This past month, the European Union’s Article 29 Data Protection Working Party (the “Working Party”) issued the Working Document 02/2013 providing new guidance on obtaining consent for cookies (“Working Document”). The Working Document sets forth various mechanisms which can be utilized by websites to obtain consent

In a recent decision (deliberation CNIL May 30, 2013 n°2013-139), the French Data Protection Agency (CNIL) sanctioned a company for implementing a CCTV system without informing employees and because the CCTV system enabled the constant monitoring of one employee, making the recording disproportionate to the goal pursued. The CNIL also sanctioned the company because it failed to implement an adequate level of security for the data housed on its systems.

Are social media companies based in the United States subject to European data privacy laws?  Two recent judicial decisions – one in France and the other in Germany – arrived at different answers.  The Civil Court of Paris held that Twitter, based in California, was obligated under the French Code of Civil Procedure to reveal the identity of its users in France who posted racist tweets.  In Germany, on the other hand, an administrative court held that Facebook, also based in California, was not subject to a German law that would have prohibited Facebook from requiring users to register under their real names. 

The French, Italian, British, German, Spanish and Dutch Data Protection Authorities announced on April 2, 2013 that each will launch investigations and enforcement actions against Google on the grounds that its privacy policy is not compliant with the European Directive on Data Protection (the “Directive”), available at http://eur-lex.europa.eu/en/index.htm.

It has been reported that Google will give EU businesses the opportunity to store personal data exclusively on servers in the EU. This appears to have been prompted by compliance difficulties with the current EU data protection Directive when cloud computing service providers store personal data on servers or in data centres based outside the EU. Such compliance difficulties encountered by cloud clients were highlighted by Peter Hustinx, the European Data Protection Supervisor (EDPS), in his opinion issued on November 16, 2012 (http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2012/12-11-16_Cloud_Computing_EN.pdf).

On June 7, 2012, the Article 29 Working Party, an independent advisory body composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission, issued Opinion 04/2012 regarding which types of cookies are exempted from the informed user-consent requirement under Directive 2002/58 of the European Parliament (the E-Privacy Directive).

 

Article 5.3 of the E-Privacy Directive requires websites to obtain informed consent from users prior to storing cookies on users’ equipment. The E-Privacy Directive provides for two exemptions to this rule: (a) when the cookie is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; and (b) when the cookie is strictly necessary in order for the provider of an information society service explicitly requested by the user to provide the service.