FT readers will have already seen the FT’s report (4/12/11) that it has had a sneak preview of the eagerly awaited draft Data Protection Directive. The most headline-grabbing issue is the possible introduction of fines of up to 5% of global turnover for privacy breaches. If that doesn’t make data protection exciting, nothing will!

Remember that the new Directive still has a long way to go. When the proposal is published officially and in full – expected to be in January – there will be much for data protection practitioners (in every sector and every practice area) to analyse.

The likely headline issues and broad areas for reform were well signposted in the Commission’s Communication of November 2010. Just how these broad proposals translate into the detail of the first draft remains to be seen – but if “stronger sanctions” in the Communication translates into “fines of 5% of global turnover” in the first draft, then the detail of that first draft is going to make for interesting and possibly controversial reading!

The UK’s regulator, the ICO, last month published a “wish list” of issues it hoped to see addressed, and has also begun its own blog on the future of the EU DP regime.

Datonomy will be tracking the progress of the new Directive as it begins its official legislative journey shortly. With the festive season approaching, Datonomy would love to hear what’s on the wish lists of its readers and correspondents around the globe – at least as far as the future of privacy legislation is concerned!


Posted in Uncategorized

Datonomy attended the event “Datendialog”, hosted by Google in Berlin on 24 November, where many interesting speakers discussed the current situation and future of privacy, but also of openness.

Blogger and science fiction author Cory Doctorow described the current situation of many free internet offers as a “privacy bargain”, in which users trade their personal data for services. The deal, however, is one-sided and never negotiated. Doctorow therefore called for technical measures that would prevent companies from tracking users with cookies, and compared the situation to pop-up windows, the widespread use of which decreased after Mozilla became the first browser to offer a tool to block them. In his words, cookie managers could be the new pop-up blocker.

Federal data protection commissioner Peter Schaar said that German data protection law needed to be amended, especially with regard to the question of applicable law. If companies systematically offer services in Europe and collect and use the personal data of millions of European users, they should be forced to comply with the basic values of European law. He criticised the government’s current preference for self-regulatory solutions, as these carry the inherent danger of falling below the level of legal rules. Secretary of State Rogall Grothe of the Ministry of Interior, on the other hand, stressed that the level of youth protection had increased thanks to self-regulatory solutions in the industry.

By contrast, author Jeff Jarvis emphasised that the principles of publicness and ethical sharing should also be protected, as they allow for a more open society. He would not want a society that was “private by default”. However, he also stressed that privacy and publicness are not mutually exclusive principles.

Google, once tagged as a “data kraken”, is at the moment in the rather comfortable situation that Facebook, with its position that German data protection law does not apply to it, attracts almost all of the criticism regarding data protection problems. Cory Doctorow, for example, described Facebook’s business model as “making big changes and settling for a little less after public outcry”. The event showed, however, that Google does not hesitate to invite critics such as Cory Doctorow and data protection commissioner Peter Schaar, and seems to be interested in playing an active role in the discussion about the necessary extent of data protection.


Posted in data collection, Facebook, Germany, Google

At a recent roundtable event hosted by the Brussels office of Olswang LLP, Datonomy heard a range of perspectives on data protection issues in the context of social network sites (SNS).

Around 50 members of the Belgian Institute of In-House Counsel attended the event.

Iain Stansfield from Olswang’s London office set the scene and demonstrated through a number of practical examples what can go wrong for companies that are active on SNS – and, further, what can go wrong when they are not active. Besides the risks there are of course clear advantages to being social online, and Iain discussed the need to find a balance between being social on the one hand and complying with the law on the other.

Christine De Keersmaeker from Olswang’s Brussels office explained what social media do to your intellectual property and how they affect trade marks and copyrights. She also explained how trade mark and copyright holders can deal with the threats of social media through prevention, e.g. by creating awareness and policies, and how and why repression is not necessarily the right solution.

Patricia Cappuyns elaborated on the data protection and privacy issues related to SNS. She made in-house counsel aware of the obligations companies face when they are online on SNS. She explained how to apply the fundamental distinction between the data controller and the data processor to the different SNS scenarios, and concluded that companies will often be considered to be joint data controllers.

The ensuing discussion with in-house counsel revealed that most companies are not ready to meet their data protection obligations vis-à-vis virtual customers. Companies should have a policy in place with detailed guidelines, for example on how to comply with a request for access, rectification and deletion of data.

In order to prevent employees from misusing their company’s trade mark on SNS – or simply to prevent them from wasting their time – companies also feel the need to monitor their employees’ online activities. It is easy to see how the legitimate right of supervision, exercised through cyber-surveillance, may conflict with the fundamental right of privacy, which also applies in the workplace. Under Belgian law, a Collective Labour Agreement (N° 81) deals with this issue and sets the conditions under which companies may legally monitor their employees. This agreement provides, amongst other things, that employers are only allowed to monitor their employees’ electronic communications to the extent that the monitoring meets the principles of legitimacy, finality, proportionality and transparency.

For companies taking their chances on SNS it is therefore of key importance to put in place a legal step-by-step plan without hindering the main objective of the SNS effort, which is to present the company as a social online presence.


Posted in cyber-privacy, data controller, data processor, data protection compliance, privacy policy, privacy notice, social networking sites, surveillance

Facebook encounters more and more problems with Germany’s Data Protection Commissioners. Only last month, the Data Protection Commissioner of Schleswig Holstein, Thilo Weichert, announced proceedings against public authorities and companies in Schleswig Holstein that use Facebook’s Like-Button on their websites (see Datonomy post of 6th October). Mr Weichert’s criticism was that the Like-Button enables Facebook to track users even if they have not clicked the button.

Now, Johannes Caspar, Hamburg’s Commissioner for Data Protection and Freedom of Information (HmbBfDI), has conducted an investigation into Facebook’s use of cookies, which enable Facebook to recognise its users even if they are not logged in or if they visit a third-party website that uses an embedded Like-Button. According to Caspar, Facebook had argued that it uses cookies mainly for security reasons, such as youth or password protection. The Commissioner, however, claims that this is essentially not true, as most of those functions are optional and only activated after users have given their approval. Caspar therefore suspects that Facebook uses cookies simply to create tracking profiles of users. Under German data protection law, tracking in the form of the collection of personal data is not allowed if users have not given their consent. Even in the case of pseudonymised data collection, users have to be informed about the tracking and about their right to object.

As a first reaction to Caspar’s accusation, Facebook indicated its willingness to discuss the technical mechanisms of its use of cookies. However, in a parliamentary committee hearing last month, Facebook also claimed that German data protection law would not apply to them.

They may have good reason to do so – sec. 1 para 5 sentence 1 of the German Data Protection Law (BDSG) provides that German data protection law does not apply to data controllers situated within a member state of the European Union or the European Economic Area that collect personal data in Germany, if they do not collect such data from a branch office situated in Germany. Facebook’s terms and conditions name Facebook Ireland Ltd. as the contract partner of all users who reside outside the US or Canada. Accordingly, Facebook’s German subsidiary “Facebook Germany GmbH” claims to provide mere marketing activities for “the internet site of a social network”. If this is true, Irish data protection law would in fact apply to Facebook’s European activities, and only the Irish data protection authorities would be competent to supervise Facebook’s data collecting activities. The situation is different, however, for website owners residing in Germany who use Facebook’s Like-Button: they are subject to German data protection law.

It remains to be seen whether Facebook will risk the consequences of an open conflict with the German data protection authorities, which might eventually result in a German court ruling that German authorities are ultimately competent to regulate Facebook’s activities in Germany.


Posted in cookies, behavioural advertising, Google, data collection, Facebook, Germany, opt-outs

The independent Data Protection Commissioner of Schleswig Holstein, Thilo Weichert, has initiated proceedings against public authorities and companies in Schleswig Holstein who use Facebook’s Like-Button on their websites or who operate a Facebook fanpage.

The main point of criticism regarding the Facebook Like-Button is that it is directly loaded from the Facebook site, which enables Facebook to track the internet user by their IP address or a previously set cookie, even if they have not clicked the button. As regards the Facebook fanpage, the data protection authority says it violates data protection laws (in particular, sec. 15 of the German Telemedia Act) as Facebook collects user data to generate web statistics without enabling the user to object to this procedure. Therefore, it would generally not be possible to use a Facebook fan page in a privacy compliant way. By using the Like-Button or creating a fanpage on Facebook, the website or fanpage operator enables the violation of European data protection law by Facebook, Weichert says.
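The mechanism described above (an embed fetched from a third party’s servers on every page view, before any click) is something a website operator can check for on its own pages. The following Python script is an added example, not code from the original post or from any of the authorities or companies mentioned: it lists every script, iframe and image a page loads from a host other than its own and flags hosts on an assumed tracker list. The sample HTML, the example hostnames and the tracker list are constructed for the illustration.

```python
"""Audit an HTML page for embeds fetched from third parties on page view.

Added example, not code from the original post. The objection to the
Like-Button is that the browser fetches it from Facebook's servers as soon
as the page renders, so the visitor's IP address and any cookie already set
reach Facebook without a click. A site operator can find such embeds by
listing every script, iframe and image loaded from a host other than its own.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the operator treats as known trackers (assumed list; adapt per site).
TRACKER_HOSTS = ("facebook.com", "facebook.net")

# Elements whose URL attribute is requested automatically when the page renders.
AUTO_LOADING = {"script": "src", "iframe": "src", "img": "src"}

# Constructed sample page: a first-party script and image, a Like-Button SDK
# script, a fan-page iframe and a 1x1 pixel from a hypothetical partner.
SAMPLE_PAGE = """
<html><head>
<script src="/static/site.js"></script>
<script src="//connect.facebook.net/de_DE/all.js#xfbml=1"></script>
</head><body>
<img src="https://www.example-ministry.de/logo.png" alt="logo">
<div class="fb-like" data-href="https://www.example-ministry.de/"></div>
<iframe src="https://www.facebook.com/plugins/likebox.php?id=PLACEHOLDER"></iframe>
<img src="https://cdn.example-partner.net/pixel.gif" width="1" height="1">
</body></html>
"""


class EmbedCollector(HTMLParser):
    """Collect (tag, url) for every element that triggers a request on load."""

    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        attr = AUTO_LOADING.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url:
            self.embeds.append((tag, url))


def _matches(host, tracker):
    """True if host is the tracker domain itself or a subdomain of it."""
    return host == tracker or host.endswith("." + tracker)


def find_third_party_embeds(html, first_party_host, trackers=TRACKER_HOSTS):
    """Return one dict per embed fetched from a host other than first_party_host.

    Relative URLs are first-party by definition; protocol-relative URLs
    ("//host/...") resolve to their host just like absolute ones.
    """
    collector = EmbedCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.embeds:
        host = urlparse(url).hostname
        if host is None or host == first_party_host:
            continue
        findings.append({
            "tag": tag,
            "host": host,
            "url": url,
            "known_tracker": any(_matches(host, t) for t in trackers),
        })
    return findings


if __name__ == "__main__":
    for f in find_third_party_embeds(SAMPLE_PAGE, "www.example-ministry.de"):
        flag = "TRACKER" if f["known_tracker"] else "third-party"
        print(f"{flag:12} <{f['tag']}> {f['url']}")
```

Run against a saved copy of a live page, the output is the list of hosts that receive the visitor’s IP address and cookies on load; removing or deferring those embeds until the user acts is what the authority’s letters ask for.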

According to newspaper reports, Weichert’s authority has written letters to, inter alia, several state ministries and the state chancellery, which is the office of the state’s prime minister. The letters request the recipients to remove the Like-Button from their websites or to delete their Facebook fanpages by the end of October. Under the Telemedia Act, privacy infringements can be fined by up to €50,000.

However, the state chancellery of Schleswig Holstein, whose Facebook fanpage has more than 13,000 fans, has already announced that it intends to keep its fanpage, as it is an important means of communication, especially in the evenings and at weekends.

It remains to be seen whether the data protection authority will fine public authorities for not sufficiently protecting the personal data of citizens, and whether those public authorities will then have to pay the fines with tax money collected from the very citizens whose protection the fines are meant to enforce.

Aside from the undeniably absurd aspects of this case, the Data Protection Commissioner’s approach shows the increasing willingness of German authorities to act against large US companies regarded as “data kraken” – collecting any data they can get hold of. As they cannot get hold of the US companies directly, they target the German website providers who use the services of these companies. The same approach has already motivated Google to offer a data protection compliant version of Google Analytics that encrypts part of the user’s IP address.


Posted in cookies, behavioural advertising, Google, Facebook, Germany, government data handling, IP address

At a recent roundtable event hosted by Olswang LLP, Datonomy heard a range of perspectives on the new cookie consent requirements. Readers can find useful resources from the event via the right menu below (scroll down to “Cookie resources”), including the headline comments from our panel of speakers.

Over 30 in-house counsel from a range of consumer-facing businesses – all getting to grips with compliance with the UK’s new rules – attended the breakfast seminar. Recognising that the legal world is now sick of cookie puns, croissants were on the breakfast menu instead.

The UK regulatory perspective was provided by Dave Evans, Group Manager at the Information Commissioner’s Office. The clear message to UK website owners, echoing the ICO’s recent guidance, is that doing nothing and hoping a browser-based consent solution will come to the rescue is simply not an option. Businesses should be analysing the cookies on their websites, informing website users about the nature and uses of those cookies and offering choices about whether or not to accept their use, prioritising according to the intrusiveness or otherwise of the cookies used. It was stressed that there will be no single “silver bullet” solution to obtaining consent. As highlighted in the ICO’s guidance, there are different ways for businesses to approach the issue of consent, according to the context. Apart from the tick-box approach on the ICO’s own website, and a possible browser solution in future (for those scenarios where an up-to-date browser is used), consent could instead be feature-led. One example given was a site which provides local weather information by using cookies to remember the user’s location, and which incentivises consent by explaining to the user how these useful features are made possible by cookies. Our “key points” notes on the right-hand menu give more details of Dave’s insight into the ICO’s enforcement stance on cookies in the short term.

Technical insight was provided by Richard Carman and Chris Mellish of web design company Pure Innovations. They too urged businesses to think creatively about consent as part of the consumer’s website experience. They also spoke up for the much-maligned cookie, reminding us that the term covers a wide spectrum of intrusiveness, from the relatively benign to the more sinister zombie cookie. If, like this Datonomist, you are a bit of a technophobe, you will find answers to those questions you may have been too embarrassed to ask in Richard and Chris’s excellent “Technical FAQs on cookies” on the right-hand link below.

With the current focus on the detail of cookie compliance, Olswang privacy expert Elle Todd encouraged us not to lose sight of the bigger picture of data protection risk and compliance, including security and data retention issues.

Providing an international perspective, Matthias Vierstraete and Carsten Kociok from Olswang’s Brussels and Berlin offices respectively summarised the state of play on implementation in their jurisdictions. See the “EU cookie implementation” table below for the latest news from Datonomy’s contributors from Belgium, Germany, Spain and beyond. Self-regulatory measures seem to be the approach favoured by those jurisdictions.

Datonomy readers will no doubt have seen last week’s announcement by the Commission about the failure of the majority of EU Member States to transpose the rules on time. The UK is one of only seven Member States to have fully transposed the changes required by the EU telecoms package, of which the cookie consent requirements form part. The other 20 Member States have received letters of formal notice, the first step in the Commission’s armoury of enforcement measures.

Datonomy and its correspondents around the EU will bring you more news on implementation, guidance and examples of consent solutions which we spot on our (online) travels over the summer.


Posted in cookies, Data Protection Act 1998, data protection compliance, e-Privacy, ICO guidance, location-based advertisements, online behavioural advertising, OBA, online data protection, Spain, UK, Uncategorized

For readers who missed the ICO’s inaugural webcast last week, or who have not had a chance to read the Commissioner’s Annual Report, Datonomy brings you selected highlights.

But first (and on an unashamedly smug note) Datonomy is grateful to the Commissioner for his answer to the question it posed via the interactive Q&A feature – which, along with the webcast, was another ICO “first”. We posed the following question:

“As Information Commissioner, if you could have three wishes in the year ahead (relating to UK private sector organisations’ compliance with privacy legislation, to EU policy – or anything else), what would these be?”

The Commissioner responded:

“My three wishes? Businesses to wake up to the fact that 90% of consumers are fairly or very concerned about the privacy of personal information held about them – and to think through the implications for reputation when mistakes are made. Website operators to take their ‘consent’ obligations [i.e. regarding cookies] seriously under the Privacy and Electronic Communications Regulations – because I’ll be after them if they don’t. And more private sector operators to take advantage of the free audit consultancy offered by the ICO to run the ruler over DP compliance. Why wouldn’t you?”

More from us shortly on the ICO’s stated enforcement stance on cookie consent and third-party cookies.

All the Q&As (12 at the latest count) contain very useful insights on practical privacy issues, ranging from the ICO’s approach to data breaches and fines to transatlantic data transfers, which will be useful to those dealing with day-to-day compliance issues. The interactive Q&As make an excellent complement to the more conventional content of the Annual Report.

Headline risks and radar issues for businesses

Not all Datonomy readers will have had time to read the 86-page Report or even the 50-page summary. So, what does a busy practitioner need to know?

  • Top 10 DP complaints: while issues like security and cookies tend to dominate privacy headlines, complaints about subject access requests are statistically the most likely to reach the Commissioner, accounting for 28% of complaints. Inaccurate data (15%) and disclosure of data (12%) follow, then marketing calls and security issues, with complaints about email and SMS bringing up the rear.
  • Complaints by sector: lenders – though not named – feature high up in the “rogues’ gallery” of most complained-about data controllers by sector, followed by “general business” (whatever that means!), then direct marketing, followed in turn by local government, health, central government, telecoms and others – see page 29 of the summary for full details.
  • Consensual audits: to paraphrase the Commissioner’s response to our question above, “what’s not to like about a free compliance audit?” The Commissioner is disappointed by the private sector’s poor take-up of a free consensual compliance audit, with only 19% of those private organisations approached taking up the ICO’s offer. Given that some of these reluctant businesses must have been in the most complained-about sectors of banking and finance, perhaps they would do well to reconsider? Take-up of audits by the public sector – which has suffered its fair share of data breaches – was more enthusiastic.
  • Monetary penalties and other enforcement action: the Report provides a useful catch-up on the first four monetary penalties imposed by the Commissioner, including the factors which contributed to the ICO’s decision to fine in these particular cases. As a litany of mistakes to avoid, this is a must-read for any organisation (see page 37). Undertakings continue to be the ICO’s weapon of choice – see pages 38-39 for illustrations.
  • Enforcement of cookies legislation: the ICO’s approach to developing best practice and enforcing the new rules on cookie consent will be “positive and realistic”. Despite holding its enforcement powers in reserve until May 2012 to give businesses a chance to come up with workable consent solutions, it doesn’t rule out action “where it is clear that a website owner is doing little to attempt to comply”.
  • The review of the Directive: Datonomy readers will already have the review of the EU regime on their radar – the ICO anticipates a busy year helping to shape the revised legislation.

Facts and philosophy for data protection geeks

For privacy geeks interested in the workings and philosophy of the ICO as an institution, there are many other points of interest. These include the financials, salaries and details of caseloads handled and efficiencies made. On page 10 there are hints at future changes to the funding of the ICO’s respective FOI and DP remits and the possibility that the ICO might one day break free from the “apron strings of the MoJ” and the “purse strings of HM Treasury”.

The Report is enlivened by some engaging imagery: the ICO “walks a tightrope” balancing the right to know under the FOIA on the one hand and the right to privacy under the DPA on the other; it is a “robust and ready” regulator, now “armed” with fining powers to boost its “more clearly articulated enforcement strategy”. But it remains, as we have come to expect, a “practical and helpful” regulator.

Those who make it to the final page of the long-form Report are rewarded with this thought-provoking question from T.S. Eliot:

“Where is the wisdom we have lost in knowledge?

Where is the knowledge we have lost in information?”

Datonomy and its correspondents wholeheartedly endorse those sentiments: we try not to bombard our readers too frequently or with too much information; we certainly aspire to help our readers share useful knowledge with one another. And as for wisdom? Well, we hope you will find the occasional pearl of data protection wisdom here too.


Posted in Christopher Graham, civil monetary penalties, cookies, Directive 95/46/EC, EU data protection reform, ICO, ICO fines, Information Commissioner, UK

Datonomy is pleased to learn that the ICO’s 2010/2011 Annual Report will be launched via webcast tomorrow. In addition, the ICO is inviting the submission of questions to the Commissioner by email in advance of tomorrow’s launch.

Tune in to the Annual Report section of the ICO’s website at this link at 2.30pm on Wednesday 6 July (where it will also remain available on catch-up).

You are encouraged to email the Commissioner at the email address: websitefeedback@ico.gsi.gov.uk to pose all those (data protection) questions you’ve always wondered about, but were afraid to ask. (But be aware that all questions and answers will also be published on the ICO’s website.)

The Annual Report is always a must-read for UK data protection practitioners – not so much for the details of the ICO’s balance sheet, although Datonomy is of course curious to see what impact tiered notification fees and the introduction of civil monetary penalties have had on the regulator’s finances of late. This Datonomist will be turning eagerly to the sections which give insight into the ICO’s enforcement priorities for the year ahead and, of course, details of those organisations which have fallen foul of the rules in recent months.

For those readers who are too busy to watch the webcast or read the report in full, Datonomy will be bringing you selected highlights.


Posted in Data Protection Act 1998, Datonomy, ICO, Information Commissioner, notification fees, Penalty, UK

Bartleby, the Scrivener, by Herman Melville, published in 1856, is a short story set in the Wall Street office of a respectable but unnamed New York lawyer, who narrates the story. He is one of those “unambitious” lawyers who, “in the cool tranquillity of a snug retreat, do a snug business among rich men’s bonds and mortgages and title deeds”. He employs in his office scriveners, copyists of legal documents, the strangest of whom is Bartleby. Bartleby shows himself to be a reliable if odd employee and copyist. But after a time there are unexpected events. Bartleby creates an enclosed place for himself in his employer’s part of the office with a screen, behind which he withdraws. It becomes clear that he is living in the office, because he is always there. Most importantly, when asked to carry out tasks by his employer he responds each time by saying “I would prefer not to”.

His exasperated but not unsympathetic employer does not know what to do in response. He enquires and considers exhaustively about Bartleby, what to do about Bartleby, and his enigmatic responses to ordinary requests. Most interestingly for our purposes, on one occasion, the narrator reflects that he never felt so private as when he was in the presence of Bartleby. Withdrawal, seclusion, privacy.

Bartleby has been interpreted in many ways, but it has perhaps not been noticed that “preferring not to” looks forward to the iconic statement on privacy in the Harvard Law Review by Warren and Brandeis (1890), with its equation of privacy with the right to be let alone. That means, among other things, saying I would prefer not to – or perhaps only establishing one’s preferences on preferring not to?

So what would Bartleby do with Facebook? Would he say, I prefer not to? Or would he join and set his privacy preferences to reflect where he would draw the line on preferring not to? This is perhaps the most baffling and ambiguous privacy issue to work through in relation to ICTs and the social media. Does preferring not to mean not consenting at all, or consenting on the basis that privacy controls and preferences work and that a line can be drawn?

While the latter option seems reasonable, and the former a turning away from what might be a key feature of contemporary digital reality, isn’t there a sense about the current situation with privacy, reputation and the social media on the Internet that suggests the web and the technology are too strong, evolving too rapidly, and can’t be adequately controlled and regulated? And that the terms have altered decisively against privacy as we have known it? So, if you are still thinking about Facebook, there might be something to be said for saying I’d prefer not to?

Bartleby, The Scrivener can be found in Billy Budd, Sailor and Selected Tales: Oxford World’s Classics.


Posted in Uncategorized

The controversial and heavily challenged Data Retention Directive is under fire again. Today’s post on telecoms blog Watching the Connectives discusses the recent EDPS Opinion in which the privacy watchdog calls on the European Commission to consider all options, including repeal of the Directive, to strike a better balance between individual rights and crime prevention. You can read the Opinion in full here, and Rob Bratby’s summary here.


Posted in Communications Data Retention Directive, Data Retention, EDPS Opinions, Human Rights