Privacy & Cybersecurity Update Issue 3 | October 2014 - Europe, Middle East, And Africa

European Union

European Commission Designates Three New Members

The European Commission designated three new members of particular relevance to privacy and data security.

Read More

European Commission Promulgates Technical Standards to Make RFID Use Data Protection Compliant

The European Commission made available two new EU technical standards to help users of radio frequency identification ("RFID") tags comply with the requirements under the Data Protection Directive (95/46/EC). RFID tags are used to automatically identify and track objects by wirelessly exchanging electronically stored information with so-called readers. The illicit tracking of RFID tags poses a risk to personal location privacy as exact movement profiles can be generated. The first of the new standards provides for a checklist for retailers and other entities that supply goods with RFID tags, detailing how they should manage their use (EN 16571:2014). The second new standard is aimed at informing consumers that a product includes an RFID tag by attaching an EU-wide logo to the product (EN 16656:2014). The new standards are to be implemented by the EU member states at the national level by January 31, 2015, by publication of an identical national standard or by endorsement.

Article 29 Working Party

Article 29 Working Party Publishes Questions for Search Engines on Right to be Forgotten

The Article 29 Working Party (an independent advisory body composed of European data privacy authorities) met on July 24 with representatives of leading U.S.-based search engines to discuss the practical implementation of the ruling of the European Court of Justice regarding the right to be forgotten (case C-131/12, Costeja). The Article 29 Working Party also published a list of questions addressed to the search engines. The aim of the Article 29 Working Party's initiative is to publish guidelines, which are expected to be finalized in November.

Article 29 Working Party Releases Statement on Invalidation of Data Retention Directive

The Article 29 Working Party adopted a statement on the April 8 ruling of the European Court of Justice that invalidated the Data Retention Directive 2006/24/EC. The Working Party welcomed the ECJ decision, which was based on the fact that the data retention principles set forth by the Directive (i) entailed substantial interference with the fundamental rights to privacy and data protection, (ii) failed to limit such interference with what is necessary for the purpose of fighting "serious crime," and (iii) failed to define the guarantees applicable in connection with the data retention principles of the Directive. The Working Party pointed out that even though the national measures implementing the Directive are not directly affected by the invalidation of the Directive, member states should ensure that their national framework relating to data retention is in line with the grounds of the ECJ decision. In particular: (i) the national legal data retention obligations should...