The body of European data protection regulators known as the Article 29 Working Party (WP29) has been exceptionally prolific lately. In April 2014, WP29 adopted no less than five opinions and issued a number of other statements and letters on various topics. While not directly binding, WP29’s publications offer insight into the regulators’ views, which are generally a good indication of how the regulators will seek to apply the law.
In this article, we provide an overview of the most important documents issued. We discuss Opinion 5/2014 on anonymization,1 Opinion 6/2014 on legitimate interests as a basis for processing,2 the letter to Commissioner Viviane Reding on data transfers from the EU to the U.S.,3 and the letter to the Council of the EU on the one-stop-shop mechanism.4
Opinion on Anonymization Techniques
The opinion5 stresses the difficulty of creating truly anonymous datasets under EU data protection law and provides recommendations on good anonymization practices. It is quite technical, examining selected techniques in detail: randomization (noise addition, permutation, differential privacy) and generalization (aggregation and k-anonymity, l-diversity, t-closeness). The main takeaways from the opinion are as follows:
- The threshold for effective anonymization in the EU is high: the processing must irreversibly prevent re-identification of an individual by the data controller or by any third party (e.g., a recipient or an attacker), not merely make it more difficult.
- Whether the data is actually anonymized requires a case-by-case analysis taking into account the available technology, the risks for individuals, and contextual elements.
- All anonymization techniques have advantages and disadvantages (such that the best solution is usually a combination of multiple techniques) and should be assessed against the following three criteria, which the opinion calls singling out, linkability, and inference:
- Singling out: is it still possible to isolate some or all of the records that identify an individual in the dataset?
- Linkability: is it still possible to link at least two records concerning the same data subject, within one dataset or across datasets?
- Inference: can the value of an attribute be deduced, with significant probability, from the values of other attributes?
- Pseudonymization (i.e., replacing one attribute, typically a unique one, in a record with another) is not a method of anonymization; rather, it is a security measure that reduces the linkability of a dataset with the original identity of a data subject. Therefore, EU data protection law continues to apply to pseudonymized data. WP29 lists some commonly used pseudonymization techniques such as encryption with a secret key, hashing (keyed or unkeyed), and tokenization.
- The use of anonymized datasets can still present residual risks to individuals (e.g., using anonymized statistics to enrich existing profiles) and requires regular risk evaluations, controls, and monitoring.
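The following script is an added illustration of the points above; it is not part of the opinion and the five records it operates on are constructed, not real. It shows why WP29 treats a hashed identifier as pseudonymous rather than anonymous (an attacker who can guess the input space simply recomputes the hash), and how the three criteria can be checked on a table: the smallest equivalence class on the quasi-identifiers measures singling out, generalization of zip code and birth year raises that minimum, and a class whose members all share the same diagnosis still permits inference even when no record can be singled out. The quasi-identifier choice, the truncation rules and the key in the example are assumptions made for the demonstration.

```python
"""Pseudonymization vs. anonymization, checked against WP216's three criteria
(singling out, linkability, inference) on a small constructed dataset."""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records (not real people, not data from the opinion).
RECORDS = [
    {"email": "alice@example.org", "zip": "10115", "birth_year": 1984, "diagnosis": "flu"},
    {"email": "bob@example.org",   "zip": "10117", "birth_year": 1986, "diagnosis": "flu"},
    {"email": "carol@example.org", "zip": "10119", "birth_year": 1981, "diagnosis": "asthma"},
    {"email": "dave@example.org",  "zip": "20095", "birth_year": 1975, "diagnosis": "asthma"},
    {"email": "erin@example.org",  "zip": "20097", "birth_year": 1979, "diagnosis": "asthma"},
]

# Assumed quasi-identifiers: attributes that are not identifiers on their own
# but can be combined with outside knowledge to single someone out.
QUASI_IDENTIFIERS = ("zip", "birth_year")


def pseudonymize(records, key=None):
    """Replace the direct identifier with a hash. With key=None this is a plain
    SHA-256 of the e-mail; with a key it is an HMAC, which a third party cannot
    recompute without the key. Either way the data stays personal data in the
    sense of WP216: the controller can reverse the mapping and the
    quasi-identifiers remain in clear."""
    out = []
    for r in records:
        raw = r["email"].lower().encode()
        if key is None:
            token = hashlib.sha256(raw).hexdigest()
        else:
            token = hmac.new(key, raw, hashlib.sha256).hexdigest()
        out.append({"id": token, **{k: v for k, v in r.items() if k != "email"}})
    return out


def reidentify(pseudonymized, candidate_emails):
    """Attacker's dictionary attack on an unkeyed hash: anyone who can guess the
    input space (a customer list, a leaked address book) recomputes the hash and
    links tokens back to people. Returns {token: email} for every hit."""
    lookup = {hashlib.sha256(e.lower().encode()).hexdigest(): e for e in candidate_emails}
    return {r["id"]: lookup[r["id"]] for r in pseudonymized if r["id"] in lookup}


def generalize(record):
    """Generalization in the sense of WP216: coarsen the quasi-identifiers so
    that several records share the same values. Zip code is truncated to its
    first two digits (a region), birth year to the decade (assumed rules)."""
    g = dict(record)
    g["zip"] = record["zip"][:2] + "***"
    g["birth_year"] = f"{record['birth_year'] // 10 * 10}s"
    return g


def equivalence_classes(records):
    """Group records by their quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in QUASI_IDENTIFIERS)].append(r)
    return classes


def k_anonymity(records):
    """Size of the smallest equivalence class. k == 1 means at least one record
    can be singled out on the quasi-identifiers alone."""
    return min(len(c) for c in equivalence_classes(records).values())


def inferable(records, attribute):
    """Inference check: classes in which every record carries the same value of
    `attribute`. Knowing that a person falls into such a class reveals the
    attribute even though no individual record can be singled out."""
    return {qi: rows[0][attribute]
            for qi, rows in equivalence_classes(records).items()
            if len({r[attribute] for r in rows}) == 1}


if __name__ == "__main__":
    p = pseudonymize(RECORDS)
    known = ["alice@example.org", "dave@example.org", "zed@example.org"]
    print("re-identified from unkeyed hash:", sorted(reidentify(p, known).values()))
    print("re-identified from keyed hash:  ",
          reidentify(pseudonymize(RECORDS, key=b"constructed-key"), known))
    print("k before generalization:", k_anonymity(p))
    g = [generalize(r) for r in p]
    print("k after generalization: ", k_anonymity(g))
    print("diagnosis inferable for classes:", inferable(g, "diagnosis"))
```

Running it shows both halves of the opinion's argument: the unkeyed hash links two of the three guessed addresses straight back to their records, the keyed hash defeats that particular attacker but leaves the controller (who holds the key) able to reverse it, and generalization raises k from 1 to 2 while still leaving the diagnosis of the 20***/1970s class inferable because both of its members are asthma cases.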
Opinion on Legitimate Interest as a Legal Basis
The opinion6 aims to clarify one of the key provisions of EU data protection law: Article 7(f) of the Data Protection Directive, often called the “legitimate interest” legal basis. It is one of the longest and most eagerly awaited opinions WP29 has issued. Under EU data protection law, a data controller must rely on a legal basis to legitimize the processing of personal data. Several grounds exist and are exhaustively listed in Article 7 of the Data Protection Directive. Article 7(f) is one of them and legitimizes the processing of personal data when the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject […].”
As an introduction, WP29 clarifies that reliance on the legitimate interest legal basis requires a case-by-case analysis and should not be treated as a “last resort” for rare or unexpected situations where other legal bases are deemed not to apply. Nor should it be chosen automatically on the assumption that it is less constraining than the other legal bases.
Further, WP29 explains how to apply the legitimate interest legal basis in practice, noting that this legal ground requires a balancing test. The purpose of the balancing test is to weigh the interest of the controller (or of a third party) against the rights and freedoms of the data subject, taking into consideration the following:
- The nature and source of legitimate interest of the controller or third party, and whether the processing is necessary for the exercise of a right by the controller
- The impact on individuals and their reasonable expectations about what will happen to their data
- Additional safeguards (e.g., data minimization, opt-out mechanism, transparency, data aggregation and anonymization, privacy-enhancing technologies, privacy by design, or privacy impact assessments)
In addition, WP29 recommends considering the following factors when conducting the balancing test: the sensitivity of the data; the possible prejudice suffered by the controller or third parties if the processing does not take place; the status of the individual (e.g., minor or employee) and of the controller (e.g., market share); and the way in which the data will be processed (e.g., large-scale processing, data mining, profiling, disclosure to a large number of people, or publication).
Finally, WP29 provides a large number of scenarios where the legitimate interest can be used as a legal ground (however, without making determinations as to whether the rights of individuals or data controllers would prevail): direct marketing and advertisement; freedom of expression or information, including in the media; prevention of fraud, misuse of services, or anti-money laundering; employee monitoring for safety or management purposes; whistleblowing schemes; physical security, IT security, and network security; processing for historical, scientific, or statistical purposes; processing for research purposes (including marketing research).
EU-U.S. Data Transfers
On April 10, 2014, WP29 sent a letter to Viviane Reding, European Commissioner for Justice, Fundamental Rights and Citizenship, on the European Commission’s 13 recommendations to rebuild trust in EU-U.S. data transfers7 following the revelations of intelligence collection programs. WP29 welcomes the commission’s initiatives but also voices some criticisms and makes further recommendations.
According to WP29, the U.S.-EU Safe Harbor program should be suspended if the European Commission’s revision efforts “[do] not lead to a positive outcome.” Such an outcome cannot be reached without improving the safeguards provided by Safe Harbor. To that end, WP29 makes a large number of recommendations relating to, among other things, applicable law, transparency, redress, fees, access by U.S. authorities, choice, access, onward transfer, security, proportionality, and accountability. It is unlikely that the European Commission will be able to incorporate all of WP29’s recommendations and concerns, but the letter illustrates the current thinking of EU regulators regarding the future of the U.S.-EU Safe Harbor framework.
The One-Stop-Shop Mechanism
On April 16, 2014, WP29 issued a short statement supporting a compromise between the current positions in the Council Working Group on Data Protection on the one-stop-shop and the consistency mechanisms. The one-stop-shop and consistency mechanisms are two of the key principles that will likely be included in the future EU data protection legal framework.
In a nutshell, if the one-stop-shop mechanism is enacted, there will be one data protection authority responsible for all processing activities of a company at a pan-EU level. The consistency mechanism would provide the rules regarding how authorities must cooperate among themselves. These concepts and their exact scope have been at the center of intense discussions among the EU institutions involved in the legislative process, including the EU data protection authorities, and are still highly debated. The statement describes what WP29 considers to be effective one-stop-shop and consistency mechanisms and will certainly be taken into account in the upcoming political discussions.
It has been a busy time for WP29 and for EU privacy practitioners keeping up with the various developments in EU data protection law. The opinions on anonymization and legitimate interest are key documents that will certainly prove useful for companies seeking to comply with EU data protection law. However, it remains to be seen how these opinions can actually be applied in practice, as they set the bar extremely high.
The letter on EU-U.S. data flows and the statement on the one-stop-shop mechanism touch upon several difficult issues and make important recommendations. It is unclear, however, whether the European Commission will be able to incorporate all of WP29’s demands, whether in negotiating the U.S.-EU Safe Harbor framework with its U.S. counterpart or in negotiating the text of the future EU Data Protection Regulation with the other EU institutions. In any event, the recent intensity of WP29’s activities demonstrates that it is determined to play a central and proactive role in interpreting the current EU data protection legal framework, in defining the future of U.S.-EU data transfers, and in shaping the key principles of the upcoming EU data protection framework.
1 Article 29 Working Party, Opinion 05/2014 on “Anonymization Techniques” (WP216).
2 Article 29 Working Party, Opinion 06/2014 on the “Notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC” (WP217).
3 Article 29 Working Party, Letter from the Article 29 Working Party to Vice President Viviane Reding on the actions set out by the European Commission in order to restore trust in data flows between the EU and the U.S.
4 Article 29 Working Party, Letter from the Article 29 Working Party to Lilian Mitrou, Chair of the Council’s Working Party on Information Exchange and Data Protection (DAPIX), on the One-Stop-Shop mechanism, and Annex 1: Statement of the WP29 – Main points for a one-stop-shop and consistency mechanism for businesses and individuals.
5 Article 29 Working Party, Opinion 05/2014 on “Anonymization Techniques” (WP216).
6 Article 29 Working Party, Opinion 06/2014 on the “Notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC” (WP217).