German DPAs Issue Rules for Cloud Computing Use

The German data protection authorities on September 26, 2011 adopted an "Orientation guide – cloud computing."  The guide sets out mandatory and recommended content for any agreement between German users of cloud computing services (“customers”) and cloud computing service providers. It highlights the customer's responsibility for full compliance with German data protection requirements for the cloud. Based on this orientation guide, customers and providers will have to review existing agreements in the German market.

Privacy and data protection compliance has been a challenging and unclear issue for cloud computing customers and service providers. The new German "orientation guide", adopted by the Munich conference of the German data protection authorities, gives clear guidance to cloud computing service providers and their customers in the German market. Privacy practitioners can expect that German DPAs will refer to this guide when addressing situations that raise close questions about the application of data protection laws to cloud computing.

Full control by the customer

The guide emphasizes that German cloud computing customers are data controllers and therefore are responsible for the "cloud's" compliance with all data protection requirements under German law. This means the customer needs to know the identity not only of its immediate cloud computing service provider, but of all sub-processors involved in the cloud computing services. The agreement with the immediate cloud computing service provider must contain duties to disclose these sub-processors, and certain core elements of compliance, such as technical and organizational security measures, audit and control rights vis-à-vis such sub-processors, and all locations of data processing. The customer is required to safeguard data subjects' rights. Examples of how this is achieved include having liquidated damages and penalties in the cloud agreement, and ensuring that data subjects' rights (for instance the right to access, to correct or to have the data deleted) are observed by all cloud service providers. To the extent that the service also includes locations outside the European Economic Area (EEA), the customer may not rely solely on the EU Model Clauses, but must enter into an additional data processing agreement with control and audit provisions, which are mandatory under German data protection law.

Sensitive data in the cloud

The guide gives specific attention to sensitive data. Under German data protection law, the transfer of sensitive data such as health data, trade union affiliation, or religious beliefs cannot be justified by a balance of interests test (see, e.g., Art. 7(f) of the EU Data Protection Directive, which provides a legal basis for processing non-sensitive data as necessary for a controller's legitimate interests unless those interests are outweighed by the fundamental rights and freedoms of the data subject; see also § 28 of the German Federal Data Protection Act). Instead, the transfer of sensitive data can only be justified by the data subject's consent or other very specific exceptions. For any intra-EEA cloud, this is not an issue, since an EEA-located data processor following the data controller's instructions is not considered a third party to which data are transferred. The case is different for any provider located outside the EEA: such a provider is a "third party" to whom the personal data are "transferred", and thus any use of such a cloud for sensitive data cannot be justified by a balance of interests.

Safe Harbor and the cloud

The German DPAs are repeating their careful approach to Safe Harbor certifications. A customer may not rely solely on the service provider's assurance with regard to any Safe Harbor certification. Instead, the customer needs to verify the validity and the applicability (for the relevant type of data) of the provider's Safe Harbor certification, at least on the Safe Harbor website. If the customer wants to transfer employee data to the U.S. in the cloud computing environment, the customer also has to verify that the service provider has agreed to cooperate in investigations by, and to comply with the advice of, competent EU authorities. This requirement is reflected in the Safe Harbor FAQs (question 9, section 4).

Relevance of technical safeguards

The guide deals in detail with technical issues, security measures and the specific threats to data protection principles posed by cloud computing services. The guide repeatedly addresses transparency for customers and data subjects regarding the location of the data processing and the identity of the service providers involved (including subcontractors). The guide highlights the problem of reliable deletion of data in view of the vast storage resources of cloud computing service providers, regular back-up services, and the ease of copying and globally transferring data over broadband networks. The guide emphasizes that personal data of different clients need to be securely separated. The guide also raises the concern of potential access to personal data by state authorities beyond what is accepted in the EEA, and views this as a relevant consideration for a customer when deciding on a service provider. Customers need to address security against illegal access to the data, but also the portability of the data in case of their service provider's insolvency or in case of termination of the contract.

Conclusion

The guide does not contain revolutionary approaches to the difficult question of how to reconcile the benefits of cloud computing with the legitimate objective of ensuring compliance with German data protection requirements. However, it is a clear statement that German DPAs do not compromise on their sometimes very strict requirements, even for globally standardized services. The guide supports the role of intra-EU/EEA cloud computing service providers and of those services that are reliable and highly transparent regarding the location of the data processing and the identity of any subcontractors used in these services.

Both customers and providers of cloud computing services with an interest in the German market should now review their standard agreements for compliance with the requirements published by the German DPAs.

The paper, published in German, can be found here.

Collection and use of personal data for direct marketing -- Lessons from the Octopus Case in Hong Kong

Data protection is currently a hot topic in Hong Kong. This is largely due to the furor caused by the discovery of the large-scale sale of personal data by Hong Kong's Octopus Rewards Limited (a company owned by Octopus Holdings Limited) over a number of years. We reported previously that the Hong Kong Privacy Commissioner launched an investigation into Octopus Rewards Limited and Octopus Holdings Limited. In October the Hong Kong Privacy Commissioner issued his final report on the sale of personal data by Octopus for the purposes of direct marketing. A Guidance Note providing practical guidance on compliance with the requirements under the Personal Data (Privacy) Ordinance (the "Ordinance") relating to the use of personal data for direct marketing was published on the same day.

On 18 October 2010 the Constitutional and Mainland Affairs Bureau (the "CMAB") published a consultation paper which summarises the responses to the consultation of the review of the Ordinance undertaken last year and puts forward the current proposals for reform. The CMAB has proposed 37 amendments to the Ordinance and the public are invited to comment on the proposals until 31 December 2010.

The Octopus case

As outlined previously in this blog, Octopus Holdings Ltd. and its related companies including Octopus Rewards Limited (collectively referred to as "Octopus") operate the Octopus card, which is an electronic stored-value payment card used by Hong Kong residents for public transport, fast-food restaurants, parking, convenience stores and supermarkets.

The Privacy Commissioner's investigation was focussed on the use and collection of personal data in relation to a rewards program that is linked to the Octopus card, whereby card holders may earn reward cash every time they make purchases with their Octopus cards at selected business partners ("Rewards Program"). Card holders must register with Octopus in order to take advantage of the Rewards Program and were requested to supply a broad range of personal information on the registration form (some of which was required for the application to proceed).

Octopus provided the personal information of almost 2 million card holders to six business partners for direct-marketing over nearly eight years, earning the company HK$44 million in revenue.

Findings of the Privacy Commissioner

On 18 October 2010, the Privacy Commissioner issued his final determination on the matter. In his report, the Privacy Commissioner found that, as the personal data was collected in connection with a rewards program whereby customers benefit from the redemption of goods and services in addition to direct marketing offers, the purpose of collecting personal data under the Rewards Program was lawful. However, the Privacy Commissioner found that Octopus had breached two of the six Data Protection Principles set out in the Ordinance.

Data Protection Principle 1 ("DPP1") relates to the purpose and manner of collection of personal data and clearly states that data should only be collected if it is necessary and not excessive for a lawful purpose directly related to the activity of the data user. DPP1 also requires that where personal data is collected from the data subject, he or she should be informed of: (i) the purpose of collection; (ii) the classes of persons to whom the data may be transferred; (iii) the right to, and practicalities of, access to the data; (iv) whether it is obligatory to supply the data; and (v) if so, the consequences of not doing so.

The Privacy Commissioner found that while the data was collected by Octopus for a lawful purpose, the collection of data such as Hong Kong identity card number, passport number, birth certificate number, and month and year of birth was excessive for the purpose of customer identification. It was found that Octopus could have conducted customer authentication using less intrusive data (e.g. name, telephone numbers and home address), and accordingly Octopus was held to have contravened DPP1.

Further, the Privacy Commissioner found that Octopus did not take all reasonable steps to inform its customers of the classes of persons to whom the personal data may be transferred (thereby contravening DPP1). This was partly attributable to the fact that classes of transferees were referred to in vague terms such as "any person who is under a duty of confidentiality to us", and partly because the Personal Information Collection Statement ("PICS") was printed in unreasonably small font.

The Privacy Commissioner also held that Octopus contravened Data Protection Principle 3 ("DPP3"). DPP3 relates to the use of personal data and requires that personal data should only be used for a purpose directly related to the purpose for which it was collected, unless the data subject expressly consents to another use. DPP3 was breached because customers' personal data was shared with business partners for monetary gain without the consent of Octopus's customers, as the sale of personal data was not stated as a purpose of data collection in the PICS published by Octopus in relation to the Rewards Program. The sale of personal data is not prohibited by the Ordinance as such and can be a legitimate purpose for which data is collected but this has to be made clear at the time the data is collected. In the present case the Privacy Commissioner held that the "sale of data" may not be considered to be the purpose of the data collection (or a directly related purpose). Therefore Octopus was found to be in breach of DPP3.

A further interesting finding of the investigation was that Octopus Holdings was held liable for the acts of its subsidiary Octopus Rewards, the Octopus entity that operated the Rewards Program.

Under the Ordinance as it currently stands, a breach of a data protection principle is not an offence, and the only action the Privacy Commissioner may take is to serve an enforcement notice on a party that is found to be contravening the Ordinance. Only in the event that a party contravenes an enforcement notice will it be penalised. The Privacy Commissioner, however, found that he could not issue an enforcement notice, as Octopus had ceased or suspended all arrangements with business partners to sell customers' personal data and had undertaken to implement various changes to its practices in relation to the collection and use of personal data, in order to comply with the requirements of the Ordinance.

Proposals for reform

As we reported previously in this blog, the CMAB published the Consultation Document on the Review of the Personal Data (Privacy) Ordinance (the "Consultation Document") on 28 August 2009, and received public comments on the proposed amendments until 30 November 2009. 

The CMAB published the Report on Public Consultation on Review of the Personal Data (Privacy) Ordinance (the "Report on Public Consultation") on 18 October 2010 and the public are invited to provide comments on the proposed amendments until 31 December 2010. The Report revealed that the Government has adopted 37 of the 55 amendments proposed in the initial Consultation Document, including amendments relating to direct marketing, data security, statutory powers and functions of the Privacy Commissioner, offences and sanctions and rights of data subjects.

As a result of the Octopus case, a number of further amendments have been proposed specifically dealing with the transfer of personal data for direct marketing purposes. These would require a data user to communicate a clear Personal Information Collection Statement outlining its intent to use the personal information for direct marketing and clearly identifying the class of transferees and the kinds of data to be transferred, and would require the data user to provide an opt-out function for people who do not wish their personal information to be used for direct marketing. A further amendment is proposed which would make it an offence if a data user failed to comply with the requirements of the Ordinance in relation to direct marketing and subsequently used the personal information for direct marketing.

Guidance Note

On the same day the final report came out, the Privacy Commissioner issued a guidance note entitled "Guidance on the Collection and Use of Personal Data in Direct Marketing" (the "Guidance Note"). The Guidance Note is designed to provide practical guidance on direct marketing.

The Guidance Note replaces the Fact Sheet on "Guidelines on Cold-Calling" and the Guidance Note on "Cross-Marketing Activities" previously published by the Privacy Commissioner. The Guidance Note covers a number of issues which have been included in the latest round of proposed amendments to the Ordinance, but also provides guidance on compliance with the Ordinance as it currently stands. It is expected that the Privacy Commissioner will either revise the Guidance Note or replace it with a new Code of Practice, if and when the proposed amendments are adopted.

The Guidance Note sets out, among other things, the following requirements:

  • Collection of personal data for direct marketing should be related to the original purpose of data collection
  • Personal data should not be excessively collected (name and contact details should generally be sufficient for the purposes of direct marketing)
  • Collection of additional personal data for direct marketing should be voluntary (and the data subject should be informed of the voluntary nature of collection)
  • Personal data should not be collected using deceptive/misleading means (e.g. bundled consent)
  • The PICS should be effectively communicated to the data subject (taking into account layout, presentation, language etc.)
  • The purpose of use of personal data and the classes of transferees should be clearly defined using specific terms. Terms such as "such other purposes as the Company may from time to time prescribe" should not be relied upon to cover direct marketing as a purpose of collection. Similarly, terms such as "such other agents as the Company may from time to time appoint" or "all business partners" should not be used when defining the classes of transferees.

The Guidance Note also contains recommendations relating to the use of personal data from public registers; managing and maintaining opt-out requests; direct marketing activities conducted by agents, contractors and business partners; and the sale of personal data to third parties for direct marketing purposes.

The Octopus case has exposed dubious and lax data protection practices adopted by many companies in Hong Kong. In response to a request from the Privacy Commissioner, the financial regulator, the Hong Kong Monetary Authority ("HKMA"), issued three circulars between 12 August 2010 and 25 October 2010. The circulars restate recommendations made by the Privacy Commissioner in relation to the collection and use of personal data in the wake of the Octopus case. The HKMA has requested that all approved financial institutions in Hong Kong undertake reviews of their privacy policies and suspend all transfers of data to unconnected third parties for marketing purposes, until legal advice on this has been sought and discussed with and approved by the authorities.

So where to now? The Ordinance is set for a review, and for now all data users in Hong Kong are advised to revamp their personal data policies and take heed of the advice provided in the Guidance Note if they use such data for direct marketing.

Gabriela Kennedy (Partner) (gabriela.kennedy@hoganlovells.com) and Heidi Gleeson (Registered Foreign Lawyer), Hogan Lovells, Hong Kong.

UK's ICO Issues Code of Practice on Online Privacy

This month saw the launch of the ICO's first code of practice on online privacy, following extensive consultation earlier in the year. The code provides good practice advice for organisations providing goods and services using the web and explains how the Data Protection Act applies to the collection and use of personal data online.

The code is divided into the following seven chapters, and also includes a helpful annex and glossary of terms for those less familiar with online jargon. You can read on to see our summarised highlights of the code, but we also recommend reading the full guidance document on the ICO website, through the link provided above. It should be of particular interest to businesses engaged in behavioural advertising, online sales and cloud computing.

1. About this code

There is no legal requirement to adhere to the code, so organisations cannot be penalised for failing to follow the guidance it contains; only breaches of the DPA are actionable by the ICO. However, the ICO encourages all organisations, from electronic service providers to small online businesses, to use the guidance and to give individuals easier ways to manage their online choices and protect their privacy. Anticipated benefits of using the code include:

• Improved levels of trust and relationships with customers;
• Increased public confidence in the way their information is handled and retained;
• Minimised risk of data breaches and enforcement action by the ICO; and
• Reduced risk of customer questions, complaints and disputes over data use.

2. How does the DPA apply to information processed online?

The ICO understands that personal data will be processed online, as information is collected and analysed to distinguish one individual from another, to sell them a product, or perhaps to direct them to other websites or advertisements. Data processing, as defined by the DPA, can take place even if there are no obvious identifiers such as names or addresses. In the context of online processing, non-obvious identifiers such as cookies or IP addresses are linked to devices (such as home PCs) that may be used by multiple users. In such cases, the ICO advises that even if it is not possible to identify the actual user of the device, the data should still be treated as personal data. Accordingly, the DPA principles of keeping that data secure, protecting it from inappropriate disclosure and being open about its collection and use will apply.

Data should only be processed if it is necessary and can be justified. The ICO suggests that individuals should not be asked to give their personal data too early, as this may be off-putting and intrusive. Instead, organisations should wait for individuals to interact with them, by requesting details of their services or loyalty schemes, for example. This will make it easier for organisations to seek consent and to legitimise their data processing.

The code also gives updated guidance on the retention and disposal of personal data, with this link to the National Archives guidance on retention schedules.

3. Marketing your goods and services online

Online advertising is often the subject of bad publicity, but the ICO adopts a sensible approach in the code. This chapter begins with the introduction "Organisations have always used information about their customers to market goods and services to them. This is an established practice that customers have come to expect and are generally happy with."

It is noted that relatively few complaints are made about online behavioural advertising, but individuals often misunderstand the use of technology. As a result, the ICO advises organisations to:

• be open about the marketing techniques they use;
• make individuals aware of the options they have to opt out of marketing, including the use of web browser settings; and
• give clear and simple explanations.

Organisations are also reminded of the need to observe other laws (such as the Privacy and Electronic Communications Regulations), industry rules and other codes of practice on marketing, for example those issued by the Direct Marketing Association and the Advertising Standards Authority.

4. Privacy choices

Individuals may also be unfamiliar with the privacy settings available to them online. The code states that people often simply do not understand privacy settings and may not know how or where to find them. Although the code aims to improve individuals' control over their online personal data, if they do not adopt appropriate privacy settings themselves, it can be hard for organisations to do it for them. However, the ICO's view is that it is good practice for providers to set privacy defaults in a way that balances privacy protection and functionality. Individuals should be given choices over access to their information at the time the data are collected. Even if they ignore the options, organisations are expected to set privacy defaults to reflect their likely wishes and expectations.

5. Operating internationally

As the DPA prohibits the transfer of personal data outside the EEA (unless an exemption applies), the code includes a chapter on the difficulties of complying with this principle online and offers advice on the use of encryption and contracts between data controllers and processors. This chapter also contains helpful guidance on cloud computing, where services, such as data storage are provided over the internet.

6. Individuals' rights online

The DPA gives individuals rights to access their data. The ICO interprets this in the code to mean enabling individuals to gain access to their personal data as easily as possible. Although data controllers can charge individuals a fee of £10, organisations are advised to waive or reduce this fee, as limited administration costs are expected online. Furthermore, the 40-day time limit for providing the requested information should be shortened.

7. Things to avoid

The final chapter of the code contains a neat summary on what not to do. Organisations doing business online should avoid:

• being secretive
• not being clear with customers
• collecting information too early, or when it is not needed
• keeping inaccurate or out of date records
• keeping data for longer than necessary
• not respecting individuals' rights
• providing inadequate security
• failing to ensure that data are transferred safely

Second Revision of People's Republic of China Consumer Rights and Benefits Protection Law Includes Data Privacy Rules

This post was provided by Julia Peng of Hogan Lovells' Beijing office.

On 19 October 2010, the People’s Republic of China (“PRC”) State Administration of Industry and Commerce ("SAIC") issued the Second Revision of the PRC Consumer Protection Law (Draft for Comments) (the "Draft Consumer Law"). A significant addition to the Draft Consumer Law is a provision for the protection of consumers’ personal data.

According to Article 14 of the Draft Consumer Law, consumers enjoy the right to have their personal data protected when purchasing and using goods and services. The same article also clarifies the scope of the personal data which is protected. It includes a consumer's name, gender, age, profession, contact details, health condition, family, properties, purchase records and other information closely related to the consumer or their families.

The Draft Consumer Law includes provisions that impose penalties for the improper handling of consumers' personal data. The penalties range from the provision of an apology to damages for both actual loss and emotional distress.

The provisions relating to the protection of consumers' personal data in the Draft Consumer Law represent a significant step towards the setting up of a framework for personal data privacy. The most important aspect is that the scope of the personal data protected is now defined. Secondly, it provides various civil remedies for the mishandling of personal data.

To date, privacy is still not recognised as an independent personal right in the Constitution or the General Principles of Civil Law. Data protection legislation exists in draft in the form of "The Personal Information Protection Law", which was submitted to the State Council in 2005 but has not progressed further. Piecemeal provisions relating to personal data exist in various pieces of legislation, the most recent addition being the new article added to the Criminal Law in 2009, which prohibits the unauthorised sale or disclosure of personal data. However, the new article only covers serious breaches by government officials, or staff members of financial, telecommunications, education and health institutions. It is therefore hoped that the Draft Consumer Law will be an effective tool that catches a wider range of data privacy breaches.

Recent reports indicate that the SAIC is currently reviewing and discussing the Draft Consumer Law. After this review is completed, the Draft Consumer Law will need to be reviewed by the State Council and the National Congress before it can become law.

The Draft Consumer Law (in Chinese) is available at: http://www.315.gov.cn/AttachFiles/20091016100151.doc 

Reform of Hong Kong's Personal Data Privacy Legislation: Public Consultation Period Ends

This post was provided by Gabriela Kennedy and Olivia Lennox-King Stewart of Hogan Lovells’ Hong Kong office.

The Constitutional and Mainland Affairs Bureau (the "CMAB") published a Consultation Document on the Review of the Personal Data (Privacy) Ordinance (the "Consultation Document") on 28 August 2009, inviting comments on the proposed amendments. The consultation period closed on 30 November 2009.

Prior to the Consultation Document being released, the Privacy Commissioner for Personal Data presented to CMAB and the Government the results of his own review of the Personal Data (Privacy) Ordinance (the "Ordinance"). The Consultation Document included some but by no means all of the issues captured in the Commissioner’s review.

In November 2009, the Commissioner released his submissions on the Consultation Paper, responding to the proposals CMAB had formulated. The Commissioner states in his submissions that they were intended to "let the public know more about the issues before making their submissions", and noted that the Government's proposals were "more moderate and conservative than those made by the Commissioner".  

"Sensitive Personal Data"

The Commissioner’s Review had suggested that the definition of "sensitive personal data" under the Ordinance should include data regarding an individual's race or ethnicity, political and religious beliefs and affiliations, physical and mental health, and sexual preferences ("the extended definition"). However, the Consultation Paper instead proposed that only biometric data be considered sensitive personal data at this stage.

In his Submissions in response, the Commissioner noted that the extended definition accords with Article 8 of the EU Directive 95/46/EC, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. In order to be designated as "adequate" under the Directive and allow for uninterrupted data flows with EU member states, the Ordinance must provide a similar level of protection as provided for under the Directive. The Submissions suggest that designation as an “adequate” jurisdiction under the Directive would assist Hong Kong’s growth as a trade and business centre. 

The Commissioner also submitted that given the extent of harm that may arise as a consequence of data in the extended definition being mishandled, it would be appropriate to adopt this wider definition and he urged the CMAB to reconsider the scope of sensitive data.

Regulation of Data Processors

Unlike equivalent legislation in other jurisdictions, such as Australia and Canada, the current provisions of the Ordinance regulate the handling of personal data by data users only, and not by data processors. While the Consultation Paper included the Commissioner's earlier proposal that data users should be obliged to use contractual and other means to ensure that data processors comply with the Ordinance, the Submissions suggested that this control mechanism would not go far enough. Rather than ensuring compliance by self-regulation and internal policy alone, the Commissioner proposed that data processors should be subject to direct regulation under the Ordinance. This would reduce the increasing number of data leakage incidents, many of which have been shown to have resulted from insufficient security safeguards on the part of data processors.

In defence of the decision to exclude data processors from direct regulation, CMAB has raised concerns about the application of the Data Protection Principles ("DPP") to data processors, particularly DPP3, which provides that personal data should only be used for the purposes (or a directly related purpose) for which they were to be used at the time of collection. As data processors are often unaware of the nature or purpose of collection of the personal data they are processing, this principle would be difficult to enforce. The Commissioner responded to this by proposing that the wording of DPP3 be amended to provide, in relation to data processors, that personal data should only be used for the purpose for which the data was entrusted to the data processor.

The Commissioner’s Enforcement Powers

Although many of the Commissioner’s suggestions to increase his own powers of enforcement have been included in the Consultation Document (such as the power to carry out criminal investigations and prosecutions, the power to search premises and seize evidence, and the power to call upon public officers for assistance), CMAB expressed the view that there could be public concerns about giving such wide powers to the Commissioner.

The Commissioner did not accept this view and disagreed on a number of grounds. There are many examples of statutory bodies that have been given the power to investigate and institute criminal proceedings at their own behest. Further, the Commissioner pointed out that the power to prosecute entails only bringing an action and presenting the case before the Court. It does not give the prosecutor the power to determine the culpability of the data user or to impose sanctions; that power is reserved for the judiciary. A member of the public already has the common law right to bring a private criminal prosecution, and the power of the Secretary for Justice to intervene and assume control of any criminal proceedings is an effective safeguard against prejudice to the Secretary’s prosecutorial authority, whether the prosecution is brought by an individual or by a statutory body. The Commissioner nonetheless proposed the inclusion of a provision that the Commissioner’s power to prosecute be subject to the consent of the Secretary for Justice.

Outstanding Issues: s. 33 and Cross-Jurisdictional Data Transfers

One point of discussion throughout the review and consultation process was the fact that s. 33 of the Ordinance was excluded from consideration. Section 33 restricts, subject to certain exceptions, the transfer of personal data from Hong Kong to any jurisdiction that lacks an adequate data protection scheme. It is the only section of the Ordinance that has not yet been brought into force, despite having been on the statute books for the last 14 years. However, with the increasing internationalisation of business, and the ability to disseminate information across the world instantaneously through the Internet, the protection and regulation of cross-jurisdictional personal data transfers has come under scrutiny.

Although the Government had earlier indicated that s. 33 would be part of the Commissioner’s review, it has not been included in the Consultation Document, and comments from both the Government and the Commissioner before and during the consultation period suggest that both are of the view that Hong Kong is not ready for such legislation and that further assessment is needed.

Not bringing s. 33 into force means that there is effectively no statutory restriction on the transfer of personal data to jurisdictions that do not have a data protection regime (most significantly, mainland China). This in turn means that parties wishing to protect personal data transferred to such jurisdictions must rely on (and, in cases of breach, take steps to enforce) contractual terms restricting the use of the transferred data. Unauthorised use of personal data transferred in this way is therefore a matter of contract, rather than of statutory law.

The Government has yet to make an announcement or release any documentation in relation to the submissions made during the consultation period and the Commissioner’s responses to the Consultation Document. Further updates will be forthcoming when the form the legislative amendments take is made public.

Irish Court: IP addresses not personal data

In an April 16, 2010 judgment, the High Court of Ireland decided that a settlement agreement entered into between Ireland's largest ISP, Eircom, and EMI, Sony Music, Universal Music, and Warner Music did not violate Ireland's data protection law. The settlement agreement was signed after the record labels sued Eircom in connection with Eircom's failure to take action to discourage peer-to-peer copyright infringement on its network. In the settlement, Eircom agreed to implement a graduated response mechanism with its customers, pursuant to which Eircom would send warnings to subscribers who had been detected participating in unauthorized file sharing. If a subscriber ignored Eircom's warnings, Eircom would cut off the subscriber's Internet access. This sanction would be applied on a purely contractual basis, based on the subscriber's violation of Eircom's terms of use. The subscribers' identities would never be shared with the record companies or with the police. The detection of illegal file sharing would be conducted by a third-party service provider, DetectNet, which would collect IP addresses and communicate them to Eircom.

The Irish data protection authority believed that the settlement would violate Irish data protection laws. The court was asked to answer three questions:

1. Whether the IP addresses collected by DetectNet are personal data before they are transferred to Eircom.

2. Whether Eircom's processing of personal data for implementation of the graduated response mechanism is legitimate.

3. Whether the personal data processed by Eircom are "sensitive" because they relate to a criminal offense.

For the first question, the court held that the IP addresses in the hands of DetectNet are not personal data, because it is not "likely" that DetectNet would have the means or the motivation to find out the names or addresses of the persons corresponding to those IP addresses. The court said that the word "likely" as used in the Irish law means "probably."

For the second question, the court found that the processing is justified because of the subscriber's consent to Eircom's terms of use, and also because the processing is necessary for the performance of a contract and for compliance with a legal obligation.

For the third question, the court held that the graduated response mechanism deals solely with civil infringement, and not with alleged criminal infringement. Criminal infringement involves an intentional element that is absent from the mechanism implemented by Eircom.

On the IP address issue, I invite readers to look back at the Article 29 Working Party's opinion on the concept of personal data, particularly page 15.

Regarding "graduated response" in general, I invite readers to review a previous update on the French Constitutional Court decision and Gerry Oberst's blog entry on Internet Freedom and Data Privacy.

The Irish decision is creating controversy, particularly as European Member States are debating net neutrality and the proposed ACTA treaty.