New Article by Hogan Lovells Partner Examines Proposed EU Regulation

On February 13, 2012, Paris Office partner Winston Maxwell published an article in the French trade journal Edition Multimedi@. The article examines the European Commission's proposed regulation on data protection, focusing on:

  • the Commission's choice of a Regulation as opposed to a Directive;
  • the new obligations that would be imposed on companies, including
    • the accountability principle;
    • Privacy by Design; and
    • the obligation to conduct privacy impact assessments (PIA) for certain kinds of processing.

The article describes:

  • the proposed changes to the rules on applicable law, which are designed to bring certain non-European websites within the scope of European privacy rules;
  • the proposed "right to be forgotten"; and
  • the right to data portability.

The original French version of the article, published in Edition Multimedi@, is available here.

European Commission Releases Official Draft of Groundbreaking Data Protection Regulation

This blog post was provided by Quentin Archer, a partner in the London office of Hogan Lovells.

The European Commission today published its proposal for a new Data Protection Regulation. The Regulation, which is not likely to come into force before 2014, is intended to harmonise data protection law in all 27 EU Member States and thus remove current differences which have proved problematic for business and individuals. Upon final passage of the Regulation, the current 1995 Data Protection Directive will be repealed.


Announcement from European Commission on Comprehensive Data Protection Reform Coming Wednesday

Despite suggestions that the European Commission's proposal for a comprehensive reform of EU data protection rules would be delayed until the spring, an announcement is scheduled for this Wednesday, January 25, at 12:30 PM CET (6:30 AM EST). The press conference with Viviane Reding, Vice-President of the European Commission in charge of Justice, will be live streamed here.

It appears that the requirement for notice within 24 hours of a data security breach will be part of the proposal, despite objections, based on experience with the 49 jurisdictional data security laws in the United States, that it is often impossible to assess a breach, much less give notice, within such a short time period. Also, the potential financial penalty of up to 5% of an entity's global turnover for violations of the privacy regulation was a subject of enormous controversy when leaked; it now appears that the upper limit of the financial penalty will be 2%, which is still a very significant amount.

In a speech on Saturday to the Digital Life Design conference in Munich, Ms. Reding previewed what the Commission's proposals will include. (A link to a video of her speech is here.)

Some excerpts, as reported by the Wall Street Journal Tech Europe blog. Here, Ms. Reding speaks of the change from a directive to a regulation:

A company will have to comply with one law for the whole of the EU territory. It will only have to deal with one single data protection authority. It will be the data protection authority of the member state in which the company has its main establishment. It will not matter anymore which data protection authority deals with a case. All data protection authorities in whatever EU country will have the same adequate tools and powers to enforce EU law.


Spanish Data Protection Authority Launches Public Consultation on Cloud Computing

By Pablo Rivas in our Madrid Office

Following the example of the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés or CNIL), the Spanish Data Protection Authority (Agencia Española de Protección de Datos or AEPD) has opened a public consultation on cloud computing to learn the opinions and experiences of service providers and users.

Interested parties have until January 27 to submit their comments. This public consultation is a good opportunity to enhance the AEPD's understanding of the data protection problems arising from cloud computing, and may also help the AEPD find viable solutions and alternatives for data protection compliance within the cloud computing environment.

Interested parties can participate in the public consultation by filling in an online form (in Spanish) accessible via the AEPD's website, www.agpd.es.

We will keep you posted on the conclusions of this public consultation of the AEPD.

European Data Protection Supervisor Releases "Inventory" of 2012 Priorities

On January 10, Peter Hustinx, the European Data Protection Supervisor (EDPS), released his annual "Inventory" of issues of strategic importance for 2012, along with an annex of the relevant Commission proposals and other documents that have been recently adopted or otherwise require the attention of the EDPS. The strategic proposals can be grouped into four main categories:


Google's Peter Fleischer: "A lot more privacy enforcement actions in 2012. And the sanctions are going to go through the roof."

Federal Trade Commissioner Julie Brill has frequently commented that when it comes to privacy enforcement, more "cops on the beat" is better. In today's guest blog, reprinted with permission from the blog of Google's Global Privacy Counsel Peter Fleischer, the spectre of multiple privacy enforcement authorities with substantial fining authority is raised:

When Apollo wanted to stop Laokoon from warning the Trojans that there were Greek soldiers in the famous Trojan Horse, he sent two giant snakes to kill Laokoon and his sons. Talk about sanctions! Have we considered using killer snakes to punish data protection violations and to discourage future bad practices?

Since 2012 has now begun, here's a prediction about the future: there are going to be a lot more privacy enforcement actions. By a lot of different government authorities, not just DPAs. And the sanctions/damages are going to go through the roof. Indeed, it's not easy to keep track of which government officials are in charge of data protection enforcement actions. There are a lot of them.

We all think of Data Protection Authorities, and similar bodies, like the Federal Trade Commission, as responsible for enforcing privacy laws. These bodies around the world have vastly different enforcement powers, investigative cultures, and sanctions traditions, even within Europe. Some, like the Spanish DPA, impose a lot of large fines. Others, like the French CNIL, imposed only 5 financial sanctions in an entire year. The largest fine the CNIL has issued in its entire history was 100,000 euros.

And yet others, like the Belgian DPA, don't have the legal power to impose fines at all. Other DPAs hardly ever use sanctions at all, in the classic sense, other than press releases and "name and shame" tactics. Moreover, in recent years, the US Federal Trade Commission has been moving in a different direction, namely negotiating consent decrees that are forward-looking, 20-year commitments for particular companies to abide by certain privacy standards and be subject to regular audits.

But if the plethora of DPAs and their varied enforcement practices were not divergent enough, privacy enforcement is by no means limited to these specialist regulators. In the US, the individual State Attorneys General regularly bring privacy actions. There's also an entire industry of US privacy-based class actions which has sprung up in the last few years.

Moreover, in many countries, privacy laws have been inscribed into the penal codes. Consequently, any criminal prosecutor can bring such privacy penal actions. For example, my prosecution and conviction in Italy for a "privacy violation" was brought by a Milanese public prosecutor and imposed by a criminal judge.

In the future, the number of authorities who can bring privacy enforcement actions is likely to increase. First, more and more countries are creating data protection authorities, e.g., roughly a dozen new ones have been created across Latin America and Asia in the last year.

And in Europe, where class actions generally don't exist and don't fit into the existing legal framework, there are now serious proposals to create mechanisms for "collective redress" of privacy claims. And of course, there have always been the normal judicial channels, where anyone can bring privacy claims against someone else if they feel their privacy has been violated. The number of such cases is also exploding around the world, especially as more and more data about people is collected, exchanged and published.

I regularly hear people claim that there's not enough legal enforcement of privacy. In some places, as a matter of practice, that may well be true. But there is no shortage of overlapping authorities with the power to bring or adjudicate privacy claims. Curiously, in privacy circles, most of the focus is on the enforcement actions of the DPAs. But in practice, the DPAs are just one of many different authorities who can and do bring privacy enforcement actions. And the trend is clearly going up: in terms of the number of laws that can be violated, the severity of sanctions, the number of complaints that are brought, and the breadth of authorities who are involved in enforcing privacy.

The European Commission has proposed instituting new fines for data protection breaches ranging up to 5% of global turnover! To a global company, that's probably scarier than killer snakes.

(emphasis supplied)

Article 29 Working Party Rebuffs European OBA Industry... Again

In an opinion adopted on December 8, the EU Article 29 Working Party again rebuffed the Online Behavioral Advertising (OBA) industry’s self-regulatory proposal for the placement of cookies on European citizens’ computers for the purposes of targeted advertising while only providing notice and offering an opportunity to opt out of the tracking. If you didn’t catch it the first, second, third, or fourth time around, the Working Party again proclaimed that European law requires affirmative, opt-in consent prior to the placement of any cookie for tracking purposes. In this most recent opinion, the Working Party broke down the OBA industry proposal, and then—in a rebuttal of the industry’s contention that the opinion will result in the proliferation of dreaded browser pop-up windows—offered up a number of methods of obtaining consent not involving pop-ups.


Details of EU Data Protection Reform Reveal Dramatic Proposed Changes

EU privacy law is under scrutiny and proposals for change are coming. The European Commission (EC) last year announced an upcoming reform of the EU Data Protection Directive (95/46/EC), which was a hot topic at last week's IAPP Europe Data Protection Congress in Paris (in which Hogan Lovells privacy lawyers from around the world participated). Changes are anticipated near the end of January. Some of the details of those changes, however, have emerged earlier than expected, as this week the EC circulated for comment two proposed legal instruments that likely will form the baseline of the EU's data protection framework for years to come.


An injunction too far: The Court of Justice of the European Union (ECJ) rules out injunctions against ISPs that allow general filtering to prevent illegal downloading

By David Taylor, Partner, Paris

In a highly anticipated and widely expected ruling issued on 24 November 2011, the Court of Justice of the European Union (the "ECJ") held that a national court cannot impose an injunction requiring an ISP to install a wide-ranging filtering system in order to tackle illegal downloading, since such an injunction is incompatible with EU law and its limitations on intermediary liability.

The ECJ held that the European directives on E-Commerce, Copyright Harmonisation, Enforcement of Intellectual Property Rights and Data Protection preclude national courts from imposing general filtering measures on internet service providers ("ISPs") to block illegal downloading over peer-to-peer ("P2P") networks.


Geolocation services: a five country survey

Hogan Lovells privacy attorneys examine the challenges of deploying geolocation services in five jurisdictions: France, Spain, Germany, the United States and Hong Kong. Privacy laws in each jurisdiction differ, including on the definition of "personal data" and on the degree of user consent that is required. The article also examines the WP Art. 29 Opinion 13/2011 on "Geolocation services on smart mobile devices." See the full article here.

Cross-Border Data Flows Free from Overly Restrictive Rules Touted by Industry and Government

At a time when leaders in the EU are poised to propose privacy rules that could well restrict the activities of US businesses, Google, Microsoft, Citigroup, IBM, GE and other major American companies have urged the United States to push for trade rules that protect the free flow of information over the Internet. In particular, the group's report, available here, urges that countries avoid "digital protectionism," and the report specifically addresses security and privacy:

Security and Privacy. The business community supports the right of governments to ensure the safety, security and privacy of its citizens and recognizes that approaches may differ between countries and across sectors. At the same time, as in any measure affecting international trade, governments must be able to communicate clearly the rules, rationale and compliance procedures governing these interests to businesses and individuals and make certain that those procedures are not an overly disguised restriction on international trade. For example, some countries have discriminated in favor of local businesses by selectively applying filtering regimes which degrade service; by mandating the use of domestic products or intellectual property; by requiring product certifications to be carried out locally; by rerouting traffic from global Internet brands to local competitors; or by applying their laws in a manner that discriminates against foreign suppliers or services. In addition, governments often work outside of established legal frameworks or processes when seeking commercial, financial or personal data, which raises a host of concerns about privacy, safety and security.

US Deputy Chief Technology Officer Danny Weitzner, in a similar vein, warned today in a speech to the US Chamber of Commerce that EU rules may be too stringent and that the Obama Administration will work to convince European regulators that voluntary but enforceable industry codes of conduct are the way to go. Also, the FTC today applauded the approval by the Asia-Pacific Economic Cooperation (APEC) forum of a new initiative to harmonize cross-border data privacy protection among APEC members, designed to enhance the protection of consumer data that moves between the United States and other APEC members.

Reflections from Brussels on the Mexico City DPA Conference

This entry comes from Elisabethann Wright, a Partner in our Brussels Office, who presented at the 33rd International Congress of Data Protection and Privacy Commissioners in Mexico City last week. Elisabethann focuses on EU law relating to life sciences, with particular emphasis on pharmaceutical law, medical devices, food law, and the environment. In Mexico, she drew upon her experience assisting clients in clinical trial agreements, adverse event reporting, product withdrawals and challenges to national authority and EU Institution decisions concerning the classification and marketing of medicinal products and medical devices.

At the Mexico City gathering of international Data Commissioners, officials from a number of EU Member States expressed disappointment at the low levels of compliance with their data privacy obligations demonstrated by data controllers in their territory. One Data Commissioner estimated that a depressing 95% of data controllers failed to comply with their obligations.

One consequence of this failure will be an apparent change in approach by Data Commissioners. While Commissioners and their officials previously have sought to advise and support data controllers in understanding and fulfilling their role and obligations, the future approach, influenced at least in part by the ambivalence displayed by data controllers, will focus on compliance. Several Commissioners expressed an intention to make enforcement of obligations their priority in the future.

The possibility of a single approach to the protection and use of data generated in relation to clinical trials was the subject of my panel during the Congress. Similarities of approach evidently exist between territories in relation to some aspects of data privacy in clinical trials. This includes the nature and content of patient informed consent forms. However, the suitability of basing secondary investigation on initial informed consent varies widely, as do the restrictions imposed on transfer of clinical data from one territory to another. The possibility that a single acceptable approach to these issues could be found was discussed. However, the general consensus was that, at least from a legislative perspective, a single approach is unlikely to evolve in the near future.

Among the snippets of information demonstrating the evolution of official approaches to data collection that I gathered from the Congress was the fact that, when Neil Armstrong brought back soil and rock samples from the moon in 1969, he was required to complete an import form to bring them on to US territory. "One large step for mankind but still subject to regulation." Future uses of data to benefit mankind likely will be met with similar regulation, and as it appears from the comments of regulators meeting in Mexico, disregard and non-compliance will increasingly be met with enforcement.

Social Network Impersonator Fined by Spanish Data Protection Authority In New Exercise of Regulatory Authority

By Pablo Rivas and Marta Jaureguizar in our Madrid Office

On October 20th, the Spanish Data Protection Authority, the Agencia Española de Protección de Datos (AEPD), announced an unprecedented decision against an individual who impersonated someone on a social networking site and thus engaged in identity theft. The AEPD fined the individual, who had created a profile on a sexually-oriented social network using the personal details of a third person, including that person's name, surname, phone number, and photo. Notably, the AEPD did not proceed against the online host of the impersonator's content.

The impersonation was found to be a processing of the impersonated individual's personal data without his or her consent, constituting an infringement of the Spanish Data Protection Act 15/1999, of 13 December 1999. While online impersonation has been the subject of judicial actions in Spain, this was the first exercise of the regulator's authority under the data protection law.


Network Neutrality Advances in the E.U.

By Dan Brenner, Technology, Media and Telecoms Practice

The network neutrality debate in the U.S. has moved to the appeal courts as the 2010 FCC Order, which becomes effective on Nov. 20, awaits review. Meanwhile, two E.U. developments presage further regulatory steps. The result is movement away from the European Commission's wait-and-see communiqué announced just last April.

On Oct. 7, the European Data Protection Supervisor issued an Opinion on network neutrality and the protection of privacy. The Opinion represents a relatively balanced review of the need for internet service providers (ISPs) to manage traffic and the risk of "function creep where the initial purposes could easily evolve into commercial or other exploitation of information collected." The Opinion recognizes that both the content and the traffic data processed by ISPs are protected by the right of confidentiality of correspondence under the E.U. Charter. Use of either requires a "free, specific and informed indication of wishes".


French Data Protection Authority launches public consultation on cloud computing

The French Data Protection Authority (the Commission Nationale de l'Informatique et des Libertés or CNIL) has opened a public consultation on cloud computing, citing the growing significance of the cloud computing market: "already €6 billion at the European level, with a yearly growth of approximately 20%". The CNIL believes that the opacity inherent in cloud computing raises data protection concerns.

The CNIL's consultation focuses on five areas: the definition of cloud computing, the role of the parties, applicable law, international transfers of data outside the European Union, and data security.

The consultation process opened on 17 October 2011 and input is sought from the public.


German DPAs Issue Rules for Cloud Computing Use

On September 26, 2011, the German data protection authorities adopted an "Orientation guide – cloud computing." The guide sets out mandatory and recommended content for any agreement between German users of cloud computing services ("customers") and cloud computing service providers. It highlights the customer's responsibility for full compliance with German data protection requirements in the cloud. In light of this orientation guide, customers and providers will have to review existing agreements in the German market.

Privacy and data protection compliance has been a challenging and unclear issue for cloud computing customers and service providers. The new German "orientation guide", adopted by the Munich conference of the German data protection authorities, gives clear guidance to cloud computing service providers and their customers in the German market. Privacy practitioners can expect that German DPAs will refer to this guide when addressing situations that raise close questions about the application of data protection laws to cloud computing.


French Court of Appeals rejects company's whistleblower system despite CNIL approval

A French Court of Appeals in Caen recently confirmed a lower court's order for the suspension of a whistleblowing system implemented by the French company Benoist Girard, a subsidiary of the American group Stryker. The decision comes as a surprise, as it disregards the approval of the whistleblower system by the French data protection authority (the "CNIL").

Under French law, the implementation of whistleblowing systems is subject to prior authorization by the CNIL. To reduce the burden of such formalities, the CNIL issued, in 2005, a general authorization for whistleblowing systems limited to the reporting of accounting, financial, banking and corruption misconduct (the "General Authorization"). Benoist Girard decided to implement its whistleblowing system in 2008 by relying on the General Authorization, despite three negative opinions on the system issued by the company's Works Council (the "CE").

In 2009, Benoist Girard's CE and Hygiene and Security committee (the "CHSCT") contested the validity of the whistleblowing system before the Caen Tribunal of First Instance, arguing that it allowed the reporting of alleged misconduct beyond the scope covered by the General Authorization. The CE and CHSCT therefore argued that the system required a prior specific authorization from the CNIL. The Tribunal ruled in favour of the CE and CHSCT, considering that the system, as implemented, was in breach of French data protection legislation and posed an immediate and substantial threat to the rights and freedoms of the employees. Benoist Girard appealed this decision.

In its analysis of the matter, the Caen Appeal Court first held that the CE and the CHSCT had to be consulted prior to the implementation or modification of the whistleblowing system, and then analysed the system in detail to evaluate its compliance with French law.


Pending Revision of EU Directive Prompts Questions About Safe Harbor

The pending proposal from the European Commission for revision of the EU Directive (expected in early 2012) raises questions about the efficacy, under a revised Directive, of the EU-US Safe Harbor framework, which permits the legal cross-border transfer of personal data from the EU to the US for companies enrolled in the Safe Harbor and committed to the requisite privacy protections. That is the recent observation in Europolitics, the European affairs daily:

It is not clear what impact a revamp of the EU and US data privacy legal frameworks would have on Safe Harbour. According to the Commerce Department official, "we have been assured by the European Commission that Safe Harbour will not be affected by changes in the Data Protection Directive". The official adds, however, that they do have concerns about US firms lacking the clarity they need should new terms like 'privacy by design' and 'right to be forgotten' be introduced without their precise meaning being spelled out. A Commission proposal is due to be unveiled in early 2012.

The article goes on to speculate about and comment on pending US privacy legislation and its effect on cross-border transfers, concluding that passage of a new US law is not likely:

Meanwhile, the US Congress is considering several bills that could move the US from its current sector-based system to a more comprehensive framework. If this happens, Washington could ask the Commission to adopt a so-called adequacy finding on the US data privacy framework, which would permit an automatic free flow of personal data from the EU to the US. This could effectively render Safe Harbour obsolete. But there is no guarantee that the Commission would adopt such a finding even if Congress does enact comprehensive data privacy legislation. Moreover, with the Obama administration not yet strongly pushing these bills and some Republicans on Capitol Hill opposing them on the grounds that they will stifle innovation in the digital environment, their passage looks far from certain.

On the efficacy of the Safe Harbor arrangement, Peter Fleischer, Google's Global Privacy Counsel, offered a rousing defense in a recent blog post: "I cannot think of a single international privacy framework that has done more to raise the standards of privacy practices by US companies over the last decade than Safe Harbor."


CNIL Cites French Yellow Pages Operator for Illegal Use of Social Media Data

France's Data Protection Authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), announced on September 23, 2011 that it had found the French provider of universal telephone directory services, "Pages Jaunes," in violation of several provisions of the French data protection law. The CNIL did not fine Pages Jaunes, but published a detailed warning listing each privacy violation that the CNIL had identified during its investigation of Pages Jaunes's activities.

At issue was Pages Jaunes's web crawler function, which Pages Jaunes has since discontinued. The crawler captured information contained in the Facebook, Twitter and LinkedIn profiles of persons having the same name as the person being looked up in the directory service. For example, if someone were to look up the telephone number of Pierre Dupont, Pages Jaunes would show Mr. Dupont's phone number, and would also show information from social media sites relating to persons named Pierre Dupont. The information could include photos, the name of Dupont's employer, the schools he attended, his geographic location, his profession, etc.


Hong Kong Introduces a New Personal Data (Privacy) Amendment Bill

By Gabriela Kennedy (Partner) and Heidi Gleeson (Registered Foreign Lawyer), Hogan Lovells, Hong Kong.

The Personal Data (Privacy) Amendment Bill (the "Bill") was introduced into the Legislative Council on 13 July 2011. The Bill is the culmination of a lengthy consultation process on the reform of the Personal Data (Privacy) Ordinance (the "Ordinance") which commenced in 2009. The Bill aims to bring the Ordinance in line with technological and other advancements that have occurred since the Ordinance was enacted 15 years ago, and is in part a response to mounting public concern over a number of high-profile instances of misuse of personal data in Hong Kong.

The most significant amendments relate to direct marketing and the sale of personal information, data processing, and the powers of the Privacy Commissioner for Personal Data (the "Privacy Commissioner"). The Bill also introduces increased penalties for breaches of the Ordinance. These key amendments are discussed below.


Upcoming EU Cloud Strategy Announced: Application of Local Privacy Laws Remains an Issue, To Be Explored at IAPP Navigate on September 14

The European Commission's Vice-President for the Digital Agenda, Neelie Kroes, earlier this week indicated that the EC is aiming for a 2012 Cloud strategy that reflects the EU focus on human rights. She has recruited former U.S. federal Chief Information Officer Vivek Kundra to be an adviser in the creation of the strategy.

As reported in the Washington Internet Daily, Kroes and Kundra were speaking at Salesforce.com's Dreamforce conference in San Francisco, where Kroes said that because "this is by definition a global issue," Europe should work with the U.S. and Asia in setting policy. But she also said that privacy and other human rights considerations are central to the way Europe approaches issues like this, "even if it's taking more time" to complete policymaking, because "the human rights system ... is the basis of our democracy," Kroes is reported to have said.

In this connection, recall that Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, has proclaimed that an essential "pillar" of EU citizens' privacy rights is "protection regardless of location", which has obvious implications for the Cloud.

"[P]rotection regardless of data location" [] means that homogeneous privacy standards for European citizens should apply independently of the area of the world in which their data is being processed. They should apply whatever the geographical location of the service provider and whatever technical means used to provide the service. There should be no exceptions for third countries' service providers controlling our citizens' data. Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules.

(The EU also generally takes the position that its privacy laws cover nationals from countries outside the EU whose data is processed in the EU, but France's data protection authority, the CNIL, recently exempted certain outsourcing services performed in France, a move followed by India with respect to its new privacy law, to the relief of companies performing outsourcing services in India.)

Presumably, Mr. Kundra's involvement in Vice-President Kroes's efforts to develop a Cloud strategy will help temper the rigid application of EU privacy laws to data stored in the Cloud.


France Implements EU Requirements for Data Breach Notification, Audits and Cookies Applicable to Electronic Communications Service Providers

This entry was drafted by Winston Maxwell and Lionel de Souza.

On August 26th,  France published a Presidential Order (Ordonnance) that implements the November 25, 2009 package of EU telecoms directives. The Ordonnance contains measures on data breach notifications, data security audits and cookies. These measures are  limited to providers of electronic communications services and therefore are not, for the time being, applicable to all data controllers.

Data Security Breaches. All providers of public electronic communications services are required immediately to inform the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), of any data security breach. A data security breach is defined as "any security breach that results accidentally or in an illicit manner in the destruction, loss, alteration, disclosure or unauthorized access to personal data which is processed in the context of the supply to the public of electronic communications services." The Ordonnance does not contain any materiality threshold. Consequently each and every breach, no matter how small, must be reported to the CNIL. Every provider of public electronic communications services must also keep a journal of data breaches, indicating the details of the breach, its effect and the remedial measures taken. The journal must be shown to the CNIL on request.

Notification to data subjects: if the data breach "can adversely affect the personal data or privacy of a subscriber or other individual, the operator must also immediately inform the interested party." However, this notification requirement can be waived if the CNIL finds that "appropriate protection measures were taken by the provider to ensure that the data are incomprehensible to any unauthorized person and such measures were applied to the data concerned by the breach." The Ordonnance contains no materiality threshold here either. Yet the Ordonnance states that the CNIL can, "after examining the seriousness of the breach, order the provider also to inform the interested party." This provision suggests that there may in fact be a "seriousness" threshold after all in connection with notifications to data subjects, but that the decision would be the CNIL's and will certainly depend on the reactivity and containment measures demonstrated by the service provider.

Article 29 Working Party to OBA Industry on Meeting Cookie Consent Requirement: "Nice try, but..."

The EU's Article 29 Working Party has just published a letter addressed to the Online Behavioural Advertising (OBA) Industry regarding the self-regulatory Framework proposed by industry to satisfy the requirement of the revised ePrivacy Directive for user consent before cookies may be placed on a computer for tracking (and targeted advertising) purposes.  The letter was sent in advance of a meeting apparently scheduled for sometime in September between the Working Party and industry representatives to discuss the proposals to satisfy the Cookie Directive.

Simply put, the Working Party has rejected every proposal put forward by industry to avoid the necessity of consumers affirmatively consenting to every placement of cookies by every party proposing to place such cookies.  OBA industry representatives have said that the specific, multiple consent arrangement will impede e-commerce and degrade the user's online experience, heralding a return to multiple pop-ups requiring choices before users may continue to see content.  So far, the Working Party's position is that there is no substitute for a form containing an explanation about the placement of cookies with a box for the consumer to check "I accept," provided by every entity proposing to place a cookie.

The Article 29 Working Party's specific complaints about the industry proposals:

  • A prominent opportunity to object to tracking by cookies can never be the same thing as a specific opt in.
  • The complaint that multiple ad network providers will lead to multiple pop-ups on web sites is not well-founded, since once consent has been given to a network, the pop-up need not appear subsequently.  (The Working Party did not address the issue of what happens before any consents are given and multiple pop-ups seeking consent in fact appear on a given web site except to suggest that perhaps a "centralized way" can be established to obtain consent.)
  • Browser settings rejecting cookies are insufficient since the default is to accept cookies.
  • Icons attached to ads that can be clicked to learn about cookies and express preferences are inadequate because consumers today don't know what the icons mean, and since the Directive applies whether the cookies track personal data or not, the information provided when the icon is clicked making such distinction is inconsistent with the notice requirement.  The icon also was criticized as providing too "indirect" a way to provide notice.

Attached to the Working Party's statement of reasons about the inadequacy of the OBA industry's proposals was a letter from the FTC's Director of Consumer Protection David Vladeck responding to an EU request for the FTC's position on transparency and consumer choice in connection with behavioral advertising.  Notably, the letter explains the value of targeted advertising (while, of course, citing the privacy concerns) and notes "the number of steps to improve transparency and consumer choice" the OBA industry has taken recently.  The letter also notes the guidance the FTC has provided on how to give consumers the "Do Not Track"  power.  The letter from Mr. Vladeck speaks of consumers having a "meaningful opportunity" to control data collection practices, but stops far short of anything resembling the requirements of the Cookie Directive, and the Working Party's reaffirmation, for express opt in for the placement of every tracking cookie.

Hong Kong Set to Implement Data User Return Scheme by 2013

This post was contributed by Gabriela Kennedy, a Partner, and Zuzana Hecko, a Summer Intern, both of the Intellectual Property, Media and Technology Group of Hogan Lovells Hong Kong

On July 7, the Hong Kong Privacy Commissioner for Personal Data (“the Commissioner”) issued a consultation document setting out the mechanism for a Data User Return Scheme (“the Scheme”).  Provisions allowing the Commissioner to request returns from specific data users are already present in Part IV of the Personal Data (Privacy) Ordinance ("the Ordinance").  So far, the Commissioner has not exercised this right, but following a survey of practices in other jurisdictions and taking into account the heightened awareness of privacy rights and corporate sensitivity about personal data, the Commissioner is now of the view that it is time to introduce the Scheme in Hong Kong.

The consultation document (PDF) seeks views on the implementation and operational framework for the Scheme in Hong Kong.


Benefits of the Scheme

The Scheme aims to provide better protection of personal data among corporate data users.  Once the Scheme is implemented data users will be required to submit an annual return detailing the personal data they control and the purposes of collection or processing of such data.  Data users may provide more information than prescribed by the Commissioner if they so wish in order to show their commitment to the protection of personal data of their customers.  It is hoped that the Scheme will lead to greater accountability and transparency of data protection practices of corporations as well as an enhancement of their data privacy protection standards.  Companies required to submit Data User Returns will need to take care when filling them in and provide correct information as the intentional provision of false or misleading information constitutes an offense under the Ordinance (attracting a fine of HK$10,000 and imprisonment for up to 6 months).  It is also an offense not to submit a return or to submit it late (although a penalty will be applied for the late submission of a return this will not rule out a prosecution for late submission).

The Commissioner will keep a Register of Data Users, in effect a database of data users, which would contain all the information submitted annually by data users.  The register will be available to the public for inspection, thus giving data subjects an opportunity to understand data users' privacy practices and compare them with the practices of other data users.  Data subjects will have a single point of access to information about how Data Users handle their personal data.

SABAM: advocate general highlights tension between privacy and copyright

The advocate general of the European Court of Justice issued his long awaited opinion in the SABAM case, a case that discusses the ability of ISPs to filter Internet content in order to detect illegal copyright infringements.  The advocate general highlights the tension between privacy rights and copyright, and the criteria that must be satisfied in order for a filtering measure to be constitutionally valid in Europe.  In the SABAM case, the advocate general found that one of the constitutional criteria was lacking, because Belgium had not enacted a specific law that would permit the kind of filtering that had been ordered by the court in the SABAM case.   The opinion is summarized by Hogan Lovells privacy lawyer Winston Maxwell in a recent article.  The article also discusses the TalkTalk case in the United Kingdom.

Looking Back at the eG8

In a recent article Christopher Wolf looks back at the eG8 conference and pleads for better transatlantic cooperation on privacy matters, explaining the tension between U.S. First Amendment traditions, and certain European proposals including the right to be forgotten.

European Cookie Legislation: Pragmatic advice for five jurisdictions

Hogan Lovells privacy lawyers from five European jurisdictions have published an overview of privacy rules applicable to Internet cookies in Europe. The new rules, which flow from a recent amendment to the European E-Privacy Directive, are not yet settled in all European Member States. This overview provides practical guidance on how to comply with the new prior consent rules that will apply in the United Kingdom, France, Germany, Italy and Spain.

Article 29 Working Party Guidelines on Consent will Lead to More Pop-ups

On July 13, 2011, Europe’s Article 29 Working Party issued an opinion on the notion of consent and how it should be interpreted and used under European data protection laws. The guidelines are in large part a compilation of recommendations previously made by the Article 29 Working Party for particular forms of processing, such as collection of patient data for electronic health records, transfer of data to third parties, processing of passenger name records, etc. The guidelines also draw on case law of the European Court of Justice, including an important decision in the field of employment law interpreting what constitutes a valid consent of an employee. 

What emerges from the guidelines is first that data controllers should be wary of relying too much on consent as a basis for processing, particularly when other justifications for the processing may suffice under the directive. It is tempting in some cases to apply a “belt and suspenders” approach by asking data subjects for their consent even when another legal justification for the processing would suffice by itself. The guidelines point out that requesting consent in these circumstances might be a “false good solution”, and create awkward situations when a consent is withdrawn while the data controller still has legitimate grounds to pursue the processing of data.

Privacy v. Anti-Piracy: Content Owners Warned to Supervise Anti-Piracy Monitor to Ensure Privacy

The anti-piracy efforts of the content industry in France recently resulted in a warning from French authorities that, when policing online piracy through use of a third-party contractor, privacy must be respected and enforced. 

The French agency entrusted with fighting online copyright infringement, the HADOPI, sends warning letters to suspected online infringers after receiving IP addresses collected by right holders. Right holders use a service provider, TMG, to collect these IP addresses. Before putting the system in place, right holders obtained an authorization from the French data protection authority, the CNIL, allowing them to collect IP addresses for this purpose.

Report from Canada: New Canadian Anti-Spam Legislation About to Go Into Effect

Mark Hayes

This report on Canada's new Anti-Spam law comes to us from our friend Mark Hayes, one of Canada's leading privacy and Internet lawyers.

While unofficially known as the “Fighting Internet and Wireless Spam Act” (FISA), Canada’s new anti-spam legislation is officially titled:

“An Act To Promote The Efficiency And Adaptability Of The Canadian Economy By Regulating Certain Activities That Discourage Reliance On Electronic Means Of Carrying Out Commercial Activities, And To Amend The Canadian Radio-Television And Telecommunications Commission Act, The Competition Act, The Personal Information Protection And Electronic Documents Act And The Telecommunications Act” 

The Act was enacted on December 15, 2010, but will not come into force until sometime in the fall of 2011. Regulations have not yet been enacted in connection with the Act, but are expected to be passed in the fall of 2011.

The stated purpose of the Act is to promote efficiency of the Canadian economy by regulating conduct that discourages use of electronic means for commercial activity. In particular, the Act sets out a number of prohibitions relating to the control and prevention of unsolicited electronic messages, malware and spyware, as well as provisions providing remedies against prohibited electronic practices and amending a number of other pieces of legislation in line with the Act.

CNIL Official Provides Insight Into EU Privacy Law Reform

Florence Raynal, Head of the International Division of the French Commission Nationale de l'Informatique et des Libertés (CNIL), recently said at an American Chamber of Commerce in France (AmCham) roundtable that the European Commission's legislative proposals for revision of the 1995 EU Privacy Directive would be released before the end of 2011, and that the new legislative package should be adopted by 2014. Raynal said the new package might include a regulation, which, unlike a directive, would have direct effect and thereby avoid some of the harmonisation problems encountered in connection with the 1995 Directive.

Raynal was joined at the AmCham roundtable by Christian Pardieu, Head of Privacy Policy for GE in Europe.  Pardieu and Raynal agreed on the main topics that would be covered by the future EU reform package:

  • simplification of notification formalities;
  • the 'right to be forgotten';
  • accountability principle;
  • applicable law.

When discussing the accountability principle, Pardieu pointed out that corporations should receive a benefit from voluntarily implementing audit and other accountability measures, whereas Raynal said the CNIL did not view accountability as "trade-off" for other benefits.  For the CNIL, accountability is part of compliance with a data controller's legal obligations, although she said that accountability measures may not be appropriate for all kinds of businesses.

Raynal concluded with a discussion of BCRs, including the new timeframes applicable to multi-jurisdictional applications and useful tips on drafting BCRs.

The full summary of the AmCham meeting is available here: CNIL AmCham meeting on Revision of EU Privacy Directive

Hogan Lovells partner Winston Maxwell co-chairs the AmCham's New Media, IT and Privacy Committee, which hosted this event.

Round Up of Developments in Social Media Law

Social media has been a hot topic of late.  Companies are debating the official use of social media for marketing purposes, social networking privacy has been the subject of recent (failed)  legislation, and the EU has been ratcheting up pressure on prominent social networking sites to enhance privacy protections.  Social media was even a topic of discussion at this May's "eG8" in Paris, an event blogged about recently by Chris Wolf.

The Hogan Lovells Chronicle of Data Protection has covered social media developments over the past year or so, and provides a summary of our coverage for you here in one place, allowing you to take stock.

French Parliamentary Commission Recommends Privacy Law Reform Citing Testimony of Hogan Lovells Privacy Lawyer

After a year of hearings, including meetings in Washington with the FTC and DOJ, a French parliamentary commission released its findings on the protection of individual rights in the digital revolution. The 384-page report from the French National Assembly covers a broad range of issues linked to data protection, including specific recommendations on EU privacy law reform. Hogan Lovells partner Winston Maxwell testified before the parliamentary commission, and the commission cited Winston's testimony in connection with its recommendations on the "right to be forgotten," privacy by design, and net neutrality.

The parliamentary commission found that the "right to be forgotten," while an attractive concept, covers a broad range of different situations, and that the key element of the "right to be forgotten," i.e. that individuals have a right to access and to require the deletion of personal data about them, is already covered by existing law. Citing Maxwell's testimony, the commission concluded that the creation of a new "right to be forgotten" does not appear necessary from a legal standpoint. On the issue of privacy by design, the commission recommended that Europe invest heavily in privacy-enhancing technology, and use privacy by design to create competitive edge for European industry.

Does California Twitter Unmasking Order Suggest the Application of Foreign Privacy Law in the US?

Twitter unmasks anonymous British user in landmark legal battle

California court forces site to reveal personal details of user accused of libelling local authority in north-east England

Thus read a headline in The Guardian (UK).

The Guardian was reporting on a recent California ruling ordering Twitter to unmask an anonymous critic of a UK local government council. The ruling raises the question of whether foreign privacy law will be applied in the US. In this case, the ruling deprived someone of privacy (the anonymous online critic), but the outcome suggests that a US company may be subject to foreign privacy law, even if it conflicts with First Amendment principles.

In the EU, one element of privacy law is the right to know who is making anonymous criticisms. This has made it difficult for US companies operating in the EU to use anonymous whistleblower hotlines (deemed useful in corporate governance). In the US, of course, the right to criticize anonymously has a strong degree of First Amendment protection.

German Census 2011 Raises Privacy Concerns and Court Challenges

This week, Germany started a new Volkszählung, the first count and registration of the population of Germany, its federal states and its communities since 1987. The 2011 census has precipitated privacy concerns and legal challenges.

The census has its basis in EU Regulation 763/2008, which provides that such a census be conducted by the Member States in 2011, the Federal Census Act 2011 (Zensusgesetz 2011), and implementation laws enacted by the federal states. Approximately one third of the people living in Germany are asked questions related to age, registered residence, nationality, relationships, education, employment, and residential property. People who refuse to answer could face fines of up to 1,500 Euro. The data gathered shall be used for "important political and economical decisions", such as the re-calculation of the financial compensation scheme of Germany's federal states or of the distribution of seats in the Bundesrat (the representation of the federal states at the federal level).

UK Issues Guidance on Obtaining Consent for the Use of Cookies

Quentin Archer in the Hogan Lovells London office prepared this entry.  

Few topics in the world of EU data protection have generated so much debate, and so little understanding, as the change to the law on cookies. On 9 May the UK Information Commissioner issued some guidance on the new law, but anyone expecting clear instructions on how to achieve compliance will be very disappointed.

In essence, the change in the law is simple. The Privacy and Electronic Communications Directive of 2002 provided that users should be given clear information about cookies as well as an opportunity to opt out of them. Under the 2009 amendment to the Directive, which Member States are to implement by 26 May, users must give their consent to the storage of the cookie on their terminal equipment. Cookies employed for the sole purpose of carrying out the transmission of a communication over an electronic network, or which are strictly necessary for the provision of a service requested by a user, are exempt.

Europe's Article 29 Working Party issues smart meter guidelines

By Winston Maxwell (Paris) and Marco Berliri (Rome)

The European Union's Article 29 Working Party published on April 11, 2011 an opinion on smart metering, recommending Privacy by Design, data minimization, and consumer interface options that give customers increased control over their data and privacy settings.

The opinion indicates that most data collected by smart meters will be considered "personal data" under the Data Protection Directive because the data will be associated with a unique identifier such as a meter identification number, which in turn can be linked to a living individual. The opinion states that the "data controller" will in most cases be the energy supplier, but that the grid operator may also be controller, as may be the third party service provider (so-called Energy Service Companies, or ESCOs). As mentioned in the Art 29 WP's opinion 1/2010 on data controllers and processors, it is not infrequent for there to be more than one controller.

China Publishes Draft Privacy Guidelines

Gastón Fernández (Associate), Hogan Lovells, Beijing, PRC, contributed this entry

While personal data privacy law has been developing in many jurisdictions with the increasing prevalence of internet usage, the People's Republic of China has not yet enacted comprehensive laws or regulations governing the collection, use and transfer of personal data. However, this may change soon, as indicated by the recent issuance of the draft Information Security Technology -- Guide of Personal Information Protection (the "Guidelines", issued jointly by the General Administration of Quality Supervision Inspection and Quarantine and the Standardization Administration of the PRC on 30 January 2011). The draft Guidelines were developed in consultation with the Ministry of Industry and Information Technology, the government agency charged with regulating the telecoms and internet industries, and would create broadly applicable rules and principles for handling and transferring personal information. Although the draft Guidelines could be revised before implementation and have not yet been enacted, upon entering into force they could significantly impact business practices relating to storage, processing and transfer of information.

News from Hong Kong: Major Credit Agency Passes Test of Privacy Commissioner But Deficiencies Noted

Gabriela Kennedy (Partner), Heidi Gleeson (Registered Foreign Lawyer) and Alya Bloum (Intern), Hogan Lovells, Hong Kong contributed this entry.

In Hong Kong, the Privacy Commissioner for Personal Data recently exercised his rights under Section 36 of the Personal Data (Privacy) Ordinance and conducted an inspection of the data system of TransUnion Limited, Hong Kong’s major credit reference agency.  While the inspection did not reveal any major data breaches or issues, the Commissioner has reported deficiencies in TransUnion's personal data system and made a number of recommendations for improvement.

TransUnion holds the credit records of approximately 4.3 million consumers in Hong Kong and is the main source of consumer credit data for credit providers. Given the large amount of data held by TransUnion and the risk of loss and damages to consumers in the event that this sensitive personal data were misused, the Commissioner considered that an inspection was warranted.

The major objective of the inspection was to review the data processing cycle of TransUnion to ascertain whether it complies with the data protection principles under the Ordinance (the "DPPs") and with the Code of Practice on Consumer Credit Data, which was issued to provide guidance to CRAs when collecting, storing and processing personal data.

The Inspection Report

On 15 March 2011, the Commissioner issued his inspection report.  Whilst the Report noted that TransUnion had in place comprehensive and detailed policies regarding the handling of consumer credit data it also noted areas where there was room for improvement and made twenty recommendations for TransUnion to enhance its personal data system. 

Update on Mexico's New Privacy Law: No Immediate Enforcement, But Companies Expected to Appoint Privacy Officer and Have Written Policies

Hogan Lovells has organized two programs over the past year to discuss developments in "NAFTA privacy" (privacy laws in Canada, the US and Mexico).  The most recent program was a panel at the IAPP Global Privacy Summit moderated by Hogan Lovells Privacy and Information Management Practice Director Chris Wolf, along with the Chief Privacy Leader at General Electric Nuala O'Connor Kelly.  Participating were FTC Commissioner Julie Brill, Ontario Privacy Commissioner Ann Cavoukian and Deputy Commissioner Ken Anderson, and Mexico's Privacy (IFAI) President Commissioner Jacqueline Peschard Mariscal. 

Courtesy of BNA, here is a report on the update provided by Mexico's Privacy (IFAI) President Commissioner Peschard Mariscal:

Data Protection

Mexico Will Not Rush to Compliance Review, Enforcement of New Law, DPA Chief Assures

Mexico's data protection authority will not rush to carry out compliance inspections or take enforcement actions when rules implementing the country's new data protection law begin taking effect in July, the head of the DPA, the Instituto Federal de Acceso a la Información Pública (IFAI), said March 10 at a conference.

As soon as the final rules are published in July, the government expects businesses and other covered entities to begin following the basic requirements that they appoint an individual to be in charge of data protection and establish written data security and privacy policies, IFAI President Commissioner Jacqueline Peschard Mariscal said.

But the government will not immediately begin verification activity, she said. Instead, the IFAI will focus on training and education of covered entities in the requirements of the rules, Mariscal said at a session of the International Association of Privacy Professionals Global Privacy Summit.

Mexico's Federal Law Protecting Personal Data in Private Possession regulates for the first time on a federal level how businesses and individuals handle personal data. It technically took effect July 6, 2010 (9 PVLR 1016, 7/12/10), but the implementing rules are not expected before this July, according to the IFAI (10 PVLR 368, 3/7/11).

Enforcement of the new law is slated to begin in January 2012, Mariscal confirmed at the conference panel entitled "Privacy: What You Need to Consider When Doing Business in North America."

Sufficient DPA Funding for Enforcement?

In July, the Public Information Institute of the Federal District (InfoDF), the Mexico City agency that handles transparency and data protection for the city, warned in July 2010 that the IFAI needed a larger budget for the new data protection law to function properly (9 PVLR 1016, 7/12/10).

Panel moderator Christopher Wolf, director of Hogan Lovells LLP's privacy and information management practice in Washington, asked Mariscal if the IFAI has sufficient funding and enforcement staff to carry out its data protection duties.

"The office has received the necessary budget to carry out its mission," Mariscal responded.

Mexico has a federal system of government with both a national government and regional government in the 31 states and the federal district in Mexico City, she said. But unlike the Canadian model, in which the provinces may pass laws to supplant the federal Personal Information Protection and Electronic Documents Act (PIPEDA) for all or some categories of data (see related report in this issue), the Mexico federal law will remain the primary law in the country. In that scenario, funding the national IFAI is built into the law, she said.

Preventative Approach Is Goal

Nevertheless, "our aim is to have a preventative approach," in part to control costs, by using approaches such as privacy-by-design, rather than focus on adverse enforcement actions, Mariscal said.

Fellow panelists Ann Cavoukian and Ken Anderson, respectively the privacy commissioner and assistant privacy commissioner for the Canadian Province of Ontario, applauded Mexico's focus on privacy-by-design, a method that works to protect privacy at the front end of the design and implementation process for new information systems and technology rather than through after-the-fact enforcement.

Cavoukian has been a leader in developing privacy-by-design and sees it as a tool that every data protection authority should employ (see related report in this issue).

Mariscal also noted that under the new law, there are opportunities for covered entities to work toward a resolution of privacy concerns raised by the IFAI before the filing of any formal enforcement action through an administrative appeal process.

The law authorizes fines of up to 16 million ($1.3 million) for companies misusing personal data, and provides for doubling the fines to about 32 million ($2.6 million) when the personal data is deemed sensitive.

But Mariscal reminded the audience that implementing privacy law in Mexico will require a "cultural shift for a people that are not used to protecting personal data." In that environment, taking a preventative, educational approach is necessary before taking the next steps to implement stricter, more specific sectoral protection rules, and take enforcement action, she said.

Commissioner Julie Brill of the U.S. Federal Trade Commission agreed that educating and working with businesses towards privacy solutions is normally preferable to simply setting rules and then engaging in strict enforcement.

By Donald G. Aplin

Full text (in Spanish) of Mexico's Federal Law Protecting Personal Data in Private Possession  

Reproduced with permission from Privacy & Security Law Report, 10 PVLR 455 (Mar. 21, 2011).

Copyright 2011 by The Bureau of National Affairs, Inc. (800-372-1033)

US Court and German Data Protection Authority in Accord on Discovery Limitations

As recently reported by the data protection authority of the German Federal State of Bavaria in its annual review, a US court recently accepted the data protection authority's limitation on the scope of discovery involving documents with personal information. The issue of EU data protection rules conflicting with US discovery requests is a recurring one, and this episode demonstrates an instance of international comity.

A German company was the subject of a non-party discovery request in a US civil action to produce company documents located in Germany.  The documents, including emails, were connected to the plaintiff and its business, as well as to the development and distribution of products of the German company. The German company itself was not a party to plaintiff's lawsuit. However, the German company belonged to the same group of companies as the defendant. The plaintiff claimed that the defendant and the German company had gained unauthorized access to business secrets of the plaintiff, and the discovery request was directed to this claim.   


CNIL Simplifies Formalities for Non-EU Companies Using Data Processors in France

In a decision published on 2 March 2011, the French data protection authority (the “CNIL”) announced a simplification of the formalities regarding data processing in France done on behalf of non-EU entities.

Under French data protection law, the general rule is that a data controller processing personal data in France is required to either file a notification or obtain an authorization from the CNIL prior to the implementation of the processing. Such obligations apply not only to French entities or entities having local presence in France but also to entities located outside the EU but which use “processing means” (such as servers, third party service providers, etc.) on the French territory.

In order to comply with this requirement, foreign entities wishing to use the services of French companies to process their personal data in France are required to appoint a representative in France which acts as their local point of contact with the CNIL and completes the required formalities on their behalf.

In consideration of the development of such services in the fields of human resources or client and prospect management, the CNIL, using its regulatory powers for data protection formalities in France, has decided to exempt non-EU companies using service providers located in France to process their human resources and/or their client and prospects data from the completion of formalities. In such cases, the appointment of a local representative is therefore no longer required either.

Finally, it should also be noted that this exemption from formalities also applies to the “return transfer” of data from the French service provider to the non-EU based data controller. While international transfers of data from France to a jurisdiction not regarded as providing an adequate level of protection to personal data are generally subject to prior authorization from the CNIL, the exemption expressly indicates that such “return transfers” are justified and exempt from prior authorization on the basis of the “performance of an agreement” exceptions provided for in sections 69 (5°) and 69 (6°) of the French law, which implement into French law the provisions of sections 21(5) and 21(6) of the 1995 European Directive on data protection.

The full text of this exemption (exemption #15) can be found here (in French).

Spain's Parliament Modifies DPA Penalty Authority As DPA's Enforcement Efforts Scrutinized

This report comes to us from Gonzalo Gallego, a partner in the Hogan Lovells privacy practice resident in Madrid:

Spain has a new penalty regime for violations of privacy, with many minimum and maximum fines lowered. This is viewed as a business-friendly development at a time when the Spanish Data Protection Agency (“SPDA” or “Agency”) has earned a reputation as one of the more enforcement-oriented DPAs in the EU, and when one of its high-visibility enforcement efforts is under scrutiny. The new regime entered into force on 6 March 2011 and applies to all data controllers and data processors processing personal data under Spanish law.

The modifications were announced just as Europe’s highest court is set to rule on the propriety of the SPDA ordering Google to remove links to web content that allegedly infringed the privacy of individuals, which Google has challenged as a violation of free expression.

These are the main modifications in the penalties now available to the SPDA under Spanish law:


The EU officially has recognized Israel as having adequate protection for personal data, permitting cross-border transfers

The European Data Protection Directive 95/46/EC contains certain restrictions on the export of personal data to a country outside the European Economic Area (“third country”). Whether personal data may be transferred from the EU to a data importer located in a third country has to be assessed on the basis of a two-step test. First, the transfer must be justified on the basis of an explicit legal permission or the data subjects’ consent. Second, the third country where the data importer is located must ensure an adequate level of data protection.

By decision of 31 January 2011 (2011/61/EU), Israel – in addition to Argentina, Canada, Guernsey, the Isle of Man and Switzerland – has now formally been recognized by the European Commission as a country which provides an adequate level of protection of personal data. The Israeli Law, Information and Technology Authority ("ILITA") will be the responsible supervisory authority.

Without such formal recognition a data transfer to a third country may only take place on specific conditions or where additional adequate safeguards are adduced (e.g. the conclusion of an appropriate transfer agreement based on the EU standard contractual clauses for the transfer of personal data to third countries).

Against this background, Israel’s formal recognition by the European Commission as a country providing an adequate level of data protection will help to reduce legal uncertainties and administrative efforts. However, before transferring data from the EU to Israel, data exporters should still be aware that the formal recognition only fulfills the second prerequisite of the two-step test outlined above. In any case, the data transfer itself requires a legal justification.

The EU Commission’s decision is available at the Commission's website.

Hong Kong Considers Sharing of Consumer Mortgage Data with Credit Providers

The Hong Kong financial services industry (as represented by the Consumer Credit Forum (the "CCF")), with support from Hong Kong's financial regulator, the Hong Kong Monetary Authority ("HKMA"), has recently issued proposals to widen the scope of the current credit data sharing scheme in Hong Kong, in order to allow additional mortgage data of consumers to be shared among credit providers (the "Proposals"). If the Proposals are accepted, it will be necessary to amend the Code of Practice on Consumer Credit Data (the "Code of Practice") issued by the Privacy Commissioner for Personal Data (the "Commissioner") under the Personal Data (Privacy) Ordinance (the "Ordinance").

On 5 January 2011, the Commissioner issued a consultation paper to seek public comment on the Proposals. The public are invited to submit comments on the Proposals and the related privacy implications by 8 February 2011. 


Privacy in France: 2010 review, 2011 perspectives

The beginning of the New Year gives us an opportunity to reflect on the evolution of privacy in France over the past twelve months and also to consider the new challenges and opportunities that will develop in 2011.

2010 was a year of evolution for the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (the "CNIL"), and 2011 promises to bring further changes. On the formal side, the management of formalities evolved with a new online platform for their completion, which appears to bring a much needed improvement in the time taken to process files. Policy also evolved with the adoption of documents providing guidance to data controllers on the security of data, and with the amendment of the general authorization for certain whistleblowing systems, which, although needed, could be regarded as slightly disappointing.

In France, 2010 also saw privacy invite itself into the public debate, whether as a result of controls and sanctions conducted and imposed by the CNIL or as a result of high profile cases such as the Google StreetView controversy or the decision acknowledging the legitimacy of the dismissal of an employee on the basis of comments posted on his Facebook page.

The review of the past year also allows us to anticipate some of the CNIL's points of focus for 2011. Firstly, the evolution of technologies will remain at the forefront of data protection discussions during the coming year. In 2010, the CNIL approved a number of processes involving biometric data, and the development of these technologies will continue to raise questions and issues this year. In 2011, the CNIL will also focus on the development and implementation of a major project: certification labels for products and services, which could become an important differentiating factor in attracting customers in the short and long term.


German Data Protection Authority Imposes €200,000 Fine for Targeted Advertising Without Adequate Consent

Dr. Stefan Schuppert in the Hogan Lovells Munich office prepared this entry. Stefan is a member of the Hogan Lovells Privacy practice and the IP, Media & Technology group and advises companies in the fields of information technology and new media concerning intellectual property, contract law and data protection.

On November 23, the data protection authority (DPA) of the German Federal State of Hamburg imposed a €200,000 fine [link in German] on the Hamburg-based savings & loan Hamburger Sparkasse for violations of the German Federal Data Protection Act (the BDSG), among other things for using neuromarketing techniques without customer consent. The case, which attracted much negative publicity in Germany, including page 1 headlines and "top spots" in television news, may very well influence the assessment of neuromarketing techniques under data protection laws beyond Germany.


EU Data Protection Supervisor's Interview at Hogan Lovells London

European Data Protection Supervisor Peter Hustinx traveled in frigid, snowy conditions from Brussels to London on 2 December for an interview presentation at the London Offices of Hogan Lovells attended by lawyers from the Hogan Lovells global Privacy and Information Management Practice as well as clients and friends of the firm.

The interview coincided with visits to Europe of US Hogan Lovells privacy partners Barbara Bennett, Marcy Wilder and Chris Wolf, who participated in the IAPP Privacy Congress in Paris earlier in the week, and meetings with EU Hogan Lovells privacy colleagues in London, including:

  • Quentin Archer (London)
  • Roger Tym (London)
  • Mac Macmillan (London)
  • Winston Maxwell (Paris)
  • Stefan Schuppert (Munich)
  • Hanno Timner (Berlin)
  • Marco Berliri (Rome)
  • Gonzalo Gállego (Rome)
  • Lionel de Souza (Paris)
  • Massimiliano Masnada (Rome)

Messrs. Maxwell and Schuppert and Ms. Wilder presented in Paris on Binding Corporate Rules and Mr. Wolf presented on the balancing of fundamental rights of privacy and anti-piracy. The London meetings were organized by Barbara Bennett and Quentin Archer and focused on global developments in privacy law and how best to provide seamless privacy law services to clients around the world with multi-jurisdictional needs.

The session with Mr. Hustinx, conducted by Hogan Lovells practice leader Chris Wolf, started with the observation that the firm’s practice is now the largest privacy practice in the world, and thus what happens in the EU with respect to privacy has great significance for clients of the firm. The focus of the interview was on the recently-issued draft agenda of the European Commission on privacy.

Mr. Hustinx spent about an hour discussing many of the details of the draft agenda, including the process for its consideration, the concepts of the “right to be forgotten,” changes to the ways in which notice and choice are implemented, how national privacy laws might be harmonized across the EU, how cross-border transfers outside the EU might be facilitated, and the efficacy of increased enforcement and penalties.

Two observations by Mr. Hustinx stand out:

  • The current EU data protection framework will stay in place for the next 4 to 5 years, as the process for consideration and implementation of the changes embodied in the Commission’s draft agenda will be lengthy and thorough.
  • The day will come when the United States privacy framework will be recognized by the EU as providing “adequate protection,” thus allowing cross-border transfers without the employment of auxiliary legal tools. Mr. Hustinx concurred in the observation that the FTC Report issued on 1 December contained concepts now present under the EU Directive and paralleled in significant ways the Commission’s draft privacy agenda. Mr. Hustinx declined to say when the time for EU adequacy recognition of the US would come, but suggested it was not in the immediate future. He applauded the closer working relationship between the US and the EU on privacy matters, following a mention of greater US governmental attention to privacy issues, and said there are privacy protection concepts from around the world that may be adopted in the EU – that global exchanges of best practices are in everyone’s interests.

Hogan Lovells expresses enormous appreciation to Mr. Hustinx for meeting with us, and especially for the arduous travel to and from London he endured to be with us.

FinCEN Considers Proposed Rule to Require Reporting of Cross-Border Electronic Fund Transfers

Comments are due December 29 on a proposal that would require banks and money transmitters to report information to the U.S. government regarding international fund transfers, including the Social Security numbers of individuals that send or receive such funds.  

On September 30, 2010, the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, published a Notice of Proposed Rulemaking (NPRM) for public comment. The proposal would amend Bank Secrecy Act (BSA) regulations to add two new requirements. First, banks and money transmitters would be required to report transmittal information on cross-border electronic transmittals of funds (CBETFs) on an ongoing basis; banks would have to report transfers of any amount, while money transmitters would have to report transfers of at least $1,000. For reportable transactions of $3,000 or more, money transmitters would have to include in the report the taxpayer identification number (TIN), alien identification number, or passport number of the transmitter or recipient. Second, the proposal would require all banks to file an annual report with FinCEN of the account numbers and TINs associated with each account that initiated or received a CBETF.

The information that would be reported is largely information that banks and money transmitters already collect, even though they currently are not required to report it as they would be under the proposed rule.

The proposal is aimed at furthering the government’s efforts to combat money laundering, terrorist financing, and other violations of law such as tax evasion and customs fraud. The reports, FinCEN asserts, would greatly facilitate the ability of authorities to investigate and prosecute such activity. The reports would be submitted to FinCEN, but could be accessed by other federal and state authorities. This is already the case with other data currently collected pursuant to the BSA.

However, the affirmative reporting of information on all CBETFs – including account numbers and TINs – would be a significant change.  FinCEN would be given the Social Security number of every individual that uses a U.S. bank to either send or receive funds electronically across U.S. borders, and of many other persons that use money transmitters for such transfers.  This raises possible privacy and data security concerns – due both to the fact of the government having such data and to the need to prevent improper access to or misuse of the data.    

FinCEN has acknowledged the privacy and security concerns raised by the proposal and states that it will maintain sufficient procedures to keep such information safe and secure.   The data, FinCEN observes in the NPRM, “is highly sensitive data containing details about the financial activity of private persons.  Without proper safeguards, this data could be at risk of inadvertent or deliberate disclosure or misuse[.]” 

FinCEN is statutorily prohibited from issuing a final rule until it has established adequate, secure systems to accept the required reports.  For that reason, FinCEN does not expect to issue a final rule before January 1, 2012, because it does not expect to have the information technology systems in place to accept the reports before that time.  Even after a final rule is issued, FinCEN anticipates delaying the mandatory compliance date for some period to allow time for financial institutions to implement procedures to comply with the rule.

ICO Issues First Monetary Penalties for Serious Data Breaches

The UK data protection authority has issued its first monetary penalties for serious data protection breaches. The two cases highlighted in the ICO press release reveal that a county council has been fined £100,000 for faxing highly sensitive information relating to child sexual abuse cases and care proceedings to the wrong recipients, on two separate occasions. The second case involves an employment services company, which has been issued with a fine of £60,000 for the loss of an unencrypted laptop. 

These are the first substantial fines imposed by the ICO following the introduction of the new monetary penalties in April this year, and the cases will attract huge attention as a result. The ICO has the power to award fines of up to £500,000 for serious breaches of the Data Protection Act, but until now no major fines had been levied and it has been difficult to give real examples of the likely amounts for serious breaches.

The ICO has issued guidance on the new monetary penalties regime, which includes further details of the Commissioner's approach to these cases of serious data protection breach. The decision making process followed by the Commissioner is set out in a flowchart within the guidance, as follows:

The Commissioner has to be satisfied that –

a) There has been a serious contravention of section 4(4) of the Data Protection Act by the data controller; and
b) The contravention was of a kind likely to cause substantial damage or substantial distress; and either,
c) The contravention was deliberate; or,
d) The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.

Once satisfied, the Commissioner will consider the level of fine to impose. The cases contained within the new press release may not be at the upper end of the scale, but they are not insignificant and should be noted by data controllers.

European Commission Releases Significant Proposals for Privacy Changes

The European Commission has just released a document setting forth its proposed strategy for revisions to EU data protection rules previewed in this blog recently.

The proposed changes were introduced this way in the Commission's news release:

What happens to your personal data when you board a plane, open a bank account, or share photos online? How is this data used and by whom? How do you permanently delete profile information on social networking websites? Can you transfer your contacts and photos to another service? Controlling your information, having access to your data, being able to modify or delete it – these are essential rights that have to be guaranteed in today's digital world. To address these issues, the European Commission today set out a strategy on how to protect individuals' data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU. This policy review will be used by the Commission with the results of a public consultation to revise the EU’s 1995 Data Protection Directive. The Commission will then propose legislation in 2011.

The Commission then explained:

Today's strategy sets out proposals on how to modernise the EU framework for data protection rules through a series of key goals:

  • Strengthening individuals' rights so that the collection and use of personal data is limited to the minimum necessary. Individuals should also be clearly informed in a transparent way on how, why, by whom, and for how long their data is collected and used. People should be able to give their informed consent to the processing of their personal data, for example when surfing online, and should have the "right to be forgotten" when their data is no longer needed or they want their data to be deleted.

  • Enhancing the Single Market dimension by reducing the administrative burden on companies and ensuring a true level-playing field. Current differences in implementing EU data protection rules and a lack of clarity about which country's rules apply harm the free flow of personal data within the EU and raise costs.

  • Revising data protection rules in the area of police and criminal justice so that individuals' personal data is also protected in these areas. Under the Lisbon Treaty, the EU now has the possibility to lay down comprehensive and coherent rules on data protection for all sectors, including police and criminal justice. Naturally, the specificities and needs of these sectors will be taken into account. Under the review, data retained for law enforcement purposes should also be covered by the new legislative framework. The Commission is also reviewing the 2006 Data Retention Directive, under which companies are required to store communication traffic data for a period of between six months and two years.

  • Ensuring high levels of protection for data transferred outside the EU by improving and streamlining procedures for international data transfers. The EU should strive for the same levels of protection in cooperation with third countries and promote high standards for data protection at a global level.

  • More effective enforcement of the rules, by strengthening and further harmonising the role and powers of Data Protection Authorities. Improved cooperation and coordination is also strongly needed to ensure a more consistent application of data protection rules across the Single Market.

Finally, the Commission described "the way forward" which allows input from affected stakeholders and interested persons:

The Commission's policy review will serve as a basis for further discussion and assessment. The Commission is calling on all stakeholders and the public to comment on the review's proposals until 15 January 2011. Submissions can be made on the Commission’s public consultation web site.

Building on this, the Commission will present proposals for a new general data protection legal framework in 2011, which will then need to be negotiated and adopted by the European Parliament and the Council.

In addition, the Commission will examine other measures, such as encouraging awareness-raising campaigns on data protection rights and possible self-regulation initiatives by industry. 

Big Changes in EU Privacy Law Coming?

Out of Brussels comes the news that the European Commission has circulated a document containing a draft strategy for improvements in data protection, including a long-awaited set of proposals for revamping of the EU Data Protection Directive. The proposals are prompted by the changes in technology and changes in the ways in which people share information since the adoption of the Directive in the 1990’s. It appears that the Commission intends to propose changes in the law and non-legislative steps to bring about the changes that are being discussed.  

According to Bloomberg, "[c]hanges could be made to the document before regulators discuss it on Dec. 4. They will then ask for support from national governments and EU lawmakers before they draw up draft legislation in mid-2011." 

The key components of the new EU strategy appear to include:

  • The establishment of EU-wide registration forms for databases;
  • Specific new rules on privacy notices, including the promulgation of EU “standard form privacy information notices” and special rules with respect to minors;
  • New rules that strengthen and clarify the concept of consent to the collection, use and transfer of data;
  • New rules on data minimization;
  • The creation of a “right to be forgotten” by giving a right to demand deletion of data no longer needed for the purpose for which it was collected;
  • The creation of a right of “data portability,” allowing individuals to take their photos, medical records or a list of friends from an application or service and transfer them into another one;
  • New rules on what constitutes “sensitive data”;
  • New remedies for violations of privacy, including expanded criminal sanctions and empowering data protection authorities with the right to go to court;
  • The establishment of security breach notification rules;
  • Clarification on the legal rules that will attach to data stored in the cloud, regardless of the geographic location of the controller;
  • The possible introduction of an “accountability” principle to ensure compliance with data protection laws;
  • New rules that make the appointment of corporate Data Protection Officers mandatory, along with privacy impact assessments and the employment of privacy by design principles;
  • The encouragement of self-regulatory schemes and privacy seals;
  • Improvements in current procedures for international data transfers, in order to ensure a more uniform and coherent EU approach vis-à-vis third countries and international organizations;
  • Clarification of the Commission’s adequacy procedure and improved specification of the criteria and standards for assessing the level of data protection in third countries;
  • A re-definition of standard data protection clauses to be used in international agreements, contracts, binding corporate rules or other legally binding instruments;
  • Clarifying and strengthening the status and the powers of the national Data Protection Authorities in the new legal framework, including the concept of "complete independence";
  • Exploration of ways to improve the cooperation and coordination between Data Protection Authorities and to ensure better enforcement of EU rules, particularly on issues having a cross-border dimension. This may include strengthening the role of the Article 29 Working Party and providing it with additional powers in order to give a European response to breaches of data protection rules at EU level, or creating a European Data Protection Authority;
  • Enhancing international privacy enforcement in a cooperative fashion.

Any one of the proposed changes would be news, but taken together, they suggest a dramatic set of possible changes with respect to data protection in the EU. 

European Commission Gets Tough Against UK and its Privacy Enforcement

The European Commission has filed a complaint against the United Kingdom in the European Court of Justice (ECJ) alleging a failure by the UK government to implement EU directives on privacy and data protection. The case arises out of the incident involving BT Group's testing of targeted advertising using technology from Phorm without the express consent of consumers. The European Commission started its investigation earlier this year, and was not persuaded by the responses it received from the UK authorities:

The Commission considers that existing UK law governing the confidentiality of electronic communications is in breach of the UK's obligations under the ePrivacy Directive 2002/58/EC and the Data Protection Directive 95/46/EC in three specific areas:

  • There is no independent national authority to supervise the interception of some communications, although the establishment of such an authority is required under the ePrivacy and Data Protection Directives, in particular to hear complaints regarding interception of communications.
  • Current UK law authorises interception of communications not only where the persons concerned have consented to interception but also when the person intercepting the communications has ‘reasonable grounds for believing’ that consent to do so has been given. These UK provisions do not comply with EU rules defining consent as a ‘freely given, specific and informed indication of a person’s wishes’.
  • Current UK law prohibiting and providing sanctions in case of unlawful interception is limited to ‘intentional’ interception only, whereas EU law requires Member States to prohibit and to ensure sanctions against any unlawful interception regardless of whether committed intentionally or not.

In April, then-EU Telecoms Commissioner Viviane Reding drew a line in the sand:  "I call on the UK authorities to change their national laws and ensure that national authorities are duly empowered and have proper sanctions at their disposal to enforce EU legislation on the confidentiality of communications." (Ms. Reding currently is European Commissioner for Justice, Fundamental Rights and Citizenship and presumably was influential in the decision of the Commission to sue the UK.)  The UK government is facing fines in the case just brought by the Commission.

Sale of Personal Data for Direct Marketing -- How Many Tentacles Can an Octopus Have?

This post was provided by Gabriela Kennedy and Heidi Gleeson of Hogan Lovells' Hong Kong office.

The recent large scale sale of personal data by Hong Kong's Octopus Holdings Ltd. for the purposes of direct marketing is currently being investigated by the Hong Kong Privacy Commissioner and has prompted calls for reforms to the data protection regime.

The Octopus case

Octopus Holdings Ltd. operates the Octopus card, which is an electronic stored-value payment card used by Hong Kong residents for public transport, fast-food restaurants, parking, convenience stores and supermarkets. The cards may also be used as a student card or as an access card for residential apartments or office buildings.

In addition to the electronic payment facilities, Octopus Rewards Limited, a company wholly owned by Octopus Holdings Ltd. (referred to collectively as "Octopus"), operates a rewards program linked to the Octopus card, whereby card holders earn reward cash every time they make purchases with their Octopus cards at selected business partners (the "Rewards Program"). While the electronic payment facilities of the Octopus card may be used without registering and providing any personal data, card holders wishing to take advantage of the Rewards Program must first register with Octopus. Card holders are requested to supply a broad range of personal information on the registration form (some of which is required for the application to proceed), including name, identity card or passport number, gender, month and year of birth, contact details, marital status, education level, occupation, income and interests.

Octopus provided the personal information of almost 2 million card holders to six insurance companies for direct-marketing over a four and a half year period, earning the company HK$44 million in revenue.

The application form for the Rewards Program was drafted in such a way as to give Octopus very broad rights to deal with the personal information of card holders. In signing the application form for the Rewards Program, card holders automatically consented to their personal data being disclosed to any third party (at Octopus's discretion) and used for direct marketing purposes. The only way that card holders were able to opt-out from their personal information being sent to third parties was to first sign the form (thereby consenting to the distribution and sale of their data to any third party), and later call Octopus to opt-out, a process which Octopus conceded would take approximately three days. The application form cross-referred to a separate set of terms and conditions relating to data protection/privacy, making it unlikely that the card holder would fully understand the scope of their consent prior to signing the form. Even if card holders understood that by signing the registration form they consented to their personal information being sold to third parties, it is likely that given the inconvenient and time consuming opt-out procedure, they would be reluctant to take the necessary steps to protect their personal information.

Investigation by the Privacy Commissioner

On 21 July 2010, the Privacy Commissioner ordered a formal enquiry into Octopus's practices to ascertain whether the collection and disclosure of card holders' personal data for direct marketing purposes was in contravention of the Personal Data (Privacy) Ordinance (the "Ordinance"). The Commissioner exercised his powers under the Ordinance to hold a hearing to summon witnesses to assist with the investigation.

The Privacy Commissioner is yet to issue the final report on the investigation. However, in response to the mounting public concern regarding the handling of personal data under the Rewards Program, on 30 July 2010 the Privacy Commissioner took the unusual step of issuing an interim report, containing his preliminary findings as well as interim recommendations to Octopus regarding its handling of personal data.

The Privacy Commissioner made 12 recommendations regarding Octopus's handling of personal data, including the following:

  • Card holders should be able to submit their applications for the Rewards Program using only their names and Octopus card numbers.
  • Consent to use personal data for direct marketing purposes should be expressly given and should not be deemed.
  • The parties to whom personal data may be transferred should be clearly identified.
  • Octopus should not disclose personal information other than name and contact information for direct marketing purposes, as any additional information is unnecessary and excessive.

The Privacy Commissioner is yet to issue a final determination on the matter. If Octopus is found to have breached the Ordinance it is likely to be because the scope of the information collected was arguably excessive for the purposes for which it was collected.

Calls for reform

As Octopus sold the personal information of almost 2 million people (almost a third of the population of Hong Kong) to third parties, the case received a fair amount of publicity, generated debate in the media and led to calls for reform of the data protection regime in Hong Kong.

Hong Kong's Personal Data (Privacy) Ordinance is currently under review by the Government. A number of amendments have been proposed, partly in response to the increasing concern of the public relating to protection of personal data. The Government published a consultation document on 28 August 2009, inviting public comment on the proposed amendments to the Ordinance. The consultation period ended on 30 November 2009. The Government is yet to make any further announcements in relation to the reforms, but given the profound impact that the proposed changes may have on various sectors of the community and the recent furore over the Octopus case, it is expected that further changes may be introduced when the bill is made public.


Gabriela Kennedy (Partner) (gabriela.kennedy@hoganlovells.com) and Heidi Gleeson (Foreign Legal Assistant), Hogan Lovells, Hong Kong.

Privacy by Design for Italian Smart Grid

On September 21, 2010 Hogan Lovells privacy partners Marco Berliri and Winston Maxwell briefed the Italian smart metering consortium E-Cube on the practical aspects of privacy by design. The seminar commenced with a presentation of the E-Cube project by Telecom Italia Director of Public Policy, Lorenzo Pupillo. The e-Cube project involves leading Italian industrial companies and universities in Italy, and is funded by the Italian government. A full presentation of the e-Cube project can be found in Dr Pupillo’s paper here.

Seven pillars of privacy by design.

After Dr Pupillo’s introduction, Marco Berliri and Winston Maxwell presented the seven principles of privacy by design, contrasting the preventive, “positive sum game” approach with the confrontational, “zero sum game” approach that is currently the norm when dealing with data protection authorities in some European countries. Marco Berliri gave an overview of the current legislative framework for privacy in Europe, while Winston focused on the June 2010 report of the smart grid task force at the European Commission. The report, submitted by the so-called Expert Group 2 (EG2), fully endorses the privacy by design approach, recommending that European standards organizations working on smart grid standards take privacy requirements into account. The EG2 report urges smart grid stakeholders to be inspired by the security and privacy practices of other industries, particularly telecommunications and banking. The EG2 report also highlights a methodology developed by a consortium of electricity providers in the Netherlands to conduct privacy impact assessments of smart grid systems.

NIST report compared.

Marco and Winston then compared the European approach as outlined by the EG2 report with the August 2010 recommendations of the NIST in the U.S. The NIST’s report on smart grid privacy contains a useful discussion of different concepts of personal data, ranging from the U.S. concept of “personally identifiable information” (PII) to data about behavior inside the home that can be derived using Non-intrusive Appliance Load Monitoring (NALM), which provides a very detailed individual fingerprint of a given household’s behavior. The NIST suggests that the traditional notion of PII in the U.S. may not be adequate to address the risks posed by granular usage data. Marco compared PII with the European concept of personal data. In response to a question from an E-Cube consortium member, Winston and Marco described the process of developing privacy use cases, using the two examples presented in the NIST report, as well as a use case involving the Canadian electricity company Hydro-One. Each use case requires breaking a service into small individual parts. For each part of the service one must ask whether key privacy requirements are being addressed. For example, if a consumer brings home a smart thermostat from the store and plugs it in for the first time, that thermostat will first seek to communicate with the home area network, which will in turn communicate the details of the thermostat to a central server so that the thermostat can be authenticated and registered in the service. In a privacy use case, this seemingly simple process may be broken down into five or more individual parts, and for each part one must ask the questions: Is the communication link encrypted? Is the device transmitting the minimum amount of data necessary? Are organizational measures in place to ensure that the data are accessible only by the right people in the organization? Does the process contemplate a date when the data would be deleted? It is by building these individual use cases that Privacy by Design can be built up, piece by piece. As aptly put by the EG2 report: “Security is a path, not a destination!”

Sharing consumption information.

Finally, Marco and Winston compared Italian legislation, which obligates electric utilities to share consumer usage data, with the similar requirement adopted in December 2009 by the California Public Utilities Commission. Winston mentioned that the U.S. FCC is placing a particular emphasis on innovations at the edges of the smart grid ecosystem, but this policy creates a dilemma for regulators who may not have jurisdiction over the service providers to whom the data are supplied. Winston pointed out that the California PUC is expected to issue more detailed privacy requirements before the end of 2010 and that these requirements are expected to address the issue of transfers of data to third-party service providers.

Cloud computing.

Marco reminded participants of the rules regarding transfer of personal data outside the European Union, pointing out that some data may in fact be transferred outside the European Union if an electricity service provider outsources some of its data processing, or makes use of cloud computing.

A copy of Marco and Winston’s presentation can be found here.

UK's ICO Issues Code of Practice on Online Privacy

This month saw the launch of the ICO's first code of practice on online privacy, following extensive consultation earlier in the year. The code provides good practice advice for organisations providing goods and services using the web and explains how the Data Protection Act applies to the collection and use of personal data online.

The code is divided into the following 7 chapters, and also includes a helpful annex and glossary of terms, for those less familiar with online jargon. You can read on to see our summarised highlights of the code, but we also recommend reading the full guidance document on the ICO website, through the link provided above. It should be of particular interest to businesses engaged in behavioural advertising, online sales and cloud computing.



EU's Article 29 Working Party Provides Substantial Guidance

Quentin Archer, a partner in the London Office of Hogan Lovells, provides this report

The Article 29 Working Party (set up under Article 29 of the European Data Protection Directive) has been very productive over the last month as the summer holidays approach, issuing four opinions, one report and one set of FAQs.  In recent years we have come to expect these spikes in publications at the middle and end of each year, which are perhaps more a product of the Working Party's internal approvals process than any indication of unusual activity. 

Behavioral Advertising

In June, the Working Party issued Opinion 2/2010 (WP171) on online behavioral advertising.  The Working Party notes that both the E-Privacy Directive and the Data Protection Directive are relevant to online behavioral advertising, and goes into some detail on the requirements of the E-Privacy Directive (amended in 2009) that cookies should be employed for this purpose only with the informed consent of users.  It recommends that advertising network providers should limit in time the scope of consents given by users, offer the possibility for consents to be revoked easily and create visible tools to be displayed where monitoring takes place.  In relation to general data protection obligations, it emphasizes the importance of transparency regarding processing of personal data and points out that the responsibility for ensuring transparency will be shared between different service providers in relation to behavioral advertising.  However, the Working Party does not prescribe how legal obligations should be fulfilled from a technological point of view, and instead invites industry to undertake a dialog with it to explore how the legal framework set out in the Opinion can be satisfied.

For a more detailed discussion of the provisions of this opinion, see our analysis here.

Controller-Processor Standard Clauses

On 12th July 2010, the Working Party issued FAQs (WP176) designed to address issues raised by the entry into force of the Commission Decision of 5th February 2010 on the new controller-processor standard clauses.  Several of the FAQs address the situation where personal data is transferred from an EEA-based controller to an EEA-based processor and then to a non-EEA-based sub-processor, which is not specifically contemplated by the new clauses.  As the new clauses cannot be used to effect this, the Working Party suggests different solutions to address the problem.  The remainder of the FAQs answer a variety of questions which might arise where the processor to whom the data are transferred is located outside the EEA, such as whether a data exporter's consent to sub-processing must be specific or can be general, and whether sub-processing agreements can be made in respect of more than one data exporter.

Data Retention

On 13th July, the Article 29 Working Party issued Report 01/2010 (WP172) on its second joint enforcement action, which concerned the implementation of the Data Retention Directive (Directive 2006/24/EC).  The Data Retention Directive derogates from the provisions of the E-Privacy Directive by requiring Member States to ensure that certain categories of communications data are retained for periods of not less than six months and not more than two years.  This is in contrast to the general principle in Article 6 of the E-Privacy Directive, which requires such data to be erased or anonymised when it is no longer needed for the purposes of the transmission of a communication.

The data protection authorities of 25 EEA member states contributed to the joint enforcement action, circulating questionnaires and conducting onsite investigations in certain cases.  It was discovered that there were significant differences between Member States regarding retention of internet services traffic data, with variations in retention periods.  A more uniform picture emerged in relation to the retention of telephone traffic data.  The Working Party established that there was inconsistent implementation at domestic level as a result of differing views over the scope of the Directive, notably whether it was meant to be a derogation from the general obligation to erase traffic data upon conclusion of an electronic communication, or whether instead it affected only data which providers were already allowed to store for subscriber billing and interconnection payments purposes in accordance with Article 6(2) of the E-Privacy Directive.  The Working Party recalled its previous opinions on the Data Retention Directive and (awaiting the decision of the Commission as to whether or not to amend or repeal the Directive) it laid down specific recommendations to ensure increased harmonization, more secure data transmission and standardized handover procedures.

For a more detailed discussion of the provisions of this opinion, see our analysis here.

Accountability

Also on 13th July, the Working Party issued Opinion 3/2010 on the principle of accountability (WP173). The Opinion proposes that a new principle on accountability should be introduced (as part of amendments to the Data Protection Directive) which would require data controllers to put in place appropriate and effective measures to ensure that the principles and obligations set out in the Directive are complied with, and to demonstrate this to supervisory authorities upon request.  It is hoped that this will provide a practical means of ensuring the observance of data protection rules as well as helping data protection authorities in their supervision and enforcement tasks.

FEDMA

The third opinion, also adopted on 13th July, was Opinion 4/2010 on the European Code of Conduct of FEDMA for the Use of Personal Data in Direct Marketing (WP174).  The approval of draft community codes of conduct is anticipated in Article 27(3) of the Data Protection Directive, and indeed the European Code of Conduct of FEDMA (the Federation of European Direct and Interactive Marketing) had been the subject of a previous favorable opinion of the Working Party in June 2003.  The subject matter of the present Opinion was an annex to the Code dealing with the specific problems created by the on-line world, with special reference to provisions designed to protect children.  The annex (which is exhibited to the Opinion) was approved by the Working Party and FEDMA was encouraged to promote it within the direct marketing sector.

RFID

The final July 13th opinion is Opinion 5/2010 on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications.  The opinion comments on an industry framework for RFID privacy impact assessments (PIA).  Although the Working Party agreed with the broad framework of the industry report, it indicated three concerns:  (1) no section of the PIA requires the RFID operator to identify risks associated with the RFID application; (2) the proposed framework fails to encourage the RFID operator to identify risks to individuals related to carrying RFID tags in everyday life; and (3) there is a lack of clarity regarding RFID tag deactivation in the retail sector.  As a result of these concerns, the Working Party stated that it could not endorse the proposed document.

EU Article 29 Working Party Report on ISP and Telecom Carrier Data Retention for Law Enforcement Purposes

Winston Maxwell, a partner in Hogan Lovells’ Paris Office prepared this entry.

On July 13, 2010 the EU’s Article 29 Data Protection Working Party adopted a report (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_en.pdf) describing how ISPs and telecom carriers retain traffic data for law enforcement purposes in Europe. The European Data Retention Directive 2006/24/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML) was supposed to harmonize national laws on data retention. But according to the working party’s report, harmonization is seriously flawed in a number of respects.


The report confirms what we have heard from a number of our communications clients: each Member State has slightly different rules for retaining traffic data for law enforcement purposes, particularly when it comes to IP-based communications. The durations for retaining the data differ from country to country, and the kinds of data to be retained are in many cases different. For a pan-European communications provider, this creates a real headache, because specific procedures and systems have to be created for each Member State where the communications provider does business.


Vice-President of the European Commission Announces Talks with US on an Umbrella Data Protection Agreement for National Security Purposes

In a speech at the Atlantic Council in Washington, DC on 9 July, Viviane Reding, Vice-President of the European Commission responsible for Justice, Fundamental Rights and Citizenship, announced that she has begun exploratory talks with the United States for a comprehensive EU-US agreement on personal data protection standards to apply whenever personal data needs to be transferred across the Atlantic for the purposes of police and judicial cooperation in criminal matters.  Vice-President Reding said:  "The aim is clear: to provide legal certainty to data transfers by ensuring that all these transfers are subject to high standards of data protection on both sides of the Atlantic."

Also appearing at the Atlantic Council with Vice-President Reding was Department of Homeland Security Secretary Janet Napolitano who, according to the Atlantic Council web site,

noted that the United States has a long tradition of insisting on personal privacy — and is in some ways, such as a cultural antipathy to national identification cards and showing passports at hotel check-ins and the like, even more privacy conscious than Europe — the fact of the matter is that protection of personal data does not rise to the level of fundamental right in our society.

That difference in approach in the US from the EU, with its Charter of Fundamental Rights which very specifically guarantees a right to personal data protection, suggests that the road to a bilateral treaty will be long.

Likewise, the path to the EU recognizing the US as a country with "adequate protections" allowing the cross-border flow of personal data without the encumbrances of model contract clauses, the EU-US Safe Harbor or Binding Corporate Rules seems distant.  Still, at a dinner this author had with Vice-President Reding and her delegation following her Atlantic Council speech (and her deposit of the new EU "Bill of Rights" at the National Archives), I was able to preview some of the themes of my upcoming presentation at the PLI Privacy Law Institute in Chicago on Monday, 19 July entitled "Is the Tide Turning? The Impact of the HITECH Act & Other Federal Regulation."  I conveyed to Ms. Reding that the time has come for the EU to reappraise the US level of protection given the FTC's "common law of consent decrees" through which specific rules on data protection have arisen, given the forty-six state data security breach notification laws which have prompted heightened attention to the protection of personal data, and given the application and enforcement of the many other sectoral and geographic privacy laws.


German Privacy Watchdogs Require More Scrutiny When Transferring Data to the United States Under the Safe Harbor

Florian Unseld in the Hogan Lovells Munich office prepared this entry.  Florian specializes in data protection, information technology and intellectual property law. His work focuses on advising on all aspects of national and international data protection law including major cross-border projects. Florian also advises on the drafting and negotiating of contracts, software licensing and the legal form and realization of IT projects.

Introduction

The German authority, the Düsseldorfer Kreis, has issued an opinion that requires additional steps for German entities using the EU-US Safe Harbor for the transfer of personal data from Germany to the United States. 

This is a somewhat startling development as it previously was assumed that registration under the Safe Harbor by a US recipient of personal data from the EU was, by itself, adequate for the transfers to proceed.  Now, in Germany at least, greater diligence is required by the exporter of the data to the US to confirm that the Safe Harbor principles are followed by the recipient in the US.

The Düsseldorfer Kreis is a working group of representatives from Germany's sixteen state data protection authorities that provides a uniform "German" approach to data protection questions.  It issued a Decision (dated 28/29 April 2010) ("Decision") on the transfer of personal data from German companies to U.S. companies which are certified under the U.S.-EU Safe Harbor framework ("Safe Harbor"). The Decision responded to criticism of the Safe Harbor, in particular that (some) US companies represent that they are formally registered but do not adequately live up to the commitments the registration connotes. 

The representation by a U.S. entity that it is Safe Harbor certified now is not enough according to the Düsseldorfer Kreis because, in its view, European and U.S. regulators currently do not ensure that the U.S. companies comply with the self-certification.

The Federal Trade Commission in the United States is charged with enforcement of the Safe Harbor, to ensure that entities claiming registration are in fact registered and compliant.  See our previous report on FTC enforcement activity.  It appears that the FTC's enforcement power and its record of enforcement were inadequate in the eyes of the German officials.

What more is needed when the Safe Harbor is used for Germany-US personal data transfers?

German companies now are obliged to assess certain minimum criteria prior to transferring personal data to Safe Harbor-registered US companies:

(1) German companies exporting personal data must confirm that the US entity actually is registered on the Safe Harbor, and is not just claiming that it is registered.

(2) There must be confirmation that the US recipient is fulfilling its Safe Harbor obligations of notice to individuals whose data is collected; specification of the purpose for which the data is collected and used; disclosure of whatever third parties subsequently receive the data once it is transferred to the US; provision of a mechanism for data subjects to limit the use and disclosure of data; and a complaint process for data subjects.

(3) The German company must also document its assessment and provide its documentation to the competent data protection authority upon request.

(4) In case any infringement of the Safe Harbor Principles or the expiration of a registration is detected, the data protection authorities should be informed.

Perspective

European regulators take data protection seriously and are taking steps to bolster enforcement. German companies transferring personal data to the US now have to be careful which Safe Harbor certified company to choose -- or whether even to switch to other approved safeguards (e.g., Standard Contractual Clauses), an alternative solution proposed by the Düsseldorfer Kreis.  It remains to be seen whether this additional level of Safe Harbor diligence will be required by other European regulators.


EU Article 29 Working Party Decrees Strict Opt-In Standards for Behavioral Advertising Data Collection

On June 22, the Article 29 Working Party established by the 1995 European Directive on Data Protection published an opinion declaring that online advertisers who want to target ads by tracking consumers' surfing habits must obtain the consumers' affirmative opt-in consent to such data collection. At the same time, the Working Party lauded certain privacy-enhancing practices incorporated into behavioral advertising today and it encouraged industry to develop technologies to comply with the framework and “to exchange views” with the Working Party on the use of such technologies.

Behavioral Advertising is Regulated in the EU by Two Primary Sources

The Working Party explained that the behavioral advertising ecosystem is regulated in the EU by two primary sources. The first is Article 5(3) of EU Directive 2002/58 (the ePrivacy Directive), which requires organizations wishing to store or access information on an individual’s computer to obtain the consent of the individual before doing so. The ePrivacy Directive is to be implemented in the national laws of EU member states by June 2011.

The Opinion explained that since behavioral advertising relies on the placement of cookies (small data files) on individuals’ computers to aid in the tracking of their web browsing habits, the ePrivacy Directive applies. In addition, the Opinion went on to specify that if the behavioral advertising involves the collection of any personally identifiable information (PII), including an individual’s IP address (which is recognized as PII in the EU), then the EU Directive 95/46/EC (the Data Protection Directive) also applies.

Opt-In Consent Requirement and Opt-Out Deficiencies Explained

The major theme of the opinion is that under the ePrivacy Directive, meaningful, informed consent must be obtained from an individual before any information is collected and used for behavioral advertising purposes. The opinion went a long way in discussing what the Working Party considers to be meaningful consent in the behavioral advertising context.

Currently, consumers can "opt out" of behavior tracking through control panels offered by certain online advertising services or by relying on default web browser settings through which Internet users automatically accept all cookies that websites request to place on their computers. Users are therefore automatically “enrolled” in behavioral advertising, and can only stop the practice (if they know it is occurring) by blocking or deleting cookies.

The Working Party rejected this “opt-out” approach, concluding that it does not sufficiently allow individuals the ability to exercise choice on whether to share their information with behavioral advertisers. Instead, it stated that notice to individuals should explicitly reference the ad network that will place the cookie and describe how the information will be used once it is collected. Then, the individual should be given the opportunity to “opt in” to the sharing of their information for behavioral advertising purposes. 

Once a user opts in, separate consent would not need to be obtained every time the user visited a website participating in the ad network, but separate consent would need to be periodically obtained (the opinion did not specify a time period) and the user would need to be afforded the opportunity to easily revoke consent.

Room for Innovation

While the Working Party charted a path for behavioral advertisers to follow in the EU, it also left room for behavioral advertisers to deviate from that path, so long as they utilize methods to ensure that users understand and sufficiently consent to behavioral tracking. Specifically, the Working Party cited the Future of Privacy Forum’s efforts in developing icons to place on targeted ads with links to additional information, and called these efforts an example “which the Working Party finds both positive and necessary.” It also recognized tools that enable users to access the preference profiles maintained about them by ad networks, and to modify them and erase them if desired. A final area that the Working Party cited for improvement was the provision of privacy-protective default settings for web browsers, a development it called “paramount.”

Other Obligations

The Working Party drew on other legal sources, most prominently the Data Protection Directive, to list some other obligations for those engaging in behavioral advertising. Specifically, it stated that:


Second Revision of People's Republic of China Consumer Rights and Benefits Protection Law Includes Data Privacy Rules

This post was provided by Julia Peng of Hogan Lovells' Beijing office.

On 19 October 2010, the People’s Republic of China (“PRC”) State Administration of Industry and Commerce ("SAIC") issued the Second Revision of the PRC Consumer Protection Law (Draft for Comments) (the "Draft Consumer Law"). A significant addition to the Draft Consumer Law is a provision for the protection of consumers’ personal data.

According to Article 14 of the Draft Consumer Law, consumers enjoy the right to have their personal data protected when purchasing and using goods and services. The same article also clarifies the scope of the personal data which is protected. It includes a consumer's name, gender, age, profession, contact details, health condition, family, properties, purchase records and other information closely related to the consumer or their families.


Reform of Hong Kong's Personal Data Privacy Legislation: Public Consultation Period Ends

This post was provided by Gabriela Kennedy and Olivia Lennox-King Stewart of Hogan Lovells’ Hong Kong office.

The Constitutional and Mainland Affairs Bureau (the "CMAB") published a Consultation Document on the Review of the Personal Data (Privacy) Ordinance (the "Consultation Document") on 28 August 2009, inviting comments on the proposed amendments. The consultation period closed on 30 November 2009.

Prior to the Consultation Document being released, the Privacy Commissioner for Personal Data presented to CMAB and the Government the results of his own review of the Personal Data (Privacy) Ordinance (the "Ordinance"). The Consultation Document included some but by no means all of the issues captured in the Commissioner’s review.

In November 2009, the Commissioner released his submissions on the Consultation Document, responding to the proposals CMAB had formulated. The Commissioner states in his submissions that they were intended to "let the public know more about the issues before making their submissions", and noted that the Government's proposals were "more moderate and conservative than those made by the Commissioner".


European Article 29 Working Party calls on Google, Microsoft and Yahoo! to improve users' online privacy protection

by Lionel de Souza

On May 26th, the European working party on data protection established by article 29 of the 1995 European Directive on Data Protection (the "Working Party") sent letters to the three main search engine providers, Google, Microsoft and Yahoo!, to express its concern about how the search engine providers protect the online privacy of their users.

These letters follow a number of exchanges that have taken place over the past two years between the Working Party and the companies.  The process started with the Working Party's March 2008 opinion on search engines, which was later followed by a questionnaire to search engine providers and a hearing in February 2009.

In response to the Working Party's opinion, Google, Microsoft and Yahoo! all publicly announced amendments to their respective policies regarding the term of retention and anonymization of user data.  While these modifications generally have been welcomed as improvements of search engine practices, the Working Party still considers them insufficient.  Overall, the Working Party points to:

(1) the insufficient level of anonymization of data implemented by search engines or the lack of complete information to appreciate the appropriateness of such measures; and

(2) the excessive term of retention of user data (especially in consideration of possible cross-referencing).

Based on these elements, the Working Party states that it "cannot conclude that [these companies comply] with the European Data Protection Directive" and "urges" them "to review their anonymization claims and make the process verifiable."

To do so, the Working Party recommends that all three search engine providers implement and submit to an auditing process which would be conducted by external and independent third parties. It is interesting to note that such an auditing procedure does not rely on any specific legal ground imposed by the European data protection legislation and that the search engines are therefore under no obligation to implement such a procedure. If they did agree to an audit, however, a number of questions would arise, such as the adequate frequency at which audits should be conducted or the publicity of the results of the audits.

Finally, the Working Party, taking into account the "strong international component of this debate", sent copies of the three letters to the FTC (as well as to the European Commission Vice-President in charge of Justice, Fundamental Rights and Citizenship, Viviane Reding) to share its concerns and to request an inquiry into whether these practices comply with Section 5 of the Federal Trade Commission Act, which prohibits "unfair or deceptive acts or practices in the marketplace".

In a context of increased attention to privacy issues among the European public, the reactions of the search engines and the FTC to the issues raised will be closely scrutinized.

The Working Party's letters can be found here.

European Commission's Digital Agenda for Europe: Privacy is Key and Review of Privacy Legislation Slated

Special thanks to Lionel de Souza in the Hogan Lovells Paris Office for this entry. Lionel specializes in issues relating to privacy and data protection, e-commerce, the liability of technical intermediaries, IT contracts, outsourcing, online compliance, the intellectual property aspects of information technology and the Internet, and encryption. He has a master's degree in digital law and new technologies from the University of Paris and an LL.M. from the University of Edinburgh.

The European Commission published its "Digital Agenda for Europe" on 19 May 2010. The document presents a number of future measures designed to "maximize the social and economic potential" of information and communication technologies ("ICT"). Unsurprisingly, privacy is an important focus.

As a starting point, the Commission sets out seven areas which it regards as problematic and in need of revision to foster economic growth based on ICT.

These seven issues are (1) the existence of fragmented digital markets within the European Union; (2) the lack of interoperability on European markets; (3) the rise of cybercrime and the risk of low trust in networks; (4) the lack of investment in networks; (5) insufficient research and innovation efforts; (6) the lack of digital literacy and skills; and (7) the missed opportunities in addressing societal challenges (e.g. environmental concerns).

To make improvements in these areas, the Commission emphasizes that privacy and data protection will play an essential role. Throughout the document, the Commission underlines the need to increase trust in ICT and internet services, and stresses that such trust necessarily includes confidence in the protection of privacy and personal data.

The Commission set as one of its key actions to "review the European data protection regulatory framework with a view to enhancing individuals' confidence and strengthening their rights by the end of 2010". It has also set out its intention to promote and progressively impose on goods and services providers the concept and notion of "Privacy by Design", to include, in its review of the data protection framework, the possible "extension of the obligation to notify data security breaches", and to give guidance, by 2011, "for the implementation of a new telecoms framework with regards to the protection of individuals' privacy and personal data".

The document is ambitious and has the potential to have an important impact on operators and to allow for the development of business using ICT in the coming few years.

The European Commission's Digital Agenda for Europe can be found here.

Geneva Meeting of Hogan Lovells Privacy Lawyers Demonstrates Global Reach; Webinar on 20 May to Focus on Trans-Atlantic Challenges Facing Multinationals

While the Hogan Lovells Chronicle of Data Protection is designed primarily for news and analysis of developments in the field of privacy and data protection, we want to take the opportunity of the recent combination of Hogan & Hartson with Lovells to inform our readers of the global breadth and depth of our practice. While each of the legacy firms was celebrated for its privacy and information management practices, the coming together of the lawyers from the two firms has created a practice group that is unparalleled in the world. Hogan Lovells helps clients address privacy and data protection globally and in regard to specific national laws in countries around the world, through our 40 offices in the Americas, Europe, the Middle East and across Asia.

In the coming weeks, we will detail the privacy practices resident in various offices around the world.

Last week, selected partners from the global privacy and information management practice met in Geneva, Switzerland to discuss practice coordination and cooperation, and to focus on how we together can better serve our clients as a unified group. (Regrettably, some of the partners scheduled to participate were grounded due to the Icelandic ash cloud, including, notably, practice co-leader Marcy Wilder.) Joining the discussion and pictured above are (from left to right) Winston Maxwell (Paris), Quentin Archer (London), Steffan Schuppert (Munich), Gonzalo Gallego (Madrid), David Taylor (Paris), Marco Berliri (Rome), Wim Nauwelaerts (Brussels) and practice co-leader Christopher Wolf (Washington).

  

To provide an illustration of our global capabilities, tomorrow (20 May 2010) the firm will host a webinar entitled “Hogan Lovells Trans-Atlantic Discussion on the Privacy Challenges Facing Multi-National Corporations”. This will be the first webinar by the Privacy and Information Management Group at Hogan Lovells, featuring privacy lawyers on both sides of the Atlantic from the former Hogan & Hartson and Lovells. Quentin Archer (London), Steffan Schuppert (Munich), Wim Nauwelaerts (Brussels), Lynda Marshall (Washington), Marcy Wilder (Washington) and Christopher Wolf (Washington) will explore contemporary privacy law challenges facing companies doing business in multiple jurisdictions around the world, such as:

  • Cross-Border Transfers of Data Internationally
  • Managing Employees in Multiple Jurisdictions
  • Online Marketing Issues Around the World
  • Data Security and Data Breach Requirements
  • The Obligations Concerning Health Data Around the World
  • National Trends with International Ramifications

The panelists will explain how a coordinated international approach to privacy compliance is cost-effective and is an optimal way to limit risk and protect privacy.

Readers of the Hogan Lovells Chronicle of Data Protection are cordially invited to attend our webinar. Please register by clicking here.

Irish Court: IP addresses not personal data

In an April 16, 2010 judgment, the High Court of Ireland decided that a settlement agreement entered into between Ireland's largest ISP, Eircom, and EMI, Sony Music, Universal Music, and Warner Music did not violate Ireland's data protection law. The settlement agreement was signed after the record labels sued Eircom in connection with Eircom's failure to take action to discourage peer-to-peer copyright infringements on its network. In the settlement, Eircom agreed to implement a graduated response mechanism with its customers, pursuant to which Eircom would send warnings to customers who had been detected as participating in unauthorized file sharing. If a customer ignored Eircom's warnings, Eircom would cut off that subscriber's Internet access. This sanction would be applied on a purely contractual basis, based on the subscriber's violation of Eircom's terms of use. The subscribers' identities would never be shared with the record companies or with the police. The detection of illegal file sharing would be conducted by a third-party service provider, DetectNet, which would collect IP addresses and communicate them to Eircom.

The Irish data protection authority believed that the settlement would violate Irish data protection laws.  The court was asked to answer three questions:

(1) whether the IP addresses collected by DetectNet are personal data before they are transferred to Eircom;

(2) whether Eircom's processing of personal data for implementation of the graduated response mechanism is legitimate; and

(3) whether the personal data processed by Eircom are "sensitive" because they relate to a criminal offense.

For the first question, the court held that the IP addresses in the hands of DetectNet are not personal data because it is not "likely" that DetectNet would have the means or motivation to find out the names or addresses of the persons corresponding to the IP addresses.  The court said that the word "likely" as used in the Irish law means "probably."  

For the second question, the court found that the processing is justified because of the subscriber's consent to Eircom's terms of use, and also because the processing is necessary for the performance of a contract and for compliance with a legal obligation.  

For the third question, the court held that the graduated response mechanism deals solely with civil infringement, and not with alleged criminal infringement.  Alleged criminal infringement involves an intentional element that is absent from the mechanism implemented by Eircom.

On the IP address issue, I invite readers to look back at the Article 29 Working Party's opinion on the concept of personal data, particularly page 15.

Regarding "graduated response" in general, I invite readers to review a previous update on the French Constitutional Court decision, and Gerry Oberst's blog entry on Internet Freedom and Data Privacy.

The Irish decision is creating controversy, particularly as European Member States are debating net neutrality and the proposed ACTA treaty.

Article 29 Working Party Provides Guidance On Data Controller/Processor Concepts

Who is in “control” of personal data and who merely processes personal data on behalf of a data “controller”? These are essential questions for purposes of compliance with EU data protection requirements, yet answering them can be quite problematic in practice. The EU Data Protection Directive defines the controller as the person or entity that determines, alone or jointly with others, the purposes and the means of the processing of personal data. The processor, on the other hand, is the person or entity that processes personal data on behalf of the controller. Applying these concepts to a practical case may have been straightforward in the early days of the Directive, but in today’s Web 3.0, RFID and cloud computing environments many are perceiving the controller and processor distinction as archaic and, most importantly, unworkable in practice. At the same time, under the current legal regime the distinction is crucial in order to determine who is responsible for compliance with EU data protection rules, what Member State laws apply, and which data protection authorities are competent to supervise data processing operations.  

Last November in Madrid, when the 31st International Conference of Data Protection and Privacy Commissioners adopted the “International Standards on the Protection of Personal Data and Privacy”, there was a glimmer of hope that the controller and processor concepts would not survive the upcoming review of the EU data protection framework. The Standards use the more pragmatic concepts of “responsible person” (instead of “controller”) and “processing service provider” (as opposed to “processor”).

However, on 16 February 2010, the Article 29 Working Party (WP) adopted an opinion (Opinion 1/2010) on the concepts of “controller” and “processor”, in which it takes the position that there is no reason to assume that the current distinction between controllers and processors would no longer be relevant and workable. The Article 29 WP acknowledges that applying these concepts to concrete situations can be complex, which is why it is providing specific guidance in its opinion to ensure a consistent and harmonized approach throughout the EU.

The Article 29 WP’s opinion includes a comprehensive analysis of the controller and processor concepts as well as practical examples and rules of thumb on how to approach the concepts pragmatically. Without going into any level of detail, here are just a few of the Article 29 WP’s pearls of wisdom that can be found in the Opinion:

  • In many cases the responsibility of data controller can be attributed on the basis of an assessment of the factual circumstances. Contractual terms can often clarify the issue, although they are not decisive under all circumstances. Even if a contract is silent on who is the controller, it can still contain sufficient elements to assign the responsibility of controller to the party that apparently exercises a dominant role in that regard.
  • The data controller must determine the purposes and the means, i.e., the “why” and the “how” of certain processing activities. The crucial question, however, is to which level of detail somebody should determine purposes and means in order to be considered as a data controller. According to the Article 29 WP, whoever decides on the “purposes” of a data processing operation should be the controller. The data controller can delegate the determination of the “means” of the data processing, as far as technical or organizational measures are concerned. Substantial decisions that may affect the lawfulness of the data processing (e.g., how long will the data be stored) are reserved to the data controller.
  • In some cases, there may be several persons or entities that determine the purposes and means of a particular data processing operation and that therefore qualify as “joint controllers”. Although contractual arrangements can be useful in assessing joint control, they should always be checked against the factual circumstances of the parties’ relationship. Parties acting jointly also have a certain degree of flexibility in sharing and allocating data protection obligations and responsibilities, as long as they are compliant.
  • A data processor is a separate legal person or entity with respect to the data controller and processes personal data on the data controller’s behalf. The data processor is called on to implement the data controller’s instructions, at least with regard to the purposes and the essential means of the processing. The lawfulness of the processor’s data processing therefore depends on the specific mandate given by the controller. A data processor exceeding that mandate could be viewed as assuming the responsibilities of a (joint) controller.

The Article 29 WP’s opinion provides useful explanations and guidance in general, and its analytical approach is helpful. It is perhaps regrettable that the many examples in the opinion do not always include in-depth discussions of the specific issues raised (for instance, data processing by recruitment agencies or in the context of clinical trials).

Internet Freedom and Data Privacy

On 22 February, the European Data Protection Supervisor (EDPS) released an unsolicited opinion on EU negotiations of an Anti-Counterfeiting Trade Agreement (ACTA). The EDPS expresses some strong opinions on the use of the “three strikes law” and other measures to control copyright violations by Internet users that might be in the ACTA. The EDPS is not subtle – he declares that “[s]uch practices are highly invasive in the individuals’ private sphere. They entail the generalised monitoring of Internet users’ activities, including perfectly lawful ones.” The opinion describes how a “three strikes” or similar approach might be set up, as well as the applicable EU data protection and privacy legal framework (in paragraphs 23 to 26). It then issues harsh conclusions (paragraphs 81 to what should be 88 but is mis-numbered as 80). The EDPS “strongly encourages” the Commission to set up a public and transparent dialogue on ACTA (which so far has been secret). He insists that the Commission strike a correct balance between “demands for the protection of intellectual property rights and the right to privacy and data protection,” which should be taken into account at the beginning of the negotiations. In his view:

85. …three strikes Internet disconnection policies are not necessary to achieve the purpose of enforcing intellectual property rights. The EDPS is convinced that alternative, less intrusive solutions exist or, at least, that the envisaged policies can be performed in a less intrusive manner or at a more limited scope, notably through the form of targeted ad hoc monitoring.

In the last paragraph of the conclusion, the EDPS insists on being consulted on the measures to be implemented. EDPS opinions have no legally binding status, but they can be influential indicators of how data privacy laws might be interpreted.

New French Case Removes Automatic Privacy Shield From Employee E-Mails, Making Them More Amenable to US Discovery

This blog entry is provided by Hogan & Hartson litigators Trevor Jefferies in our Houston Office and Alvin F. Lindsay in our Miami Office:

A new decision released on 8 January 2010 from the French high labor court (the Cour de Cassation Chambre Sociale) may provide some grounds for arguing that a party in France can review a French employee’s e-mails and electronically stored information to determine whether the data is relevant to a U.S. litigation, without the employee’s knowledge or presence.  This is a significant development in the perennial tension between EU privacy law and U.S. discovery principles.

European Union policies protecting personal privacy almost always conflict with United States policies that grant litigants full and complete discovery of documents and electronically stored information in U.S. court actions.  The conflict is particularly acute in France, where a French corporation participating in U.S. litigation may easily run afoul of the French Blocking Statute (Law No. 68-678, as amended), data processing laws (e.g. Law No. 78-17, as amended), and the EU Directive 95/46 on Personal Data (“Directive”), among others.

Indeed, after years of goading by U.S. courts, French authorities even prosecuted someone, a French lawyer, under the blocking statute. His crime was attempting to comply with a U.S. court order compelling production of documents. See In re Christopher X, Cour de Cassation, Chambre Criminelle, Paris, December 12, 2007, No. 07-83228 (French Supreme Court upholding conviction and €10,000 fine against French lawyer attempting to facilitate collection of evidence for use as ordered in a U.S. judicial proceeding). Examples of U.S. goading include In re Vivendi Universal S.A. Secs. Litig., No. 02 Civ. 5571, 2006 WL 3378115 at *3 (S.D.N.Y. 2006) (French blocking statute did not subject parties to a “realistic risk of prosecution”) and Minpeco S.A. v. Conticommodity Servs., Inc., 116 F.R.D. 517 at 528 (S.D.N.Y. 1987) (“this is not a situation in which the party resisting discovery has relied on a sham law such as a blocking statute to refuse disclosure").

With French and EU law acting to prevent a litigant engaged in the U.S. discovery process even from collecting a relevant employee's e-mails for litigation purposes, let alone viewing the e-mails to see if they contain relevant information, French parties seem to be at a distinct disadvantage in a U.S. forum. Failing to produce relevant documents is a direct path to an uncomfortable hearing before the U.S. judge and possibly to severe sanctions, such as a default judgment being entered against those parties for not complying with discovery orders.

Thus, Bruno B. vs. Giraud et Migot, Cour de Cassation, Chambre Sociale, Paris, 15 Dec. 2009, No. 07-44264 is a significant development.  In that case, an accounting firm fired Bruno after the firm discovered files on his work computer addressed to government regulators wherein Bruno disparaged the firm for alleged tax and related fraud as well as working conditions.

The documents had subject lines such as “Essay 1”, “Essay 2”, and so on, and the firm discovered them without Bruno’s permission or presence. Bruno sued the firm seeking damages for unjustified dismissal, arguing that the firm violated his rights under EU privacy (human rights) conventions, as well as several provisions of the French labor code, and claiming the documents were his personal data. On appeal, the Cour de Cassation Chambre Sociale held for the accounting firm, finding that because Bruno failed to mark the documents as “private,” the firm justifiably assumed that the documents were work-related and could open them.

The Bruno B. case clearly refines the general rule set forth in an earlier case from the same court, Nikon France vs. Onof, Cass. Soc., No. 4164 (Oct. 2, 2001), where the French high labor court established that employees have a right to privacy in the workplace and held that an employer cannot search an employee’s files stored on a work computer without breaching the employee’s right to privacy. The Nikon case’s broad ruling has been the subject of private criticism, especially from business interests in France, but now, after Bruno B., there is arguably no right to privacy in an employee’s computer-stored data unless the employee takes affirmative steps to designate the information as personal. Simply labeling the documents as “personal” or “private” may have been enough to compel the Bruno B. court to rule in the employee’s favor, but the holding is still a far cry from the absolute presumption that any data bearing an employee’s name is private.

European Commission Updates Model Clauses for International Data Transfers

International transfers of personal data are heavily restricted under EU data protection rules. As a general rule, transfers from an EU/EEA Member State to recipients in countries outside the EU/EEA are only permitted if the laws of the recipient country ensure an adequate level of data protection. There are only limited exceptions to this rule. For instance, organizations may transfer personal data to countries outside the EU/EEA that do not ensure an adequate level of data protection if they have entered into a data transfer agreement using one of the sets of EU-approved standard contractual clauses. Up to now, the European Commission has approved three sets of contractual clauses: two of these sets apply to transfers from data controllers to other data controllers, while the third set has been drafted for transfers from data controllers to recipients who act as data processors only. In EU privacy parlance, organizations that hold or process personal data without taking responsibility for or control over the data (e.g., payroll service providers) are viewed as “processors”.

On February 5th, the European Commission decided to modify the standard contractual clauses for “controller to processor” transfers of personal data, repealing the original decision (Decision 2002/87/EU) that introduced these clauses back in 2002. The European Commission considered it necessary to adjust the existing standard contractual clauses to meet the growing challenges of global outsourcing. As more and more organizations are transferring personal data not only to a “processor” but also to one or more “sub-processors” (and sometimes “sub-sub-processors”) outside the EU/EEA, the original standard contractual clauses were no longer suitable to deal with these complex onward transfers.

So what’s new about the updated set of standard contractual clauses?  The most important novelty is the inclusion of a specific subcontracting clause, which imposes a number of requirements on parties wishing to use sub-processors. Sub-processing will, for example, require the prior written consent of the data controller, while the data processor must put in place a written agreement with each sub-processor that mirrors the terms of the “controller to processor” agreement. In some cases it may be possible to meet this requirement by having the sub-processor co-sign the data transfer agreement between the controller and processor including the standard contractual clauses.      


New UK government website for public access to official data

The UK government has announced plans to launch a new website, www.data.gov.uk, which will allow public access to official data, and has called on web founder Sir Tim Berners-Lee to assist. The website aims to improve transparency and will be similar to the US site 'data.gov', which already includes information from the US defense department and NASA.

The plan, initiated by PM Gordon Brown last year, is to develop a website for the public to find information and to make reports to public service providers, including traffic and crime statistics.  In addition, various applications will be available to enable users to discover details of planning applications (in PlanningAlerts), or report potholes (in FillThatHole).

So far, the site has been in test mode, for developers to try out its features and provide feedback, but once 'live', it is hoped that public users will benefit from having the information and services in one place and will see it as an alternative to requesting disclosure under the Freedom of Information Act, as BBC News reports - http://news.bbc.co.uk/1/hi/technology/8470797.stm

Media & Communications Briefing Highlights Privacy Issues

The fifth edition of Hogan & Hartson’s Media & Communications Briefing, whose editor-in-chief is Hogan Partner Winston Maxwell, has arrived! (Winston also is a member of the privacy and data security practice group.) This quarterly briefing updates our clients on legal and regulatory developments from around the world in the Telecommunications, Media and Entertainment and High Technology sectors. This edition features stories (bolded below) of particular privacy interest.

The briefing includes articles on the following topics:

  • New Commission, New Framework
  • The Digital Dividend Auction in Germany
  • Bloggers Beware: The FTC is Watching
  • EU Reform Brings New Cookie Rules
  • U.S. Universal Service Reform: Is 2010 the Year?
  • Online Music Retailing: Towards Borderless Business
  • French Government Releases Decree on Motion Picture Tax Credit
  • Smart Grids
  • Interview: French Copyright Law
  • Digital Switchover
  • Middle East International Film Festival and the Circle Conference

For a copy of the briefing, click here

European DP authorities issue "Future of Privacy" roadmap

The Article 29 working party of European data protection authorities (the “WP29”) published in early January a roadmap charting the future of privacy legislation in the EU. Entitled “The Future of Privacy – Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data,” the WP29 roadmap contains insight into areas of likely reform of European privacy law in the coming years. After an introduction describing the history and constitutional underpinnings of privacy legislation in the EU, the Future of Privacy roadmap outlines nine areas of needed reform:

1. Extend EU privacy legislation to law enforcement, former “third pillar” areas, which were heretofore excluded from the EU Data Protection Directive.

2. Consider modifying the criteria for determining when EU privacy law applies to controllers located outside the EU, particularly where non-EU established controllers target their activities at EU residents, through advertising and local language sites.  WP29 says it is currently preparing a detailed opinion on the applicability of EU law.

3. Support global standards, in furtherance of the so-called Madrid Resolution adopted on November 6, 2009, and increase international cooperation between data protection authorities.

4. Include “Privacy by Design” as an obligation applicable to all actors in the ICT (information and communications technology) sector.  Privacy by design should focus on principles such as data minimization, controllability, transparency, user friendly systems, data confidentiality, data quality and use limitations.

5. Empower citizens by increasing their ability to enforce privacy rules, including via class actions and alternative dispute resolution (ADR) mechanisms. Increase transparency obligations for the benefit of users and clarify the concept of user “consent.”

6. Increase accountability obligations for data controllers by imposing across-the-board data breach notification obligations (currently data breach obligations apply only in the electronic communications sector), and by encouraging self-audits, privacy impact assessments, and external certification procedures.  

7. In exchange for increased self-enforcement and accountability measures, WP29 suggests lifting many administrative filing obligations with data protection authorities, reserving filing only for cases where there is a serious risk to privacy.  Even in those cases, filing could be streamlined where organizations have conducted privacy audits or privacy impact assessments.

8. Impose minimum requirements to ensure that national data protection authorities are sufficiently independent and effective, including that they have sufficient funding.

9. Require the implementation of privacy impact assessments and related accountability measures for law enforcement organizations.

Adopted on December 1, 2009, but made available on the WP29 website only recently, the WP29 Future of Privacy roadmap is a contribution to the European Commission’s consultation on reform of EU privacy legislation, a consultation which closed on December 31, 2009. Other contributions can be viewed here.

China's First Criminal Case Regarding the Infringement of the Security of Personal Information

By Jun Wei

On January 3, 2010, the Guangdong Provincial Higher People's Court announced the first enforcement action following the extension of Chinese criminal law to include the protection of personal information. In that action, the Zhuhai Xiangzhou District Court sentenced an individual to one and a half years in prison and imposed a fine on him in the amount of RMB 2,000 (approximately US $295) for the crime of illegally obtaining the personal information of citizens. This is the first known case in China regarding the infringement of personal information security.

The law upon which the action was based, the 7th Amendment to the PRC Criminal Law, was promulgated on February 28, 2009 by the Standing Committee of the National People’s Congress.  It includes provisions imposing criminal penalties for the infringement of personal information security, specifically targeting two types of infringement:  (i) the sale or illegal disclosure of information obtained by personnel in government agencies or financial, telecommunications, transportation, educational or medical institutions in the process of performing their duties; and (ii) the theft or illegal access of personal information by other individuals. 

For both types of conduct the consequences of infringement are severe, including imprisonment for less than three years, detention for less than six months, and/or the imposition of a fine (as a single penalty or concurrently with other penalties).  In the event that an entity is convicted of infringement, a monetary penalty shall be imposed on that entity, and the officer directly responsible and any other persons who may be directly responsible for such illegal acts shall be subject to the same criminal penalties that are applicable to natural persons.

According to news reports, in December 2008 the defendant in this case, Zhou Jianping, a resident of Zhuhai, Guangdong Province, illegally obtained the phone numbers and call history records of 14 government officials and sold these phone numbers and call histories for RMB 16,000 (approximately US $2,353).  The purchaser, in conspiracy with six other people, then used this information to impersonate the government officials and extract RMB 830,000 (approximately US $122,060) from a variety of relatives.

The defendant did not appeal and the judgment took effect December 14, 2009.

EU-US Safe Harbor Developments Described in NYMITY Interview

Hogan Privacy and Data Security Co-Chair Chris Wolf recently gave an interview on recent developments under the EU-US Safe Harbor to Nymity that was published in its free online newsletter.  In the interview, Chris discusses the recent FTC enforcement efforts under the Safe Harbor as well as alternative methods available to parties seeking to transfer data from the EU to the US other than through the Safe Harbor framework.  The interview can be accessed here.

Article 29 Working Party Claims Breach of PNR-Agreements

In a letter to the European Commission dated 4 December 2009, the European data protection authorities gathered in the Article 29 Working Party claim that the US and Australia are violating their respective Passenger Name Record (PNR) agreements with the EU. The letter - a copy of which was recently published on the website of the Dutch data protection authority - urges the European Commission to take immediate action to halt the breach and to resolve the matter with its US and Australian counterparts.

The EU/US PNR Agreement

The EU/US PNR Agreement, which has been in force since 26 July 2007, is already the third agreement between the EU and US establishing a legal framework for transferring EU-sourced PNR data to the US Department of Homeland Security (DHS). On the basis of assurances from DHS that the data will be safeguarded, the EU has agreed to the release by air carriers transporting passengers between the EU and the US of certain PNR data contained in their reservation systems. The 2007 Agreement changed the mode of data transmission from a “pull” system into a “push” system, at least for those air carriers complying with DHS’ technical requirements. However, the Article 29 Working Party has now found that the US authorities continue to “pull” PNR data through terminals based at their offices, even in cases where airlines are compliant with DHS’ technical requirements. According to the Article 29 Working Party, DHS currently has access to all PNR data for all flights by a particular airline, even if the flights have no connection with the US. The Article 29 Working Party further claims that the continued practice of pulling data is a clear breach of the Agreement, constituting “a sound reason to terminate the Agreement”. Under the Agreement, the EU has an exclusive remedy if it finds that the US has committed a breach: the EU can terminate the Agreement and revoke its determination that DHS is ensuring an adequate level of data protection. If the EU applies this remedy, the practical ramifications for air carriers will be significant in terms of EU data protection law compliance.

The EU/Australia PNR Agreement

The EU/Australia PNR Agreement was entered into on 30 June 2008 to provide a legal basis for the processing and transfer of EU-sourced passenger name record data by air carriers to the Australian Customs Service. The Agreement applies to airlines that have reservations systems and/or PNR data processed in the EU and operate flights between the EU and Australia. The Agreement allows for 19 different types of information - including travel itineraries and payment details but excluding sensitive personal data such as race or religion - to be shared with Australian Customs for the purpose of preventing and combating terrorism and other serious crimes.

According to the Article 29 Working Party, the Australian authorities are receiving all passenger PNR data from airlines rather than just the data specified in the Agreement. The Article 29 Working Party claims that Australia is violating the terms of the Agreement by demanding more information (than listed in the Agreement), which suggests that some EU-sourced PNR data are currently being processed by Australian Customs without adequate protection. The Agreement foresees the possibility to initiate a joint review of each party’s implementation of the Agreement, which appears to be the Article 29 Working Party’s preferred course of action to remedy this situation.

To be continued…

French Supreme Court invalidates whistle-blowing code

By Sarah Jacquier and Winston Maxwell

On December 8, 2009, the French Supreme Court found illegal a Code of Business Conduct put in place by the Dassault Group for compliance with Sarbanes-Oxley requirements.

Dassault’s Code of Business Conduct had two aspects: It (i) required employees to obtain an approval from their employer prior to using any information (not just confidential information but all information used for “internal purposes”) that employees could have knowledge of in the course of their employment and (ii) put in place a whistle-blowing policy whereby employees could - but had no obligation to - report any breach of the Code of Business Conduct, in accounting, financing, and anti-corruption matters. However, the policy also contemplated the possibility for employees to report any breach of the Code of Business Conduct in other matters (e.g. intellectual property rights, confidentiality, discrimination, harassment) to the extent the breach threatened Dassault Group’s vital interests or an individual’s physical or psychological integrity.

The Court ruled that requiring employees to obtain the prior approval of their employer before using any and all internal information infringed employees’ freedom of speech, which may be limited only in a proportionate manner. The prohibition was too broad, and therefore the proportionality test was not satisfied.

As far as the whistle-blowing policy is concerned, the Court ruled that the policy could not cover matters other than accounting, financing, and anti-corruption. In France, whistle-blowing policies need to be approved by the French data privacy authority (“the CNIL”) because their enforcement may lead to sanctions against employees. In 2005, the CNIL published a blanket authorization which generally authorizes whistle-blowing policies in France for Sarbanes-Oxley compliance purposes, but this authorization is limited to pure accounting, financing and anti-corruption matters. If the whistle-blowing policy exceeds the scope of the blanket authorization, it needs to be authorized on an individual basis. Otherwise, the whole policy will be deemed invalid, as confirmed by the Supreme Court’s decision.

Most international groups are reviewing the French versions of their Codes of Conduct to ensure that they comply with this new ruling.

European Data Privacy Supervisor Issues Press Release on ePrivacy Directive

ePrivacy:  On 9 November, the European Data Privacy Supervisor (EDPS) issued press release 09/13 on the ePrivacy Directive, which will be amended soon as part of the E-Communications Regulatory Framework.  The EDPS is an independent body responsible for data privacy within EU institutions.  As would be expected, it takes an expanded view of data privacy, because that is its sole focus and responsibility.  The EDPS titled its press release as “improvements on security breach, cookies and enforcement, and more to come.”  It expanded on this theme with the following: 

  • For the first time in the EU, a framework for mandatory notification of personal data breaches.  Any communications provider or Internet service provider (ISP) involved in individuals’ personal data being compromised must inform them if the breach is likely to adversely affect them.  Examples of such circumstances would include those where the loss could result in identity theft, fraud, humiliation or damage to reputation.  The notification will include recommended measures to avoid or reduce the risks.  The data breach notification framework builds on the enhanced provisions on security measures to be implemented by operators, and should stem the increasing flood of data breaches;
  • Reinforced protection against interception of users’ communications through the use of - for example - spyware and cookies stored on a user’s computer or other device.  Under the new Directive users should be offered better information and easier ways to control whether they want cookies stored in their terminal equipment;
  • The possibility for any person negatively affected by spam, including ISPs, to bring effective legal proceedings against spammers; and
  • Substantially strengthened enforcement powers for national data protection authorities.  They will for example be able to order breaches of the law to stop immediately and will have improved means of cross-border cooperation.

These provisions could impose substantial new requirements for industry.  The data breach requirement in particular could lead to heightened security for all companies – after a 26 October seminar on data breach protection, the EDPS stated:

data controllers, together with other stakeholders, [must] adopt proper risk management in order to appropriately mitigate the risk of such breaches.  It was stressed that this will not only require technological solutions but also organisational measures, including increasing the responsibility of the highest management levels of entities concerned.  They should also promote the development of adequate safeguards and facilitate a more transparent distribution of responsibilities.

In light of this emphasis on the new provisions, it will be necessary in the near term to consider company procedures on data protection and breach notification, to the extent that a company or its affiliates provide public electronic communications services.

UK Takes Step That Likely Will Result in Significantly Increased Penalties for Data Breaches

In a move that likely will result in a significant increase in civil penalties that can be assessed in the UK for data security breaches, this month the UK Ministry of Justice began consultation on the introduction of a maximum civil monetary penalty for serious breaches of the Data Protection Act 1998 (DPA), entitled ‘Civil Monetary Penalties: Setting the maximum penalty’.

The prospect of a maximum financial penalty was introduced into the DPA in 2008 by the Criminal Justice and Immigration Act 2008, but has yet to be implemented. After the consultation closes on 21 December 2009 it is likely to become law in April 2010.

French Senators propose data breach legislation; restrictions on cookie use

On November 6, 2009, French Senators Détraigne and Escoffier introduced a bill that would impose new data breach obligations, as well as strengthen the sanctioning power of the French data protection authority, the CNIL.  Last May, Senators Détraigne and Escoffier delivered a report on privacy in the digital age on behalf of the Senate's committee on legislation, and the new bill is a follow-up on the measures recommended in that report.

The proposed new bill would:

  • State that "any address or number identifying terminal equipment connected to a communications network" is personal data.  This provision is intended to end the debate in France on whether IP addresses are personal data.  Unfortunately, the effect of the proposed provision could be that in the future IP addresses of any device or object connected to the Internet, even a box of cereal, will be viewed as personal data;
  • Require that government agencies and certain companies appoint a data protection officer;
  • Increase notification obligations of data controllers before they process personal data;
  • Impose an opt-in regime for cookies unless they are strictly needed for communication purposes or to permit access to an online service;
  • Impose a broad security obligation on data controllers and an obligation to inform the CNIL of any data breaches.  The proposed language contains no minimum threshold after which a breach would be deemed significant enough to warrant a notification;
  • Facilitate data subjects' ability to request deletion of personal data; and
  • Increase the CNIL's sanctioning powers, and allow victims of privacy violations to bring suit before their own local court instead of being obligated to sue in the court where the data controller is located.

The provisions facilitating data subjects' ability to access and delete personal data are part of a broader French government campaign to create a citizen's "right to be forgotten" on digital networks.  French Digital Minister Nathalie Kosciusko-Morizet organized a roundtable on the "right to be forgotten" on November 12, 2009, and indicated that the French government would raise the issue in Sharm El-Sheikh and the Internet Governance Forum.

Debates on the text will begin in March 2010.  It is not clear whether the proposed bill will be supported by the French government, which may prefer to defer legislation on some of the issues until final adoption of the revised ePrivacy Directive.  Given the recent statements of Digital Minister Nathalie Kosciusko-Morizet on the "right to be forgotten" on the Internet, it is likely that the provisions facilitating a citizen's right to access and delete personal information on the Internet will receive the immediate support of the French government, and this could result in legislation fairly soon.

EU ePrivacy Directive and Cookies: The Consent Requirement May Not Be as Broad as Believed

The Wall Street Journal has reported that “the Council of the European Union has approved new legislation that would require Web users to consent to Internet cookies.”  But it is not quite as clear-cut as that quote suggests.  The consent requirement relates to cookies that collect personal data -- an important qualification -- and some cookies appear to fall outside of the consent requirement.

Last week the Council of the European Union and the European Parliament reached an agreement on the EU telecom reform, as a result of which the ePrivacy Directive is expected to be amended shortly. Following adoption of the revised ePrivacy Directive, the EU Member States have 18 months to transpose the Directive’s provisions into their national legislation. One of the proposed amendments that has recently triggered the attention of several commentators on both sides of the Atlantic is the so-called “cookie law”.

The new ePrivacy Directive will include a provision requiring the EU Member States to ensure that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing”.

There is no doubt that this provision is intended to cover the use of cookies, even if the provision does not specifically refer to cookies. Moreover, the Article 29 Working Party has earlier expressed the view that the “neutral” wording chosen is not limited to cookies but extends to any other new technology that could be used to track users’ behavior through their browser.

The specific reference to the EU Data Protection Directive (95/46/EC) is important because it limits the consent requirement to personal data, as opposed to other types of information. In the opinion of the Article 29 Working Party as well as many data protection authorities throughout the EU, persistent cookies containing a unique user ID are personal data and therefore subject to applicable data protection rules. Arguably some cookies (or similar technologies) may not meet these criteria and therefore fall outside the scope of the law.

As far as the consent requirement is concerned, the law is not entirely clear on how and when to obtain consent. The new provision does not explicitly refer to “prior” consent, but the use of the past tense (“has given”) suggests that the European legislator wanted to make sure that users are offered an opportunity to refuse cookies and the like before these are delivered to users’ computers.

So how will consent have to be obtained in this specific context? Although the jury is still out on this question, the recitals of the legislative proposal include the following, perhaps interesting suggestion: “where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application”.

Earlier this year, the Article 29 Working Party strongly objected to the idea of using default browser settings as a means to provide consent. Concerned about the possible erosion of the definition of consent and a subsequent lack of transparency, the Article 29 Working Party opined that: “most browsers use default settings that do not allow the users to be informed about any tentative storage or access to their terminal equipment. Therefore, default browser settings should be ‘privacy friendly’ but cannot be a means to collect free, specific and informed consent of the users, as required in Article 2 (h) of the Data Protection Directive. With regard to cookies, the Working Party is of the opinion that the controller of the cookies should inform its users in its privacy statement and may not rely on (default) browser settings”. In light of the recitals approved by the Council and the Parliament, it would perhaps be useful if the EU data protection authorities could reach a consensus (and subsequently provide guidance) on this issue.

UK Government consults on custodial sentences for data protection offences

Under the Data Protection Act 1998 (“DPA”), it is an offense to knowingly or recklessly obtain or disclose personal data, or the information contained in personal data, without the consent of the data controller.  Section 55 of the DPA details the offenses and any exclusions, or defenses, which may apply.  It also sets out the procedure for monetary penalties to be imposed.  Under the current law, the maximum penalty for those found guilty of offenses such as selling personal data is a £5,000 fine in the Magistrates Court and an unlimited fine in the Crown Court.  However, cases leading to substantial fines are rare.

The Ministry of Justice (which oversees the Information Commissioner’s Office) has recently announced a consultation exercise to decide whether to introduce tougher penalties for breaches of section 55, DPA, which could lead to the introduction of custodial sentences for those convicted.  Although provision was made to introduce prison sentences through the Criminal Justice and Immigration Act 2008, this has yet to be implemented and is subject to the consultation exercise, which is expected to close on 7 January 2010.

If adopted as law, the maximum penalty for the knowing or reckless misuse of personal data would be a prison sentence of up to 12 months (if heard in the Magistrates Court) or up to 2 years (if heard in the Crown Court).  This is an important development for the ICO, which has fairly limited powers of enforcement, and is arguably a necessary response to the increasingly serious breaches of the DPA involving the misuse of personal data.

French CNIL comments on nanotechnologies

On October 15, 2009, the French Data Protection Authority, the CNIL, issued a white paper regarding the privacy risks of nanotechnologies.  In its white paper, the CNIL attempts to identify the privacy risks associated with RFID tags which are so small they can be injected into the human body.  The CNIL mentions RFID tags used to trace Alzheimer patients, which the CNIL considers would satisfy the proportionality test set forth in French law.  Other tags, such as an RFID tag injected under the skin which permits nightclub users to pay for their drinks, are more problematic.

The risks outlined in the CNIL document are not unlike those already identified in connection with RFID devices and the “Internet of things.”  Of particular concern are the small size and potential ubiquity of tracing devices, both of which make it difficult for citizens to control the personal data that is collected about them.  The CNIL recommends application of Privacy by Design methodology to nanotechnologies so that privacy is incorporated into nanotechnology applications from the time of their initial design.  The same recommendation applies to the security of these devices.  In fact, the CNIL emphasizes the security risks of potential viruses or malware which could be introduced into nanotechnologies so as to permit them to be used for improper purposes.  To prevent this, the CNIL recommends integrating security by design in nanotechnologies through a multi-disciplinary and cooperative approach.

The CNIL mentions several key principles that should guide any nanotechnology application, such as the right for citizens to “turn off” the device thereby guaranteeing the right to “be forgotten” and to remain anonymous. 

In its white paper the CNIL also recommends clear labeling of nanotechnology applications, comparing nanotechnologies to genetically modified foods for which France has required special labeling which informs consumers about the product being purchased before actual purchase.  The CNIL further suggests that French law should be broadened to ensure that the CNIL has responsibility to implement these general principles, although it does not suggest specific language or legislation.

In conclusion, the CNIL’s consultation document regarding nanotechnologies is not fundamentally different from the European Commission’s recommendations on RFIDs, except that the CNIL puts more emphasis on bio-ethic issues, undoubtedly due to the fact that many of the nanotechnology applications will somehow be linked to the human body, which obviously raises significant privacy issues.

The CNIL's paper was issued as part of a national debate on nanotechnologies, organized by the French government in the Spring of 2009.

Free On Demand Webinar - "Navigating the Privacy Challenges: Crossing the Line in Cross-Border Data Transfers"

Lawyers from Hogan & Hartson offices in London, Paris, Brussels, Berlin and Washington recently presented a webinar in partnership with the Association of Corporate Counsel for Europe, entitled

Navigating the Privacy Challenges: Crossing the Line in Cross-Border Data Transfers

The program, now available in "on demand" format, provides an overview of the law governing international data transfers, as well as two case studies illustrating the practical issues involved in such data transfers.  The webinar concludes with a summary of "hot privacy topics" in the US and a question and answer session.  Complimentary attendance and access to the webinar, including the PowerPoint deck, is available by clicking here.

FTC Settles Safe Harbor Enforcement Actions with Six Companies

In its first wave of Safe Harbor enforcement actions, the Federal Trade Commission announced settlements on October 6th with 6 companies over misrepresentations that they are current with their Safe Harbor certifications.  In each case, the company had self-certified its compliance with the Safe Harbor Program through the Department of Commerce, but did not keep its annual certification current, while still representing that it was a valid member of the Safe Harbor Program.

The FTC brought the enforcement actions under its Section 5 authority, alleging that the companies’ misrepresentations are deceptive.  The scope of the FTC’s actions is limited to the companies’ lapsed certification and did not address whether the companies were compliant with the substantive requirements of the Safe Harbor Program.

The proposed settlement agreements, open for public comment until November 5th, prohibit each company from making misrepresentations about its membership in any privacy, security, or other compliance program sponsored by the government or any other third party.  In addition, the proposed terms require each company to comply with reporting and compliance obligations, including the retention of documents relating to its compliance with the order for 5 years and initial compliance reports to the FTC.

The key take-away from these actions is that the FTC is going to be more pro-active in its scrutiny of members of the Safe Harbor Program.  We anticipate more enforcement actions under Section 5 based on misrepresentations about compliance with Safe Harbor obligations, and likely further actions against companies with lapsed certifications.

The FTC complaints, proposed settlements and related documents are available at http://ftc.gov/opa/2009/10/safeharbor.shtm.

French CNIL Issues Data Security Tips

On October 12, 2009, the CNIL issued ten recommendations for companies to help protect their data.  The recommendations are fairly basic, ranging from implementing a rigorous password policy to ensuring that only authorized personnel have access to the company’s computer room.  The recommendations have an important pedagogical role, however, and illustrate that the CNIL is broadening its scope of focus from its traditional role of defining under what conditions personal data can be processed in France to dealing with the results of that processing, in particular focusing on the prevention of data breaches.

For those familiar with the security recommendations issued by ENISA, the European Network and Information Security Agency, the CNIL’s recommendations may seem quite rudimentary in comparison.  ENISA has issued a number of detailed recommendations on data security, and it is unfortunate that the CNIL did not refer to the excellent ENISA work in this area.  See, for example, ENISA's 2009 papers "10 Security Awareness Good Practices" and "Information Security Awareness in Financial Organizations - Guidelines and Case Studies."  However, the CNIL's recommendations may only be a first step, and it will be interesting to see whether the CNIL's guidance evolves as concern about data breaches continues to grow.

Eye-Spy: CCTV on the Internet

It sounds like an ‘April fool,’ but the story this week that people can sign up to a new internet game where they spot crimes on CCTV cameras posted in Britain and earn points for doing so might actually be true.  Both the Daily Mail and the Guardian’s online news pages featured stories about this bizarre game, which may be launched in November 2009 following a trial in Stratford-upon-Avon.

Customers have the opportunity to sign up to the service and have their CCTV monitored by the public in return for a fee.  Footage from the camera would be streamed on to a website to be used in the game.  Shopkeepers are an obvious target market for the service, but the police, local authorities and home owners may also be encouraged to sign up.

According to press releases, the service provider ‘Internet Eyes,’ offers users (players of the game) the chance to “earn reward money, have a chance at reducing crime, potentially become a hero and save lives.”  Users would compete to earn up to £1,000 per month, collecting points for viewing live CCTV footage and pressing a button whenever they see any suspicious activity.  If and when a crime is suspected, these alerts will be sent, by SMS, to the customer, in real-time, allowing them to take immediate action, or no action, as they wish.  Apparently it is possible to lose points for a false alarm and a ‘3 strikes and you’re out’ rule will apply.

The website also promises to feature a so-called ‘rogue’s gallery’ of ‘criminals,’ with details of their offenses and details of the user responsible for spotting them.

Internet Eyes says its service aims to reduce crime, but civil liberties campaigners and the assistant information commissioner have their doubts about the legality of the idea itself.  Disclosing images of identifiable individuals on the internet for entertainment raises serious issues under the Data Protection Act and the Human Rights Act.  The Guardian reports that the ICO will be ‘talking to’ Internet Eyes shortly.  Watch this space!

New Notification Fee for Data Controllers in the UK

The United Kingdom Information Commissioner's Office ("ICO") has announced that with effect from 1 October 2009, a new notification fee of £500 will be payable by some larger organizations.  This is the first change to the fee structure since the Data Protection Act 1998 became law in 2000.

Notification is the process by which data controllers register with the ICO.  It is a mandatory requirement for organizations which process personal information in the UK.

The new £500 per annum fee will apply to a higher tier of:

• data controllers in the private sector with a turnover of £25.9 million and 250 or more members of staff; and

• data controllers in the public sector with 250 or more members of staff.

The standard notification fee is otherwise £35 per year and this will remain so for organizations in the lower tier category.  The ICO has also confirmed that registered charities will not pay the higher fee, regardless of their size.

The increase in fees for larger organizations will, according to the ICO, help increase activity in terms of audits and investigations.  That is an interesting comment, which data controllers should note.

Uruguay Close To Receiving EU Adequacy Recognition?

Uruguay may be on its way to becoming the second Latin American country recognized by the European Commission as offering an adequate level of data protection. Last month, the Uruguayan government adopted a set of regulations implementing the country’s 2008 Personal Data Protection Act (Law 18331). The implementation of this new law, as well as the creation of a national data protection authority last May, are expected to have a positive impact on the European Commission’s assessment as to whether or not Uruguay’s data protection rules meet EU adequacy standards.

The EU Data Protection Directive (95/46/EC) provides that the transfer of personal data from EU member States to non-Member States may in principle only take place if the laws in the recipient country ensure an adequate level of data protection.  The European Commission can decide that a non-EU country has adequate protection if the country’s legal framework covers all the basic data protection principles (set out in the Directive) and if there is an enforcement system in place ensuring the effectiveness of that framework. To date the European Commission has issued adequacy decisions in favor of Argentina, Canada, Guernsey, Isle of Man, Jersey, Switzerland, the U.S. Department of Commerce’s Safe Harbor Principles, and the transfer of air travelers' data to the U.S. Department of Homeland Security.

Uruguay filed a request for EU adequacy recognition in October 2008, and the preliminary reactions so far appear to be favorable. However, the recognition process is unlikely to be completed before the end of the year. An adequacy decision from the European Commission would allow personal data to flow freely from the EU to Uruguay without the need for additional data privacy safeguards. EU recognition would help Uruguay boost its outsourcing industry and attract more EU-based companies looking for providers of administrative, financial and other data processing services in Latin America.

Amendment to French HADOPI "three strikes" law adopted by parliament

This past June, France enacted an Internet anti-piracy law commonly known as the "HADOPI" or "three strikes" law, because after a certain number of warnings an online infringer's Internet access would be cut off. On June 10th, the French Constitutional Court found a portion of the law unconstitutional. Specifically, the court held that because terminating an individual's Internet access affects that individual's right to free expression, a fundamental right, a decision to terminate access must be made by a court after a careful balancing of interests. Because the HADOPI law gave the power to terminate Internet access to an administrative agency, the court held that grant of authority unconstitutional. Further background on this decision can be found in our update on the HADOPI law and the French Constitutional Court's decision.

On September 22, 2009, the French parliament passed a bill intended to close the enforcement gap left by the court's decision. This bill, known as HADOPI 2, gives French courts, rather than the HADOPI administrative agency, the authority to cut off the Internet access of copyright infringers or of individuals who are manifestly negligent in their duty to protect their broadband access line against illegal downloading.

The cornerstone of the new law is an affirmative duty imposed on French broadband subscribers to take measures to ensure that their broadband access is not used for infringing file sharing. If the subscriber ignores this duty and the broadband access is used for illegal downloading, the subscriber of the line may have his or her Internet access cut off for a limited time. If the subscriber installs certain approved protection technologies (and no one is yet sure what those technologies will be), the subscriber will be deemed to have fulfilled his or her duty of care.


Germany Introduces Data Breach Notification Rules

On July 10, 2009, the Federal Council (Bundesrat) passed an important amendment to the Federal Data Protection Act (FDPA), which imposes comprehensive obligations on data controllers in the event of a loss or unlawful transmission of personal data to third parties (a data breach). The new rules apply as of September 1, 2009.

The legal obligation of a data controller to notify data breaches to the affected individuals and to the relevant data protection authority (usually the state’s data protection commissioner, the Landesdatenschutzbeauftragter) is restricted to the loss or unlawful transmission of sensitive data, i.e. personal data revealing (i) racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and information on an individual’s health or sex life, (ii) information that constitutes a professional secret, (iii) information regarding criminal activities or administrative offenses, or (iv) information relating to bank accounts or credit card accounts.

In addition to the requirement that the personal data subject to the breach fall within one of the categories specified above, the loss or unlawful transmission of such personal data to a third party must constitute a severe threat to the rights or legitimate interests of the individuals involved. If these two requirements are met, the data controller must first inform the competent data protection commissioner of the breach immediately (“without undue delay”), providing (i) a precise description of the breach itself, (ii) information regarding the potential consequences and risks of the breach, and (iii) the measures that have been or will be taken by the data controller to mitigate its negative impacts. As a second step, the data controller must notify the individuals involved without undue delay, provided, however, that the controller has located the leak which led to the breach and taken all measures needed to prevent unlawful access by third parties through that leak (“responsible disclosure”). Where the breached personal data relates to potential criminal acts or administrative offenses, the controller informs the individuals involved only if doing so does not put an ongoing criminal investigation at risk.

Generally, each individual whose personal data has been breached must be informed by the data controller. However, if individual notification would lead to extraordinary and unreasonable costs (for example, because the breach affects a large number of people), the data controller can meet its obligation by publishing a detailed notification (of at least half a page) in two newspapers distributed throughout Germany.

The amendment to the FDPA, which is clearly inspired by U.S. data breach notification laws, is an important contribution to the protection of consumers. It remains to be seen, however, how corporations and data protection authorities will deal with the fact that notification obligations only apply if a data breach poses a severe threat to important rights and legitimate interests of individuals.

French Data Protection Authority Issues Recommendations in the Context of U.S. Discovery

On August 19, 2009, the French Official Journal published the French Data Protection Authority's (‘CNIL’) long-awaited recommendations on the transfer of personal data for U.S. discovery purposes (‘Recommendations’, currently available only in French). The Recommendations were based at least in part on suggestions from a working group, set up by the CNIL in 2008, composed of representatives of all stakeholders. The CNIL’s Recommendations are particularly useful for companies that find it difficult to reconcile French data protection and blocking statute limitations with U.S. discovery demands.

It is perhaps no surprise that the Recommendations largely echo the views of the Article 29 Working Party, which provided EU-wide guidance on pre-trial discovery in cross-border civil litigation earlier this year. Like the Article 29 Working Party guidance, the Recommendations do not apply to investigations by U.S. federal authorities or to criminal offenses in the U.S. relating to data destruction.
