Category Archives: WP29

Article 29 Working Party (WP29)

Letter to WhatsApp of 27 October 2016 relating to WhatsApp’s Terms of Service and Privacy Policy

The Article 29 Working Party has asked WhatsApp to send it information on the data that will be shared, the sources of the data (“e.g. data from the users’ phones or data already stored on company servers”) and those who will receive the data. The Article 29 WP has severe concerns regarding the manner in which the information related to the Terms of Service and Privacy Policy (updated in August 2016) was provided to users, and about the validity of the users’ consent.

WhatsApp had already been warned by a German DPA and the CNIL.

WP29 issues Opinion on the evaluation and review of the ePrivacy Directive

On July 19th, 2016, the WP29 presented an Opinion on the evaluation and review of the e-Privacy Directive (2002/58/EC). For the WP29, a thorough revision of the rules in the e-Privacy Directive is necessary in order to take into account the technological developments in the digital market and the recent adoption of the General Data Protection Regulation (GDPR).

Background information

The revision of the e-Privacy Directive is part of the Digital Single Market Strategy, announced by the European Commission (EC) in May 2015. The EC started the review of the Directive in 2015 by requesting a study on the transposition and effectiveness of the privacy-related articles of the e-Privacy Directive, as well as on the relationship between the Directive and the GDPR. A report[1] was published in June 2015. In April 2016 the EC launched a public consultation, open to citizens, legal entities and public authorities. The Commission consulted stakeholders on both the retrospective evaluation and the possible changes to the current e-Privacy Directive. The Opinion of the WP29 responds to this call. The EC intends to use the feedback from the consultation to prepare a new legislative proposal, which is expected by the end of 2016.

Opinion of Article 29 WP29 on the EU – Privacy Shield draft adequacy decision

The Article 29 Data Protection Working Party (WP29) adopted its opinion on the EU-US Privacy Shield draft adequacy decision on April 13, 2016. The Privacy Shield saw the light after the invalidation by the Court of Justice of the European Union or CJEU (Schrems judgement) of the previous Safe Harbor agreement. The Opinion is complemented by a Working Document on the justification of interferences with the fundamental rights to privacy and data protection through surveillance when transferring personal data (European Essential Guarantees).

Months before, in October 2015, the WP29 stated that an assessment of the consequences of the Schrems decision with respect to all mechanisms permitting data transfers to the US would be carried out. The WP29 then proceeded to inventory and examine the jurisprudence of the CJEU regarding Articles 7, 8 and 47 of the European Union Charter of Fundamental Rights, as well as the jurisprudence of the European Court of Human Rights related to Article 8 of the European Convention on Human Rights dealing with surveillance issues. The conclusions of this assessment led to the four European Essential Guarantees.

The Opinion of the WP29 includes an assessment of the Guarantees for data transfer to the US. According to it, the Privacy Shield includes significant improvements compared to the EU-US Safe Harbor framework. However, major points of concern remain and further clarification is needed in several aspects. The Working Party stressed the general complexity and lack of clarity regarding the Privacy Shield and expressed concerns with respect to both the commercial and national security aspects of the new framework.

Statement of the Article 29 Working Party on the Safe Harbour Ruling

On 16 October 2015 the Article 29 Working Party issued a statement on the recent ruling of the Court of Justice of the EU in Schrems v. Facebook. Although the tone of the statement is quite general, it reflects the positions and views of European DPAs on the transfer of personal data to the US and on the consequences of the judgment. Moreover, apart from illustrating the next steps European institutions should take in their negotiations with the US, this statement provides a few guidelines for European businesses that would allow them to implement the Court’s judgment.