EU Article 29 Working Party Report on ISP and Telecom Carrier Data Retention for Law Enforcement Purposes

Winston Maxwell, a partner in Hogan Lovells’ Paris office, prepared this entry.

On July 13, 2010 the EU’s Article 29 Data Protection Working Party adopted a report (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_en.pdf) describing how ISPs and telecom carriers retain traffic data for law enforcement purposes in Europe. The European Data Retention Directive 2006/24/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML) was supposed to harmonize national laws on data retention. But according to the working party’s report, harmonization is seriously flawed in a number of respects.

The report confirms what we have heard from a number of our communications clients: each Member State has slightly different rules for retaining traffic data for law enforcement purposes, particularly when it comes to IP-based communications. Retention periods differ from country to country, and the kinds of data to be retained are in many cases different. For pan-European communications providers, this creates a real headache, because specific procedures and systems have to be created for each Member State where the provider does business.

The Article 29 working party comes at this from the angle of protecting European citizens, and complains that the lack of harmonization creates different levels of protection of personal data between different Member States, defeating the Data Retention Directive’s objective of harmonization. In this particular case, however, the interests of communications providers and EU citizens converge, because different rules on data retention create additional costs for communications providers, as well as different risks for citizens. The directive currently allows Member States to apply data retention periods of between 6 and 24 months. Several of the large EU Member States have chosen a period of 12 months, and the Article 29 working party recommends that the directive be amended to impose a single harmonized period instead of giving Member States a choice. 

The legislation of Member States is fairly consistent regarding the kind of data to be retained for traditional voice communications, but for IP-based communications the practices vary. On this point, the Article 29 working party emphasizes that the only data that Member States can require service providers to retain are those listed in Article 5 of the Directive. In particular, the destination IP address and the URLs of web sites cannot be retained, because those data provide information on the content of the communication, which is prohibited. The working party deplores that many operators do not apply automatic erasure procedures at the end of the legally mandated retention period, and that many operators do not conduct security audits. Finally, the report complains that Member States have different definitions of what a “serious crime” is that would justify the communication of data to law enforcement personnel. The report recommends harmonization on this point too.

 

Although not specifically mentioned by the working party, the question of whether illegal downloading of copyrighted material is a “serious crime” is obviously a key issue, because several European countries are putting into place graduated response mechanisms that rely on the ISP communicating traffic data to a court or administrative body for the purpose of identifying the alleged infringer. On that front, BT and TalkTalk have lodged a complaint in the UK claiming that the Digital Economy Act, which allows OFCOM to send warning letters to individual infringers, violates fundamental privacy laws (http://www.guardian.co.uk/technology/2010/jul/08/bt-talktalk-challenge-digital-economy-act).

Some courts are also questioning the constitutionality of national data retention laws enacted to transpose the Data Retention Directive. Last March, the German Supreme Court held that the implementation of a German law on data retention violated fundamental privacy rights, and ordered that the application of the law be suspended until such time as the government narrows its scope (http://news.cnet.com/8301-13578_3-10462117-38.html).

EU Article 29 Working Party Decrees Strict Opt-In Standards for Behavioral Advertising Data Collection

On June 22, the Article 29 Working Party established by the 1995 European Directive on Data Protection published an opinion declaring that online advertisers who want to target ads by tracking consumers' surfing habits must obtain the consumers' affirmative opt-in consent to such data collection. At the same time, the Working Party lauded certain privacy-enhancing practices incorporated into behavioral advertising today, and it encouraged industry to develop technologies to comply with the framework and “to exchange views” with the Working Party on the use of such technologies.

Behavioral Advertising is Regulated in the EU by Two Primary Sources

The Working Party explained that the behavioral advertising ecosystem is regulated in the EU by two primary sources. The first is Article 5(3) of EU Directive 2002/58 (the ePrivacy Directive), which requires organizations wishing to store or access information on an individual’s computer to obtain the consent of the individual before doing so. The ePrivacy Directive is to be implemented in the national laws of EU member states by June 2011.

The Opinion explained that since behavioral advertising relies on the placement of cookies (small data files) on individuals’ computers to aid in the tracking of their web browsing habits, the ePrivacy Directive applies. In addition, the Opinion went on to specify that if the behavioral advertising involves the collection of any personally identifiable information (PII), including an individual’s IP address (which is recognized as PII in the EU), then the EU Directive 95/46/EC (the Data Protection Directive) also applies.

Opt-In Consent Requirement and Opt-Out Deficiencies Explained

The major theme of the opinion is that under the ePrivacy Directive, meaningful, informed consent must be obtained from an individual before any information is collected and used for behavioral advertising purposes. The opinion went a long way in discussing what the Working Party considers to be meaningful consent in the behavioral advertising context.

Currently, consumers can "opt out" of behavior tracking through control panels offered by certain online advertising services or by relying on default web browser settings through which Internet users automatically accept all cookies that websites request to place on their computers. Users are therefore automatically “enrolled” in behavioral advertising, and can only stop the practice (if they know it is occurring) by blocking or deleting cookies.

The Working Party rejected this “opt-out” approach, concluding that it does not sufficiently allow individuals the ability to exercise choice on whether to share their information with behavioral advertisers. Instead, it stated that notice to individuals should explicitly reference the ad network that will place the cookie and describe how the information will be used once it is collected. Then, the individual should be given the opportunity to “opt in” to the sharing of their information for behavioral advertising purposes. 

Once a user opts in, separate consent would not need to be obtained every time the user visited a website participating in the ad network, but separate consent would need to be periodically obtained (the opinion did not specify a time period) and the user would need to be afforded the opportunity to easily revoke consent.

Room for Innovation

While the Working Party charted a path for behavioral advertisers to follow in the EU, it also left room for behavioral advertisers to deviate from that path, so long as they utilize methods to ensure that users understand and sufficiently consent to behavioral tracking. Specifically, the Working Party cited the Future of Privacy Forum’s efforts in developing icons to place on targeted ads with links to additional information, and called these efforts an example “which the Working Party finds both positive and necessary.” It also recognized tools that enable users to access the preference profiles maintained about them by ad networks, and to modify them and erase them if desired. A final area that the Working Party cited for improvement was the provision of privacy-protective default settings for web browsers, a development it called “paramount.”

Other Obligations

The Working Party drew on other legal sources, most prominently the Data Protection Directive, to list some other obligations for those engaging in behavioral advertising. Specifically, it stated that:

  • Ad networks should not create or use "interest categories" intended to track the Internet habits of children.
  • Ad networks should not offer or use interest categories that could reveal “sensitive data” about an individual (as defined in the EU) without explicit opt-in consent.
  • Information must be deleted if no longer needed for the purpose for which it was collected, meaning that ad networks must implement policies to ensure that information collected each time a cookie is read is immediately deleted or anonymized once the necessity for retaining it expires.
  • Individuals must be allowed to exercise their rights of access, rectification, erasure, and to object under the Data Protection Directive.
  • Data controllers and processors must also keep in mind data security, data transfer, and database registration obligations.

Who is Responsible?

Though it laid out specific obligations, the Working Party was not prescriptive when it came to determining which participants in the behavioral advertising ecosystem would be responsible for complying with the obligations. For example, it stated that while ad networks, as ultimate controllers of the targeting data, are obligated to obtain informed consent, in some instances publishers of targeted advertisements have “some responsibility” in obtaining consent as well because they transfer user IP addresses to ad networks to facilitate advertising transactions. And the Working Party noted that advertisers too can be considered independent data controllers if they capture certain information when their ads are clicked (for example, demographic profiles such as “young mothers” or interest categories such as “extreme sports fans” for whom specific ads are selected) and combine it with an individual’s web browsing behavior or registration data.

Conclusion

The guidelines released by the Working Party represent a major change to the current behavioral advertising regulatory landscape. Nevertheless, the Working Party held out a lifeline for proponents of industry self-regulation and innovation, conceding that industry progress in the provision of notice to Internet users about behavioral advertising could lead the Working Party to accept innovations that may be less restrictive than the opt-in regime it announced. In that way, the opinion may serve a similar purpose to the Federal Trade Commission’s 2009 report on behavioral advertising that set forth its expectations for industry along with the not-so-subtle undertone that if industry did not comply with its “suggestions,” the Commission would formally regulate in the area. While companies have made progress on this front in the U.S., and consequently have succeeded in staving off formal FTC regulation or enforcement so far, those engaging in behavioral advertising in the EU should implement the guidelines set forth in the Working Party opinion immediately and stay tuned for developments regarding the EU's enforcement strategy.

BNA Webinar: Legal Landmines in Europe for Internet-Based Businesses

Readers of the Hogan Lovells Chronicle of Data Protection may be interested in this upcoming webinar featuring Hogan Lovells attorneys from Europe and the United States, as well as Google's European Privacy Counsel, Peter Fleischer.  This event is being produced by Pike & Fischer, a Bureau of National Affairs (BNA) Company.  Here is the Pike & Fischer/BNA announcement with link to registration information:

BNA Webinar
Legal Landmines in Europe for Internet-Based Businesses
June 30, 12:30 p.m. to 2:00 p.m. ET

So you think your business practices are EU-compliant? You could be blindsided by European laws and regulations that are foreign, in every sense of the word, to your accustomed way of doing business. The recent conviction of three Google executives by an Italian judge is one notable example. Don't be caught off guard. Join Pike & Fischer's panel of legal experts as they expose European laws (both enacted and proposed) that potentially render U.S.-based Internet businesses liable for intellectual property, privacy, e-commerce, speech, and other violations.

Peter Fleischer, Global Privacy Counsel, Google, and Winston Maxwell and David Taylor, both partners with Hogan Lovells in Paris, will cover a wide range of topics, including data retention obligations, collection of personal data, and liability for user-generated content. The session will be moderated by Christopher Wolf, Partner, Hogan Lovells in Washington, DC.  

For further information: http://www.pf.com/eventDetail.asp?id=105&type=1.
 

European DP authorities issue "Future of Privacy" roadmap

The Article 29 working party of European data protection authorities (the “WP29”) published in early January a roadmap charting the future of privacy legislation in the EU. Entitled “The Future of Privacy – Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data,” the WP29 roadmap contains insight into areas of likely reform of European privacy law in the coming years. After an introduction describing the history and constitutional underpinnings of privacy legislation in the EU, the Future of Privacy roadmap outlines nine areas of needed reform:

1. Extend EU privacy legislation to law enforcement, former “third pillar” areas, which were heretofore excluded from the EU Data Protection Directive.

2. Consider modifying the criteria for determining when EU privacy law applies to controllers located outside the EU, particularly where non-EU established controllers target their activities at EU residents, through advertising and local language sites.  WP29 says it is currently preparing a detailed opinion on the applicability of EU law.

3. Support global standards, in furtherance of the so-called Madrid Resolution adopted on November 6, 2009, and increase international cooperation between data protection authorities.

4. Include “Privacy by Design” as an obligation applicable to all actors in the ICT (information and communications technology) sector.  Privacy by design should focus on principles such as data minimization, controllability, transparency, user friendly systems, data confidentiality, data quality and use limitations.

5. Empower citizens by increasing their ability to enforce privacy rules, including via class actions and alternative dispute resolution (ADR) mechanisms. Increase transparency obligations for the benefit of users and clarify the concept of user “consent.”

6. Increase accountability obligations for data controllers by imposing across-the-board data breach notification obligations (currently data breach obligations apply only in the electronic communications sector), and by encouraging self-audits, privacy impact assessments, and external certification procedures.  

7. In exchange for increased self-enforcement and accountability measures, WP29 suggests lifting many administrative filing obligations with data protection authorities, reserving filing only for cases where there is a serious risk to privacy.  Even in those cases, filing could be streamlined where organizations have conducted privacy audits or privacy impact assessments.

8. Impose minimum requirements to ensure that national data protection authorities are sufficiently independent and effective, including that they have sufficient funding.

9. Require the implementation of privacy impact assessments and related accountability measures for law enforcement organizations.

Adopted on December 1, 2009, but made available on the WP29 website only recently, the WP29 Future of Privacy roadmap is a contribution to the European Commission’s consultation on reform of EU privacy legislation, a consultation that closed on December 31, 2009. Other contributions can be viewed here.