Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: consent

Posted in International/EU Privacy

ICO Turns Spotlight on Data Broker Industry

Data brokers are organisations that obtain data from a variety of sources and then sell or license it to third parties. Many trade in personal data, which is purchased by their customers for several purposes, most commonly to support marketing campaigns. The UK data protection regulator has for some time been actively enforcing against organisations who buy individuals’ personal data for direct marketing purposes without first conducting appropriate due diligence to ensure that those individuals have adequately consented to receiving marketing communications. However, in a recently issued monetary penalty notice, the ICO indicated that it may be shifting its enforcement strategy. This post discusses the latest developments.

Posted in International/EU Privacy

Future-Proofing Privacy: Profiling Restrictions versus Big Data

Part 6 of Future-Proofing Privacy: Profiling Restrictions versus Big Data. Profiling and big data analytics are set to play a pivotal role in the growth of the digital economy. From cookie-based tracking to people’s interaction through social media, the size and the degree of granularity of our digital footprints have created unprecedented opportunities for business development and service delivery. The scale of data collection, data sharing and data analysis has not gone unnoticed to public policy makers and this has led to the inclusion of special rules addressing profiling in the Regulation. In fact, from the point of view of those businesses seeking to benefit from data analytics, the provisions dealing with profiling are likely to become the most crucial aspect of the entire Regulation.

Posted in International/EU Privacy

Future-Proofing Privacy: Justifying Data Uses

Part 4 of Future-Proofing Privacy: Justifying Data Uses – From Consent to Legitimate Interests. Currently, under the Data Protection Directive, each instance of data processing requires a legal justification – a “ground for processing”. This fundamental feature of EU data protection law will remain unchanged under the Regulation. However, the bar for showing the existence of certain grounds for processing will be set higher. This is especially true with regards to consent.

Posted in International/EU Privacy

Data Protection Compliance in Spain (2015)

Spain is well known for having one of the most restrictive data protection regimes in the European Union. It also counts with some of the highest penalties (fines are up to € 600,000 per infringement), and a data protection authority – the Spanish Data Protection Agency – with a reputation for being one of the fiercest of the EU. Moreover, the penalties envisaged are not only on paper; they are applied on a regular basis by the AEPD. For instance, in the past few years, it has imposed fines of € 450,000, € 900,000 and € 1,400,000.

Posted in International/EU Privacy

Part 6: Profiling Restrictions v. Big Data

Profiling and Big Data analytics are set to play a pivotal role in the growth of the digital economy. From cookie-based tracking to people’s interaction through social media, the size and the degree of granularity of our digital footprints have created unprecedented opportunities for business development and service delivery. The scale of data collection, data sharing and data analysis has not gone unnoticed to public policy makers and this has led to the inclusion of special rules addressing profiling in the Regulation. In fact, from the point of view of those businesses seeking to benefit from data analytics, the provisions dealing with profiling are likely to become the most crucial aspect of the entire Regulation. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”

Posted in International/EU Privacy

Part 4: Justifying Data Uses – From Consent to Legitimate Interests

Under the Data Protection Directive, each instance of data processing requires a legal justification – a “ground for processing”. This fundamental feature of EU data protection law remains unchanged under the draft Regulation. However, the bar for showing the existence of certain grounds for processing will be set higher, particularly in relation to consent. This entry is an excerpt from Hogan Lovells’ “Future-proofing privacy: A guide to preparing for the EU Data Protection Regulation.”

Posted in Consumer Privacy, International/EU Privacy

Sweep Reveals Scale of Cookie Consent Non-Compliance

The results of an international investigation into the cookie consent practices of 478 websites frequently visited by European citizens have now been published. The outcome is perhaps unsurprising: cookies are used en masse by websites operating in Europe, their expiry dates are often excessive, and crucially, not enough is being done to provide notice and obtain valid consent for the use of cookies and other device identifying technologies. The specific websites that were investigated are not identified (as yet), however those selected were amongst the 250 most frequently visited by individuals within each member state taking part in the investigation (as ranked by Alexa.com). Sites in the media, e-commerce and public sectors were targeted in particular because they are perceived by the EU data protection regulators to present the greatest data protection and privacy risks to EU citizens.

Posted in International/EU Privacy

Italian DPA Publishes Decision on Cookies

On 3 June, Italy’s data protection authority, the Garante, published a general decision on user notice and consent requirements when an organization uses cookies as part of its online services. The decision outlines specific categories of cookies based on their intended uses and the roles played by the entities placing those cookies, and highlights different levels of notice and consent requirements for each. The decision also offers guidelines for providing users with adequate notice through a two-layer privacy notice and outlines the consequences of failing to comply with Italy’s rules on cookies.

Posted in International/EU Privacy

CNIL Adds New Consent Requirement for Use of Credit Card Data

The CNIL, France’s data protection authority, published on 25 February 2014 a new recommendation relating to the collection of credit card information, replacing an older 2003 recommendation. The new recommendation, which represents a de facto standard for online merchants and payment services providers who collect data from French consumers, is more prescriptive than the old, particularly regarding how online merchants should seek consent for the retention of credit card information.

Posted in International/EU Privacy

UK ICO Suggests Preparations for Draft EU Data Protection Regulation

The continued uncertainty around the draft EU Data Protection Regulation presents something of a challenge for data controllers. It’s clear that it could require them to make significant changes to how they handle individuals’ data, but the ongoing fundamental political disagreements make it difficult to predict which changes will make it into the final form of the legislation. So it is interesting to see the recommendations on the UK ICO’s blog on where to start in preparing for reforms, highlighting three areas: consent, breach notification, and privacy by design.

Posted in Consumer Privacy, International/EU Privacy

EU LIBE Committee Adopts EU Data Protection Compromises; Reform Package Set for Parliamentary Vote

The EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) voted on Monday to adopt its report on the draft General Data Protection Regulation and the separate Directive for the law enforcement sector. This vote sets out the Parliament’s position for its negotiations with the Council and Commission (known as the “trialogue” stage). The Committee aims to have a plenary Parliamentary vote in March before the Parliamentary elections.

Posted in Consumer Privacy, International/EU Privacy

EU Parliamentarian Releases “Highlights” of Data Protection Amendments

On October 17, Jan Albrecht, rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), issued a release in which he claims that “Edward Snowden and the PRISM scandal laid the ground” for including a prohibition against telecommunications and Internet companies transferring data to other countries’ governmental authorities unless otherwise permitted by EU law. Albrecht’s release offers 10 points to describe the draft Regulation that LIBE is scheduled to vote upon on October 21. If LIBE adopts the draft, the Parliament, Council, and Commission will begin work on negotiating the final legislation, which parliamentarians hope will be adopted before elections in May 2014.

Posted in Consumer Privacy, Privacy & Security Litigation

Federal Court Certifies Consumer Class Action Alleging comScore Violated Federal Privacy Laws by Exceeding Scope of Users’ Consent

A recent federal court opinion raises concerns that privacy cases alleging violations of a standard user license agreement may be susceptible to class certification.  Last week, the U.S. District Court for the Northern District of Illinois certified a class in a consumer privacy lawsuit against comScore, Inc.   Plaintiffs allege that comScore exceeded the scope of the […]

Posted in Consumer Privacy, International/EU Privacy

European Regulators State that Non-EU Mobile Apps Must Comply with EU Privacy Laws

The European Union’s Article 29 Data Protection Working Party (“WP29“), which consists of the 27 data protection authorities of the European Union Member States, has published its “Opinion on Apps in Smart Devices“, adopted on 27 February 2013 (the “Opinion“). Applicability of EU laws According to WP29, the 1995 Data Protection Directive applies to all […]

Posted in International/EU Privacy

Blogging from Brussels: Key European Officials Discuss Changes to EU Text

Prominent European government officials provided up-to-the-minute perspectives on the proposed European data privacy regulation at this week’s IAPP Europe Data Protection Congress  in Brussels. The officials’ comments — summarized below –indicate how the proposal might evolve for the next steps in the policy process, which include the issuance of the European Parliament’s formal report on […]

Posted in International/EU Privacy

Article 29 Working Party Publishes Opinion on Cookie Consent Exemptions

On 7 June 2012, the Article 29 Data Protection Working Party issued an opinion on cookie consent exemptions. The Directive 2009/136/EC, amending Directive 2002/58/EC, introduced an opt-in regime which requires providers to request that users grant their express consent to the use of cookies, as opposed to the regime under which users are given the opportunity to opt-out. This opinion clarified when opt in consent is needed, and when it is not.

Posted in Consumer Privacy, International/EU Privacy

Article 29 Working Party Rebuffs European OBA Industry… Again

In an opinion adopted on December 8, the EU Article 29 Working Party again rebuffed the Online Behavioral Advertising industry’s self-regulatory proposal, continuing to hold firm that European law requires affirmative, opt-in consent prior to the placement of any cookie for tracking purposes. The Working Party broke down the OBA industry proposal, and then–in a rebuttal of the industry’s contention that the opinion will result in the proliferation of dreaded browser pop-up windows–offered up a number of methods of obtaining consent not involving pop-ups.

Posted in International/EU Privacy

Details of EU Data Protection Reform Reveal Dramatic Proposed Changes

Although the European Commission was expected to release its overhaul of the 1995 Data Protection Directive (95/46/EC) next month, some of the details of those changes emerged earlier than expected this week. In this post, we summarize the many key changes between the Data Protection Directive and the Commission’s draft Data Protection Regulation.

Posted in International/EU Privacy

France Implements EU Requirements for Data Breach Notification, Audits and Cookies Applicable to Electronic Communications Service Providers

On August 26, 2011 France implemented new EU provisions on data breach notifications for electronic communications providers, as well as new provisions requiring prior consent for cookies. The French measure also gives the government power to order security audits for electronic communications providers.

Posted in International/EU Privacy

Article 29 Working Party Guidelines on Consent will Lead to More Pop-ups

Article 29 WP has issued guidelines in which it recommends separate pop-ups and affirmative “check the box” consent options. Consent clauses buried in terms of use are not specific enough to meet European requirements, according to tthe guidelines. Consent requires an affirmative ‘click’ by the consumer. Browser settings alone may not be sufficient, which raises questions under new EU cookie regulations. Details are contained in this blog posting.