Busy Week for Article 29 Working Party

April 13, 2014

The plenary meeting of 9 and 10 April 2014 marked the launch of an internal consultation on possible improvements in the Article 29 Working Party’s methods and organisation. This no doubt reflects the new Chair’s commitment to a more pro-active stance. The following documents were adopted:

·        an opinion on surveillance following the recent revelations on surveillance programmes;

·        a response to the Communication from the European Commission regarding the functioning of Safe Harbor;

·        a statement on the one-stop shop in the draft EU data protection regulation;

·        an opinion on legitimate interest;

·        an opinion on anonymisation techniques.

The full text of all the relevant documents is not yet available on the Working Party’s web site but the Opinion on surveillance is here, the letter re Safe Harbor is here, the Opinion on anonymisation is here and the Opinion on legitimate interests is here.

Surveillance

Following the recent revelations on surveillance programmes, the Working Party (WP29) adopted an opinion on surveillance calling for, inter alia, greater transparency and more meaningful oversight over the activities of intelligence services. The Working Party refers to ‘a strong expectation from citizens in Europe’ that their concerns will be addressed.

In its opinion, the Working Party state that, under the current legislation, massive, indiscriminate and systematic surveillance is illegal. The WP29 firmly recalls that in no case the fight against terrorism and other important threats on national security could justify such massive, indiscriminate and systematic surveillance on EU citizens and that restrictions to their fundamental rights may only be accepted if the measure is strictly necessary in a democratic society and proportionate to its goal.

The WP29 recommends the following:

·        EU Member States should ensure greater transparency and control over surveillance activities of their intelligence services. This includes a right for individuals to be informed and granted adequate data protection safeguards when their personal data are being collected and transferred.

·        To ensure that no abuse of surveillance programmes will happen again, there should be an effective and independent external oversight on the intelligence services, which implies a genuine involvement of the data protection authorities.

·        EU institutions should finalize the negotiations on the data protection reform package, and retain in particular the proposal of the European Parliament for a new article 43a providing for mandatory information to individuals when access to data has been given to a public authority in the last twelve months.

An enforceable international agreement should be adopted to provide strong guarantees for individuals in the context of surveillance activities.

The WP29 further recalls that the current EU data protection legal framework should be fully applied, that controllers subject to EU jurisdiction may be subject to sanctions and that data protection authorities may suspend data flows.

The adoption of this opinion coincides with the ruling of the European Court of Justice on 8 April 2014 which declared the Directive 2006/24/EC (the ‘Data Retention Directive’) to be invalid.

The WP29 will organise a conference on surveillance in the second half of 2014, bringing together all relevant stakeholders, with the aim of improving the information available to individuals on the consequences of the use of electronic communication services and how to protect themselves.

Safe Harbor

In its response to the Commission Communication of 27 November 2013, the Working Party agrees that restoring trust in EU-US transfers cannot take place without strengthening the safeguards provided by Safe Harbor. In the context of the current discussions between the Commission and the US authorities to adapt the Safe Harbor framework, the Working Party supports the view that, under the current circumstances, the ‘possibility for Safe Harbor to provide adequate protection for EU citizens is questionable’ and recognises that if the revision process currently undertaken by the Commission does not lead to a positive outcome, the Safe Harbor agreement should be suspended. The Working Party also recalls that data protection authorities may suspend data flows according to their national competence and EU law. The Working Party further points out some additional elements that should be improved in the Safe Harbor Decision, for use in ongoing negotiations with the US, in order to efficiently protect EU data subjects whose personal data are transferred to the US under the Safe Harbor framework.

Draft EU regulation – One-stop shop

In its statement on the one-stop shop, the Working Party proposes a possible compromise between the European Parliament’s position and the ideas actually being debated within the EU Council as regards the governance in cross-border cases. The Working Party aims to highlight the core elements of a one-stop shop that will meet the needs of businesses as well as those of citizens.

Legitimate interest

The Opinion on this topic specifies the conditions that the data controller must satisfy, and the steps that he must follow, when relying on legitimate interest under Article 7(f) of Directive 95/46/EC as a legal ground for processing. Article 7(f) requires a balancing of the legitimate interests of the controller, or any third parties to whom the data are disclosed, against the interests or fundamental rights of the data subject. Appropriate use of Article 7(f) may help prevent over-reliance on other legal grounds such as consent. However, its use should not be unduly extended on the basis of a perception that it is less constraining than the other grounds. To help ensure legal certainty, the Working Party recommends inserting a recital into the draft EU data protection EU regulation to specify the criteria the controller should take into account when carrying out the necessary ‘balancing test’. The Working Party invites written comments from stakeholders within six weeks of the opinion’s publication, that is, by 27 May 2014.

Anonymisation techniques

Recalling that anonymised data fall outside the scope of data protection legislation, the opinion assesses the effectiveness and limits of existing anonymisation techniques. On that basis, practical recommendations are made to help data controllers choose how to design an adequate anonymisation process. Data controllers are however invited not to consider anonymisation as a one-off exercise and to reassess the risks regularly, considering that anonymisation and re-identification are active fields of research and new discoveries are regularly published. Incidentally, the opinion clarifies that pseudonymisation is not a method of anonymisation, but merely a useful security measure to reduce the linkability of a dataset with the original identity of a data subject.