Article 29 Working Party Rebuffs European OBA Industry... Again

In an opinion adopted on December 8, the EU Article 29 Working Party again rebuffed the Online Behavioral Advertising (OBA) industry’s self-regulatory proposal for the placement of cookies on European citizens’ computers for the purposes of targeted advertising while only providing notice and offering an opportunity to opt out of the tracking. If you didn’t catch it the first, second, third, or fourth time around, the Working Party again proclaimed that European law requires affirmative, opt-in consent prior to the placement of any cookie for tracking purposes. In this most recent opinion, the Working Party broke down the OBA industry proposal, and then—in a rebuttal of the industry’s contention that the opinion will result in the proliferation of dreaded browser pop-up windows—offered up a number of methods of obtaining consent not involving pop-ups.

What Went Wrong

Much of the opinion is dedicated to describing which elements of the self-regulatory proposal, in the opinion of the Working Party, violate EU law, particularly in the areas of notice, choice, and data retention. Though some of these criticisms are not new, the Working Party crystallized its viewpoints on the issue, including the following.

(1)    An icon accompanying targeted ads that is linked to the information website www.youronlinechoices.eu does not provide adequate notice. 

In its June 2010 OBA opinion, the Working Party cited the use of contextual icons attached to ads that can be clicked to learn about cookies and express preferences as an example “which the Working Party finds both positive and necessary.” The current opinion, however, made clear that icons are not sufficient to provide notice because consumers today don’t know what they mean. That said, the Working Party recognized the usefulness of icons as a means to complement other forms of notice, but only after the user has provided consent to process data for OBA purposes (or if used to direct the user to a more fulsome mechanism to obtain consent). In that context, the Working Party suggested that the word “advertising” alongside the icon is not sufficient even to inform users that the ad uses cookies for OBA purposes, and stated “at minimum” the language should include the phrase “personalized advertising.”

The Working Party also took the opportunity to reiterate its position from its 2010 OBA opinion that at minimum, notice for OBA should include:

  • what entity is responsible for serving the cookie and collecting the related information;
  • that the cookie will be used to create profiles;
  • what type of information will be collected to build such profiles;
  • the fact that the profiles will be used to deliver targeted advertising; and
  • the fact that the cookie will enable the user’s identification across multiple websites.

(2)    The use of an opt-out cookie is not sufficient to provide consent.

The industry proposal would permit consumers who visit the www.youronlinechoices.eu website to download an opt-out cookie to record their refusal to participate in OBA. In addition to criticizing the proposal for not following an opt-in approach, the Working Party noted other aspects of the opt-out system that it believed violated EU law, including that:

  • “it has been demonstrated that” ad networks continue to collect information from users’ computers even after the opt-out cookie is downloaded;
  • the approach does not offer the possibility of managing and deleting previously installed tracking cookies; and
  • the www.youronlinechoices.eu website itself contains links to a number of JavaScript functions that collect personal data (such as IP addresses) without consent.

(3)    The notice to users lacks necessary provisions on the scope of data collection and data retention.

The Working Party took the position that notice to users about OBA must disclose how much data is collected by the different advertising networks, how long it is stored, and for what purposes it is processed. At minimum, the notice should address the period during which consent can be considered valid, and after which data must then be deleted.

What Went Right

The Working Party did commend the industry proposal in a couple of areas. It noted the proposal’s “interesting approaches” on how to make consent mechanisms more effective, such as industry’s commitment to engaging in educational initiatives to inform individuals and businesses about OBA. The opinion also, unsurprisingly, welcomed the proposal’s principle that a user’s explicit consent is required prior to creating or targeting OBA segments that make use of sensitive data (i.e., data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life).

Suggestions for Consent

One of the most frequent complaints about the Working Party’s position on OBA has been that by requiring opt-in consent for targeted advertisements, users will be subjected to countless pop-up requests whenever a website wishes to place a cookie. The Working Party opinion attempted to dispel this notion by proposing a number of alternatives to pop-ups, or ways to mitigate their annoyance, including:

  • An opt-in cookie approach: Under such an approach, the first time a user visits a website served by an ad network, the ad network can display a message on the page prompting the user for consent to participate in OBA (the Working Party suggests that this message can be where the ad normally would appear). If the user then opts in, he or she can receive targeted advertising on all websites associated with that ad network without having to be prompted again for consent. If the user declines, the ad network should place an opt-out cookie.
  • A static information banner on the top of a website: Such a banner, like the one present on the website of the UK Information Commissioner Office, would request the user’s consent to set cookies, with a hyperlink to a privacy policy containing a full notice.
  • A splash screen upon entering a website: Users would be presented with the option to consent before entering the website, such as when breweries require users to confirm they are of age before they enter the site.
  • Click-to-consent: The Working Party singled out the method used by the German e-zine Heise that defaults a button associated with cookies to light grey. Only once the user clicks on and “activates” the button will the cookie be placed and the third party be able to send and receive user data. This process, however, would need to be transparent to users.
  • Browser plug-ins: Though the Working Party repeatedly has said that browser settings permitting users to opt out of cookies are not sufficient to provide informed consent, it would support default opt-out browser settings accompanied by ad network plug-ins and extensions through which users would indicate their wish to opt in to online tracking. Interestingly, this is the polar opposite of the opt-out browser plug-ins available today, which assume tracking as the default and permit users to opt out of OBA.
  • Where a website uses several ad providers, group together all necessary consent requests in one presentation: This would eliminate the need for users to confront multiple, serial pop-ups. As an example, the Working Party cited the interface on www.youronlinechoices.eu, which provides a single interface to permit users to opt out of multiple ad networks.

The Working Party also noted that EU law does not require informed consent for certain cookies necessary to facilitate the user’s requested services, such as session cookies, shopping basket cookies, and security cookies (though notice is required before placing these cookies). Therefore, no additional consent mechanisms are required to place these cookies.
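As an added illustration, and not code from the Working Party opinion or from any ad network, the following JavaScript sketches a server-side consent gate that follows the opt-in cookie approach, the single grouped consent prompt for several ad providers, and the exemption for strictly necessary cookies described above. The cookie names, the network identifiers, the allowlist of strictly necessary cookies, the one-year validity period and the choice to show a non-personalised ad after a decline are all assumptions made for this example.

```javascript
// Added example (not from the blog post or the Working Party opinion): a minimal
// server-side consent gate implementing the "opt-in cookie" approach, grouped
// consent for several ad networks, and the strictly-necessary exemption.
// Cookie names, network identifiers and the allowlist below are assumptions.

// Cookies the post says are exempt from consent (notice is still required):
// session, shopping-basket and security cookies. The names are assumed.
const STRICTLY_NECESSARY = new Set(['sessionid', 'basket', 'csrftoken']);

const CONSENT_PREFIX = 'oba_consent_';   // assumed cookie name prefix, one per network
const ONE_YEAR = 60 * 60 * 24 * 365;     // assumed validity period for a recorded choice

// Parse a Cookie request header ("a=1; b=2") into a name -> value object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch (_) { /* keep the raw value */ }
    if (name) out[name] = value;
  }
  return out;
}

// Return 'in', 'out' or 'unknown' for one ad network, from the consent cookie alone.
function consentState(header, networkId) {
  const value = parseCookies(header)[CONSENT_PREFIX + networkId];
  if (value === 'in') return 'in';
  if (value === 'out') return 'out';
  return 'unknown';
}

// What to render in an ad slot served by `networkId`:
//   unknown -> the consent prompt takes the place of the ad (first visit);
//   in      -> a targeted ad, tracking allowed;
//   out     -> a non-personalised ad (assumption: the post only says an opt-out
//              cookie is placed on decline, not what is shown afterwards).
function decideAdSlot(header, networkId) {
  const state = consentState(header, networkId);
  if (state === 'in') return { render: 'targeted-ad', track: true };
  if (state === 'out') return { render: 'non-personalised-ad', track: false };
  return { render: 'consent-prompt', track: false };
}

// A cookie may be placed without consent only if it is strictly necessary;
// any other cookie for `networkId` needs a prior, recorded opt-in.
function canSetCookie(header, cookieName, networkId) {
  if (STRICTLY_NECESSARY.has(cookieName)) return true;
  return consentState(header, networkId) === 'in';
}

// Build Set-Cookie headers recording one affirmative choice ('in' or 'out') for
// every network present on the page at once, so the user meets a single prompt
// rather than a serial chain of them. Cookie attributes are a sensible default.
function recordChoice(networkIds, choice) {
  if (choice !== 'in' && choice !== 'out') throw new Error('choice must be "in" or "out"');
  return networkIds.map((id) =>
    `${CONSENT_PREFIX}${id}=${choice}; Max-Age=${ONE_YEAR}; Path=/; Secure; SameSite=Lax`);
}

// Walk-through: first visit, the user opts in for both networks, later visit.
function demo() {
  const firstVisit = decideAdSlot('', 'adnet-a');
  const headers = recordChoice(['adnet-a', 'adnet-b'], 'in');
  const later = decideAdSlot('sessionid=abc; oba_consent_adnet-a=in', 'adnet-a');
  return { firstVisit: firstVisit.render, cookiesSet: headers.length, later: later.render };
}
```

The gate deliberately treats a missing consent cookie as "unknown" rather than as consent, so a user who simply never answers keeps seeing the prompt in the ad slot and never receives a tracking cookie, which is the positive-action reading of consent the Working Party insists on.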


FTC Announces First Flash Cookie Enforcement and Settlement with Child Social Network

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office.

The Federal Trade Commission (FTC) yesterday announced settlements with two online companies for deceptively collecting personal information from consumers.  In the first enforcement action against the use of Flash cookies, the FTC alleged that ScanScout, an online behavioral advertiser that was recently acquired by Tremor Video, circumvented user choice by collecting information through Flash cookies even while telling consumers they could opt out of this collection through other means. In the case of Skid-e-Kids, a social networking website that targets children, the FTC alleged violations of both the FTC Act and Children’s Online Privacy Protection Act (“COPPA”) for the collection of personal information from children without parental consent. 

ScanScout

ScanScout, which claims it is the “web’s largest in-stream video ad network,” agreed to settle FTC charges that it violated Section 5 of the FTC Act by failing to live up to representations made in its website privacy policy. The FTC’s complaint states that ScanScout’s privacy policy claimed that users could “opt out of receiving a cookie by changing [their] browser settings to prevent the receipt of cookies.”  Despite this representation, ScanScout used Flash cookies—which are locally stored files associated with the Adobe Flash Player—to track user behavior, which could not be blocked by changing browser settings as indicated in the privacy policy. The FTC deemed ScanScout’s inaccurate description of the ways that consumers could opt out of tracking to be a deceptive act or practice that violated Section 5 of the FTC Act.  The privacy policies of many websites and Internet-based applications state that consumers can opt out of tracking by disabling cookies, so these companies should reexamine whether they (or their web vendors) also use Flash cookies, HTML5, ETags, or any other methods to track website users that would not cease when users disable traditional HTML cookies.
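The closing recommendation of the paragraph above, checking whether a site relies on storage that disabling browser cookies does not stop, can be partly automated. The following JavaScript is an added example written for this post, not code from the FTC, ScanScout or Tremor Video; the mechanism list, the file names and the sample scripts are constructed for it.

```javascript
// Added example (not the FTC's, ScanScout's or Tremor Video's code): scan a
// site's client-side scripts for storage mechanisms that keep working after a
// user disables HTTP cookies, so the "disable cookies to opt out" statement in
// a privacy policy can be compared with what the scripts actually do.
// The mechanism list and the sample scripts are constructed for this example.

const PERSISTENT_STORAGE = [
  { mechanism: 'HTML5 Web Storage', re: /\b(localStorage|sessionStorage)\b/ },
  { mechanism: 'IndexedDB', re: /\b(indexedDB|webkitIndexedDB)\b/ },
  { mechanism: 'Web SQL database', re: /\bopenDatabase\s*\(/ },
  { mechanism: 'Flash Local Shared Object', re: /\bSharedObject\b/ },
  // An identifier carried in a cache validator and read back from a response.
  { mechanism: 'ETag-based identifier', re: /\b(ETag|If-None-Match)\b/i },
];

// Return one finding per (line, mechanism) pair found in `source`.
function findPersistentStorage(source, fileName = '<inline>') {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    for (const { mechanism, re } of PERSISTENT_STORAGE) {
      if (re.test(line)) {
        findings.push({ file: fileName, line: index + 1, mechanism, text: line.trim() });
      }
    }
  });
  return findings;
}

// The statement "you can opt out by disabling cookies in your browser" is only
// accurate when no script uses a mechanism that browser cookie settings do not
// control. Findings are returned so they can be reviewed with the vendor.
function auditCookieOptOutClaim(scripts) {
  const findings = scripts.flatMap(({ name, source }) => findPersistentStorage(source, name));
  const mechanisms = [...new Set(findings.map((f) => f.mechanism))];
  return { claimAccurate: findings.length === 0, mechanisms, findings };
}

// Constructed sample scripts standing in for a site's bundled JavaScript.
const SAMPLE_SCRIPTS = [
  {
    name: 'player.js',
    source: [
      'function init() {',
      '  var uid = localStorage.getItem("uid");',
      '  if (!uid) localStorage.setItem("uid", makeId());',
      '}',
    ].join('\n'),
  },
  {
    name: 'ui.js',
    source: 'document.querySelector("#play").addEventListener("click", play);',
  },
];

// Stand-alone usage (assumed file name audit.js): node audit.js
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditCookieOptOutClaim(SAMPLE_SCRIPTS), null, 2));
}
```

A pattern scan of this kind is a first pass only: it finds the mechanism names in source text but cannot see storage written by third-party scripts loaded at run time or identifiers set in response headers by a server, so the findings should be confirmed by watching the browser's storage and network inspector while the site is used.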

Under the consent decree (PDF), the FTC barred ScanScout from misrepresenting its online information practices, including how consumers’ data is collected, used, shared, and disclosed, and required ScanScout to implement measures aimed at providing consumers with more effective notice of how their data is used and simplified methods by which consumers may opt out of such use. 

As a corollary, the FTC yesterday released a consumer education article, entitled “Cookies: Leaving a Trail on the Web (PDF),” which explains how cookies can monitor online activity and how users can control this monitoring, including a section on controlling Flash cookies.

Skid-e-Kids

Skid-e-Kids, the self-proclaimed “Facebook and Myspace for kids,” agreed to settle FTC charges that it violated the COPPA Rule and made deceptive claims in violation of Section 5 of the FTC Act. 

The COPPA Rule requires that any collection, use, or disclosure of personally identifiable information of a child under 13 be preceded by verifiable parental consent. The FTC’s complaint (PDF) alleges that Skid-e-Kids collected personally identifiable information from approximately 5,600 underage users without first obtaining parental consent, a violation of the COPPA Rule. This enforcement action comes on the heels of the FTC’s recent proposal to amend the COPPA Rule aimed at keeping pace with developments in the online world, including the advent of social networks and the development of smartphone and geolocation technology.

The complaint also alleges that Skid-e-Kids represented in its privacy policy that a child’s account would not be activated until it received parental consent. Nevertheless, Skid-e-Kids registered children and activated their accounts without parental consent, and subsequently collected personally identifiable information from those registered child users. The FTC found that Skid-e-Kids’ failure to live up to the representations made in its privacy policy constituted a deceptive act or practice that violated Section 5 of the FTC Act.   

Under the consent decree (PDF), the FTC barred Skid-e-Kids from misrepresenting the details of its collection, use, and disclosure of children’s personal information. The settlement also required Skid-e-Kids to delete the information collected; provide links to a government website that educates consumers on children’s privacy issues on the Skid-e-Kids website, in notices sent to parents, and in its privacy policy; and employ a third-party oversight mechanism that will ensure future compliance with COPPA. In addition, the settlement imposed a civil penalty of $100,000 on the operator of the website, of which all but $1,000 was suspended.

New Guidelines Released for Mobile App Privacy Policies

On October 17, the Mobile Marketing Association (“MMA”) released a set of draft privacy policy guidelines for mobile applications (“apps”) designed to address key data privacy and security issues. Entitled “Mobile Application Privacy Policy Framework,” the draft guidelines provide a “starting point” privacy policy template written in consumer-friendly language with instructions for adapting the template to specific apps.

The guidelines provide a helpful tool for informing app users of the type of information that the app obtains and how that information is used, with sections devoted to both user-provided data and automatically collected information. The guidelines also address the collection and use of “precise” real-time location information, an issue that has garnered much media attention (and increasing regulatory scrutiny) due to the popularity of new location-based services. Finally, the guidelines also address other critical app areas, including:

  • Third-party access and use of consumer data;
  • Advertising (including the use of mobile advertising networks);
  • Consumer consent and opt-out rights;
  • Data retention;
  • Children’s Online Privacy Protection Act (“COPPA”) compliance;
  • Security and confidentiality safeguards; and
  • Future changes to the policy.

The guidelines are a response to data privacy and security concerns brought about by the skyrocketing consumer demand for and usage of apps, which have exploded in the last few years. For example, although the iTunes Store and Android Market only opened in 2008, today more than 1.2 million apps are currently available from multiple app stores on various operating systems. And consumers have downloaded more than 10 billion mobile apps to date.

Hogan Lovells represented the Future of Privacy Forum, a member organization of the MMA Privacy & Advisory Committee, which developed the guidelines. According to MMA, the draft guidelines are the first in a series of privacy policy materials that the organization is planning to develop.

Comments on the draft guidelines are due November 18, 2011. After that date, the guidelines will be finalized and released publicly.

France Implements EU Requirements for Data Breach Notification, Audits and Cookies Applicable to Electronic Communications Service Providers

This entry was drafted by Winston Maxwell and Lionel de Souza.

On August 26th, France published a Presidential Order (Ordonnance) that implements the November 25, 2009 package of EU telecoms directives. The Ordonnance contains measures on data breach notifications, data security audits and cookies. These measures are limited to providers of electronic communications services and therefore are not, for the time being, applicable to all data controllers.

Data Security Breaches.    All providers of public electronic communications services are required immediately to inform the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL) of any data security breach.  A data security breach is defined as "any security breach that results accidentally or in an illicit manner in the destruction, loss, alteration, disclosure or unauthorized access to personal data which is processed in the context of the supply to the public of electronic communications services." The Ordonnance does not contain any materiality threshold. Consequently each and every breach, no matter how small, must be reported to the CNIL. Every provider of public electronic communications services must also keep a journal of data breaches, indicating the details of the breach, its effect and the remedial measures taken. The journal must be shown to the CNIL on request. 

Notification to data subjects: if the data breach "can adversely affect the personal data or privacy of a subscriber or other individual, the operator must also immediately inform the interested party." However, this notification requirement can be waived if the CNIL finds that "appropriate protection measures were taken by the provider to ensure that the data are incomprehensible to any unauthorized person and such measures were applied to the data concerned by the breach." The Ordonnance contains no materiality threshold here either. Yet the Ordonnance states that the CNIL can, "after examining the seriousness of the breach, order the provider also to inform the interested party." This provision suggests that there may in fact be a "seriousness" threshold after all in connection with notifications to data subjects, but that the decision would be the CNIL's and will certainly depend on the reactivity and containment measures demonstrated by the service provider.

Sanctions: The criminal sanction for failing to notify data breaches is up to 5 years in prison and a three hundred thousand euro (300,000 €) fine. The sanction is in line with other criminal sanctions for failure to comply with French data protection legislation. With regard to the fine, it should be noted that the maximum sanction for companies is multiplied by five (5), thus bringing the maximum sanction to up to one and a half million euro (1,500,000 €).

Security Audits. The Ordonnance empowers the French government to order security audits of any operator's networks, systems and services. The operator must bear the cost of the audit, and must give the government approved auditors access to all relevant equipment and to the operator's "documents relating to its security policy." A future decree will be adopted to provide details on these requirements. However, one takeaway from this new provision is that operators should probably conduct preventive data and network security audits and make sure their security policies are up to date and applied.

Cookies. Implementing the revised ePrivacy Directive, the Ordonnance provides that users of electronic communications services must not only receive clear information about the use of cookies and tools available to block them (this was already a requirement under French law), but also that users give their consent before the cookies or similar measures are implemented. The Ordonnance states that "the consent can result from appropriate parameters in [the user's or subscriber's] connection system or any other system under [the user's or subscriber's] control." This suggests that browser settings might constitute sufficient prior consent, although the recent Article 29 Working Party opinion on consent (Opinion 15/2011) appears to take a different view.

As before, an exception exists for cookies that are designed to facilitate the communication, or that are strictly necessary for the provision of the Internet application or service requested by the user.

European Cookie Legislation: Pragmatic advice for five jurisdictions

Hogan Lovells privacy lawyers from five European jurisdictions have published an overview of privacy rules applicable to Internet cookies in Europe. The new rules, which flow from a recent amendment to the European E-Privacy Directive, are not yet settled in all European Member States. This overview provides practical guidance on how to comply with the new prior consent rules that will apply in the United Kingdom, France, Germany, Italy and Spain.

Article 29 Working Party Guidelines on Consent will Lead to More Pop-ups

On July 13, 2011, Europe’s Article 29 Working Party issued an opinion on the notion of consent and how it should be interpreted and used under European data protection laws. The guidelines are in large part a compilation of recommendations previously made by the Article 29 Working Party for particular forms of processing, such as collection of patient data for electronic health records, transfer of data to third parties, processing of passenger name records, etc. The guidelines also draw on case law of the European Court of Justice, including an important decision in the field of employment law interpreting what constitutes a valid consent of an employee. 

What emerges from the guidelines is first that data controllers should be wary of relying too much on consent as a basis for processing, particularly when other justifications for the processing may suffice under the directive. It is tempting in some cases to apply a “belt and suspenders” approach by asking data subjects for their consent even when another legal justification for the processing would suffice by itself. The guidelines point out that requesting consent in these circumstances might be a “false good solution”, and create awkward situations when a consent is withdrawn while the data controller still has legitimate grounds to pursue the processing of data.

Another important lesson that emerges from the consent guidelines is that consent must be sufficiently granular to show that the individual specifically gave his or her consent to each type of processing that is envisaged by the data controller. According to the Article 29 Working Party, a general consent to any and all transfers to unspecified third parties would not be sufficiently specific to constitute valid consent. The Article 29 Working Party pointed to the 2010 opinion of the Advocate General in a case involving agricultural funds in Europe, in which the Advocate General held that a broad consent in the fund’s terms and conditions was not sufficiently precise to conclude that the beneficiary of the fund had given unambiguous consent to the publication of his or her name.

Another conclusion that we can draw from the guidelines is that silence or the failure to act can never be considered valid consent. The Article 29 Working Party heavily relies on the notion of "indication" of the data subject's wishes, which is featured in the definition of consent laid out by the 1995 Directive, to conclude that positive action would be required to demonstrate consent.  Consequently the sending of an e-mail to a consumer informing him or her of changes to the privacy policy or stating that the processing of his/her data will be undertaken unless he/she objects within a defined period of time would not be sufficient to constitute the consumer’s consent to the new policy or the contemplated processing. The consent would have to be evidenced by an affirmative clicking of a box or any other relevant positive act. Similarly, the Article 29 Working Party states that browser settings in themselves cannot constitute valid consent. This raises questions in the context of the new European rules requiring prior consent to cookies. Some Member States are studying the extent to which browser settings can be used as a manifestation of prior consent to cookies.

The guidelines helpfully remind us also that consent can, in some cases, be implicit. For example, if an online merchant asks a consumer to provide personal information and the consumer provides it, the consumer will have implicitly consented to the merchant’s use of that information in order to process orders and deliver the goods and services ordered by the consumer. There is no need for a separate consent because the purpose for which the consumer provided the information is obviously to permit the merchant to provide the online goods and services and such processing is therefore reasonably expected by the consumer. On the other hand, if the merchant wishes to use the data for another purpose, such as selling behavioural advertising, a separate specific consent would be needed. 

From a general and practical standpoint, implementing the rules as foreseen by the Article 29 Working Party will, in many instances, require companies to initiate a complete review of the conditions under which they use consent to evaluate whether other grounds are available to legitimize their processes and whether consents they have obtained present a sufficient level of granularity to provide accurate and satisfactory information for data subjects. For online service providers, European requirements for consent will lead necessarily to multiple pop-up windows and separate check-the-box consent options. The more granular and affirmative each consent is, the more likely it is to be valid. On the other hand, grouping all data protection consents together in the terms of use is likely to prove risky in light of the Article 29 Working Party guidelines and applicable case law.

UK Issues Guidance on Obtaining Consent for the Use of Cookies

Quentin Archer in the Hogan Lovells London office prepared this entry.  

Few topics in the world of EU data protection have generated so much debate, and so little understanding, as the change to the law on cookies. On 9 May the UK Information Commissioner issued some guidance on the new law, but anyone expecting clear instructions on how to achieve compliance will be very disappointed.

In essence, the change in the law is simple. The Privacy and Electronic Communications Directive of 2002 provided that users should be given clear information about cookies as well as an opportunity to opt out of them. Under the 2009 amendment to the Directive, which Member States are to implement by 26 May, users must give their consent to the storage of the cookie on their terminal equipment. Cookies employed for the sole purpose of carrying out the transmission of a communication over an electronic network, or which are strictly necessary for the provision of a service requested by a user, are exempt.

But how can consent be given? The Directive suggests in a recital that browser settings may be used, but does not mandate this, and largely leaves the question of the method of obtaining consent up to Member States. In recent months there has appeared to be a degree of brinkmanship amongst EU regulators, with everyone wanting to see how others would achieve implementation in practice. The UK regulations published last week (snappily titled the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) state that consent may be signified by browser settings, but the problem is that at present most browser settings are not sophisticated enough to allow a website owner to ensure that consent has been given.

In his guidance the Information Commissioner says that it is the responsibility of the website owner to determine how consent will be achieved. He expects owners to review cookie use. Some cookies may be “strictly necessary” for the receipt of a service being provided by means of a website, so will not require specific consent. Some will not intrude on the user’s privacy, so while they may fall under the terms of the new law they may not deserve priority attention. Potentially intrusive cookies should be examined to determine whether they are really necessary for the business of the website owner and, if they are, plans should be drawn up for obtaining the necessary consent from each user.

If browser settings cannot be used, then the website might be modified so that a pop-up window with a tick-box appears the first time a cookie is used, although the Commissioner recognises that this could be irritating. As an alternative, terms and conditions could be changed, allowing a whole set of cookies to be accepted at the same time, but there would need to be clear information provided to the user as well as a clear mode of giving consent – previous consent to future changes (e.g. the ubiquitous provisions allowing website owners to make changes to their terms from time to time) would not be enough. Other times for obtaining consent are where the user is setting up preferences for use of a site, or selecting features that he or she wishes to enjoy.

Nothing more specific than this is likely to emerge in the short term. The Commissioner says that he will be keeping the situation under review and will consider issuing more detailed advice, if appropriate, in the future. His message to website owners is that “we do not intend to issue prescriptive lists on how to comply. You are best placed to work out how to get information to your users, what they will understand and how they would like to show that they consent to what you intend to do. What is clear is that the more directly the use of a cookie or similar technology relates to the user’s personal information, the more carefully you need to think about how you get consent.”

The Commissioner has not yet published his guidance on enforcement of the new law, but his current policy is clear. If an organisation has considered the new law and has drawn up a realistic plan to achieve compliance then it will be treated with much more leniency in the event of a complaint than an organisation which (for whatever reason) has done nothing.

There are other changes coming on 26 May in the UK, some of which are caused by amendments to existing EU Directives. The Commissioner’s powers to serve monetary penalties of up to £500,000 are extended to cover direct marketing activities. The Commissioner will be able to require telecommunications companies and ISPs to provide him with information that he needs to investigate breaches of the Privacy and Electronic Commerce Regulations. The same bodies will also be required to notify the Commissioner and their customers in certain circumstances when a data breach occurs (the first time such laws have become compulsory in the UK). But it’s cookies which continue to grab the headlines.

Court Finds NebuAd Users Gave Valid Consent to Monitoring

In 2008, when several network operators began experiments with behavioral advertising firms NebuAd and Phorm, privacy advocates cried foul, arguing that network operators should never be allowed to monitor traffic for advertising purposes because the threats to privacy are too great.  In testimony before the U.S. Congress, some network operators retorted that what certain network operators and NebuAd proposed to do is similar to what large Internet advertising networks already do when they plant cookies on users' terminals to track behavior.  Why should network operators be held to a different standard than advertising networks at the edge of the network? 

Everyone agrees that monitoring online behavior can constitute a serious violation of privacy, and that user consent is critical. But what kind of consent: opt-in or opt-out? In Europe the recently amended e-Privacy directive appears to require an opt-in regime for cookies, but many wonder how an opt-in regime can work in practice. The 2008 NebuAd and Phorm turmoil did not focus on consent but on whether behavioral advertising can ever be done by network operators, regardless of the users' consent. For some, it is unthinkable that network operators could get into the behavioral advertising business, regardless of the safeguards put in place.

One of the telecom operators who experimented with NebuAd in 2008 was sued in federal court for illegally monitoring user traffic.  Users brought a class action for illegal interceptions and invasion of privacy.  On December 13, 2010 a U.S. District Court in Montana held that users of the network had consented to the operator's use of NebuAd monitoring technology.  The court found that the operator "gave Plaintiffs specific notice of when the NebuAd Appliance trial would commence and provided a link for its customers to opt out of the NebuAd Appliance if they so chose."  It is not clear in the decision whether users got individual e-mails, or whether the specific notice was only posted on the operator's website.

The court held that user consent adequately covered the monitoring activities, but that the consent may not have been sufficiently broad to cover alleged modifications made to users' computer settings by the cookies sent by the NebuAd appliance.  The court therefore allowed these issues to go to trial, while dismissing most of the other claims against the network operator.

The NebuAd case focuses the debate on whether valid consent was given or not.  In France there are debates about whether ISPs may in some circumstances block certain kinds of content.  Staunch net neutrality advocates argue that operators should under no circumstances be allowed to monitor, slow or block certain content, unless they are ordered to do so by a court.  But in fact there are other circumstances where operators can legitimately monitor traffic: reasonable network management of course, but also cases where the user has unambiguously consented.  If adequate consent is given, operators could install tools to limit access to certain content, or even offer discounted Internet subscriptions to users who agree to be monitored for targeted advertising purposes. In Europe, this kind of regime already exists for location-based services provided by mobile operators: operators are allowed to use precise location information generated by their network to provide value-added services to subscribers, as long as the subscribers consent in advance and have an easy way to opt out.

In the context of the current focus on improvements to privacy protection, adequate safeguards need to be put in place to ensure that the tools installed by operators are not misused, and do not collect or store any more data than is necessary.  Data minimisation and anonymisation are key, and can be achieved through privacy by design. 

The NebuAd case confirms that there need not be any distinction between a network operator and a service provider at the edge of the network providing targeted advertising. In both cases, there exist potential privacy risks for the user. The key issue is what kind of consent is sufficient for these potentially invasive monitoring tools to be used, and what kind of privacy protections should be integrated into the technology through privacy by design.

European Data Privacy Supervisor Issues Press Release on ePrivacy Directive

ePrivacy:  On 9 November, the European Data Privacy Supervisor (EDPS) issued press release 09/13 on the ePrivacy Directive, which will be amended soon as part of the E-Communications Regulatory Framework.  The EDPS is an independent body responsible for data privacy within EU institutions.  As would be expected, it takes an expanded view of data privacy, because that is its sole focus and responsibility.  The EDPS titled its press release as “improvements on security breach, cookies and enforcement, and more to come.”  It expanded on this theme with the following: 

  • For the first time in the EU, a framework for mandatory notification of personal data breaches.  Any communications provider or Internet service provider (ISP) involved in individuals’ personal data being compromised must inform them if the breach is likely to adversely affect them.  Examples of such circumstances would include those where the loss could result in identity theft, fraud, humiliation or damage to reputation.  The notification will include recommended measures to avoid or reduce the risks.  The data breach notification framework builds on the enhanced provisions on security measures to be implemented by operators, and should stem the increasing flood of data breaches;
  • Reinforced protection against interception of users’ communications through the use of - for example - spyware and cookies stored on a user’s computer or other device.  Under the new Directive users should be offered better information and easier ways to control whether they want cookies stored in their terminal equipment;
  • The possibility for any person negatively affected by spam, including ISPs, to bring effective legal proceedings against spammers; and
  • Substantially strengthened enforcement powers for national data protection authorities.  They will for example be able to order breaches of the law to stop immediately and will have improved means of cross-border cooperation.

These provisions could impose substantial new requirements for industry.  The data breach requirement in particular could lead to heightened security for all companies – after a 26 October seminar on data breach protection, the EDPS stated: 

data controllers, together with other stakeholders, [must] adopt proper risk management in order to appropriately mitigate the risk of such breaches.  It was stressed that this will not only require technological solutions but also organisational measures, including increasing the responsibility of the highest management levels of entities concerned.  They should also promote the development of adequate safeguards and facilitate a more transparent distribution of responsibilities.

In light of this emphasis on the new provisions, it will be necessary in the near term to consider company procedures on data protection and breach notification, to the extent that a company or its affiliates provide public electronic communications services.

EU ePrivacy Directive and Cookies: The Consent Requirement May Not Be as Broad as Believed

The Wall Street Journal has reported that “the Council of the European Union has approved new legislation that would require Web users to consent to Internet cookies.”   But it is not quite as clear-cut as that quote suggests.  The consent requirement relates to cookies that collect personal data -- an important qualification -- and some cookies appear to fall outside of the consent requirement.

Last week the Council of the European Union and the European Parliament reached an agreement on the EU telecom reform, as a result of which the ePrivacy Directive is expected to be amended shortly. Following adoption of the revised ePrivacy Directive, the EU Member States have 18 months to transpose the Directive’s provisions into their national legislation. One of the proposed amendments that has recently triggered the attention of several commentators on both sides of the Atlantic is the so-called “cookie law”.

The new ePrivacy Directive will include a provision requiring the EU Member States to ensure that “the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing”.

There is no doubt that this provision intends to cover the use of cookies, even if the provision does not specifically refer to cookies. Moreover, the Article 29 Working Party has earlier expressed the view that the “neutral” wording chosen is not limited to cookies but implies any other new technology that could be used to track users’ behavior using their browser.

The specific reference to the EU Data Protection Directive (95/46/EC) is important because it limits the consent requirement to personal data, as opposed to other types of information. In the opinion of the Article 29 Working Party as well as many data protection authorities throughout the EU, persistent cookies containing a unique user ID are personal data and therefore subject to applicable data protection rules. Arguably some cookies (or similar technologies) may not meet these criteria and therefore fall outside the scope of the law.

As far as the consent requirement is concerned, the law is not entirely clear on how and when to obtain consent. The new provision does not explicitly refer to “prior” consent, but the use of the past tense (“has given”) suggests that the European legislator wanted to make sure that users are offered an opportunity to refuse cookies and the like before these are delivered to users’ computers.

So how will consent have to be obtained in this specific context? Although the jury is still out on this question, the recitals of the legislative proposal include the following, perhaps interesting suggestion: “where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application”.

Earlier this year, the Article 29 Working Party strongly objected to the idea of using default browser settings as a means to provide consent. Concerned about the possible erosion of the definition of consent and a subsequent lack of transparency, the Article 29 Working Party opined that: “most browsers use default settings that do not allow the users to be informed about any tentative storage or access to their terminal equipment. Therefore, default browser settings should be “privacy friendly” but cannot be a means to collect free, specific and informed consent of the users, as required in Article 2 (h) of the Data Protection Directive. With regard to cookies, the Working Party is of the opinion that the controller of the cookies should inform its users in its privacy statement and may not rely on (default) browser settings”. In light of the recitals approved by the Council and the Parliament, it would perhaps be useful if the EU data protection authorities could reach a consensus (and subsequently provide guidance) on this issue.