Archive for May, 2011

Cookie, D’oh! UK government publishes open letter on cookie consent

Posted on May 25th, 2011 by



Just two days before new cookie “consent” rules come into effect across Europe, the Department for Culture, Media and Sport published an open letter on how UK cookie consent requirements should be interpreted (goo.gl/LuNHk). The letter sets out the views of DCMS (as legislator) in implementing these new rules but, unfortunately, it seems to conflict with earlier advice from the ICO (as regulator) and the Article 29 Working Party.

Specifically:

1. Support for OBA initiatives: The DCMS says that the UK approach has “been built around support for the cross-industry work on third party cookies in behavioural advertising“. This is clearly a good sign for the IAB and the self-regulatory OBA framework it has adopted. However, it does not answer the important question of whether enhanced notice and opt-out, as supported by the targeted ad industry, will meet the consent requirement.

2. Consent after the event: The Article 29 Working Party has indicated that prior opt-in consent is more in line with the legal requirement (at least in relation to third party ad network cookies), but the DCMS says that suggestions that there is a mandatory need for prior consent are based on a “misunderstanding” of the UK implementation. It notes that Article 5(3) of the revised e-Privacy Directive does not itself use the word ‘prior’, suggesting that consent can be given after the event. It’s challenging to reconcile this position with that of the ICO who said, in its cookie advice, “You need to provide information about cookies and obtain consent before a cookie is set for the first time“.

3. Default browser settings: The DCMS letter also adds confusion to the role of browser settings. Both the ICO and DCMS are clear that current browser settings are not sufficient to obtain visitor consent. But then the DCMS says that the new consent rule “does not preclude an individual giving consent by … leaving his browser settings as they are“, which contrasts with an earlier statement that “default settings could not be considered to meet the requirements of the new Directive.” Earlier Article 29 Working Party guidance said “It is a fallacy to deem that on a general basis data subject inaction (he/she has not set the browser to refuse cookies) provides a clear and unambiguous indication of his/her wishes“.

What does this mean?

The answer lies in the browser settings available to users. Both the DCMS and the ICO agree that reliance on current browser settings are not sufficient to obtain consent, and the DCMS has to therefore be read in this light.

This means that prior consent may not be necessary once appropriate browser solutions exist. Also, once these solutions do exist, then website operators may be able to obtain consent from users who do not amend their browser settings or controls. However, until these browser solutions are available, then the prior consent standard – and the practical and technical complexities its attracts – would seem to apply.

Thankfully, though, the DCMS has repeated its message that there should be no enforcement before appropriate solutions exist. This means that, rather than worrying about how to implement awkward technical changes to web platforms to obtain user consent, the compliance exercise for now should instead focus on:

(i) auditing existing cookie use;

(ii) assessing intrusiveness; and

(iii) enhancing user transparency, as per earlier posts.

Geolocation in the spotlight

Posted on May 23rd, 2011 by



No avid reader of Article 29 Working Party opinions would be surprised to see statements such as “location data from smart mobile devices are personal data” or “the combination of the unique MAC address and the calculated location of a WiFi access point should be treated as personal data”. However, when those statements appear alongside references to the night table next to someone’s bed, or the fact that specific locations reveal data about someone’s sex life, one can’t stop wondering whether an intended clarification of the applicable legal framework to geolocation services available on smart mobile devices is getting a bit sensationalistic.

Let’s get the basic facts right first: every electronic exchange of information is recorded somewhere - emails sent, web pages visited, telephone calls made, credit card transactions, etc. It is in the nature of the digital age. Smartphones and the like represent the latest form of communications technology and, as such, mobile communications leave behind some of the most sophisticated records that digital technology can generate. So a full assessment of the rules affecting the use of smartphones should go beyond a textbook interpretation of European data protection law and look at whether the collection and use of this information has an impact on people’s privacy and data security.

Some of the information generated by our day to day use of mobile communication devices will no doubt be very private. For example, the concepts of “traffic data” and “location data” are carefully defined by EU law and their use is strictly regulated because it is perceived as sufficiently sensitive. Although there are some subtle differences, in both cases the lawful use of such data normally involves obtaining the consent of the individual. However, in the case of location data, consent is not required if the data is anonymous.

This is a crucial point in the context of smartphones-generated data which the Working Party Opinion does not fully appreciate in its recent opinion on geolocation services. This is unfortunate because instead of acknowledging the different types of information that a smart mobile device may produce, all data is dumped into the same bucket. The assumption seems to be that all data collected through a smartphone device should be regarded as personal data despite the fact that some of the data does not identify the device’s user, or that the uses made of such data will never involve singling out an individual.

According to the Working Party, because location data from smart mobile devices reveals intimate details about the private life of their owner, the main applicable legitimate ground is prior informed consent. Again, this is a massive generalisation of the multiples modalities of geolocation services, many of which will rely on anonymous data or, at least, data which is not meant to identify or affect a particular user. Therefore, requiring consent from individuals may go further than what the EU legal framework intended.

For many human beings, life without a smart mobile device would be unimaginable. That is a slightly scary thought and regulators have a duty to scrutinise the data protection implications of new technologies that have the power to radically affect our lives. Clarifying how data protection law interacts with continuously evolving geolocation services is a laudable aim from which everyone can benefit. But unfortunately, a black and white approach to this issue conveys an unhealthy sense of panic and, even worse, distracts us from the fundamental challenge: spotting the real threats to our privacy and security that may be caused by rapid and imperfect technological development.

This article was first published in Data Protection Law & Policy in May 2011

European Commission seeks your input on the future of cloud computing

Posted on May 19th, 2011 by



Question: what does the European Commission consider has the potential to:

- generate revenues of c. EUR 35billion in Europe by 2014;

- develop into a major new service industry;

- drastically reduce the price to business of IT;

- cut the cost of government services; and

- save energy?

 Answer: cloud computing.

Looking to harness the power of IT’s economic and environmental superhero, the European Commission has launched a consultation to collect opinions, experiences and requirements related to cloud computing from companies, individuals, academics and public sector bodies.

The consultation forms part of the European Commission’s commitment under the Digital Agenda to develop and deliver economic and social benefit through a strong digital economy. The results of the consultation will inform a European Cloud Computing Strategy set for release by the Commission in 2012. The Strategy will address the legal data protection and privacy framework applicable to the cloud, including international issues and user’s rights; technical and commercial issues such as security, availability and the development of standard form agreements; and the market, with European Commission Vice President for the Digital Agenda, Neelie Kroes, stating in January that pilot projects aiming at cloud deployment would be supported.

Against this background the consultation is seeking input on areas including:

- the development of the Data Protection Directive to facilitate cloud computing and the issues encountered under local data protection law;

- the issue of applicable law;

- the rights, responsibilities and liabilities of users and providers;

- the potential for (and content of) model agreements and service levels for cloud services;

- the problems encountered in both the use and provision of cloud services in the EU and elsewhere;

- interoperability; and

- cloud services in the public sector.

The consultation is available at http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/575&format=HTML&aged=0&language=EN&guiLanguage=en and closes on 31 August.

There is little doubt that the European Commission sees cloud services as playing a significant role in Europe’s digital economy. On the basis that if ‘you don’t ask, you don’t get’, the consultation offers both providers and users a chance to engage with and help shape the legal, technical and economic framework in which cloud services will be offered in the future.

Let’s not panic about smartphones

Posted on May 18th, 2011 by



Today’s Metro’s headline “Android phones all leak secrets” (placed next to a photo of a gloomy looking Arnie for added dramatic effect) was a fitting prelude to the publication of the latest Article 29 Working Party Opinion on geolocation services on smart mobile devices. The message of both pieces seemed to be very similar: enjoy your smartphone at your peril! Is it really that bad?

Let’s get the basic facts right first: every electronic exchange of information is recorded somewhere – emails sent, web pages visited, telephone calls made, credit card transactions, etc. It is in the nature of the digital age. Smartphones and the like represent the latest form of communications technology and, as such, mobile communications leave behind some of the most sophisticated records that digital technology can generate. The issue is whether the collection and use of this information has an impact on people’s privacy and data security.

The concepts of “traffic data” and “location data” are defined by EU law and their use is strictly regulated because it is perceived as sufficiently sensitive. Although there are some subtle differences, in both cases the lawful use of such data involves obtaining the consent of the individual. However, in the case of location data, consent is not required if the data is anonymous.

This is a crucial point in the context of smartphones-generated data that the Working Party Opinion does not fully address. According to the Working Party, because location data from smart mobile devices reveals intimate details about the private life of their owner, the main applicable legitimate ground is prior informed consent. This is a massive generalisation of the multiples modalities of geolocation services, many of which will rely on anonymous data or, at least, data which is not meant to identify or affect a particular user. Therefore, requiring consent may go further than what the EU legal framework intended.

Unfortunately, a black and white approach to this issue conveys an unhealthy sense of panic and, even worse, distracts us from the real challenge: spotting the real threats to our privacy and security that may be caused by rapid and imperfect technological development.

BCR: Working Party and European Commission focus on streamlining approval process

Posted on May 18th, 2011 by



Following the calls by the Article 29 Working Party to explicitly include the BCR concept in the new EU data protection legal framework and Viviane Reding’s public support in this regard, the Working Party’s emphasis is now on streamlining the BCR approval process.

In order to achieve this, the Working Party’s BCR sub-group is taking two concrete actions in this respect:

1) First of all, the sub-group is currently working towards devising a more uniform way of reviewing BCR applications, so that the process is identical across EU Member States.

2) At the same time, the Article 29 Working Party Chairman, Jacob Kohnstamm, has written to the other EU data protection authorities to encourage them to join the mutual recognition countries as soon as possible.

In addition, BCR is high on the agenda of the European Commission’s reform of the data protection directive.  Not only is the Commission committed to recognising BCR as an adequacy mechanism in the new directive, but it is also considering incorporating a process whereby the approval of a set of BCR by two EU data protection authorities would automatically allow the data transfers to take place from any Member State without any further transfer authorisation.

FFW launches Cookie Assessment Tool to help businesses fulfil new cookie requirements

Posted on May 17th, 2011 by



To help online businesses prepare for the the new “consent” regime for cookies in the UK (and the rest of Europe), Field Fisher Waterhouse has developed a new Cookie Assessment Tool.

In its advice on how to comply with the incoming cookie consent regime, the Information Commissioner’s Office (the “ICO“) recommended that website operators:

(i) Identify what cookies they place through their site;

(ii) Assess the intrusiveness of those cookies; and

(iii) Consider appropriate strategies for obtaining consent.

Field Fisher Waterhouse’s new Cookie Assessment Tool helps online businesses fulfil points (i) and (ii) of the ICO’s recommentaions. It provides an assessment document that can be circulated amongst internal IT, marketing and other relevant stakeholders to raise questions and gather relevant information about website cookie use. The information it captures enables businesses to assess the intrusiveness of the cookies they use and facilitates consideration as to what transparency and consent requirements may be needed as a consequence.

FFW is providing this tool free of charge to its clients and contacts. If you would like to obtain a copy of the tool for your internal business purposes, please e-mail Phil Lee, Senior Associate within FFW’s Privacy and Information Law Group at phil.lee@ffw.com.

The day of the £1000 fine!

Posted on May 10th, 2011 by



UK data security law seemingly took a couple of backwards steps this week, with Parliament and the Information Commissioner showing a preference for the £1000 fine for security breaches.

Today ICO published news that it had fined the founder of now-defunct law firm ACS Law a mere £1000 for a very serious security breach that exposed information on a database of alleged copyright infringers to full scrutiny on the ‘net. This included highly sensitive information. This notorious example of shocking data failure was described by ICO in the following terms:

“The ICO’s investigation found serious flaws in ACS Law’s IT security system. Mr Crossley did not seek professional advice when setting up and developing the IT system which did not include basic elements such as a firewall and access control. In addition ACS Law’s web-hosting package was only intended for domestic use. Mr Crossley had received no assurances from the web-host that information would be kept secure. While the firm should have been aware of their obligations under the Data Protection Act, they continued to act negligently and failed to ensure that appropriate technical and organisational measures were in place to keep personal information secure.”

So, what kept the fine so low, when public authorities have been fined tens-of-thousands-of-£pounds for less serious breaches? Answer: Mr Crossley’s law firm went bust. Had it not done so, ICO would have fined £200,000!

The other £1000 fine development is contained in the new Privacy and Electronic Communications Regulations, which have been amended to reflect the changes introduced in late 2009 by the Citizens Rights Directive.  As well as introducing the new Cookie rules, the new PEC Regs bring in the mandatory breach disclosure regime for the e-comms sector. New Reg 5.C says that if telcos and ISPs fail to comply with their disclosure obligations, ICO can fine them £1000, which is reduced to £800 for early settlement.

£1000 doesn’t seem much of a deterrent, but the law makers will argue that its not the quantum that matters, its the stigma of being fined. Whether that’s true or not remains to be seen, but at the moment some data controllers will be thinking that UK law has gone a little soft.  However, telcos and ISPs should remember that the £1000 breach disclosure fine is additional to the £500,000 data breach fine that was introduced last year. 

Stewart Room

The way the cookie crumbled – New UK law says browser settings to signify a user’s consent, but not yet declares ICO

Posted on May 9th, 2011 by



Despite the loud furore that has accompanied discussions on the proposed amendments to the cookies law since November 2009, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 quietly made it onto our statute books on 5th May 2011, whilst the country and commentators were focused on predicting the outcome of the referendum on AV.  So what do the new rules say?

The rules are unambiguous in the requirement that the user must have given his or her consent to the storage of or gaining access to information stored in the user’s terminal equipment.  However, as previously promised by DCMS, (see post here: http://privacylawblog.ffw.com/?p=92) the government has thrown website operators a lifeline by stating that “consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.”

Before website operators start declaring that it is business as usual, they would be advised to consider the ICO guidance on the new law, published today and available here.  The ICO has made it clear that they expect organisations to consider the new law and devise a “realistic plan to achieve compliance… [The ICO] would handle this sort of  [organisation] very differently… from an organisation which decides to avoid making any changes to current practice.  The key point is that you cannot ignore these rules.”  Furthermore, the ICO has confirmed the view of DCMS and the European Commission in declaring that current browser settings are not sophisticated enough to signify a user’s consent and advises organisations to use another mechanism to gain consent.  Helpfully the guidance does give some suggestions as to what these other mechanisms may look like and acknowledges that website operators may need to deploy a range of solutions depending on the nature of cookies used on their sites.

In discussing such other possible mechanisms the ICO has stressed the importance of being transparent as to how your website uses cookies and providing the means by which a user can indicate their consent, for example through pop up boxes or tick boxes confirming agreement of new or amended terms and conditions.  Interestingly the ICO has not precluded website operators from relying on users implied consent in some circumstances, for example where they have requested a particular service or selected various options on the site (such as language or location based services) provided that the user is fully informed of the consequences of taking such actions.  One thing that is clear from the guidance is that the more intrusive the use of cookies is (for example if they are used to profile users based on browsing history) the greater the obligation on the organisation to provide clear information and increased choice.

One area where the guidance is silent as to the means of complying with the new law is in relation to third party cookies, for example cookies used to serve targeted advertising; the ICO concedes that this will be the area that poses the greatest challenge whilst deferring to industry and other European data protection authorities.  The advice offered is that “anyone whose website allows or uses third party cookies to make sure that they are doing everything they can to get the right information to users and that they are allowing users to make informed choices about what is stored on their device”. Unfortunately this provides little assistance to those operators currently grappling with this issue, however it is yet another indication that initiatives such as the IAB self regulatory framework (see post here: http://privacylawblog.ffw.com/?p=86) will be the preferred route to compliance.

Both the regulator and industry are in uncharted waters; it will be a journey of discovery for all parties.  Although the ICO has previously indicated that there will be a sunrise period in which it will not take enforcement action for breaches of the new law, the guidance is clear that despite the uncertainty and lack of clear solution, inaction will not be tolerated.