Article 29 Working Party: Latest Opinions

April 11, 2011

The Article 29 Working Party (now sensibly easing towards calling itself the Data Protection Working Party) has adopted four new Opinions dealing with the following matters:

  • WP 181 – Opinion 10/2011 on the proposal for a Directive of the European Parliament and of the Council on the use of passenger name record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime
  • WP 182 – Opinion 11/2011 on the level of protection of personal data in New Zealand
  • WP 183 – Opinion 12/2011 on smart metering
  • WP 184 – Opinion 13/2011 on the current EU personal data breach framework and recommendations for future policy developments. 

The four Opinions can be accessed in full in English here 

The last mentioned (WP 184) is essential reading for data protection practitioners. 

PNR Data 

The passenger name Opinion (WP 181 – 10/2011) is a devastating critique of the proposal from the Commission for the use of passenger name record data across the EU. It concludes:

‘The Working Party considers that the necessity of an EU PNR system has not yet been proven and the measures proposed are not in line with proportionality principle, in particular as the system envisages the collection and retention of all data on all travellers on all flights. The Working Party also has serious doubts about the proportionality of systematic matching of all passengers against pre-determined criteria. 

The Working Party recommends first evaluating the existing systems and methods of cooperation and how they fit together to identify security gaps. If any exist, then the next step should be to analyse the best way to fill these gaps, which does not necessarily mean introducing a whole new system. The existing mechanisms could be further exploited and improved. 

If this proposed Directive comes into force it should ensure appropriate and adequate data protection measures and safeguards. The Commission should also consider whether any existing systems could be repealed as a result, such as the API Directive, to avoid overlapping measures.’ 

The Opinion also has some interesting criticisms of detail, eg highlighting the confusion in the proposal between the masking personal information and anonymisation. 

New Zealand 

The provision for data protection in New Zealand is analysed in Opinion 11/2011 (WP 182). Not surprisingly, it is considered by the Working Party to ensure adequate protection. But the Working Party ‘encourages the New Zealand authorities to take the necessary steps to address weaknesses in the current legal framework. In particular, the Working Party encourages the Privacy Commissioner to continue her call for strengthening the law in relation to direct marketing; and to maintain effective oversight of transfers from New Zealand to third countries which are not themselves subject to an adequacy finding.’ 

Smart Metering 

Smart meters enable functionalities such as providing detailed information about energy consumption, the ability to remotely read the meter, the development of new tariffs and services based on energy profiles and the ability to remotely deactivate supply. The Working Party does not attempt to present a comprehensive view on all specific aspects of smart metering programmes across member states because of the disparity between the States. It simply attempts to clarify the legal framework applicable to the operation of smart metering technology within the energy sector. 

The effect of the very varied situations in different Member States is that the Opinion is weak on specifics and vague in many of its generalities. Perhaps the main message of importance is that data protection law does indeed apply to smart metering (in the view of the Article 29 WP at least). The Opinion concludes that one point of real importance is that ‘Data subjects must be properly informed about how their data is being processed, and be aware of the fundamental differences in the way that their data is being processed so that when they give their consent it is valid’. 

Personal Data Breach Framework 

Opinion 13/2011 (WP 184) takes stock of the status and the way in which Member States are transposing the personal data breach provisions of the ePrivacy Directive in their national laws. It states that ‘pinpointing any developing differing national approaches might, even at this late stage, enable Member States to align their views and avoid fragmented implementation.’ The exercise has also given the Article 29 Working Party an opportunity to further reflect reach some conclusions as to future policy developments in the area of personal data breach notification. 

The Opinion puts forward various actions to be carried out by competent authorities and by the Working Party itself towards developing internal processes and setting forth cooperation procedures. It also focuses on new policy developments by recalling the overall scope and procedures for the expected policy actions regarding personal data breach and providing policy recommendations.  

A careful reading of this Opinion, and certainly its latter sections, is recommended.