: EU : HL Chronicle of Data Protection

Home > EU >

Posted on November 14, 2011 by Christopher Wolf

Cross-Border Data Flows Free from Overly Restrictive Rules Touted by Industry and Government

At a time when leaders in the EU are poised to propose privacy rules that could well restrict the activities of US businesses, Google , Microsoft , Citigroup, IBM , GE and other major American companies have urged the United States to push for trade rules that protect the free flow of information over the Internet. In particular, the group's Report available here urges that countries avoid "digital protectionism," and the report specifically addresses security and privacy:

Security and Privacy. The business community supports the right of governments to ensure the safety, security and privacy of its citizens and recognizes that approaches may differ between countries and across sectors. At the same time, as in any measure affecting international trade, governments must be able to communicate clearly the rules, rationale and compliance procedures governing these interests to businesses and individuals and make certain that those procedures are not overly disguised restriction to international trade. For example, some countries have discriminated in favor of local businesses by selectively applying filtering regimes which degrade service; by mandating the use of domestic products or intellectual property; by requiring product certifications to be carried out locally; by rerouting traffic from global Internet brands to local competitors; or by applying their laws in a manner that discriminates against foreign suppliers or services. In addition, governments often work outside of established legal frameworks or processes when seeking commercial, financial or personal data, which raises a host of concerns about privacy, safety and security.

US Deputy Chief Technology Officer Danny Weitzner, in a similar vein, warned today in a speech to the US Chamber of Commerce that EU rules may be too stringent and that the Obama Administration will work to convince European regulators that voluntary but enforceable industry codes of conduct are the way to go. Also, the FTC today applauded the approval by the forum on Asia-Pacific Economic Cooperation (APEC) of a new initiative to harmonize cross-border data privacy protection among members of APEC designed to enhance the protection of consumer data that moves between the United States and other APEC members.

Tags: APEC, EU, International/EU Privacy, cross-border, ftc, protectionism, trade

Posted on October 13, 2011 by Stefan Schuppert

German DPAs Issue Rules for Cloud Computing Use

The German data protection authorities on September 26, 2011 adopted an "Orientation guide – cloud computing." The guide sets out mandatory and recommended content for any agreement between German users of cloud computing services (“customers”) and cloud computing service providers. It highlights the customer's responsibility for full compliance with German data protection requirements for the cloud. Based on this orientation guide, customers and providers will have to review existing agreements in the German market.

Privacy and data protection compliance has been a challenging and unclear issue for cloud computing customers and service providers. The new German "orientation guide", adopted by the Munich conference of the German data protection authorities gives clear guidance to cloud computing service providers and their customers in the German market. Privacy practitioners can expect that German DPAs will refer to this guide when addressing situations that raise close questions about the application of data protection laws to cloud computing.

Full control by the customer

The guide emphasizes that German cloud computing customers are data controller and therefore are responsible for the "cloud's" compliance with all data protection requirements under German law. This means the customer needs to know the identity not only of his immediate cloud computing service provider, but of all sub-processors involved in the cloud computing services. The agreement with the immediate cloud computing service provider must contain duties to disclose these sub-processors, and certain core elements of compliance, such as technical and organizational security measures, audit and control rights vis-à-vis such sub-processors, and all locations of data processing. The customer is required to safeguard data subjects’ rights. Examples of how this is achieved include having liquidated damages and penalties in the cloud agreement, and ensuring that data subjects' rights (for instance the right to access, to correct or to have the data deleted) are observed by all cloud service providers. To the extent that the service also includes locations outside the European Economic Area (EEA), the customer may not only rely on using the EU Model Clauses, but must enter into an additional data processing agreement with control and audit provisions, which are mandatory under German data protection law.

Sensitive data in the cloud

The guide gives specific attention to sensitive data. Under German data protection law, the transfer of sensitive data like health data, trade union affiliation, or religious beliefs cannot be justified by a balance of interest test (see, e.g., Art. 7(f) of the EU Data Protection Directive, which provides a legal basis for processing non-sensitive data as necessary for a controller’s legitimate interests unless the interests are outweighed by the fundamental rights and freedoms of the data subject; see also § 28 of the German Federal Data Protection Act). Instead, the transfer of sensitive data can only be justified by the data subject's consent or other very specific exceptions. For any intra-EEA-cloud, this is not an issue since an EEA-located data processor following the data controller's instructions is not considered a third party to which data are transferred. The case is different for any provider located outside the EEA: This is a "third party" to whom the personal data are "transferred", and thus, any use of such cloud for sensitive data cannot be justified by a balance of interest.

Safe Harbor and the cloud

The German DPAs are repeating their careful approach to Safe Harbor certifications. A customer may not rely solely on the service provider's assurance with regard to any Safe Harbor certification. Instead, the customer needs to certify the validity and the applicability (for the relevant type of data) of the provider's Safe Harbor certification at least on the Safe Harbor website. If the customer wants to transfer employee data to the U.S. in the cloud computing environment, the customer also has to verify that the service provider has accepted to cooperate in investigations by, and to comply with the advice of, competent EU authorities. This requirement is reflected in the Safe Harbor FAQs (question 9, section 4).

Relevance of technical safeguards

The guide deals with technical issues and security measures and specific threats for data protection principals by cloud computing services in detail. The guide frequently addresses transparency for customers and data subjects regarding the location of the data processing, and the identity of the service providers involved (even as subcontractors). The guide highlights the problem of the reliable deletion of the data in the view of the vast storage resources of cloud computing services providers, regular back-up services, and the easy copying and global transferring of data in broadband networks. The guide emphasizes that personal data for different clients need to be securely separated. The guide also raises the concern of the potential access to personal data by state authorities beyond what is accepted in the EEA, and views this as a relevant consideration by a customer when deciding on the service provider. Customers need to address security against illegal access to the data, but also the portability of the data in case of their service provider's insolvency or in case of a termination of the contract.

Conclusion

The guide does not contain revolutionary approaches to the difficult question of how to harmonize the benefits of cloud computing with the legitimate objective to ensure compliance with German data protection requirements. However, it is a clear statement that German DPAs do not compromise on sometimes very strict requirements even for globally standardized services. The guide supports the role of intra-EU/EEA cloud computing service providers and those services that are reliable and highly transparent regarding to the location of the data processing and the identity of any subcontractors used in these services.

Both customer and providers of cloud computing services with an interest in the German market should now review their standard agreements for compliance with the requirements published by the German DPAs.

The paper is published in German can be found here.

Tags: DPAs, EEA, EU, EU Data Protection, EU Model Clauses, EU data privacy, European Economic Area, European Union, German Data Protection authorities, German privacy, International/EU Privacy, cloud, cloud computing, german data protection, personal data, safe harbor, sensitive personal data

Posted on July 19, 2010 by Timothy Tobin

EU Article 29 Working Party Report on ISP and Telecom Carrier Data Retention for Law Enforcement Purposes

Winston Maxwell, a partner in Hogan Lovells’ Paris Office prepared this entry.

On July 13, 2010 the EU’s Article 29 Data Protection Working Party adopted a report (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_en.pdf ) describing how ISPs and telecom carriers retain traffic data for law enforcement purposes in Europe. The European Data Retention Directive 2006/24/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML) was supposed to harmonize national laws on data retention. But according to the working party’s report, harmonization is seriously flawed in a number of respects.

The report confirms what we have heard from a number of our communications clients: each Member State has slightly different rules for retaining traffic data for law enforcement purposes, particularly when it comes to IP-based communications. The duration for retaining the data are different from country to country, and the kind of data to be retained are in many cases different. For a pan-European communications providers, this creates a real headache, because specific procedures and systems have to be created for each Member State where the communications provider does business.

The Article 29 working party comes at this from the angle of protecting European citizens, and complains that the lack of harmonization creates different levels of protection of personal data between different Member States, defeating the Data Retention Directive’s objective of harmonization. In this particular case, however, the interests of communications providers and EU citizens converge, because different rules on data retention create additional costs for communications providers, as well as different risks for citizens. The directive currently allows Member States to apply data retention periods of between 6 and 24 months. Several of the large EU Member States have chosen a period of 12 months, and the Article 29 working party recommends that the directive be amended to impose a single harmonized period instead of giving Member States a choice.

The legislation of Member States is fairly consistent regarding the kind of data to be retained for traditional voice communications, but for IP-based communications the practices vary. On this point, the Article 29 working party emphasizes that the only data that Member States can require service providers to retain are those listed in Article 5 of the Directive. In particular, the destination IP address and the URLs of web sites cannot be retained, because those data provide information on the content of the communication, which is prohibited. The working party deplores that many operators do not apply automatic erasure procedures at the end of the legally mandated retention period, and that many operators do not conduct security audits. Finally, the report complains that Member States have different definitions of what a “serious crime” is that would justify the communication of data to law enforcement personnel. The report recommends harmonization on this point too.

Although not specifically mentioned by the working party, the question of whether illegal downloading of copyrighted material is a “serious crime” is obviously a key issue, because several European countries are putting into place graduated response mechanisms that rely on the ISP communicating traffic data to a court or administrative body for the purpose of identifying the alleged infringer. On that front, BT and Talk Talk have lodged a complaint in the UK claiming that the Digital Economy Act, which allows OFCOM to send warning letters to individual infringers, violates fundamental privacy laws http://www.guardian.co.uk/technology/2010/jul/08/bt-talktalk-challenge-digital-economy-act .

Some courts are also questioning the constitutionality of national data retention laws enacted to transpose the Data Retention Directive. Last March, the German Supreme Court held that the implementation of a German law on data retention violated fundamental privacy rights, and ordered that the application of the law be suspended until such time as the government narrows its scope http://news.cnet.com/8301-13578_3-10462117-38.html .

Posted on March 8, 2010 by Wim Nauwelaerts

Article 29 Working Party Provides Guidance On Data Controller/Processor Concepts

Who is in “control” of personal data and who merely processes personal data on behalf of a data “controller”? These are essential questions for purposes of compliance with EU data protection requirements, yet answering them can be quite problematic in practice. The EU Data Protection Directive defines the controller as the person or entity that determines, alone or jointly with others, the purposes and the means of the processing of personal data. The processor, on the other hand, is the person or entity that processes personal data on behalf of the controller. Applying these concepts to a practical case may have been straightforward in the early days of the Directive, but in today’s Web 3.0, RFID and cloud computing environments many are perceiving the controller and processor distinction as archaic and, most importantly, unworkable in practice. At the same time, under the current legal regime the distinction is crucial in order to determine who is responsible for compliance with EU data protection rules, what Member State laws apply, and which data protection authorities are competent to supervise data processing operations.

Last November in Madrid, when the 31^st International Conference of Data Protection and Privacy Commissioners adopted the “International Standards on the Protection of Personal Data and Privacy”, there was a sparkle of hope that the controller and processors concepts would not survive the upcoming review of the EU data protection framework. The Standards use the more pragmatic concepts of “responsible person” (instead of “controller”) and “processing service provider” (as opposed to “processor”).

However, on 16 February 2010, the Article 29 Working Party (WP) adopted an opinion (Opinion 1/2010) on the concepts of “controller and “processor”, in which it takes the position that there is no reason to assume that the current distinction between controllers and processors would no longer be relevant and workable. The Article 29 WP acknowledges that applying these concepts to concrete situations can be complex, which is why it is providing specific guidance in its opinion to ensure a consistent and harmonized approach throughout the EU.

The Article 29 WP’s opinion includes a comprehensive analysis of the controller and processor concepts as well as practical examples and rules of thumb on how to approach the concepts pragmatically. Without going into any level of detail, here are just a few of the Article 29 WP’s pearls of wisdom that can be found in the Opinion:

In many cases the responsibility of data controller can be attributed on the basis of an assessment of the factual circumstances. Contractual terms can often clarify the issue, although they are not decisive under all circumstances. Even if a contract is silent on who is the controller, it can still contain sufficient elements to assign the responsibility of controller to the party that apparently exercises a dominant role in that regard.

The data controller must determine the purposes and the means, i.e., the “why” and the “how” of certain processing activities. The crucial question, however, is to which level of detail somebody should determine purposes and means in order to be considered as a data controller. According to the Article 29 WP, whoever decides on the “purposes” of a data processing operation should be the controller. The data controller can delegate the determination of the “means” of the data processing, as far as technical or organizational measures are concerned. Substantial decisions that may affect the lawfulness of the data processing (e.g., how long will the data be stored) are reserved to the data controller.

In some cases, there may be several persons or entities that determine the purposes and means of a particular data processing operation and that therefore qualify as “joint controllers”. Although contractual arrangements can be useful in assessing joint control, they should always be checked against the factual circumstances of the parties’ relationship. Parties acting jointly also have a certain degree of flexibility in sharing and allocating data protection obligations and responsibilities, as long as they are compliant.

A data processor is a separate legal person or entity with respect to the data controller and processes personal data on the data controller’s behalf. The data processor is called on to implement the data controllers’ instructions at least with regard to the purposes and the essential means of the processing. The lawfulness of the processors’ data processing therefore depends on the specific mandate given by the controller. A data processor exceeding that mandate could be viewed as assuming the responsibilities of a (joint) controller.

The Article 29 WP’s opinion provides useful explanations and guidance in general, and its analytical approach is helpful. It is perhaps regrettable that the many examples in the opinion do not always include in-depth discussions of the specific issues raised (for instance, data processing by recruitment agencies or in the context of clinical trials).

Tags: 29, Article, Data, Directive, EU, International/EU Privacy, Madrid, Party, Protection, Working, opinion

Posted on January 11, 2010 by Winston Maxwell

European DP authorities issue "Future of Privacy" roadmap

The Article 29 working party of European data protection authorities (the “WP29”) published in early January a roadmap charting the future of privacy legislation in the EU. Entitled “The Future of Privacy – Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data,” the WP29 roadmap contains insight in to areas of likely reform of European privacy law in the coming years. After an introduction describing the history and constitutional underpinnings of privacy legislation in the EU, the Future of Privacy roadmap outlines nine areas of needed reform:

1. Extend EU privacy legislation to law enforcement, former “third pillar” areas, which were heretofore excluded from the EU Data Protection Directive.

2. Consider modifying the criteria for determining when EU privacy law applies to controllers located outside the EU, particularly where non-EU established controllers target their activities at EU residents, through advertising and local language sites. WP29 says it is currently preparing a detailed opinion on the applicability of EU law.

3. Support global standards, in furtherance of the so-called Madrid Resolution adopted on November 6, 2009, and increase international cooperation between data protection authorities.

4. Include “Privacy by Design” as an obligation applicable to all actors in the ICT (information and communications technology) sector. Privacy by design should focus on principles such as data minimization, controllability, transparency, user friendly systems, data confidentiality, data quality and use limitations.

5. Empower citizens by increasing their ability to enforce privacy rules, including via class actions and alternative dispute resolution (ADR) mechanisms. Increase transparency obligations for the benefit of users and clarify the concept of user “consent.”

6. Increase accountability obligations for data controllers by imposing across-the-board data breach notification obligations (currently data breach obligations apply only in the electronic communications sector), and by encouraging self-audits, privacy impact assessments, and external certification procedures.

7. In exchange for increased self-enforcement and accountability measures, WP29 suggests lifting many administrative filing obligations with data protection authorities, reserving filing only for cases where there is a serious risk to privacy. Even in those cases, filing could be streamlined where organizations have conducted privacy audits or privacy impact assessments.

8. Impose minimum requirements to ensure that national data protection authorities are sufficiently independent and effective, including that they have sufficient funding.

9. Require the implementation of privacy impact assessments and related accountability measures for law enforcement organizations.

Adopted on December 1, 2009, but made available on the WP29 website only recently, the WP 29 Future of Privacy roadmap is a contribution to the European Commission’s consultation on reform of EU privacy legislation, consultation which closed on December 31, 2009. Other contributions can be viewed here.

Tags: Article 29 Working Party, EU, European Commission consultation on data protection, European Union, International/EU Privacy, WP29, data breach notification, future of privacy, privacy by design

Posted on November 16, 2009 by Wim Nauwelaerts

EU ePrivacy Directive and Cookies: The Consent Requirement May Not Be as Broad as Believed

The Wall Street Journal has reported that “the Council of the European Union has approved new legislation that would require Web users to consent to Internet cookies.” But it is not quite as clear-cut as that quote suggests. The consent requirement relates cookies that collect personal data -- an important qualification -- and some cookies appear to fall outside of the consent requirement.

Last week the Council of the European Union and the European Parliament reached an agreement on the EU telecom reform, as a result of which the ePrivacy Directive is expected to be amended shortly. Following adoption of the revised ePrivacy Directive, the EU Member States have 18 months to transpose the Directive’s provisions into their national legislation. One of the proposed amendments that has recently triggered the attention of several commentators on both sides of the Atlantic is the so-called “cookie law”.

The new ePrivacy Directive will include a provision requiring the EU Member States to ensure that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing”.

There is no doubt that this provision intends to cover the use of cookies, even if the provision does not specifically refer to cookies. Moreover, the Article 29 Working Party has earlier expressed the view that the “neutral” wording chosen is not limited to cookies but implies any other new technology that could be used to track users’ behavior using their browser.

The specific reference to the EU Data Protection Directive (95/46/EC) is important because it limits the consent requirement to personal data, as opposed to other types of information. In the opinion of the Article 29 Working Party as well as many data protection authorities throughout the EU, persistent cookies containing a unique user ID are personal data and therefore subject to applicable data protection rules. Arguably some cookies (or similar technologies) may not meet these criteria and therefore fall outside the scope of the law.

As far as the consent requirement is concerned, the law is not entirely clear on how and when to obtain consent. The new provision does not explicitly refer to “prior” consent, but the use of the past tense (“has given”) suggests that the European legislator wanted to make sure that users are offered with an opportunity to refuse cookies and the like before these are delivered to users’ computers.

So how will consent have to be obtained in this specific context? Although the jury is still out on this question, the recitals of the legislative proposal include the following, perhaps interesting suggestion: “where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application”.

Earlier this year, the Article 29 Working Party strongly objected to the idea of using default browser settings as a means to provide consent. Concerned about the possible erosion of the definition of consent and a subsequent lack of transparency, the Article 29 Working Party opined that: “most browsers use default settings that do not allow the users to be informed about any tentative storage or access to their terminal equipment. Therefore, default browser settings should be “privacy friendly” but cannot be a means to collect free, specific and informed consent of the users, as required in Article 2 (h) of the Data Protection Directive. With regard to cookies, the Working Party is of the opinion that the controller of the cookies should inform its users in its privacy statement and may not rely on (default) browser settings”. In light of the recitals approved by the Council and the Parliament, it would perhaps be useful if the EU data protection authorities could reach a consensus (and subsequently provide guidance) on this issue.

Tags: EU, International/EU Privacy, consent, cookies

Posted on November 7, 2009 by Christopher Wolf

Reflections on the International Conference of Data Protection and Privacy Commissioners in Madrid

As the 31st annual International Conference of Data Protection and Privacy Commissioners wraps up in Madrid, capped by the announcement that next year’s conference will occur in Jerusalem, to be hosted by the Israeli Information and Technology Authority, some reflections:

• Security vs. Privacy There continues to be a tension between the need for security from terrorist and criminal attacks and the right to be free of excessive collection and retention of personal data by governments. This was the focus of the remarks of the Spanish Minister of the Interior and the US Secretary of Homeland Security, and a panel of experts from around the world who concluded that there needs to be greater focus on the need for all of the information that is harvested from citizens. The pre-conference session of The Public Voice organized by the Electronic Privacy Information Center resulted in a Madrid Declaration that warned that "privacy law and privacy institutions have failed to take full account of new surveillance practices."

• Corporate Accountability and New Privacy-Enhancing Technologies Presentations by corporate representatives of Google, Microsoft, eBay, Yahoo!, Procter & Gamble, Accenture and others showed that corporate accountability for privacy (a concept advanced enthusiastically by our friend Marty Abrams of the Center for Information Policy Leadership) is guided not only by the need to be legally compliant but also by the recognition that in our information society, responsible data management will build consumer trust. There was an impressive demonstration of various new technologies that provide greater transparency and more robust notice to individuals about the collection of data about them, and that give them greater control over the collection, use, transfer and retention of personal data. For example, Google unveiled new privacy tools and Jules Polonetsky, my co-chair at the Future of Privacy Forum, illustrated the array of technologies available to protect the privacy of children. The greater demonstration of such “self-regulation” through corporate accountability and the deployment of privacy-enhancing technology was recognized at the conference as an essential pillar of privacy protection.

• US Law and Enforcement In the panel on children’s privacy, John Avila of the Walt Disney Company, gave a compelling overview of the breadth and depth of US legal protections for privacy, which includes COPPA to protect kids, and which he pointed out focuses on the areas of greatest privacy concern (such as financial and health privacy). There were also presentations on the robust enforcement of US privacy laws by the FTC and other authorities, and the innovations in regulation that include, for example, data security breach notification laws which serve as a model for new regulation in Europe. My conversations with various EU Data Protection Commissioners indicated a growing respect for the US scheme of data protection, in stark contrast to the official EU position that the US lacks adequate protections for personal data which prohibit the cross-border transfer of data to the US absent special arrangements (such as Safe Harbor participation, model contracts or Binding Corporate Rules).

• Cloud Computing and the Smart Grid There was a focus on the privacy issues implicated by new technologies such as the next generation of cloud computing and the Smart Grid.

• Cross-Border Harmonization of Regulation Another important theme of the conference concerned cross-border harmonization of privacy regulation, even among countries in the EU that operate under the common principles of the EU Directive but whose laws often reflect differences in detail and application. In that regard, the European Commission is in the process of soliciting views on the new challenges for personal data protection in order to maintain an effective and comprehensive legal framework to protect individual’s personal data within the EU.

As with many such conferences, the value of the formal program was augmented by the opportunity of data protection regulators to meet informally with representatives of civil society, privacy advocates, privacy lawyers, and corporate privacy officials. The interactions over lunch and dinner, and at the wonderful art galleries of Madrid (where tours were made part of the official agenda), allowed for the sharing of perspectives and ideas, and a recognition that no matter which sector is involved, those gathering in Madrid share the commitment to the protection of personal privacy.

Next year in Jerusalem!

Tags: EU, Madrid, News & Events, data protection commissioners

Posted on November 3, 2009 by Christopher Wolf

Live Blogging from Madrid Privacy Confabs: EU-Wide Data Breach Notification Requirement a Real Possibility

In advance of the global meeting of data protection authorities starting tomorrow in Madrid, the International Association of Privacy Professionals (IAPP) and the Electronic Privacy Information Center (EPIC) are hosting side events today at the conference hotel.

The biggest news so far, discussed at the IAPP event, is that the European Commission is seriously considering new data security breach notification laws. Previously, the Commission and the European Council had focused only on breaches at telecom companies and ISPs.

The Commission’s Information Society Commissioner, Viviane Reding, now has said that new EU-wide legislation requiring all entities to notify individuals and authorities of breaches is seriously under consideration.

Thus, EU compliance officers are paying rapt attention to the discussion by the Americans here of how to comply with data security breach laws.

Tags: EU, IAPP, Madrid, News & Events, data security breach

Posted on October 21, 2009 by LexBlog

FTC Settles Safe Harbor Enforcement Actions with Six Companies

In its first wave of Safe Harbor enforcement actions, the Federal Trade Commission announced settlements on October 6th with 6 companies over misrepresentations that they are current with their Safe Harbor certifications. In each case, the company had self-certified its compliance with the Safe Harbor Program through the Department of Commerce, but did not keep its annual certification current, while still representing that it was a valid member of the Safe Harbor Program.

The FTC brought the enforcement actions under its Section 5 authority, alleging that the companies’ misrepresentations are deceptive. The scope of the FTC’s actions is limited to the companies’ lapsed certification and did not address whether the companies were compliant with the substantive requirements of the Safe Harbor Program.

The proposed settlement agreements, open for public comment until November 5^th, prohibits each company from making representations about its membership in any privacy, security, or any other compliance program sponsored by the government or any other third party. In addition the proposed terms require each company to comply with reporting and compliance obligations, including the retention of documents relating to its compliance with the order for 5 years and initial compliance reports to the FTC.

The key take-away from these actions is that the FTC is going to be more pro-active in its scrutiny of members of the Safe Harbor Program. We anticipate more enforcement actions under Section 5 based on misrepresentations about compliance with Safe Harbor obligations, and likely further actions against companies with lapsed certifications.

The FTC complaints, proposed settlements and related documents are available at http://ftc.gov/opa/2009/10/safeharbor.shtm.

Tags: EU, International/EU Privacy, enforcement, ftc, safe harbor

Posted on October 7, 2009 by Christopher Wolf

An Example of Behavioral Advertising Self-Regulation from Europe

In the United States, regulators and policy makers are taking a close look at the issues surrounding behavioral advertising and how to protect the privacy of consumers. A vigorous debate is occurring over self-regulation versus the asserted need for legislation or regulation. So it is interesting to see what is going on in Europe in the realm of self-regulation.

In the EU, a privacy and data protection certification seal for IT products and IT-based services is in place, called the EuroPrise Privacy Seal. The EuroPrise Privacy Seal recently was awarded to a new German behavioral targeting system called Predictive Targeting Networking (PTN) 2.0 and offered by a company called Nugg.ad. The Nugg.ad system addresses many of the privacy issues that regulators here and abroad have focused on, such as cookie expiration dates, logging of IP addresses, the notice given to consumers, and opt out.

For more details, see this blog entry from the Future of Privacy Forum.

Tags: Consumer Privacy, EU, Self-regulation

HL Chronicle of Data Protection

Copyright © Hogan Lovells. All Rights Reserved. "Hogan Lovells" or the "firm" refers to the international legal practice, including Hogan Lovells International LLP and Hogan Lovells US LLP, each of which is a separate legal entity. Attorney advertising. Prior results do not guarantee a similar outcome.

Hogan Lovells US LLP

555 Thirteenth Street, NW

Washington, DC 20004 | USA

Phone:

+1 202 637 5600

Fax:

+1 202 637 5910

Hogan Lovells International LLP

Atlantic House | Holborn Viaduct

London EC1A 2FG | United Kingdom