Author Archive

« Older Entries

Transparency 2.0

avatar Posted on May 17th, 2013 by Eduardo Ustaran

Telling people about the uses made of their personal information is probably the most widespread obligation across all data privacy frameworks around the world.  This derives from the fact that data privacy law has always been understood as a means to give people control – or at least a degree of control – over how others use their personal information.  Therefore, for individuals to be able to exercise the appropriate level of control, it is imperative that they are first told how their information will be used.  So irrespective of whether the use of that information is legitimised by an individual’s consent, there is still an overarching obligation to be transparent about personal data uses.  Recent developments confirm that this principle is still very much alive in the mindsets of regulators but also that compliance with the transparency obligation – as fundamental as it may be – is not without its challenges.

At one level, the growing use of increasingly sophisticated technology has made the role of privacy notices more crucial than ever before.  This is supported by the continuous output from regulatory authorities from all jurisdictions stressing the importance of explaining the uses made of data collected through users’ interaction with their devices in a clear and comprehensive manner.  In the EU, for example, the Opinions of the prolific Article 29 Working Party on issues like the deployment of cookies, the use of apps in smart devices and more recently in relation to the “purpose limitation” principle, consistently stress that as technology and data uses become more complex, the responsibility to provide a suitable explanation is even greater.  This has also been reflected in the proposed European Data Protection Regulation, which contains much more detailed transparency obligations than the current directive.  Outside Europe, guidance from the FTC in the USA and the Federal Privacy Commissioner in Canada in relation to mobile data uses emphasises exactly the same message.

The importance of privacy notices does not stop there.  The Regional Court of Berlin has recently upheld the claims made by a German consumer protection association against Apple for being too broad brush with their public privacy policy.  Apparently, the policy did not spell out specifically enough which uses applied to which types of data.  This is an eyebrow raising decision not just because of its potential effect on Apple, but because the structure of Apple’s policy is entirely in line with current market practice.  In a similar vein, the Global Privacy Enforcement Network – which comprises privacy regulators from all over the world – has launched its Internet Privacy Sweep initiative aimed at reviewing the quality of privacy notices of consumer facing websites globally.

However, the challenges faced by policy makers and data users alike are all too obvious to turn this issue into a simple matter of good notice or bad notice.  To begin with, research seems to indicate that only a very small proportion of Internet and mobile users actually read the privacy notices available.  As essential as transparency may be, the reality is that understanding an organisation’s data uses is not regarded as a priority in the context of accessing a service or making a transaction.  In addition, the complexity surrounding current technologies and data usage makes it very difficult for any organisation to explain in plain and clear terms how data will be used for the average individual to understand its implications.  On top of this, the size of devices such as smart phones and their applications – let alone glasses, household appliances, GPS watches or any other gadget without a proper screen – present another practical difficulty in terms of making the right amount of information available at the right time and in the right format.

All in all, traditional and unimaginative transparency mechanisms have their days numbered.  Long and legalistic privacy notices in particular are unlikely to serve their purpose going forward.  Whilst from a pure legal perspective, there is some merit in making sure that all possible information is available, there is a trend supported by at least some regulators to simplify the content of the notices as much as possible.  In recent years, regulators have also favoured a layered approach to the provision of privacy notices.  The next step in this evolution is the adoption of very short “contextual notices” that explain at the right time and in the right way, how certain user data will be used.  These types of notices are probably Internet and mobile players’ best chance of providing truly meaningful information when it matters.

In terms of content, the emphasis is likely to shift towards explaining how technology itself makes it possible for certain data to be collected and analysed.  In other words, the content of privacy notices will focus more specifically on explaining how the relevant technology works.  Looking further into the future, if screen sizes become smaller or disappear altogether, it is likely that some content will be replaced by icons and that privacy notices become akin to “nutritional labels”.  This is something that should be explored further by identifying key technological factors that may affect someone’s privacy – such as the use of cookies, behavioural tracking and location tracking – that could then have their own symbol and a universally accepted intrusiveness grade.  Certainly one to think about.  The transition from today’s predominantly lawyer-driven notices to a more down to earth approach to transparency about data uses will not happen overnight but the process has already started.

 

This article was first published in Data Protection Law & Policy in May 2013.

Posted in Uncategorized

BCR for processors get EU regulators’ vital endorsement

avatar Posted on May 1st, 2013 by Eduardo Ustaran

The fact that with everything that is going on in the world of data protection right now, the Article 29 Working Party has devoted a thorough 19 page explanatory document to clarifying and endorsing the role of BCR for Processors or “Binding Safe Processor Rules” is very telling. It is nearly 10 years since BCR was conceived and whilst the approval process is not precisely a walk in the park, much has been achieved in terms of its status, simplification and even international recognition. However, the idea of applying the same approach to an international group of vendors or to cloud service providers is still quite novel.

The prospect of the forthcoming EU data protection framework specifically recognising both flavours of BCR is obviously encouraging but right now, the support provided by the Working Party is invaluable. The benefits of BSPR are well documented – easier contractual arrangements for customers and suppliers, one stop shop in terms of data transfers compliance for cloud customers, no need for cumbersome model clauses… It sounds like a much needed panacea to overcome the tough EU restrictions on international data transfers affecting global outsourcing and data processing operations. But as in the early days of the traditional BCR, potential suitors need to know that the idea is workable and regulators will value the efforts made to achieve safe processor status.

Those who were already familiar with the previous opinions by the Working Party on BSPR – in particular WP195 – will not find the content of the new opinion particularly surprising. However, there are very useful and reassuring pointers in there, as highlighted by the following key statements and clarifications:

*    The outsourcing industry has been constant in its request for a new legal instrument that would allow for a global approach to data protection in the outsourcing business and officially recognise internal rules organisations may have implemented.

*    That kind of legal instrument would provide an efficient way to frame massive transfers made by a processor to subprocessors which part of the same organisation acting on behalf and under the instructions of a controller.

*    BCR for processors should be understood as adequate safeguards provided by the processor to the controller allowing the latter to comply with applicable EU data protection law.

*    However, BCR for processors do not aim to shift controllers’ duties to processors.

*    A processor’s organisation that have implemented BCR for processors will not need to sign contracts to frame transfers with each of the sub-processors part of its organisation as BCR for processors adduce safeguards to data transferred and processed on behalf and under the instructions of a controller.

*    BCR for processors already “approved” at EU level will be referred by the controller as the appropriate safeguards proposed for the international transfers.

*    Updates to the BCR for processors or to the list of the members of the BCR are possible without having to re-apply before the data protection authorities.

So in summary, and despite the detailed requirements that must be met, the overall approach of the Working Party is very “can do” and pragmatic. To finish things off in a collaborative manner, the Working Party points out at the end of the document that further input from interested circles and experts on the basis of the experience obtained will be welcomed. Keep it up!

 

Posted in Article 29 Working Party, Binding Corporate Rules, Binding Safe Processor Rules

What will happen to Safe Harbor?

avatar Posted on April 27th, 2013 by Eduardo Ustaran

As data protection-related political dramas go, the debate about the suitability and future viability of Safe Harbor is right at the top. The truth is that even when the concept was first floated by the US Department of Commerce as a self-regulatory mechanism to enable personal data transfers between the EU and the USA, and avert the threat of a trade war, it was clear that the idea would prove controversial. The fact that an agreement was finally reached between the US Government and the European Commission after several years of negotiations did not settle the matter, and European data protection authorities have traditionally been more or less publicly critical of the arrangement. The level of discomfort with Safe Harbor as an adequate mechanism in accordance with European standards was made patently obvious in the Article 29 Working Party Opinion on cloud computing of 2012, which argued that sole self-certification with Safe Harbor would not be sufficient to protect personal data in a cloud environment.

The Department of Commerce has now issued its own clarifications in response to the concerns raised by the Working Party Opinion. Understandably, the Department of Commerce makes a fierce defence of Safe Harbor as an officially recognised mechanism, which was approved by the European Commission and cannot be dismissed by the EU regulators. That is and will always be correct. Whilst the clarifications do not go into the detail of the Working Party Opinion, they certainly confirm that as far as data transfers are concerned, a Safe Harbor certification provides a public guarantee of adequate protection under the scrutiny of the Federal Trade Commission.

Such robust remarks will be music to the ears of those US cloud computing service providers that have chosen to rely on Safe Harbor to show their European compliance credentials. But the debate is far from over. The European regulators are unlikely to change their mind any time soon and if their enforcement powers increase and allow them to go after cloud service providers directly (rather than their customers) as intended by the draft Data Protection Regulation, they will be keen to put those powers into practice. In addition, we are at least a year away from the new EU data protection legal framework being agreed but some of the stakeholders are using the opportunity of a new law to reopen the validity of Safe Harbor adding to the sense of uncertainty about its future.

If I were to make a prediction about what will happen to Safe Harbor, I would say that the chances of Safe Harbor disappearing altogether are nil. However, it is very likely that the European Commission will be forced to reopen the discussions about the content of the Safe Harbor Principles in an attempt to bring them closer to the requirements of the new EU framework and indeed Binding Corporate Rules. That may actually be a good outcome for everyone because it will help the US Government assert its position that Safe Harbor matches the desired privacy standards – particularly if some tweaks are eventually introduced to incorporate new elements of the EU framework – and it may address for once and for all the perennial concerns of the EU regulators.

 

Posted in Article 29 Working Party, Binding Corporate Rules, Cloud computing, Legislative reform

Big data means all data

avatar Posted on April 19th, 2013 by Eduardo Ustaran

There is an awesomeness factor in the way data about our digital comings and goings is being captured nowadays.  That awesomeness is such that it cannot even be described in numbers.  In other words, the concept of big data is not about size but about reach.  In the same way that the ‘wow’ of today’s computer memory will turn into a ‘so what’ tomorrow, references to terabytes of data are meaningless to define the power and significance of big data.  The best way to understand big data is to see it as a collection of all possible digital data.  Absolutely all of it.  Some of it will be trivial and most of it will be insignificant in isolation, but when put together its significance becomes clearer – at least to those who have the vision and astuteness to make the most of it.

Take transactional data as a starting point.  One purchase by one person is meaningful up to a point – so if I buy a cookery book, the retailer may be able to infer that I either know someone who is interested in cooking or I am interested in cooking myself.  If many more people buy the same book, apart from suggesting that it may be a good idea to increase the stock of that book, the retailer as well as other interested parties – publishers, food producers, nutritionists – could derive some useful knowledge from those transactions.  If I then buy cooking ingredients, the price of those items alone will give a picture of my spending bracket.  As the number of transactions increases, the picture gets clearer and clearer.  Now multiply the process for every shopper, at every retailer and every transaction.  You automatically have an overwhelming amount of data about what people do with their money – how much they spend, on what, how often and so on.  Is that useful information?  It does not matter, it is simply massive and someone will certainly derive value from it.  

That’s just the purely transactional stuff.  Add information about at what time people turn on their mobile phones, switch on the hot water or check their e-mail, which means of transportation they use to go where and when they enter their workplaces – all easily recordable.  Include data about browsing habits, app usage and means of communication employed.  Then apply a bit of imagination and think about this kind of data gathering in an Internet of Things scenario, where offline everyday activities are electronically connected and digitally managed.  Now add social networking interactions, blogs, tweets, Internet searches and music downloads.  And for good measure, include some data from your GPS, hairdresser and medical appointments, online banking activities and energy company.  When does this stop?  It doesn’t.  It will just keep growing.  It’s big data and is happening now in every household, workplace, school, hospital, car, mobile device and website.

What has happened in an uncoordinated but consistent manner is that all those daily activities have become a massive source of information which someone, somewhere is starting to make use of.  Is this bad?  Not necessarily.  So far, we have seen pretty benign and very positive applications of big data – from correctly spelt Internet searches and useful shopping recommendations to helpful traffic-free driving directions and even predictions in the geographical spread of contagious diseases.  What is even better is that, data misuses aside, the potential of this hugemongous amount of information is as big as the imagination of those who can get their hands on it, which probably means that we have barely started to scratch the surface of it all.

Our understanding of the potential of big data will improve as we become more comfortable and familiar with its dimensions but even now, it is easy to see its economic and social value.  But with value comes responsibility.  Just as those who extract and transport oil must apply utmost care to the handling of such precious but hazardous material, those who amass and manipulate humanity’s valuable data must be responsible and accountable for their part.  It is not only fair but entirely right that the greater the potential, the greater the responsibility, and that anyone entrusted with our information should be accountable to us all.  It should not be up to us to figure out and manage what others are doing with our data.  Frankly, that is simply unachievable in a big data world.  But even if we cannot measure the size of big data, we must still find a way to apportion specific and realistic responsibilities for its exploitation.

 

This article was first published in Data Protection Law & Policy in April 2013.

Posted in Big Data, Data as an asset, Profiling, Smartphones

The familiar perils of the mobile ecosystem

avatar Posted on March 18th, 2013 by Eduardo Ustaran

I had not heard the word ‘ecosystem’ since school biology lessons.  But all of a sudden, someone at a networking event dropped the ‘e’ word and these days, no discussion about mobile communications takes place without the word ‘ecosystem’ being uttered in almost every sentence.   An ecosystem is normally defined as a community of living things helping each other out (some more willingly than others) in a relatively contained environment.  The point of an ecosystem is that completely different organisms – each with different purposes and priorities – are able to co-exist in a more or less harmonious but eclectic way.  The parallel between that description and what is happening in the mobile space is evident.  Mobile communications have evolved around us to adopt a life of their own and separate from traditional desktop based computing and web browsing.  Through the interaction of very different players, our experience of communications on the go via smart devices has become an intrinsic part of our everyday lives. 

Mobile apps in particular have penetrated our devices and lifestyles in the most natural of ways.  Studies show that apparently an average smartphone user downloads 37 apps.  The fact that the term ‘app’ was listed as Word of the Year in 2010 by the American Dialect Society is quite telling.  Originally conceived to provide practical functions like calendars, calculators and ring tones, mobile apps bring us anything that can be digitised and has a role to play in our lives.  In other words, our use of technology has never been as close and personal.  Our mobile devices are an extension of ourselves and mobile apps are an accurate tool to record our every move (in some cases, literally!).  As a result, the way in which we use mobile devices tells a very accurate story of who we are, what we do and what we are about.  Conspiracy theories aside, it is a fact that smartphones are the perfect surveillance device and most of us don’t even know it!

Policy makers and regulators throughout the world are quickly becoming very sensitive to the privacy risks of mobile apps.  Enforcement is the loudest mechanism to show that nervousness but the proliferation of guidance around compliance with the law in relation to the development, provision and operation of apps has been a clear sign of the level of concern.  Regulators in Canada, the USA and more recently in Europe have voiced sombre concerns about such risks.  The close and intimate relationship between the (almost always on) devices and their users is widely seen as an aggravating factor of the potential for snooping, data collection and profiling.  Canadian regulators are particularly concerned about the seeming lightning speed of the app development cycle and the ability to reach hundreds of thousands of users within a very short period of time.  Another generally shared concern is the fragmentation between the many players in the mobile ecosystem – telcos, handset manufacturers, operating system providers, app stores, app developers, app operators and of course anybody else who wants a piece of the rich mobile cake – and the complexity that this adds to it.

All of that appears to compromise undisputed traditional principles of privacy and data protection: transparency, individuals’ control over their data and purpose limitation.  It is easy to see why that is the case.  How can we even attempt to understand – let alone control – all of the ways in which the information generated by our non-stop use of apps may potentially be used when all such uses are not yet known, the communication device is undersized and our eagerness to start using the app acts as a blindfold?  No matter how well intended the regulators’ guidance may be, it is always going to be a tall order to follow, particularly when the expectations of those regulators in terms of the quality of the notice and consent are understandably high.  In addition, the bulk of the guidance has been targeted at app developers, a key but in many cases insignificant player in the whole ecosystem.  Why is the enthusiastic but humble app developer the focus of the compliance guidelines when some of the other parties – led by the operator of the app, which is probably the most visible party to the user – play a much greater role in determining which data will be used and by whom?

Thanks to their ubiquity, physical proximity to the user and personal nature, mobile communications and apps pose a massive regulatory challenge to those who make and interpret privacy rules, and an even harder compliance conundrum to those who have to observe them.  That is obviously not a reason to give up and efforts must be made by anyone who plays a part to contribute to the solution.  People are entitled to use mobile technology in a private, productive and safe way.  But we must acknowledge that this new ecosystem is so complex that granting people full control of the data generated by such use is unlikely to be viable.  As with any other rapidly evolving technology, the privacy perils are genuine but attention must be given to all players and, more importantly, to any mechanisms that allow us to distinguish between legitimate and inappropriate uses of data.  Compliance with data protection in relation to apps should be about giving people what they want whilst avoiding what they would not want.

This article was first published in Data Protection Law & Policy in March 2013.

Posted in Consent, Data minimisation, Mobile telecoms

The Internet of Things and a balanced approach to regulatory intervention

avatar Posted on March 14th, 2013 by Eduardo Ustaran

To say that the Internet has changed and penetrated our lives is without doubt an understatement.  As cliché as it may sound, Internet technology has already had an effect of historic proportions for humanity.  What is even more amazing is the fact that the real impact is yet to be seen and is only a few years away.  Today, using and benefiting from the wonders of the Internet typically involves a communication device – like a PC, a tablet or a mobile phone – that serves as an interface mechanism for the user.  Browsing the web, shopping online and communicating by e-mail have become second nature to anyone with access to a device connected to the Internet, and the fact that this can happen on the move in all but the most remote places on the planet only makes the whole experience more ordinary.  But the truth is that we have seen nothing yet!  A few glimpses of our current technological development show what is likely to happen next and the potential reach of the next stage in the evolution of the Internet.

The idea that things we do in the offline real world – like making breakfast, going to school, commuting to work, buying groceries, watching the telly and so on – could somehow be interconnected with each other through Internet technology in a sort of automatic way has the flavour of a 1960s science fiction cartoon.  However, that was precisely the kind of thing that a group of visionary engineers had in mind when in the late nineties – as the Internet was starting to catch on – they came up with the concept of the ‘Internet of Things’.  Their vision was that rather than having to rely on constant human intervention for feeding the Internet with instructions and information, everyday items – coffee machines, cars, fridges, central heating systems, TVs, tooth brushes…, you name it – could rely on the power of the Internet to provide even greater value and more convenient uses to their users.  Before we start thinking of this as a prequel for Terminator, this vision was not about machines running wild and taking over our lives, but about exploiting relatively straight forward and wide spread technology to make our lives… easier, more pleasant, more productive, lazier???

It is early days for some of the immediately graspable applications of the Internet of Things to become the norm.  I still text my neighbour on my last day of holiday asking him to pop into my house and turn on the heating rather than log onto my gas company smart console device to do it remotely.  We still rely on weekly shopping lists rather than ask our fridges what we have run out off.  Our everyday offline life is basically still pretty offline.  On the other hand, data from trains, crops, water pipes, smart meters and even running shoes is now being digitally collected for our efficiency and enjoyment.  As technology evolves, every object on the planet could end up being a node in a truly ubiquitous network of networks.  Not even the sky is the limit.  The possibilities are as wide as our imagination and for the more sombre thinkers, so are the risks.  Privacy and security are at the top of the risk list and that has not gone unnoticed to policy makers.

In 2012, the European Commission carried out a public consultation which sought views on an appropriate policy approach to foster a dynamic development of the Internet of Things.  The Commission has recently published its report on the consultation and the findings reflect an unfortunately common polarisation of views.  The Commission’s report shows that far from being consensus as to the need for and scope of public intervention in connection with the Internet of Things, there are two clearly distinguishable factions: the so-called industry camp and the interested citizens, civil society and consumer organisations camp.  The industry argued strongly against any kind of intervention in a sector which is still in its infancy and claimed that Internet technology should develop further before appropriate policy measures can be devised.  The other side claimed that a new and stronger data protection framework was needed so that people can be fully in control of their data.

According to the civil society group of respondents to the Commission’s consultation, the required new framework needs to incorporate elements such as consent, purpose limitation, data anonymisation, transparency, privacy by default and by design, system security, data deletion, accountability and regulatory audits.  A real mouthful of measures which according to this group must override any economic considerations, given that fundamental rights like privacy, security and other ethical issues are at stake.  As is often the case, the views expressed will be seen as antagonistic by each other and, worst of all, could have the regrettable effect of deafening the debate and preventing a balanced approach to regulatory intervention.  We cannot afford that to be the case.  Not just because of its potentially unreasonable effect on economic prosperity, but because there is a correct level of intervention that must be found and applied for everyone’s benefit.  As the Internet evolves, so does the need for privacy and security public policy.  The most appropriate outcome may be debatable but one thing is clear: responsible policies and norms must take into account real and likely opportunities as well as threats, not greedy dreams or extreme conspiracy theories.

This article was first published in Privacy Perspectives in March 2013.

Posted in Legislative reform, Uncategorized

Big Data at risk

avatar Posted on February 1st, 2013 by Eduardo Ustaran

“The amount of data in our world has been exploding, and analysing large data sets — so-called Big Data — will become a key basis of competition, underpinning new waves of productivity growth, innovation and consumer surplus”.  Not my words, but those of the McKinsey Global Institute (the business and economics research arm of McKinsey) in a report that evidences like no other the value of data for future economic growth.  However, that value will be seriously at risk if the European Parliament accepts the proposal for a pan-European Regulation currently on the table.

Following the publication by the European Commission last year of a proposal for a General Data Protection Regulation aimed at replacing the current national data protection laws across the EU, at the beginning of 2013, Jan Philipp Albrecht (Rapporteur for the LIBE Committee, which is leading the European Parliament’s position on this matter) published his proposed revised draft Regulation.  

Albrecht’s proposal introduces a wide definition of ‘profiling’, which was covered by the Commission’s proposal but not defined.  Profiling is defined in Albrecht’s proposal as “any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or to analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour“. 

Neither the Commission’s original proposal nor Albrecht’s proposal define “automated processing”.  However, the case law of the European Court of Justice suggests that processing of personal data by automated means (or automated processing) should be understood by contrast with manual processing.   In other words, automated processing is processing carried out by using computers whilst manual processing is processing carried out manually or on paper.  Therefore, the logical conclusion is that the collection of information via the Internet or from transactional records and the placing of that information onto a database — which is the essence of Big Data — will constitute automated processing for the purposes of the definition of profiling in Albrecht’s proposal.

If we link to that the fact that, in a commercial context, all that data will typically be used first to analyse people’s technological comings and goings, and then to make decisions based on perceived preferences and expected behaviours, it is obvious that most activities involving Big Data will fall within the definition of profiling.

The legal threat is therefore very clear given that, under Albrecht’s proposal, any data processing activities that qualify as ‘profiling’ will be unlawful by default unless those are activities are:

*      necessary for entering into or performing a contract at the request of the individual – bearing in mind that “contractual necessity” is very strictly interpreted by the EU data protection authorities to the point that if the processing is not strictly necessary from the point of view of the individuals themselves, it will not be regarded as necessary;

*      expressly authorised by EU or Member State law – which means that a statutory provision has to specifically allow such activities; or

*      with the individual’s consent – which must be specific, informed, explicit and freely given, taking into account that under Albrecht’s proposal, consent is not valid where the data controller is in a dominant market position or where the provision of a service is made conditional on the permission to use someone’s data.

In addition, there is a blanket prohibition on profiling activities involving sensitive personal data, discriminatory activities or children data.

So the outlook is simple: either the European Parliament figures out how to regulate profiling activities in a more balanced way or Big Data will become No Data.

 

Posted in 95 directive, Big Data, Data as an asset, Legislative reform, Profiling, Targeted advertising

Killing the Internet

avatar Posted on January 25th, 2013 by Eduardo Ustaran

The beginning of 2013 could not have been more dramatic for the future of European data protection.  After months of deliberations, veiled announcements and guarded statements, the rapporteur of the European Parliament’s committee responsible for taking forward the ongoing legislative reform has revealed his position loudly and clearly.  Jan Albrecht’s proposal is by no means the final say of the Parliament but it is an indication of where an MEP who has thought long and hard about what the new data protection law should look like stands.  The reactions have been equally loud.  The European Commission has calmly welcomed the proposal, whilst some Member States’ governments have expressed serious concerns about its potential impact on the information economy.  Amongst the stakeholders, the range of opinions vary quite considerably – Albrecht’s approach is praised by regulators whilst industry leaders have massive misgivings about it.  So who is right?  Is this proposal the only possible way of truly protecting our personal information or have the bolts been tightened too much?

There is nothing more appropriate than a dispassionate legal analysis of some key elements of Albrecht’s proposal to reveal the truth: if the current proposal were to become law today, many of the most popular and successful Internet services we use daily would become automatically unlawful.  In other words, there are some provisions in Albrecht’s draft proposal that when combined together would not only cripple the Internet as we know it, but they would stall one of the most promising building blocks of our economic prosperity, the management and exploitation of personal information.  Sensationalist?  Consider this:

*     Traditionally, European data protection law has required that in order to collect and use personal data at all, one has to meet a lawful ground for processing.  The European Commission had intended to carry on with this tradition but ensuring that the so-called ‘legitimate interests’ ground, which permits data uses that do not compromise the fundamental rights and freedoms of individuals, remained available.  Albrecht proposes to replace this balancing exercise with a list of what qualifies as a legitimate interest and a list of what doesn’t.  The combination of both lists have the effect of ruling out any data uses which involve either data analytics or simply the processing of large amounts of personal data, so the obvious outcome is that the application of the ‘legitimate interests’ ground to common data collection activities on the Internet is no longer possible.

*     Albrecht’s aim of relegating reliance on the ‘legitimate interests’ ground to very residual cases is due to the fact that he sees individual’s consent as the primary basis for all data uses.  However, the manner and circumstances under which consent may be obtained are strictly limited.  Consent is not valid if the recipient is in a dominant market position.  Consent for the use of data is not valid either if presented as a condition of the terms of a contract and the data is not strictly necessary for the provision of the relevant service.  All that means that if a service is offered for free to the consumer – like many of the most valuable things on the Internet – but the provider of that service is seeking to rely on the value of the information generated by the user to operate as a business, there will not be a lawful way for that information to be used.

*     To finish things off, Albrecht delivers a killing blow through the concept of ‘profiling’.  Defined as automated processing aimed at analysing things like preferences and behaviour, it covers what has become the pillar of e-commerce and is set to change the commercial practices of every single consumer-facing business going forward.  However, under Albrecht’s proposal, such practices are automatically banned and only permissible with the consent of the individual, which as shown above, is pretty much mission impossible.

The collective effect of these provisions is truly devastating.  This is not an exaggeration.  It is the outcome of a simple legal analysis of a proposal deliberately aimed at restricting activities seen as a risk to people.  The decision that needs to be made now is whether such a risk is real or perceived and, in any event, sufficiently great to merit curtailing the development of the most sophisticated and widely used means of communication ever invented. 

 
This article was first published in Data Protection Law & Policy in January 2013.

Posted in Consent, Data as an asset, Legislative reform, Profiling

European Parliament’s take on the Regulation: Stricter, thicker and tougher

avatar Posted on January 9th, 2013 by Eduardo Ustaran

 

If anyone thought that the European Commission’s draft Data Protection Regulation was prescriptive and ambitious, then prepare yourselves for the European Parliament’s approach. The much awaited draft report by the LIBE Committee with its revised proposal (as prepared by its rapporteur Jan-Philipp Albrecht) has now been made available and what was already a very complex piece of draft legislation has become by far the strictest, most wide ranging and potentially most difficult to navigate data protection law ever to be proposed.

This is by no means the end of the legislative process, but here are some of the highlights of the European Parliament’s proposal currently on the table:

*     The territorial scope of application to non EU-based controllers has been expanded, in order to catch those collecting data of EU residents with the aim of (a) offering goods or services (even if they are free) or (b) monitoring those individuals (not just their behaviour).

*     The concept of ‘personal data’ has also been expanded to cover information relating to someone who can be singled out (not just identified).

*     The Parliament has chosen to give an even bigger role to ‘consent’ (which must still be explicit), since this is regarded as the best way for individuals to control the uses made of their data. In turn, relying on the so-called ‘legitimate interests’ ground to process personal data has become much more onerous, as controllers must then inform individuals about such specific processing and the reasons why those legitimate interests override the interests or fundamental rights and freedoms of the individual.

*     Individuals’ rights have been massively strengthened across the board. For example, the right of access has been expanded by adding to it a ‘right to data portability’ and the controversial ‘right to be forgotten’ potentially goes even further than originally drafted, whilst profiling activities are severely restricted.

*     All of the so-called ‘accountability’ measures imposed on data controllers are either maintained or reinforced. For example, the obligation to appoint a data protection officer will kick in when personal data relating to 500 or more individuals is processed per year, and new principles such as data protection by design and by default are now set to apply to data processors as well.

*     The ‘one stop shop’ concept that made a single authority competent in respect of a controller operating across Member States has been considerably diluted, as the lead authority is now restricted to just acting as a single contact point.

*     Many of the areas that had been left for the Commission to deal with via ‘delegated acts’ are now either specifically covered by the Regulation itself (hence becoming more detailed and prescriptive) or left for the proposed European Data Protection Board to specify, therefore indirectly giving a legislative power to the national data protection authorities.

*     An area of surprising dogmatism is international data transfers, where the Parliament has added further conditions to the criteria for adequacy findings, placed a time limit of 2 years to previously granted adequacy decisions or authorisations for specific transfers (it’s not clear what happens afterwards – is Safe Harbor at risk?), reinforced slightly the criteria for BCR authorisations, and limited transfers to non-EU public authorities and courts.

*     Finally, with regard to monetary fines, whilst the Parliament gives data protection authorities more discretion to impose sanctions, more instances of possible breaches have been added to the most severe categories of fines.

All in all, the LIBE Committee’s draft proposal represents a significant toughening of the Commission’s draft (which was already significantly tougher than the existing data protection directive). Once it is agreed by the Parliament, heated negotiations with the Council of the EU and other stakeholders (including the Commission itself) will then follow and we have just over a year to get the balance right. Much work no doubt awaits.

 

Posted in 95 directive, Accountability, Applicable law, Binding Corporate Rules, Consent, Financial penalties, Legislative reform, Privacy by design, Profiling, Right to be forgotten, Sanctions

Cookie consent enforcement – ICO’s latest

avatar Posted on December 19th, 2012 by Eduardo Ustaran

The UK Information Commissioner’s Office has quietly published today a report detailing the concerns reported to them, the current picture and the action they are taking as of December 2012 in relation to the cookie consent requirement.

The highlights of the report are as follows:

*   Consumers are unhappy with implied consent mechanisms, especially where cookies are placed immediately on entry to the site.

*   Consumers often complain about the fact that they have not been given enough information generally, and specifically not enough information about how to decline cookies or manage them later.

*   The ICO is continuing to write to websites they receive concerns about – This means that nobody is off the hook.

*   The ICO has also looked at the types of cookie in use – This means that the regulator has the means to investigate and find out about cookie practices on a per site basis.  If a site operator does not have this information, how is that going to look???

*   The provider must ensure that users can see clear and relevant information explaining what is likely to happen while they are accessing the site, and their choices as regards controlling what happens.

*   Failure to comply will result in formal action to ensure compliance, and the ICO may decide to name the site in order to make consumers aware of its use of cookies – In other words, the ICO is not going to sit still.  The prospect of facing enforcement action is there.

*   If an organisation refuses to take steps to comply, or has been involved in a particularly privacy-intrusive use of cookies without telling individuals or obtaining consent, the ICO will consider using formal regulatory powers in line with our criteria set out in the Data Protection Regulatory Action Policy and Guidance on the issue of monetary penalties – This is the clearest threat of enforcement action to date!

 

Posted in Cookie rule, Financial penalties, Sanctions

« Older Entries