Pending Revision of EU Directive Prompts Questions About Safe Harbor

The pending proposal from the European Commission for revision of the EU Directive (expected in early 2012) raises questions about how effective the EU-US Safe Harbor framework would remain under a revised Directive. The Safe Harbor permits the legal cross-border transfer of personal data from the EU to the US by companies enrolled in the framework and committed to the requisite privacy protections. That's the recent observation in Europolitics, the European Affairs daily:

It is not clear what impact a revamp of the EU and US data privacy legal frameworks would have on Safe Harbour. According to the Commerce Department official, "we have been assured by the European Commission that Safe Harbour will not be affected by changes in the Data Protection Directive". The official adds, however, that they do have concerns about US firms lacking the clarity they need should new terms like 'privacy by design' and 'right to be forgotten' be introduced without their precise meaning being spelled out. A Commission proposal is due to be unveiled in early 2012.

The article goes on to speculate about and comment on pending US privacy legislation and its effect on cross-border transfers, concluding that passage of a new US law is not likely:

Meanwhile, the US Congress is considering several bills that could move the US from its current sector-based system to a more comprehensive framework. If this happens, Washington could ask the Commission to adopt a so-called adequacy finding on the US data privacy framework, which would permit an automatic free flow of personal data from the EU to the US. This could effectively render Safe Harbour obsolete. But there is no guarantee that the Commission would adopt such a finding even if Congress does enact comprehensive data privacy legislation. Moreover, with the Obama administration not yet strongly pushing these bills and some Republicans on Capitol Hill opposing them on the grounds that they will stifle innovation in the digital environment, their passage looks far from certain.

On the efficacy of the Safe Harbor arrangement, Peter Fleischer, Google's Global Privacy Counsel, offered a rousing defense in a recent blog post: "I cannot think of a single international privacy framework that has done more to raise the standards of privacy practices by US companies over the last decade than Safe Harbor."

Mr. Fleischer also observed:

In fact, Safe Harbor has become the global framework by which many multinationals organize their global privacy compliance efforts, extending its reach far beyond the narrow explicit confines of data transfers from Europe to the US. Or as Damon Greer, the US government official currently responsible for Safe Harbor, recently put it in an eloquent rebuttal of the critiques of the program, “safe harbour has been a resounding success … facilitating the recognition by US business that privacy is a critical factor to success in the global marketplace”

The Fleischer post begins with a reference to European concerns about law enforcement access to personal data of EU data subjects, but concludes that the efficacy of the Safe Harbor outweighs those concerns, which are currently the subject of transatlantic discussions between the EU and the US.


Article 29 Working Party to OBA Industry on Meeting Cookie Consent Requirement: "Nice try, but..."

The EU's Article 29 Working Party has just published a letter addressed to the Online Behavioural Advertising (OBA) industry regarding the self-regulatory framework proposed by industry to satisfy the requirement of the revised ePrivacy Directive for user consent before cookies may be placed on a computer for tracking (and targeted advertising) purposes. The letter was sent in advance of a meeting apparently scheduled for sometime in September between the Working Party and industry representatives to discuss the proposals for satisfying the Cookie Directive.

Simply put, the Working Party has rejected every proposal put forward by industry to avoid the necessity of consumers affirmatively consenting to every placement of cookies by every party proposing to place such cookies.  OBA industry representatives have said that the specific, multiple consent arrangement will impede e-commerce and degrade the user's online experience, heralding a return to multiple pop-ups requiring choices before users may continue to see content.  So far, the Working Party's position is that there is no substitute for a form containing an explanation about the placement of cookies with a box for the consumer to check "I accept," provided by every entity proposing to place a cookie.

The Article 29 Working Party's specific complaints about the industry proposals:

  • A prominent opportunity to object to tracking by cookies can never be the same thing as a specific opt-in.
  • The complaint that multiple ad network providers will lead to multiple pop-ups on web sites is not well-founded, since once consent has been given to a network, the pop-up need not appear subsequently. (The Working Party did not address what happens before any consents are given, when multiple pop-ups seeking consent do in fact appear on a given web site, except to suggest that perhaps a "centralized way" can be established to obtain consent.)
  • Browser settings rejecting cookies are insufficient since the default is to accept cookies.
  • Icons attached to ads that can be clicked to learn about cookies and express preferences are inadequate because consumers today don't know what the icons mean, and, since the Directive applies whether or not the cookies track personal data, the information presented when the icon is clicked, which draws such a distinction, is inconsistent with the notice requirement. The icon was also criticized as providing too "indirect" a way to give notice.

Attached to the Working Party's statement of reasons about the inadequacy of the OBA industry's proposals was a letter from the FTC's Director of Consumer Protection, David Vladeck, responding to an EU request for the FTC's position on transparency and consumer choice in connection with behavioral advertising. Notably, the letter explains the value of targeted advertising (while, of course, citing the privacy concerns) and notes "the number of steps to improve transparency and consumer choice" the OBA industry has taken recently. The letter also notes the guidance the FTC has provided on how to give consumers the "Do Not Track" power. The letter from Mr. Vladeck speaks of consumers having a "meaningful opportunity" to control data collection practices, but stops far short of anything resembling the Cookie Directive's requirement, reaffirmed by the Working Party, of express opt-in for the placement of every tracking cookie.

European Commission Releases Significant Proposals for Privacy Changes

The European Commission has just released a document setting forth its proposed strategy for revisions to EU data protection rules previewed in this blog recently.

The proposed changes were introduced this way in the Commission's news release:

What happens to your personal data when you board a plane, open a bank account, or share photos online? How is this data used and by whom? How do you permanently delete profile information on social networking websites? Can you transfer your contacts and photos to another service? Controlling your information, having access to your data, being able to modify or delete it – these are essential rights that have to be guaranteed in today's digital world. To address these issues, the European Commission today set out a strategy on how to protect individuals' data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU. This policy review will be used by the Commission with the results of a public consultation to revise the EU’s 1995 Data Protection Directive. The Commission will then propose legislation in 2011.

The Commission then explained:

Today's strategy sets out proposals on how to modernise the EU framework for data protection rules through a series of key goals:

  • Strengthening individuals' rights so that the collection and use of personal data is limited to the minimum necessary. Individuals should also be clearly informed in a transparent way on how, why, by whom, and for how long their data is collected and used. People should be able to give their informed consent to the processing of their personal data, for example when surfing online, and should have the "right to be forgotten" when their data is no longer needed or they want their data to be deleted.

  • Enhancing the Single Market dimension by reducing the administrative burden on companies and ensuring a true level-playing field. Current differences in implementing EU data protection rules and a lack of clarity about which country's rules apply harm the free flow of personal data within the EU and raise costs.

  • Revising data protection rules in the area of police and criminal justice so that individuals' personal data is also protected in these areas. Under the Lisbon Treaty, the EU now has the possibility to lay down comprehensive and coherent rules on data protection for all sectors, including police and criminal justice. Naturally, the specificities and needs of these sectors will be taken into account. Under the review, data retained for law enforcement purposes should also be covered by the new legislative framework. The Commission is also reviewing the 2006 Data Retention Directive, under which companies are required to store communication traffic data for a period of between six months and two years.

  • Ensuring high levels of protection for data transferred outside the EU by improving and streamlining procedures for international data transfers. The EU should strive for the same levels of protection in cooperation with third countries and promote high standards for data protection at a global level.

  • More effective enforcement of the rules, by strengthening and further harmonising the role and powers of Data Protection Authorities. Improved cooperation and coordination is also strongly needed to ensure a more consistent application of data protection rules across the Single Market.

Finally, the Commission described "the way forward," which allows input from affected stakeholders and interested persons:

The Commission's policy review will serve as a basis for further discussion and assessment. The Commission is calling on all stakeholders and the public to comment on the review's proposals until 15 January 2011. Submissions can be made on the Commission’s public consultation web site.

Building on this, the Commission will present proposals for a new general data protection legal framework in 2011, which will then need to be negotiated and adopted by the European Parliament and the Council.

In addition, the Commission will examine other measures, such as encouraging awareness-raising campaigns on data protection rights and possible self-regulation initiatives by industry. 

Article 29 Working Party Provides Guidance On Data Controller/Processor Concepts

Who is in “control” of personal data and who merely processes personal data on behalf of a data “controller”? These are essential questions for purposes of compliance with EU data protection requirements, yet answering them can be quite problematic in practice. The EU Data Protection Directive defines the controller as the person or entity that determines, alone or jointly with others, the purposes and the means of the processing of personal data. The processor, on the other hand, is the person or entity that processes personal data on behalf of the controller. Applying these concepts to a practical case may have been straightforward in the early days of the Directive, but in today’s Web 3.0, RFID and cloud computing environments many perceive the controller/processor distinction as archaic and, most importantly, unworkable in practice. At the same time, under the current legal regime the distinction is crucial in order to determine who is responsible for compliance with EU data protection rules, which Member State laws apply, and which data protection authorities are competent to supervise data processing operations.

Last November in Madrid, when the 31st International Conference of Data Protection and Privacy Commissioners adopted the “International Standards on the Protection of Personal Data and Privacy”, there was a glimmer of hope that the controller and processor concepts would not survive the upcoming review of the EU data protection framework. The Standards use the more pragmatic concepts of “responsible person” (instead of “controller”) and “processing service provider” (as opposed to “processor”).

However, on 16 February 2010, the Article 29 Working Party (WP) adopted an opinion (Opinion 1/2010) on the concepts of “controller” and “processor”, in which it takes the position that there is no reason to assume that the current distinction between controllers and processors would no longer be relevant and workable. The Article 29 WP acknowledges that applying these concepts to concrete situations can be complex, which is why it provides specific guidance in its opinion to ensure a consistent and harmonized approach throughout the EU.

The Article 29 WP’s opinion includes a comprehensive analysis of the controller and processor concepts as well as practical examples and rules of thumb on how to approach the concepts pragmatically. Without going into detail, here are just a few of the Article 29 WP’s pearls of wisdom that can be found in the Opinion:

  • In many cases the responsibility of data controller can be attributed on the basis of an assessment of the factual circumstances. Contractual terms can often clarify the issue, although they are not decisive under all circumstances. Even if a contract is silent on who is the controller, it can still contain sufficient elements to assign the responsibility of controller to the party that apparently exercises a dominant role in that regard.
  • The data controller must determine the purposes and the means, i.e., the “why” and the “how” of certain processing activities. The crucial question, however, is to which level of detail somebody should determine purposes and means in order to be considered as a data controller. According to the Article 29 WP, whoever decides on the “purposes” of a data processing operation should be the controller. The data controller can delegate the determination of the “means” of the data processing, as far as technical or organizational measures are concerned. Substantial decisions that may affect the lawfulness of the data processing (e.g., how long will the data be stored) are reserved to the data controller.
  • In some cases, there may be several persons or entities that determine the purposes and means of a particular data processing operation and that therefore qualify as “joint controllers”. Although contractual arrangements can be useful in assessing joint control, they should always be checked against the factual circumstances of the parties’ relationship. Parties acting jointly also have a certain degree of flexibility in sharing and allocating data protection obligations and responsibilities, as long as they are compliant.
  • A data processor is a separate legal person or entity with respect to the data controller and processes personal data on the data controller’s behalf. The data processor is called on to implement the data controller’s instructions, at least with regard to the purposes and the essential means of the processing. The lawfulness of the processor’s data processing therefore depends on the specific mandate given by the controller. A data processor exceeding that mandate could be viewed as assuming the responsibilities of a (joint) controller.

The Article 29 WP’s opinion provides useful explanations and guidance in general, and its analytical approach is helpful. It is perhaps regrettable that the many examples in the opinion do not always include in-depth discussions of the specific issues raised (for instance, data processing by recruitment agencies or in the context of clinical trials).