Article 29 Working Party Rebuffs European OBA Industry... Again

In an opinion adopted on December 8, the EU Article 29 Working Party again rebuffed the Online Behavioral Advertising (OBA) industry’s self-regulatory proposal for the placement of cookies on European citizens’ computers for the purposes of targeted advertising while only providing notice and offering an opportunity to opt out of the tracking. If you didn’t catch it the first, second, third, or fourth time around, the Working Party again proclaimed that European law requires affirmative, opt-in consent prior to the placement of any cookie for tracking purposes. In this most recent opinion, the Working Party broke down the OBA industry proposal, and then—in a rebuttal of the industry’s contention that the opinion will result in the proliferation of dreaded browser pop-up windows—offered up a number of methods of obtaining consent not involving pop-ups.

What Went Wrong

Much of the opinion is dedicated to describing which elements of the self-regulatory proposal, in the view of the Working Party, violate EU law, particularly in the areas of notice, choice, and data retention. Though some of these criticisms are not new, the Working Party crystallized its viewpoints on the issue, including the following.

(1)    An icon accompanying targeted ads that is linked to the information website www.youronlinechoices.eu does not provide adequate notice. 

In its June 2010 OBA opinion, the Working Party cited the use of contextual icons attached to ads that can be clicked to learn about cookies and express preferences as an example “which the Working Party finds both positive and necessary.” The current opinion, however, made clear that icons are not sufficient to provide notice because consumers today don’t know what they mean. That said, the Working Party recognized the usefulness of icons as a means to complement other forms of notice, but only after the user has provided consent to process data for OBA purposes (or if used to direct the user to a more fulsome mechanism to obtain consent). In that context, the Working Party suggested that the word “advertising” alongside the icon is not sufficient even to inform users that the ad uses cookies for OBA purposes, and stated “at minimum” the language should include the phrase “personalized advertising.”

The Working Party also took the opportunity to reiterate its position from its 2010 OBA opinion that at minimum, notice for OBA should include:

  • what entity is responsible for serving the cookie and collecting the related information;
  • that the cookie will be used to create profiles;
  • what type of information will be collected to build such profiles;
  • the fact that the profiles will be used to deliver targeted advertising; and
  • the fact that the cookie will enable the user’s identification across multiple websites.

(2)    The use of an opt-out cookie is not sufficient to provide consent.

The industry proposal would permit consumers who visit the www.youronlinechoices.eu website to download an opt-out cookie to record their refusal to participate in OBA. In addition to criticizing the proposal for not following an opt-in approach, the Working Party noted other aspects of the opt-out system that it believed violated EU law, including that:

  • “it has been demonstrated that” ad networks continue to collect information from users’ computers even after the opt-out cookie is downloaded;
  • the approach does not offer the possibility of managing and deleting previously installed tracking cookies; and
  • the www.youronlinechoices.eu website itself contains links to a number of JavaScript functions that collect personal data (such as IP addresses) without consent.

(3)    The notice to users lacks necessary provisions on the scope of data collection and data retention.

The Working Party took the position that notice to users about OBA must disclose how much data is collected by the different advertising networks, how long it is stored, and for what purposes it is processed. At minimum, the notice should address the period during which consent can be considered valid, and after which data must then be deleted.

What Went Right

The Working Party did commend the industry proposal in a couple areas. It noted the proposal’s “interesting approaches” on how to make consent mechanisms more effective, such as industry’s commitment to engaging in educational initiatives to inform individuals and businesses about OBA. The opinion also, unsurprisingly, welcomed the proposal’s principle that a user’s explicit consent is required prior to creating or targeting OBA segments that make use of sensitive data (i.e., data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life).

Suggestions for Consent

One of the most frequent complaints about the Working Party’s position on OBA has been that by requiring opt-in consent for targeted advertisements, users will be subjected to countless pop-up requests whenever a website wishes to place a cookie. The Working Party opinion attempted to dispel this notion by proposing a number of alternatives to or ways to mitigate the annoyance of pop-ups, including:

  • An opt-in cookie approach: Under such an approach, the first time a user visits a website served by an ad network, the ad network can display a message on the page prompting the user for consent to participate in OBA (the Working Party suggests that this message can be where the ad normally would appear). If the user then opts in, he or she can receive targeted advertising on all websites associated with that ad network without having to be prompted again for consent. If the user declines, the ad network should place an opt-out cookie.
  • A static information banner on the top of a website: Such a banner, like the one present on the website of the UK Information Commissioner Office, would request the user’s consent to set cookies, with a hyperlink to a privacy policy containing a full notice.
  • A splash screen upon entering a website: Users would be presented with the option to consent before entering the website, such as when breweries require users to confirm they are of age before they enter the site.
  • Click-to-consent: The Working Party singled out the method used by the German e-zine Heise that defaults a button associated with cookies to light grey. Only once the user clicks on and “activates” the button will the cookie be placed and the third party be able to send and receive user data. This process, however, would need to be transparent to users.
  • Browser plug-ins: Though the Working Party repeatedly has said that browser settings permitting users to opt out of cookies are not sufficient to provide informed consent, it would support default opt-out browser settings accompanied by ad network plug-ins and extensions through which users would indicate their wish to opt in to online tracking. Interestingly, this is the polar opposite of the opt-out browser plug-ins available today, which assume tracking as the default and permit users to opt out of OBA.
  • Where a website uses several ad providers, group together all necessary consent requests in one presentation: This would remove the need for users to confront multiple, serial pop-ups. As an example, the Working Party cited the interface on www.youronlinechoices.eu, which provides a single interface to permit users to opt out of multiple ad networks.

The Working Party also noted that EU law does not require informed consent for certain cookies necessary to facilitate the user’s requested services, such as session cookies, shopping basket cookies, and security cookies (though notice is required before placing these cookies). Therefore, no additional consent mechanisms are required to place these cookies.
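The opt-in cookie approach and the "strictly necessary" exemption described above, as an added JavaScript example that is not from the Working Party opinion or any ad network's code. The cookie name `oba_consent`, its `choice:expiry` value format, the purpose labels and the 180-day validity period are assumptions made for this example; the point it adds is that the consent record itself carries the period for which consent is valid, so an expired opt-in leads back to a consent request rather than to silent tracking.

```javascript
// Constructed cookie name; its value is "in:<expiry>" or "out:<expiry>" (Unix seconds).
const CONSENT_COOKIE = "oba_consent";

// Purposes the Working Party lists as not needing prior consent (notice is still
// required). Any other purpose is treated as tracking and gated on opt-in.
const EXEMPT_PURPOSES = new Set(["session", "shopping_basket", "security"]);

// Parse a Cookie header / document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar.set(name, decodeURIComponent(part.slice(eq + 1).trim()));
  }
  return jar;
}

// Recorded consent state for this ad network: "in", "out" or "unknown".
// A malformed or expired record counts as "unknown", i.e. the user is asked again.
function consentState(cookieString, nowSeconds) {
  const raw = parseCookies(cookieString).get(CONSENT_COOKIE);
  if (!raw) return "unknown";
  const [choice, expiryText] = raw.split(":");
  const expiry = Number(expiryText);
  if ((choice !== "in" && choice !== "out") || !Number.isFinite(expiry)) return "unknown";
  if (nowSeconds >= expiry) return "unknown"; // consent period is over
  return choice;
}

// Decide whether a cookie for the given purpose may be set, and whether the
// consent request should be rendered (the opinion suggests: in the ad slot).
// The third-party script is only inserted into the page when `allow` is true.
function decide(cookieString, purpose, nowSeconds) {
  if (EXEMPT_PURPOSES.has(purpose)) {
    return { allow: true, prompt: false, reason: "strictly necessary; notice only" };
  }
  const state = consentState(cookieString, nowSeconds);
  if (state === "in") return { allow: true, prompt: false, reason: "prior opt-in recorded" };
  if (state === "out") return { allow: false, prompt: false, reason: "opt-out recorded; do not ask again" };
  // First visit across the network, or consent expired: set nothing yet, ask.
  return { allow: false, prompt: true, reason: "no valid decision recorded; request consent" };
}

// Build the Set-Cookie value that records the user's answer. Declining stores an
// opt-out cookie so the user is not prompted again on other sites of the network.
function recordDecision(accepted, nowSeconds, validitySeconds = 180 * 24 * 3600) {
  const expiry = nowSeconds + validitySeconds;
  const value = `${accepted ? "in" : "out"}:${expiry}`;
  return `${CONSENT_COOKIE}=${value}; Max-Age=${validitySeconds}; Path=/; Secure`;
}
```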


Details of EU Data Protection Reform Reveal Dramatic Proposed Changes

EU privacy law is under scrutiny and proposals for change are coming.  The European Commission (EC) last year announced an upcoming reform of the EU Data Protection Directive (95/46/EC), which was a hot topic of last week’s IAPP Europe Data Protection Congress in Paris (in which Hogan Lovells privacy lawyers from around the world participated).  Changes are anticipated near the end of January. Some of the details of those changes, however, have emerged earlier than expected, as this week the EC circulated for comment two proposed legal instruments that likely will form the baseline of the EU’s data protection framework for years to come.

The first legal instrument is a draft General Data Protection Regulation, which sets forth a general framework for EU data protection and is intended to replace the 16-year-old Data Protection Directive with a region-wide regulation.  The fact that the instrument is fashioned as a regulation is significant. Under EU law, regulations have binding legal force as soon as they are passed, whereas directives must be enacted into law by each individual EU Member State.   A frequent criticism of the Data Protection Directive was that the EU Member States enacted and applied it differently, leading to uneven implementation and forum shopping. By changing the format to a regulation, there is less room for variation between the Member States, which in theory should lead to greater certainty for EU citizens and organizations. 

The draft Regulation contains a number of significant changes to the Data Protection Directive, particularly in the areas of (1) jurisdiction, governance, and cross-border transfers, (2) data subject rights, (3) data controller/processor obligations, and (4) remedies, liability, and sanctions. These changes include:

Jurisdiction / Governance / Cross-Border Transfers

  • The declaration that EU data protection law applies to data controllers outside of the EU when processing activities are “directed to” or “serve to monitor the behaviour of” EU data subjects, including for commercial or professional services such as offering products or services. Factors to be considered when determining whether processing activities are “directed to” EU data subjects include (a) the international nature of the activities; (b) the use of a language or a currency other than the language or currency generally used in the country in which the controller is established; and (c) the use of a top-level domain (e.g., “.co.uk” or “.com”) other than that of the country in which the controller is established.
  • The use of Binding Corporate Rules (BCRs) to legitimize intra-company cross-border data transfers to countries without data protection laws deemed “adequate” by the EC would be streamlined and extended, including the use of BCRs to cover data processors and groups of companies, and with an eye to covering cloud computing. Unlike the current process, in which BCRs must be reviewed by at least three DPAs (one “lead” and two “reviewers”) and some Member States require additional authorization, BCRs would be validated only by one lead DPA. Once a BCR is validated by the lead DPA, it would be valid for the whole EU without needing authorization from any other Member State.
  • Each data controller or processor would be subject only to the enforcement jurisdiction of the single data protection authority (DPA) of the Member State in which the organization has its “main establishment,” which is where the organization’s “central administration” in the EU is located. This usually will be where the organization makes its management decisions regarding the purposes, conditions, and means of processing personal data.
  • DPAs would be obligated to carry out investigations and inspections upon request from other DPAs and to mutually recognize each others’ decisions. Rules are provided for joint operations and operations by one Member State within another Member State’s territory.
  • To ensure consistent application of the directive, the Article 29 Working Party would be updated to an independent “European Data Protection Board” that, in addition to its current duties, would have the authority to issue official opinions regarding the interpretation of the Regulation. These opinions would be subject to the review of the EC.

Data Subject Rights

  • To process personal data for any commercial direct marketing purpose, organizations would need to obtain the explicit, opt-in consent of the data subject.
  • Where consent is used to legitimize data processing (even outside the marketing context), it would need to be explicit, opt-in consent. Moreover, consent would not be valid where there is a “significant imbalance” in power between the data subject and data controller. The prime example of this is in the employment relationship. These rules essentially would be a codification of parts of this past summer’s Article 29 Working Party opinion on consent.
  • The creation of a “right to be forgotten” that would permit data subjects to request that data controllers erase all personal data relating to them and abstain from further disseminating that information, unless there are legitimate grounds to retain the data. In a particularly controversial portion of this proposal, data controllers would be required to “ensure the erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service which allows or facilitates the search of or access to this personal data.” This proposal is in line with recent statements made by EU authorities regarding the retention of data on social networking sites. Some have doubted the ability to “ensure” such complete erasure, especially when much of the content on the public Internet is shared and backed up.
  • The creation of a right to portability, through which data subjects would be able to request a copy of their stored data and move it from one service provider to another, without hindrance.

Data Controller/Processor Obligations

  • Data controllers would be required to notify data breaches to both the individuals concerned and data protection authorities within 24 hours of the breach being discovered (although notification to individuals would be required only when the breach "is likely to adversely affect the protection of the personal data or privacy" of the individual, a limitation not present in the obligation to notify the data protection authority). Currently, EU law only requires Member States to enact laws creating a breach notification obligation for telecommunications operators (which some Member States have yet to enact), although some Member States (such as Austria and Germany) do have security breach notification requirements for data controllers other than telecom operators.
  • Data controllers would be required to minimize the volume of personal data that they collect and process, and to set default settings so that user personal data will not be made public by default.
  • Data controllers and data processors would be required to appoint a data protection officer if (a) they employ over 250 employees or (b) their “core activities” require “regular and systematic” monitoring of data subjects.
  • Prior to processing personal data in a way that is “likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes,” organizations would be required to conduct a data protection impact assessment. The draft Regulation does not define exactly what processing would fall into this definition, though it does list a few examples that “likely” would, including (a) running automated models to analyze or predict a person’s performance at work, creditworthiness, economic situation, location, health, personal preferences, reliability, or behavior, where the result will affect the data subject; (b) the processing of certain types of sensitive data; (c) conducting video surveillance; and (d) utilizing large-scale filing systems containing genetic, biometric, or children’s data.
  • The elimination of the obligation of organizations to generally notify data protection authorities of any automatic processing of personal data, replacing it with an obligation to maintain documentation on processing operations under their responsibility.

Remedies, Liability, and Sanctions

  • Data subjects, and qualified public interest groups on behalf of data subjects or themselves, would have the right to lodge complaints either with DPAs or courts for violations of the Regulation. Currently, some Member States’ DPAs do not have such authority.
  • The creation of three levels of fines for intentional or negligent violations of the Regulation, with the maximum penalty for certain offenses being 5% of an organization’s annual worldwide turnover.

Besides the Regulation, the second legal instrument released is a draft Police and Criminal Justice Data Protection Directive. This directive sets forth rules relating to cross-border transfer and other processing of personal data for law enforcement purposes, with an eye toward facilitating the sharing of this information between law enforcement agencies while still complying with data protection law. Though this Directive is directed toward law enforcement and not the private sector, it does apply where personal data may be required and used by law enforcement authorities (e.g., data related to bank transfers, data collected when buying an airline ticket, traffic and telecommunications data), so it will have at least a tangential effect on the private sector.

Notably, these instruments are just preliminary drafts, and may differ when the EC releases the official drafts, which is still slated to happen in January. Even then, the drafts still will need to be debated and passed before coming into law, a process which is likely to take at least a couple of years. Therefore, there is still time for these legal instruments to be significantly modified before they are ultimately adopted.

France Implements EU Requirements for Data Breach Notification, Audits and Cookies Applicable to Electronic Communications Service Providers

This entry was drafted by Winston Maxwell and Lionel de Souza.

On August 26th, France published a Presidential Order (Ordonnance) that implements the November 25, 2009 package of EU telecoms directives. The Ordonnance contains measures on data breach notifications, data security audits and cookies. These measures are limited to providers of electronic communications services and therefore are not, for the time being, applicable to all data controllers.

Data Security Breaches. All providers of public electronic communications services are required immediately to inform the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), of any data security breach. A data security breach is defined as "any security breach that results accidentally or in an illicit manner in the destruction, loss, alteration, disclosure or unauthorized access to personal data which is processed in the context of the supply to the public of electronic communications services." The Ordonnance does not contain any materiality threshold. Consequently, each and every breach, no matter how small, must be reported to the CNIL. Every provider of public electronic communications services must also keep a journal of data breaches, indicating the details of the breach, its effect and the remedial measures taken. The journal must be shown to the CNIL on request.

Notification to data subjects: if the data breach "can adversely affect the personal data or privacy of a subscriber or other individual, the operator must also immediately inform the interested party." However, this notification requirement can be waived if the CNIL finds that "appropriate protection measures were taken by the provider to ensure that the data are incomprehensible to any unauthorized person and such measures were applied to the data concerned by the breach." The Ordonnance contains no materiality threshold here either. Yet the Ordonnance states that the CNIL can, "after examining the seriousness of the breach, order the provider also to inform the interested party." This provision suggests that there may in fact be a "seriousness" threshold after all in connection with notifications to data subjects, but that the decision would be the CNIL's and will certainly depend on the reactivity and containment measures demonstrated by the service provider.

Sanctions: The criminal sanction for failing to notify data breaches is up to 5 years in prison and a fine of three hundred thousand euro (300,000 €). The sanction is in line with other criminal sanctions for failure to comply with French data protection legislation. With regard to the fine, it should be noted that the maximum sanction for companies is multiplied by five (5), thus bringing the maximum sanction to up to one and a half million euro (1,500,000 €).

Security Audits. The Ordonnance empowers the French government to order security audits of any operator's networks, systems and services. The operator must bear the cost of the audit, and must give the government-approved auditors access to all relevant equipment and to the operator's "documents relating to its security policy." A future decree will be adopted to provide details on these requirements. However, one takeaway from this new provision is that operators should probably conduct preventive data and network security audits and make sure their security policies are up to date and applied.

Cookies. Implementing the revised ePrivacy Directive, the Ordonnance provides that users of electronic communications services must not only receive clear information about the use of cookies and tools available to block them (this was already a requirement under French law), but also that users give their consent before the cookies or similar measures are implemented. The Ordonnance states that "the consent can result from appropriate parameters in [the user's or subscriber's] connection system or any other system under [the user's or subscriber's] control." This suggests that browser settings might constitute sufficient prior consent, although the recent Article 29 Working Party opinion on consent (Opinion 15/2011) appears to take a different view.

As before, an exception exists for cookies that are designed to facilitate the communication, or that are strictly necessary for the provision of the Internet application or service requested by the user.

Article 29 Working Party to OBA Industry on Meeting Cookie Consent Requirement: "Nice try, but..."

The EU's Article 29 Working Party has just published a letter addressed to the Online Behavioural Advertising (OBA) Industry regarding the self-regulatory Framework proposed by industry to satisfy the requirement of the revised ePrivacy Directive for user consent before cookies may be placed on a computer for tracking (and targeted advertising) purposes.  The letter was sent in advance of a meeting apparently scheduled for sometime in September between the Working Party and industry representatives to discuss the proposals to satisfy the Cookie Directive.

Simply put, the Working Party has rejected every proposal put forward by industry to avoid the necessity of consumers affirmatively consenting to every placement of cookies by every party proposing to place such cookies.  OBA industry representatives have said that the specific, multiple consent arrangement will impede e-commerce and degrade the user's online experience, heralding a return to multiple pop-ups requiring choices before users may continue to see content.  So far, the Working Party's position is that there is no substitute for a form containing an explanation about the placement of cookies with a box for the consumer to check "I accept," provided by every entity proposing to place a cookie.

The Article 29 Working Party's specific complaints about the industry proposals:

  • A prominent opportunity to object to tracking by cookies can never be the same thing as a specific opt in.
  • The complaint that multiple ad network providers will lead to multiple pop-ups on web sites is not well-founded, since once consent has been given to a network, the pop-up need not appear subsequently.  (The Working Party did not address the issue of what happens before any consents are given and multiple pop-ups seeking consent in fact appear on a given web site except to suggest that perhaps a "centralized way" can be established to obtain consent.)
  • Browser settings rejecting cookies are insufficient since the default is to accept cookies.
  • Icons attached to ads that can be clicked to learn about cookies and express preferences are inadequate because consumers today don't know what the icons mean, and since the Directive applies whether the cookies track personal data or not, the information provided when the icon is clicked making such distinction is inconsistent with the notice requirement.  The icon also was criticized as providing too "indirect" a way to provide notice.

Attached to the Working Party's statement of reasons about the inadequacy of the OBA industry's proposals was a letter from the FTC's Director of Consumer Protection David Vladeck responding to an EU request for the FTC's position on transparency and consumer choice in connection with behavioral advertising.  Notably, the letter explains the value of targeted advertising (while, of course, citing the privacy concerns) and notes "the number of steps to improve transparency and consumer choice" the OBA industry has taken recently.  The letter also notes the guidance the FTC has provided on how to give consumers the "Do Not Track"  power.  The letter from Mr. Vladeck speaks of consumers having a "meaningful opportunity" to control data collection practices, but stops far short of anything resembling the requirements of the Cookie Directive, and the Working Party's reaffirmation, for express opt in for the placement of every tracking cookie.

Article 29 Working Party Guidelines on Consent will Lead to More Pop-ups

On July 13, 2011, Europe’s Article 29 Working Party issued an opinion on the notion of consent and how it should be interpreted and used under European data protection laws. The guidelines are in large part a compilation of recommendations previously made by the Article 29 Working Party for particular forms of processing, such as collection of patient data for electronic health records, transfer of data to third parties, processing of passenger name records, etc. The guidelines also draw on case law of the European Court of Justice, including an important decision in the field of employment law interpreting what constitutes a valid consent of an employee. 

What emerges from the guidelines is first that data controllers should be wary of relying too much on consent as a basis for processing, particularly when other justifications for the processing may suffice under the directive. It is tempting in some cases to apply a “belt and suspenders” approach by asking data subjects for their consent even when another legal justification for the processing would suffice by itself. The guidelines point out that requesting consent in these circumstances might be a “false good solution”, and create awkward situations when a consent is withdrawn while the data controller still has legitimate grounds to pursue the processing of data.

Another important lesson that emerges from the consent guidelines is that consent must be sufficiently granular to show that the individual specifically gave his or her consent to each type of processing that is envisaged by the data controller. According to the Article 29 Working Party, a general consent to any and all transfers to unspecified third parties would not be sufficiently specific to constitute valid consent. The Article 29 Working Party pointed to the 2010 opinion of the Advocate General in a case involving agricultural funds in Europe, in which the Advocate General held that a broad consent in the fund’s terms and conditions was not sufficiently precise to conclude that the beneficiary of the fund had given unambiguous consent to the publication of his or her name.

Another conclusion that we can draw from the guidelines is that silence or the failure to act can never be considered valid consent. The Article 29 Working Party heavily relies on the notion of "indication" of the data subject's wishes, which is featured in the definition of consent laid out by the 1995 Directive, to conclude that positive action would be required to demonstrate consent.  Consequently the sending of an e-mail to a consumer informing him or her of changes to the privacy policy or stating that the processing of his/her data will be undertaken unless he/she objects within a defined period of time would not be sufficient to constitute the consumer’s consent to the new policy or the contemplated processing. The consent would have to be evidenced by an affirmative clicking of a box or any other relevant positive act. Similarly, the Article 29 Working Party states that browser settings in themselves cannot constitute valid consent. This raises questions in the context of the new European rules requiring prior consent to cookies. Some Member States are studying the extent to which browser settings can be used as a manifestation of prior consent to cookies.

The guidelines helpfully remind us also that consent can, in some cases, be implicit. For example, if an online merchant asks a consumer to provide personal information and the consumer provides it, the consumer will have implicitly consented to the merchant’s use of that information in order to process orders and deliver the goods and services ordered by the consumer. There is no need for a separate consent because the purpose for which the consumer provided the information is obviously to permit the merchant to provide the online goods and services and such processing is therefore reasonably expected by the consumer. On the other hand, if the merchant wishes to use the data for another purpose, such as selling behavioural advertising, a separate specific consent would be needed. 

From a general and practical standpoint, implementing the rules as foreseen by the Article 29 Working Party will, in many instances, require companies to initiate a complete review of the conditions under which they use consent to evaluate whether other grounds are available to legitimize their processes and whether consents they have obtained present a sufficient level of granularity to provide accurate and satisfactory information for data subjects. For online service providers, European requirements for consent will lead necessarily to multiple pop-up windows and separate check-the-box consent options. The more granular and affirmative each consent is, the more likely it is to be valid. On the other hand, grouping all data protection consents together in the terms of use is likely to prove risky in light of the Article 29 Working Party guidelines and applicable case law.

Europe's Article 29 Working Party issues smart meter guidelines

By Winston Maxwell (Paris) and Marco Berliri (Rome)

The European Union's Article 29 Working Party published on April 11, 2011 an opinion on smart metering, recommending Privacy by Design, data minimization, and consumer interface options that give customers increased control over their data and privacy settings.

The opinion indicates that most data collected by smart meters will be considered "personal data" under the Data Protection Directive because the data will be associated with a unique identifier such as a meter identification number, which in turn can be linked to a living individual. The opinion states that the "data controller" will in most cases be the energy supplier, but that the grid operator may also be a controller, as may be the third party service provider (so-called Energy Service Companies, or ESCOs). As mentioned in the Art 29 WP's opinion 1/2010 on data controllers and processors, it is not infrequent for there to be more than one controller.

Data collected by smart meters may be processed based on consent, but the opinion warns that consent must be made on a "fully-informed" basis. The Art 29 WP recommends that the household control panel for smart meters include a push button consent option to help consumers exercise their consent options, and change the options over time. 

The opinion goes into considerable detail on some issues, commenting for example that a smart meter with a small, text-only user interface would provide consumers with insufficient access to their own data, in particular to load graphs. The opinion also describes how the collection of data from the smart meter should be minimized, for example by keeping load graph data within the smart meter until the data are actually needed by the energy supplier. Many of the recommendations resemble existing practices in the telecoms industry for the handling of traffic data and location data. For example, smart meter data should be deleted as soon as they are no longer needed. Controllers should develop written policies on data retention, evaluate each purpose for which smart meter data are needed, and ensure that only the minimum data necessary for that purpose are retained, while other data are deleted. For example, some customers may request historic year-to-year consumption comparisons. For those customers, and those customers only, the controller may retain historic consumption data.

The opinion strongly recommends the implementation of Privacy by Design, including privacy impact assessments and security and privacy audits.

See the authors' previous blog entry on smart meters and privacy by design.

US Court and German Data Protection Authority in Accord on Discovery Limitations

As recently reported by the data protection authority of the German Federal State of Bavaria in its annual review, a US court recently accepted the data protection authority's limitation on the scope of discovery involving documents with personal information. The issue of EU data protection rules conflicting with US discovery requests is a recurring one, and this episode demonstrates an instance of international comity.

A German company was the subject of a non-party discovery request in a US civil action to produce company documents located in Germany.  The documents, including emails, were connected to the plaintiff and its business, as well as to the development and distribution of products of the German company. The German company itself was not a party to plaintiff's lawsuit. However, the German company belonged to the same group of companies as the defendant. The plaintiff claimed that the defendant and the German company had gained unauthorized access to business secrets of the plaintiff, and the discovery request was directed to this claim.   

The Bavarian data protection authority, in principle, accepted the need for discovery, but determined that personal data could only be transferred "to the extent this was necessary". For this purpose, the Bavarian data protection authority imposed restrictions on the German company, namely:

  • The German company could only transfer data which corresponded to the criteria of the disclosure request and which were relevant for clarifying the claims of the plaintiff.
  • The German company was obliged, in a first step, to review its documents by means of a keyword search in order to determine which of the documents would fulfill the criteria of the disclosure request. In a second step, the relevant documents needed to be filtered and separated from the other documents which were not relevant.
  • The "relevant documents", in addition, needed to be manually assessed against the criteria of the disclosure request.
  • These steps needed to be taken in Germany (unless the German company had proved that this would be unreasonable).
  • The German company was further only entitled to provide documents in which personal data had been pseudonymized. Only such documents could be sent to the US.
  • Only if a party to the proceedings or the court had established in detail that it was necessary to also review personal data on an identifiable basis could data have been sent to the US in a non-pseudonymized form.
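As an added illustration of the staged approach the Bavarian authority imposed (this is not the company's or the authority's own tooling, which were never published), the Python sketch below keyword-filters a document set, applies the reviewer's manual decisions, and pseudonymizes names and e-mail addresses with keyed tokens so that the re-identification table can stay in Germany. The documents, names, keywords and secret are all constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample documents; the real case was published only as a summary.
DOCUMENTS = [
    {"id": "doc-1", "text": "Anna Beispiel <anna.beispiel@example.de> sent the Project Falcon specs to Max Muster."},
    {"id": "doc-2", "text": "Lunch menu for Friday: schnitzel and salad."},
    {"id": "doc-3", "text": "Max Muster <max.muster@example.de> forwarded Project Falcon pricing externally."},
]

# Names the German-side review team has flagged as personal data (constructed list).
KNOWN_PERSONS = ["Anna Beispiel", "Max Muster"]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def keyword_filter(documents, keywords):
    """Step 1: keep only documents matching at least one criterion of the disclosure request."""
    lowered = [k.lower() for k in keywords]
    return [d for d in documents if any(k in d["text"].lower() for k in lowered)]


def pseudonym(value, secret, prefix):
    """Keyed, deterministic token: the same identity always maps to the same pseudonym,
    and nothing in the token lets a recipient recover the original without the key table."""
    digest = hmac.new(secret, value.lower().encode(), hashlib.sha256).hexdigest()[:10]
    return f"{prefix}_{digest}"


def pseudonymize(document, secret, persons):
    """Step 4: replace e-mail addresses and known names; return the document and its key entries."""
    text = document["text"]
    mapping = {}
    for addr in set(EMAIL_RE.findall(text)):
        token = pseudonym(addr, secret, "EMAIL")
        mapping[token] = addr
        text = text.replace(addr, token)
    for name in persons:
        if name in text:
            token = pseudonym(name, secret, "PERSON")
            mapping[token] = name
            text = text.replace(name, token)
    return {"id": document["id"], "text": text}, mapping


def prepare_transfer_set(documents, keywords, approved_ids, secret, persons=KNOWN_PERSONS):
    """Steps 1-4 end to end: keyword search, then the reviewer's manual assessment
    (modelled here as a set of approved document ids), then pseudonymization.
    Returns the documents that may leave Germany and the key table that stays behind."""
    relevant = [d for d in keyword_filter(documents, keywords) if d["id"] in approved_ids]
    export, key_table = [], {}
    for doc in relevant:
        pdoc, mapping = pseudonymize(doc, secret, persons)
        export.append(pdoc)
        key_table.update(mapping)
    return export, key_table
```

The key table is the only route back from a token to a person, so under the authority's conditions it would be retained by the German company and not transferred alongside the documents.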

The German company submitted the opinion of the Bavarian data protection authority to the US court and provided documents only to the extent permitted by the Bavarian data protection authority.

The US court ruled that the plaintiff would not be unreasonably disadvantaged (or, at least, could not prove such disadvantage) if the German company complied with the provisions of German data protection law and the opinion of the Bavarian data protection authority. Therefore, the US court rejected the plaintiff's request for production of documents on a larger scale.

The case touches a hot topic. In practice, companies often are caught between complying with US discovery rules and European data protection rules. This leads to a situation of great uncertainty. Important bodies, such as the Article 29 Data Protection Working Party of the European Union in its "Working document 1/2009 on pre-trial discovery for cross border civil litigation", or the Sedona Conference, have assessed this predicament in detail and attempted to provide practical guidance. The approach taken by the Bavarian data protection authority, and supported by the US court, can now be taken as further guidance on how to handle such cases in practice, at least by German companies.

The Bavarian data protection authority and the German company had agreed that the authority should only publish a high level summary of the case, and should not provide any further details (including the identification of the US court).


EU's Article 29 Working Party Provides Substantial Guidance

Quentin Archer, a partner in the London Office of Hogan Lovells, provides this report.

The Article 29 Working Party (set up under Article 29 of the European Data Protection Directive) has been very productive over the last month as the summer holidays approach, issuing four opinions, one report and one set of FAQs.  In recent years we have come to expect these spikes in publications at the middle and end of each year, which are perhaps more a product of the Working Party's internal approvals process than any indication of unusual activity. 

Behavioral Advertising

In June, the Working Party issued Opinion 2/2010 (WP171) on online behavioral advertising.  The Working Party notes that both the E-Privacy Directive and the Data Protection Directive are relevant to online behavioral advertising, and goes into some detail on the requirements of the E-Privacy Directive (amended in 2009) that cookies should be employed for this purpose only with the informed consent of users.  It recommends that advertising network providers should limit in time the scope of consents given by users, offer the possibility for consents to be revoked easily and create visible tools to be displayed where monitoring takes place.  In relation to general data protection obligations, it emphasizes the importance of transparency regarding processing of personal data and points out that the responsibility for ensuring transparency will be shared between different service providers in relation to behavioral advertising.  However, the Working Party does not prescribe how legal obligations should be fulfilled from a technological point of view, and instead invites industry to undertake a dialog with it to explore how the legal framework set out in the Opinion can be satisfied.

For a more detailed discussion of the provisions of this opinion, see our analysis here.

Controller-Processor Standard Clauses

On 12th July 2010, the Working Party issued FAQs (WP176) designed to address issues raised by the entry into force of the Commission Decision of 5th February 2010 on the new controller-processor standard clauses.  Several of the FAQs address the situation where personal data is transferred from an EEA-based controller to an EEA-based processor and then to a non-EEA-based sub-processor, which is not specifically contemplated by the new clauses.  As the new clauses cannot be used to effect this, the Working Party suggests different solutions to address the problem.  The remainder of the FAQs answer a variety of questions which might arise where the processor to whom the data are transferred is located outside the EEA, such as whether a data exporter's consent to sub-processing must be specific or can be general, and whether sub-processing agreements can be made in respect of more than one data exporter.

Data Retention

On 13th July, the Article 29 Working Party issued Report 01/2010 (WP172) on its second joint enforcement action, which concerned the implementation of the Data Retention Directive (Directive 2006/24/EC).  The Data Retention Directive derogates from the provisions of the E-Privacy Directive by requiring Member States to ensure that certain categories of communications data are retained for periods of not less than six months and not more than two years.  This is in contrast to the general principle in Article 6 of the E-Privacy Directive, which requires such data to be erased or anonymised when it is no longer needed for the purposes of the transmission of a communication.

The data protection authorities of 25 EEA member states contributed to the joint enforcement action, circulating questionnaires and conducting onsite investigations in certain cases.  It was discovered that there were significant differences between Member States regarding retention of internet services traffic data, with variations in retention periods.  A more uniform picture emerged in relation to the retention of telephone traffic data.  The Working Party established that there was inconsistent implementation at domestic level as a result of differing views over the scope of the Directive, notably whether it was meant to be a derogation from the general obligation to erase traffic data upon conclusion of an electronic communication, or whether instead it affected only data which providers were already allowed to store for subscriber billing and interconnection payments purposes in accordance with Article 6(2) of the E-Privacy Directive.  The Working Party recalled its previous opinions on the Data Retention Directive and (awaiting the decision of the Commission as to whether or not to amend or repeal the Directive) it laid down specific recommendations to ensure increased harmonization, more secure data transmission and standardized handover procedures.

For a more detailed discussion of the provisions of this opinion, see our analysis here.

Accountability

Also on 13th July, the Working Party issued Opinion 3/2010 on the principle of accountability (WP173). The Opinion proposes that a new principle on accountability should be introduced (as part of amendments to the Data Protection Directive) which would require data controllers to put in place appropriate and effective measures to ensure that the principles and obligations set out in the Directive are complied with, and to demonstrate this to supervisory authorities upon request.  It is hoped that this will provide a practical means of ensuring the observance of data protection rules as well as helping data protection authorities in their supervision and enforcement tasks.

FEDMA

The third opinion, also adopted on 13th July, was Opinion 4/2010 on the European Code of Conduct of FEDMA for the Use of Personal Data in Direct Marketing (WP174). The approval of draft community codes of conduct is anticipated in Article 27(3) of the Data Protection Directive, and indeed the European Code of Conduct of FEDMA (the Federation of European Direct and Interactive Marketing) had been the subject of a previous favorable opinion of the Working Party in June 2003. The subject matter of the present Opinion was an annex to the Code dealing with the specific problems created by the on-line world, with special reference to provisions designed to protect children. The annex (which is exhibited to the Opinion) was approved by the Working Party and FEDMA was encouraged to promote it within the direct marketing sector.

RFID

The final July 13th opinion is Opinion 5/2010 on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications. The opinion comments on an industry framework for RFID privacy impact assessments (PIA). Although the Working Party agreed with the broad framework of the industry report, it indicated three concerns: (1) no section of the PIA requires the RFID operator to identify risks associated with the RFID application; (2) the proposed framework fails to encourage the RFID operator to identify risks to individuals related to carrying RFID tags in everyday life; and (3) the framework lacks clarity regarding RFID tag deactivation in the retail sector. As a result of these concerns, the Working Party stated it could not endorse the proposed document.

EU Article 29 Working Party Report on ISP and Telecom Carrier Data Retention for Law Enforcement Purposes

Winston Maxwell, a partner in Hogan Lovells’ Paris Office, prepared this entry.

On July 13, 2010 the EU’s Article 29 Data Protection Working Party adopted a report (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_en.pdf) describing how ISPs and telecom carriers retain traffic data for law enforcement purposes in Europe. The European Data Retention Directive 2006/24/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML) was supposed to harmonize national laws on data retention. But according to the working party’s report, harmonization is seriously flawed in a number of respects.


The report confirms what we have heard from a number of our communications clients: each Member State has slightly different rules for retaining traffic data for law enforcement purposes, particularly when it comes to IP-based communications. The retention periods differ from country to country, and the kinds of data to be retained are in many cases different. For a pan-European communications provider, this creates a real headache, because specific procedures and systems have to be created for each Member State where the communications provider does business.

The Article 29 working party comes at this from the angle of protecting European citizens, and complains that the lack of harmonization creates different levels of protection of personal data between different Member States, defeating the Data Retention Directive’s objective of harmonization. In this particular case, however, the interests of communications providers and EU citizens converge, because different rules on data retention create additional costs for communications providers, as well as different risks for citizens. The directive currently allows Member States to apply data retention periods of between 6 and 24 months. Several of the large EU Member States have chosen a period of 12 months, and the Article 29 working party recommends that the directive be amended to impose a single harmonized period instead of giving Member States a choice. 

The legislation of Member States is fairly consistent regarding the kind of data to be retained for traditional voice communications, but for IP-based communications the practices vary. On this point, the Article 29 working party emphasizes that the only data that Member States can require service providers to retain are those listed in Article 5 of the Directive. In particular, the destination IP address and the URLs of web sites cannot be retained, because those data provide information on the content of the communication, which is prohibited. The working party deplores that many operators do not apply automatic erasure procedures at the end of the legally mandated retention period, and that many operators do not conduct security audits. Finally, the report complains that Member States have different definitions of what a “serious crime” is that would justify the communication of data to law enforcement personnel. The report recommends harmonization on this point too.


Although not specifically mentioned by the working party, the question of whether illegal downloading of copyrighted material is a “serious crime” is obviously a key issue, because several European countries are putting into place graduated response mechanisms that rely on the ISP communicating traffic data to a court or administrative body for the purpose of identifying the alleged infringer. On that front, BT and Talk Talk have lodged a complaint in the UK claiming that the Digital Economy Act, which allows OFCOM to send warning letters to individual infringers, violates fundamental privacy laws (http://www.guardian.co.uk/technology/2010/jul/08/bt-talktalk-challenge-digital-economy-act).


Some courts are also questioning the constitutionality of national data retention laws enacted to transpose the Data Retention Directive. Last March, the German Supreme Court held that the implementation of a German law on data retention violated fundamental privacy rights, and ordered that the application of the law be suspended until such time as the government narrows its scope (http://news.cnet.com/8301-13578_3-10462117-38.html).

European DP authorities issue "Future of Privacy" roadmap

The Article 29 working party of European data protection authorities (the “WP29”) published in early January a roadmap charting the future of privacy legislation in the EU. Entitled “The Future of Privacy – Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data,” the WP29 roadmap contains insight into areas of likely reform of European privacy law in the coming years. After an introduction describing the history and constitutional underpinnings of privacy legislation in the EU, the Future of Privacy roadmap outlines nine areas of needed reform:

1. Extend EU privacy legislation to law enforcement, former “third pillar” areas, which were heretofore excluded from the EU Data Protection Directive.

2. Consider modifying the criteria for determining when EU privacy law applies to controllers located outside the EU, particularly where non-EU established controllers target their activities at EU residents, through advertising and local language sites.  WP29 says it is currently preparing a detailed opinion on the applicability of EU law.

3. Support global standards, in furtherance of the so-called Madrid Resolution adopted on November 6, 2009, and increase international cooperation between data protection authorities.

4. Include “Privacy by Design” as an obligation applicable to all actors in the ICT (information and communications technology) sector.  Privacy by design should focus on principles such as data minimization, controllability, transparency, user friendly systems, data confidentiality, data quality and use limitations.

5. Empower citizens by increasing their ability to enforce privacy rules, including via class actions and alternative dispute resolution (ADR) mechanisms. Increase transparency obligations for the benefit of users and clarify the concept of user “consent.”

6. Increase accountability obligations for data controllers by imposing across-the-board data breach notification obligations (currently data breach obligations apply only in the electronic communications sector), and by encouraging self-audits, privacy impact assessments, and external certification procedures.

7. In exchange for increased self-enforcement and accountability measures, WP29 suggests lifting many administrative filing obligations with data protection authorities, reserving filing only for cases where there is a serious risk to privacy.  Even in those cases, filing could be streamlined where organizations have conducted privacy audits or privacy impact assessments.

8. Impose minimum requirements to ensure that national data protection authorities are sufficiently independent and effective, including that they have sufficient funding.

9. Require the implementation of privacy impact assessments and related accountability measures for law enforcement organizations.

Adopted on December 1, 2009, but made available on the WP29 website only recently, the WP29 Future of Privacy roadmap is a contribution to the European Commission’s consultation on reform of EU privacy legislation, a consultation which closed on December 31, 2009. Other contributions can be viewed here.