Datonomy readers may have had to grapple with the tricky issue of which national data protection law to apply in the context of an online service with a cross-border dimension. They are not alone – the German courts have recently considered the issue in relation to Facebook’s operations.

In April, the German Higher Administrative Court of Schleswig-Holstein ruled that German data protection law does not apply to Facebook’s collection and processing of personal data of users in Germany. Instead only Irish data protection law would be applicable.

The case

The Internet giant faced an order by the Independent Data Protection Authority of Schleswig-Holstein, which wanted to force Facebook to allow German users the use of pseudonyms for the registration and for their profile names instead of the real name. German data protection law obliges website providers to enable this feature to the extent that this is technically possible and reasonable.

The decision

According to the Higher Administrative Court, German data protection law is however not applicable here, as it is Facebook’s Irish affiliate, Facebook Ireland Ltd., that is to be regarded as the relevant establishment for the processing of personal data of users in Germany, regarding the registration and the management of their accounts.

According to Article 4 (1) a) of Directive 95/46/EC, only the data protection law of the Member State in which the controller’s establishment is located is applicable, provided that establishment carries out the relevant processing of personal data in the context of its activities.

The court furthermore stated that Facebook’s German subsidiary in Hamburg, Facebook Germany GmbH, would exclusively operate in the fields of marketing and advert acquisition without having any actual influence on the German user accounts.

Since the requirements of Article 4 (1) a) of Directive 95/46/EC were fulfilled by Facebook Ireland Ltd. and its processing of personal data of German users, the court consequently did not examine the question whether German data protection law could be applied pursuant to Article 4 (1) c) of Directive 95/46/EC, as both provisions are mutually exclusive.

The Higher Administrative Court completed its ruling with additional statements saying that German data protection law only insufficiently implements Article 4 (1) a) of Directive 95/46/EC. The Higher Administrative Court further emphasised that if personal data is processed by an establishment that is not located in an EU/EEA member state, Article 4 (1) c) of Directive 95/46/EC applies and determines the applicable national law.

Finding the applicable law

It is important to highlight that finding the applicable law under Article 4 (1) of Directive 95/46/EC is anything but easy. The directive provides two distinct situations in which the national data protection law of a member state will apply:

  • Article 4 (1) a): If the processing is carried out in the context of the activities of an establishment of the controller on the territory of a member state, the national provisions of that member state apply, regardless of where the controller is established; this can even be outside of the EU/EEA.
  • Article 4 (1) c): If the controller is not established on EU/EEA territory and no relevant establishment in the EU/EEA is involved in the processing of personal data and, for purposes of processing personal data, the controller makes use of equipment, automated or otherwise, situated on the territory of a member state, the data protection law of this member state applies.

However, national data protection authorities in the EU take different approaches when determining the meaning of the term “equipment”. While cookies or other software placed on a user’s PC or smartphone are widely recognised as equipment, different views are taken when it comes to other scenarios. The Article 29 Working Party, for example, interprets the term equipment in a rather broad way, stating that the activities of a processor in a member state could also constitute a “making use of equipment”. Other data protection authorities believe that a non-relevant establishment of a controller can be seen as equipment.

Conclusion and comment

In each case, the determination of the applicable national data protection law regime depends on how personal data are processed and on the particularities of the relevant establishment that is responsible for the processing. Since different national rules impose different rights and obligations on the data controller regarding the processing of personal data, companies should structure their data processing activities thoroughly in order to avoid legal uncertainties.

The Working Party sought to bring some clarity and consistency of interpretation to this difficult area in its 2010 Opinion here. Datonomy and its colleagues at Olswang commented on the Opinion here and here. Could applicable law conundrums become a thing of the past for companies with multinational operations? That is certainly one of the drivers behind the draft General Data Protection Regulation, which seeks to harmonise substantive data protection rules across Europe, and introduce “one stop” regulation by the Member State where the organisation is headquartered. In practice, will differences over substantive rules and local enforcement approaches ever be eradicated? Datonomy readers will have to wait and see!



On 27 February 2013, the Article 29 Working Party (hereinafter “Article 29 WP”) adopted its newest Opinion WP 202 (hereinafter “Opinion”) regarding apps on smart devices. This article summarizes some of the most important statements and guidelines provided by the European data protection authorities.

Applicable law

First of all, the Opinion emphasizes that the Data Protection Directive (95/46/EC) and the ePrivacy Directive (2002/58/EC, as revised by 2009/136/EC) constitute the relevant EU legal framework for the processing of personal data via apps on smart devices and that both directives are imperative laws which cannot be excluded by contractual agreement.

Four main parties

Next, the Opinion identifies four main parties which, depending on the purposes and means of the respective data processing activity, carry different responsibilities:

1. App developers

According to the Opinion, app developers decide the extent to which apps access and process personal data on the device and, to that extent, have to be regarded as data controllers. Their responsibilities can be limited, though, if no personal data are processed and/or made available outside the device.

2. OS and device manufacturers

Operating system (OS) and device manufacturers are considered as (joint) data controllers for personal data which are processed for the manufacturers’ purposes, such as the smooth running of the device or security issues.

3. App stores

App stores are likely to be regarded as data controllers for personal data of users (such as their name, address or financial data) that are processed when the users purchase apps.

4. Third parties

There are various third parties involved in the processing of data through the use of apps, e.g. advertising networks or analytics providers. The Opinion distinguishes between two roles of third parties: one is to execute operations for the app owner. In that case, when acting exclusively on behalf of the app developer, the third party is likely to be operating as data processor. The second role is to collect information via apps and process this information for its own purposes. According to the Opinion, in that case the third party acts as data controller.

Legal ground

The Opinion then examines the legal grounds for handling data in connection with apps. It hereby distinguishes between two main stages of data processing:

1. Prior to installation

According to the Opinion, the user’s consent pursuant to Article 5 (3) of the ePrivacy Directive must be obtained before information may be placed on and/or retrieved from the user’s device. The Opinion points out that this consent requirement refers to any information on the device and applies to every service offered “in the Community”, regardless of the location of the service provider.

In addition, if personal data (e.g. contacts in the address book or pictures) are to be processed before or during the installation of an app, it must also be ensured that the user gives his or her consent pursuant to Art. 2 lit h) of Directive 95/46/EC.

The Opinion points out that both consent requirements are simultaneously applicable and subject to the conditions of having to be free, specific and informed.

2. During usage of the app

When it comes to the usage of the app itself, the legal ground for the processing of personal data may change and be based either on consent or on other grounds such as necessity for the performance of a contract with the data subject (Article 7 lit b)) or necessity for the purposes of legitimate interests (Article 7 lit f) of Directive 95/46/EC).

Other topics covered by the Opinion

In addition to the above, the Opinion also examines other relevant topics regarding the processing of data through apps. This includes an analysis of the fundamental principles of purpose limitation and data minimisation, a review of the security requirements and information obligations, and a discussion of the data subject’s rights, the retention periods and the specific safeguards that must be taken for the protection of children.

Guidelines and information

At the end, the Opinion provides various conclusions and recommendations for each main party. The most important ones are the following:

App Developers must

  • Ask for consent before the app starts to retrieve or place information;
  • Ask for granular consent for each type of data the app will access and allow users to revoke their consent;
  • Be aware that consent does not legitimise excessive or disproportionate data processing;
  • Provide a readable, understandable and easily accessible privacy policy.

OS and device manufacturers must

  • Update their APIs (application programming interfaces) and store rules to offer users sufficient control to exercise valid consent over the data processed by apps;
  • Implement consent collection mechanisms in their OS at the first launch of the app or the first time the app attempts to access personal data;
  • Employ privacy by design principles and ensure the default settings of pre-installed apps are compliant with European data protection law;
  • Provide (by default) user-friendly and effective means to avoid being tracked by third parties;
  • Ensure the availability of appropriate mechanisms to inform and educate the end user before the app installation.

App stores must

  • Comply with their obligations as data controllers when they process personal data;
  • Enforce the information obligation of the app developer, including the types of data the app is able to access and for what purposes;
  • Provide detailed information on the app submission checks they perform.

Third parties must

  • Comply with the consent requirement determined in Article 5 (3) of the ePrivacy Directive when they read or write data on mobile devices;
  • Not circumvent any mechanism designed to avoid tracking;
  • When acting as advertising parties, avoid delivering ads outside the context of the app.

Of course, this overview can only draw attention to some of the relevant statements which the Article 29 WP issued in the Opinion. From a practical point of view, one has to keep in mind that the national authorities generally conform to these European inputs and adopt them within their own field of activity.



With the Bank Holiday weekend fast approaching many Datonomy readers are likely to be taking some work home, checking into emails and looking at other work functions over the break. And the chances are that you will be doing this on a personal device, such as a smartphone, tablet or laptop. As Datonomy readers are no doubt aware, working off your own personal device is an increasing trend known as ‘bring your own device’ (BYOD). In September 2012, Apple’s CEO, Tim Cook, stated that iPads were in 94% of Fortune 500 companies, and tablets represent just one wavelength in the spectrum of technology infusing the workplace.

Along with the potential benefits of BYOD, such as working from your favourite coffee shop with a latte in hand, come increased data protection and data security risks. The Information Commissioner’s Office (ICO) recently commissioned a survey, conducted by YouGov in February this year, which found, rather worryingly for the world of data protection, that fewer than 3 in 10 employees who use a personal device at work are provided with guidance on BYOD, despite the prevalence of these devices in work environments. However, the good news is that this risk can be managed, provided organisations have clear policies.

Naturally, in pole position for championing a comprehensive BYOD strategy to avoid data protection breaches is the ICO, with its first piece of specific BYOD guidance, issued a couple of weeks ago. We assume that most Datonomy readers will be aware of the guidance already but Datonomy’s colleagues have been examining the guidance – you can see the full article on Olswang LLP’s website here.

From a quick straw poll of Datonomy’s European colleagues, it seems the UK is the first to provide specific guidance on this issue. However, the issue is a hot topic around the globe – Datonomy’s colleague Rob Bratby, Partner at Olswang Asia, recently spoke at Questex Asia’s BYOD and Mobile Security conference in Singapore on the subject (see the slides here). And in a post on his Watching the Connectives blog, Rob strongly advocates a holistic approach to BYOD policies, going beyond the legal department – changes must be implemented by senior management, HR, IT services and, crucially, all members of staff in order to be effective.

Datonomy’s correspondents will continue to monitor any developments (on the BYOD landscape) with keen interest from their mobile devices, naturally!



There have been various press reports over the last couple of days on the Irish Presidency’s memo to the EU Council of Ministers on the draft data protection Regulation. The memo has been reported as a watering down of the Commission’s proposals.

The Presidency encourages further consideration of a more risk-based approach to compliance, with an alleviation of some of the burdens of the new Regulation where processing of data is limited or involves pseudonymous data. It has also asked the Council to consider whether the controversial requirement for organisations to appoint a data protection officer could be made optional, with possible incentives in the form of reduced regulation where an organisation does appoint a DPO.

Datonomy’s view is that although the memo is a step in the right direction it is a tentative one which fails to delve into specifics or tackle the more controversial provisions of the draft Regulation. The jury is still out and the votes on the Regulation over the next few months are likely to provide a better guide to where the Regulation will finally land.



In a month that has seen US politicians claim that the US is “losing the war” against international cyber attacks, and yet more household names report hacks on their systems, Datonomy has been looking at the practical obligations that the EU’s proposed new Directive on Network and Information Security could bring for businesses, and considering similar measures which are coming into force in Asia.

As if the escalating levels of threat were not enough (take your pick of this month’s news coverage – how about the “Eight billion hacking attacks a day” headline from ITV here), governments around the globe are proposing new legal obligations and sanctions to compel organisations to get their cyber defences in order and notify the authorities when their systems have been compromised.

The EU officially unveiled its cyber strategy and Directive on Network and Information Security at the start of the month. This was followed on 20 February by the latest progress report from the UK Government (which adopted its own cyber strategy in 2011), including the establishment of the UK’s Computer Emergency Response Team (CERT).

The Datonomy team have been analysing the NIS Directive – see this article for our full analysis, which includes a comparison with the EU’s proposed security and data breach notification obligations under the draft DP Regulation. For Datonomy readers advising organisations on information security and crisis management, this is another important piece of the regulatory jigsaw.

If it is adopted, NIS would apply to public administrations and “market operators”. Market operators are split into two categories:

a) “Providers of information society services which enable the provision of other information society services”. These include: “e-commerce platforms; Internet payment gateways; social networks; search engines; cloud computing services; application stores”. That list is described as non exhaustive.

b) “Operators of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health”. These are detailed more fully (and again, non-exhaustively) in Annex II to the Directive.

The new obligations on these organisations would include the following.

  • Obligation to take “appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations.” This obligation is elaborated on as follows: “Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular…to prevent and minimise the impact of incidents …and ensure the continuity of the services” – Article 14 (1).
  • Obligation to notify the competent authority of “incidents having a significant impact on the security” of the core services they provide – Article 14 (2).
  • Compliance with “binding instructions” from the competent authority – Article 15 (5).
  • Use of technical standards and specifications is to be promoted by Member States, to promote consistency – Article 16.
  • Obligation to provide information (to the competent authorities) needed to assess the security of their networks and information systems, including documented information security policies – Article 15 (2) (a).
  • Obligation to undergo security audits by the national authority or an independent body, with the results made available to the competent authority – Article 15 (2) (b).

The devil of the new regime will be in the detail – for example with regard to national guidance defining the circumstances in which incidents need to be reported, and the nature of the “binding instructions” which national cyber crime authorities will have the power to issue. Technical standards and benchmarks will undoubtedly have a key role to play in helping define whether a business has done enough to comply. It is unclear how far current technical benchmarks like ISO 27001 will apply, or whether further standards will need to be developed.

Further afield – Singapore’s “nimble and comprehensive response” to cyber crime

So, as Datonomy’s European correspondents add another Directive to their watch list (a year or two for the EU institutions to agree on and adopt the proposal, and a further 18 months for Member States to transpose the rules?), our correspondents in Asia report that the Singapore Government has already adopted what are essentially very similar proposals. You will need to be a subscriber to the excellent Ecommerce Law & Policy to read the analysis by Matt Pollins and Rob Bratby of Olswang Asia in full, but here are some headlines. The rules have been introduced by amendments to Singapore’s Computer Misuse Act, giving the Government power to compel organisations to take a range of proactive and reactive steps to combat cyber crime. The powers come into play when Singapore’s defences, international relations or “essential services” are under threat. In other words, a similarly broad spectrum of businesses and sectors is potentially caught. The new regime will have teeth: fines of up to $50,000 and even prison terms for senior management for ignoring the rules. But like the proposed EU regime, much of the devil is likely to be in the detail of the very broadly drafted legislation.

Datonomy will of course be tracking legal developments both in Europe and Asia. Looking back at the past month’s tech news headlines, though, this Datonomist cannot help but think that it is the escalating practical threat and implications of a cyber attack, rather than the prospect of further (and possibly far off) new legal obligations, that will galvanise organisations to review their information security.



Datonomy’s Spanish correspondents have just posted an analysis of a recent ruling by the AEPD over Google’s autocomplete function, Google Suggest. The full analysis, which spans not only data protection but wider issues of defamation, intermediary liability and freedom of speech, is well worth a read over the weekend.

For Datonomy readers short of time, here’s a lunchtime synopsis provided by our Iberian Datonomists, Blanca Escribano and Marcos Garcia-Gasco.

The latest AEPD ruling

In May 2012, a citizen filed a claim with Spain’s DP authority, the AEPD. Google’s autocomplete function paired his name with the term “gay”, which he considered a potential avenue for defamation against him. Now, a decision against Google has been issued by the AEPD, which recognises the data subject’s right to object.

How does Google Suggest work?

As Datonomy readers will be aware, Google’s autocomplete function helps users to find information quickly by predicting and displaying searches that might be similar to the one that internet surfers are typing. Suggest’s predictions are algorithmically determined based on the popularity of the searched terms, geo-location references and other factors.

Google’s arguments …

Google explained that Google Suggest’s predictions are based on an algorithmic system in which no human intervention takes place. Google Suggest offers information automatically, which only indicates that some terms often appear connected. However, it is not possible to establish a direct relation between those terms and, moreover, it cannot be said that those linked terms provide any kind of information about the persons concerned. Google also stated that its autocomplete function cannot be considered a structured filing system according to the wording of the Spanish legislation and the European Directive.

… AEPD’s conclusions

The AEPD ruling concluded as follows:

a) Information associated by Google with data subjects must be considered personal data.

b) There is a processing of personal data.

c) Google is the controller of the relevant processing of data.

Thus, the AEPD recognises the right of objection of the data subject and obliges Google to take appropriate measures in order to avoid the undue association between the data subject and the term provided by Google Suggest.

Search engines in the EU, a restricted future?

Future implications of the AEPD’s decision are still uncertain. The legal disputes now being conducted in Spain should be added to others already being conducted in France and Germany, where Google Suggest has also been called into question.

It is worth considering whether this ‘restrictive’ EU data protection approach may put at risk the essence of search engines or, what is probably more important, third-party rights connected with their activity such as freedom of expression, freedom of information and other Internet freedoms. However, it seems logical to believe that cases of this kind may be considered merely anecdotal when compared with the massive number of queries per second that Google records every day.

Please see this link to read the full analysis of this interesting case.

Posted on behalf of Blanca Escribano and Marcos Garcia-Gasco, Olswang Madrid.



Earlier this week, a new set of online behavioural advertising (OBA) rules came into effect, aiming to secure transparency and control for web users. The new rules will be enforced by the ASA. As OBA is typically administered by the use of cookies, these rules supplement existing opt in and transparency rules for cookies under the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (Regulations), which are enforced by the ICO.

As Datonomy readers are no doubt aware, OBA is a form of targeted advertising whereby third party advertising networks partner with websites from whom they collect data on users’ web viewing behaviour, in order to deliver them advertising that is more likely to be of interest. To illustrate by way of example, one of the Datonomy Home Team admits to being practically stalked by advertising for a particular brand of luxury handbag, as a result of her own online browsing.

What do the ASA rules require?

In terms of substance, there is some overlap between the ASA’s new guidance and the cookie consent opt in legal requirements under the Regulations, which have been enforceable in the UK since May 2012.

The new rules require:

  • Notifying consumers – third parties delivering ads to web users using OBA must give a “clear and comprehensive” notice to web users about the collection and use of web viewing behaviour data. This notice must be given on the third party’s own website and either in or around the advertisement delivered by OBA.
  • Consumer choice – the notice must also inform users of how to opt out of OBA and must include a link to a relevant mechanism that allows them to opt-out.
  • Explicit consent if all info captured – third parties that use technology to collect and use information about all or substantially all websites visited by web users on a particular computer must obtain explicit consent. This rule is aimed at “deep packet inspection” OBA, typically conducted at an ISP level.
  • No targeting the under 12s – third parties delivering OBA must also not create “interest segments” specifically designed for the purpose of targeting children aged 12 or under.

As mentioned, OBA is typically administered by way of a cookie, i.e. a small text file that is stored on the web user’s computer to determine which advertising they receive. It does therefore seem that there will be some potentially confusing overlap between this regime and that administered by the Information Commissioner’s Office. Whereas the ASA rules require an opt-out, the Regulations require web users to have given prior consent to the use of ad-related cookies. In addition, the Regulations will bite on both the third party OBA provider and the website publisher. Cookies used for behavioural targeting are at the more intrusive end of the scale and therefore the requirements under the Regulations for information and opt-in consent are greater than for, say, analytics cookies.

Is this good news for web users?

Datonomy welcomes any change which allows web users to be better informed and exercise more choice over how their data is used. The ASA states that these new rules are integral to the European Self-Regulatory Framework. Datonomy notes that many third party ad networks already pay a licence fee to a pan-EU body, the European Interactive Digital Advertising Alliance (EDAA), to use a single icon in or around display advertisements in order to provide notice to users. This icon links to a website called youronlinechoices.eu, whereby users have the choice to opt out of a range of third parties’ OBA (for more info see this author’s note here). Nonetheless there are clear benefits to offering consumers and the industry recourse to an independent complaint handling body in the form of the ASA.

It is disappointing to us here at Datonomy that the new rules do not cover the use of OBA on mobile devices. The ASA has stated that it envisages that the rules will be updated for mobile devices in the future. Given that over 10% of all web browsing now takes place via a mobile phone and that mobile is key to many retailers’ strategies, Datonomy is curious about the ASA’s justifications for leaving this browsing unprotected by the rules.

Enforcement risks for retailers?

The new rules are aimed at “third party” organisations. This means that the website owners or indeed the retailers of the goods advertised as a result of OBA (the luxury handbag brand, in our example above) are not directly on the hook. One potential problem with enforcing the new rules is that the ASA may not be able to identify the third party ad networks serving the advertising. To solve this issue, the rules provide that the advertiser on behalf of whom the advertising is delivered must co-operate with the ASA in good faith to help determine the identity of the third party. Retailers who outsource their OBA delivery will therefore wish to keep a close eye on any sub-contracting by their appointed third party ad network.

Given that the stricter rules on the use of tracking cookies have been fully in force since last year, will the addition of less onerous, soft law requirements make much difference? The ICO has not published details of any enforcement action specifically in relation to behavioural advertising cookies, although it is taking steps against a number of non-compliant websites, as it reported in its enforcement updates at the end of last year here and here.

Are Datonomy readers stalked by targeted ads? Are opt-outs being honoured in practice? Share your stories!

P.S. Speaking of being followed online, we can’t help but nudge you to follow Datonomy on Twitter.



Following wide-ranging criticism from the opposition, the unions and various data protection officials, the German government coalition last week finally withdrew its highly disputed bill for a new employee data protection regime in Germany.

The bill, which the government had originally published in August 2010 and which had been substantially amended twice since then, was supposed to introduce new rules for the collection, processing and use of employee data prior to and during an employer-employee relationship.

Amongst the most disputed regulations of the bill were various provisions which, subject to certain restrictions, allowed for

  • the use of tracking systems for the location of employees;
  • pre-recruitment medical examinations;
  • video surveillance of non-publicly accessible business premises;
  • the collection, processing and use of biometric data; and
  • the collection, processing and use of data generated through the use of telephone, internet or other telecommunication services.

According to senior government officials, additional discussions with the relevant stakeholders are now to take place before the legislative proceedings are resumed. It remains to be seen whether this will lead to further amendments of the bill or whether the bill will finally be dropped completely and replaced by a new draft.

In the meantime, employee data continue to be specifically addressed only by a single provision within the Federal Data Protection Act (Bundesdatenschutzgesetz) which broadly allows for the collection, processing and use of employee data if it is necessary for the conclusion, execution or termination of an employer-employee relationship.


Posted in Consumer concern, consumer protection, data, data protection compliance, data protection regulation, Germany, legislative amendment, privacy issues, reform proposals, workers' records

The latest responses by the UK government and the ICO to the EU reform proposals will (mostly) resonate with businesses concerned about some of the more far-reaching changes.

The latest developments and time line

Datonomy has been taking stock of two recent UK developments: the Government’s response to the Justice Select Committee’s opinion on the European Data Protection framework proposals, published by the MoJ on 11 January, and the ICO’s two-page “latest views from the ICO” paper of 22 January.

Datonomy readers are no doubt au fait with the intricacies of the EU legislative process, but may nonetheless enjoy the blog post by Deputy Commissioner David Smith, with its helpful insight into the current state of play and user-friendly timeline. Despite the strength of the European Parliament’s support for the Commission’s proposals, it still has a way to go, procedurally speaking. And not everyone shares the EP’s wholehearted support for every aspect of the proposals – as the most recent UK pronouncements illustrate.

Some UK concerns

The MoJ’s response document, which will inform the UK’s negotiating stance, and the ICO paper welcome aspects of the reforms but both highlight similar concerns:

  • The legal framework: both the MoJ and the ICO are concerned about the “twin track” proposal for a general Regulation and a Directive relating to criminal law enforcement, and the potential for inconsistencies to arise. The UK is lobbying for the Regulation to be re-cast as a directive. Germany too has constitutional concerns about the reforms – see our 2012 post here.
  • Too much harmonisation? While fundamental principles should be harmonised across Member States, both papers argue that not every detail of the regime needs to be harmonised. Indeed, for businesses operating internationally, greater harmonisation is one of the plus points of the reforms.
  • The “legitimate interests” condition: developing this theme further, the ICO’s paper argues the need to recognise different legal traditions (e.g. less prescriptive regimes like the UK’s) and cites the application of the legitimate interests condition as a practical example. As Datonomy noted in this recent post, this important condition could be significantly narrowed if the European Parliament’s amendments are adopted.
  • Economic impact: the MoJ counters the Commission’s €2.3 billion cost-saving estimate with the UK’s impact assessment of £100-360 million per annum, and emphasises the impact of additional red tape costs, in particular for small businesses.
  • Regulatory costs: the ICO is naturally concerned about the proposed loss of funding from notification fees, aside from which it estimates the new regime could cost it an extra £8-28 million.
  • Right to be forgotten: both organisations are concerned about the practicality of the R2BF and the dangers of raising unrealistic expectations for consumers.
  • Which organisations will require a DPO? The UK is advocating a more risk-based approach to the requirement to appoint a data protection officer, depending on the quantity and sensitivity of data handled rather than a blunt threshold of organisation size (as proposed by the Commission) or database size (the EP’s counter-proposal).
  • Sanctions: both advocate regulators having discretion over whether to impose fines. The MoJ believes the current proposals on sanctions could create an overly risk-averse environment, and the ICO thinks that linking fines to a percentage of turnover is “impracticable”.

Comment

The “sovereignty” theme runs through a number of these concerns (and is topical given the current debate about the UK’s future in Europe). For many businesses the debate over the form of the new rules seems academic; it is the substance and the business impact (and cost) that counts. Datonomy hopes that the politicians will not get too bogged down in form, but will instead focus on ensuring the substance of the Regulation is workable, proportionate and does not tie up recession-hit businesses in unnecessary red tape.


Posted in data protection regulation, EU data protection reform, European Commission, European Parliament, ICO, MOJ

The German state of Rhineland-Palatinate (German: Rheinland-Pfalz) recently caused some amusement amongst the internet community.

Despite long resistance from the state’s Data Protection Commissioner Edgar Wagner, Rhineland-Palatinate finally went online with its own Facebook fan page in January – however, not without Mr Wagner imposing a “feedback-channel-ban” that requests all government agencies not to answer user questions on Facebook. Users who seek specific answers from the state government via its Facebook fan page are now referred to other ways of communication such as e-mail or the state’s official websites.

The motivation behind this is, of course, data protection. Mr Wagner wants to keep the state’s fan page clear of any user interaction in order to avoid user data being generated by Facebook.

According to Mr Wagner, Rhineland-Palatinate did not want to stay completely out of Facebook, as the social network offered good opportunities to provide information to its citizens. The state’s presence on Facebook is, however, intended only to serve as a “bridge” for users to the state’s official website.

“Presence without communication”, “social network without dialogue”: the “feedback-channel-ban” has already attracted some mockery on the internet and from third parties. Johannes Steiniger from the Young Christian Democrats, for example, called it a “real-life satire”. And Pia Schellhammer from the Green Party asked Facebook users to post their questions on her webpage; she would then try to obtain answers from the state government and publish these on her own Facebook page.

However, despite – or probably because of – its satirical character, the case provides yet another illustrative example of the increasing resistance that Facebook is facing from data protection authorities in Germany.


Posted in Consumer concern, cookies, data protection compliance, Facebook, Germany, government information sharing, Information Commissioner, privacy issues, Social networking sites