Article 29 Working Party

The online world is increasingly shaped by forces beyond our control.  Algorithmic processing agents are used by a wide range of web publishers, online retailers and social media companies to determine the kinds of stories that are feature to online readers, the advertisements that are targeted to online shoppers, and the search results they see, to name just a few of the ways in which these hidden programs predict the shape and content of our online experience.

US and EU privacy regulators have developed different models for managing the potential negative impacts of online profiling. In a recent article for the ABA Journal of Media, Information and Communications Law, Ballard Partner Phil Yannella examines these differing approaches.

Among the more significant changes under the GDPR are new limitations on the use of consent to permit the processing of personal data. Recent WP29 guidelines on consent expand on previous opinions (for example Opinion 15/2011 regarding the definition of consent or Opinion 06/2014 regarding the legitimate interests of data controllers) and confirm that the use of consent must pass a very high bar to be effective under the GDPR.

Consent is one of six lawful bases to process personal data under the GDPR.  Article 4(11) of the GDPR defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Continue Reading Analysis: WP29 Guidelines on Consent Under the GDPR

With the May 2018 deadline for compliance with the General Data Protection Regulation (GDPR) inching closer, U.S. multinational companies have been eagerly awaiting guidance from the Article 29 Working Party on key provisions, such as the use of algorithms to make processing decisions, the new 72-hour response period for data breaches, the meaning of consent under the GDPR, and the appointment of a Data Protection Officer. Over the next few weeks, we will be providing our analysis of recent WP29 guidance.

Today, we begin with new guidelines addressing the use of algorithmic processing engines – what the GDPR calls “automated decision-making.” According to the Guidelines, profiling is an automated form of processing, carried out on personal data, the objective of which is to evaluate personal aspects about a natural person. Continue Reading Analysis: Article 29 Working Party Guidelines on Automated Decision Making Under GDPR