UK's ICO Issues Code of Practice on Online Privacy

This month saw the launch of the ICO's first code of practice on online privacy, following extensive consultation earlier in the year. The code provides good practice advice for organisations providing goods and services using the web and explains how the Data Protection Act applies to the collection and use of personal data online.

The code is divided into the following 7 chapters, and also includes a helpful annex and glossary of terms, for those less familiar with online jargon. You can read on to see our summarised highlights of the code, but we also recommend reading the full guidance document on the ICO website, through the link provided above. It should be of particular interest to businesses engaged in behavioural advertising, online sales and cloud computing.



EU's Article 29 Working Party Provides Substantial Guidance

Quentin Archer, a partner in the London Office of Hogan Lovells, provides this report

The Article 29 Working Party (set up under Article 29 of the European Data Protection Directive) has been very productive over the last month as the summer holidays approach, issuing four opinions, one report and one set of FAQs.  In recent years we have come to expect these spikes in publications at the middle and end of each year, which are perhaps more a product of the Working Party's internal approvals process than any indication of unusual activity. 

Behavioral Advertising

In June, the Working Party issued Opinion 2/2010 (WP171) on online behavioral advertising.  The Working Party notes that both the E-Privacy Directive and the Data Protection Directive are relevant to online behavioral advertising, and goes into some detail on the requirements of the E-Privacy Directive (amended in 2009) that cookies should be employed for this purpose only with the informed consent of users.  It recommends that advertising network providers should limit in time the scope of consents given by users, offer the possibility for consents to be revoked easily and create visible tools to be displayed where monitoring takes place.  In relation to general data protection obligations, it emphasizes the importance of transparency regarding processing of personal data and points out that the responsibility for ensuring transparency will be shared between different service providers in relation to behavioral advertising.  However, the Working Party does not prescribe how legal obligations should be fulfilled from a technological point of view, and instead invites industry to undertake a dialog with it to explore how the legal framework set out in the Opinion can be satisfied.

For a more detailed discussion of the provisions of this opinion, see our analysis here.

Controller-Processor Standard Clauses

On 12th July 2010, the Working Party issued FAQs (WP176) designed to address issues raised by the entry into force of the Commission Decision of 5th February 2010 on the new controller-processor standard clauses.  Several of the FAQs address the situation where personal data is transferred from an EEA-based controller to an EEA-based processor and then to a non-EEA-based sub-processor, which is not specifically contemplated by the new clauses.  As the new clauses cannot be used to effect this, the Working Party suggests different solutions to address the problem.  The remainder of the FAQs answer a variety of questions which might arise where the processor to whom the data are transferred is located outside the EEA, such as whether a data exporter's consent to sub-processing must be specific or can be general, and whether sub-processing agreements can be made in respect of more than one data exporter.

Data Retention

On 13th July, the Article 29 Working Party issued Report 01/2010 (WP172) on its second joint enforcement action, which concerned the implementation of the Data Retention Directive (Directive 2006/24/EC).  The Data Retention Directive derogates from the provisions of the E-Privacy Directive by requiring Member States to ensure that certain categories of communications data are retained for periods of not less than six months and not more than two years.  This is in contrast to the general principle in Article 6 of the E-Privacy Directive, which requires such data to be erased or anonymised when it is no longer needed for the purposes of the transmission of a communication.

The data protection authorities of 25 EEA member states contributed to the joint enforcement action, circulating questionnaires and conducting onsite investigations in certain cases.  It was discovered that there were significant differences between Member States regarding retention of internet services traffic data, with variations in retention periods.  A more uniform picture emerged in relation to the retention of telephone traffic data.  The Working Party established that there was inconsistent implementation at domestic level as a result of differing views over the scope of the Directive, notably whether it was meant to be a derogation from the general obligation to erase traffic data upon conclusion of an electronic communication, or whether instead it affected only data which providers were already allowed to store for subscriber billing and interconnection payments purposes in accordance with Article 6(2) of the E-Privacy Directive.  The Working Party recalled its previous opinions on the Data Retention Directive and (awaiting the decision of the Commission as to whether or not to amend or repeal the Directive) it laid down specific recommendations to ensure increased harmonization, more secure data transmission and standardized handover procedures.

For a more detailed discussion of the provisions of this opinion, see our analysis here.

Accountability

Also on 13th July, the Working Party issued Opinion 3/2010 on the principle of accountability (WP173). The Opinion proposes that a new principle on accountability should be introduced (as part of amendments to the Data Protection Directive) which would require data controllers to put in place appropriate and effective measures to ensure that the principles and obligations set out in the Directive are complied with, and to demonstrate this to supervisory authorities upon request.  It is hoped that this will provide a practical means of ensuring the observance of data protection rules as well as helping data protection authorities in their supervision and enforcement tasks.

FEDMA

The third opinion, also adopted on 13th July was Opinion 4/2010 on the European Code of Conduct of FEDMA for the Use of Personal Data in Direct Marketing (WP174).  The approval of draft community codes of conduct is anticipated in Article 27(3) of the Data Protection Directive, and indeed the European Code of Conduct of FEDMA (the Federation of European Direct and Interactive Marketing) had been the subject of a previous favorable opinion of the Working Party in June 2003.  The subject matter of the present Opinion was an annex to the Code dealing with the specific problems created by the on-line world, with special reference to provisions designed to protect children.  The annex (which is exhibited to the Opinion) was approved by the Working Party and FEDMA was encouraged to promote it within the direct marketing sector.

RFID

The final July 13th opinion is Opinion 5/2010 on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications.  The opinion comments on an industry framework for RFID privacy impact assessments (PIA).  Although the Working Party agreed with the broad framework of the industry report, it indicated three concerns:  (1) no section of the PIA requires the RFID operator to identify risks associated with the RFID application; (2) the proposed framework fails to encourage the RFID operator to identify risks to individuals related to carrying RFID tags in everyday life; and (3) there is a lack of clarity regarding RFID tag deactivation in the retail sector.  As a result of these concerns, the Working Party stated that it could not endorse the proposed document.

EU Article 29 Working Party Report on ISP and Telecom Carrier Data Retention for Law Enforcement Purposes

Winston Maxwell, a partner in Hogan Lovells’ Paris Office prepared this entry.

On July 13, 2010 the EU's Article 29 Data Protection Working Party adopted a report (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_en.pdf) describing how ISPs and telecom carriers retain traffic data for law enforcement purposes in Europe. The European Data Retention Directive 2006/24/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML) was supposed to harmonize national laws on data retention. But according to the working party's report, harmonization is seriously flawed in a number of respects.


The report confirms what we have heard from a number of our communications clients: each Member State has slightly different rules for retaining traffic data for law enforcement purposes, particularly when it comes to IP-based communications. The retention periods differ from country to country, and the kinds of data to be retained are in many cases different as well. For a pan-European communications provider this creates a real headache, because specific procedures and systems have to be created for each Member State where the provider does business.


Vice-President of the European Commission Announces Talks with US on an Umbrella Data Protection Agreement for National Security Purposes

In a speech at the Atlantic Council in Washington, DC on 9 July, Viviane Reding, Vice-President of the European Commission responsible for Justice, Fundamental Rights and Citizenship, announced that she has begun exploratory talks with the United States for a comprehensive EU-US agreement on personal data protection standards to apply whenever personal data needs to be transferred across the Atlantic for the purposes of police and judicial cooperation in criminal matters.  Vice-President Reding said:  "The aim is clear: to provide legal certainty to data transfers by ensuring that all these transfers are subject to high standards of data protection on both sides of the Atlantic."

Also appearing at the Atlantic Council with Vice-President Reding was Department of Homeland Security Secretary Janet Napolitano who, according to the Atlantic Council web site,

noted that the United States has a long tradition of insisting on personal privacy — and is in some ways, such as a cultural antipathy to national identification cards and showing passports at hotel check-ins and the like, even more privacy conscious than Europe — the fact of the matter is that protection of personal data does not rise to the level of fundamental right in our society.

That difference in approach in the US from the EU, with its Charter of Fundamental Rights which very specifically guarantees a right to personal data protection, suggests that the road to a bilateral treaty will be long.

Likewise, the path to the EU recognizing the US as a country with "adequate protections" allowing the cross-border flow of personal data without the encumbrances of model contract clauses, the EU-US Safe Harbor or Binding Corporate Rules seems distant.  Still, at a dinner this author had with Vice-President Reding and her delegation following her Atlantic Council speech (and her deposit of the new EU "Bill of Rights" at the National Archives), I was able to preview some of the themes of my upcoming presentation at the PLI Privacy Law Institute in Chicago on Monday, 19 July entitled "Is the Tide Turning? The Impact of the HITECH Act & Other Federal Regulation."  I conveyed to Ms. Reding that the time has come for the EU to reappraise the US level of protection given the FTC's "common law of consent decrees" through which specific rules on data protection have arisen, given the forty-six state data security breach notification laws which have prompted heightened attention to the protection of personal data, and given the application and enforcement of the many other sectoral and geographic privacy laws.


German Privacy Watchdogs Require More Scrutiny When Transferring Data to the United States Under the Safe Harbor

Florian Unseld in the Hogan Lovells Munich office prepared this entry.  Florian specializes in data protection, information technology and intellectual property law. His work focuses on advising on all aspects of national and international data protection law including major cross-border projects. Florian also advises on the drafting and negotiating of contracts, software licensing and the legal form and realization of IT projects.

Introduction

The German authority, the Düsseldorfer Kreis, has issued an opinion that requires additional steps for German entities using the EU-US Safe Harbor for the transfer of personal data from Germany to the United States. 

This is a somewhat startling development as it previously was assumed that registration under the Safe Harbor by a US recipient of personal data from the EU was, by itself, adequate for the transfers to proceed.  Now, in Germany at least, greater diligence is required by the exporter of the data to the US to confirm that the Safe Harbor principles are followed by the recipient in the US.

The Düsseldorfer Kreis is a working group of representatives from Germany's sixteen state data protection authorities that provides a uniform "German" approach to data protection questions.  It issued a Decision (dated 28/29 April 2010) ("Decision") on the transfer of personal data from German companies to U.S. companies which are certified under the U.S.-EU Safe Harbor framework ("Safe Harbor"). The Decision responded to criticism of the Safe Harbor, in particular that (some) US companies represent that they are formally registered but do not adequately live up to the commitments the registration connotes. 

The representation by a U.S. entity that it is Safe Harbor certified now is not enough according to the Düsseldorfer Kreis because, in its view, European and U.S. regulators currently do not ensure that the U.S. companies comply with the self-certification.

The Federal Trade Commission in the United States is charged with enforcement of the Safe Harbor, to ensure that entities claiming registration are in fact registered and compliant.  See our previous report on FTC enforcement activity.  It appears that FTC enforcement power and its record of enforcement was inadequate in the eyes of the German officials.

What more is needed when the Safe Harbor is used for Germany-US personal data transfers?

German companies now are obliged to assess certain minimum criteria prior to transferring personal data to Safe Harbor-registered US companies:

(1) German companies exporting personal data must confirm that the US entity actually is registered on the Safe Harbor, and is not just claiming that it is registered.

(2) There must be confirmation that the US recipient is fulfilling its Safe Harbor obligations of notice to individuals whose data is collected; specification of the purpose for which the data is collected and used; disclosure of whatever third parties subsequently receive the data once it is transferred to the US; provision of a mechanism for data subjects to limit the use and disclosure of data; and a complaint process for data subjects.

(3) The German company must also document its assessment and provide its documentation to the competent data protection authority upon request.

(4) In case any infringement of the Safe Harbor Principles or the expiration of a registration is detected, the data protection authorities should be informed.

Perspective

European regulators take data protection seriously and are taking steps to bolster enforcement. German companies transferring personal data to the US now have to be careful which Safe Harbor certified company they choose, or whether to switch to other approved safeguards (e.g., Standard Contractual Clauses), an alternative solution proposed by the Düsseldorfer Kreis.  It remains to be seen whether this additional level of Safe Harbor diligence will be required by other European regulators.


EU Article 29 Working Party Decrees Strict Opt-In Standards for Behavioral Advertising Data Collection

On June 22, the Article 29 Working Party established by the 1995 European Directive on Data Protection published an opinion declaring that online advertisers who want to target ads by tracking consumers' surfing habits must obtain the consumers' affirmative opt-in consent to such data collection. At the same time, the Working Party lauded certain privacy-enhancing practices incorporated into behavioral advertising today and it encouraged industry to develop technologies to comply with the framework and “to exchange views” with the Working Party on the use of such technologies.

Behavioral Advertising is Regulated in the EU by Two Primary Sources

The Working Party explained that the behavioral advertising ecosystem is regulated in the EU by two primary sources. The first is Article 5(3) of EU Directive 2002/58 (the ePrivacy Directive), which requires organizations wishing to store or access information on an individual's computer to obtain the consent of the individual before doing so. The ePrivacy Directive is to be implemented in the national laws of EU member states by June 2011.

The Opinion explained that since behavioral advertising relies on the placement of cookies (small data files) on individuals’ computers to aid in the tracking of their web browsing habits, the ePrivacy Directive applies. In addition, the Opinion went on to specify that if the behavioral advertising involves the collection of any personally identifiable information (PII), including an individual’s IP address (which is recognized as PII in the EU), then the EU Directive 95/46/EC (the Data Protection Directive) also applies.

Opt-In Consent Requirement and Opt-Out Deficiencies Explained

The major theme of the opinion is that under the ePrivacy Directive, meaningful, informed consent must be obtained from an individual before any information is collected and used for behavioral advertising purposes. The opinion went a long way in discussing what the Working Party considers to be meaningful consent in the behavioral advertising context.

Currently, consumers can "opt out" of behavior tracking through control panels offered by certain online advertising services or by relying on default web browser settings through which Internet users automatically accept all cookies that websites request to place on their computers. Users are therefore automatically “enrolled” in behavioral advertising, and can only stop the practice (if they know it is occurring) by blocking or deleting cookies.

The Working Party rejected this “opt-out” approach, concluding that it does not sufficiently allow individuals the ability to exercise choice on whether to share their information with behavioral advertisers. Instead, it stated that notice to individuals should explicitly reference the ad network that will place the cookie and describe how the information will be used once it is collected. Then, the individual should be given the opportunity to “opt in” to the sharing of their information for behavioral advertising purposes. 

Once a user opts in, separate consent would not need to be obtained every time the user visited a website participating in the ad network, but separate consent would need to be periodically obtained (the opinion did not specify a time period) and the user would need to be afforded the opportunity to easily revoke consent.

Room for Innovation

While the Working Party charted a path for behavioral advertisers to follow in the EU, it also left room for behavioral advertisers to deviate from that path, so long as they utilize methods to ensure that users understand and sufficiently consent to behavioral tracking. Specifically, the Working Party cited the Future of Privacy Forum’s efforts in developing icons to place on targeted ads with links to additional information, and called these efforts an example “which the Working Party finds both positive and necessary.” It also recognized tools that enable users to access the preference profiles maintained about them by ad networks, and to modify them and erase them if desired. A final area that the Working Party cited for improvement was the provision of privacy-protective default settings for web browsers, a development it called “paramount.”

Other Obligations

The Working Party drew on other legal sources, most prominently the Data Protection Directive, to list some other obligations for those engaging in behavioral advertising. Specifically, it stated that:


Second Revision of People's Republic of China Consumer Rights and Benefits Protection Law Includes Data Privacy Rules

This post was provided by Julia Peng of Hogan Lovells' Beijing office.

On 19 October 2010, the People’s Republic of China (“PRC”) State Administration of Industry and Commerce ("SAIC") issued the Second Revision of the PRC Consumer Protection Law (Draft for Comments) (the "Draft Consumer Law"). A significant addition to the Draft Consumer Law is a provision for the protection of consumers’ personal data.

According to Article 14 of the Draft Consumer Law, consumers enjoy the right to have their personal data protected when purchasing and using goods and services. The same article also clarifies the scope of the personal data which is protected. It includes a consumer's name, gender, age, profession, contact details, health condition, family, properties, purchase records and other information closely related to the consumer or their families.


Reform of Hong Kong's Personal Data Privacy Legislation: Public Consultation Period Ends

This post was provided by Gabriela Kennedy and Olivia Lennox-King Stewart of Hogan Lovells’ Hong Kong office.

The Constitutional and Mainland Affairs Bureau (the "CMAB") published a Consultation Document on the Review of the Personal Data (Privacy) Ordinance (the "Consultation Document") on 28 August 2009, inviting comments on the proposed amendments. The consultation period closed on 30 November 2009.

Prior to the Consultation Document being released, the Privacy Commissioner for Personal Data presented to CMAB and the Government the results of his own review of the Personal Data (Privacy) Ordinance (the "Ordinance"). The Consultation Document included some but by no means all of the issues captured in the Commissioner’s review.

In November 2009, the Commissioner released his submissions on the Consultation Paper, responding to the proposals CMAB had formulated. The Commissioner states in his submissions that they were intended to "let the public know more about the issues before making their submissions", and noted that the Government's proposals were "more moderate and conservative than those made by the Commissioner".  


European Article 29 Working Party calls on Google, Microsoft and Yahoo! to improve users' online privacy protection

by Lionel de Souza

On May 26th, the European working party on data protection established by article 29 of the 1995 European Directive on Data Protection (the "Working Party") sent letters to the three main search engine providers, Google, Microsoft and Yahoo!, to express its concern about how the search engine providers protect the online privacy of their users.

These letters follow a number of exchanges that have taken place over the past two years between the Working Party and the companies.  The process started with the Working Party's March 2008 opinion on search engines, which was later followed by a questionnaire to search engine providers and a hearing in February 2009.

In response to the Working Party's opinion, Google, Microsoft and Yahoo! all publicly announced amendments to their respective policies regarding the term of retention and anonymization of user data.  While these modifications generally have been welcomed as improvements of search engine practices, the Working Party still considers them insufficient.  Overall, the Working Party points to:

(1) the insufficient level of anonymization of data implemented by search engines or the lack of complete information to appreciate the appropriateness of such measures; and

(2) the excessive term of retention of user data (especially in consideration of possible cross-referencing).

Based on these elements, the Working Party states that it "cannot conclude that [these companies comply] with the European Data Protection Directive" and "urges" them "to review their anonymization claims and make the process verifiable."

To do so, the Working Party recommends that all three search engine providers implement and submit to an auditing process which would be conducted by external and independent third parties.  It is interesting to note that such an auditing procedure does not rely on any specific legal ground imposed by the European data protection legislation and that the search engines are therefore under no obligation to implement such a procedure.  If they did agree to an audit,  however, a number of questions would arise, such as the adequate frequency at which audits should be conducted or the publicity of the results of the audits. 

Finally, the Working Party, taking into account the "strong international component of this debate", sent copies of the three letters to the FTC (as well as to the European Commission Vice-President in charge of Justice, Fundamental Rights and Citizenship, Viviane Reding) to share its concerns and to request an inquiry into whether these practices comply with Section 5 of the Federal Trade Commission Act, which prohibits "unfair or deceptive acts or practices in the marketplace".

In a general context of increased attention in the European general public with regards to issues of privacy, the reactions by the search engines and the FTC to the issues raised will be closely scrutinized.

The Working Party's letters can be found here.

European Commission's Digital Agenda for Europe: Privacy is Key and Review of Privacy Legislation Slated

Special thanks to Lionel de Souza in the Hogan Lovells Paris Office for this entry.  Lionel specializes in issues relating to privacy and data protection, e-commerce, the liability of technical intermediaries, IT contracts, outsourcing, online compliance, the intellectual property aspects of information technology and the Internet and encryption. He has a masters degree in digital law and new technologies from the university of Paris and an LL.M from the University of Edinburgh.

The European Commission published its "Digital Agenda for Europe" on 19 May 2010. The document presents a number of future measures designed to "maximize the social and economic potential" of information and communication technologies ("ICT").  Unsurprisingly, privacy is an important focus.

As a starting point, the Commission sets out seven areas which it regards as problematic and in need of revision to foster economic growth based on ICT.

These seven issues are (1) the existence of fragmented digital markets within the European Union; (2) the lack of interoperability on European markets; (3) the rise of cybercrime and the risk of low trust in networks; (4) the lack of investment in networks; (5) insufficient research and innovation efforts; (6) the lack of digital literacy and skills; and (7) the missed opportunities in addressing societal challenges (e.g. environmental concerns).

To make improvements in these areas, the Commission emphasizes that privacy and data protection will play an essential role.  Throughout the document, the Commission underlines the need to increase trust in the ICT and internet services and  that such trust necessarily includes confidence in the protection of privacy and personal data.

The Commission set as one of its key actions to "review the European data protection regulatory framework with a view to enhancing individuals' confidence and strengthening their rights by the end of 2010". It has also set out its intention to promote and progressively impose on goods and services providers the concept and notion of "Privacy by Design", to include, in its review of the data protection framework, the possible "extension of the obligation to notify data security breaches" and to give guidance, by 2011, "for the implementation of a new telecoms framework with regards to the protection of individuals' privacy and personal data".


The document is ambitious and has the potential to have an important impact on operators and to allow for the development of business using ICT in the coming few years.


The European Commission's Digital Agenda for Europe can be found here.

Geneva Meeting of Hogan Lovells Privacy Lawyers Demonstrates Global Reach; Webinar on 20 May to Focus on Trans-Atlantic Challenges Facing Multinationals

While the Hogan Lovells Chronicle of Data Protection primarily is designed for news and analysis of developments in the field of privacy and data protection, we want to take the opportunity of the recent combination of Hogan & Hartson with Lovells to inform our readers of the global breadth and depth of our practice. While each of the legacy firms was celebrated for its privacy and information management practices, the coming together of the lawyers from the two firms has created a practice group that is unparalleled in the world.  Hogan Lovells helps clients address privacy and data protection globally and in regard to specific national laws in countries around the world, through our 40 offices in the Americas, Europe, the Middle East and across Asia.

In the coming weeks, we will detail the privacy practices resident in various offices around the world.


Last week, selected partners from the global privacy and information management practice met in Geneva, Switzerland to discuss practice coordination and cooperation, and to focus on how we together can better serve our clients as a unified group.   (Regrettably, some of the partners scheduled to participate were grounded due to the Icelandic ash cloud including, notably, practice co-leader Marcy Wilder). Joining the discussion and pictured above are (from left to right)  Winston Maxwell (Paris), Quentin Archer (London), Steffan Schuppert (Munich), Gonzalo Gallego (Madrid), David Taylor (Paris), Marco Berliri (Rome), Wim Nauwelaerts (Brussels) and practice co-leader Christopher Wolf (Washington).


To provide an illustration of our global capabilities, tomorrow (20 May 2010) the firm will host a webinar entitled "Hogan Lovells Trans-Atlantic Discussion on the Privacy Challenges Facing Multi-National Corporations". This will be the first webinar by the Privacy and Information Management Group at Hogan Lovells, featuring privacy lawyers on both sides of the Atlantic from the former Hogan & Hartson and Lovells. Quentin Archer (London), Steffan Schuppert (Munich), Wim Nauwelaerts (Brussels), Lynda Marshall (Washington), Marcy Wilder (Washington) and Christopher Wolf (Washington) will explore contemporary privacy law challenges facing companies doing business in multiple jurisdictions around the world, such as:


  • Cross-Border Transfers of Data Internationally
  • Managing Employees in Multiple Jurisdictions
  • Online Marketing Issues Around the World
  • Data Security and Data Breach Requirements
  • The Obligations Concerning Health Data Around the World
  • National Trends with International Ramifications


The panelists will explain how a coordinated international approach to privacy compliance is cost-effective and is an optimal way to limit risk and protect privacy.


Readers of the Hogan Lovells Chronicle of Data Protection are cordially invited to attend our webinar.  Please register by clicking here.

Irish Court: IP addresses not personal data

In an April 16, 2010 judgment, the High Court of Ireland decided that a settlement agreement entered into between Ireland's largest ISP, Eircom, and EMI, Sony Music, Universal Music and Warner Music did not violate Ireland's data protection law. The settlement agreement was signed after the record labels sued Eircom over its failure to take action to discourage peer-to-peer copyright infringement on its network. In the settlement, Eircom agreed to implement a graduated response mechanism with its customers, pursuant to which Eircom would send warnings to customers who had been detected participating in unauthorized file sharing. If a customer ignored Eircom's warnings, Eircom would cut off that customer's Internet access. This sanction would be applied on a purely contractual basis, based on the customer's violation of Eircom's terms of use. The subscribers' identities would never be shared with the record companies or with the police. The detection of illegal file sharing would be conducted by a third-party service provider, DetectNet, which would collect IP addresses and communicate them to Eircom.

The Irish data protection authority believed that the settlement would violate Irish data protection laws.  The court was asked to answer three questions:

1. Whether the IP addresses collected by DetectNet are personal data before they are transferred to Eircom.

2. Whether Eircom's processing of personal data to implement the graduated response mechanism is legitimate.

3. Whether the personal data processed by Eircom are "sensitive" because they relate to a criminal offense.

For the first question, the court held that the IP addresses in the hands of DetectNet are not personal data. Under the Irish Data Protection Acts, data are personal only if the individual can be identified from them, alone or together with other information that is in, or is likely to come into, the possession of the data controller; the court found it not "likely" that DetectNet would have the means or the motivation to find out the names or addresses of the persons behind the IP addresses. The court read the word "likely" as used in the Irish law as meaning "probably."

For the second question, the court found that the processing is justified because of the subscriber's consent to Eircom's terms of use, and also because the processing is necessary for the performance of a contract and for compliance with a legal obligation.  

For the third question, the court held that the graduated response mechanism deals solely with civil infringement, and not with alleged criminal infringement.  Alleged criminal infringement involves an intentional element that is absent from the mechanism implemented by Eircom.

On the IP address issue, I invite readers to look back at the Article 29 Working Party's opinion on the concept of personal data (Opinion 4/2007, WP136), particularly page 15.

Regarding "graduated response" in general, I invite readers to review a previous update on the French Constitutional Court decision, and Gerry Oberst's blog entry on Internet Freedom and Data Privacy.

The Irish decision is creating controversy, particularly as European Member States are debating net neutrality and the proposed ACTA treaty.

Article 29 Working Party Provides Guidance On Data Controller/Processor Concepts

Who is in “control” of personal data and who merely processes personal data on behalf of a data “controller”? These are essential questions for purposes of compliance with EU data protection requirements, yet answering them can be quite problematic in practice. The EU Data Protection Directive defines the controller as the person or entity that determines, alone or jointly with others, the purposes and the means of the processing of personal data. The processor, on the other hand, is the person or entity that processes personal data on behalf of the controller. Applying these concepts to a practical case may have been straightforward in the early days of the Directive, but in today’s Web 3.0, RFID and cloud computing environments many are perceiving the controller and processor distinction as archaic and, most importantly, unworkable in practice. At the same time, under the current legal regime the distinction is crucial in order to determine who is responsible for compliance with EU data protection rules, what Member State laws apply, and which data protection authorities are competent to supervise data processing operations.  

Last November in Madrid, when the 31st International Conference of Data Protection and Privacy Commissioners adopted the “International Standards on the Protection of Personal Data and Privacy”, there was a spark of hope that the controller and processor concepts would not survive the upcoming review of the EU data protection framework. The Standards use the more pragmatic concepts of “responsible person” (instead of “controller”) and “processing service provider” (instead of “processor”).

However, on 16 February 2010, the Article 29 Working Party (WP) adopted an opinion (Opinion 1/2010, WP169) on the concepts of “controller” and “processor”, in which it takes the position that there is no reason to assume that the current distinction between controllers and processors is no longer relevant or workable. The Article 29 WP acknowledges that applying these concepts to concrete situations can be complex, which is why it provides specific guidance in its opinion to ensure a consistent and harmonized approach throughout the EU.

The Article 29 WP’s opinion includes a comprehensive analysis of the controller and processor concepts as well as practical examples and rules of thumb on how to approach the concepts pragmatically. Without going into any level of detail, here are just a few of the Article 29 WP’s pearls of wisdom that can be found in the Opinion:

  • In many cases, responsibility as data controller can be attributed on the basis of an assessment of the factual circumstances. Contractual terms can often clarify the issue, although they are not decisive under all circumstances. Even if a contract is silent on who is the controller, it can still contain sufficient elements to assign the responsibility of controller to the party that apparently exercises the dominant role in that regard.
  • The data controller must determine the purposes and the means, i.e., the “why” and the “how”, of the processing activities. The crucial question, however, is at what level of detail a party must determine purposes and means in order to be considered a data controller. According to the Article 29 WP, whoever decides on the “purposes” of a data processing operation is the controller. The data controller can delegate the determination of the “means” of the data processing as far as technical or organizational measures are concerned, but substantial decisions that may affect the lawfulness of the processing (e.g., how long the data will be stored) are reserved to the data controller.
  • In some cases, several persons or entities may determine the purposes and means of a particular data processing operation and therefore qualify as “joint controllers”. Although contractual arrangements can be useful in assessing joint control, they should always be checked against the factual circumstances of the parties’ relationship. Parties acting jointly also have a certain degree of flexibility in sharing and allocating data protection obligations and responsibilities, as long as full compliance is ensured.
  • A data processor is a separate legal person or entity from the data controller that processes personal data on the data controller’s behalf. The data processor is called on to implement the data controller’s instructions, at least with regard to the purposes and the essential means of the processing. The lawfulness of the processor’s data processing therefore depends on the specific mandate given by the controller. A data processor exceeding that mandate could be viewed as assuming the responsibilities of a (joint) controller.

The Article 29 WP’s opinion provides useful explanations and guidance in general, and its analytical approach is helpful. It is perhaps regrettable that the many examples in the opinion do not always include in-depth discussions of the specific issues raised (for instance, data processing by recruitment agencies or in the context of clinical trials).

Internet Freedom and Data Privacy

On 22 February, the European Data Protection Supervisor (EDPS) released an unsolicited opinion on EU negotiations of an Anti-Counterfeiting Trade Agreement (ACTA). The EDPS expresses some strong opinions on the use of the “three strikes law” and other measures to control copyright violations by Internet users that might be in the ACTA. The EDPS is not subtle – he declares that “[s]uch practices are highly invasive in the individuals’ private sphere. They entail the generalised monitoring of Internet users’ activities, including perfectly lawful ones.” The opinion describes how a “three strikes” or similar approach might be set up, as well as the applicable EU data protection and privacy legal framework (in paragraphs 23 to 26). It then issues harsh conclusions (paragraphs 81 to what should be 88 but is mis-numbered as 80). The EDPS “strongly encourages” the Commission to set up a public and transparent dialogue on ACTA (which so far has been secret). He insists that the Commission strike a correct balance between “demands for the protection of intellectual property rights and the right to privacy and data protection,” which should be taken into account at the beginning of the negotiations. In his view:

85. …three strikes Internet disconnection policies are not necessary to achieve the purpose of enforcing intellectual property rights. The EDPS is convinced that alternative, less intrusive solutions exist or, at least, that the envisaged policies can be performed in a less intrusive manner or at a more limited scope, notably through the form of targeted ad hoc monitoring.

In the last paragraph of the conclusion the EDPS insists on being consulted on the measures to be implemented. EDPS opinions are not legally binding, but they can be influential indicators of how data privacy laws might be interpreted.

European Commission Updates Model Clauses for International Data Transfers

International transfers of personal data are heavily restricted under EU data protection rules. As a general rule, transfers from an EU/EEA Member State to recipients in countries outside the EU/EEA are only permitted if the laws of the recipient country ensure an adequate level of data protection. There are only limited exceptions to this rule. For instance, organizations may transfer personal data to countries outside the EU/EEA that do not ensure an adequate level of data protection if they have entered into a data transfer agreement using one of the sets of EU approved standard contractual clauses. Up to now, the European Commission has approved three sets of contractual clauses: two of these sets apply to transfers from data controllers to other data controllers, while the third set has been drafted for transfers from data controllers to recipients who act as data processors only. In EU privacy parlance, if organizations hold or process personal data without taking responsibility for or control over the data (e.g., payroll service providers), they are viewed as “processors”.     

On February 5th, the European Commission adopted a new decision (Decision 2010/87/EU) modifying the standard contractual clauses for “controller to processor” transfers of personal data and repealing the original decision (Decision 2002/16/EC) that introduced these clauses back in 2002. The European Commission considered it necessary to adjust the existing standard contractual clauses to meet the growing challenges of global outsourcing. As more and more organizations are transferring personal data not only to a “processor” but also to one or more “sub-processors” (and sometimes “sub-sub-processors”) outside the EU/EEA, the original standard contractual clauses were no longer suitable for dealing with these complex onward transfers.

So what’s new about the updated set of standard contractual clauses?  The most important novelty is the inclusion of a specific subcontracting clause, which imposes a number of requirements on parties wishing to use sub-processors. Sub-processing will, for example, require the prior written consent of the data controller, while the data processor must put in place a written agreement with each sub-processor that mirrors the terms of the “controller to processor” agreement. In some cases it may be possible to meet this requirement by having the sub-processor co-sign the data transfer agreement between the controller and processor including the standard contractual clauses.      

New UK government website for public access to official data

The UK government has announced plans to launch a new website, www.data.gov.uk, which will allow public access to official data, and has called on the inventor of the web, Sir Tim Berners-Lee, to assist. The website aims to improve transparency and will be similar to the US site data.gov, which already includes information from the US Department of Defense and NASA.

The plan, initiated by PM Gordon Brown last year, is to develop a website where the public can find information and make reports to public service providers, including traffic and crime statistics. In addition, various applications will be available to enable users to discover details of planning applications (PlanningAlerts) or report potholes (FillThatHole).

So far the site has been in test mode, for developers to try out its features and provide feedback. Once 'live', it is hoped that public users will benefit from having the information and services in one place and see it as an alternative to requesting disclosure under the Freedom of Information Act, as BBC News reports: http://news.bbc.co.uk/1/hi/technology/8470797.stm

Media & Communications Briefing Highlights Privacy Issues

The fifth edition of Hogan & Hartson’s Media & Communications Briefing, whose editor-in-chief is Hogan Partner Winston Maxwell, has arrived! (Winston also is a member of the privacy and data security practice group.) This quarterly briefing updates our clients on legal and regulatory developments from around the world in the Telecommunications, Media and Entertainment, and High Technology sectors. This edition features several stories of particular privacy interest.

The briefing includes articles on the following topics:

  • New Commission, New Framework
  • The Digital Dividend Auction in Germany
  • Bloggers Beware: The FTC is Watching
  • EU Reform Brings New Cookie Rules
  • U.S. Universal Service Reform: Is 2010 the Year?
  • Online Music Retailing: Towards Borderless Business
  • French Government Releases Decree on Motion Picture Tax Credit
  • Smart Grids
  • Interview: French Copyright Law
  • Digital Switchover
  • Middle East International Film Festival and the Circle Conference


European DP authorities issue "Future of Privacy" roadmap

The Article 29 Working Party of European data protection authorities (the “WP29”) published in early January a roadmap charting the future of privacy legislation in the EU. Entitled “The Future of Privacy – Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data,” the WP29 roadmap contains insight into areas of likely reform of European privacy law in the coming years. After an introduction describing the history and constitutional underpinnings of privacy legislation in the EU, the Future of Privacy roadmap outlines nine areas of needed reform:

1. Extend EU privacy legislation to law enforcement, former “third pillar” areas, which were heretofore excluded from the EU Data Protection Directive.

2. Consider modifying the criteria for determining when EU privacy law applies to controllers located outside the EU, particularly where non-EU established controllers target their activities at EU residents, through advertising and local language sites.  WP29 says it is currently preparing a detailed opinion on the applicability of EU law.

3. Support global standards, in furtherance of the so-called Madrid Resolution adopted on November 6, 2009, and increase international cooperation between data protection authorities.

4. Include “Privacy by Design” as an obligation applicable to all actors in the ICT (information and communications technology) sector.  Privacy by design should focus on principles such as data minimization, controllability, transparency, user friendly systems, data confidentiality, data quality and use limitations.

5. Empower citizens by increasing their ability to enforce privacy rules, including via class actions and alternative dispute resolution (ADR) mechanisms. Increase transparency obligations for the benefit of users and clarify the concept of user “consent.”

6. Increase accountability obligations for data controllers by imposing across-the-board data breach notification obligations (currently data breach obligations apply only in the electronic communications sector), and by encouraging self-audits, privacy impact assessments, and external certification procedures.  

7. In exchange for increased self-enforcement and accountability measures, WP29 suggests lifting many administrative filing obligations with data protection authorities, reserving filing only for cases where there is a serious risk to privacy.  Even in those cases, filing could be streamlined where organizations have conducted privacy audits or privacy impact assessments.

8. Impose minimum requirements to ensure that national data protection authorities are sufficiently independent and effective, including that they have sufficient funding.

9. Require the implementation of privacy impact assessments and related accountability measures for law enforcement organizations.

Adopted on December 1, 2009, but made available on the WP29 website only recently, the WP29 Future of Privacy roadmap is a contribution to the European Commission’s consultation on reform of EU privacy legislation, a consultation which closed on December 31, 2009. Other contributions to the consultation have also been published.

China's First Criminal Case Regarding the Infringement of the Security of Personal Information

By Jun Wei

On January 3, 2010, the Guangdong Provincial Higher People's Court announced the first enforcement action following the extension of Chinese criminal law to include the protection of personal information. In that action, the Zhuhai Xiangzhou District Court sentenced an individual to one and a half years in prison and imposed a fine on him in the amount of RMB 2,000 (approximately US $295) for the crime of illegally obtaining the personal information of citizens. This is the first known case in China regarding the infringement of personal information security.

The law upon which the action was based, the 7th Amendment to the PRC Criminal Law, was promulgated on February 28, 2009 by the Standing Committee of the National People’s Congress.  It includes provisions imposing criminal penalties for the infringement of personal information security, specifically targeting two types of infringement:  (i) the sale or illegal disclosure of information obtained by personnel in government agencies or financial, telecommunications, transportation, educational or medical institutions in the process of performing their duties; and (ii) the theft or illegal access of personal information by other individuals. 

Both types of conduct carry severe consequences: imprisonment of not more than three years, criminal detention of not more than six months, and/or a fine (imposed alone or together with another penalty). Where an entity is convicted of infringement, a monetary penalty shall be imposed on the entity, and the officer directly responsible and any other persons directly responsible for the illegal acts shall be subject to the same criminal penalties that apply to natural persons.

According to news reports, in December 2008 the defendant in this case, Zhou Jianping, a resident of Zhuhai, Guangdong Province, illegally obtained the phone numbers and call history records of 14 government officials and sold them for RMB 16,000 (approximately US $2,353). The purchaser, in conspiracy with six other people, then used this information to impersonate the government officials and extract RMB 830,000 (approximately US $122,060) from the officials' relatives.

The defendant did not appeal and the judgment took effect December 14, 2009.

EU-US Safe Harbor Developments Described in NYMITY Interview

Hogan Privacy and Data Security Co-Chair Chris Wolf recently gave an interview on recent developments under the EU-US Safe Harbor to Nymity, which published it in its free online newsletter. In the interview, Chris discusses the recent FTC enforcement efforts under the Safe Harbor as well as the alternative methods available to parties seeking to transfer data from the EU to the US other than through the Safe Harbor framework.

Article 29 Working Party Claims Breach of PNR-Agreements

In a letter to the European Commission dated 4 December 2009, the European data protection authorities gathered in the Article 29 Working Party claim that the US and Australia are violating their respective Passenger Name Record (PNR) agreements with the EU. The letter - a copy of which was recently published on the website of the Dutch data protection authority - urges the European Commission to take immediate action to halt the breach and to resolve the matter with its US and Australian counterparts.   

The EU/US PNR Agreement

The EU/US PNR Agreement, which has been in force since 26 July 2007, is already the third agreement between the EU and US establishing a legal framework for transferring EU-sourced PNR data to the US Department of Homeland Security (DHS). On the basis of assurances from DHS that the data will be safeguarded, the EU has agreed to the release by air carriers transporting passengers between the EU and the US of certain PNR data contained in their reservation systems. The 2007 Agreement changed the mode of data transmission from a “pull” system (DHS retrieving data directly from the carrier's reservation system) into a “push” system (the carrier transmitting the required data itself), at least for those air carriers complying with DHS’ technical requirements. However, the Article 29 Working Party has now found that the US authorities continue to “pull” PNR data through terminals based at their offices, even in cases where airlines are compliant with DHS’ technical requirements. According to the Article 29 Working Party, DHS currently has access to all PNR data for all flights by a particular airline, even if the flights have no connection with the US. The Article 29 Working Party further claims that the continued practice of pulling data is a clear breach of the Agreement, constituting “a sound reason to terminate the Agreement”. Under the Agreement, the EU has an exclusive remedy if it finds that the US has committed a breach: the EU can terminate the Agreement and revoke its determination that DHS is ensuring an adequate level of data protection. If the EU applies this remedy, the practical ramifications for air carriers will be significant in terms of EU data protection law compliance.

The EU/Australia PNR Agreement         

The EU/Australia PNR Agreement was entered into on 30 June 2008 to provide a legal basis for the processing and transfer of EU-sourced passenger name record data by air carriers to the Australian Customs Service. The Agreement applies to airlines that have reservations systems and/or PNR data processed in the EU and operate flights between the EU and Australia. The Agreement allows for 19 different types of information - including travel itineraries and payment details but excluding sensitive personal data such as race or religion - to be shared with Australian Customs for the purpose of preventing and combating terrorism and other serious crimes.

According to the Article 29 Working Party, the Australian authorities are receiving all passenger PNR data from airlines rather than just the data specified in the Agreement. The Article 29 Working Party claims that Australia is violating the terms of the Agreement by demanding more information (than listed in the Agreement), which suggests that some EU-sourced PNR data are currently being processed by Australian Customs without adequate protection. The Agreement foresees the possibility to initiate a joint review of each party’s implementation of the Agreement, which appears to be the Article 29 Working Party’s preferred course of action to remedy this situation.

To be continued…   

French Supreme Court invalidates whistle-blowing code

By Sarah Jacquier and Winston Maxwell

On December 8, 2009, the French Supreme Court found illegal a Code of Business Conduct put in place by the Dassault Group for compliance with Sarbanes-Oxley requirements.

Dassault’s Code of Business Conduct had two aspects: It (i) required employees to obtain an approval from their employer prior to using any information (not just confidential information but all information used for “internal purposes”) that employees could have knowledge of in the course of their employment and (ii) put in place a whistle-blowing policy whereby employees could - but had no obligation to - report any breach of the Code of Business Conduct, in accounting, financing, and anti-corruption matters. However, the policy also contemplated the possibility for employees to report any breach of the Code of Business Conduct in other matters (e.g. intellectual property rights, confidentiality, discrimination, harassment) to the extent the breach threatened Dassault Group’s vital interests or an individual’s physical or psychological integrity.

The Court ruled that requiring employees to obtain the prior approval of their employer before using any and all internal information infringed employees’ freedom of speech, which may be limited only in a proportionate manner. The prohibition was too broad, and therefore the proportionality test was not satisfied.

As far as the whistle-blowing policy is concerned, the Court ruled that the policy could not cover matters other than accounting, financing, and anti-corruption. In France, whistle-blowing policies need to be approved by the French data privacy authority (the “CNIL”) because their enforcement may lead to sanctions against employees. In 2005, the CNIL published a blanket authorization which generally authorizes whistle-blowing policies in France for Sarbanes-Oxley compliance purposes, but this authorization is limited to pure accounting, financing and anti-corruption matters. If a whistle-blowing policy exceeds the scope of the blanket authorization, it needs to be authorized on an individual basis. Otherwise, the whole policy will be deemed invalid, as confirmed by the Supreme Court’s decision.

Most international groups are reviewing the French versions of their Codes of Conduct to ensure that they comply with this new ruling.

European Data Protection Supervisor Issues Press Release on ePrivacy Directive

ePrivacy: On 9 November, the European Data Protection Supervisor (EDPS) issued press release 09/13 on the ePrivacy Directive, which will be amended soon as part of the E-Communications Regulatory Framework. The EDPS is an independent body responsible for data protection within EU institutions. As would be expected, it takes an expansive view of data privacy, because that is its sole focus and responsibility. The EDPS titled its press release “improvements on security breach, cookies and enforcement, and more to come.” It expanded on this theme with the following:

  • For the first time in the EU, a framework for mandatory notification of personal data breaches.  Any communications provider or Internet service provider (ISP) involved in individuals’ personal data being compromised must inform them if the breach is likely to adversely affect them.  Examples of such circumstances would include those where the loss could result in identity theft, fraud, humiliation or damage to reputation.  The notification will include recommended measures to avoid or reduce the risks.  The data breach notification framework builds on the enhanced provisions on security measures to be implemented by operators, and should stem the increasing flood of data breaches;
  • Reinforced protection against interception of users’ communications through the use of - for example - spyware and cookies stored on a user’s computer or other device.  Under the new Directive users should be offered better information and easier ways to control whether they want cookies stored in their terminal equipment;
  • The possibility for any person negatively affected by spam, including ISPs, to bring effective legal proceedings against spammers; and
  • Substantially strengthened enforcement powers for national data protection authorities.  They will for example be able to order breaches of the law to stop immediately and will have improved means of cross-border cooperation.

These provisions could impose substantial new requirements for industry.  The data breach requirement in particular could lead to heightened security for all companies – after a 26 October seminar on data breach protection, the EDPS stated: 

data controllers, together with other stakeholders, [must] adopt proper risk management in order to appropriately mitigate the risk of such breaches.  It was stressed that this will not only require technological solutions but also organisational measures, including increasing the responsibility of the highest management levels of entities concerned.  They should also promote the development of adequate safeguards and facilitate a more transparent distribution of responsibilities.

In light of this emphasis on the new provisions, it will be necessary in the near term to consider company procedures on data protection and breach notification, to the extent that a company or its affiliates provide public electronic communications services.

UK Takes Step That Likely Will Result in Significantly Increased Penalties for Data Breaches

In a move that likely will result in a significant increase in civil penalties that can be assessed in the UK for data security breaches, this month the UK Ministry of Justice began consultation on the introduction of a maximum civil monetary penalty for serious breaches of the Data Protection Act 1998 (DPA), entitled ‘Civil Monetary Penalties: Setting the maximum penalty’.

The prospect of a maximum financial penalty was introduced into the DPA in 2008 by the Criminal Justice and Immigration Act 2008, but has yet to be implemented. After the consultation closes on 21 December 2009 it is likely to become law in April 2010.

French Senators propose data breach legislation; restrictions on cookie use

On November 6, 2009, French Senators Détraigne and Escoffier introduced a bill that would impose new data breach obligations, as well as strengthen the sanctioning power of the French data protection authority, the CNIL.  Senators Détraigne and Escoffier delivered last May a report on privacy in the digital age on behalf of the Senate's committee on legislation, and the new bill is a follow-up on the measures recommended in the May report.  

The proposed new bill would:

  • State that "any address or number identifying terminal equipment connected to a communications network" is personal data.  This provision is intended to end the debate in France on whether IP addresses are personal data.  Unfortunately, the effect of the proposed provision could be that in the future IP addresses of any device or object connected to the Internet, even a box of cereal, will be viewed as personal data;
  • Require that government agencies and certain companies appoint a data protection officer;
  • Increase notification obligations of data controllers before they process personal data;
  • Impose an opt-in regime for cookies unless they are strictly needed for communication purposes or to permit access to an online service;
  • Impose a broad security obligation on data controllers and an obligation to inform the CNIL of any data breaches.  The proposed language contains no minimum threshold after which a breach would be deemed significant enough to warrant a notification;
  • Facilitate data subjects' ability to request deletion of personal data; and
  • Increase the CNIL's sanctioning powers, and allow victims of privacy violations to bring suit before their own local court instead of being obligated to sue in the court where the data controller is located.

The provisions facilitating data subjects' ability to access and delete personal data are part of a broader French government campaign to create a citizen's "right to be forgotten" on digital networks.  French Digital Minister Nathalie Kosciusko-Morizet organized a roundtable on the "right to be forgotten" on November 12, 2009, and indicated that the French government would raise the issue at the Internet Governance Forum in Sharm El-Sheikh.

Debates on the text will begin in March 2010.  It is not clear whether the proposed bill will be supported by the French government, which may prefer to defer legislation on some of the issues until final adoption of the revised ePrivacy Directive.  Given the recent statements of Digital Minister Nathalie Kosciusko-Morizet on the "right to be forgotten" on the Internet, it is likely that the provisions facilitating a citizen's right to access and delete personal information on the Internet will receive the immediate support of the French government, and this could result in legislation fairly soon.

EU ePrivacy Directive and Cookies: The Consent Requirement May Not Be as Broad as Believed

The Wall Street Journal has reported that “the Council of the European Union has approved new legislation that would require Web users to consent to Internet cookies.”  But it is not quite as clear-cut as that quote suggests.  The consent requirement relates to cookies that collect personal data (an important qualification), and some cookies appear to fall outside of the consent requirement.

Last week the Council of the European Union and the European Parliament reached an agreement on the EU telecom reform, as a result of which the ePrivacy Directive is expected to be amended shortly. Following adoption of the revised ePrivacy Directive, the EU Member States have 18 months to transpose the Directive’s provisions into their national legislation. One of the proposed amendments that has recently triggered the attention of several commentators on both sides of the Atlantic is the so-called “cookie law”.

The new ePrivacy Directive will include a provision requiring the EU Member States to ensure that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing”.

There is no doubt that this provision is intended to cover the use of cookies, even if the provision does not specifically refer to cookies. Moreover, the Article 29 Working Party has previously expressed the view that the “neutral” wording chosen is not limited to cookies but extends to any other technology that could be used to track users’ behavior through their browser.

The specific reference to the EU Data Protection Directive (95/46/EC) is important because it limits the consent requirement to personal data, as opposed to other types of information. In the opinion of the Article 29 Working Party as well as many data protection authorities throughout the EU, persistent cookies containing a unique user ID are personal data and therefore subject to applicable data protection rules. Arguably some cookies (or similar technologies) may not meet these criteria and therefore fall outside the scope of the law.

As far as the consent requirement is concerned, the law is not entirely clear on how and when to obtain consent. The new provision does not explicitly refer to “prior” consent, but the use of the past tense (“has given”) suggests that the European legislator wanted to make sure that users are offered an opportunity to refuse cookies and the like before these are delivered to users’ computers.

So how will consent have to be obtained in this specific context? Although the jury is still out on this question, the recitals of the legislative proposal include the following, perhaps interesting suggestion: “where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application”.

Earlier this year, the Article 29 Working Party strongly objected to the idea of using default browser settings as a means to provide consent. Concerned about the possible erosion of the definition of consent and a subsequent lack of transparency, the Article 29 Working Party opined that: “most browsers use default settings that do not allow the users to be informed about any tentative storage or access to their terminal equipment. Therefore, default browser settings should be “privacy friendly” but cannot be a means to collect free, specific and informed consent of the users, as required in Article 2 (h) of the Data Protection Directive. With regard to cookies, the Working Party is of the opinion that the controller of the cookies should inform its users in its privacy statement and may not rely on (default) browser settings”. In light of the recitals approved by the Council and the Parliament, it would perhaps be useful if the EU data protection authorities could reach a consensus (and subsequently provide guidance) on this issue.

UK Government consults on custodial sentences for data protection offences

Under the Data Protection Act 1998 (“DPA”), it is an offense to knowingly or recklessly obtain or disclose personal data, or the information contained in personal data, without the consent of the data controller.  Section 55 of the DPA details the offenses and any exclusions, or defenses, which may apply.  It also sets out the procedure for monetary penalties to be imposed.  Under the current law, the maximum penalty for those found guilty of offenses such as selling personal data is a £5,000 fine in the Magistrates Court and an unlimited fine in the Crown Court.  However, cases leading to substantial fines are rare.

The Ministry of Justice (which oversees the Information Commissioner’s Office) has recently announced a consultation exercise to decide whether to introduce tougher penalties for breaches of section 55, DPA, which could lead to the introduction of custodial sentences for those convicted.  Although provision was made to introduce prison sentences through the Criminal Justice and Immigration Act 2008, this has yet to be implemented and is subject to the consultation exercise, which is expected to close on 7 January 2010.

If adopted as law, the maximum penalty for the knowing or reckless misuse of personal data would be a prison sentence of up to 12 months (if heard in the Magistrates Court) or up to 2 years (if heard in the Crown Court).  This is an important development for the ICO, which has fairly limited powers of enforcement, and is arguably a necessary response to the increasingly serious breaches of the DPA involving the misuse of personal data.

French CNIL comments on nanotechnologies

On October 15, 2009, the French Data Protection Authority, the CNIL, issued a white paper regarding the privacy risks of nanotechnologies.  In its white paper, the CNIL attempts to identify the privacy risks associated with RFID tags that are so small they can be injected into the human body.  The CNIL mentions RFID tags used to trace Alzheimer's patients, which the CNIL considers would satisfy the proportionality test set forth in French law.  Other tags, such as an RFID tag injected under the skin that permits nightclub patrons to pay for their drinks, are more problematic.

The risks outlined in the CNIL document are not unlike those already identified in connection with RFID devices and the “Internet of things.”  Of particular concern are the small size and potential ubiquity of tracing devices, both of which make it difficult for citizens to control the personal data that is collected about them.  The CNIL recommends application of Privacy by Design methodology to nanotechnologies so that privacy is incorporated into nanotechnology applications from the time of their initial design.  The same recommendation applies to the security of these devices.  In fact, the CNIL emphasizes the security risk that viruses or malware could be introduced into nanotechnologies so as to permit them to be used for improper purposes.  To prevent this, the CNIL recommends integrating security by design into nanotechnologies through a multi-disciplinary and cooperative approach.

The CNIL mentions several key principles that should guide any nanotechnology application, such as the right for citizens to “turn off” the device thereby guaranteeing the right to “be forgotten” and to remain anonymous. 

In its white paper the CNIL also recommends clear labeling of nanotechnology applications, comparing nanotechnologies to genetically modified foods for which France has required special labeling which informs consumers about the product being purchased before actual purchase.  The CNIL further suggests that French law should be broadened to ensure that the CNIL has responsibility to implement these general principles, although it does not suggest specific language or legislation.

In conclusion, the CNIL’s white paper on nanotechnologies is not fundamentally different from the European Commission’s recommendations on RFIDs, except that the CNIL puts more emphasis on bioethical issues, undoubtedly because many nanotechnology applications will in some way be linked to the human body, which obviously raises significant privacy issues.

The CNIL's paper was issued as part of a national debate on nanotechnologies, organized by the French government in the Spring of 2009.

Free On Demand Webinar - "Navigating the Privacy Challenges: Crossing the Line in Cross-Border Data Transfers"

Lawyers from Hogan & Hartson offices in London, Paris, Brussels, Berlin and Washington recently presented a webinar in partnership with the Association of Corporate Counsel for Europe, entitled

Navigating the Privacy Challenges: Crossing the Line in Cross-Border Data Transfers

The program, now available in "on demand" format, provides an overview of the law governing international data transfers, as well as two case studies illustrating the practical issues involved in such data transfers.  The webinar concludes with a summary of "hot privacy topics" in the US and a question and answer session.  Complimentary access to the webinar, including the PowerPoint deck, is available.

FTC Settles Safe Harbor Enforcement Actions with Six Companies

In its first wave of Safe Harbor enforcement actions, the Federal Trade Commission announced settlements on October 6th with six companies over misrepresentations that they were current with their Safe Harbor certifications.  In each case, the company had self-certified its compliance with the Safe Harbor Program through the Department of Commerce, but did not keep its annual certification current, while still representing that it was a valid member of the Safe Harbor Program.

The FTC brought the enforcement actions under its Section 5 authority, alleging that the companies’ misrepresentations are deceptive.  The scope of the FTC’s actions is limited to the companies’ lapsed certification and did not address whether the companies were compliant with the substantive requirements of the Safe Harbor Program.

The proposed settlement agreements, open for public comment until November 5th, prohibit each company from misrepresenting its membership in any privacy, security, or other compliance program sponsored by the government or any other third party.  In addition, the proposed terms require each company to comply with reporting and compliance obligations, including the retention of documents relating to its compliance with the order for 5 years and the submission of initial compliance reports to the FTC.

The key take-away from these actions is that the FTC is going to be more pro-active in its scrutiny of members of the Safe Harbor Program.  We anticipate more enforcement actions under Section 5 based on misrepresentations about compliance with Safe Harbor obligations, and likely further actions against companies with lapsed certifications.


The FTC complaints, proposed settlements and related documents are available at http://ftc.gov/opa/2009/10/safeharbor.shtm.

French CNIL Issues Data Security Tips

On October 12, 2009 the CNIL issued ten recommendations for companies to help protect their data.  The recommendations are fairly basic, ranging from implementing a rigorous password policy to ensuring that only authorized personnel have access to the company’s computer room.  The recommendations have an important pedagogical role, however, and illustrate that the CNIL is broadening its scope of focus from its traditional role of defining under what conditions personal data can be processed in France to dealing with the results of that processing, in particular focusing on the prevention of data breaches.

For those familiar with the security recommendations issued by ENISA, the European Network and Information Security Agency, the CNIL’s recommendations may seem quite rudimentary in comparison.  ENISA has issued a number of detailed recommendations on data security, and it is unfortunate that the CNIL did not refer to the excellent ENISA work in this area.  See, for example, ENISA's 2009 papers "10 Security Awareness Good Practices" and "Information Security Awareness in Financial Organizations - Guidelines and Case Studies."  However, the CNIL's recommendations may only be a first step, and it will be interesting to see whether the CNIL's guidance evolves as concern about data breaches continues to grow.

Eye-Spy: CCTV on the Internet

It sounds like an ‘April fool,’ but the story this week that people can sign up to a new internet game where they spot crimes on CCTV cameras posted in Britain and earn points for doing so might actually be true.  Both the Daily Mail and the Guardian’s online news pages featured stories about this bizarre game, which may be launched in November 2009 following a trial in Stratford-upon-Avon.

Customers have the opportunity to sign up to the service and have their CCTV monitored by the public in return for a fee.  Footage from the camera would be streamed on to a website to be used in the game.  Shopkeepers are an obvious target market for the service, but the police, local authorities and home owners may also be encouraged to sign up.

According to press releases, the service provider ‘Internet Eyes,’ offers users (players of the game) the chance to “earn reward money, have a chance at reducing crime, potentially become a hero and save lives.”  Users would compete to earn up to £1,000 per month, collecting points for viewing live CCTV footage and pressing a button whenever they see any suspicious activity.  If and when a crime is suspected, these alerts will be sent, by SMS, to the customer, in real-time, allowing them to take immediate action, or no action, as they wish.  Apparently it is possible to lose points for a false alarm and a ‘3 strikes and you’re out’ rule will apply.

The website also promises to feature a so-called ‘rogue’s gallery’ of ‘criminals,’ with details of their offenses and details of the user responsible for spotting them.

Internet Eyes says its service aims to reduce crime, but civil liberties campaigners and the assistant information commissioner have their doubts about the legality of the idea itself.  Disclosing images of identifiable individuals on the internet for entertainment raises serious issues under the Data Protection Act and the Human Rights Act.  The Guardian reports that the ICO will be ‘talking to’ Internet Eyes shortly.  Watch this space!

New Notification Fee for Data Controllers in the UK

The United Kingdom Information Commissioner's Office ("ICO") has announced that with effect from 1 October 2009, a new notification fee of £500 will be payable by some larger organizations.  This is the first change to the fee structure since the Data Protection Act 1998 became law in 2000.

Notification is the process by which data controllers register with the ICO.  It is a mandatory requirement for organizations which process personal information in the UK.  

The new £500 per annum fee will apply to a higher tier of:

• data controllers in the private sector with a turnover of £25.9 million or more and 250 or more members of staff; and

• data controllers in the public sector with 250 or more members of staff.

The standard notification fee is otherwise £35 per year and this will remain so for organizations in the lower tier category.  The ICO has also confirmed that registered charities will not pay the higher fee, regardless of their size.

The increase in fees for larger organizations will, according to the ICO, help increase activity in terms of audits and investigations.   An interesting comment, which should be noted by data controllers.

Uruguay Close To Receiving EU Adequacy Recognition?

Uruguay may be on its way to becoming the second Latin American country recognized by the European Commission as offering an adequate level of data protection. Last month, the Uruguayan government adopted a set of regulations implementing the country’s 2008 Personal Data Protection Act (Law 18331). The implementation of this new law, as well as the creation of a national data protection authority last May, are expected to have a positive impact on the European Commission’s assessment as to whether or not Uruguay’s data protection rules meet EU adequacy standards.

The EU Data Protection Directive (95/46/EC) provides that the transfer of personal data from EU Member States to non-Member States may in principle only take place if the laws in the recipient country ensure an adequate level of data protection.  The European Commission can decide that a non-EU country has adequate protection if the country’s legal framework covers all the basic data protection principles (set out in the Directive) and if there is an enforcement system in place ensuring the effectiveness of that framework.  To date the European Commission has issued adequacy decisions in favor of Argentina, Canada, Guernsey, the Isle of Man, Jersey, Switzerland, the U.S. Department of Commerce’s Safe Harbor Principles, and the transfer of air travelers' data to the U.S. Department of Homeland Security.

Uruguay filed a request for EU adequacy recognition in October 2008, and the preliminary reactions so far appear to be favorable. However, the recognition process is unlikely to be completed before the end of the year. An adequacy decision from the European Commission will allow personal data to flow freely from the EU to Uruguay, without the need for additional data privacy safeguards. EU recognition will help Uruguay boost its outsourcing industry and attract more EU-based companies looking for providers of administrative, financial and other data processing services in Latin America.


Amendment to French HADOPI "three strikes" law adopted by parliament

This past June France enacted an Internet anti-piracy law commonly known as the "HADOPI" or "three strikes" law, because after a certain number of warnings an online infringer's Internet access would be cut off.  On June 10th, the French Constitutional Court found a portion of the law unconstitutional.  Specifically, the court held that because terminating an individual's Internet access affects that individual's right to free expression, a fundamental right, a decision to terminate access must be made by a court after a careful balancing of interests.  Because the HADOPI law gave Internet access termination power to an administrative agency, the court held that grant of authority unconstitutional.  Further background on this decision can be found in our update on the HADOPI law and the French Constitutional Court's decision.

On September 22, 2009, the French parliament passed a bill intended to remedy the enforcement gap left by the court's decision.  This bill, known as HADOPI 2, empowers French courts, instead of the HADOPI administrative agency, with the authority to cut off the Internet access of copyright infringers or of individuals who are manifestly negligent in their duty to protect their broadband access line against illegal downloading.

The cornerstone of the new law is an affirmative duty imposed on French broadband subscribers to take measures to ensure that their broadband access is not used for infringing file sharing.  If the subscriber ignores this duty and the broadband access is used for illegal downloading, the subscriber of the line may have his or her Internet access cut off for a limited time.  If the subscriber installs certain approved protection technologies (and no one is yet sure what those technologies will be), the subscriber will be deemed to have fulfilled his or her duty of care.


Germany Introduces Data Breach Notification Rules

On July 10, 2009, the Federal Council (Bundesrat) finally passed an important amendment to the Federal Data Protection Act (FDPA), which imposes comprehensive obligations on data controllers in case of a loss or unlawful transmission of personal data to third parties (data breach). The new rules apply as of September 1, 2009. 

The legal obligation of a data controller to notify data breaches to the affected individuals and to the relevant data protection authorities (usually, the state’s data protection commissioner – Landesdatenschutzbeauftragter) is restricted to the loss or unlawful transmission of sensitive data, i.e. personal data revealing (i) racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and information on an individual’s health or sex life, (ii) information that constitutes a professional secret, (iii) information regarding criminal activities or administrative offenses, or (iv) information relating to bank accounts or credit card accounts.

In addition to the requirement that the personal data subject to the data breach must fall within one of the categories specified above, the loss or unlawful transmission of such personal data to a third party must constitute a severe threat to the rights or legitimate interests of the individuals involved. If these two requirements are met, the data controller must, first of all, immediately (“without undue delay”) inform the competent data protection commissioner of the data breach, providing (i) a precise description of the data breach itself, (ii) information regarding the potential consequences and risks of such breach, and (iii) the measures that have been or will be taken by the data controller in order to mitigate the negative impacts of such breach. As a second step, the data controller must notify the individuals involved without undue delay, provided, however, that the controller has located the leak which led to the data breach and taken all measures to prevent further unlawful access by third parties through that leak (“responsible disclosure”). Where personal data relating to potential criminal acts or administrative offenses has been breached, the individuals involved will only be informed by the controller if doing so does not put an ongoing criminal investigation at risk.

Generally, each individual whose personal data has been breached must be informed by the data controller. However, if the information duty would lead to extraordinary and unreasonable costs (i.e. if the data breach affects a large number of people), the data controller can meet its obligation by publishing a detailed notification (of at least half a page) in two newspapers which are published throughout Germany.

The amendment to the FDPA, which is clearly inspired by U.S. data breach notification laws, is an important contribution to the protection of consumers. It remains to be seen, however, how corporations and data protection authorities will deal with the fact that notification obligations only apply if a data breach poses a severe threat to important rights and legitimate interests of individuals.

French Data Protection Authority Issues Recommendations in the Context of U.S. Discovery

On August 19, 2009, the French Official Journal published the French Data Protection Authority's (‘CNIL’) long-awaited recommendations on the transfer of personal data for U.S. discovery purposes (‘Recommendations’, currently only available in French). The Recommendations were based at least in part on suggestions from a working group composed of representatives from all stakeholders, which was set up by the CNIL in 2008. The CNIL’s Recommendations are particularly useful for companies that find it difficult to reconcile French data protection and blocking statute limitations with U.S. discovery demands.

It is perhaps no surprise that the Recommendations largely echo the views of the Article 29 Working Party, which provided EU-wide guidance on pre-trial discovery for cross-border civil litigation earlier this year. Like the guidance from the Article 29 Working Party, the Recommendations do not apply to investigations by U.S. federal authorities or criminal offenses in the U.S. relating to data destruction.
