Policy Observatory
The judgment of the Court of Justice of European Union (CJEU) of 13 May 2014 Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (C-131/12) sets a milestone for EU data protection in respect of search engines and, more generally, in the online world.
It grants the possibility to data subjects to request to search engines, under certain conditions, the delisting of links appearing in the search results based on a person’s name.
On Wednesday 26 November, the European data protection authorities assembled in the Article 29 Working Party (WP29) have adopted guidelines on the implementation of the CJEU’s judgment. These guidelines contain the common interpretation of the ruling as well as the common criteria to be used by the data
protection authorities when addressing complaints.
The Dutch Department of Economic Affairs issued guidelines on net neutrality for the Authority for Consumers and Markets (ACM). These Net Neutrality Guidelines serve as a basis for the enforcement by ACM of the net neutrality rules in Article 7.4a of the Dutch Telecommunications Act (Net Neutrality Act).
On June 2, 2015 entered into force the general resolution of the Italian Data Protection Authority (DPA) No. 229/2014, "Simplified arrangements to provide information and obtain consent regarding cookies", of May 2014. Due to interpretative uncertainty, on June 5, the Italian DPA, issued a set of clarifications concerning the correct interpretation and the relevant implementation of the provisions provided. Although the DPA has tried to follow a transparent and open approach in adopting cookies rules, according to some there are significant difficulties in understanding the technical language used in the resolution and in the clarifications. As consequence, the requirements about the consent mechanism appear hard to be implemented in practice, especially by SMEs and bloggers.
On May 6, 2015 the Italian DPA published the Guidelines on online profiling activities, drafted on March 19, 2015. The Guidelines contain a definition of profiling activities and provide some indications about the management of data. On April 28, 2015 the DPA launched a public consultation on the Internet of Things. The consultation will remain open for 180 days.
On Monday, October 26, 2015, EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, gave a speech before the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs on the recent ruling by the Court of Justice of the European Union that invalidated the European Commission’s Safe Harbor Decision. The EU Commissioner welcomed the Article 29 Working Party’s statement and, in particular, its support for a new Safe Harbor framework by January 31, 2016. However, the EU Commissioner called for more clarity in the meantime. Accordingly, she announced that the European Commission will soon issue an explanatory document on the consequences of the CJEU’s ruling to provide guidance for businesses on international data transfers.
The Dutch Data Protection Authority (CBP) published a consultation document with draft guidelines on the breach notice obligation of data controllers in the Netherlands. Under the law, data controllers are required to provide notice of data breaches to the CBP and, under certain circumstances, to the affected individuals. This obligation will take effect on January 1, 2016.