Author Archive

UK e-privacy enforcement ramps up

Posted on April 29th, 2013 by Brian Davidson

The days when one could describe the UK ICO as a fluffy, toothless regulator are over. Recently, the ICO has been going through its most prolific period of enforcement activity: by the end of 2012 it had imposed 25 fines, issued 3 enforcement notices, secured 6 prosecutions and obtained 31 undertakings, and 2013 looks set to bring similar activity. In March, for example, the ICO issued its first monetary penalty for a serious breach of the Privacy and Electronic Communications Regulations 2003 (‘PECR’) relating to live marketing calls: a £90,000 fine for Glasgow-based DM Design for unwanted marketing calls.

To coincide with such activities, the ICO has recently updated the enforcement section of its website. What this tells us is that whilst data security breaches will continue to be a significant area of focus for the ICO, PECR breaches will also figure highly in the ICO’s enforcement agenda. In this regard, the ICO tells us that it has already been active in the areas of ‘spam texts’, sales calls and cookies.

Spam texts are identified as ‘one of the biggest concerns to consumers’ (the ICO refers to texts about accident and ‘PPI’ claims, in particular), and the ICO refers to the work it has carried out with members of the mobile phone industry in order to identify an organisation which is now the subject of enforcement action. The ICO also identifies ‘Live’ Sales Calls and ‘Automated Calls’ as other areas of priority, and has explicitly identified (and published) the names of a number of companies with which it has either met to discuss compliance issues, or whose compliance it is actively monitoring with a view to considering enforcement action. This relates not only to UK-based companies, but also to those based overseas who are targeting UK-based consumers. The ICO tells us that it is actively working with the FTC in the US and with other regulators based in Ireland, Belgium and Spain through Consumer Protection Co-operation arrangements.

Finally, the ICO tells us that between January and March 2013 it received a further 87 reported concerns via its website from individuals about cookies (far fewer than the number of concerns about unwanted marketing communications, it has to be said). The ICO will continue to focus on those websites that are doing nothing to raise awareness of cookies or obtain users’ consent, and also on those sites it receives complaints about or that are ‘visited most by consumers’. However, the ICO also says that it has ‘maintained a consumer threat level of ‘low’ in this area due to the low level of concerns reported’.

It is obvious that as consumer technologies such as tablets and smartphones continue to develop, so too will the ICO’s enforcement strategy in this area. Compliance with PECR should therefore also figure highly in any business’s data protection compliance strategy.

BCR – addressing post-approval challenges

Posted on April 23rd, 2013 by Brian Davidson

Everybody who has been paying attention to what is happening to the evolving European data protection framework knows that BCR will become the default mechanism to deal with international data transfers within global corporate groups. However one of the regulatory considerations that BCR applicants may not be aware of is the requirement to complete the various administrative formalities in all relevant EU Member States in order to confirm that data transfers can take place under the BCR. These formalities vary from one member state to another and derive from the fact that in some jurisdictions, the DPAs still have to provide a permit for transfers based on the safeguards provided for in the BCR.

The European Commission has recognised the challenges for applicants that are attempting to comply with these requirements in different member states by publishing a helpful ‘table of national administrative requirements’. However, in practice the information provided for each member state can be insufficient for the purposes of making an application, either because it does not set out the full legal, administrative and practical requirements for making an application in a particular jurisdiction (for example, does the documentation have to be submitted by postal mail, or will electronic copies by email suffice?) or, unfortunately, because it does not contain any information at all (at the time of writing the table did not contain any applicable requirements for Cyprus, Finland, Latvia, Lithuania, Romania and Slovenia).

Our work with clients in this area has highlighted the broad range of requirements between member states. For example, in Ireland, Norway and the UK, a simple email seeking approval of the BCR and attaching, as a courtesy, a copy of the BCR authorisation granted by the ‘lead’ DPA in the initial cooperation/mutual recognition procedure will normally suffice. In Italy, by contrast, the requirements are more comprehensive. They require a Letter of Application written in Italian and signed by an individual who can legally represent the applicable local Italian applicant entities. In addition, ‘sworn translations’ of all documents comprising the applicant BCR are required (‘sworn translations’ are a requirement under Italian administrative law and refer to translations executed either by an Italian law firm or by a translator approved by an Italian tribunal), to be sent by postal mail to the Italian Data Protection Authority together with a fee of €1,000 for each applicant Italian entity (for an equivalent application in Poland the fees tend to be much lower, covering the small cost of stamp duty and submitting an applicable Power of Attorney).

The mutual recognition procedure, created in 2009 and to which 21 of the 27 EU Member States have signed up (to date), is designed to facilitate a speedier approval process of an applicant’s BCR. To recap, once the ‘lead’ DPA has approved the BCR, it then appoints two additional DPAs to further review and comment on the application to verify that it meets the requisite standard. It is then circulated to the remaining signatory DPAs in order to automatically approve the BCR, without further comment.

Although the mutual recognition procedure is designed to further streamline the overall BCR approval process, our recent experience with clients indicates that it can present challenges when dealing with DPAs – as the latter have to ensure that a BCR is in compliance with their own national interpretation of the EU Data Protection Directive before providing their approval – something which DPAs feel they may not have been able to achieve during the initial mutual-recognition process. As a result, DPAs may seek further information from applicants at the ‘post administrative’ permit stage – in spite of the mutual recognition procedure already having been brought to a close.

In spite of such challenges for both DPAs and applicants alike, we have found that any such issues can be overcome. Having a valid set of BCR approved by a lead DPA is a strong factor in being able to answer applicable questions from other DPAs; and because they will already be familiar with the BCR during the initial approval process, issues can be quickly settled.

Despite BCR being a big feature of the proposed General Data Protection Regulation, the approval process is set to become tougher under the proposed ‘consistency mechanism’ (see our earlier blog for an explanation why) therefore data controllers thinking of implementing BCR should do so now, and not later. Despite current post-approval challenges, the process for achieving BCR today is more streamlined than it’s ever been and BCR authorised now will remain in effect once the new Regulation becomes law.

A belt and braces approach to the Cloud

Posted on July 4th, 2012 by Brian Davidson

The EU’s Article 29 Working Party has published its latest Opinion, setting out its views on the key data protection issues and challenges of ‘Cloud Computing’ – a term which not only invokes debate in data privacy circles about what it is (it’s essentially the use of technologies which focus on efficient internet-based delivery of IT applications, processing services and memory space) but also the risks of such technology. The truth is, cloud services are here to stay, delivering efficiencies to a huge number of public authorities and global organisations – witness the City of Los Angeles who signed a deal with Google for the use of its cloud services to deliver more efficient public services and store data; or more recently Apple’s ‘iCloud’ service which allows its army of users to purchase, store and access media content and personal documents across their Apple devices.

Whilst acknowledging the economic and societal advantages that cloud technologies can bring, the Opinion is very keen to express the privacy risks facing public and private sector organisations when deploying cloud services and the actions they should therefore take. Indeed, the Opinion begins by highlighting those risks, emphasising the lack of control experienced by ‘cloud clients’ as they surrender their personal data to the ‘cloud providers’ and therefore their control of technical and organisational measures to ensure the availability, confidentiality and transparency of that data. (At this point, we should highlight that the Working Party generally refers to ‘cloud clients’ as data controllers – on the basis that they generally determine the purpose and outsourcing of the processing and ‘cloud providers’ as ‘data processors’ on the basis that they provide the cloud services – based on the instructions of their clients.)

The Opinion also highlights a lack of ‘transparency’ as another risk, whereby insufficient information on a cloud provider’s operations poses a risk to clients and data subjects, on the basis that they may not be aware of potential threats to their data and therefore cannot take appropriate actions. Therefore, the Working Party highlights the need for such ‘cloud clients’ to carry out adequate risk assessments of potential cloud providers before implementation of any project.

The Opinion emphasises that even in complex cloud data processing arrangements, where parties play different roles in processing personal data, compliance with relevant data protection rules and responsibilities must be clearly allocated. The Opinion recognises that many cloud clients ‘may not have room for manoeuvre’ with regard to contractual terms when negotiating with cloud providers – particularly many of the larger providers who offer ‘standardised’ services. Nevertheless the Opinion emphasises that it is still the cloud client who assumes the role of ‘data controller’ (regardless of how small they are) and must therefore ensure that appropriate guarantees are in place to ensure compliance with data protection legislation for the duration of the agreement.

In addition to identifying compliance with the basic principles of data protection (such as transparency; purpose specification and limitation; security and erasure/anonymisation issues) the Opinion stipulates the standard provisions that the Working Party would expect to see in any contract for cloud services, including:

- the technical and/or organisational measures to be implemented by the cloud provider, including clarification of the responsibilities of the cloud provider to notify the cloud client in the event of a data breach.

- relevant details of the instructions issued by the client to the cloud provider, with particular regard to applicable SLAs and penalties.

- subject and time frame of the services to be provided by the cloud provider; including the extent, manner and purpose of the personal data processing by the cloud provider.

- inclusion of a confidentiality clause, binding on both the cloud provider and its employees who may have access to the data.

- the inclusion of express provisions that the cloud provider may not communicate the personal data to third parties, even for preservation purposes, unless it is provided for in the contract that subcontractors will be used. The contract should also stipulate that sub-processors should not be utilised without the consent of the client, in line with a clear duty for the provider to inform the client of any intended changes in this regard – with the client retaining the power to object to such changes and/or terminate the contract.

- an obligation on the cloud provider to provide a list of locations where the personal data may be processed.

Finally, the Opinion recognises the need to regulate data transfers to so-called ‘third countries’ in the context of cloud services but acknowledges that, owing to the lack of a stable understanding of where data is going to be at any given time, some of the current mechanisms in place to ensure the ‘adequacy’ of such transfers are somewhat limited. In this regard, the opinion starts by rejecting the Safe Harbor mechanism as a transfer solution (on the basis that Safe Harbor certification alone cannot substitute for the relevant contractual arrangements and guarantees which may be required by Data Protection Authorities at the national level – particularly on the data security issues applicable to cloud computing – the Working Party emphasises that it does not consider the relevant Safe Harbor data security provisions to be effective in this regard).

Therefore, the Opinion leans towards the use of the 2010 Model Clauses (with its applicable sub-processor provisions) but more importantly recognises the suitability of the BCR framework; and specifically the ongoing development of Binding Safe Processor Rules (BSPR) which would allow the client to entrust their data to the cloud service provider while being assured that onward transfers for sub-processing purposes would receive an adequate level of protection.

In conclusion, whilst acknowledging the significant growth in this area and consequently the need for flexible mechanisms, the Working Party Opinion suggests a belt and braces approach which today puts European customers of cloud service providers in an awkward position. Time will tell if the Working Party’s expectations are realistic but in the meantime, the specific acknowledgement of BSPR as the future model to ensure compliance whilst allowing for the flexibilities presented by cloud computing can be seen as a step in the right direction.

Cookie consent – The state of the (European) Union

Posted on July 8th, 2011 by Brian Davidson

Now that a month has passed since the deadline for implementation of Europe’s new cookie ‘consent’ law – a deadline missed by almost all EU Member States – it seems that the law is now (slowly) coming into effect across Europe. With online operators everywhere anxiously awaiting news about how Member States are implementing these requirements, now seems a good time to provide our followers with an update.

Aside from the UK, Ireland, Latvia, the Netherlands and Sweden have all now taken the plunge and introduced new cookie ‘consent’ laws. If these early adopters are anything to go by, then national legislators are broadly falling into one of two implementation camps – implementing cookie consent laws either on a strict ‘prior opt-in’ basis or, instead, qualifying the consent requirement by reference to ‘appropriate’ browser (or other application) settings.

So far, there is a roughly 50/50 split between these two camps. Ireland and Sweden have followed the UK’s pragmatic lead by qualifying consent by reference to browser settings, whereas Latvia and The Netherlands appear instead to have taken a strict prior opt-in approach. Most interestingly, the Netherlands has gone even further and clarified that the use of cookies to collect browsing behaviour for targeted advertising purposes will qualify as personal data processing – exposing ad networks not just to compliance with new cookie consent requirements, but with national data protection rules in full.

Coming down the pipeline, Spain and Germany also have legislative proposals under consideration – in each case, qualifying consent by reference to browser settings. However, even in territories that have chosen to allow consent to be expressed through browser settings, the message ringing loud and clear is that the current generation of browsers do not offer suitable settings to obtain consent – principally because they accept cookies by default. In fact, the legislative proposals under consideration in Spain state that users must expressly configure their browser settings in order to consent to cookies.

So there we have it – six more jurisdictions have brought their cookie consent laws online. Interestingly, when publishing his annual report, the UK Information Commissioner took the opportunity to caution businesses to “take their ‘consent’ obligations seriously”, adding “I’ll be after them if they don’t” (see http://goo.gl/SLvTh). You have been warned!

If you would like a copy of FFW’s “Cookie Assessment Tool” to audit your organisation’s use of cookies, please e-mail my colleague, Phil Lee: phil.lee@ffw.com.

BCR: Working Party and European Commission focus on streamlining approval process

Posted on May 18th, 2011 by Brian Davidson

Following the calls by the Article 29 Working Party to explicitly include the BCR concept in the new EU data protection legal framework and Viviane Reding’s public support in this regard, the Working Party’s emphasis is now on streamlining the BCR approval process.

In order to achieve this, the Working Party’s BCR sub-group is taking two concrete actions in this respect:

1) First of all, the sub-group is currently working towards devising a more uniform way of reviewing BCR applications, so that the process is identical across EU Member States.

2) At the same time, the Article 29 Working Party Chairman, Jacob Kohnstamm, has written to the other EU data protection authorities to encourage them to join the mutual recognition countries as soon as possible.

In addition, BCR is high on the agenda of the European Commission’s reform of the data protection directive. Not only is the Commission committed to recognising BCR as an adequacy mechanism in the new directive, but it is also considering incorporating a process whereby the approval of a set of BCR by two EU data protection authorities would automatically allow the data transfers to take place from any Member State without any further transfer authorisation.

EU Justice Commissioner further clarifies revised EU data protection framework proposals

Posted on April 6th, 2011 by Brian Davidson

EU Justice Commissioner Viviane Reding’s recent address at an EPP Group Public Hearing to European Parliamentarians on the cost of data protection compliance rightly raised a number of interesting points, not least on the issue of current data protection notification obligations, which look set to be abolished in a bid to eliminate those administrative obligations that are “unnecessary and ineffective”.

However, her address also raised a number of other interesting points:

First, we again have an instance of a senior member of the European Commission talking candidly about weaknesses in the current Data Protection Directive, the importance of change and the need to make such change a “top legislative priority”. Ms. Reding’s address rightly highlights that the effective regulation of personal data (a significant “economic asset” to many businesses) affects us all, whether individuals, businesses or regulators, and that a fresh solution is required: major changes in technology and business practices have occurred since the heady days of 1995 when the Directive was adopted, and this address is a tacit acknowledgement that the current data protection regime is showing its age.

Secondly, her address highlights that the Commission is alive to the “legal uncertainty and costs” associated with the principle of ‘establishment’ – the concept that businesses must comply with the data protection laws of those member states in which they have an office or equipment for data processing activities – and the legal and practical limitations of this concept in today’s world of cloud-computing, social networking and multi-national processing operations. Her comments further support the view that the future data protection regime is likely to account for the location of data subjects and not just the location of businesses or their IT, in determining where and when EU data protection rules apply.

Finally, her address talks about introducing “intra-company standards rules officially in the new legislation”, simplifying their procedure and introducing the ‘mutual recognition’ principle – hinting at further streamlining of the BCR process and a desire to put it on an official, legislative footing in a bid to improve harmonisation. Interestingly, her address refers to the possible expansion of such “intra-company standard rules” to “groups of companies”. Whilst it is difficult to interpret exactly what she meant by this, one possibility is that the Commission may be considering the introduction of sector- or industry-specific rules for companies that process data, such as specific rules for the pharma, finance and telco sectors.

While the questions and speculation will continue, the potential form of the new framework is slowly starting to become clearer.

The full text of Ms. Reding’s speech is available online here.