PL&B International E-news, Issue 72

1. Article 29 WP announces 9-country mutual recognition BCR club

After its meeting on 1 October, the EU Article 29 Data Protection Working Party announced that nine countries have agreed to give mutual recognition to approval of Binding Corporate Rules for Data Protection. The countries are France, Germany (federal and Länder), Ireland, Italy, Latvia, Luxembourg, the Netherlands, Spain the UK. The countries have agreed to recognise BCRs sent to them through the BCR coordination procedure.

Mutual recognition is a policy commitment rather than a legal change, as the countries’ legislative systems are all based on the Directive. The essence of mutual recognition is that the DPAs commit themselves that once the Lead Authority circulates a consolidated draft with a positive opinion that it meets the required standard, other DPAs accept this opinion as sufficient basis for providing their own permit or authorisation for the BCR or for giving positive advice to the body which provides that authorisation.

2. French tax searches breach European Convention on Human Rights, again

The European Court of Human Rights, in Strasbourg, ruled on 18 September for the second time that French searches and seizures of documents by tax authorities on a suspicion of involvement in fraud violated the European Convention on Human Rights. The Court said that it had already ruled that such searches violate the Convention in a previous case, and held that there had been a violation in this case of the right of access to a court to appeal against a search and that it was not necessary to consider whether there had also been a violation of the right to privacy. (Kandler v. France (no. 18659/05)

3. Article 29 Data Protection Working Party has many doubts about US electronic visas

The EU Article 29 Data Protection Working Party has many doubts and questions about the US electronic system for travel authorisation (ESTA), which was launched in August 2008 on a voluntary basis and will become mandatory in January 2009. It will replace the paper form I-94W now filled in by travellers on board transatlantic planes to the US, and is in addition to information provided by the airlines under the EU-US PNR agreement. More data, such as telephone numbers and email addresses are being required, and the retention period will be extended to 75 years. The EU Privacy Commissioners collectively think that many questions need to be answered before the system becomes compulsory. It is, for example, not clear how sensitive data are dealt with, how travellers can keep track of their data in particular when they have filled them in erroneously or data change over time, and what happens in cases where the travel authorisation has been lost or stolen, given that ESTA does not include an electronic signature.

4. Google reduces data retention period to 9 months; Article 29 WP says Google refusing to obey EU

In April, the EU Article 29 Data Protection Working Party said that search engines’ data should be retained for no more than six months and that web users must be able to consent to the use of their data for profiling. Google answered in September by saying that IP addresses associated with search requests will be anonymized after 9 months, instead of the present 18, and that a link to Google’s privacy policy appears on its homepage.

Alex TÜRK, Chairman of the Article 29 Working Party and France’s Data Protection Authority (CNIL) noted this improvement with satisfaction, but also says that Google “considers that the European law on data protection is not applicable to itself, even though Google has servers and establishments in Europe; that it wishes to retain personal data of users beyond the 6 months period requested by the Article 29 Working Party, without any justification; that it does not make any improvement to its anonymization mechanisms, which are still insufficient; that it considers that IP addresses are confidential data but not personal data, which prevents granting certain rights to its users; and that it does not express the willingness to improve and clarify the methods that are used to gather the consent of its users.”

More detailed reports will appear in the next issue of the PL&B International Newsletter.

Click here for further information about subscribing to the international newsletter.

Copyright Privacy Laws & Business 2008