Hogan Lovells privacy attorneys examine the challenges of deploying geolocation services in five jurisdictions, including France, Spain, Germany, the United States and Hong Kong. Privacy laws in each jurisdiction differ, including on the definition of "personal data," and on the degree of user consent that is required. The article also examines the WP Art. 29 opinion 13/2011 on "Geolocation services on smart mobile devices." See the full article here.
Quentin Archer in the Hogan Lovells London office prepared this entry.
Few topics in the world of EU data protection have generated so much debate, and so little understanding, as the change to the law on cookies. On 9 May the UK Information Commissioner issued some guidance on the new law, but anyone expecting clear instructions on how to achieve compliance will be very disappointed.
In essence, the change in the law is simple. The Privacy and Electronic Communications Directive of 2002 provided that users should be given clear information about cookies as well as an opportunity to opt out of them. Under the 2009 amendment to the Directive, which Member States are to implement by 26 May, users must give their consent to the storage of the cookie on their terminal equipment. Cookies employed for the sole purpose of carrying out the transmission of a communication over an electronic network, or which are strictly necessary for the provision of a service requested by a user, are exempt.
But how can consent be given? The Directive suggests in a recital that browser settings may be used, but does not mandate this, and largely leaves the question of the method of obtaining consent up to Member States. In recent months there has appeared to be a degree of brinkmanship amongst EU regulators, with everyone wanting to see how others would achieve implementation in practice. The UK regulations published last week (snappily titled the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) state that consent may be signified by browser settings, but the problem is that at present most browser settings are not sophisticated enough to allow a website owner to ensure that consent has been given.
In his guidance the Information Commissioner says that it is the responsibility of the website owner to determine how consent will be achieved. He expects owners to review cookie use. Some cookies may be “strictly necessary” for the receipt of a service being provided by means of a website, so will not require specific consent. Some will not intrude on the user’s privacy, so while they may fall under the terms of the new law they may not deserve priority attention. Potentially intrusive cookies should be examined to determine whether they are really necessary for the business of the website owner and, if they are, plans should be drawn up for obtaining the necessary consent from each user.
If browser settings cannot be used, then the website might be modified so that a pop-up window with a tick-box appears the first time a cookie is used, although the Commissioner recognises that this could be irritating. As an alternative, terms and conditions could be changed, allowing a whole set of cookies to be accepted at the same time, but there would need to be clear information provided to the user as well as a clear mode of giving consent – previous consent to future changes (e.g. the ubiquitous provisions allowing website owners to make changes to their terms from time to time) would not be enough. Other times for obtaining consent are where the user is setting up preferences for use of a site, or selecting features that he or she wishes to enjoy.
Nothing more specific than this is likely to emerge in the short term. The Commissioner says that he will be keeping the situation under review and will consider issuing more detailed advice, if appropriate, in the future. His message to website owners is that “we do not intend to issue prescriptive lists on how to comply. You are best placed to work out how to get information to your users, what they will understand and how they would like to show that they consent to what you intend to do. What is clear is that the more directly the use of a cookie or similar technology relates to the user’s personal information, the more carefully you need to think about how you get consent.”
The Commissioner has not yet published his guidance on enforcement of the new law, but his current policy is clear. If an organisation has considered the new law and has drawn up a realistic plan to achieve compliance then it will be treated with much more leniency in the event of a complaint than an organisation which (for whatever reason) has done nothing.
There are other changes coming on the 26 May in the UK, some of which are caused by amendments to existing EU Directives. The Commissioner’s powers to serve monetary penalties of up £500,000 are extended to cover direct marketing activities. The Commissioner will be able to require telecommunications companies and ISPs to provide him with information that he needs to investigate breaches of the Privacy and Electronic Commerce Regulations. The same bodies will also be required to notify the Commissioner and their customers in certain circumstances when a data breach occurs (the first time such laws have become compulsory in the UK). But it’s cookies which continue to grab the headlines.
Winston Maxwell, a partner in Hogan Lovells’ Paris Office prepared this entry.
On July 13, 2010 the EU’s Article 29 Data Protection Working Party adopted a report (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_en.pdf ) describing how ISPs and telecom carriers retain traffic data for law enforcement purposes in Europe. The European Data Retention Directive 2006/24/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML) was supposed to harmonize national laws on data retention. But according to the working party’s report, harmonization is seriously flawed in a number of respects.
The report confirms what we have heard from a number of our communications clients: each Member State has slightly different rules for retaining traffic data for law enforcement purposes, particularly when it comes to IP-based communications. The duration for retaining the data are different from country to country, and the kind of data to be retained are in many cases different. For a pan-European communications providers, this creates a real headache, because specific procedures and systems have to be created for each Member State where the communications provider does business.
The Article 29 working party comes at this from the angle of protecting European citizens, and complains that the lack of harmonization creates different levels of protection of personal data between different Member States, defeating the Data Retention Directive’s objective of harmonization. In this particular case, however, the interests of communications providers and EU citizens converge, because different rules on data retention create additional costs for communications providers, as well as different risks for citizens. The directive currently allows Member States to apply data retention periods of between 6 and 24 months. Several of the large EU Member States have chosen a period of 12 months, and the Article 29 working party recommends that the directive be amended to impose a single harmonized period instead of giving Member States a choice.
The legislation of Member States is fairly consistent regarding the kind of data to be retained for traditional voice communications, but for IP-based communications the practices vary. On this point, the Article 29 working party emphasizes that the only data that Member States can require service providers to retain are those listed in Article 5 of the Directive. In particular, the destination IP address and the URLs of web sites cannot be retained, because those data provide information on the content of the communication, which is prohibited. The working party deplores that many operators do not apply automatic erasure procedures at the end of the legally mandated retention period, and that many operators do not conduct security audits. Finally, the report complains that Member States have different definitions of what a “serious crime” is that would justify the communication of data to law enforcement personnel. The report recommends harmonization on this point too.
Although not specifically mentioned by the working party, the question of whether illegal downloading of copyrighted material is a “serious crime” is obviously a key issue, because several European countries are putting into place graduated response mechanisms that rely on the ISP communicating traffic data to a court or administrative body for the purpose of identifying the alleged infringer. On that front, BT and Talk Talk have lodged a complaint in the UK claiming that the Digital Economy Act, which allows OFCOM to send warning letters to individual infringers, violates fundamental privacy laws http://www.guardian.co.uk/technology/2010/jul/08/bt-talktalk-challenge-digital-economy-act .
Some courts are also questioning the constitutionality of national data retention laws enacted to transpose the Data Retention Directive. Last March, the German Supreme Court held that the implementation of a German law on data retention violated fundamental privacy rights, and ordered that the application of the law be suspended until such time as the government narrows its scope http://news.cnet.com/8301-13578_3-10462117-38.html .
The UK government has announced plans to launch a new website www.data.gov.uk , which will allow public access to official data, and has called on web-founder Sir Tim Berners-Lee, to assist. The website aims to improve transparency and will be similar to the US site 'data.gov', which already includes information from the US defense department and NASA.
The plan, initiated by PM Gordon Brown last year, is to develop a website for the public to find information and to make reports to public service providers, including traffic and crime statistics. In addition, various applications will be available to enable users to discover details of planning applications (in PlanningAlerts), or report potholes (in FillThatHole).
So far, the site has been in test mode, for developers to try out its features and provide feedback, but once 'live', it is hoped that public users will benefits from having the information and services in one place and see it as an alternative to requesting disclosure under the Freedom of Information Act, as BBC News reports - http://news.bbc.co.uk/1/hi/technology/8470797.stm
Under the Data Protection Act 1998 (“DPA”), it is an offense to knowingly or recklessly obtain or disclose personal data, or the information contained in personal data, without the consent of the data controller. Section 55 of the DPA details the offenses and any exclusions, or defenses, which may apply. It also sets out the procedure for monetary penalties to be imposed. Under the current law, the maximum penalty for those found guilty of offenses such as selling personal data is a £5,000 fine in the Magistrates Court and an unlimited fine in the Crown Court. However, cases leading to substantial fines are rare.
The Ministry of Justice (which oversees the Information Commissioner’s Office) has recently announced a consultation exercise to decide whether to introduce tougher penalties for breaches of section 55, DPA, which could lead to the introduction of custodial sentences for those convicted. Although provision was made to introduce prison sentences through the Criminal Justice and Immigration Act 2008, this has yet to be implemented and is subject to the consultation exercise, which is expected to close on 7 January 2010.
If adopted as law, the maximum penalty for the knowing or reckless misuse of personal data would be a prison sentence of up to 12 months (if heard in the Magistrates Court) or up to 2 years (if heard in the Crown Court). This is an important development for the ICO, which has fairly limited powers of enforcement, and is arguably a necessary response to the increasingly serious breaches of the DPA involving the misuse of personal data.
The United Kingdom Information Commissioner's Office ("ICO") has announced that with effect from 1 October 2009, a new notification fee of £500 will be payable by some larger organizations. This is the first change to the fee structure since the Data Protection Act 1998 became law in 2000.
Notification is the process by which data controllers register with the ICO. It is a mandatory requirement for organizations which process personal information in the UK.
The new £500 per annum fee will apply to a higher tier of:
• data controllers in the private sector with a turnover of £25.9 million and 250 or more members of staff; and
• data controllers in the public sector with 250 or more members of staff.
The standard notification fee is otherwise £35 per year and this will remain so for organizations in the lower tier category. The ICO has also confirmed that registered charities will not pay the higher fee, regardless of their size.
The increase in fees for larger organizations will, according to the ICO, help increase activity in terms of audits and investigations. An interesting comment, which should be noted by data controllers.
UPS Ltd has joined the ever-increasing number of companies featuring in the ‘Enforcement’ section of the UK Information Commissioner’s website, for failing to ensure the adequate security of personal data, which was held on an unencrypted laptop.
Security is one of the key data protection principles set out in Schedule 1, Part 1, of the Data Protection Act 1998 (the “DPA”) and although organizations are familiar with the principle, the basic elements of protecting data can still be overlooked. As a reminder, the DPA requires all ‘data controllers’ (such as UPS Ltd in this case) to comply with the eight data protection principles. The seventh principle deals with the security of personal data and provides that data controllers must take “appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”. This means, for example, using password protection and encryption on portable hardware, such as laptops and memory devices. Of course, such measures are only effective if everyone knows about them and uses them appropriately.
This recent decision involved the loss of personal data when a UPS employee’s laptop was stolen, whilst on business abroad last year. The laptop was unencrypted and was never recovered.
Unfortunately (but as is often the case) it held personal data belonging to some 9,150 UK-based employees. Worse still, the data was payroll-related and so contained information relating to employees’ names, dates of birth, National Insurance numbers, salary and bank details.
Whilst there is no legal requirement to inform the Information Commissioner’s Office (ICO) of a DPA breach, UPS Ltd’s lawyers made the notification for their client, presumably recognizing the harm that could result from the loss of such data, for the employees themselves and also for the company’s reputation.
By this time, UPS Ltd had endeavored to remedy the breaches and could therefore submit evidence of improvements it had made, to the ICO. Helpfully, in reaching its decision, the ICO noted such remedial steps as:
The ICO also recognized UPS Ltd’s understanding of the seriousness of the event and its efforts to comply with the DPA. Rather than issuing an Enforcement Notice, UPS Ltd were able to sign an undertaking to comply with the DPA and put in place these promises within 6 months.
This case demonstrates that although mistakes happen, there are ways to limit the exposure and organizations in breach of the DPA should act purposefully to rectify the damage as soon as possible.
Add this blog to your feeds or put your e-mail in the box below and hit GO to subscribe by e-mail.
Enter keywords:
