Article 29 Working Party: Important New Guidance

December 3, 2014

Hot on the heels of its guidance on implementing the Google Spain judgment, the Article 29 Working Party has produced a formal Opinion on device fingerprinting and has published a working document with the catchy title of ‘Working Document Setting Forth a Co-Operation Procedure for Issuing Common Opinions on “Contractual clauses” Considered as compliant with the EC Model Clauses’.

Opinion 9/2014 on the application of Directive 2002/58/EC to device fingerprinting, which was adopted on 25 November, addresses what it describes as ‘serious data protection concerns for individuals’ arising from the use and proposed use of device fingerprinting. It gives the example of the use of device fingerprinting as an alternative to HTTP cookies for analytics and tracking. The Opinion indicates to third parties who process device fingerprints so as to gain access to the user’s ‘terminal device’ that valid consent is required unless an exemption applies. The same principle applies to the use of device fingerprinting for storing information on the user’s terminal device. The Opinion makes it clear that device fingerprints can constitute personal data. It is worth noting the broad definition of device fingerprint which is adopted by the Working Party for the purposes of its Opinion (see para 3 of the Opinion).

The Working Document, which was adopted on 26 November, sets out in its introduction the need for a new procedure and recognises some of the current difficulties faced by lawyers in seeking approval:

                    Article 26.2 of Directive 95/46/EC enables companies to make use of contractual clauses to adduce sufficient safeguards to legally frame international transfers of personal data from EU.

                    • To facilitate the use of contractual clauses, the European Commission has previously issued three decisions on standard contractual clauses. Two of these said decisions regulate transfers from data controllers to data controllers, while the third regulates transfers from data controllers to data processors.

                    • In many Member States, national authorisations are not only required for the use of ad hoc contracts but also for the use of Model Clauses. In practice, when a contract is compliant with the standard contractual clauses, it reduces the number of national authorizations required for the international transfer of data (depending on national legislation).

                    • Most contracts currently used by companies to legally frame international transfers are either entirely based on the standard contractual clauses, or are mostly based on them with some divergences such as additional clauses. Some of these divergences, however, have no impact on whether the contract is considered as “compliant” with the set of standard contractual clauses adopted by the EU Commission.

                    • In some situations, identical clauses are used in different Member States to frame the same type or similar transfers starting from those different Member States. For instance, in certain corporate groups, data systems are centralized outside the EEA; and subsequently, the same set of contractual clauses are signed by the different EU subsidiaries.

                    • In those situations, different DPAs may be tasked with analysing the same contract in order to assess its compliance with a model clause. Therefore, there is a risk they do not come to the same conclusion.

                    With this document, the Article 29 Working Party is creating a procedure enabling companies who are willing to make use of identical contractual clauses (which are based on Model Clauses with some divergences such as additional clauses) in different Member States, in order to: frame transfers from different EU Member States; obtain a coordinated position of the competent DPAs regarding the proposed contract; and decide in particular if the contract is still in conformity with a standard contractual clause.