Whilst a lot of attention has been given to European data protection legislation, we should not forget some interesting developments which are happening in Asia at the moment.

Indeed a spate of new data protection legislation has been prepared and in some cases already passed in the last year. For example, Malaysia will have its new data protection regime come into force this summer and just last month the Philippine government passed its privacy legislation.

Particular interest has been generated by the Singaporean draft legislation, the latest (and potentially last) draft of which was published a few weeks ago. Whilst the legislation does borrow some concepts from the current European regime, other provisions draw more comparison with US privacy laws (particularly with regard to information which is made publicly available).

Areas of difference to familiar European legislation which caught Datonomy’s eye include:

  • The focus of the legislation is only on the private sector. Government agencies are not covered.
  • All organisations that are engaged in data collection, processing or disclosure within Singapore would be caught by the regime, even where the organisation is not physically located in Singapore. So, for example, an organisation which is based in the UK (such as a UK website) but which collects personal data from Singaporean customers would need to comply. This raises similar extra-territorial debates to those raised recently with the new draft European Regulation. In this case the Singaporean government has admitted that it recognises enforcement and investigation may be rather difficult in the case of overseas companies.
  • The Act draws no distinction between personal and sensitive personal data – all must be treated the same.
  • The law specifically incorporates a reasonableness test so organisations must  consider “what a reasonable person would consider appropriate in the circumstances” when complying with the Act.
  • There are no notification requirements so less bureaucracy.
  • Perhaps most interestingly, the government made a decision to extend rights to cover data of deceased individuals in terms of obligations around data disclosure and security up to 10 years from the date of death.

 So, what do readers think of the proposals?  To date the European legislation remains silent as to whether data subjects must be living but most national regimes (including that of the UK) have limited it in this way. Do you think that there may be merit in revisiting this like Singapore?

Datonomy wll be keeping an eye on the developments in Asia and, in particular, will feed back when the final Singaporean draft is published.

Posted in Malaysia, Singapore | No Comments »

In a decision as of 6 March 2012 that covers aspects of consumer rights related to data protection, the Berlin regional court ruled that several clauses of Facebook Ireland Ltd.’s terms and conditions violate German consumer laws and are therefore void (LG Berlin, Judgement of 6 March 2012, 16 O 551/109). Facebook Ireland Ltd. is the contract partner of all Facebook users that are not residents of the USA or Canada.

Firstly, the court said that the users’ consent in Facebook’s terms and conditions regarding the use of their personal data for advertising purposes is void. The reason for this assessment is not known yet – however, in a case against Google, the regional court of Hamburg had decided in 2009 that a consent provided in terms and conditions to a certain use of personal data unreasonably disadvantages a consumer if they are not specifically informed about the intended use of their personal data (LG Hamburg, judgement of 7 August 2009, 324 O 650/08). Facebook does not provide such information to their users either.

In addition, the court ruled that Facebook cannot use terms and conditions to obtain a comprehensive, world-wide and royalty-free license to use the users’ content, as the users remain owners of the intellectual-property rights of pictures and music they compose. The court also provided that Facebook must ensure that the user will be informed about amendments of the terms and conditions and the privacy guidelines in good time before changes become effective.

Finally, the court said that Facebook’s friend finder service violates the law against unfair competition (UWG). Said service offers Facebook users the possibility to check their email address books to see if their friends are already on Facebook. If the friends are not Facebook members yet, the user can send an invitation to them. The court said that Facebook must not send friendship requests without the addressee’s prior consent. Here, it will be interesting to read the written verdict, as one could also regard invitations that were initiated by a user as sent by the users and not by Facebook.

However, the verdict has not been published in detail yet and all information about the case comes from the plaintiff and the regional court. While it is still disputed if German data protection law applies to Facebook’s activities inGermany, as the data controller is probably Facebook Ireland Ltd. whose activities are subject to Irish data protection law, this might not be the case for German consumer rights. Article 6 of the Regulation 593/2008 (Rome1) provides that a contract between a professional from one country and a consumer from another country must comply with the mandatory rules of the consumer’s country of residence, if the professional directs commercial activities to that country.

The case had been brought to court against Facebook Ireland Ltd. by the consumer-rights institution Verbraucherzentrale Bundesverband e. V. Consumer organisations are entitled under German law to take action against companies that use prohibited terms and conditions or illegal marketing practices. Sources say that it is likely that Facebook will appeal the decision.

Posted in consumer protection, Facebook, Germany, transparency | No Comments »

Any readers aiming to get their organisation’s response to the MoJ consultation ready in time for the 6 March deadline will find much food for thought in the ICO’s initial analysis, published earlier this week.

The Initial analysis of the European Commission’s proposals for a revised data protection legislative framework covers both the draft Regulation and the proposed Directive on data protection in the context of criminal matters.   The ICO makes it clear that this is unlikely to be its last word on the proposals, with more detailed analysis to come as the legislative process kicks off. Nonetheless, the ICO’s observations are an invaluable source for businesses currently analysing the potential practical implications. The ICO has focussed on aspects of the proposal which it views as unduly onerous or unlikely to work well in practice.

Given the breadth and ambition of the European Commission’s proposal, it is not surprising that the ICO’s reactions to various dimensions of the proposal are mixed.  There are however some consistent themes in the ICO’s response: the need for proportionate, sensible and effective privacy protection, and less emphasis on red tape, form filling and common processes. “Harmonisation on paper…will not necessarily deliver sensible and effective data protection in practice“, states the ICO. As well as highlighting the potential burdens on the regulator itself, the response is in many respects a business-friendly one.

For those preparing a consultation response of their own, the ICO’s 29 page critique of the draft Regulation merits reading in full, but here are some key issues on which the UK regulator’s stance will be of particular interest.

  • Right to be forgotten:   this new right, and its practical implications, “need thinking through carefully” and should be presented in “less ambitious terms” to avoid a mismatch between individuals’ expectations and the various exceptions to the right already proposed. If the new right is “insufficiently qualified” it will have serious implications for freedom of expression in particular. – See pages 13-14
  • Data portability: is welcomed in principle, but with acknowledgement of the practical burdens for data controllers and the need for businesses’ IP rights to be safeguarded.
  • Profiling: clarification is needed as to whether online behavioural advertising is intended to be caught or not; a more risk-based approach is need to reflect that different types of profiling pose different levels of privacy risk – see page 15.
  • Prior authorisation and prior consultation: the ICO has a number of concerns about the “unrealistic” proposals in Article 34 concerning pre vetting of certain processing activities, particularly overseas transfers. See page 19.
  • Breach notification: while broadly welcoming the notification requirement, the ICO calls for more proportionate triggers and thresholds and more flexible deadlines – see page 17-18. 
  • DPOs: the ICO takes a measured and risk-based stance on the mandatory appointment of DPOs and rightly points out that the 250 employee threshold is too blunt an instrument for determining when an organisation should have a dedicated privacy officer – page 19.
  • Sanctions:  the ICO “has doubts” about a number of aspects of the proposals on turnover based fines.  Again, proportionality and “a link between administrative failure and practical [privacy] consequences” are missing – page 27.
  • One stop regulation for multinationals: the ICO foresees various practical obstacles to the ideal of “one stop” regulation for EU multinationals. Identifying the “main establishment” of a business with multiple centres of processing and decision making may not be as easy in practice as the draft Regulation assumes. See pages 7 and 22-23.
  • Enforcement against non EU businesses: the ICO also has doubts about the efficacy of the extra-EU reach of the Regulation (page 5) and need for the designation of an EU representative – page 17.
  • Children: on the issue of verifiable parental consent from under 13s, the ICO argues for a less black and white requirement, proposing that the approach to parental consent be applied more flexibly, according to the privacy risks of the particular online service – page 8.
  • Personal data, sensitive personal data and  data subject: the ICO broadly welcomes the proposed extension of the personal data definition – pages 5-6. However it has reservations about the continued “binary distinction” between sensitive and non sensitive personal data, and the lack of correlation which can sometimes result between the categories of sensitive data and privacy risk.

It is helpful that the ICO has shared its views with other potential respondents before the MoJ deadline, and reassuring that the regulator is alive to the practical businesses impacts and costs of the proposed changes.  Businesses may be less pleased by the ICO’s assertion that the new rules – once agreed at EU level – should have a shorter lead in time than the two years currently  proposed (see page 2). The ICO’s argument is that DP rules are not new, and that many aspects of the proposals simply represent current best practice.  

As we’ve said before, the Regulation has a long way to go before adoption.  But let’s hope that – if the ICO’s wish for a tight compliance deadline is heeded by the EU institutions –  that its various suggestions for moderation of the rules are taken on board too.

For those wishing to add their views to the Ministry of Justice’s consultation by next Tuesday, the link is here.

Posted in Uncategorized | No Comments »

Air your views on the draft DP Regulation – by 6 March!

Claire Walker - February 10th, 2012

Datonomy readers who wish to influence the detail of the EU’s reform proposals via the UK Government have until 6 March to do so.  The Ministry of Justice has this week issued a Call For Evidence to help inform its negotiating stance on the proposed Regulation.  The link to the document and to an online questionnaire is here.

Datonomy readers could be forgiven for having a sense of deja vu – the MoJ conducted a similar exercise in 2010 as part of  the lengthy consultation process which preceded the Commission’s formulation of the current proposal.  Of course, a new consultation exercise is necessary now that the “phoney war” is over and we are dealing with actual draft legislation  rather than a series of policy objectives and statements. 

What line is the UK Government likely to take? The Secretary of State For Justice, Ken Clarke expressed a conservative (in both senses of the word) approach in this May 2011 speech . He suggested that the reform of the EU data protection regime called for “a good service or test on a well loved old car, rather than writing off the vehicle altogether and trying to buy a flashy but impractical new one“.  The need for pragmatism is also repeated  in the introduction to the  new Call for Evidence.

Well, there are plenty of well loved – or at least familiar – principles in the new draft, many of these amplifying existing requirements and advancing  soft law and best practice approaches  into black letter law.  One suspects however that the Secretary (and others) might view many aspects of the draft Regulation as “flashy” and/or impractical. 

One of Datonomy’s more data-sceptic colleagues (I  won’t name names) has promised to eat his (or her)  hat if a a fine of 0.5% of global turnover is ever imposed on a data controller for responding late to a data subject access request – as is theoretically possible, if the Regulation were to be  adopted in its current form. 

Could Olswang’s offices be witness to hat-eating in, say, four or five years’ time?  For all kinds of reasons, Datonomy hopes not.  The black letter law detail of the Regulation has many hurdles to cross first, and then there will be the small matter of regulatory enforcement policy.  The immediate milestone on the horizon, for  data sceptics and for data enthusiasts alike, is to make your views and concerns known to the UK Government by 6 March. 

 

 

 

Posted in Reform of EU DP law, reform proposals, Uncategorized | No Comments »

So, the reports that we would not see the detail of the reforms until March proved unfounded. The official publication of the Commission’s DP reform proposals earlier today, exactly on schedule,  cannot have escaped the notice of Datonomy readers. (But just in case, the link to the package of new measures is here .)

The centre of attention is the comprehensive Regulation, weighing in at 139 Recitals and 91 Articles and a total of 118 pages (if you include the memo at the front and the impact statement at the back).

The Datonomy correspondents at Olswang have been busy all afternoon analysing the practical implications of the proposal, and their initial analysis for in house counsel is now available.

The new regime will obviously have a major impact on data protection regulators too – the  initial reactions of the UK’s  regulator are here on the ICO’s website.

Anyone who missed Vice President Reding’s press conference at lunchtime can watch it at their leisure.  Datonomy was delighted to see that the Vice President echoed the views in the  recent post by Christina Motejl that the strong new rules draw inspiration from Germany.

There will be no shortage of law firm and business commentary in the media over the hours and days to come – Datonomy looks forward to hearing the views and comments of its correspondents and readers (both in house and in private practice) from around the globe, and to some lively debate as the details of the proposals are evaluated in more depth – and at greater leisure.

Posted in EU data protection reform, EU Legislation, eu proposals, Germany, ICO | No Comments »

If , like this Datonomist, you have been trying to make sense of the conflicting reports about  delays – or otherwise – to publication of the draft DP Regulation, then this report  just posted byEuractiv.com confidently predicts the publication of a “package” comprising a communication, a regulation, a directive and a technical report on the 25 January – the date  expected for formal publication, following the unofficial debut of an interservice text last month.    

Datonomy is sure that its readers have already seen the various reports since last week, rumouring the possible delay and detailing the numerous objections from various Directorates General at the Commission which prompted it.   If not,  the Euractiv article provides  a useful snapshot of these, as does recent coverage on MLex.

Which report is right?  Who knows.  Datonomy is saving it energies for analysing the official draft of the proposal – whenever it may emerge!

The leaked proposal for the new Regulation has also attracted criticism from the other side of the Atlantic – an  ”informal note” detailing 9 pages of concerns (but “not necessarily represent[ing] the views of the FTC nor any other US governmental agency” appears on the on the Statewatch site . Those specific (and non exhaustive) concerns, relating to matters within the remit of the FTC, follow two broad themes: potential adverse effect on interoperability of privacy frameworks, and implications for enforcement activities.

And, as Datonomy’s Berlin  correspondent Christina Motejl reported yesterday, the draft proposal has attracted criticism from Germanyby virtue of its form – a directly applicable regulation – on constitutional and political grounds.

Last but not least, the business lobby is already weighing up the potential impact of the regulation on day to day operations.  If the reports are to be believed, we can expect to see some toning down of certain  aspects of the leaked draft.   Additional red tape is never going to be welcome, but will the next draft have been  watered down enough to make it  palatable?

Datonomy looks forward to some concrete developments in the week ahead.

Posted in Directive 95/46/EC, EU Legislation, Germany, Reform of EU DP law, United States | No Comments »

The draft data protection regulation of the European Commission that had leaked in early December has been widely criticised by the German Minister of the Interior and aFederal Constitutional Court judge. The points of concern were not the new and mainly stricter rules of the draft regulation, but that the European Commission chose a regulation instead of a directive.

First, Johannes Masing, one of the sixteen judges of theFederal Constitutional CourtinKarlsruhe, unmistakably warned about the new regulation in a newspaper article last Monday titled “Goodbye to fundamental rights”. Mr. Masing said that as a regulation was in fact a directly applicable law in every member state, national rights would be pushed aside. This would also be the case with regard to the fundamental rights of the Grundgesetz, the German constitution.

In Germany, data protection laws do not originate from the European Directive 95/46/EC or a simple law, but were “invented” by the Constitutional Court in a fundamental decision in the year 1983, in which the court derived personal data protection rights directly from the constitution. Therefore, all German courts apply data protection regulations also with regard to the fundamental rights guaranteed by the constitution.

As a consequence of data protection law being regulated in a regulation, national German courts could no longer decide on the interpretation of data protection law, but would need to present critical cases to the European Court of Justice (ECJ) being the only decisive authority on European law. Mr. Masing fears that this would lead to a decline of legal protection, as the ECJ was not a special human rights court and in charge of 27 member states. Furthermore, only courts and not individuals could present cases to the ECJ. Contrary, inGermany, subject to further requirements every citizen can appeal to the Federal Constitutional Courtif they feel that their basic rights are violated. 

Judge Masing’s opinion is mainly shared by the Federal Minister of the Interior, Hans-Peter Friedrich, who criticised in an interview on 15 January that a regulation would relocate further legal competences to the European Union. Despite this material criticism, both stressed that an increasingly harmonised data protection law would strengthen the internal market.

Especially Judge Masing’s reaction is interesting, as constitutional court judges are generally more reserved when it comes to direct criticism of laws, especially European laws. Rumours say that Commissioner Viviane Reding’s ambitious draft is subject to highly controversial debates between the other members of the commission and that this may have been a reason why its text leaked more than six weeks prior to its official announcement. Therefore, the draft may not even be the final version that will be presented on 25 January.  

This shows, however, that the discussion on the new regulation on data protection has just started. The regulation will be adopted, if at all, according to the ordinary legislative procedure pursuant to article 294 of the Treaty on the Functioning of the European Union. This means that both the Council of the European Union and the European Parliament have to approve the regulation in two or three readings. Normally, this procedure can take up to two and a half years – enough time for national governments and lobby groups to look for like-minded governments and politicians to push for legislative changes in the new data protection law’s form and content.

Posted in Directive 95/46/EC, EU data protection reform, EU Legislation, EU powers, eu proposals, Germany | No Comments »

After a first read through of the leaked Commission proposal for a new data protection regulation (Draft Regulation) that was published by statewatch.org (it is not meant to be officially published until the end of January), I remembered a speech by Viviane Reding’s Chief of Cabinet who said that the Commissioner for Justice was very impressed by German data protection rules. This might help in explaining several provisions of the Draft Regulation.

Take for example the rules on data processing. After some scandals on data leakages at data processors,Germanytightened the requirements for the contract on data processing to cover several specific details of data security. Article 27 of the  Draft Regulation takes up this idea and requires controller and processor to stipulate several rules and precautionary measures in their agreement, as that the controller may only act on instructions from the controller and that its staff must have committed themselves to confidentiality. However, contrary to German law, the contract must not cover specific details on data security measures.

Another principle deriving from German data protection is Article 4 of the Draft regulation, which says that personal data must be limited to the minimum necessary in relation to the purposes for which they are processed. This is almost the same as the principle of data reduction in sec. 3 a of the German Federal Data Protection Act. In comparison, Article 6 of the current Directive only required data processing not to be “excessive in relation to the purposes for which they are collected and/or further processed”.

Also the stricter requirements to consent to data processing seem to derive from German data protection law. Article 7 of the Draft Regulation provides amongst others that consent to data processing in a written declaration on another matter must be made distinguishable in its appearance, which is almost the same provision as in sec. 4 a of the German Federal Data Protection Act (BDSG). Also the data subject’s right to withdraw such consent at any time is an unwritten principle of German law, as well as the assumption that a consent is not freely given where there is a significant imbalance between the data subject and the controller.

The Draft Regulation also covers the use of personal data for direct marketing for commercial purposes and makes it subject to the data subject’s consent to such marketing (Article 5 para 2 Draft Regulation). This is even stricter than German data protection law, which provided an important exception for the requirement of a consent in allowing the use of personal data for advertising if the data was listed and contained only categories as name, occupation, title, address and year of birth and was obtained through a contract or a similar relation with the data subject or from public sources.

Therefore, reading the Draft regulation as a German is an interesting déja vu. The fact that the European Commission proposes a regulation to create a harmonised level of data protection will – if it is eventually adopted – certainly make the life of many companies easier, as the legal requirements were sometimes very different in several member states. However, the regulation contains quite strict and detailed rules. It remains to be seen if other member states will agree that the principles of countries with a stricter approach to data protection should be applied to the whole European Union.

Posted in EU data protection reform, EU Legislation, eu proposals, Germany, Germany; address lists | No Comments »

The ICO has today  published its promised “half term report” on organisations’ compliance with the new cookie consent rules, along with updated practical guidance.   On third party cookies, which the ICO acknowledges is “one of the most challenging areas” for compliance, the ICO states that it is still working with industry and other DP regulators to find the right answers on this complex issue.

The new version of the guidance replaces  and expands on the 10 page version published back in May.   As well as providing more practical illustrations of the various possible consent options(pop ups, footer bars, terms and conditions, settings led and feature led consent) it  sets out the ICO’s likely enforcement stance when the “amnesty” period ends in May 2012. 

In line with the ICO’s Regulatory Action Strategy,  any formal action taken for cookie breaches would need to be proportionate – but the tone of the guidance and the half term report is very much that of a school master who is running out of patience:  there are pockets of good practice and transparency – but many businesses “must try harder” to get compliant in time for May 2012.

Datonomy confesses that it was somewhat distracted by last week’s  news about the unofficial publication of a draft of the new General Data Protection Regulation, but will now turn  its attention to matters of current, rather than future, law and will review the latest cookie guidance in more depth.

Posted in Uncategorized | No Comments »

Consultation draft of new DP Regulation published?

Claire Walker - December 8th, 2011

The Statewatch website has published what appears to be a draft of the Proposal for a Regulation to replace the current Data Protection Directive.  The   draft for the proposal is still at the inter-service consultation stage, i.e. doing the rounds of the different DGs with a potential interest in the proposal.  So, the final draft of the proposal (not due to make its official appearance until January)  might differ from the version currently on the Statewatch site – and of course, assuming this version is authentic….

However, with those caveats in mind, following the FT’s teaser at the weekend, those eager for a preview of the content may not be able to resist taking a look.  There are 116 pages to trawl through, but notably:

  • the proposal is for a Regulation, not a Directive, therefore directly applicable in and binding on Member States
  • for proposals on sanctions, see Chapter 8 (and for fines in particular, Article 79 (4) on page 89)
  • the hot topic of data security and breach notification rules are contained in Section 2.

Datonomy is grateful to one of its eagle-eyed correspondents for spotting the document  on Statewatch.  We will continue to track the progress of the new Regulation and  its potential implications, and we look forward to Datonomy readers’ views too.

 

 

Posted in Uncategorized | No Comments »

FT gets a sneak preview of the new draft DP Directive

Claire Walker - December 5th, 2011

FT readers will have already seen FT’s report (4/12/11) that it  has had a sneak preview of the eagerly awaited  draft Data Protection Directive.  The most headline grabbing issue is the possible introduction of fines of up to 5 % of global turnover for privacy breaches.   If that doesn’t make data protection exciting, nothing will!

Remember that the new Directive still has a long way to go.  When the proposal is published officially and in full – expected to be in January – there will be much for data protection practitioners (in every sector and every practice area)  to analyse.

The likely headline issues and broad areas for reform were well signposted in the Commission’s Communication of November 2010.  Just how these broad proposals translate into the detail of the first draft remains to be seen – but if “stronger sanctions” in the Communication translates into “fines of 5% of global turnover” in the first draft, then the detail of that first draft is going to make for interesting and possibly controversial reading!

The UK’s regulator the ICO last month published a “wish list” of issues it hoped to see addressed, and has also begun its own blog on the future of the EU DP regime.

Datonomy will be tracking the progress of the new Directive as it begins its official legislative journey shortly.  With the festive season approaching, Datonomy would love to hear what’s on the wish lists of its readers and correspondents around the globe – at least as far as the future of privacy legislation is concerned!

Posted in Uncategorized | No Comments »

Future of Privacy and Openness in Germany

Christina Motejl - November 30th, 2011

Datonomy attended the event “Datendialog” hosted by Google in Berlin on 24 November, where many interesting speakers discussed the current situation and future of privacy, but also openness.

Blogger and Science Fiction author Cory Doctorow described the current situation of many free internet offers as “privacy bargain”, in which users traded their personal data for services. The deal, however, would be one-sided and never negotiated. Therefore, Doctorow called for technical measures that would prevent companies from tracking users with cookies and compared the situation to pop up windows, the widespread use of which decreased after Mozilla, as first browser, started offering a tool to block these windows. In his words, cookie managers could be the new pop up blocker.

Federal data protection commissioner Peter Schaar said that German data protection law needed to be amended especially with regard to the question of applicable law. If companies systematically offered services in Europeand collected and used personal data of millions of European users, they should be forced to comply with basic values of European law. He criticised the government’s current preference of self-regulatory solutions as these had the inherent danger of staying below legal rules. Secretary of State Rogall Grothe of the Ministry of Interior, on the other hand, stressed that youth protection level had increased due to self-regulatory solutions in the industry.

Contrary, author Jeff Jarvis emphasised that the principles of publicness and ethical sharing should also be protected, as they allowed for a more open society. He would not want a society that was “private by default”. However, he also stressed that privacy and publicness are not self excluding principles.

Google, once tagged as “data kraken”, is at the moment in the rather comfortable situation that Facebook attracts almost all criticism regarding data protection problems with its approach that German data protection law does not apply to them. For example, Cory Doctorow described their business model as “making big changes and settle for a little less after public outcry”. However, the event showed that Google does not hesitate to invite critics as Cory Doctorow and data protection commissioner Peter Schaar and seems to be interested playing an active role in the discussion about the necessary extent of data protection.

Posted in data collection, Facebook, Germany, Google | No Comments »

Social Network Sites: Data protection issues

Matthias Vierstraete - November 17th, 2011

At a recent roundtable event hosted by theBrusselsoffice of Olswang LLP, Datonomy heard a range of perspectives on data protection issues in the context of social network sites (SNS).

Around 50 members of the Belgian Institute of In-House Counsel attended the event.

Iain Stansfield from Olwang’s Londonoffice set the scene and demonstrated through a number of practical examples what can go wrong for companies that are active on SNS – and further, what can go wrong when they are not active. Besides the risks, there are of course clear advantages of being social online and Iain discussed the need to find a balance between being social on the one hand and complying with the law on the other hand.

Christine De Keersmaeker from Olswang’sBrusselsoffice explained what social media do to your Intellectual Property, how they affect trade marks and copyrights and how trademark and copyright holders can deal with the threats of social media through prevention e.g. through creating awareness and policies, and how and why repression is not necessarily the right solution.

Patricia Cappuyns elaborated on the data protection and privacy issues related to SNS. She made in-house counsel aware of the obligations companies face when they are online on SNS. She explained how to apply the fundamental distinction between the data controller and the data processor to the different SNS scenarios, and concluded that companies will often be considered to be joint data controllers.

The ensuing discussion with in-house counsel revealed that most companies are not ready to meet their data protection obligations vis-à-vis virtual customers. Companies should have a policy in place with detailed guidelines, for example on how to comply with a request for access, rectification and deletion of data.

In order to prevent employees from misusing their company’s trade mark on SNS – or simply to prevent them from wasting their time – companies also feel the need to monitor their employees’ online activities. It is easy to see how the legitimate right of supervision, exercised through cyber-surveillance, may conflict with the fundamental right of privacy, which also applies in the workplace. Under Belgian law, a Collective Labour Agreement (N° 81) deals with this issue and sets the conditions in order for companies to legally monitor their employees. This agreement provides amongst others that employers are only allowed to monitor their employees’ electronic communication to the extent that this monitoring meets the principles of legitimacy, finality, proportionality and transparency.

For companies taking their chances on SNS it is therefore of key importance to put in place a legal step-by-step plan without hindering the main objective of the SNS effort, which is to present the company as a social online presence.

Posted in cyber-privacy, data controller, data processor, data protection compliance, privacy policy; privacy notice;, Social networking sites, surveillance | No Comments »

Facebook – Cookies to be investigated in Germany

Christina Motejl - November 10th, 2011

Facebook encounters more and more problems with Germany’s Data Protection Commissioners. Only last month, the Data Protection Commissioner of Schleswig Holstein, Thilo Weichert, announced proceedings against public authorities and companies in Schleswig Holstein that use Facebook’s Like-Button on their websites (see Datonomy post of 6th October). Mr. Weichert criticised that the Like-Button enabled Facebook to track users even if they had not clicked the button.

Now, Johannes Caspar, Hamburg’s Commissioner for Data Protection and Freedom of Information (HmbBfDI) has conducted an investigation into Facebook’s use of cookies, which enable Facebook to recognise its users even if they are not logged in or if they visit a third party website that uses an embedded Like-Button. According to Caspar, Facebook had reasoned that it uses cookies mainly for security reasons, such as youth or password protection. However, the Commissioner claims that this was essentially not true as most functions were optional and only activated after the users have given their approval. Therefore, Caspar suspects that Facebook uses cookies simply to create tracking profiles of users. Under German data protection law, tracking in form of the collection of personal data is not allowed if the users have not provided their consent. Even in case of a pseudonymized data collection, they have to be informed about the tracking and their right to object.

As a first reaction to Caspar’s accusation, Facebook indicated its willingness to discuss the technical mechanisms of its use of cookies. However, in a parliamentary committee hearing last month, Facebook also claimed that German data protection law would not apply to them.

They might have good reasons to do so – sec. 1 para 5 sentence 1 of the German Data Protection Law (BDSG) provides that the German data protection law does not apply to data controllers situated within a member state of the European Union or the European Economic Area that collect personal data in Germany, if they do not collect such data from a branch office situated in Germany. Facebook’s terms and conditions name Facebook Ireland Ltd. as contract partner of all users who reside outside the US or Canada. Accordingly, Facebook’s German subsidiary “Facebook Germany GmbH” claims to provide mere marketing activities for “the internet site of a social network”. If this was true, Irish Data Protection Law would in fact apply to Facebook’s European activities and only the Irish Data protection authorities would be competent to supervise Facebook’s data collecting activities. This is, however, a different situation for website owners residing in Germanywho use Facebook’s Like Button and are subject to German data protection law.

It remains to be seen if Facebook will risk the consequences of an open conflict with German data protection authorities which might eventually result in a German court ruling that German authorities are ultimately competent to regulate Facebook’s activities inGermany.

Posted in cookies, cookies; behavioural advertising; google, data collection, Facebook, Germany, opt-outs | 1 Comment »

German Public Authorities: You shall not use Facebook!

Christina Motejl - October 6th, 2011

The independent Data Protection Commissioner of Schleswig Holstein, Thilo Weichert, has initiated proceedings against public authorities and companies in Schleswig Holstein who use Facebook’s Like-Button on their websites or who operate a Facebook fanpage.

The main point of criticism regarding the Facebook Like-Button is that it is directly loaded from the Facebook site, which enables Facebook to track the internet user by their IP address or a previously set cookie, even if they have not clicked the button. As regards the Facebook fanpage, the data protection authority says it violates data protection laws (in particular, sec. 15 of the German Telemedia Act) as Facebook collects user data to generate web statistics without enabling the user to object to this procedure. Therefore, it would generally not be possible to use a Facebook fan page in a privacy compliant way. By using the Like-Button or creating a fanpage on Facebook, the website or fanpage operator enables the violation of European data protection law by Facebook, Weichert says.

According to newspapers, Weichert’s authority has written letters, inter alia, to several state ministries and the state chancellery, which is the office of the state’s prime minister. The letters request the recipients to remove the Like-Button from their website or to delete their Facebook fanpage until the end of October. According to the Telemedia Act, privacy infringements can be fined by up to 50.000 €.

However, the state chancellery of Schleswig Holstein, whose Facebook fanpage has more than 13.000 fans, has already announced that it intends to keep its fanpage, as it was an important means of communication, especially in the evenings and on weekends.

It remains to be seen if the data protection authority will fine public authorities for not sufficiently protecting the personal data of citizens, and whether public authorities will need to pay these fines with tax money collected from the same citizens, whose protection is meant to be enforced by the fines.

Aside from the undeniably absurd aspects of this case, the Data Protection Commissioner’s approach shows the increasing willingness of German authorities to act against large US companies regarded as “data kraken” – collecting any data they can get hold of. As they cannot get hold of US companies directly, they target German website providers who use the services of these companies. The same approach already motivated Google to offer a data-compliant version of Google Analytics that encrypts part of the user’s IP address.

Posted in cookies; behavioural advertising; google, Facebook, Germany, Google, government data handling, IP address | 1 Comment »

Cookie consent: practical perspectives

Claire Walker - July 27th, 2011

At a recent roundtable  event hosted by Olswang LLP, Datonomy heard a range of perspectives on the new cookie consent requirements.  Readers can find useful resources from the event via the right menu below (scroll down to  “Cookie resources”)  including the headline comments from our panel of speakers.

Over 30 in house counsel from a range of consumer facing businesses – all getting to grips with compliance with the UK’s new rules – attended the breakfast seminar.  Recognising that the legal world is now sick  of cookie puns, croissants were on the breakfast menu instead.

The UK regulatory perspective was provided by Dave Evans, Group Manager at the Information Commissioner’s Office. The clear message to UK website owners, echoing the ICO’s recent guidance, is that doing nothing and hoping a browser-based consent solution will come to the rescue is simply not an option.  Businesses should be analysing the cookies on their websites, informing website users about the nature and uses of those cookies and offering choices about whether or not to accept their use, prioritising according to the intrusiveness or otherwise of those cookies used. It was stressed that there will be no single “silver bullet” solution to obtaining consent.  As highlighted in the ICO’s guidance, there are different ways for businesses to approach the issue of consent, according to the context.  Apart from the tick box approach on the ICO’s own website, and a possible browser solution in future (for those scenarios where an up to date browser is used), consent could instead be feature led.  One example  given was of a site which provides local weather information by using cookies to remember the user’s location and which incentivises consent by explaining to the user how these useful features are made possible by cookies.  Our “key points” notes on the right hand menu  give more details of Dave’s insight into the ICO’s enforcement stance on cookies  in the short term.

Technical insight  was provided by Richard Carman and Chris Mellish of web design company Pure Innovations. They too urged businesses to think creatively about consent as part of the consumer’s website experience. They also spoke up for the much-maligned cookie, reminding us that the term covers a wide spectrum of intrusiveness, from the relatively benign to the more sinister zombie cookie.  If, like this Datonomist, you are a bit of a technophobe, you will find answers to those questions you may have been too embarrassed to ask in Richard and Chris’s excellent “Technical FAQs on cookies” on the right hand link below.

With the current focus on the detail of cookie compliance,  Olswang privacy expert Elle Todd encouraged us not to lose sight of the bigger picture of data protection risk and compliance, including security and data retention issues.

Providing international perspective, Matthias Vierstraete and Carsten Kociok from Olswang’s Brussels and Berlin offices respectively summarised the state of play on implementation in their jurisdictions.  See the “EU cookie implementation” table  below for the latest news from Datonomy’s contributors from Belgium, Germany, Spain and beyond.  Self regulatory measures seem to be the favoured approach by those jurisdictions.

Datonomy readers will no doubt have seen last week’s announcement by the Commission about failure of the majority of EU Member States to transpose the rules on time. The UK is one of only seven Member States to have fully transposed the changes required by the EU telecoms package, of which the cookie consent requirements form part.  The other 20 Member States have received letters of formal notice, the first step in the Commission’s armoury of enforcement measures.

Datonomy and its correspondents  around the EU will bring you more news on implementation, guidance and examples of consent solutions which we spot on our (online) travels over the Summer.

Tags: ,
Posted in cookies, Data Protection Act 1998, data protection compliance, e-Privacy, ICO guidance, location-based advertisements, online behavioural advertising; OBA, online data protection, Spain, UK, Uncategorized | 1 Comment »

For readers who missed the ICO’s inaugural webcast last week, or who have not had a chance to read his Annual Report, Datonomy brings you selected highlights.

But first (and on an unashamedly smug note) Datonomy is grateful to the Commissioner for his answer to the question it posed via the interactive Q&A feature – which, along with the webcast – was another ICO “first”.  We posed the following question:

“As Information Commissioner, if you could have three wishes in the year ahead (relating to UK private sector organisations’ compliance with privacy legislation, to EU policy – or anything else), what would these be?”

The Commissioner responded:

“My three wishes? Businesses to wake up to the fact that 90% of consumers are fairly or very concerned about the privacy of personal information held about them – and to think through the implications for reputation when mistakes are made. Website operators to take their ‘consent’ obligations [i.e. regarding cookies] seriously under the Privacy and Electronic Communications Regulations – because I’ll be after them if they don’t. And more private sector operators to take advantage of the free audit consultancy offered by the ICO to run the ruler over DP compliance. Why wouldn’t you?”

More from us shortly  on the ICO’s stated enforcement stance on cookie consent and third party cookies.

All the Q&A (12 at the latest count)  contain very useful insights on practical privacy issues ranging from the ICO’s approach to data breaches, fines and transatlantic data transfers which will be useful to those dealing with day to day  compliance issues. The interactive Q&A make an excellent complement to the more conventional content of the Annual Report.

Headline risks and radar issues for businesses

Not Datonomy readers will have had time to read the 86 page Report or even the 50 page summary.  So, what does a busy practitioner need to know?

  • Top 10 DP complaints: while issues like security and cookies tend to dominate privacy headlines, complaints about subject access requests are statistically the most likely to reach the Commissioner , accounting for 28% of complaints. Inaccurate data (15%), disclosure of data (12%) then marketing calls and security issues follow, with complaints about email and  SMS bringing up the rear.  
  • Complaints by sector: lenders – though not named – feature high up in the “rogues’ gallery” of most complained-about data controllers by sector, followed by “general business” (whatever that means!), then direct marketing, followed in turn  by local government, health, central government, telecoms and others –  see page 29 of the summary for full details.
  • Consensual audits: to paraphrase the Commissioner’s response to our question above, “what’s not to like about a free compliance audit?” The Commissioner is disappointed by the private sector’s poor take up of a free consensual compliance audit, with only 19% of those private organisations approached taking up the ICO’s offer.  Given that some of these reluctant businesses must have been in the most-complained about sectors of banking and finance, perhaps they would do well to reconsider?  Take up of audits by the public sector – which has suffered its fair share of data breaches – was more enthusiastic.
  • Monetary penalties and other enforcement action: the Report provides a useful catch-up on the first four monetary penalties imposed by the Commissioner, including the factors which contributed to the ICO’s decision to fine in these particular cases.  As a litany of mistakes to avoid, this is a must read for any organisation (see page 37). Undertakings continue to be the ICO’s weapon of choice – see pages 38-39 for illustrations.
  • Enforcement of cookies legislation: the ICO’s approach to developing best practice and enforcing the new rules on cookie consent will be “positive and realistic”.  Despite holding its enforcement powers in reserve until May 2012 to give businesses a chance to come up with workable consent solutions, it doesn’t rule out action “where it is clear that a website owner is doing little to attempt to comply”.
  • The review of Directive: Datonomy readers will already have the review of the EU regime on their radar – the ICO anticipates a busy year helping to shape the revised legislation.

Facts and philosophy for data protection geeks

For privacy geeks interested in the workings and philosophy of the ICO as an institution, there are many other points of interest.  These include the financials, salaries and details of case loads handled and efficiencies made.  On page 10 there are hints at future changes to the funding of the ICO’s respective FOI and DP remits and the possibility that  the ICO might one day break free from the “apron strings of the MoJ” and the “purse strings of HM Treasury”.

The Report is enlivened by some engaging imagery:  the ICO “walks a tightrope” balancing the right to know under the FOIA on the one hand and the right to privacy under the DPA on the other; it is a “robust and ready” regulator, now “armed” with fining powers to boost its “more clearly articulated enforcement strategy”.  But it remains, as we have come to expect, a “practical and helpful” regulator. 

Those who make it to the final page of the long form Report are rewarded with this thought provoking question from T.S. Eliot:

“Where is the wisdom we have lost in knowledge?

Where is the knowledge we have lost in information?”

Datonomy and its correspondents wholeheartedly endorse those sentiments: we try not to bombard our readers too frequently or with with too much information; we certainly aspire to help our readers share useful knowledge with one another.  And as for  wisdom?  Well, we hope you will find the occasional pearl of Data Protection wisdom here too.

 

 

 

Posted in Christopher Graham, civil monetary penalties, cookies, Directive 95/46/EC, EU data protection reform, ICO, ICO fines, Information Commissioner, UK | No Comments »

Datonomy is pleased to learn that the ICO’s 2010/2011 Annual Report will be launched via  webcast tomorrow. In addition, the ICO is inviting the submission of questions to the Commissioner by email in advance of tomorrow’s launch.

Tune in to the Annual Report section of the ICO’s website at this link at 2.30pm on Wednesday 6 July (where it will also remain available on catch up).

You are encouraged to email the Commissioner at the email address: websitefeedback@ico.gsi.gov.uk to pose all those (data protection) questions you’ve always wondered about, but were afraid to ask. (But be aware that all questions and answers will also be published on the ICO’s website.)

The Annual Report is always a must-read for UK data protection practitioners – not so much for the details of the  ICO’s balance sheet – although Datonomy is of course  curious to see what impact tiered notification fees and the introduction of civil monetary penalties have had on the regulator’s finances of late.  This Datonomist will be turning eagerly to the sections which give insight into the ICO’s enforcement priorities for the year ahead, and, of course details of those organisations who have fallen foul of the rules in recent months.

For those readers who are too busy to watch the webcast or read the report in full, Datonomy will be bringing you selected highlights.

Posted in Data Protection Act 1998, Datonomy, ICO, Information Commissioner, notification fees, Penalty, UK | No Comments »

Bartleby on Facebook

Roger Hartley - June 14th, 2011

Bartleby, the Scrivener, by Herman Melville, published in 1856, is a short story set in the Wall Street office of a respectable but unnamed New York lawyer, who narrates the story. He is one of those “unambitious” lawyers who, “in the cool tranquillity of a snug retreat, do a snug business among rich men’s bonds and mortgages and title deeds”. He employs in his office scriveners, copyists of legal documents, the strangest of whom is Bartleby. Bartleby shows himself to be a reliable if odd employee and copyist. But after a time there are unexpected events. Bartleby creates an enclosed place for himself in his employer’s part of the office with a screen, behind which he withdraws. It becomes clear that he is living in the office, because he is always there. Most importantly, when asked to carry out tasks by his employer he responds each time by saying “I would prefer not to”.

His exasperated but not unsympathetic employer does not know what to do in response. He enquires and considers exhaustively about Bartleby, what to do about Bartleby, and his enigmatic responses to ordinary requests. Most interestingly for our purposes, on one occasion, the narrator reflects that he never felt so private as when he was in the presence of Bartleby. Withdrawal, seclusion, privacy.

Bartleby has been interpreted in many ways, but it has perhaps not been noticed that “preferring not to” looks forward to the iconic statement on privacy in the Harvard Law Review by Warren and Brandeis (1890), with its equation of privacy with the right to be let alone. That means, among other things, saying I would prefer not to – or perhaps only establishing one’s preferences on preferring not to?

So what would Bartleby do with Facebook? Would he say, I prefer not to? Or would he join and set his privacy preferences to reflect where he would draw the line on preferring not to? This is perhaps the most baffling and ambiguous privacy issue to work through in relation to ICT’s and the social media. Does preferring not to mean not consenting at all, or consenting on the basis that privacy controls and preferences work and that a line can be drawn?

While the latter option seems reasonable , and the former a turning away from what might be a key feature of contemporary digital reality, isn’t there a sense about the current situation with privacy, reputation and the social media on the Internet that suggests the web and the technology are too strong, evolving too rapidly, and can’t be adequately controlled and regulated? And that the terms have altered decisively against privacy as we have known it? So, if you are still thinking abut Facebook, there might be something to be said for saying I’d prefer not to ?

Bartleby, The Scrivener can be found in Billy Budd, Sailor and Selected Tales: Oxford World’s Classics.

Posted in Uncategorized | No Comments »

The controversial and heavily challenged Data Retention Directive is under fire again.  Today’s post on telecoms blog Watching the Connectives discusses the recent EDPS Opinion in which the privacy watchdog calls on the European Commission to consider all options,  including repeal of the Directive, to strike a better balance between individual rights and crime prevention.  You can read the Opinion in full here, and Rob Bratby’s summary here.

Posted in Communications Data Retention Directive, Data Retention, EDPS Opinions, Human Rights | No Comments »

View All Posts