Archive for April, 2011

Unlocking the value of data

Posted on April 28th, 2011 by

According to the World Economic Forum, personal data will continue to increase dramatically in both quantity and diversity, and has the potential to unlock significant economic and societal value for end users, private firms and public organisations alike. This statement by the Swiss organisation behind the prestigious annual Davos meeting summarises its stance on the issue of personal information as an asset. Let’s forget for a second the idea of data protection as a fundamental right and look at it as a tool to maximise the economic and societal value of data. Perhaps the big thinkers at the Forum are on to something.

Earlier this year, the World Economic Forum published a paper called “Personal Data: The emergence of a new asset class” which looked at the current personal data ecosystem and suggested a number of actions aimed at making the most of it. The Forum’s premise is that the full potential of data lies in creating equilibrium among the various stakeholders influencing the personal data ecosystem. In other words, a lack of balance between stakeholder interests – business, government and individuals – can destabilise the personal data ecosystem in a way that erodes rather than creates value. Therefore, the paper explains that to achieve this balance, positive steps are needed across five distinctive areas.

The first one is innovation around user-centricity and trust. The idea is that personal data should be shared in a way that allows all stakeholders to trust the integrity and safety of the data. According to the Forum, offering more transparency on how personal data is used and educating users on the benefits of trust will significantly strengthen trust among all stakeholders. In practical terms, the key action to achieve this is to integrate data protection principles into the development of new services and platforms through the concept of privacy by design.

The second area is not a new one for those involved in legal compliance – the divergence in regulatory frameworks and the establishment of global principles. Privacy-related laws differ significantly across jurisdictions with different cultural, political and historical contexts. This has a number of downsides, including the increased costs associated with compliance. Therefore, although the Forum acknowledges that it is unrealistic to hope to develop globally accepted standards and frameworks while national and regional versions are still in significant flux, establishing an international dialogue will allow for more rapid harmonisation.

This is linked to the third area – the need to strengthen the dialogue between regulators and the private sector. Whilst self-regulation in the area of personal information protection may not be the answer, it is important that regulatory authorities are made fully aware of the technological advances so that they can adopt 21st century digital policies. This is absolutely critical in the European Union at a time when the regulatory framework is under review.

The fourth area focuses on a technological aspect – the need for interoperability and open standards. The reason for this is simple. If the highest potential for economic and societal value creation lies in the aggregation of different personal data types, the implication is obvious: data should be portable. To enable the seamless sharing of personal data across organisational borders, the Forum lists the following technical requirements: common communication standards and system architectures, accepted personal data terms and definitions, and standard interface design specifications.

The final area highlights the dynamic nature of this issue. For the Forum, it is crucial that stakeholders continuously share knowledge. Interestingly, the key component in this knowledge-sharing exercise will be a central gatekeeper within each organisation who actively contributes to the personal data dialogue. That person’s competence would not only include privacy, but also encompass a business development and strategic perspective. And that is precisely the essence of the World Economic Forum’s thinking around personal data. Unlocking the value of personal data is about balancing privacy and economic development so that everyone, absolutely everyone, can win.

This article was first published in Data Protection Law & Policy in April 2011.

Article 29 Working Party declares New Zealand “adequate” for international data exports

Posted on April 20th, 2011 by

On 4 April 2011, the Article 29 Working Party (in its opinion 11/2011) recommended that the levels of protection of personal data in New Zealand be considered “adequate” for the purpose of receiving European data exports, having assessed New Zealand data protection laws and, in particular, the Privacy Act 1993 (the “Act”).

The Working Party’s assessment of the Act showed that it is broadly similar to the EU Data Protection Directive 95/46/EC (the “Directive”) in the following respects: (i) scope of application; (ii) essential principles; (iii) regulation of sensitive data, automated individual decisions and, to a certain extent, direct marketing; and (iv) procedural and enforcement mechanisms. That said, the Article 29 Working Party identified some areas of weakness, in particular in relation to direct marketing and international data transfers, and therefore recommended that New Zealand take the necessary steps to address these issues.

What is data export adequacy?

The concept of data export adequacy originates from the Directive, which prohibits the transfer of personal data to countries outside of the European Economic Area unless “adequate” measures are put in place to protect the data. One such measure is an “adequacy” declaration by the European Commission (“Adequacy Finding”), which normally follows an initial finding by the Article 29 Working Party that the country in question has a legislative regime imposing adequate data protection safeguards to ensure personal data imported from the EU is processed lawfully and securely.

What this means

Obtaining an Adequacy Finding therefore has great significance, helping adequate countries to attract more business from entities with a European presence. Not only does an Adequacy Finding enable data flows for the country in question with European businesses, it also increases a country’s standing on the international stage, by acting as a public declaration of the stringency of that country’s national data protection laws. Accordingly, the Article 29 Working Party’s opinion is great news for New Zealand and represents an important step towards an Adequacy Finding by the European Commission – which will hopefully be forthcoming soon.

Other adequate territories

The growing importance of an Adequacy Finding is seen by the number of countries seeking it. The countries officially declared as adequate are Andorra, Argentina, Canada, Faeroe Islands, Switzerland, the Bailiwicks of Guernsey and Jersey, the Isle of Man and most recently Israel. Uruguay is currently in the final stages of the process, whilst Australia and Japan are looking to be recognised as adequate. An Adequacy Finding is a mark that such jurisdictions take data protection seriously and offer a stable and safe environment to which data can be entrusted.

The Article 29 Working Party’s opinion is available at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp182_en.pdf

Finally, some clarity on cookies!

Posted on April 15th, 2011 by

Website operators and ad networks waiting for cookie ‘consent’ developments could be forgiven for having found the experience like waiting for the number 9 bus: you wait for ages and then two come along at once.

First off was the news yesterday that the IAB Europe had adopted a new self-regulatory framework for online behavioural advertising, promoting enhanced user notice and choice through the deployment of an ‘advertising option icon’ alongside targeted ads (see post here: http://privacylawblog.ffw.com/?p=86).

Now, just 24 hours later, the Department of Culture, Media and Sport (“DCMS”) has published its long-awaited proposals (http://goo.gl/Ywn5G) to implement the revised European Electronic Communications Framework in the UK – including the controversial requirement for website operators and ad networks to obtain users’ ‘consent’ to cookies placed on users’ computers or devices.

Browser settings are enough – or are they?

The final DCMS proposals were not unexpected, having largely been proposed already in an earlier consultation document, but this is not to say that they are not significant. Crucially, they lay out the Government’s intention to implement the revised Article 5(3) of the e-Privacy Directive in the UK (that is, the provision calling for cookie ‘consent’) in a way that allows website operators and ad networks to obtain consent through appropriate browser settings. The sigh of relief from business is almost palpable.

But there’s a catch. DCMS stresses that “the current use of browser setting as a form of consent is not consistent with the revised wording … The European Commission is also of this view.” In other words, browser settings as they exist today do not serve to obtain user consent appropriately (probably on the basis that existing settings are too hidden and not sufficiently granular to allow users real control). However, to offset concerns that a raft of businesses will suddenly face enforcement come 25th May, the deadline for implementation, DCMS proposes to set up a working group that will explore how more appropriate consent mechanisms can be built into browser settings, and says that solutions will be “phased” in gradually. It goes on to say that “during this time we do not expect that ICO will take enforcement action against businesses and organisations that are working to address their use of cookies or are engaged in development work on browsers and/or other solutions.” The message here? Start showing some proactive effort to audit current cookie use to work out what cookies you use and how you use them, and then consider how you can enhance user notice and choice until appropriate browser solutions come along. Do this, and you’re unlikely to face any enforcement risk in the short- to mid-term.

Government support for online ad industry self-regulation

The DCMS response also highlights a marked victory for the online targeted ad industry, with the Government choosing to stand firmly behind industry proposals to self-regulate. Specifically, the Government announced its support of industry proposals to adopt an ‘online advertising option’ icon as a means of delivering enhanced notice and choice to consumers, a tacit approval of the IAB self-regulatory OBA framework published yesterday. Or perhaps not even that tacit – the DCMS said: “The Government is also supporting the cross-industry work on third party cookies in behavioural advertising. This industry-led approach will marry the provision of more information on the use of cookies accessed through an easily recognisable internet icon, a privacy policy notice, a single consumer control page, with a self-regulatory compliance and enforcement mechanism. … The Government is pleased to support the industry-led work on the use of third party cookies in behavioural advertising and is satisfied that this meets the requirements of the revised Article 5(3). The European Commission has also endorsed this work. The Government believes that this work fully addresses one of the uses of cookies of most concern to users and is, therefore, a major component in the Government’s plans for meeting the requirement of the revised provisions.”

So, good news for online business in the UK and it’s a relief to see common sense prevail. The Government seems to have successfully steered a middle course by, on the one hand, acknowledging that current cookie notice and choice mechanisms need to improve while, on the other hand, proposing sensible solutions that will be welcomed by business.

The question now, of course, is what the rest of Europe will do – whether pan-European pragmatism will prevail or whether more restrictive interpretations by one or two member states could cause this online house of cards to collapse. We’ll be watching and will post further updates to this blog as and when they happen.

New European self-regulatory rules for online behavioural advertising

Posted on April 14th, 2011 by

The IAB Europe, the European trade association for the online advertising industry, has today published a new self-regulatory framework for providers of online behavioural advertising (“OBA”) in Europe (see http://goo.gl/lC1QK).

The European framework builds on the Good Practice Principles previously adopted by the UK arm of the IAB back in 2009, and is closely modelled on the similar self-regulatory framework adopted by the Interactive Advertising Bureau in the US. Unlike the previous UK Good Practice Principles, however, it specifically carves out first party adverts from its scope (i.e. targeted advertising served across one or more websites controlled by a single entity or group of affiliated entities). This is a significant carve-out when considering how diverse group company businesses can be. Imagine, for example, a group that owns separate news, social networking, and gaming businesses through its different subsidiaries – would an individual visiting the website of any one of those businesses realise that his or her browsing data may be shared across the entire group and used for targeting on other, seemingly unrelated, group sites?

This aside, the framework includes some commendable provisions aimed at enhancing user notice and choice. Most importantly, it promotes the use of a standardised ‘icon’ to be displayed on or around targeted adverts to let individuals know when they are being targeted. Crucially, the IAB Europe has chosen to adopt the same “advertising option icon” used by the Digital Advertising Alliance in the US for this purpose (www.aboutads.info). This is a significant step forward in ensuring transatlantic consumer transparency that will help make individuals aware when they are being targeted, regardless of whether the website they are visiting is in the EU or the US.

Companies that comply with the framework will be awarded a B2B seal (essentially, a trust mark) that they can display on their sites to advertise compliance. This will be removed in the event that the company commits a ‘significant’ breach of its obligations that it fails to remedy. The intention is that the threat of removal of this trust mark will be sufficient to enforce compliance. This is perhaps more doubtful – determinedly non-compliant businesses that display targeted advertising to individuals without providing proper notice and choice are hardly likely to concern themselves with whether or not they can display a trust mark. That said, if the mark gains sufficient traction to be a positive selling point for compliant businesses, then maybe over time it will become sufficiently attractive to engender a compliance culture.

The timing of the publication of these self-regulatory guidelines is, of course, interesting. May 25th, the deadline for new cookie consent rules, looms large and this self-regulatory guidance undoubtedly has as its aim a desire to encourage a more business-friendly implementation of the e-Privacy Directive Article 5(3) cookie consent requirements. Given that most Member States still appear to be struggling with how they will implement the new cookie consent rule, and that concerns about cookie usage principally centre on user profiling issues, it may well be that this new guidance will serve as a ‘stitch in time’. We can only wait and see.

EU Justice Commissioner further clarifies revised EU data protection framework proposals

Posted on April 6th, 2011 by

EU Justice Commissioner Viviane Reding’s recent address at an EPP Group Public Hearing to European Parliamentarians on the cost of data protection compliance rightly raised a number of interesting points, not least on the issue of current data protection notification obligations, which look set to be abolished in a bid to eliminate those administrative obligations that are “unnecessary and ineffective”.

However, her address also raised a number of other interesting points:

First, we again have an instance of a senior member of the European Commission talking candidly about weaknesses in the current Data Protection Directive, the importance of change and the need to make such change a “top legislative priority”. Ms. Reding’s address rightly highlights that the effective regulation of personal data (a significant “economic asset” to many businesses) affects us all, whether individuals, businesses or regulators, and that a fresh solution is required: major changes in technology and business practices have occurred since the heady days of 1995 when the Directive was adopted, and this address is a tacit acknowledgement that the current data protection regime is showing its age.

Secondly, her address highlights that the Commission is alive to the “legal uncertainty and costs” associated with the principle of ‘establishment’ – the concept that businesses must comply with the data protection laws of those member states in which they have an office or equipment for data processing activities – and the legal and practical limitations of this concept in today’s world of cloud-computing, social networking and multi-national processing operations. Her comments further support the view that the future data protection regime is likely to account for the location of data subjects and not just the location of businesses or their IT, in determining where and when EU data protection rules apply.

Finally, her address talks about introducing “intra-company standards rules officially in the new legislation”, simplifying their procedure and introducing the ‘mutual recognition’ principle – hinting at further streamlining of the BCR process and a desire to put it on an official, legislative footing in a bid to improve harmonisation. Interestingly, her address refers to the possible expansion of such “intra-company standard rules” to “groups of companies” – whilst it is difficult to interpret exactly what she meant by this, one possibility is that the Commission may be considering the introduction of sector- or industry-specific rules for companies that process data, such as sector-specific rules for the pharma, finance and telco sectors.

While the questions and speculation will continue, the potential form of the new framework is slowly starting to become clearer.

The full text of Ms. Reding’s speech is available online here.

National data processing registrations to be abolished?

Posted on April 1st, 2011 by

At an EPP Group Public Hearing in Brussels yesterday, Viviane Reding, European Commissioner for Justice, Fundamental Rights and Citizenship, addressed European Parliamentarians on the costs of data protection compliance. In doing so, she outlined her proposals to reduce business compliance cost under Europe’s reformed data protection regime. She proposed:

1. Improved harmonisation of data protection rules across the EU;

2. Promotion of innovation and new services;

3. Simplified rules on applicability of law;

4. Streamlined and improved international data transfer rules; and

5. A reduction in ‘red tape’, to remove unnecessary and ineffective administrative burdens on businesses.

Whilst many of these proposals are not new, having previously been raised in the European Commission’s communication on data protection reform to the European Parliament in November 2009, Ms. Reding’s comments on cutting red tape did reveal something very interesting – namely that she proposes to abolish national data processing registration requirements for data controllers (other than for sensitive data).

She said: “I will drastically simplify the current system of notifications to data protection authorities. The general obligation to notify data processing activities will be abolished. On the contrary, concerning the more delicate personal data, there will still be rules in place.”

The current data processing registration regime is perhaps one of the least harmonised aspects of European data protection regulation, imposing a significant administrative and cost overhead on businesses with little or no discernible benefit to data subjects. At present, many businesses find themselves needing to register across multiple Member States, each with their own individual rules and processes as to what must be notified, the need for prior authorisation, and timescales and costs for registration. If, as Ms. Reding intends, this general registration requirement is abolished under the new data protection regime, it will most certainly be a development resoundingly welcomed by business.

The full text of Ms. Reding’s speech is available online at: http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/11/228&format=HTML&aged=0&language=EN&guiLanguage=en