data subjects. The WP29 feels it is necessary to have a coordinated and consistent approach to the handling of these complaints. It was therefore decided to put in place a network of dedicated contact persons in order to develop common case-handling criteria for the complaints handled by the data protection authorities. This network will provide the authorities with:
  • a common record of decisions taken on complaints and
  • a dashboard to help identify similar cases as well as new or more difficult cases.
The WP29 has also pursued its consultation process with stakeholders: after meeting the search engines in July, it met with media companies on the margins of the WP29 Plenary. The WP29 continues to analyse how search engines are complying with the ruling.

Published: Thu, 18 Sep 2014 12:31:00 +0200 (News EN)
[Press release WP29] European DPAs meet with search engines on the "right to be forgotten"
http://www.cnil.fr/nc/linstitution/actualite/article/article/press-release-wp29-european-dpas-meet-with-search-engines-on-the-right-to-be-forgotten/

Following the CJEU ruling in case C-131/12, EU data protection authorities (DPAs), united in the Article 29 Working Party, met yesterday with representatives of Google, Microsoft, and Yahoo!.

The objective of this meeting was to ask the search engines about their practical implementation of the ruling, and to provide input to future WP29 guidelines. These guidelines will aim at ensuring consistent handling by European DPAs of complaints lodged by individuals following delisting refusals by search engines. The guidelines should also frame the action of search engines, ensuring a consistent and uniform implementation of the ruling. The questions listed below were addressed during the meeting, and the representatives of the three companies explained their views. The questions dealt mainly with the modalities of their delisting process (e.g. the scope of application of the ruling, the particular reasons for which there would be a preponderant interest of the general public in having access to the information, the notification of the delisting to third parties, and the justification for refusal). The DPAs have also asked the search engines to answer some questions in writing by the end of July.

Additional meetings may be organized in the future with other stakeholders. The WP29 guidelines are expected in the autumn.

Questions asked during the meeting
  1. What information do you request from a data subject prior to considering a delisting request e.g. URLs, justification? Do you ask further motivation from the data subjects to substantiate their request?

  2. Do you filter out some requests based on the location, nationality, or place of residence of the data subject? If so, what is the legal basis for excluding such requests?

  3. Do you delist results displayed following a search:

    a. Only on EU / EEA domains?
    b. On all domain pages accessible from the EU / EEA or by EU/EEA residents?
    c. On all domains on a global basis?

  4. What criteria do you use to balance your economic interest and/or the interest of the general public in having access to that information versus the right of the data subject to have search results delisted?

  5. What explanations / grounds do you provide to data subjects to justify a refusal to delist certain URLs?

  6. Do you notify website publishers of delisting? In that case, which legal basis do you have to notify website publishers?

  Additional questions to be answered in writing by July 31

  7. Do you provide proper information about the delisting process on an easily accessible webpage? Have you developed a help center explaining how to submit a delisting claim?

  8. Can data subjects request delisting only using the electronic form that you provide, or can other means be used?

  9. Can data subjects request delisting in their own language?

  10. If you filter out some requests based on the location, nationality, or place of residence, what kind of information must be provided by the data subject in order to prove his nationality and / or place of residence?

  11. Do you ask for a proof of identity or some other form of authentication and, if yes, what kind? For what reason? What safeguards do you put in place to protect any personal data that you process for the purpose of processing delisting requests?

  12. Do you accept general claims for delisting (e.g. delist all search results linking to a news report)?

  13. When you decide to accept a delisting request, what information do you actually delist?  Do you ever permanently delist hyperlinks in response to a removal request, as opposed to delisting?

  14. Do you delist search results based only on the name of the data subject, or also on the name in combination with another search term (e.g. Costeja and La Vanguardia)?

  15. How do you treat removal requests with regard to hyperlinks to pages that do not (no longer) contain the name of the data subject? [Examples: hyperlink to anonymised ruling, hyperlink to page where name of data subject was removed]. Do you immediately recrawl the sites after a removal request?

  16. Does your company refuse requests when the data subject was the author of the information he/she posted himself/herself on the web? If so, what is the basis for refusing such requests?

  17. Do you have any automated process defining if a request is accepted or refused?

  18. What technical solution do you use to ensure that links to material to which a removal agreement applies are not shown in the search results?

  19. Which of your services do you consider delisting requests to be relevant to? 

  20. Do you notify users through the search results’ page information that some results have been removed according to EU law? In that case, which is the legal basis for this? What is the exact policy?  In particular, it appears that this notice is sometimes displayed even in the absence of removal requests by data subjects. Can you confirm or exclude that this is actually the case and, if so, could you elaborate on the applicable criteria?

  21. Have you considered sharing delisted search results with other search engines providers?

  22. What is the average time to process the requests?

  23. What statistics can you share at this stage (percentage of requests accepted / partially accepted / refused)? How many have you answered in total? How many per day?

  24. Will you create a database of all removal requests or removal agreements?

  25. What particular problems have you faced when implementing the Court’s ruling? Are there particular categories of requests that pose specific problems?

  26. Could you please provide us with contact details in case we need to exchange on a specific case?
Published: Fri, 25 Jul 2014 14:30:00 +0200 (News EN)