HL Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan Lovells Law Firm : Data Security, E-Commerce & Technology

The European Data Protection Directive 95/46/EC contains certain restrictions on the export of personal data to a country outside the European Economic Area (“third country”). Whether personal data may be transferred from the EU to a data importer located in a third country has to be assessed on the basis of a two-step test. First, the transfer must be justified on the basis of an explicit legal permission or the data subjects’ consent. Second, the third country where the data importer is located must ensure an adequate level of data protection.

With decision of 31 January 2011 (2011/61/EU), Israel – in addition to Argentina, Canada, Guernsey, Isle of Man and Switzerland – has now formally been recognized by the European Commission as a country which provides an adequate level of protection of personal data. The Israeli Law, Information and Technology Authority ("ILITA") will be the responsible supervisory authority.

Without such formal recognition a data transfer to a third country may only take place on specific conditions or where additional adequate safeguards are adduced (e.g. the conclusion of an appropriate transfer agreement based on the EU standard contractual clauses for the transfer of personal data to third countries).

Against this background, Israel’s formal recognition by the European Commission as a country providing an adequate level of data protection will help to reduce legal uncertainties and administrative efforts. However, before transferring data from the EU to Israel, data exporters should still be aware that the formal recognition only fulfills the second prerequisite of the two-step test outlined above. In any case, the data transfer itself requires a legal justification.

The EU Commission’s decision is available at the Commission's website.

• Email This
• Print
• Share Link

The Hong Kong financial services industry (as represented by the Consumer Credit Forum (the "CCF") with support from Hong Kong's financial regulator, the Hong Kong Monetary Authority ("HKMA"), have recently issued proposals to widen the scope of the current credit data sharing scheme in Hong Kong, in order to allow additional mortgage data of consumers to be shared among credit providers (the "Proposals"). If the Proposals are accepted, it will be necessary to amend the Code of Practice on Consumer Credit Data (the "Code of Practice") issued by the Privacy Commissioner for Personal Data (the "Commissioner") under the Personal Data (Privacy) Ordinance (the "Ordinance").

On 5 January 2011, the Commissioner issued a consultation paper to seek public comment on the Proposals. The public are invited to submit comments on the Proposals and the related privacy implications by 8 February 2011. 

• Email This
• Print
• Share Link

The beginning of the New Year gives us an opportunity to reflect on the evolution of privacy in France over the past twelve months and also to consider the new challenges and opportunities that will develop in 2011.

2010 was a year of evolution for the French data protection authority, the Commission Nationale de l'Informatique et des Libertés - "CNIL" and 2011 promises to bring further changes and evolutions. Formal changes came with evolution in the management of formalities with a new online platform for the completion of formalities, which seems to bring a much needed improvement in the delays for management of files. Policy evolutions also resulted from the adoption of documents providing guidance to data controllers with regards to the security of data or with the amendment of the general authorization of certain whistleblowing systems, which although it was needed could be regarded as slightly disappointing. 

In France, 2010 also saw privacy invite itself in the public debate, whether as a result of controls and sanctions conducted and imposed by the CNIL or as a result of high profile cases such as the Google StreetView controversy or the decision acknowledging the legitimacy of the dismissal of an employee on the basis of comments posted on his Facebook page.

The review of the past year also allows us to anticipate some of the CNIL's points of focus for 2011. Firstly, the evolution of technologies will still be at the forefront of data protection discussions during the coming year. In 2010, the CNIL approved a number of processes involving biometric data and the development of these technologies will continue to raise questions and issues this year. In 2011, the CNIL will also focus on the development and implentation of a major project: certification labels for products and services, which could become an important and discriminating factor to attract customers in the short and long term.

• Email This
• Print
• Share Link

Dr. Stefan Schuppert in the Hogan Lovells Munich office prepared this entry.  Stefan is a member of the Hogan Lovells Privacy practice and the  IP, Media & Technology group and advises companies in the fields of information technology and new media concerning intellectual property, contract law and data protection.

On November 23, the data protection authority (DPA) of the German Federal State of Hamburg imposed a €200,000 fine [link in German] against the Hamburg-based savings & loan Hamburger Sparkasse due to violations of the German Federal Data Protection Act (the BDSG) for, among other reasons, using neuromarketing techniques without customer consent.   The case – which attracted much negative publicity in Germany, including page 1 headlines and "top spots" in television news – may very well influence the assessment of neuromarketing techniques under data protection laws beyond Germany. 

• Email This
• Print
• Share Link

European Data Protection Supervisor Peter Hustinx traveled in frigid, snowy conditions from Brussels to London on 2 December for an interview presentation at the London Offices of Hogan Lovells attended by lawyers from the Hogan Lovells global Privacy and Information Management Practice as well as clients and friends of the firm. 

The interview coincided with visits to Europe of US Hogan Lovells privacy partners Barbara Bennett, Marcy Wilder and Chris Wolf, who participated in the IAPP Privacy Congress in Paris earlier in the week, and meetings with EU Hogan Lovells privacy colleagues in London, including: 

Quentin Archer (London)

Roger Tym (London)

Mac Macmillan (London)

Winston Maxwell (Paris)

Stefan Schuppert (Munich)

Hanno Timner (Berlin)

Marco Berliri (Rome)

Gonzalo Gállego (Rome)

Lionel de Souza (Paris)

Massimiliano Masnada (Rome)

Messrs. Maxwell and Schuppert and Ms. Wilder presented in Paris on Binding Corporate Rules and Mr. Wolf presented on the balancing of fundamental rights of privacy and anti-piracy. The London meetings were organized by Barbara Bennett and Quentin Archer and focused on global developments in privacy law and how best to provide seamless privacy law services to clients around the world with multi-jurisdictional needs.

The session with Mr. Hustinx, conducted by Hogan Lovells practice leader Chris Wolf, started with the observation that the firm’s practice is now the largest privacy practice in the world, and thus what happens in the EU with respect to privacy has great significance for clients of the firm. The focus of the interview was on the recently-issued draft agenda of the European Commission on privacy. 

Mr. Hustinx spent about an hour discussing many of the details of the draft agenda, including the process for its consideration, the concepts of the “right to be forgotten,” changes to the ways in which notice and choice are implemented, how national privacy laws might be harmonized across the EU, how cross-border transfers outside the EU might be facilitated, and the efficacy of increased enforcement and penalties.

Two observations by Mr. Hustinx stand out:

• The current EU data protection framework will stay in place for the next 4 to 5 years, as the process for consideration and implementation of the changes embodied in the Commission’s draft agenda will be lengthy and thorough.
• The day will come when the United States privacy framework will be recognized by the EU as providing “adequate protection” and thus allowing cross-border transfers without the employment of auxillary legal tools. Mr. Hustinx concurred in the observation that the FTC Report issued on 1 December contained concepts now present under the EU Directive and paralleled in significant ways the Commission’s draft privacy agenda. Mr. Hustinx declined to say when the time for the EU adequacy recognition for the US would come, but suggested it was not in the immediate future. He applauded the closer working relationship between the US and the EU on privacy matters, following a mention of greater US governmental attention to privacy issues, and said there are privacy protection concepts from around the world that may be adopted in the EU – that global exchanges of best practices is in everyone’s interests.

Hogan Lovells expresses enormous appreciation to Mr. Hustinx for meeting with us, and especially for the arduous travel to and from London he endured to be with us.

• Email This
• Print
• Share Link

Comments are due December 29 on a proposal that would require banks and money transmitters to report information to the U.S. government regarding international fund transfers, including the Social Security numbers of individuals that send or receive such funds.  

On September 30, 2010, the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, published a Notice of Proposed Rulemaking (NPRM)   for public comment.  The proposal would amend Bank Secrecy Act (BSA) regulations to add two new requirements.  First, banks and money transmitters would be required to report transmittal information on cross-border electronic transmittals of funds (CBETFs) on an ongoing basis; banks would have to report transfers of any amount, while money transmitters would have to report transfers of at least $1,000.   For reportable transactions of $3,000 or more, money transmitters would have to include in the report the taxpayer identification number (TIN), alien identification number, or passport number of the transmitter or recipient.  Second, the proposal would require all banks to file an annual report with FinCEN of the account numbers and TINs associated with each  account that initiated or received a CBETF. 

The information that would be reported is largely information that banks and money transmitters already collect, even though they currently are not required to report it as they would be under the proposed rule.

The proposal is aimed at furthering the government’s efforts to combat money laundering, terrorist financing, and other violations of law such as tax evasion and customs fraud.  The reports, FinCEN asserts, would greatly facilitate the ability of authorities to investigate and prosecute such activity.  The reports would be submitted to FinCEN, but could be accessed by other federal and state authorities.  This is already the case with other data currently collected pursuant to BSA.   

However, the affirmative reporting of information on all CBETFs – including account numbers and TINs – would be a significant change.  FinCEN would be given the Social Security number of every individual that uses a U.S. bank to either send or receive funds electronically across U.S. borders, and of many other persons that use money transmitters for such transfers.  This raises possible privacy and data security concerns – due both to the fact of the government having such data and to the need to prevent improper access to or misuse of the data.    

FinCEN has acknowledged the privacy and security concerns raised by the proposal and states that it will maintain sufficient procedures to keep such information safe and secure.   The data, FinCEN observes in the NPRM, “is highly sensitive data containing details about the financial activity of private persons.  Without proper safeguards, this data could be at risk of inadvertent or deliberate disclosure or misuse[.]” 

FinCEN is statutorily prohibited from issuing a final rule until it has established adequate, secure systems to accept the required reports.  For that reason, FinCEN does not expect to issue a final rule before January 1, 2012, because it does not expect to have the information technology systems in place to accept the reports before that time.  Even after a final rule is issued, FinCEN anticipates delaying the mandatory compliance date for some period to allow time for financial institutions to implement procedures to comply with the rule.

• Email This
• Print
• Share Link

The UK data protection authority has issued its first monetary penalties for serious data protection breaches. The two cases highlighted in the ICO press release reveal that a county council has been fined £100,000 for faxing highly sensitive information relating to child sexual abuse cases and care proceedings to the wrong recipients, on two separate occasions. The second case involves an employment services company, which has been issued with a fine of £60,000 for the loss of an unencrypted laptop. 

These are the first substantial fines imposed by the ICO, following the introduction of the new monetary penalties in April this year and the cases will attract huge attention as a result. The ICO has the power to award fines of up to £500,000 for serious breaches of the Data Protection Act, but until now, no major fines have been levied and it has been difficult to give real examples of the likely amounts for serious breaches.

The ICO has issued guidance on the new monetary penalties regime, which includes further details of the Commissioner's approach to these cases of serious data protection breach. The decision making process followed by the Commissioner is set out in a flowchart within the guidance, as follows:

The Commissioner has to be satisfied that –

a) There has been a serious contravention of section 4(4) of the Data Protection Act by the
data controller; and
b) The contravention was of a kind likely to cause substantial damage or
substantial distress; and either,
c) The contravention was deliberate; or,
d) The data controller knew or ought to have known that there was a risk that
the contravention would occur, and that such a contravention would be of a
kind likely to cause substantial damage or substantial distress, but failed to
take reasonable steps to prevent the contravention.

Once satisifed, the Commissioner will consider the level of fine to impose. The cases contained within the new press release may not be at the upper end of the scale, but they are not insignificant and should be noted by data controllers.

• Email This
• Print
• Share Link

The European Commission has just released a document setting forth its proposed strategy for revisions to EU data protection rules previewed in this blog recently.

The proposed changes were introduced this way in the Commission's news release:

What happens to your personal data when you board a plane, open a bank account, or share photos online? How is this data used and by whom? How do you permanently delete profile information on social networking websites? Can you transfer your contacts and photos to another service? Controlling your information, having access to your data, being able to modify or delete it – these are essential rights that have to be guaranteed in today's digital world. To address these issues, the European Commission today set out a strategy on how to protect individuals' data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU. This policy review will be used by the Commission with the results of a public consultation to revise the EU’s 1995 Data Protection Directive. The Commission will then propose legislation in 2011.

 The Commission then explained:

Today's strategy sets out proposals on how to modernise the EU framework for data protection rules through a series of key goals:

• Strengthening individuals' rights so that the collection and use of personal data is limited to the minimum necessary. Individuals should also be clearly informed in a transparent way on how, why, by whom, and for how long their data is collected and used. People should be able to give their informed consent to the processing of their personal data, for example when surfing online, and should have the "right to be forgotten" when their data is no longer needed or they want their data to be deleted.

• Enhancing the Single Market dimension by reducing the administrative burden on companies and ensuring a true level-playing field. Current differences in implementing EU data protection rules and a lack of clarity about which country's rules apply harm the free flow of personal data within the EU and raise costs.

• Revising data protection rules in the area of police and criminal justice so that individuals' personal data is also protected in these areas. Under the Lisbon Treaty, the EU now has the possibility to lay down comprehensive and coherent rules on data protection for all sectors, including police and criminal justice. Naturally, the specificities and needs of these sectors will be taken into account. Under the review, data retained for law enforcement purposes should also be covered by the new legislative framework. The Commission is also reviewing the 2006 Data Retention Directive, under which companies are required to store communication traffic data for a period of between six months and two years.

• Ensuring high levels of protection for data transferred outside the EU by improving and streamlining procedures for international data transfers. The EU should strive for the same levels of protection in cooperation with third countries and promote high standards for data protection at a global level.

• More effective enforcement of the rules, by strengthening and further harmonising the role and powers of Data Protection Authorities. Improved cooperation and coordination is also strongly needed to ensure a more consistent application of data protection rules across the Single Market.

Finally, the Commission described "the way forward" which allows input from affected stakeholders and interested persons:

The Commission's policy review will serve as a basis for further discussion and assessment. The Commission is calling on all stakeholders and the public to comment on the review's proposals until 15 January 2011. Submissions can be made on the Commission’s public consultation web site 

Building on this, the Commission will present proposals for a new general data protection legal framework in 2011, which will then need to be negotiated and adopted by the European Parliament and the Council.

In addition, the Commission will examine other measures, such as encouraging awareness-raising campaigns on data protection rights and possible self-regulation initiatives by industry. 

• Email This
• Print
• Share Link

Out of Brussels comes the news that the European Commission has circulated a document containing a draft strategy for improvements in data protection, including a long-awaited set of proposals for revamping of the EU Data Protection Directive. The proposals are prompted by the changes in technology and changes in the ways in which people share information since the adoption of the Directive in the 1990’s. It appears that the Commission intends to propose changes in the law and non-legislative steps to bring about the changes that are being discussed.  

According to Bloomberg, "[c]hanges could be made to the document before regulators discuss it on Dec. 4. They will then ask for support from national governments and EU lawmakers before they draw up draft legislation in mid-2011." 

The key components of the new EU strategy appear to include:

• The establishment of EU-wide registration forms for databases;
• Specific new rules on privacy notices, including the promulgation of EU “standard form privacy information notices” and special rules with respect to minors;
• New rules that strengthen and clarify the concept of consent to the collection, use and transfer of data;
• New rules on data minimization;
• The creation of a “right to be forgotten” by giving a right to demand deletion of data no longer needed for the purpose for which it was collected);
• The creation of a right of “data portability,” allowing individuals to take his/her photos, medical records or a list of friends from an application or service and transfer them into another one;
• New rules on what constitutes “sensitive data”;
• New remedies for violations of privacy, including expanded criminal sanctions and  empowering data protection authorities with the right to go to court;
• The establishment of security breach notification rules;
• Clarification on the legal rules that will attach to data stored in the cloud, regardless of the geographic location of the controller;
• The possible introduction of an “accountability” principle to ensure compliance with data protection laws;
• New rules that make the appointment of corporate Data Protection Officers mandatory, along with privacy impact assessments and the employment of privacy by design principles
• The encouragement of self-regulatory schemes and privacy seals;
• Improvements in current procedures for international data transfers, in order to ensure a more uniform and coherent EU approach vis-à-vis third countries and international organizations;
• Clarification of  the Commission’s adequacy procedure and improved specification of the criteria and standards for assessing the level of data protection in a  third countries;
• A re-definition of  standard data protection clauses to be used in international agreements, contracts, binding corporate rules or other legally binding instruments.
• Clarifying and strengthening the status and the powers of the national Data Protection Authorities in the new legal framework, including the concept of "complete independence";
• Exploration of ways to improve the cooperation and coordination between Data Protection Authorities and to ensure better enforcement of EU rules, particularly on issues having a cross-border dimension. This may include strengthening the role of the Article 29 Working Party and providing it with additional powers in order to give a European response to breaches of data protection rules at EU level, or to create a European Data Protection Authority.
• Enhancing international privacy enforcement in a cooperative fashion.

Any one of the proposed changes would be news, but taken together, they suggest a dramatic set of possible changes with respect to data protection in the EU. 

• Email This
• Print
• Share Link

The European Commission has filed a complaint against the United Kingdom in the European Court of Justice (ECJ) alleging a failure by the UK government to implement EU directives on privacy and data protection. The case arises out of the incident involving BT Group's testing of targeted advertising using technology from Phorm without the express consent of consumers. The European Commission started its investigation earlier this year, and was not persuaded by the responses it received from the UK authorities:

The Commission considers that existing UK law governing the confidentiality of electronic communications is in breach of the UK's obligations under the ePrivacy Directive 2002/58/EC and the Data Protection Directive 95/46/EC in three specific areas:

There is no independent national authority to supervise the interception of some communications, although the establishment of such authority is required under the ePrivacy and Data Protection Directives, in particular to hear complaints regarding interception of communications

 

Current UK law authorises interception of communications not only where the persons concerned have consented to interception but also when the person intercepting the communications has ‘reasonable grounds for believing’ that consent to do so has been given. These UK provisions do not comply with EU rules defining consent as 'freely given, specific and informed indication of a person’s wishes

 

Current UK law prohibiting and providing sanctions in case of unlawful interception are limited to ‘intentional’ interception only, whereas EU law requires Members States to prohibit and to ensure sanctions against any unlawful interception regardless of whether committed intentionally or not," 

 

In April, then-EU Telecoms Commissioner Viviane Reding drew a line in the sand:  "I call on the UK authorities to change their national laws and ensure that national authorities are duly empowered and have proper sanctions at their disposal to enforce EU legislation on the confidentiality of communications." (Ms. Reding currently is European Commissioner for Justice, Fundamental Rights and Citizenship and presumably was influential in the decision of the Commission to sue the UK.)  The UK government is facing fines in the case just brought by the Commission.

• Email This
• Print
• Share Link

This post was provided by Gabriela Kennedy and Heidi Gleeson of Hogan Lovells' Hong Kong office.
 

The recent large scale sale of personal data by Hong Kong's Octopus Holdings Ltd. for the purposes of direct marketing is currently being investigated by the Hong Kong Privacy Commissioner and has prompted calls for reforms to the data protection regime.

The Octopus case

Octopus Holdings Ltd. operates the Octopus card, which is an electronic stored-value payment card used by Hong Kong residents for public transport, fast-food restaurants, parking, convenience stores and supermarkets. The cards may also be used as a student card or as an access card for residential apartments or office buildings.

In addition to the electronic payment facilities, Octopus Rewards Limited, a company which is wholly owned by Octopus Holdings Ltd. (referred collectively as "Octopus") operates a rewards program linked to the Octopus card, whereby card holders earn reward cash every time they make purchases with their Octopus cards at selected business partners ("Rewards Program"). While the electronic payment facilities of the Octopus card may be used without registering and providing any personal data, card holders wishing to take advantage of the Rewards Program must first register with Octopus. Card holders are requested to supply a broad range of personal information on the registration form (some of which is required for the application to proceed), including name, identity card or passport number, gender, month and year of birth, contact details, marital status, education level, occupation, income and interests.

Octopus provided the personal information of almost 2 million card holders to six insurance companies for direct-marketing over a four and a half year period, earning the company HK$44 million in revenue.

The application form for the Rewards Program was drafted in such a way as to give Octopus very broad rights to deal with the personal information of card holders. In signing the application form for the Rewards Program, card holders automatically consented to their personal data being disclosed to any third party (at Octopus's discretion) and used for direct marketing purposes. The only way that card holders were able to opt-out from their personal information being sent to third parties was to first sign the form (thereby consenting to the distribution and sale of their data to any third party), and later call Octopus to opt-out, a process which Octopus conceded would take approximately three days. The application form cross-referred to a separate set of terms and conditions relating to data protection/privacy, making it unlikely that the card holder would fully understand the scope of their consent prior to signing the form. Even if card holders understood that by signing the registration form they consented to their personal information being sold to third parties, it is likely that given the inconvenient and time consuming opt-out procedure, they would be reluctant to take the necessary steps to protect their personal information.

Investigation by the Privacy Commissioner

On 21 July 2010, the Privacy Commissioner ordered a formal enquiry into Octopus's practices to ascertain whether the collection and disclosure of card holders' personal data for direct marketing purposes was in contravention of the Personal Data (Privacy) Ordinance (the "Ordinance"). The Commissioner exercised his powers under the Ordinance to hold a hearing to summon witnesses to assist with the investigation.

The Privacy Commissioner is yet to issue the final report on the investigation. However, in response to the mounting public concern regarding the handling of personal data under the Rewards Program, on 30 July 2010 the Privacy Commissioner took the unusual step of issuing an interim report, containing his preliminary findings as well as interim recommendations to Octopus regarding its handling of personal data.

The Privacy Commissioner made 12 recommendations regarding Octopus's handling of personal data, including the following:

• Card holders should be able to submit their applications for the Rewards Program using only their names and Octopus card numbers.
• Consent to use personal data for direct marketing purposes should be expressly given and should not be deemed.
• The parties to whom personal data may be transferred should be clearly identified.
• Octopus should not disclose personal information other than name and contact information for direct marketing purposes, as any additional information is unnecessary and excessive.

The Privacy Commissioner is yet to issue a final determination on the matter. If Octopus is found to have breached the Ordinance it is likely to be because the scope of the information collected was arguably excessive for the purposes for which it was collected.

Calls for reform

As Octopus sold the personal information of almost 2 million people (almost a third of the population of Hong Kong) to third parties, the case received a fair amount of publicity and has generated debates in the media and has led to calls for reform of the data protection regime in Hong Kong.

Hong Kong's Personal Data (Privacy) Ordinance is currently under review by the Government. A number of amendments have been proposed, partly in response to the increasing concern of the public relating to protection of personal data. The Government published a consultation document on 28 August 28 2009, inviting public comment on the proposed amendments to the Ordinance. The consultation period ended on 30 November 2009. The Government is yet to make any further announcements in relation to the reforms, but given the profound impact that the proposed changes may have on various sectors of the community and the recent furore over the Octopus case, it is expected that further changes may be introduced when the bill is made public.

Gabriela Kennedy (Partner) (gabriela.kennedy@hoganlovells.com) and Heidi Gleeson (Foreign Legal Assistant), Hogan Lovells, Hong Kong.

• Email This
• Print
• Share Link

On September 21, 2010 Hogan Lovells privacy partners Marco Berliri and Winston Maxwell briefed the Italian smart metering consortium E-Cube on the practical aspects of privacy by design. The seminar commenced by a presentation of the E-Cube project by Telecom Italia Director of Public Policy, Lorenzo Pupillo. The e-Cube project involves leading Italian industrial companies and universities in Italy, and is funded by the Italian government. A full presentation of the e-Cube project can be found in Dr Pupillo’s paper here.

Seven pillars of privacy by design.

After Dr Pupillo’s introduction, Marco Berliri and Winston Maxwell presented the seven principles of privacy by design, contrasting the preventive and “positive sum game” approach with the current confrontational and “zero sum game” approach that is currently the norm when dealing with data protection authorities in some European countries. Marco Berliri gave an overview of the current legislative framework for privacy in Europe, while Winston focused on the June 2010 report of the smart grid task force at the European Commission. The report, submitted by the so-called Expert Group 2 (EG2), fully endorses the privacy by design approach, recommending that European standards organizations working on smart grid standards take privacy requirements into account. The EG2 report urges smart grid stakeholders to be inspired by security and privacy practices of other industries, particularly telecommunications and banking. The EG2 report also highlights a methodology developed by a consortium of electricity providers in the Netherlands to conduct privacy impact assessments of smart grids systems.

NIST report compared.

Marco and Winston then compared the European approach as outlined by the EG2 report with the August 2010 recommendations of the NIST in the U.S. The NIST’s report on privacy over smart grid contains a useful discussion of different concepts of personal data which go from the U.S. concept of “personally identifiable information” (PII) to data about behavior inside the home that can be developed using Non-intrusive Appliance Load Monitoring (NALM) which provides a very detailed individual fingerprint of a given household’s behavior. The NIST suggests that the traditional notion of PII in the U.S. may not be adequate to address the risks posed by granular use data. Marco compared PII with the European concept of personal data. In response to a question from an E-Cube consortium member, Winston and Marco described the process of developing privacy use cases, using the two examples presented in the NIST report, as well as a use case involving the Canadian electricity company Hydro-One. Each use case requires breaking a service into small individual parts. For each part of the service one must ask whether key privacy requirements are being addressed. For example, if a consumer brings home a smart thermostat from the store and plugs it in for the first time, that thermostat will first seek to communicate with the home area network, which will in turn communicate the details of the thermostat to a central server so that the thermostat can be authenticated and registered in the service. In a privacy use case, this seemingly simple process may be broken down into five or more individual parts and for each part one must ask the questions: Is the communication link encrypted? Is the device transmitting the minimum amount of data necessary? Are organizational measures in place to ensure that the data are accessible only by the right people in the organization? Does the process contemplate a date when the data would be deleted? It is by building these individual use cases that Privacy by Design can be built up, piece by piece. As aptly put by the EG2 report: “Security is a path, not a destination!”

Sharing consumption information.

Finally, Marco and Winston compared Italian legislation which obligates electric utilities to share consumer usage data with the similar requirement adopted in December 2009 by the California Public Utilities Commission. Winston mentioned that the U.S. FCC is placing a particular emphasis on innovations at the edges in the smart grid ecosystem but this policy creates a dilemma for regulators who may not have jurisdiction over the service providers to whom the data are supplied. Winston pointed out that the California PUC is expected to issue more detailed privacy requirements before the end of 2010 and that these requirements are expected to address the issue of transfers of data to a third party service providers.

Cloud computing.

Marco reminded participants of the rules regarding transfer of personal data outside the European Union, pointing out that some data may in fact be transferred outside the European Union if an electricity service provider outsources some of its data processing, or makes use of cloud computing.

A copy of Marco and Winston’s presentation can be found here.

• Email This
• Print
• Share Link

This month saw the launch of the ICO's first code of practice on online privacy, following extensive consultation earlier in the year. The code provides good practice advice for organisations providing goods and services using the web and explains how the Data Protection Act applies to the collection and use of personal data online.

The code is divided into the following 7 chapters, and also includes a helpful annex and glossary of terms, for those less familiar with online jargon. You can read on to see our summarised highlights of the code, but we also recommend reading the full guidance document on the ICO website, through the link provided above. It should be of particular interest to businesses engaged in behavioural advertising, online sales and cloud computing.

 

• Email This
• Print
• Share Link

Quentin Archer, a partner in the London Office of Hogan Lovells, provides this report

The Article 29 Working Party (set up under Article 29 of the European Data Protection Directive) has been very productive over the last month as the summer holidays approach, issuing four opinions, one report and one set of FAQs.  In recent years we have come to expect these spikes in publications at the middle and end of each year, which are perhaps more a product of the Working Party's internal approvals process than any indication of unusual activity. 

Behavioral Advertising

In June, the Working Party issued Opinion 2/2010 (WP171) on online behavioral advertising.  The Working Party notes that both the E-Privacy Directive and the Data Protection Directive are relevant to online behavioral advertising, and goes into some detail on the requirements of the E-Privacy Directive (amended in 2009) that cookies should be employed for this purpose only with the informed consent of users.  It recommends that advertising network providers should limit in time the scope of consents given by users, offer the possibility for consents to be revoked easily and create visible tools to be displayed where monitoring takes place.  In relation to general data protection obligations, it emphasizes the importance of transparency regarding processing of personal data and points out that the responsibility for ensuring transparency will be shared between different service providers in relation to behavioral advertising.  However, the Working Party does not prescribe how legal obligations should be fulfilled from a technological point of view, and instead invites industry to undertake a dialog with it to explore how the legal framework set out in the Opinion can be satisfied.

For a more detailed discussion of the provisions of this opinion, see our analysis here.

Controller-Processor Standard Clauses

On 12th July 2010, the Working Party issued FAQs (WP176) designed to address issues raised by the entry into force of the Commission Decision of 5th February 2010 on the new controller-processor standard clauses.  Several of the FAQs address the situation where personal data is transferred from an EEA-based controller to an EEA-based processor and then to a non-EEA-based sub-processor, which is not specifically contemplated by the new clauses.  As the new clauses cannot be used to effect this, the Working Party suggests different solutions to address the problem.  The remainder of the FAQs answer a variety of questions which might arise where the processor to whom the data are transferred is located outside the EEA, such as whether a data exporter's consent to sub-processing must be specific or can be general, and whether sub-processing agreements can be made in respect of more than one data exporter.

Data Retention

On 13th July, the Article 29 Working Party issued Report 01/2010 (WP172) on its second joint enforcement action, which concerned the implementation of the Data Retention Directive (Directive 2006/24/EC).  The Data Retention Directive derogates from the provisions of the E-Privacy Directive by requiring Member States to ensure that certain categories of communications data are retained for periods of not less than six months and not more than two years.  This is in contrast to the general principle in Article 6 of the E-Privacy Directive, which requires such data to be erased or anonymised when it is no longer needed for the purposes of the transmission of a communication.

The data protection authorities of 25 EEA member states contributed to the joint enforcement action, circulating questionnaires and conducting onsite investigations in certain cases.  It was discovered that there were significant differences between Member States regarding retention of internet services traffic data, with variations in retention periods.  A more uniform picture emerged in relation to the retention of telephone traffic data.  The Working Party established that there was inconsistent implementation at domestic level as a result of differing views over the scope of the Directive, notably whether it was meant to be a derogation from the general obligation to erase traffic data upon conclusion of an electronic communication, or whether instead it affected only data which providers were already allowed to store for subscriber billing and interconnection payments purposes in accordance with Article 6(2) of the E-Privacy Directive.  The Working Party recalled its previous opinions on the Data Retention Directive and (awaiting the decision of the Commission as to whether or not to amend or repeal the Directive) it laid down specific recommendations to ensure increased harmonization, more secure data transmission and standardized handover procedures.

For a more detailed discussion of the provisions of this opinion, see our analysis here.

Accountability

Also on 13th July, the Working Party issued Opinion 3/2010 on the principle of accountability (WP173). The Opinion proposes that a new principle on accountability should be introduced (as part of amendments to the Data Protection Directive) which would require data controllers to put in place appropriate and effective measures to ensure that the principles and obligations set out in the Directive are complied with, and to demonstrate this to supervisory authorities upon request.  It is hoped that this will provide a practical means of ensuring the observance of data protection rules as well as helping data protection authorities in their supervision and enforcement tasks.

FEDMA

The third opinion, also adopted on 13th July was Opinion 4/2010 on the European Code of Conduct of FEDMA for the Use of Personal Data in Direct Marketing (WP174).  The approval of draft community codes of conduct is anticipated in Article 27(3) of the Data Protection Directive, and indeed the European Code of Conduct of FEDMA (the Federation of European Direct and Interactive Marketing) had been the subject of a previous favorable opinion of the Working Party in June 2003.  The subject matter of the present Opinion was an annex to the Code dealing with the specific problems created by the on-line world, with special reference to provisions designed to protect children.  The annex (which is exhibited to the Opinion) was approved by the Working Party and FEDMA was encouraged to promote it within the direct marketing sector.

RFID

The final July 13th opinion is the Opinion 5/2010 on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications.  The opinion comments on an industry framework for RFID privacy impact assessments (PIA).  Although the Working Party agreed with the broad framework of the industry report, it indicated three concerns:  (1) no section of the PIA requires the RFID operator to identify risks associated with the RFID application; (2) the proposed framework fails to encourage the RFID operator to identify risks to individuals related to carrying RFID tags in everyday life; and (3) lack of clarity regarding RFID tag deactivation in the retail sector.  As a result of these concerns, the Working Party encouraged stated it could not endorse the proposed document.

• Email This
• Print
• Share Link

Winston Maxwell, a partner in Hogan Lovells’ Paris Office prepared this entry.

On July 13, 2010 the EU’s Article 29 Data Protection Working Party adopted a report (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_en.pdf ) describing how ISPs and telecom carriers retain traffic data for law enforcement purposes in Europe. The European Data Retention Directive 2006/24/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML) was supposed to harmonize national laws on data retention. But according to the working party’s report, harmonization is seriously flawed in a number of respects.

The report confirms what we have heard from a number of our communications clients: each Member State has slightly different rules for retaining traffic data for law enforcement purposes, particularly when it comes to IP-based communications. The duration for retaining the data are different from country to country, and the kind of data to be retained are in many cases different. For a pan-European communications providers, this creates a real headache, because specific procedures and systems have to be created for each Member State where the communications provider does business. 

• Email This
• Print
• Share Link

In a speech to at Atlantic Council in Washington, DC on 9 July, Viviane Reding, Vice-President of the European Commission responsible for Justice, Fundamental Rights and Citizenship announced that she has begun exploratory talks with the United States for a comprehensive EU-US agreement for personal data protection standards to apply whenever personal data needs to be transferred across the Atlantic for the purposes of police and judicial cooperation in criminal matters.  Vice-President Reding said:  "The aim is clear: to provide legal certainty to data transfers by ensuring that all these transfers are subject to high standards of data protection on both sides of the Atlantic."

Also appearing at the Atlantic Council with Vice-President Reding was Department of Homeland Security Secretary Janet  Napolitano who, according to the Atlantic Council web site

noted that the United States has a long tradition of insisting on personal privacy — and is in some ways, such as a cultural antipathy to national identification cards and showing passports at hotel check-ins and the like, even more privacy conscious than Europe— the fact of the matter is that protection of personal data does not rise to the level of fundamental right in our society. 

That difference in approach in the US from the EU, with its Charter of Fundamental Rights which very specifically guarantees a right to personal data protection, suggests that the road to a bilateral treaty will be long.

Likewise, the path to the EU recognizing the US as a country with "adequate protections" allowing the cross-border flow of personal data without the encumbrances of model contract clauses, the EU-US Safe Harbor or Binding Corporate Rules seems distant.  Still, at a dinner this author had with Vice-President Reding with her delegation following her Atlantic Council (and her deposit of the new EU "Bill of Rights" a the National Archives), I was able to preview some of the themes of my upcoming presentation at the PLI Privacy Law Institute in Chicago on Monday, 19 July entitled "Is the Tide Turning? The Impact of the HITECH Act & Other Federal Regulation."  I conveyed to Ms. Reding that the time has come for the EU to reappraise the US level of protection given the FTC's "common law of consent decrees" through which specific rules on data protection have arisen, given the forty-six state data security breach notification laws which have prompted heightened attention to the protection of personal data, and given the application and enforcement of the many other sectoral and geographic privacy laws. 

• Email This
• Print
• Share Link

 Florian Unseld in the Hogan Lovells Munich office prepared this entry.  Florian specializes in data protection, information technology and intellectual property law. His work focuses on advising on all aspects of national and international data protection law including major cross-border projects. Florian also advises on the drafting and negotiating of contracts, software-licensing and the legal form and realization of IT-projects.

Introduction

The German authority, the Düsseldorfer Kreis, has issued an opinion that requires additional steps for German entities using the EU-US Safe Harbor for the transfer of personal data from Germany to the United States. 

This is a somewhat startling development as it previously was assumed that registration under the Safe Harbor by a US recipient of personal data from the EU was, by itself, adequate for the transfers to proceed.  Now, in Germany at least, greater diligence is required by the exporter of the data to the US to confirm that the Safe Harbor principles are followed by the recipient in the US.

The Düsseldorfer Kreis is a working group of representatives from Germany's sixteen state data protection authorities that provides a uniform "German" approach to data protection questions.  It issued a Decision (dated 28/29 April 2010) ("Decision") on the transfer of personal data from German companies to U.S. companies which are certified under the U.S.-EU Safe Harbor framework ("Safe Harbor"). The Decision responded to criticism of the Safe Harbor, in particular that (some) US companies represent that they are formally registered but do not adequately live up to the commitments the registration connotes. 

The representation by a U.S. entity that it is Safe Harbor certified now is not enough according to the Düsseldorfer Kreis because, in its view, European and U.S. regulators currently do not ensure that the U.S. companies comply with the self-certification.

The Federal Trade Commission in the United States is charged with enforcement of the Safe Harbor, to ensure that entities claiming registration are in fact registered and compliant.  See our previous report on FTC enforcement activity.  It appears that FTC enforcement power and its record of enforcement was inadequate in the eyes of the German officials.

What more is needed when the Safe Harbor is used for Germany-US personal data transfers?

German companies now are obliged to assess certain minimum criteria prior to transferring personal data to Safe Harbor-registered US companies:

(1) German companies exporting personal data must confirm that the US entity actually is registered  on the Safe Harbor, and is not just claiming that it is registered. 

(2) There must be confirmation that the US recipient is fulfilling its Safe Harbor obligations of notice  to individuals whose data is collected; specification of the purpose for which the data is collected and used; disclosure of whatever third parties subsequently receive the data once it is transferred to the US; provision of a mechanism for data subjects to limit the use and disclosure of data; and a complaint process for data subjects.    

(3) The German company must also document its assessment and provide its documentation to the competent data protection authority upon request.

(4)  In case any infringement of the Safe Harbor Principles or the expiration of a registration is detected, the data protection authorities should be informed.

Perspective

European regulators take data protection seriously and are taking steps to bolster enforcement. German companies transferring personal data to the US now have to be careful which Safe Harbor certified company to choose -- or whether even to switch to other approved safeguards (e.g., Standard Contractual Clauses), an alternative solution proposed by the Düsseldorfer Kreis.  It remains to be seen whether this additional level of Safe Harbor diligence will be required  by other European regulators.

• Email This
• Print
• Share Link

On June 22, the Article 29 Working Party established by the 1995 European Directive on Data Protection published an opinion declaring that online advertisers who want to target ads by tracking consumers' surfing habits must obtain the consumers' affirmative opt-in consent to such data collection. At the same time, the Working Party lauded certain privacy-enhancing practices incorporated into behavioral advertising today and it encouraged industry to develop technologies to comply with the framework and “to exchange views” with the Working Party on the use of such technologies.

Behavioral Advertising is Regulated in the EU by Two Primary Sources

The Working Party explained that behavioral advertising ecosystem is regulated in the EU by two primary sources. The first is Article 5(3) of EU Directive 2002/58 (the ePrivacy Directive) that requires that organizations wishing to store or access information on an individual’s computer to obtain the consent of the individual before doing so. The ePrivacy Directive is to be implemented in the national laws of EU member states law by June 2011. 

The Opinion explained that since behavioral advertising relies on the placement of cookies (small data files) on individuals’ computers to aid in the tracking of their web browsing habits, the ePrivacy Directive applies. In addition, the Opinion went on to specify that if the behavioral advertising involves the collection of any personally identifiable information (PII), including an individual’s IP address (which is recognized as PII in the EU), then the EU Directive 95/46/EC (the Data Protection Directive) also applies.

Opt-In Consent Requirement and Opt-Out Deficiencies Explained

The major theme of the opinion is that under the ePrivacy Directive, meaningful, informed consent must be obtained by an individual before any information is collected and used for behavioral advertising purposes. The opinion went a long way in discussing what the Working Party considers to be meaningful consent in the behavioral advertising context.

Currently, consumers can "opt out" of behavior tracking through control panels offered by certain online advertising services or by relying on default web browser settings through which Internet users automatically accept all cookies that websites request to place on their computers. Users are therefore automatically “enrolled” in behavioral advertising, and can only stop the practice (if they know it is occurring) by blocking or deleting cookies.

The Working Party rejected this “opt-out” approach, concluding that it does not sufficiently allow individuals the ability to exercise choice on whether to share their information with behavioral advertisers. Instead, it stated that notice to individuals should explicitly reference the ad network that will place the cookie and describe how the information will be used once it is collected. Then, the individual should be given the opportunity to “opt in” to the sharing of their information for behavioral advertising purposes. 

Once a user opts in, separate consent would not need to be obtained every time the user visited a website participating in the ad network, but separate consent would need to be periodically obtained (the opinion did not specify a time period) and the user would need to be afforded the opportunity to easily revoke consent.

Room for Innovation

While the Working Party charted a path for behavioral advertisers to follow in the EU, it also left room for behavioral advertisers to deviate from that path, so long as they utilize methods to ensure that users understand and sufficiently consent to behavioral tracking. Specifically, the Working Party cited the Future of Privacy Forum’s efforts in developing icons to place on targeted ads with links to additional information, and called these efforts an example “which the Working Party finds both positive and necessary.” It also recognized tools that enable users to access the preference profiles maintained about them by ad networks, and to modify them and erase them if desired. A final area that the Working Party cited for improvement was the provision of privacy-protective default settings for web browsers, a development it called “paramount.”

Other Obligations

The Working Party drew on other legal sources, most prominently the Data Protection Directive, to list some other obligations for those engaging in behavioral advertising. Specifically, it stated that:

• Email This
• Print
• Share Link

This post was provided by Julia Peng of Hogan Lovells' Beijing office.

On 19 October 2010, the People’s Republic of China (“PRC”) State Administration of Industry and Commerce ("SAIC") issued the Second Revision of the PRC Consumer Protection Law (Draft for Comments) (the "Draft Consumer Law"). A significant addition to the Draft Consumer Law is a provision for the protection of consumers’ personal data.

According to Article 14 of the Draft Consumer Law, consumers enjoy the right to have their personal data protected when purchasing and using goods and services. The same article also clarifies the scope of the personal data which is protected. It includes a consumer's name, gender, age, profession, contact details, health condition, family, properties, purchase records and other information closely related to the consumer or their families 

• Email This
• Print
• Share Link

This post was provided by Gabriela Kennedy and Olivia Lennox-King Stewart of Hogan Lovells’ Hong Kong office.

The Constitutional and Mainland Affairs Bureau (the "CMAB") published a Consultation Document on the Review of the Personal Data (Privacy) Ordinance (the "Consultation Document") on 28 August 2009, inviting comments on the proposed amendments. The consultation period closed on 30 November 2009.

Prior to the Consultation Document being released, the Privacy Commissioner for Personal Data presented to CMAB and the Government the results of his own review of the Personal Data (Privacy) Ordinance (the "Ordinance"). The Consultation Document included some but by no means all of the issues captured in the Commissioner’s review.

In November 2009, the Commissioner released his submissions on the Consultation Paper, responding to the proposals CMAB had formulated. The Commissioner states in his submissions that they were intended to "let the public know more about the issues before making their submissions", and noted that the Government's proposals were "more moderate and conservative than those made by the Commissioner".  

• Email This
• Print
• Share Link

by Lionel de Souza

On May 26th, the European working party on data protection established by article 29 of the 1995 European Directive on Data Protection (the "Working Party") sent letters to the three main search engine providers, Google, Microsoft and Yahoo!, to express its concern about how the search engine providers protect the online privacy of their users.

These letters follow a number of exchanges that have taken place over the past two years between the Working Party and the companies.  The process started with the Working Party's March 2008 opinion on search engines, which was later followed by a questionnaire to search engine providers and a hearing in February 2009.

In response to the Working Party's opinion, Google, Microsoft and Yahoo! all publicly announced amendments to their respective policies regarding the term of retention and anonymization of user data.  While these modifications generally have been welcomed as improvements of search engine practices, the Working Party still considers them insufficient.  Overall, the Working Party points to:

(1) the insufficient level of anonymization of data implemented by search engines or the lack of complete information to appreciate the appropriateness of such measures; and

(2) the excessive term of retention of user data (especially in consideration of possible cross-referencing).

Based on these elements, the Working Party states that it "cannot conclude that [these companies comply] with the European Data Protection Directive" and "urges" them "to review their anonymization claims and make the process verifiable."

To do so, the Working Party recommends that all three search engine providers implement and submit to an auditing process which would be conducted by external and independent third parties.  It is interesting to note that such an auditing procedure does not rely on any specific legal ground imposed by the European data protection legislation and that the search engines are therefore under no obligation to implement such a procedure.  If they did agree to an audit,  however, a number of questions would arise, such as the adequate frequency at which audits should be conducted or the publicity of the results of the audits. 

Finally, the Working Party, taking into account the "strong international component of this debate" sent copies of the three letters to the FTC (as well as the European Commission Vice-President in charge of Justice, Fundamental Rights and Citizenship - Viviane Reading) to share its concerns and to request an inquiry of the compliance of the behaviors with Section 5 of the Federal Trade Commission Act which prohibits "unfair or deceptive acts or practices in the marketplace".

In a general context of increased attention in the European general public with regards to issues of privacy, the reactions by the search engines and the FTC to the issues raised will be closely scrutinized.

The Working Party's letters to can be found here. 

• Email This
• Print
• Share Link

Special thanks to Lionel de Souza in the Hogan Lovells Paris Office for this entry.  Lionel specializes in issues relating to privacy and data protection, e-commerce, the liability of technical intermediaries, IT contracts, outsourcing, online compliance, the intellectual property aspects of information technology and the Internet and encryption. He has a masters degree in digital law and new technologies from the university of Paris and an LL.M from the University of Edinburgh.
 

The European Commission published its "Digital Agenda for Europe" on 19 May 2010. The document presents a number of future measures designed to "maximize the social and economic potential" of information and communication technologies ("ICT").   Unsurpirsingly, privacy is an important focus.

As a starting point, the Commission sets out seven areas which it regards as problematic and in need for revision to foster economic growth based on ICT.

These seven issues are (1) the existence of fragmented digital markets within the European Union;  (2)  the lack of interoperability on European markets;  (3)   the rise of cybercrime and the risk of low trust in networks;  (4)  the lack of investment in networks;  (5)   insufficient research and innovation efforts  (6)  the lack of digital literacy and skills; and the missed opportunities in addressing societal challenges (e.g. environmental concerns, etc.).

To make improvements in these areas, the Commission emphasizes that privacy and data protection will play an essential role.  Throughout the document, the Commission underlines the need to increase trust in the ICT and internet services and  that such trust necessarily includes confidence in the protection of privacy and personal data.

The  Commission set as one of its key actions to "review the European data protection regulatory framework with a view to enhancing individuals' confidence and strengthening their rights by the end of 2010". It has also set out its intention to promote and progressively impose on goods and services providers the concept and notion of "Privacy by Design", to include, in its review of the data protection framework, the possible "extension of the obligation to notify data security breaches" and to give guidance, by 2011, "for the implementation of a new telecoms framework with regards to the protection of individuals' privacy and personal data".

The document is ambitious and has the potential to have an important impact on operators and allow for the development of business using ICT in the few coming years.

The European Commission's Digital Agenda for Europe can be found here.

• Email This
• Print
• Share Link

  While the Hogan Lovells Chronicle of Data Protection primarily is designed for news and analysis of developments in the field of privacy and data protection, we want to take the opportunity of the recent combination of Hogan & Hartson with Lovells to inform our readers of the global breadth and depth of our practice. While each of the legacy firms was celebrated for its privacy and information management practices, the coming together of the lawyers from the two firms has created a practice group that is unparalleled in the world.  Hogan Lovells helps clients address privacy and data protection globally and in regard to specific national laws in countries around the world, through our 40 offices in the Americas, Europe, the Middle East and across Asia.

In the coming weeks, we will detail the privacy practices resident in various offices around the world.

Last week, selected partners from the global privacy and information management practice met in Geneva, Switzerland to discuss practice coordination and cooperation, and to focus on how we together can better serve our clients as a unified group.   (Regrettably, some of the partners scheduled to participate were grounded due to the Icelandic ash cloud including, notably, practice co-leader Marcy Wilder). Joining the discussion and pictured above are (from left to right)  Winston Maxwell (Paris), Quentin Archer (London), Steffan Schuppert (Munich), Gonzalo Gallego (Madrid), David Taylor (Paris), Marco Berliri (Rome), Wim Nauwelaerts (Brussels) and practice co-leader Christopher Wolf (Washington).

To provide an illustration of our global capabilities,  tomorrow (20 May 2010) the firm will host a webinar entitled “Hogan Lovells Trans-Atlantic Discussion on the Privacy Challenges Facing Multi-National Corporations”. This will be the first webinar by the Privacy and Information Management Group at Hogan Lovells, featuring privacy lawyers on both sides of the Atlantic from the former Hogan & Hartson and Lovells. Quentin Archer (London), Steffan Schuppert (Munich), Wim Nauwalaerts (Brussels), Lynda Marshall (Washington), Marcy Wilder (Washington) and Christopher Wolf (Washington) will explore contemporary privacy law challenges facing companies doing business in multiple jurisdictions around the world, such as:

• Cross-Border Transfers of Data Internationally
• Managing Employees in Multiple Jurisidctions
• Onine Marketing Issues Around the World
• Data Security and Data Breach Requirements
• The Obligations Concerning Health Data Around the World
• National Trends with International Ramifications

The panelists will explain how a coordinated international approach to privacy compliance is cost-

effective and is an optimal way to limit risk and protect privacy.

Readers of the Hogan Lovells Chronicle of Data Protection are cordially invited to attend our webinar.  Please register by clicking here.

• Email This
• Print
• Share Link

In an April 16, 2010 judgment, the High Court of Ireland decided that a settlement agreement entered into between Ireland's largest ISP Eircom and EMI, Sony Music, Universal Music, and Warner Music did not violate Ireland's data protection law.  The settlement agreement was signed after the record labels sued Eircom in connection with Eircom's failure to take action to discourage peer-to-peer copyright infringements on its network.  In the settlement, Eircom agreed to implement a graduated response mechanism with its customers, pursuant to which Eircom would send warnings to customers who had been detected as participating in unauthorized file sharing.  If the customers ignored Eircom's warnings, Eircom would cut off the subscriber's Internet access.  This sanction would be applied on a purely contractual basis, based on the subscriber's violation of Eircom's terms of use.  The subscribers' identity would never be shared with the record companies or with the police.  The detection of illegal file sharing would be conducted by a third party service provider, DetectNet, which would collect IP addresses and communicate them to Eircom.  

The Irish data protection authority believed that the settlement would violate Irish data protection laws.  The court was asked to answer three questions:

Whether the IP addresses collected by DetectNet are personal data before they are transferred to Eircom?

Whether Eircom's processing of personal data for implementation of the graduated response mechanism is legitimate?

Whether the personal data processed by Eircom are "sensitive" because they relate to a criminal offense.

For the first question, the court held that the IP addresses in the hands of DetectNet are not personal data because it is not "likely" that DetectNet would have the means or motivation to find out the names or addresses of the persons corresponding to the IP addresses.  The court said that the word "likely" as used in the Irish law means "probably."  

For the second question, the court found that the processing is justified because of the subscriber's consent to Eircom's terms of use, and also because the processing is necessary for the performance of a contract and for compliance with a legal obligation.  

For the third question, the court held that the graduated response mechanism deals solely with civil infringement, and not with alleged criminal infringement.  Alleged criminal infringement involves an intentional element that is absent from the mechanism implemented by Eircom.

On the IP address issue, I invite readers to look back at the Article 29 Working Party's opinion on the concept of personal data, particularly page 15.

Regarding "graduated response" in general I invite readers to review a previous update on the French Consitutional Court decision, and to Gerry Oberst's blog entry on Internet Freedom and Data Privacy.  

The Irish decision is creating controversy, particularly as European Member States are debating net neutrality and the proposed ACTA treaty.

• Email This
• Print
• Share Link

Who is in “control” of personal data and who merely processes personal data on behalf of a data “controller”? These are essential questions for purposes of compliance with EU data protection requirements, yet answering them can be quite problematic in practice. The EU Data Protection Directive defines the controller as the person or entity that determines, alone or jointly with others, the purposes and the means of the processing of personal data. The processor, on the other hand, is the person or entity that processes personal data on behalf of the controller. Applying these concepts to a practical case may have been straightforward in the early days of the Directive, but in today’s Web 3.0, RFID and cloud computing environments many are perceiving the controller and processor distinction as archaic and, most importantly, unworkable in practice. At the same time, under the current legal regime the distinction is crucial in order to determine who is responsible for compliance with EU data protection rules, what Member State laws apply, and which data protection authorities are competent to supervise data processing operations.  

Last November in Madrid, when the 31^st International Conference of Data Protection and Privacy Commissioners adopted the “International Standards on the Protection of Personal Data and Privacy”, there was a sparkle of hope that the controller and processors concepts would not survive the upcoming review of the EU data protection framework. The Standards use the more pragmatic concepts of “responsible person” (instead of “controller”) and “processing service provider” (as opposed to “processor”).

However, on 16 February 2010, the Article 29 Working Party (WP) adopted an opinion (Opinion 1/2010) on the concepts of “controller and “processor”, in which it takes the position that there is no reason to assume that the current distinction between controllers and processors would no longer be relevant and workable. The Article 29 WP acknowledges that applying these concepts to concrete situations can be complex, which is why it is providing specific guidance in its opinion to ensure a consistent and harmonized approach throughout the EU.                                                                   

The Article 29 WP’s opinion includes a comprehensive analysis of the controller and processor concepts as well as practical examples and rules of thumb on how to approach the concepts pragmatically. Without going into any level of detail, here are just a few of the Article 29 WP’s pearls of wisdom that can be found in the Opinion:

• In many cases the responsibility of data controller can be attributed on the basis of an assessment of the factual circumstances. Contractual terms can often clarify the issue, although they are not decisive under all circumstances. Even if a contract is silent on who is the controller, it can still contain sufficient elements to assign the responsibility of controller to the party that apparently exercises a dominant role in that regard.

• The data controller must determine the purposes and the means, i.e., the “why” and the “how” of certain processing activities. The crucial question, however, is to which level of detail somebody should determine purposes and means in order to be considered as a data controller. According to the Article 29 WP, whoever decides on the “purposes” of a data processing operation should be the controller. The data controller can delegate the determination of the “means” of the data processing, as far as technical or organizational measures are concerned. Substantial decisions that may affect the lawfulness of the data processing (e.g., how long will the data be stored) are reserved to the data controller.

• In some cases, there may be several persons or entities that determine the purposes and means of a particular data processing operation and that therefore qualify as “joint controllers”. Although contractual arrangements can be useful in assessing joint control, they should always be checked against the factual circumstances of the parties’ relationship. Parties acting jointly also have a certain degree of flexibility in sharing and allocating data protection obligations and responsibilities, as long as they are compliant.

• A data processor is a separate legal person or entity with respect to the data controller and processes personal data on the data controller’s behalf. The data processor is called on to implement the data controllers’ instructions at least with regard to the purposes and the essential means of the processing. The lawfulness of the processors’ data processing therefore depends on the specific mandate given by the controller. A data processor exceeding that mandate could be viewed as assuming the responsibilities of a (joint) controller.

The Article 29 WP’s opinion provides useful explanations and guidance in general, and its analytical approach is helpful. It is perhaps regrettable that the many examples in the opinion do not always include in-depth discussions of the specific issues raised (for instance, data processing by recruitment agencies or in the context of clinical trials).              

• Email This
• Print
• Share Link

On 22 February, the European Data Protection Supervisor (EDPS) released an unsolicited opinion on EU negotiations of an Anti-Counterfeiting Trade Agreement (ACTA). The EDPS expresses some strong opinions on the use of the “three strikes law” and other measures to control copyright violations by Internet users that might be in the ACTA. The EDPS is not subtle – he declares that “[s]uch practices are highly invasive in the individuals’ private sphere. They entail the generalised monitoring of Internet users’ activities, including perfectly lawful ones.” The opinion describes how a “three strikes” or similar approach might be set up, as well as the applicable EU data protection and privacy legal framework (in paragraphs 23 to 26). It then issues harsh conclusions (paragraphs 81 to what should be 88 but is mis-numbered as 80). The EDPS “strongly encourages” the Commission to set up a public and transparent dialogue on ACTA (which so far has been secret). He insists that the Commission strike a correct balance between “demands for the protection of intellectual property rights and the right to privacy and data protection,” which should be taken into account at the beginning of the negotiations. In his view:

85. …three strikes Internet disconnection policies are not necessary to achieve the purpose of enforcing intellectual property rights. The EDPS is convinced that alternative, less intrusive solutions exist or, at least, that the envisaged policies can be performed in a less intrusive manner or at a more limited scope, notably through the form of targeted ad hoc monitoring.

In the last paragraph of the conclusion the EDPS insists on being consulted on the measures to be implemented. EDPS opinions have no legal binding status but can be influential indicators of how data privacy laws might be interpreted.

• Email This
• Print
• Share Link

This blog entry is provided by Hogan & Hartson litigators Trevor Jefferies in our Houston Office and Alvin F. Lindsay in our Miami Office:

A new decision released on 8 January 2010 from the French high labor court (the Cour de Cassation Chambre Sociale) may provide some grounds for arguing that a party in France can review a French employee’s e-mails and electronically stored information to determine whether the data is relevant to a U.S. litigation, without the employee’s knowledge or presence.  This is a significant development in the perennial tension between EU privacy law and U.S. discovery principles.

European Union policies protecting personal privacy almost always conflict with United States policies that grant litigants full and complete discovery of documents and electronically stored information in U.S. court actions.  The conflict is particularly acute in France, where a French corporation participating in U.S. litigation may easily run afoul of the French Blocking Statute (Law No. 68-678, as amended), data processing laws (e.g. Law No. 78-17, as amended), and the EU Directive 95/46 on Personal Data (“Directive”), among others.

Indeed, after years of goading by U.S. courts, French authorities even prosecuted someone, a French lawyer, under the blocking statute.  His crime was attempting to comply with a U.S. court order compelling production of documents.  See In re Christopher X, Cour de Cassation, Chambre Criminelle, Paris, December 12, 2007, No. 07-83228 (French Supreme Court upholding conviction and €10,000 fine against French lawyer attempting to facilitate collection of evidence for use as ordered in a U.S. judicial proceeding).  Examples of U/S. goading include In re Vivendi Universal S.A. Secs. Litig., No. 02 Civ. 5571, 2006 WL 3378115 at *3 (S.D.N.Y. 2006) (French blocking statute did not subject parties to a “realistic risk of prosecution”) and Minpeco S.A. v. Conticommodity Servs., Inc., 116 F.R.D. 517 at 528 (S.D.N.Y. 1987) (“this is not a situation in which the party resisting discovery has relied on a sham law such as a blocking statute to refuse disclosure"). 

With French and EU law acting to prevent a litigant engaged in the U.S. litigation discovery process even from collecting a relevant employees' e-mails for litigation purposes, let alone viewing the e-mails to see if they contain relevant information, French parties seem at a distinct disadvantage in a U.S. forum.  Failing to produce relevant documents is a direct path to an uncomfortable hearing before the U.S. judge and possibly severe sanctions such as a default judgment being entered against those parties for not complying with discovery orders.

Thus, Bruno B. vs. Giraud et Migot, Cour de Cassation, Chambre Sociale, Paris, 15 Dec. 2009, No. 07-44264 is a significant development.  In that case, an accounting firm fired Bruno after the firm discovered files on his work computer addressed to government regulators wherein Bruno disparaged the firm for alleged tax and related fraud as well as working conditions.

The documents held subject lines as “Essay 1”, “Essay 2”, and so on, which the firm discovered without Bruno’s permission or presence. Bruno sued the firm seeking damages for unjustified dismissal, arguing that the firm violated his rights under EU privacy (human rights) conventions, as well as several provisions of the French labor code, claiming the documents were his personal data.  On appeal, the Cour de Cassation Chambre Sociale held for the accounting firm, finding that because Bruno failed to mark the documents as “private,” the firm justifiably assumed that the documents were work-related and could open them.

The Bruno B. case clearly refines the general rule set forth in an earlier case from the same court, Nikon France vs. Onof, Cass. Soc., No. 4164 (Oct. 2, 2001), where the French high labor court established that employees have a right to privacy in the workplace and held that an employer cannot search an employee’s files stored on a work computer without breaching the employee’s right to privacy.  The Nikon case’s broad ruling has been the subject of private criticism, especially from business interests in France, but now, after Bruno B., there is arguably no right to privacy to an employee’s computer-stored data unless the employee takes affirmative steps to designate the information as personal.  Simply labeling the documents as “personal” or “private” may have been enough to compel the Bruno B. court to rule in the employee’s favor, but the holding is still a far cry from the absolute presumption that any data with an employee’s name is private.

• Email This
• Print
• Share Link

International transfers of personal data are heavily restricted under EU data protection rules. As a general rule, transfers from an EU/EEA Member State to recipients in countries outside the EU/EEA are only permitted if the laws of the recipient country ensure an adequate level of data protection. There are only limited exceptions to this rule. For instance, organizations may transfer personal data to countries outside the EU/EEA that do not ensure an adequate level of data protection if they have entered into a data transfer agreement using one of the sets of EU approved standard contractual clauses. Up to now, the European Commission has approved three sets of contractual clauses: two of these sets apply to transfers from data controllers to other data controllers, while the third set has been drafted for transfers from data controllers to recipients who act as data processors only. In EU privacy parlance, if organizations hold or process personal data without taking responsibility for or control over the data (e.g., payroll service providers), they are viewed as “processors”.     

On February 5^th, the European Commission decided to modify the standard contractual clauses for ”controller to processor” transfers of personal data, repealing the original decision (Decision 2002/87/EU) that introduced these clauses back in 2002. The European Commission considered it necessary to adjust the existing standard contractual clauses to meet the growing challenges of global outsourcing.  As more and more organizations are not only transferring personal data to a “processor” but also to one or more “sub-processors” (and sometimes “sub-sub-processors”) outside the EU/EEA, the original standard contractual clauses were no longer suitable to deal with these complex onward transfers.   

So what’s new about the updated set of standard contractual clauses?  The most important novelty is the inclusion of a specific subcontracting clause, which imposes a number of requirements on parties wishing to use sub-processors. Sub-processing will, for example, require the prior written consent of the data controller, while the data processor must put in place a written agreement with each sub-processor that mirrors the terms of the “controller to processor” agreement. In some cases it may be possible to meet this requirement by having the sub-processor co-sign the data transfer agreement between the controller and processor including the standard contractual clauses.      

• Email This
• Print
• Share Link

The UK government has announced plans to launch a new website www.data.gov.uk , which will allow public access to official data, and has called on web-founder Sir Tim Berners-Lee, to assist.  The website aims to improve transparency and will be similar to the US site 'data.gov', which already includes information from the US defense department and NASA.

The plan, initiated by PM Gordon Brown last year, is to develop a website for the public to find information and to make reports to public service providers, including traffic and crime statistics.  In addition, various applications will be available to enable users to discover details of planning applications (in PlanningAlerts), or report potholes (in FillThatHole).

So far, the site has been in test mode, for developers to try out its features and provide feedback, but once 'live', it is hoped that public users will benefits from having the information and services in one place and see it as an alternative to requesting disclosure under the Freedom of Information Act, as BBC News reports - http://news.bbc.co.uk/1/hi/technology/8470797.stm

• Email This
• Print
• Share Link

The fifth edition of Hogan & Hartson’s Media & Communications Briefing, whose editor-in-chief is Hogan Partner Winston Maxwell , has arrived!  (Winston also is a member of the privacy and data security practice group.) This quarterly briefing updates our clients on legal and regulatory developments from around in the world in the Telecommunications, Media and Entertainment and High Technology sectors.  This edition features stories (bolded below) of particular privacy interest. 

The briefing includes articles on the following topics:

• New Commission, New Framework
• The Digital Dividend Auction in Germany
• Bloggers Beware: The FTC is Watching
• EU Reform Brings New Cookie Rules
• U.S. Universal Service Reform: Is 2010 the Year?
• Online Music Retailing: Towards Borderless Business
• French Government Releases Decree on Motion Picture Tax Credit
• Smart Grids
• Interview: French Copyright Law
• Digital Switchover
• Middle East International Film Festival and the Circle Conference

For a copy of the briefing, click here

• Email This
• Print
• Share Link

The Article 29 working party of European data protection authorities (the “WP29”) published in early January a roadmap charting the future of privacy legislation in the EU.  Entitled “The Future of Privacy – Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data,” the WP29 roadmap contains insight in to areas of likely reform of European privacy law in the coming years.  After an introduction describing the history and constitutional underpinnings of privacy legislation in the EU, the Future of Privacy roadmap outlines nine areas of needed reform:

1. Extend EU privacy legislation to law enforcement, former “third pillar” areas, which were heretofore excluded from the EU Data Protection Directive.

2. Consider modifying the criteria for determining when EU privacy law applies to controllers located outside the EU, particularly where non-EU established controllers target their activities at EU residents, through advertising and local language sites.  WP29 says it is currently preparing a detailed opinion on the applicability of EU law.

3. Support global standards, in furtherance of the so-called Madrid Resolution adopted on November 6, 2009, and increase international cooperation between data protection authorities.

4. Include “Privacy by Design” as an obligation applicable to all actors in the ICT (information and communications technology) sector.  Privacy by design should focus on principles such as data minimization, controllability, transparency, user friendly systems, data confidentiality, data quality and use limitations.

5. Empower citizens by increasing their ability to enforce privacy rules, including via class actions and alternative dispute resolution (ADR) mechanisms. Increase transparency obligations for the benefit of users and clarify the concept of user “consent.”

6. Increase accountability obligations for data controllers by imposing across-the-board data breach notification obligations (currently data breach obligations apply only in the electronic communications sector), and by encouraging self-audits, privacy impact assessments, and external certification procedures.  

7. In exchange for increased self-enforcement and accountability measures, WP29 suggests lifting many administrative filing obligations with data protection authorities, reserving filing only for cases where there is a serious risk to privacy.  Even in those cases, filing could be streamlined where organizations have conducted privacy audits or privacy impact assessments.

8. Impose minimum requirements to ensure that national data protection authorities are sufficiently independent and effective, including that they have sufficient funding.

9. Require the implementation of privacy impact assessments and related accountability measures for law enforcement organizations.

Adopted on December 1, 2009, but made available on the WP29 website only recently, the  WP 29 Future of Privacy roadmap is a contribution to the European Commission’s consultation on reform of EU privacy legislation, consultation which closed on December 31, 2009. Other contributions can be viewed here.

• Email This
• Print
• Share Link

By Jun Wei

On January 3, 2010, the Guangdong Provincial Higher People's Court announced the first enforcement action following the extension of Chinese criminal law to include the protection of personal information.  In that action, the Zhuhai Xiangzhou District Court sentenced an individual to one and a half years in prison and imposed a fine on him in the amount of  RMB 2,000 (approximately US $295) for the crime of illegally obtaining the personal information of citizens.  This is the first known case in China regarding the infringement of personal information security. 

The law upon which the action was based, the 7th Amendment to the PRC Criminal Law, was promulgated on February 28, 2009 by the Standing Committee of the National People’s Congress.  It includes provisions imposing criminal penalties for the infringement of personal information security, specifically targeting two types of infringement:  (i) the sale or illegal disclosure of information obtained by personnel in government agencies or financial, telecommunications, transportation, educational or medical institutions in the process of performing their duties; and (ii) the theft or illegal access of personal information by other individuals. 

In both types of conduct there are severe consequences for infringement, including imprisonment for less than three years, detention for less than six months, and/or the imposition of a fine (as a single penalty or concurrently with other penalties).   In the event that an entity is convicted of infringement, a monetary penalty shall be imposed on that entity, and the officer directly responsible and any other persons who may be directly responsible for such illegal acts shall be subject to the same criminal penalties that are applicable to natural persons.

According to news reports, in December 2008 the defendant in this case, Zhou Jianping, a resident of Zhuhai, Guangdong Province, illegally obtained the phone numbers and call history records of 14 government officials and sold these phone numbers and call histories for RMB 16,000 (approximately US $2,353).  The purchaser, in conspiracy with six other people, then used this information to impersonate the government officials and extract RMB 830,000 ( approximately US $122,060) from a variety of relatives.

The defendant did not appeal and the judgment took effect December 14, 2009.

• Email This
• Print
• Share Link

Hogan Privacy and Data Security Co-Chair Chris Wolf recently gave an interview on recent developments under the EU-US Safe Harbor to Nymity that was published in its free online newsletter.  In the interview, Chris discusses the recent FTC enforcement efforts under the Safe Harbor as well as alternative methods available to parties seeking to transfer data from the EU to the US other than through the Safe Harbor framework  The interview can be accessed here.

• Email This
• Print
• Share Link

In a letter to the European Commission dated 4 December 2009, the European data protection authorities gathered in the Article 29 Working Party claim that the US and Australia are violating their respective Passenger Name Record (PNR) agreements with the EU. The letter - a copy of which was recently published on the website of the Dutch data protection authority - urges the European Commission to take immediate action to halt the breach and to resolve the matter with its US and Australian counterparts.   

The EU/US PNR Agreement

The EU/US PNR Agreement, which has been in force since 26 July 2007, is already the third agreement between the EU and US establishing a legal framework for transferring EU-sourced PNR data to the US Department of Homeland Security (DHS). On the basis of assurances from DHS that the data will be safeguarded, the EU has agreed to the release by air carriers transporting passengers between the EU and the US of certain PNR data contained in their reservation systems. The 2007 Agreement changed the mode of data transmission from a “pull” system into a “push” system, at least for those air carriers complying with DHS’ technical requirements. However, the Article 29 Working Party has now found that the US authorities continue to “pull” PNR data through terminals based at their offices, even in cases where airlines are compliant with DHS’ technical requirements. According to the Article 29 Working Party, DHS currently has access to all PNR data for all flights by a particular airline, even if the flights have no connection with the US. The Article 29 Working Party further claims that the continued practice of pulling data is a clear breach of the Agreement, constituting ”a sound reason to terminate the Agreement”. Under the Agreement, the EU has an exclusive remedy if it finds that the US has committed a breach: the EU can terminate the Agreement and revoke its determination that DHS is ensuring an adequate level of data protection. If the EU applies this remedy, the practical ramifications for air carriers will be significant in terms of EU data protection law compliance.                       

The EU/Australia PNR Agreement         

The EU/Australia PNR Agreement was entered into on 30 June 2008 to provide a legal basis for the processing and transfer of EU-sourced passenger name record data by air carriers to the Australian Customs Service. The Agreement applies to airlines that have reservations systems and/or PNR data processed in the EU and operate flights between the EU and Australia. The Agreement allows for 19 different types of information - including travel itineraries and payment details but excluding sensitive personal data such as race or religion - to be shared with Australian Customs for the purpose of preventing and combating terrorism and other serious crimes.

According to the Article 29 Working Party, the Australian authorities are receiving all passenger PNR data from airlines rather than just the data specified in the Agreement. The Article 29 Working Party claims that Australia is violating the terms of the Agreement by demanding more information (than listed in the Agreement), which suggests that some EU-sourced PNR data are currently being processed by Australian Customs without adequate protection. The Agreement foresees the possibility to initiate a joint review of each party’s implementation of the Agreement, which appears to be the Article 29 Working Party’s preferred course of action to remedy this situation.

To be continued…   

• Email This
• Print
• Share Link

By Sarah Jacquier and Winston Maxwell

On December 8, 2009, the French Supreme Court found illegal a Code of Business Conduct put in place by the Dassault Group for compliance with Sarbanes-Oxley requirements.

Dassault’s Code of Business Conduct had two aspects: It (i) required employees to obtain an approval from their employer prior to using any information (not just confidential information but all information used for “internal purposes”) that employees could have knowledge of in the course of their employment and (ii) put in place a whistle-blowing policy whereby employees could - but had no obligation to - report any breach of the Code of Business Conduct, in accounting, financing, and anti-corruption matters. However, the policy also contemplated the possibility for employees to report any breach of the Code of Business Conduct in other matters (e.g. intellectual property rights, confidentiality, discrimination, harassment) to the extent the breach threatened Dassault Group’s vital interests or an individual’s physical or psychological integrity.

The Court ruled that requiring employees to obtain the prior approval of their employer before using any and all internal information infringed employees’ freedom of speech, which may be limited only in a proportionate manner. The prohibition was too broad, and therefore the proportionality test was not satisfied.

As far as the whistle-blowing policy is concerned, the Court ruled that the policy could not cover matters other than accounting, financing, and anti-corruption. In France, whistle blowing policies need to be approved by the French data privacy authority (“the CNIL”) because their enforcement may lead to sanctions of employees. In 2005, the CNIL published a blanket authorization which generally authorizes whistle blowing policies in France for Sarbanes-Oxley requirements compliance purposes, but this authorization is limited to pure accounting, financing and anti-corruption matters. If the whistle-blowing policy exceeds the scope of the blanket authorization, it needs to be authorized on an individual basis. Otherwise, the whole policy will be deemed invalid, as confirmed by the Supreme Court’s decision.

Most international groups are reviewing the French versions of their Codes of Conduct to ensure that they comply with this new ruling.

• Email This
• Print
• Share Link

ePrivacy:  On 9 November, the European Data Privacy Supervisor (EDPS) issued press release 09/13 on the ePrivacy Directive, which will be amended soon as part of the E-Communications Regulatory Framework.  The EDPS is an independent body responsible for data privacy within EU institutions.  As would be expected, it takes an expanded view of data privacy, because that is its sole focus and responsibility.  The EDPS titled its press release as “improvements on security breach, cookies and enforcement, and more to come.”  It expanded on this theme with the following: 

• For the first time in the EU, a framework for mandatory notification of personal data breaches.  Any communications provider or Internet service provider (ISP) involved in individuals’ personal data being compromised must inform them if the breach is likely to adversely affect them.  Examples of such circumstances would include those where the loss could result in identity theft, fraud, humiliation or damage to reputation.  The notification will include recommended measures to avoid or reduce the risks.  The data breach notification framework builds on the enhanced provisions on security measures to be implemented by operators, and should stem the increasing flood of data breaches;
• Reinforced protection against interception of users’ communications through the use of - for example - spyware and cookies stored on a user’s computer or other device.  Under the new Directive users should be offered better information and easier ways to control whether they want cookies stored in their terminal equipment;
• The possibility for any person negatively affected by spam, including ISPs, to bring effective legal proceedings against spammers; and
• Substantially strengthened enforcement powers for national data protection authorities.  They will for example be able to order breaches of the law to stop immediately and will have improved means of cross-border cooperation.

These provisions could impose substantial new requirements for industry.  The data breach requirement in particular could lead to heightened security for all companies – after a 26 October seminar on data breach protection, the EDPS stated: 

data controllers, together with other stakeholders, [must] adopt proper risk management in order to appropriately mitigate the risk of such breaches.  It was stressed that this will not only require technological solutions but also organisational measures, including increasing the responsibility of the highest management levels of entities concerned.  They should also promote the development of adequate safeguards and facilitate a more transparent distribution of responsibilities.

 In light of this emphasis on the new provisions, it will be necessary in the near term to consider company procedures on data protection and breach notification, to the extent that a company or its affiliates provide public electronic communications services.

• Email This
• Print
• Share Link

In a move that likely will result in a significant increase in civil penalties that can be assessed in the UK for data security breaches, this month the UK Ministry of Justice began consultation on the introduction of a maximum civil monetary penalty for serious breaches of the Data Protection Act 1998 (DPA), entitled ‘Civil Monetary Penalties: Setting the maximum penalty’.

The prospect of a maximum financial penalty was introduced into the DPA in 2008 by the Criminal Justice and Immigration Act 2008, but has yet to be implemented. After the consultation closes on 21 December 2009 it is likely to become law in April 2010.

• Email This
• Print
• Share Link

On November 6, 2009, French Senators Détraigne and Escoffier introduced a bill that would impose new data breach obligations, as well as strengthen the sanctioning power of the French data protection authority, the CNIL.  Senators Détraigne and Escoffier delivered last May a report on privacy in the digital age on behalf of the Senate's committee on legislation, and the new bill is a follow-up on the measures recommended in the May report.  

The proposed new bill would:

• State that "any address or number identifying terminal equipment connected to a communications network" is personal data.  This provision is intended to end the debate in France on whether IP addresses are personal data.  Unfortunately, the effect of the proposed provision could be that in the future IP addresses of any device or object connected to the Internet, even a box of cereal, will be viewed as personal data;
• Require that government agencies and certain companies appoint a data protection officer;
• Increase notification obligations of data controllers before they process personal data;
• Impose an opt-in regime for cookies unless they are strictly needed for communication purposes or to permit access to an online service;
• Impose a broad security obligation on data controllers and an obligation to inform the CNIL of any data breaches.  The proposed language contains no minimum threshold after which a breach would be deemed significant enough to warrant a notification;
• Facilitate data subjects' ability to request deletion of personal data; and
• Increase the CNIL's sanctioning powers, and allow victims of privacy violations to bring suit before their own local court  instead of being obligated to sue in the court where the data controller is located.

The provisions facilitating data subjects' ability to access and delete personal data are part of a broader French government campaign to create a citizen's "right to be forgotten" on digital networks.  French Digital Minister Nathalie Kosciusko-Morizet organized a roundtable on the "right to be forgotten" on November 12, 2009, and indicated that the French government would raise the issue in Sharm El-Sheikh and the Internet Governance Forum.

Debates on the text will begin in March 2010.  It is not clear whether the proposed bill will be supported by the French government, which may prefer to defer legislation on some of the issues until final adoption of the revised ePrivacy Directive.  Given the recent statements of Digital Minister Nathalie Koscuisko-Morizet on the "right to be forgotten" on the Internet, it is likely that the provisions facilitating a citizen's right to access and delete personal information on the Internet will receive the immediate support of the French government, and this could result in legislation fairly soon.

• Email This
• Print
• Share Link

The Wall Street Journal has reported that “the Council of the European Union has approved new legislation that would require Web users to consent to Internet cookies.”   But it is not quite as clear-cut as that quote suggests.  The consent requirement relates cookies that collect personal data  -- an important qualification -- and some cookies appear to fall outside of the consent requirement. 

Last week the Council of the European Union and the European Parliament reached an agreement on the EU telecom reform, as a result of which the ePrivacy Directive is expected to be amended shortly. Following adoption of the revised ePrivacy Directive, the EU Member States have 18 months to transpose the Directive’s provisions into their national legislation. One of the proposed amendments that has recently triggered the attention of several commentators on both sides of the Atlantic is the so-called “cookie law”.

The new ePrivacy Directive will include a provision requiring the EU Member States to ensure that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing”.

There is no doubt that this provision intends to cover the use of cookies, even if the provision does not specifically refer to cookies. Moreover, the Article 29 Working Party has earlier expressed the view that the “neutral” wording chosen is not limited to cookies but implies any other new technology that could be used to track users’ behavior using their browser.               

The specific reference to the EU Data Protection Directive (95/46/EC) is important because it limits the consent requirement to personal data, as opposed to other types of information. In the opinion of the Article 29 Working Party as well as many data protection authorities throughout the EU, persistent cookies containing a unique user ID are personal data and therefore subject to applicable data protection rules. Arguably some cookies (or similar technologies) may not meet these criteria and therefore fall outside the scope of the law.

As far as the consent requirement is concerned, the law is not entirely clear on how and when to obtain consent. The new provision does not explicitly refer to “prior” consent, but the use of the past tense (“has given”) suggests that the European legislator wanted to make sure that users are offered with an opportunity to refuse cookies and the like before these are delivered to users’ computers.

So how will consent have to be obtained in this specific context? Although the jury is still out on this question, the recitals of the legislative proposal include the following, perhaps interesting suggestion: “where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application”.

Earlier this year, the Article 29 Working Party strongly objected to the idea of using default browser settings as a means to provide consent. Concerned about the possible erosion of the definition of consent and a subsequent lack of transparency, the Article 29 Working Party opined that: “most browsers use default settings that do not allow the users to be informed about any tentative storage or access to their terminal equipment. Therefore, default browser settings should be “privacy friendly” but cannot be a means to collect free, specific and informed consent of the users, as required in Article 2 (h) of the Data Protection Directive. With regard to cookies, the Working Party is of the opinion that the controller of the cookies should inform its users in its privacy statement and may not rely on (default) browser settings”. In light of the recitals approved by the Council and the Parliament, it would perhaps be useful if the EU data protection authorities could reach a consensus (and subsequently provide guidance) on this issue.                   

• Email This
• Print
• Share Link

Under the Data Protection Act 1998 (“DPA”), it is an offense to knowingly or recklessly obtain or disclose personal data, or the information contained in personal data, without the consent of the data controller.  Section 55 of the DPA details the offenses and any exclusions, or defenses, which may apply.  It also sets out the procedure for monetary penalties to be imposed.  Under the current law, the maximum penalty for those found guilty of offenses such as selling personal data is a £5,000 fine in the Magistrates Court and an unlimited fine in the Crown Court.  However, cases leading to substantial fines are rare.

The Ministry of Justice (which oversees the Information Commissioner’s Office) has recently announced a consultation exercise to decide whether to introduce tougher penalties for breaches of section 55, DPA, which could lead to the introduction of custodial sentences for those convicted.  Although provision was made to introduce prison sentences through the Criminal Justice and Immigration Act 2008, this has yet to be implemented and is subject to the consultation exercise, which is expected to close on 7 January 2010.

If adopted as law, the maximum penalty for the knowing or reckless misuse of personal data would be a prison sentence of up to 12 months (if heard in the Magistrates Court) or up to 2 years (if heard in the Crown Court).  This is an important development for the ICO, which has fairly limited powers of enforcement, and is arguably a necessary response to the increasingly serious breaches of the DPA involving the misuse of personal data.
 

• Email This
• Print
• Share Link

On October 15, 2009, the French Data Protection Authority, the CNIL, issued a white paper regarding the privacy risks of nanotechnologies.  In its white paper, the CNIL attempts to identify the privacy risks associated with RFID tags which are so small they can be injected into the human body.   The CNIL mentions RFID tags used to trace Alzheimer patients, which the CNIL considers would satisfy the proportionality test set forth in French law.  Other tags, such as an RFID tag injected under the skin which permits nightclub users to pay for their drinks, are more problematic. 

The risks outlined in the CNIL document are not unlike those already identified in connection with RFID devices and the “Internet of things.”  Of particular concern are the small size and potential ubiquity of tracing devices, both of which make it difficult for citizens to control the personal data that is collected about them.  The CNIL recommends application of Privacy by Design methodology to nanotechnologies so that privacy is incorporated into nanotechnology applications from the time of their initial design.  The same recommendation applies to security associated with these devices.  In fact, the CNIL emphasizes the security risks of potential viruses or malware which could be introduced into nanotechnologies so as to permit them to be used for improper purposes.  To prevent such, the CNIL recommends integrating security by design in nanotechnologies in a multi-disciplinary and cooperative approach. 

The CNIL mentions several key principles that should guide any nanotechnology application, such as the right for citizens to “turn off” the device thereby guaranteeing the right to “be forgotten” and to remain anonymous. 

In its white paper the CNIL also recommends clear labeling of nanotechnology applications, comparing nanotechnologies to genetically modified foods for which France has required special labeling which informs consumers about the product being purchased before actual purchase.  The CNIL further suggests that French law should be broadened to ensure that the CNIL has responsibility to implement these general principles, although it does not suggest specific language or legislation.

In conclusion, the CNIL’s consultation document regarding nanotechnologies is not fundamentally different from the European Commission’s recommendations on RFIDs, except that the CNIL puts more emphasis on bio-ethic issues, undoubtedly due to the fact that many of the nanotechnology applications will somehow be linked to the human body, which obviously raises significant privacy issues.

The CNIL's paper was issued as part of a national debate on nanotechnologies, organized by the French government in the Spring of 2009.

• Email This
• Print
• Share Link

Lawyers from Hogan & Hartson offices in London, Paris, Brussels, Berlin and Washington recently presented a webinar in partnership with the Association of Corporate Counsel for Europe, entitled

Navigating the Privacy Challenges: Crossing the Line in Cross-Border Data Transfers

The program, now available in "on demand" format, provides an overview of the law governing international data transfers, as well as two case studies illustrating the practical issues involved in such data transfers.  The webinar concludes with a summary of "hot privacy topics" in  the US and Questions and Answers.  Complimentary attendance and access to the webinar, including the Powerpoint deck, is available by clicking here

• Email This
• Print
• Share Link

In its first wave of Safe Harbor enforcement actions, the Federal Trade Commission announced settlements on October 6th with 6 companies over misrepresentations that they are current with their Safe Harbor certifications.  In each case, the company had self-certified its compliance with the Safe Harbor Program through the Department of Commerce, but did not keep its annual certification current, while still representing that it was a valid member of the Safe Harbor Program.

The FTC brought the enforcement actions under its Section 5 authority, alleging that the companies’ misrepresentations are deceptive.  The scope of the FTC’s actions is limited to the companies’ lapsed certification and did not address whether the companies were compliant with the substantive requirements of the Safe Harbor Program.

The proposed settlement agreements, open for public comment until November 5^th, prohibits each company from making representations about its membership in any privacy, security, or any other compliance program sponsored by the government or any other third party.  In addition the proposed terms require each company to comply with reporting and compliance obligations, including the retention of documents relating to its compliance with the order for 5 years and initial compliance reports to the FTC. 

The key take-away from these actions is that the FTC is going to be more pro-active in its scrutiny of members of the Safe Harbor Program.  We anticipate more enforcement actions under Section 5 based on misrepresentations about compliance with Safe Harbor obligations, and likely further actions against companies with lapsed certifications.

The FTC complaints, proposed settlements and related documents are available at http://ftc.gov/opa/2009/10/safeharbor.shtm.

• Email This
• Print
• Share Link

On October 12, 2009 the CNIL issued ten recommendations for companies to help protect their data.  The recommendations are fairly basic, ranging from implementing a rigorous password policy to ensuring that only authorized personnel have access to the company’s computer room.  The recommendations have an important pedagogical role, however, and illustrate that the CNIL is broadening its scope of focus from its traditional role of defining under what conditions personal data can be processed in France to dealing with the results of that processing,  in particular focusing on the prevention of data breaches. 

For those familiar with the security recommendations issued by ENISA, the European Network and Information Security Agency, the CNIL’s recommendations may seem quite rudimentary in comparison.   ENISA has issued a number of detailed recommendations on data security, and it is unfortunate that the CNIL did not refer to the excellent ENISA work in this area.   See, for example, ENISA's 2009 papers "10 Security Awareness Good Practices" and "Information Security Awareness in Financial Organizations - Guidelines and Case Studies."   However, the CNIL's recommendations may only be a first step, and it will be interesting to see whether the CNIL's guidance evolves as concern about data breaches continues to grow. 

• Email This
• Print
• Share Link

It sounds like an ‘April fool,’ but the story this week that people can sign up to a new internet game where they spot crimes on CCTV cameras posted in Britain and earn points for doing so might actually be true.  Both the Daily Mail and the Guardian’s online news pages featured stories about this bizarre game, which may be launched in November 2009 following a trial in Stratford-upon-Avon.

Customers have the opportunity to sign up to the service and have their CCTV monitored by the public in return for a fee.  Footage from the camera would be streamed on to a website to be used in the game.  Shopkeepers are an obvious target market for the service, but the police, local authorities and home owners may also be encouraged to sign up.

According to press releases, the service provider ‘Internet Eyes,’ offers users (players of the game) the chance to “earn reward money, have a chance at reducing crime, potentially become a hero and save lives.”  Users would compete to earn up to £1,000 per month, collecting points for viewing live CCTV footage and pressing a button whenever they see any suspicious activity.  If and when a crime is suspected, these alerts will be sent, by SMS, to the customer, in real-time, allowing them to take immediate action, or no action, as they wish.  Apparently it is possible to lose points for a false alarm and a ‘3 strikes and you’re out’ rule will apply.

The website also promises to feature a so-called ‘rogue’s gallery’ of ‘criminals,’ with details of their offenses and details of the user responsible for spotting them.

Internet Eyes says its service aims to reduce crime, but civil liberties campaigners and the assistant information commissioner have their doubts about the legality of the idea itself.  Disclosing images of identifiable individuals on the internet for entertainment raises serious issues under the Data Protection Act and the Human Rights Act.  The Guardian reports that the ICO will be ‘talking to’ Internet Eyes shortly.  Watch this space!

• Email This
• Print
• Share Link

The United Kingdom Information Commissioner's Office ("ICO") has announced that with effect from 1 October 2009, a new notification fee of £500 will be payable by some larger organizations.  This is the first change to the fee structure since the Data Protection Act 1998 became law in 2000.

Notification is the process by which data controllers register with the ICO.  It is a mandatory requirement for organizations which process personal information in the UK.  

The new £500 per annum fee will apply to a higher tier of:

• data controllers in the private sector with a turnover of £25.9 million and 250 or more members of staff; and

• data controllers in the public sector with 250 or more members of staff.

The standard notification fee is otherwise £35 per year and this will remain so for organizations in the lower tier category.  The ICO has also confirmed that registered charities will not pay the higher fee, regardless of their size.

The increase in fees for larger organizations will, according to the ICO, help increase activity in terms of audits and investigations.   An interesting comment, which should be noted by data controllers.
 

• Email This
• Print
• Share Link

Uruguay may be on its way to become the second Latin-American country recognized by the European Commission as offering an adequate level of data protection. Last month, the Uruguayan government adopted a set of regulations implementing the country’s 2008 Personal Data Protection Act (Law 18331). The implementation of this new law, as well as the creation of a national data protection authority last May, are expected to have a positive impact on the European Commission’s assessment as to whether or not Uruguay’s data protection rules meet EU adequacy standards.

The EU Data Protection Directive (95/46/EC) provides that the transfer of personal data from EU member States to non-Member States may in principle only take place if the laws in the recipient country ensure an adequate level of data protection.  The European Commission can decide that a non-EU country has adequate protection if the country’s legal framework covers all the basic data protection principles (set out in the Directive) and if there is an enforcement system in place ensuring the effectiveness of that framework. To date the European Commission has issued adequacy decisions in favor of Argentina, Canada, Guernsey, Isle of Man, Jersey, Switzerland, the U.S. Department of Commerce’s Safe Harbor Principles, and the transfer of air travelers' data to the U.S. Department of Homeland Security.

Uruguay filed a request for EU adequacy recognition in October 2008, and the preliminary reactions so far appear to be favorable. However, the recognition process is unlikely to be completed before the end of the year. An adequacy decision from the European Commission will allow personal data to flow freely from the EU to Uruguay, without the need for additional data privacy safeguards. EU recognition will help Uruguay boost its outsourcing industry and attract more EU-based companies looking for providers of administrative, financial and other data processing services in Latin America.

• Email This
• Print
• Share Link

This past June France enacted an Internet anti-piracy law commonly known as the "HADOPI" or "three strikes" law, because after a certain number of warnings an online infringer's Internet access would be cut off.   On June 10th, the French Constitutional Court found a portion of the law unconstitutional.  Specifically, the court held that because terminating an individual's Internet access affects that individual's right to free expression, a fundamental right, a decision to terminate access must be made by a court after a careful balancing of interests.  Because the HADOPI law gave Internet access termination power to an agency, the court held that grant of authority unconsitutional.  Further background on this decision can be found in our update on the HADOPI law and the French Consitutional Court's decision .

On September 22, 2009, the French parliament passed a bill intended to remedy the enforcement gap left by the court's decision.  This bill, known as HADOPI 2,  empowers French courts, instead of the HADOPI administrative agency, with the authority to cut off the Internet access of copyright infringers or of individuals who are manifestly negligent in their duty to protect their broadband access line against illegal downloading.

The cornerstone of the new law is an affirmative duty imposed on French broadband subscribers to take measures to ensure that their broadband access is not used for infringing file sharing.  If the subscriber ignores this duty and the broadband access is used for illegal downloading, the subscriber of the line may have his or her Internet access cut off for a limited time.  If the subscriber installs certain approved protection technologies (and no one is yet sure what those technologies will be), the subscriber will be deemed to have fulfilled his or her duty of care.

• Email This
• Print
• Share Link

On July 10, 2009, the Federal Council (Bundesrat) finally passed an important amendment to the Federal Data Protection Act (FDPA), which imposes comprehensive obligations on data controllers in case of a loss or unlawful transmission of personal data to third parties (data breach). The new rules apply as of September 1, 2009. 

The legal obligation of a data controller to notify data breaches to the affected individuals and to the relevant data protection authorities (usually, the state’s data protection commissioner – Landesdatenschutzbeauftragter) is restricted to the loss or unlawful transmission of sensitive data, i.e. personal data revealing (i) racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and information on an individual’s health or sex life, (ii) information that constitutes a professional secret, (iii) information regarding criminal activities or administrative offenses, or (iv) information relating to bank accounts or credit card accounts.

In addition to the requirement that the personal data subject to the data breach must fall within one of the categories specified above, the loss or unlawful transmission of such personal data to a third party must constitute a severe threat to the rights or legitimate interests of the individuals involved. If these two requirements are met, the data controller must, first of all, immediately (“without undue delay”) inform the competent data protection commissioner of the data breach, providing (i) a precise description of the data breach itself, (ii) information regarding the potential consequences and risks of such breach, as well as (iii) measures that have been or will be taken by the data controller in order to mitigate the negative impacts of such breach. As a second step, the data controllers must notify the individuals involved without undue delay, provided, however, that the controller has located the leak which has lead to the data breach and taken all measures in order to avoid unlawful access of third parties using such leak (“responsible disclosure”). In case personal data relating to potential criminal acts or administrative offenses has been breached, the individuals involved will only be informed by the controller provided that such information does not put an ongoing criminal investigation at risk.

Generally, each individual whose personal data has been breached must be informed by the data controller. However, if the information duty would lead to extraordinary and unreasonable costs (i.e. if the data breach affects a large number of people), the data controller can meet its obligation by publishing a detailed notification (of at least half a page) in two newspapers which are published throughout Germany.

The amendment to the FDPA, which is clearly inspired by U.S. data breach notification laws, is an important contribution to the protection of consumers. It remains to be seen, however, how corporations and data protection authorities will deal with the fact that notification obligations only apply if a data breach poses a severe threat to important rights and legitimate interests of individuals.

• Email This
• Print
• Share Link

On August 19, 2009, the French Official Journal published the French Data Protection Authority's (‘CNIL’) long-awaited recommendations on the transfer of personal data for U.S. discovery purposes (‘Recommendations’, currently only available in French). The Recommendations were based at least in part on suggestions from a working group composed of representatives from all stakeholders, which was set up by the CNIL in 2008. The CNIL’s Recommendations are particularly useful for companies that find it difficult to reconcile French data protection and blocking statute limitations with U.S. discovery demands.

It is perhaps no surprise that the Recommendations largely echo the views of the Article 29 Working Party, which provided EU-wide guidance on pre-trial discovery for cross-border civil litigation earlier this year. Like the guidance from the Article 29 Working Party, the Recommendations do not apply to investigations by U.S. federal authorities or criminal offenses in the U.S. relating to data destruction.

• Email This
• Print
• Share Link