The Article 29 Working Party, which is composed of representatives of DPA’s from every European country, has recently rendered an opinion (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf ) on data privacy issues surrounding the development of the “Internet of Things” (IoT), which includes wearable computing, quantified self devices, and domotics. Although such data is generated by “things” or devices, it is considered personal data because it may enable the life pattern of a specific individual to be discerned. After identifying the major privacy issues raised by such devices, the Article 29 Working Party made a series of recommendations to IoT stakeholders.
The determination of the territorial scope of the current EU Directive n° 95/46 is still under dispute both before national Courts and the European Court of Justice (ECJ). This issue may soon become moot with the adoption of future data protection regulation, which may modify and expand the territorial scope of EU data privacy law, especially following the results of the recent vote of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs. The following is meant to help determine the current state of affairs regarding the issue of the territorial (and extraterritorial) scope of the future EU law following this vote of the European Parliament.
It has been reported that Google will give EU businesses the opportunity to store personal data exclusively on servers in the EU. This appears to have been prompted by compliance difficulties with the current EU data protection Directive when cloud computing service providers store personal data on servers or in data centres based outside the EU. Such compliance difficulties encountered by cloud clients were highlighted by Peter Hustinx, the European Data Protection Supervisor (EDPS), in his opinion issued on November 16, 2012 (http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2012/12-11-16_Cloud_Computing_EN.pdf).
The French Data Protection Authority (“CNIL”) has recently issued its activity report for 2011. It provides us with some interesting data and allows us to reflect on the ever-growing importance of privacy and data protection in France. Video-surveillance, the right to be forgotten on the Internet, data breaches and abusive data collection by companies were the key highlights of 2011 and have remained dominant issues in 2012.
On June 7, 2012, the Article 29 Working Party, an independent advisory body composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission, issued Opinion 04/2012 regarding which types of cookies are exempted from the informed user-consent requirement under Directive 2002/58 of the European Parliament (the E-Privacy Directive).
Article 5.3 of the E-Privacy Directive requires that websites must obtain informed consent from users prior to storing cookies on users’ equipment. The E-Privacy Directive provides for two exemptions to this rule: (a) when the cookie is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; and (b) when the cookie is strictly necessary in order for the provider of an information society service explicitly requested by the user to provide the service.