On 27 February 2013, the Article 29 Working Party (hereinafter “Article 29 WP”) adopted its newest Opinion WP 202 (hereinafter “Opinion”) regarding apps on smart devices. This article summarizes some of the most important statements and guidelines provided by the European data protection authorities.

Applicable law

First of all, the Opinion emphasizes that the Data Protection Directive (95/46/EC) and the ePrivacy Directive (2002/58/EC, as revised by 2009/136/EC) constitute the relevant EU legal framework for the processing of personal data via apps on smart devices and that both directives are imperative laws which cannot be excluded by contractual agreement.

Four main parties

Next, the Opinion identifies four main parties which, depending on the purposes and means of the respective data processing activity, carry different responsibilities:

1. App developers

According to the Opinion, app developers decide the extent to which apps access and process personal data on the device and, to that extent, have to be regarded as data controllers. Their responsibilities can be limited, though, if no personal data are processed and/or made available outside the device.

2. OS and device manufacturers

Operating system (OS) and device manufacturers are considered as (joint) data controllers for personal data which are processed for the manufacturers’ purposes, such as the smooth running of the device or security issues.

3. App stores

App stores are likely to be regarded as data controllers for personal data of users (such as their name, address or financial data) that are processed when users purchase apps.

4. Third parties

There are various third parties involved in the processing of data through the use of apps, e.g. advertising networks or analytics providers. The Opinion distinguishes between two roles of third parties. The first is to execute operations for the app owner; in that case, when acting exclusively on behalf of the app developer, the third party is likely to be operating as a data processor. The second role is to collect information via apps and process this information for its own purposes; according to the Opinion, in that case the third party acts as a data controller.

Legal ground

The Opinion then examines the legal grounds for handling data in connection with apps. It hereby distinguishes between two main stages of data processing:

1. Prior to installation

According to the Opinion, the user’s consent pursuant to Article 5(3) of the ePrivacy Directive must be obtained before information may be placed on and/or retrieved from the user’s device. The Opinion points out that this consent requirement refers to any information on the device and has to be observed by every service offered “in the Community”, regardless of the location of the service provider.

In addition, if personal data (e.g. contacts in the address book or pictures) are to be processed before or during the installation of an app, it must also be ensured that the user gives his or her consent pursuant to Article 2(h) of Directive 95/46/EC.

The Opinion points out that both consent requirements apply simultaneously and that, in both cases, the consent must be freely given, specific and informed.

2. During usage of the app

When it comes to the usage of the app itself, the legal ground for the processing of personal data may change and may be based either on consent or on other grounds, such as the necessity for the performance of a contract with the data subject (Article 7(b)) or the necessity for the purposes of legitimate interests (Article 7(f) of Directive 95/46/EC).

Other topics covered by the Opinion

In addition to the above, the Opinion also examines other relevant topics regarding the processing of data through apps. This includes an analysis of the fundamental principles of purpose limitation and data minimisation, a review of the security requirements and information obligations, and a discussion of the data subject’s rights, the retention periods and the specific safeguards that must be taken for the protection of children.

Guidelines and information

At the end, the Opinion provides various conclusions and recommendations for each main party. The most important ones are the following:

App Developers must

  • Ask for consent before the app starts to retrieve or place information;
  • Ask for granular consent for each type of data the app will access and allow users to revoke their consent;
  • Be aware that consent does not legitimise excessive or disproportionate data processing;
  • Provide a readable, understandable and easily accessible privacy policy.

OS and device manufacturers must

  • Update their APIs (application programming interface) and store rules to offer users sufficient control to exercise valid consent over the data processed by apps;
  • Implement consent collection mechanisms in their OS at the first launch of the app or the first time the app attempts to access personal data;
  • Employ privacy by design principles and ensure the default settings of pre-installed apps are compliant with European data protection law;
  • Provide (by default) user-friendly and effective means to avoid being tracked by third parties;
  • Ensure the availability of appropriate mechanisms to inform and educate the end user before the app installation.

App stores must

  • Comply with their obligations as data controllers when they process personal data;
  • Enforce the information obligation of the app developer, including the types of data the app is able to access and for what purposes;
  • Provide detailed information on the app submission checks they perform.

Third parties must

  • Comply with the consent requirement determined in Article 5 (3) of the ePrivacy Directive when they read or write data on mobile devices;
  • Not circumvent any mechanism designed to avoid tracking;
  • When acting as advertising parties, avoid delivering ads outside the context of the app.

Of course, this overview can only draw attention to some of the relevant statements which the Article 29 WP issued in the Opinion. From a practical point of view, one has to keep in mind that the national authorities generally conform to these European inputs and adopt them within their own field of activity.

Do you BYOD? Is your organisation DP compliant?

Audrey Tissier - March 26th, 2013

With the Bank Holiday weekend fast approaching, many Datonomy readers are likely to be taking some work home, checking emails and carrying out other work functions over the break. And the chances are that you will be doing this on a personal device, such as a smartphone, tablet or laptop. As Datonomy readers are no doubt aware, working off your own personal device is an increasing trend known as ‘bring your own device’ (BYOD). In September 2012, Apple’s CEO, Tim Cook, stated that iPads were in 94% of Fortune 500 companies, and tablets represent just one wavelength in the spectrum of technology infusing the workplace.

Along with the potential benefits of BYOD, such as working from your favourite coffee shop with a latte in hand, come increased data protection and data security risks. The Information Commissioner’s Office (ICO) recently commissioned a survey, conducted by YouGov in February this year, which found, rather worryingly for the world of data protection, that fewer than 3 in 10 employees who use a personal device at work are provided with guidance on BYOD, despite the prevalence of these devices in work environments. However, the good news is that this risk can be managed, provided organisations have clear policies.

Naturally, in pole position for championing a comprehensive BYOD strategy to avoid data protection breaches is the ICO, with its first piece of specific BYOD guidance, issued a couple of weeks ago. We assume that most Datonomy readers will be aware of the guidance already but Datonomy’s colleagues have been examining the guidance – you can see the full article on Olswang LLP’s website here.

From a quick straw poll of Datonomy’s European colleagues, it seems the UK is the first to provide specific guidance on this issue. However, the issue is a hot topic around the globe: Datonomy’s colleague Rob Bratby, Partner at Olswang Asia, recently spoke at Questex Asia’s BYOD and Mobile Security conference in Singapore on the subject (see the slides here). And in a post on his Watching the Connectives blog, Rob strongly advocates a holistic approach to BYOD policies, going beyond the legal department: changes must be implemented by senior management, HR, IT services and, crucially, all members of staff in order to be effective.

Datonomy’s correspondents will continue to monitor any developments (on the BYOD landscape) with keen interest from their mobile devices, naturally!

There have been various press reports over the last couple of days on the Irish Presidency’s memo to the EU Council of Ministers on the draft data protection Regulation. The memo has been reported as a watering down of the Commission’s proposals.

The Presidency encourages further consideration of a more risk-based approach to compliance, with an alleviation of some of the burdens of the new Regulation where the processing of data is limited or involves pseudonymous data. The Presidency has also asked the Council to consider whether the controversial requirement for organisations to appoint a data protection officer could be made optional, with possible incentives in the form of reduced regulation where an organisation does appoint a DPO.

Datonomy’s view is that although the memo is a step in the right direction it is a tentative one which fails to delve into specifics or tackle the more controversial provisions of the draft Regulation. The jury is still out and the votes on the Regulation over the next few months are likely to provide a better guide to where the Regulation will finally land.

In a month that has seen US politicians claim that the US is “losing the war” against international cyber attacks, and yet more household names report hacks on their systems, Datonomy has been looking at the practical obligations that the EU’s proposed new Directive on Network and Information Security could bring for businesses, and considering similar measures which are coming into force in Asia.

As if the escalating levels of threat were not enough (take your pick of this month’s news coverage; how about the “Eight billion hacking attacks a day” headline from ITV here), governments around the globe are proposing new legal obligations and sanctions to compel organisations to get their cyber defences in order and to notify the authorities when their systems have been compromised.

The EU officially unveiled its cyber strategy and Directive on Network and Information Security at the start of the month. This was followed on 20 February by the latest progress report from the UK Government (which adopted its own cyber strategy in 2011), including the establishment of the UK’s Computer Emergency Response Team (CERT).

The Datonomy team has been analysing the NIS Directive; see this article for our full analysis, which includes a comparison with the EU’s proposed security and data breach notification obligations under the draft DP Regulation. For Datonomy readers advising organisations on information security and crisis management, this is another important piece of the regulatory jigsaw.

If it is adopted, NIS would apply to public administrations and “market operators”. Market operators are split into two categories:

a) “Providers of information society services which enable the provision of other information society services”. These include: “e-commerce platforms; Internet payment gateways; social networks; search engines; cloud computing services; application stores”. That list is described as non-exhaustive.

b) “Operators of critical infrastructure that are essential for the maintenance of vital economic and societal activities in the fields of energy, transport, banking, stock exchanges and health”. These are detailed more fully (and again, non-exhaustively) in Annexe II to the Directive.

The new obligations on these organisations would include the following.

  • Obligation to take “appropriate technical and organisational measures to manage the risks posed to the security of the networks and information systems which they control and use in their operations.” This obligation is elaborated on as follows: “Having regard to the state of the art, these measures shall guarantee a level of security appropriate to the risk presented. In particular…to prevent and minimise the impact of incidents …and ensure the continuity of the services” (Article 14(1)).
  • Obligation to notify the competent authority of “incidents having a significant impact on the security” of the core services they provide (Article 14(2)).
  • Compliance with “binding instructions” from the competent authority (Article 15(5)).
  • Use of technical standards and specifications is to be promoted by Member States, to promote consistency (Article 16).
  • Obligation to provide the competent authorities with the information needed to assess the security of their networks and information systems, including documented information security policies (Article 15(2)(a)).
  • Obligation to undergo security audits by the national authority or an independent body, with the results made available to the competent authority (Article 15(2)(b)).

The devil of the new regime will be in the detail, for example with regard to national guidance defining the circumstances in which incidents need to be reported, and the nature of the “binding instructions” which national cyber crime authorities will have the power to issue. Technical standards and benchmarks will undoubtedly have a key role to play in helping define whether a business has done enough to comply. It is unclear how far current technical benchmarks like ISO 27001 will apply, or whether further standards will need to be developed.

Further afield – Singapore’s “nimble and comprehensive response” to cyber crime

So, as Datonomy’s European correspondents add another Directive to their watch list (a year or two for the EU institutions to agree on and adopt the proposal, and a further 18 months for Member States to transpose the rules?), our correspondents in Asia report that the Singapore Government has already adopted what are essentially very similar proposals. You will need to be a subscriber to the excellent Ecommerce Law & Policy to read the analysis by Matt Pollins and Rob Bratby of Olswang Asia in full, but here are some headlines. The rules have been introduced by amendments to Singapore’s Computer Misuse Act, giving the Government power to compel organisations to take a range of proactive and reactive steps to combat cyber crime. The powers come into play when Singapore’s defences, international relations or “essential services” are under threat. In other words, a similarly broad spectrum of businesses and sectors is potentially caught. The new regime will have teeth: fines of up to $50,000 and even prison terms for senior management for ignoring the rules. But like the proposed EU regime, much of the devil is likely to be in the detail of the very broadly drafted legislation.

Datonomy will of course be tracking legal developments both in Europe and Asia. Looking back at the past month’s tech news headlines, though, this Datonomist cannot help but think that it is the escalating practical threat and implications of a cyber attack, rather than the prospect of further (and possibly far-off) new legal obligations, that will galvanise organisations to review their information security.

Spain, a new front in Google’s data protection battle

Claire Walker - February 22nd, 2013

Datonomy’s Spanish correspondents have just posted an analysis of a recent ruling by the AEPD over Google’s autocomplete function, Google Suggest. The full analysis, which spans not only data protection but wider issues of defamation, intermediary liability and freedom of speech, is well worth a read over the weekend.

For Datonomy readers short of time, here’s a lunchtime synopsis provided by our Iberian Datonomists, Blanca Escribano and Marcos Garcia-Gasco.

The latest AEPD ruling

In May 2012, a citizen brought a claim before Spain’s DP authority, the AEPD. Google’s autocomplete function paired his name with the term “gay”, which he considered a potential avenue for defamation against him. Now, a decision against Google has been issued by the AEPD, which recognises the data subject’s right to object.

How does Google Suggest work?

As Datonomy readers will know, Google’s autocomplete function helps users to find information quickly by predicting and displaying searches that might be similar to the one that internet surfers are typing. Suggest’s predictions are algorithmically determined based on the popularity of the searched terms, geo-location references and other factors.

Google’s arguments …

Google explained that Google Suggest’s predictions are based on an algorithmic system in which no human intervention takes place. Google Suggest offers information automatically, which only indicates that some terms often appear connected. However, it is not possible to establish a direct relation between those terms and, moreover, it cannot be said that those linked terms provide any kind of information in themselves. Google also states that its autocomplete function cannot be considered a structured filing system according to the wording of the Spanish legislation and the European Directive.

… AEPD’s conclusions

The AEPD ruling concluded as follows:

a) Information associated by Google with data subjects must be considered personal data.

b) There is a processing of personal data.

c) Google is the controller of the relevant processing of data.

Thus, the AEPD recognises the right of objection of the data subject and obliges Google to take appropriate measures in order to avoid the undue association between the data subject and the term provided by Google Suggest.

Search engines in the EU, a restricted future?

Future implications of the AEPD’s decision are still uncertain. The legal disputes now being conducted in Spain should be added to others already being conducted in France and Germany, where Google Suggest has also been called into question.

It is worth considering whether this ‘restrictive’ EU data protection approach may put at risk the essence of search engines or, what is probably more important, third-party rights connected with their activity, such as the freedom of expression, information and other Internet freedoms. However, it seems logical to believe that these kinds of cases may be considered merely anecdotal when compared with the massive number of queries per second that Google records every day.

Please see this link to read the full analysis of this interesting case.

Posted on behalf of Blanca Escribano and Marcos Garcia-Gasco, Olswang Madrid.

Earlier this week, a new set of online behavioural advertising (OBA) rules came into effect, aiming to secure transparency and control for web users. The new rules will be enforced by the ASA. As OBA is typically administered by the use of cookies, these rules supplement existing opt in and transparency rules for cookies under the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (Regulations), which are enforced by the ICO.

As Datonomy readers are no doubt aware, OBA is a form of targeted advertising whereby third party advertising networks partner with websites from whom they collect data on users’ web viewing behaviour, in order to deliver them advertising that is more likely to be of interest. To illustrate by way of example, one of the Datonomy Home Team admits to being practically stalked by advertising for a particular brand of luxury handbag, as a result of her own online browsing.

What do the ASA rules require?

In terms of substance, there is some overlap between the ASA’s new guidance and the cookie consent opt in legal requirements under the Regulations, which have been enforceable in the UK since May 2012.

The new rules require:

  • Notifying consumers – third parties delivering ads to web users using OBA must give a “clear and comprehensive” notice to web users about the collection and use of web viewing behaviour data. This notice must be given on the third party’s own website and either in or around the advertisement delivered by OBA.
  • Consumer choice – the notice must also inform users of how to opt out of OBA and must include a link to a relevant mechanism that allows them to opt-out.
  • Explicit consent if all info captured – third parties that use technology to collect and use information about all or substantially all websites visited by web users on a particular computer must obtain explicit consent. This rule is aimed at “deep packet inspection” OBA, typically conducted at an ISP level.
  • No targeting the under 12s – third parties delivering OBA must also not create “interest segments” specifically designed for the purpose of targeting children aged 12 or under.

As mentioned, OBA is typically administered by way of a cookie, i.e. a small text file that is stored on the web user’s computer to determine which advertising they receive. It does therefore seem that there will be some potentially confusing overlap between this regime and that administered by the Information Commissioner’s Office. Whereas the ASA rules require an opt-out, the Regulations require web users to have given prior consent to the use of ad-related cookies. In addition, the Regulations will bite on both the third party OBA provider and the website publisher. Cookies used for behavioural targeting are at the more intrusive end of the scale and therefore the requirements under the Regulations for information and opt-in consent are greater than for, say, analytics cookies.

Is this good news for web users?

Datonomy welcomes any change which allows web users to be better informed and exercise more choice over how their data is used. The ASA states that these new rules are integral to the European Self-Regulatory Framework. Datonomy notes that many third party ad networks already pay a licence fee to a pan-EU body, the European Interactive Digital Advertising Alliance (EDAA), to use a single icon in or around display advertisements in order to provide notice to users. This icon links to a website called youronlinechoices.eu, whereby users have the choice to opt out of a range of third parties’ OBA (for more info see this author’s note here). Nonetheless there are clear benefits to offering consumers and the industry recourse to an independent complaint handling body in the form of the ASA.

It is disappointing to us here at Datonomy that the new rules do not cover the use of OBA on mobile devices. The ASA has stated that it envisages that the rules will be updated for mobile devices in the future. Given that over 10% of all web browsing now takes place via a mobile phone and that mobile is key to many retailers’ strategies, Datonomy is curious about the ASA’s justifications for leaving this browsing unprotected by the rules.

Enforcement risks for retailers?

The new rules are aimed at “third party” organisations. This means that the website owners, or indeed the retailers of the goods advertised as a result of OBA (the luxury handbag brand, in our example above), are not directly on the hook. One potential problem with enforcing the new rules is that the ASA may not be able to identify the third party ad networks serving the advertising. To solve this issue, the rules provide that the advertiser on whose behalf the advertising is delivered must co-operate with the ASA in good faith to help determine the identity of the third party. Retailers who outsource their OBA delivery will therefore wish to keep a close eye on any sub-contracting by their appointed third party ad network.

Given that the stricter rules on the use of tracking cookies have been fully in force since last year, will the addition of less onerous, soft law requirements make much difference? The ICO has not published details of any enforcement action specifically in relation to behavioural advertising cookies, although it is taking steps against a number of non-compliant websites, as it reported in its enforcement updates at the end of last year here and here.

Are Datonomy readers stalked by targeted ads? Are opt-outs being honoured in practice? Share your stories!

p.s. speaking of being followed online, we can’t help but nudge you to follow Datonomy on Twitter

German employment data law reform put on hold

Carsten Kociok - February 6th, 2013

Following wide-ranging criticism from the opposition, the unions and various data protection officials, the German government coalition last week finally withdrew its highly disputed bill for a new employee data protection regime in Germany.

The bill, which the government had originally published in August 2010 and which had been substantially amended twice since then, was supposed to introduce new rules for the collection, processing and use of employee data prior to and during an employer-employee relationship.

Amongst the most disputed regulations of the bill were various provisions which, subject to certain restrictions, allowed for

  • the use of tracking systems for the location of employees;
  • pre-recruitment medical examinations;
  • video surveillance of non-publicly accessible business premises;
  • the collection, processing and use of biometric data; and
  • the collection, processing and use of data generated through the use of telephone, internet or other telecommunication services.

According to senior government officials, additional discussions with the relevant stakeholders are now to take place before the legislative proceedings are resumed. It remains to be seen whether this will lead to further amendments of the bill or whether the bill will finally be dropped completely and replaced by a new draft.

In the meantime, employee data continue to be specifically addressed only by a single provision within the Federal Data Protection Act (Bundesdatenschutzgesetz) which broadly allows for the collection, processing and use of employee data if it is necessary for the conclusion, execution or termination of an employer-employee relationship.

The latest responses by the UK government and the ICO to the EU reform proposals will (mostly) resonate with businesses concerned about some of the more far-reaching changes.

The latest developments and time line

Datonomy has been taking stock of two recent UK developments: the Government’s response to the Justice Select Committee’s opinion on the European Data Protection framework proposals, published by the MoJ on 11 January, and the “latest views from the ICO” two-pager of 22 January.

Datonomy readers are no doubt au fait with the intricacies of the EU legislative process, but may nonetheless enjoy the blog post by Deputy Commissioner David Smith, with its helpful insight into the current state of play and user-friendly time line. Despite the strength of the European Parliament’s support for the Commission’s proposals, the reform still has a way to go, procedurally speaking. And not everyone shares the EP’s wholehearted support for every aspect of the proposals, as the most recent UK pronouncements illustrate.

Some UK concerns

The MoJ’s response document, which will inform the UK’s negotiating stance, and the ICO paper welcome aspects of the reforms but both highlight similar concerns:

  • The legal framework: both the MoJ and the ICO are concerned about the “twin track” proposal for a general Regulation and a Directive relating to criminal law enforcement, and the potential for inconsistencies to arise. The UK is lobbying for the Regulation to be re-cast as a directive. Germany too has constitutional concerns about the reforms; see our 2012 post here.
  • Too much harmonisation? While fundamental principles should be harmonised across Member States, both papers argue that not every detail of the regime needs to be harmonised. Indeed, for businesses operating internationally, greater harmonisation is one of the plus points of the reforms.
  • The “legitimate interests” condition: developing this theme further, the ICO’s paper argues the need to recognise different legal traditions (e.g. less prescriptive regimes like the UK’s) and cites the application of the legitimate interests condition as a practical example. As Datonomy noted in this recent post, this important condition could be significantly narrowed if the European Parliament’s amendments are adopted.
  • Economic impact: the MoJ counters the Commission’s 2.3 billion Euro cost-saving estimate with the UK’s impact assessment of £100-360 million per annum, and emphasises the impact of additional red tape costs for small businesses in particular.
  • Regulatory costs: the ICO is naturally concerned about the proposed loss of funding from notification fees, aside from which it estimates the new regime could cost it an extra £8-28 million.
  • Right to be forgotten: both organisations are concerned about the practicality of the R2BF and the dangers of raising unrealistic expectations for consumers.
  • Which organisations will require a DPO? The UK is advocating a more risk-based approach to the requirement to appoint a data protection officer, depending on the quantity and sensitivity of data handled, rather than a blunt threshold of the size of the organisation (as proposed by the Commission) or the size of the database (the EP’s counter-proposal).
  • Sanctions: both advocate regulators having discretion over whether to impose fines. The MoJ believes the current proposals on sanctions could create an overly risk-averse environment, and the ICO thinks that linking fines to a percentage of turnover is “impracticable”.

Comment

The “sovereignty” theme runs through a number of these concerns (and is topical given the current debate about the UK’s future in Europe). For many businesses the debate over the form of the new rules seems academic; it is the substance and the business impact (and cost) that counts. Datonomy hopes that the politicians will not get too bogged down in form, but will instead focus on ensuring the substance of the Regulation is workable, proportionate and does not tie up recession-hit businesses in unnecessary red tape.

The German state of Rhineland-Palatinate (German: Rheinland-Pfalz) recently caused some amusement amongst the internet community.

Despite long resistance from the state’s Data Protection Commissioner, Edgar Wagner, Rhineland-Palatinate finally went online with its own Facebook fan page in January, though not without Mr Wagner imposing a “feedback-channel ban” that requests all government agencies not to answer user questions on Facebook. Users who seek specific answers from the state government via its Facebook fan page are now referred to other channels of communication, such as e-mail or the state’s official websites.

The motivation behind this is, of course, data protection. Mr Wagner wants to keep the state’s fan page clear of any user interaction in order to avoid user data being generated by Facebook.

According to Mr Wagner, Rhineland-Palatinate did not want to stay completely off Facebook, as the social network offered good opportunities to provide information to its citizens. The state’s presence on Facebook is, however, only to serve as a “bridge” for users to the state’s official website.

“Presence without communication”, “social network without dialogue”: the “feedback-channel ban” has already attracted some mockery on the internet and from third parties. Johannes Steiniger of the Young Christian Democrats, for example, called it a “real-life satire”. And Pia Schellhammer of the Green Party asked Facebook users to post their questions on her webpage; she would then try to obtain answers from the state government and publish these on her own Facebook page.

However, despite (or probably because of) its satirical character, the case provides yet another illustrative example of the increasing resistance that Facebook is facing from data protection authorities in Germany.

Happy 32nd birthday, Data Protection

Claire Walker - January 28th, 2013

Today is Data Protection Day and, in the spirit of the occasion, Datonomy thought it would do its bit for privacy awareness.

For the uninitiated, Data Protection Day was initiated by the Council of Europe in 2006 to “celebrate the anniversary of the opening for signature of the Council of Europe’s Convention 108 for the Protection of individuals with regard to automatic processing of personal data”, which was in 1981, thus making the discipline of data protection a mature, but still relatively youthful, 32.

The Council of Europe’s website goes on “The aim of the Data Protection Day is to give everyone a chance to understand what personal data is collected and processed and why, and what our rights are with respect to this processing…Each interested member state, national or international body is encouraged to participate. The Data Protection Day is intended to be organised in a flexible and decentralised manner so as to cater for the wishes and resources of each participant.”

In the spirit of education, the UK ICO is, according to its very helpful press office, due to mark the day with various activities including initiatives to embed awareness of privacy rights in the primary and secondary school system. (The teenage children of this particular Datonomist will be delighted to learn that their personal information has value, particularly if that can be monetised…)

With privacy compliance now widely acknowledged as a board level issue, the Market Research Society is marking the day with the launch of its Fair Data kite mark endorsed by the ICO – see today’s coverage in the Telegraph. According to the report, major brands including GlaxoSmithKline have signed up. According to other reports, accreditation will require an audit by the MRS. Privacy seals are a hot topic for consumer brands – Article 39 of the draft new Regulation seeks to promote the use of such certification to give the public a more user-friendly way of assessing whether the brands to which they entrust their data are compliant.

Mention of the draft Regulation reminds us that last year, of course, Data Protection Day was marked in spectacular style by the European Commission with the official unveiling of its proposals for strengthened privacy rights and sanctions. As readers will be aware, those tough new proposals have gained strong endorsement from the European Parliament, and look increasingly likely to be adopted. So, how many more Data Protection Days will come and go before the new rules actually come into force? Datonomy reckons another two, or at most three, anniversaries from now – taking us to 2015 or 2016.

What should data controllers do in the interim to prepare for the introduction of more prescriptive rules and turnover-based fines? The next two years provide a vital window to audit and get the house in good shape for compliance. To that end, the Datonomy team has been busy developing an online audit tool to help organisations with what can be a cumbersome and time-consuming process. If you’d like to know more about the tool, please call Ross McKean (020 7067 3378) or Claire Walker (020 7067 3174).

Datonomy wishes all its readers a very happy Data Protection Day, and looks forward to comments about how the event has been observed around the world, or in your organisation.

Across the Channel, the event is being marked with a series of workshops, talks, book launches and even an art exhibition, detailed on the website of European Privacy Day. Datonomy readers have unfortunately missed the Privacy Party which took place on 25 January. For our readers on the other side of the Atlantic, details of events taking place in the US and Canada can be found on the website of Data Privacy Day.

Most Datonomy readers will already be aware of this morning’s news of a £250,000 ICO fine for Sony over the 2011 PlayStation hack, which Sony reportedly intends to appeal.

The ICO published the monetary penalty notice this morning, with Deputy Commissioner David Smith appearing on YouTube “making no apologies” for the size of the fine (the largest imposed on a private sector organisation to date, and the third largest fine ever imposed by the ICO).

Understandably, much of the factual detail and specifics on the vulnerabilities of the system have been redacted to avoid compounding the risks to Sony’s system by giving future hackers a helping hand. This makes for a slightly frustrating reading experience, and inevitably limits the insight which the decision gives practitioners into the specifics of what might or might not constitute appropriate security in the given context. So, what can we usefully take from the Sony investigation and subsequent enforcement action?

Timing and appeals

It is not clear why it has taken almost two years from the breach, in April 2011, for the penalty notice to be issued. The ICO must of course follow the notice and consultation process set out in Section 55B of the DPA, and its own guidance on the use of monetary penalties.

Sony is reported to be planning to exercise its right to lodge an appeal with the Information Tribunal, which must be done within 28 days. It is possible to challenge both the issue of a penalty notice and its amount, on the grounds that the fine was not in accordance with the law and that, to the extent the IC exercised its discretion, it ought to have exercised it differently.

Given that monetary penalties are relatively new, the appeals process is relatively uncharted territory. Earlier this month, the first appeal against a monetary penalty notice, by Central London Community Healthcare Trust, was rejected by the Information Tribunal. That ruling gives practitioners (and would-be appellants) useful insight into the Tribunal’s powers and likely approach. The progress and outcome of Sony’s appeal, the first by a private sector data controller, will be watched with interest.

Fines – present and future

In his video clip, David Smith commented that, from the ICO’s perspective, the “bright side” of the Sony data hack was the raised public awareness and concern over data security. Datonomy likes to believe in silver linings too – if it is any comfort to Sony, the fine, whilst high, is only half the maximum available to the ICO, and pales in comparison with the $171 million cost which Sony itself was reported to have put on the breach in 2011. Today’s fine is also considerably lower than the fines of 2% of global turnover which could apply in future under the EU proposals.

Obligations to notify breaches – present and future

Aside from the prospect of greatly increased fines, how else might the data hack scenario differ under the proposed new regime? 

Under the draft Regulation, all data controllers would be legally obliged to notify the regulator “without undue delay” and, where feasible, within a specified deadline. That notification window is subject to negotiation, with the Commission proposing 24 hours but the Parliament recommending a more pragmatic 72. Notifying a data breach to the regulator is currently only mandatory in the UK for communications service providers, although the ICO takes the view that all serious breaches should be notified.

The draft regulation would also introduce an obligation to bring breaches to the attention of affected individuals “without undue delay” where the breach puts their ID at risk.

As a matter of damage limitation and reputation management, even under the current voluntary regime, a household name suffering a major data breach is likely to opt to bring serious breaches to the attention of consumers and regulators – at least where that breach is or is likely to become public knowledge. Whether or not to challenge a monetary penalty notice is perhaps a more difficult tactical decision as it does inevitably prolong media attention.

Datonomy will monitor the progress and outcome of the appeal with keen interest.

Datonomy has been reading the draft report of Rapporteur Jan Philipp Albrecht on the proposed Data Protection Regulation – all 215 pages of it! The full report (available here) was discussed today by the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament and, although it is not binding on the Committee or on the Parliament itself, it will carry significant weight during the upcoming negotiation phase of the draft Regulation.

What is clear from the report is that both the Commission and the Rapporteur are strongly supportive of radical reform to the current data protection regime. After the report was published, Viviane Reding, EC Commissioner for justice, fundamental rights and citizenship, tweeted that she is “looking forward to swift adoption by both EP [the European Parliament] and Council” of the new data protection regulation. Momentum is building.

The helpful:

  • A proposal to extend the period within which controllers have to notify a data breach (to their data protection regulator) from 24 hours, as originally proposed, to 72 hours. This is a welcome change, though the requirement that notification must be made “without delay” remains (recital 67, Article 31).
  • There has been much discussion of “notification fatigue”. In the US where breach notification laws have been in place in most States for several years, consumers are plagued with breach notifications and, so the argument goes, are less likely to pay attention when notified of a serious breach. To address this, the Rapporteur has proposed clarifying that affected individuals need only be notified where the personal data breach is likely to adversely affect the protection of personal data or privacy of the data subject “for example in cases of identity theft or fraud, physical harm, significant humiliation or damage to reputation” (article 32).
  • The controversial “right to be forgotten” and “data portability” rights receive broad support (OK, not so helpful). However, more helpfully the Rapporteur has proposed that the right to demand erasure of data and be forgotten should apply only where the data was made public “without legal justification” (recital 54) so would not apply for example where an individual has agreed to publication. Any broader right to be forgotten is “neither realistic nor legitimate” according to the Rapporteur.

The unhelpful:

  • No real change to the very broad concept of personal data. Where a natural person can be identified from the data by any person (i.e. not just the data controller), the data is personal data. So, the IP addresses logged by a company monitoring hits to its website would be personal data, even if the company itself has no means of linking them to an individual, on the basis that an ISP somewhere in the world would be able to make the link (see article 4(1) and recitals 23 and 24).
  • A narrowing of the broad “legitimate interests” justification for processing personal data. This justification should apply “in exceptional circumstances” (recital 38). The Rapporteur has also attempted to define the circumstances where “as a rule” processing will be justified as legitimate and where “as a rule” processing would be unwarranted because the interests or fundamental rights and freedoms of the data subject take precedence (see the newly proposed Article 6(1)). If a controller wants to rely on this justification it must also “publish reasons for believing that its [legitimate] interests override the interests … of the data subject”. In the UK the legitimate interests justification is one of those most often relied upon to legitimise processing – if the proposed amendments become law, they would require a paradigm shift in how controllers seek to justify processing.
  • No change to the requirement that when relying on consent as a justification for processing, the consent must be “explicit”. The net result of the narrowing of the legitimate interests justification and consent justification is that it will be much harder for controllers to justify processing of personal data.
  • No real change to the requirement for data controllers to appoint a Data Protection Officer. Under the current regime in the UK there is no such requirement – instead controllers just have to notify the ICO and pay a fee of £35, or £500 if they have more than 250 staff. Under the draft Regulation, the notification requirement is replaced with an obligation to appoint a Data Protection Officer. The Commission proposed a threshold of 250 employees. The Rapporteur has proposed an alternative threshold of 500 data subjects per year (arguably an even lower threshold). The net result is that the current notification cost of £35 is likely to be replaced with a requirement to appoint a DPO, costing business thousands if not tens of thousands each year.
  • The very significant anti-trust style fines for infringing the requirements of the Regulation (up to 2% of annual worldwide turnover) are largely unchanged though trying to charge a data subject to access their personal data is promoted from a maximum fine of 0.5% turnover to 1% turnover due to its “chilling effect on data subjects”. (article 79(5)). The proposed fines certainly make the blood run cold.

Overall, the report is not helpful for business at a time when Europe needs all the help it can get to stimulate growth. It is a missed opportunity to cure some of the many shortcomings of the draft Regulation.
Datonomy will be keeping a close eye on the progress of the draft Regulation this year. Watch this space.

The Open Government Data Initiative: Risks and Rewards

Mel Shefford - November 22nd, 2012

The opportunities and risks involved in exploiting consumers’ personal data are the subject of much coverage at the moment. But what about the commercial potential of the vast data sets being made available by the public sector? Datonomy shares some observations.

Some of the Datonomy crew attended a Westminster eForum conference earlier in the month which had as its theme “policy priorities for user data”. Datonomy was particularly interested to hear one of the speakers, Professor Nigel Shadbolt, talk about the open government data initiative. The initiative is supported by a new independent organisation which is funded by the Technology Strategy Board, the Open Data Institute, which the Professor chairs with Sir Tim Berners-Lee as president.

The initiative – which involves publishing anonymised government data – was announced in November 2011 by George Osborne and can be seen as part of a general drive for transparency in government which in recent years has seen the public procurement process laid bare and the passing of freedom of information legislation.

So far, nearly 9000 data sets have been published on the data.gov.uk website. This Datonomist discovered all sorts of information there, ranging from the location of bus stops in Sunderland and alcohol-related statistics, to the intriguing “no crime” data set which shows what percentage, by police force, of reported offences were actually recorded as offences by police.

So why do we care about bus stops in Sunderland?

Open government data is a good idea for several reasons. Firstly, it encourages government accountability (for example, in relation to crime rates or public spending). Obviously the government isn’t always keen on releasing some kinds of information, but Francis Maude, the Cabinet Minister spearheading the initiative, has challenged government departments to be as transparent as possible, saying “I don’t have any doubt that giving our Press a lot of data to pore over will at times be uncomfortable for us in Government. But that’s the whole point. A closed door culture encourages complacency at best and at worst corruption.”

It’s not just about accountability though: analysis of multiple data sets can lead to improved procedures and decision making, and in turn, reduced costs – just last week, Margaret Hodge claimed that the government could save £33 billion by making better use of big data. For example, the NHS could analyse data which shows which hospitals are fighting an infection outbreak well and how they are doing so as a way of trying to control the infection. On a more global scale, data analysis can really yield results: earlier this month, Sir Tim Berners-Lee quoted an example of how data on the price and availability of medicines revealed that some governments were being charged up to 25% more for the same medicines, and this enabled some of the governments to pressurize pharmaceutical companies to reduce their prices.

Government data can also be used to help empower individuals by allowing them easy access to all kinds of data (such as in relation to local healthcare facilities and crime statistics). This ties in nicely with the government’s “midata” initiative, which is designed to allow consumers to gain access to data that is held in relation to them by businesses (such as on their spending or usage patterns).

In addition, it is suggested that the initiative can help drive economic growth because a significant amount of the data is licensed on an open government licence and can therefore be used by third parties (for potentially commercial applications). At a simple level, the bus stop data in Sunderland could be used in a third party app (which could involve advertising) to show the good folk of Sunderland their nearest bus stop. There are also more sophisticated examples, such as the Mapumental website which allows a user to input the postcode of their work location and how long they are prepared to commute. The website then uses government travel data to show the user where they could live. It can also interact with property rental and sale websites to show the user where they could afford to live based on their desired commute time (with somewhat depressing results for this Datonomist!).

So what are the risks in using government data?

It’s worth noting that government data is not risk free. As with any data, the data sets could be inaccurate, incomplete or unreliable. Analysis and extraction may also be difficult if non-transparent file formats are used, such as PDFs.

However, the more significant risk – from Datonomy’s perspective – is that government data could be used to obtain personal data if it is not properly anonymised. For example, a crime map which shows only one reported crime in a street could be used to provide information on a known individual. The Information Commissioner is very much alive to this concern, having published guidance on crime mapping in February 2012 and a new code of practice on anonymisation earlier this week.

However, whilst these risks should be taken seriously, they should not detract from the real value that can be obtained from using government data. Even in the initiative’s infancy, there are already many interesting examples of how it is being used by the public sector, individuals and businesses, and Datonomy looks forward to it being used in increasingly innovative and commercial ways.

UK notifications: ICO consults on changes

Claire Walker - November 1st, 2012

Any Datonomy readers who are responsible for their organisations’ annual DP notifications may wish to respond to the consultation published by the ICO today. The deadline is 30 November and it poses the following three questions about possible refinements to the UK system:

  • should the notification and payment process go fully online (Datonomy knows what a pain the manual nature of the current process is);
  • should the register contain contact details to help individuals with questions about the use of their personal data (already a matter of good practice when it comes to an organisation’s privacy policy); and
  • whether data controllers should have the option of providing a more narrative description of the data processing they carry out, with the opportunity to link to the organisation’s more detailed privacy policies.

The ICO would continue to provide template forms for specific types of data controllers, but Datonomy suspects that many of its readers’ organisations would favour a more nuanced approach.

The current consultation is confined to improving the status quo to make data controllers’ lives easier and, the ICO hopes, encouraging better levels of notification.

It does not allude to the proposals now being debated in Brussels that could ultimately make the exercise of notification a thing of the past. As Datonomy readers will be aware, Recital 70 of the new draft Data Protection Regulation would put an end to the “indiscriminate general notification obligation”. That, however, is on the assumption that it would be replaced by a raft of other (more onerous) compliance obligations, such as the appointment of DPOs, documentation of processing activities, privacy by design and in some cases privacy impact assessments – and that those measures would provide more effective protection for individuals’ privacy than filling in a form once a year.

Just how many of those proposed changes will become law remains to be seen. So for now (and probably until 2016, when the EU reforms would be likely to take effect in Member States) annual notification is with us…any improvements to the UK system are likely to be welcomed. The ICO consultation is here and Datonomy would be interested in readers’ reactions to the idea of narrative notification.

Google: EU regulators’ recommendations published

Claire Walker - October 16th, 2012

Documents from the Article 29 Working Party do not always attract a lot of media attention, but today’s letter to Google and Main Findings and Recommendations document, which follow the recent investigation by CNIL, will be of wider interest than usual…


A quick briefing on Singapore’s new DP Bill

Claire Walker - September 13th, 2012

Datonomy’s Asian correspondents provide a practical guide to the Personal Data Protection Bill, introduced before the Singapore Parliament this week. This post by Olswang’s Rob Bratby provides corporates with a user-friendly guide to the essentials. The legislation could be in force by the end of 2012.

Datonomy has been watching the progress of Singapore’s privacy regime with interest – see our April post by Elle Todd, which highlights some of the key differences from the EU regime with which Datonomy readers are more familiar.


At a recent conference on the EU’s data protection reform proposals in Berlin, Cornelia Rogall-Grothe, state secretary at the German Ministry of Interior, expressed doubts regarding some fundamental principles of the draft regulation which made it clear that the European Commission’s proposal has a long way to go before a final version may be adopted.

It is not news that the German government disapproves of the draft regulation’s approach of also regulating data protection for the public sector, i.e. the state. Ms. Rogall-Grothe emphasised that German data protection provisions for the public sector were very elaborate, shaped both by statutory law and by judgments of the Federal Constitutional Court. Thus, it would not be necessary to regulate the organisation of public registries or the handling of social security data by a harmonised European law.

In addition, the state secretary sees an inherent danger that efforts to enforce data protection rules for the private sector exceed the necessary level. In this regard, the current reshaping of data protection rules at the European level would provide a unique opportunity for change. Accordingly, she laid out that the German government supported the idea of introducing a legal regime which provides for a general permission to collect and use personal data unless a legal provision prohibits such use.

The conference’s second keynote speaker, Jan Philipp Albrecht, member of the European Parliament and member of the Committee on Civil Liberties, Justice and Home Affairs, expressed his surprise at this proposal, as the idea that the collection and use of personal data must be prohibited unless explicitly allowed has been a basic principle of German data protection law for over 30 years and also inspired the Commission’s draft regulation (see Article 6). Contrary to Ms. Rogall-Grothe, he regarded the Commission’s draft proposal as a useful basis, although he indicated that several amendments and clarifications were necessary. He explicitly criticised the position of the European Commission as too strong, because the draft authorised the Commission to further develop several undefined terms and processes.

Ms. Rogall-Grothe announced that the German Federal Government was currently planning a European conference on data protection in October. At this conference, the government intended to discuss three topics in particular: (a) fewer data protection provisions for individuals and small businesses, (b) a flexible data protection regulation which depends on the particular risk involved for the individuals’ private spheres, and (c) self-regulation options for businesses.

As these topics are rather big issues, there is increasing indication that the legislative process for the draft regulation will not be short and easy.

Germany: Wait and see, have a Cookie!

Christina Motejl - June 8th, 2012

Unlike in the UK, the implementation of the European Directive 2009/136/EC, also called Cookie-Directive, is not a major point of concern amongst e-commerce businesses in Germany.

So far, the Federal government has limited the implementation of the directive to amendments of the Telecommunications Act (TKG), which mainly covers the technical process of sending signals and the regulation of the telecommunications market, and sees no need to amend other German legislation because of the directive. In the TKG draft amendment, the government stated that individual questions such as the amendment of Art. 5 para 3 of directive 2002/58/EC are still subject to a consultation process at the European level, including self-regulation solutions by the advertising industry, and that it intends to wait for the results of this consultation process before amending any laws.

The Ministry of Economics takes the view that an opt-in solution is already realised by sec. 12 para 1 and 2 of the German Act on Telecommunication Media (TMG), which require the user’s consent for a collection of their personal data. The ministry thus seems to hold the view that a general consent given by using the browser option to accept cookies is sufficient to declare such consent and that the directive does not set a higher threshold for such consent. This interpretation is similar to the ICO’s recent guidance on implied consent. However, it is also wider, as it only requires the user to select the browser setting “accept cookies”, and no action by the user on a particular website. Accordingly, German websites have not become more active in publicising their use of cookies in practice since the deadline for the implementation of the Cookie-Directive passed.

However, the German data protection authorities think that the TMG will need to be amended to implement the Cookie-Directive, as the directive requires an informed consent to receive cookies. The German Federal Data Protection Officer doubts that such consent is currently provided by the browser option to accept cookies, as this option is often set by default without providing any information about cookies. Last month, Peter Schaar, Germany’s Federal Data Protection Officer, announced his opinion that the Directive might also be directly applied by the data protection authorities.

Legislative proposals by the Bundesrat, the legal representation of the German states, and the major opposition party SPD provided for an explicit consent for cookies, but were not adopted. However, the final say on whether the implementation is sufficient lies with the European Commission, which has already announced that it will sue Belgium, The Netherlands, Poland, Portugal and Slovenia for non-implementation of the Directive.

The current view of the government is consistent with German business practice, under which a consent by the user to accept cookies is only required if the cookies process personal data, and in any case consent may be given by setting the browser to accept cookies. Under sec. 13 para 1 TMG, the use of cookies must also be mentioned in the website’s privacy statement if they might process personal data in the future, and most German websites comply with this requirement.

Although it is possible to take a different legal view, there is no known case of data protection authorities taking action against internet sites that use normal cookies. Some data protection officers have issued warning letters against webshops that use web tracking technology like Google Analytics, which is based on cookies, but this was motivated by the fact that Google Analytics transfers the IP address (which, according to the authorities, constitutes personal data) to Google. However, the German public is quite critical of large corporations that create personal user profiles for targeted marketing, and it is possible that the data protection authorities will change their strategy regarding cookies on the basis that the Directive may be directly applicable in Germany because it was not properly implemented.

Datonomy can empathise with anyone tasked with making their organisation’s website compliant with the cookie consent rules. Here we share our own experiences, review the latest guidance from the ICO and take a look at some of the compliance mechanisms appearing on other UK websites.

Stop press – revised guidance from the ICO on implied consent

The ICO marked the end of its year long enforcement amnesty by refreshing its guidance.  On 25 May it launched:

The clear message from the ICO is that, although non compliant businesses must now take action, the emphasis should be on “good” rather than “rushed” compliance solutions.  

The most important point to note about version 3 of the guidance – which is otherwise an evolution of version 2 – is the significant shift in emphasis on the validity of implied consent. Since publishing version 2 in December 2011, the ICO has warmed to the merits of implied consent as a potential consent solution in the right circumstances – see pages 6-8 for the salient details, which include:

“For implied consent to work there has to be some action taken by the consenting individual from which their consent can be inferred. This might for example be visiting a website, moving from one page to another or clicking on a particular button. The key point, however, is that when taking this action the individual has to have a reasonable understanding that by doing so they are agreeing to cookies being set.”

The new ICO guidance also gives explicit endorsement to the approaches suggested in the very practical ICC UK Cookie Guide which came out in April.

Datonomy was of course already taking “measured and proportionate steps” towards cookie compliance before the UK deadline, so in the remainder of this post we thought we’d share our learning curve.

Compliance curve Step 1 – conducting our audit

Writing about one’s own cookie compliance is surely a hostage to fortune, given the ease with which anyone else can audit your site to find out whether you’re telling the full story or not. Note for example the Collusion initiative being promoted by the Guardian newspaper and Mozilla, which encourages us to “track the trackers”. So, with some trepidation, we embarked on the audit process. What if it revealed that a modest blog site set up to highlight developments in privacy law and practice turned out to be harbouring guilty cookie secrets of its own?

To find out, we used Attacat’s Cookie Audit Tool (an extension for Google Chrome) to scan Datonomy for cookies. The resulting report details the cookies by domain, name, duration and – my personal favourite column – “possible naughtiness” on a scale of 1-5. Certain cookies, like the universally used Google Analytics cookies _utma, _utmz etc., are becoming familiar. Would-be cookie auditors should brace themselves for lengthy lists of cookies, many of them identified by incomprehensible jumbles of letters and numbers.

Datonomy particularly likes the chatty and informal style of the Attacat report. An example is the “Unknown 1st party cookie”, on which the Attacat report’s “Thoughts” column recommends: “Grab a cuppa with your developer and run through the detailed log”. For any readers concerned about this one, it is indeed under investigation (over a cuppa). Social media-savvy readers who “Like” us on Facebook, share us on LinkedIn and Tweet our posts should take note that the social media/sharing tools set by third party sites account for the vast majority of the cookies set on a user’s visit to Datonomy.

For others about to embark on a similar exercise, and at the risk of stating the obvious: in order to get a comprehensive picture, it’s important to put the site you are auditing through its paces while you are running the scan, using all the functionality available to an end user.

Step 2 – providing you with clear and comprehensive information

Armed with a detailed audit report, the next step is to provide “clear and comprehensive” information. Datonomy has taken a layered approach, with a short notice prominently displayed at the top right of the screen linking to a more detailed table for those with the appetite for more detail.

Datonomy has always believed that good privacy practice can be creative and individual, so it has labelled its own cookie notice a little differently. Did you spot it? What do you think?

Datonomy’s more grown-up relation, the Olswang.com website, has opted for greater conventionality, labelling its notice “cookie policy”. It has also followed ICO guidance by moving the cookie information out of obscurity to greater prominence at the top of the screen.

Datonomy is also a fan of the practical guidance, cookie categorisations and suggested descriptions in the ICC’s UK Cookie Guide mentioned above, including the iconography used by BT’s website to represent the four main cookie types. Although it hasn’t used them, Datonomy very much likes the “cookies in use” icons available in a range of styles from the Attacat website.

Datonomy readers are probably the best judges of whether the information we’ve provided is clear and comprehensive enough, or whether, in Dave Evans’s words, the information “means something to them”. Why not post a comment (which will of course trigger a cookie) and let us know your views?

Step 3 – getting your consent

So having audited, and provided information, that just leaves the trickiest bit – how to obtain your consent to the various cookies without deterring you from visiting the site altogether.

The most creative consent mechanism we’ve seen so far is the interactive cookie control “slider” on BT’s website. The BBC website introduced a banner-style consent option across the top of its site last week, and first-time visitors to the Olswang.com website are now greeted with a pop-up at the bottom of the screen.

Datonomy, with more limited resources, is working with its web development colleagues and is considering customising an opt-in pop-up button provided by Cookie Control. However, in view of the limited intrusiveness of the cookies we deploy, and the latest guidance from the ICO on the validity of implied consent based on a “shared understanding” between us and our readers about these cookies, perhaps we don’t need to bother? There is an argument that we could rely on implied consent based on your continued and now well-informed navigation of the website. Datonomy’s readers are a well-informed and opinionated bunch, so we await your views with interest.

For those still wondering what consent solution is right for their particular website, the ICC’s Guidance, now officially endorsed by the ICO, is a rich source of practical options for cookies of varying types. (Sorry to mention it for a third time, but it really is one of the best things to have emerged from the cookie experience, and Datonomy can’t help thinking that if the ICC’s sensible advice had come out a year ago, there would have been less hoo-ha about compliance.)
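As an added illustration of the two consent routes discussed in Step 3 (an explicit opt-in button versus implied consent from continued navigation after the notice has been shown), here is a small consent gate written for this post; it is not code from Datonomy, the ICO, the ICC or Cookie Control. The cookie names and the Map standing in for the browser’s cookie jar are assumptions so that it runs outside a browser.

```javascript
// Added example: gate non-essential cookies behind consent. Essential cookies
// (session, the notice-seen flag and the consent record itself) are always
// allowed; analytics/social cookies are refused until consent exists.
// Cookie names are assumed; `jar` is a Map standing in for document.cookie.
const ESSENTIAL = new Set(["session", "cookie_notice_seen", "cookie_consent"]);

function createConsentGate(jar = new Map()) {
  return {
    jar,
    // Step 2: the layered notice is displayed; remember this so that a later
    // page view can be read as consent by a reasonably informed visitor.
    showNotice() { jar.set("cookie_notice_seen", "1"); },
    hasConsent() { return jar.has("cookie_consent"); },
    // Explicit route: the visitor clicks the opt-in button.
    acceptClicked() { jar.set("cookie_consent", "explicit"); },
    // Implied route: called on every page load. Consent is inferred only if the
    // notice was already shown on an earlier page, never on the first visit.
    pageView() {
      if (jar.has("cookie_notice_seen") && !jar.has("cookie_consent")) {
        jar.set("cookie_consent", "implied");
      }
    },
    // Called by anything that wants to set a cookie (e.g. an analytics loader).
    // Returns true if the cookie was set, false if it was blocked.
    setCookie(name, value) {
      if (ESSENTIAL.has(name) || jar.has("cookie_consent")) {
        jar.set(name, value);
        return true;
      }
      return false;
    },
    // Withdrawal: drop the consent record and every non-essential cookie.
    withdraw() {
      jar.delete("cookie_consent");
      for (const name of [...jar.keys()]) {
        if (!ESSENTIAL.has(name)) jar.delete(name);
      }
    },
  };
}
```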

And finally…

The ICO, as well as educating users, is encouraging members of the public to report their cookie concerns, no doubt to help the ICO build a fuller picture and prioritise any enforcement action. We hope that Datonomy readers will not have any concerns about our cookies, but if you do, please bring them to the attention of our blogging team.

If you have got this far, we assume you have duly noted our cookie information and we infer your consent to the cookies which will by now have been placed on your device. Alternatively, you may have taken steps to block cookies via your browser – in which case we hope your “user experience” on the site has not been significantly impaired.

Whatever your levels of cookie tolerance, though, we hope you will continue to read and interact with this blog.

Whilst a lot of attention has been given to European data protection legislation, we should not forget some interesting developments which are happening in Asia at the moment.

Indeed a spate of new data protection legislation has been prepared and in some cases already passed in the last year. For example, Malaysia will have its new data protection regime come into force this summer and just last month the Philippine government passed its privacy legislation.

Particular interest has been generated by the Singaporean draft legislation, the latest (and potentially last) draft of which was published a few weeks ago. Whilst the legislation does borrow some concepts from the current European regime, other provisions draw more comparison with US privacy laws (particularly with regard to information which is made publicly available).

Areas of difference to familiar European legislation which caught Datonomy’s eye include:

  • The focus of the legislation is only on the private sector. Government agencies are not covered.
  • All organisations that are engaged in data collection, processing or disclosure within Singapore would be caught by the regime, even where the organisation is not physically located in Singapore. So, for example, an organisation which is based in the UK (such as a UK website) but which collects personal data from Singaporean customers would need to comply. This raises similar extra-territorial debates to those raised recently with the new draft European Regulation. In this case the Singaporean government has admitted that it recognises enforcement and investigation may be rather difficult in the case of overseas companies.
  • The Act draws no distinction between personal and sensitive personal data – all must be treated the same.
  • The law specifically incorporates a reasonableness test, so organisations must consider “what a reasonable person would consider appropriate in the circumstances” when complying with the Act.
  • There are no notification requirements, so there is less bureaucracy.
  • Perhaps most interestingly, the government made a decision to extend rights to cover data of deceased individuals in terms of obligations around data disclosure and security up to 10 years from the date of death.

So, what do readers think of the proposals? To date the European legislation remains silent as to whether data subjects must be living, but most national regimes (including that of the UK) have limited it in this way. Do you think that there may be merit in revisiting this, like Singapore?

Datonomy will be keeping an eye on the developments in Asia and, in particular, will feed back when the final Singaporean draft is published.
