Archive for the ‘Privacy by design’ Category

In defence of the privacy policy

Posted on March 29th, 2013 by Phil Lee

Speaking at the Games Developers’ Conference in San Francisco yesterday on the panel “Privacy by [Game] Design”, I was thrown an interesting question: Does the privacy policy have any place in the forward-thinking privacy era?

To be sure, privacy policy bashing has become populist stuff in recent years, and the role of the privacy policy is a topic I’ve heard debated many, many times. The normal conclusion to any discussion around this point is that privacy policies are too long, too complex and simply too unengaging for any individual to want to read them. Originally intended as a fair processing disclosure about what businesses do with individuals’ data, critics complain that they have over time become excessively lengthy, defensive, legalistic documents aimed purely at protecting businesses from liability. Just-in-time notices, contextual notices, privacy icons, traffic lights, nutrition labels and gamification are the way forward. See, for example, this recent post by Peter Fleischer, Google’s Global Privacy Counsel.

This is all fair criticism. But that doesn’t mean it’s time to write off privacy policies – we’re not talking about an either/or situation here. They continue to serve an important role in ensuring organisational accountability. Committing a business to put down, in a single, documented place, precisely what data it collects, what it does with that data, who it shares it with, and what rights individuals have, helps keep it honest. More and more, I find that clients put considerable effort into getting their privacy policies right, carefully checking that the disclosures they make actually map to what they do with data – stimulating conversations with other business stakeholders across product development, marketing, analytics and customer relations functions. The days when lawyers were told “just draft something” are long gone, at least in my experience.

This internal dialogue keeps interested stakeholders informed about one another’s data uses and facilitates discussions about good practice that might otherwise be overlooked. If you’re going to disclose what you do in an all-encompassing, public-facing document – one that may, at some point, be scoured over by disgruntled customers, journalists, lawyers and regulators – then you want to make sure that what you do is legit in the first place. And, of course, while individuals seldom ever read privacy policies in practice, if they do have a question or a complaint they want to raise, then a well-crafted privacy policy serves (or, at least, should serve) as a comprehensive resource for finding the information they need.

Is a privacy policy the only way to communicate with your consumers what you do with their data? No, of course not. Is it the best way? Absolutely not: in an age of device and platform fragmentation, the most meaningful way is through creative Privacy by Design processes that build a compelling privacy narrative into your products and services. But is the privacy policy still relevant and important? Yes, and long may this remain the case.

Designing privacy for mobile apps

Posted on March 16th, 2013 by Phil Lee

My phone is my best friend.  I carry it everywhere with me, and entrust it with vast amounts of my personal information, for the most part with little idea about who has access to that information, what they use it for, or where it goes.  And what’s more, I’m not alone.  There are some 6 billion mobile phone subscribers out there, and I’m willing to bet that most – if not all of them – are every bit as unaware of their mobile data uses as me.

So it’s hardly surprising that the Article 29 Working Party has weighed in on the issue with an “opinion on apps on smart devices” (available here).  The Working Party splits its recommendations across the four key players in the mobile ecosystem (app developers, OS and device manufacturers, app stores and third parties such as ad networks and analytics providers), with app developers receiving the bulk of the attention.

Working Party recommendations

Much of the Working Party’s recommendations don’t come as a great surprise: provide mobile users with meaningful transparency, avoid data usage creep (data collected for one purpose shouldn’t be used for other purposes), minimise the data collected, and provide robust security.  But other recommendations will raise eyebrows, including that:

(*)  the Working Party doesn’t meaningfully distinguish between the roles of an app publisher and an app developer – mostly treating them as one and the same.  So, the ten-man design agency engaged by Global Brand plc to build it a whizzy new mobile app is effectively treated as having the same compliance responsibilities as Global Brand, even though it will ultimately be Global Brand who publicly releases the app and exploits the data collected through it;

(*)  the Working Party considers EU data protection law to apply whenever a data collecting app is released into the European market, regardless of where the app developer itself is located globally.  So developers who are based outside of Europe but who enjoy global release of their app on Apple’s App Store or Google Play may unwittingly find themselves subjected to EU data protection requirements;

(*)  the Working Party takes the view that device identifiers like UDID, IMEI and IMSI numbers all qualify as personal data, and so should be afforded the full protection of European data protection law.  This has a particular impact on the mobile ad industry, who typically collect these numbers for ad serving and ad tracking purposes, but aim to mitigate regulatory exposure by carefully avoiding collection of “real world” identifiers;

(*)  the Working Party places a heavy emphasis on the need for user opt-in consent, and does not address situations where the very nature of the app may make it so obvious to the user what information the app will collect as to make consent unnecessary (or implied through user download); and

(*)  the Working Party does not address the issue of data exports.  Most apps are powered by cloud-based functionality and supported by global service providers meaning that, perhaps more than in any other context, the shortfalls of common data export solutions like model clauses and safe harbor become very apparent.

Designing for privacy

Mobile privacy is hard.  In her guidance on mobile apps, the California Attorney-General rightly acknowledged that: “Protecting consumer privacy is a team sport. The decisions and actions of many players, operating individually and jointly, determine privacy outcomes for users. Hardware manufacturers, operating system developers, mobile telecommunications carriers, advertising networks, and mobile app developers all play a part, and their collaboration is crucial to enabling consumers to enjoy mobile apps without having to sacrifice their privacy.”

Building mobile apps that are truly privacy compliant requires a privacy by design approach from the outset.  But, for any mobile app build, there are some top tips that developers should be aware of:
  1. Always, always have a privacy policy.  The poor privacy policy has been much maligned in recent years but, whether or not it’s the best way to tell people what you do with their information (it’s not), it still remains an expected standard.  App developers need to make sure they have a privacy policy that accurately reflects how they will use and protect individuals’ personal information and make this available both prior to download (e.g. published on the app store download page) and in-app.  Not having this is a sure-fire way to fall foul of privacy authorities – as evidenced in the ongoing Delta Airlines case.
  2. Surprise minimisation.  The Working Party emphasises the need for user consents and, in certain contexts, consent will of course be appropriate (e.g. when accessing real-time GPS data).  But, to my mind, the better standard is that proposed by the California Attorney-General of “surprise minimisation”, which she explains as the use of “enhanced measures to alert users and give them control over data practices that are not related to an app’s basic functionality or that involve sensitive information.” Just-in-time privacy notices combined with meaningful user controls are the way forward.
  3. Release “free” and “premium” versions.  The Working Party says that individuals must have real choice over whether or not apps collect personal information about them.  However, developers will commonly complain that real choice simply isn’t an option – if they’re going to provide an app for free, then they need to collect and monetise data through it (e.g. through in-app targeted advertising).  An obvious solution is to release two versions of the app – one for “free” that is funded by exploiting user data and one that is paid for, but which only collects user data necessary to operate the app.  That way, users that don’t want to have their data monetised can choose to download the paid-for “premium” version instead – in other words, they have choice;
  4. Provide privacy menu settings.   It’s surprising how relatively few apps offer this, but privacy settings should be built into app menus as a matter of course – for example, offering users the ability to delete app usage histories, turn off social networking integration, restrict location data use etc.  Empowered users are happy users, and happy users means happy regulators; and
  5. Know Your Service Providers.  Apps serve as a gateway to user data for a wide variety of mobile ecosystem operators – and any one of those operators might, potentially, misuse the data it accesses.  Developers need to be particularly careful when integrating third party APIs into their apps, making sure that they properly understand their service providers’ data practices.  Failure to do proper due diligence will leave the developer exposed.

Any developer will tell you that you don’t build great products by designing to achieve compliance; instead, you build great products by designing a great user experience.  Fortunately, in privacy, both goals are aligned.  A great privacy experience is necessarily part and parcel of a great user experience, and developers need to address users’ privacy needs at the earliest stages of development, through to release and beyond.

European Parliament’s take on the Regulation: Stricter, thicker and tougher

Posted on January 9th, 2013 by Eduardo Ustaran


If anyone thought that the European Commission’s draft Data Protection Regulation was prescriptive and ambitious, then prepare yourselves for the European Parliament’s approach. The much awaited draft report by the LIBE Committee with its revised proposal (as prepared by its rapporteur Jan-Philipp Albrecht) has now been made available and what was already a very complex piece of draft legislation has become by far the strictest, most wide ranging and potentially most difficult to navigate data protection law ever to be proposed.

This is by no means the end of the legislative process, but here are some of the highlights of the European Parliament’s proposal currently on the table:

*     The territorial scope of application to non-EU-based controllers has been expanded, in order to catch those collecting data of EU residents with the aim of (a) offering goods or services (even if they are free) or (b) monitoring those individuals (not just their behaviour).

*     The concept of ‘personal data’ has also been expanded to cover information relating to someone who can be singled out (not just identified).

*     The Parliament has chosen to give an even bigger role to ‘consent’ (which must still be explicit), since this is regarded as the best way for individuals to control the uses made of their data. In turn, relying on the so-called ‘legitimate interests’ ground to process personal data has become much more onerous, as controllers must then inform individuals about such specific processing and the reasons why those legitimate interests override the interests or fundamental rights and freedoms of the individual.

*     Individuals’ rights have been massively strengthened across the board. For example, the right of access has been expanded by adding to it a ‘right to data portability’ and the controversial ‘right to be forgotten’ potentially goes even further than originally drafted, whilst profiling activities are severely restricted.

*     All of the so-called ‘accountability’ measures imposed on data controllers are either maintained or reinforced. For example, the obligation to appoint a data protection officer will kick in when personal data relating to 500 or more individuals is processed per year, and new principles such as data protection by design and by default are now set to apply to data processors as well.

*     The ‘one stop shop’ concept that made a single authority competent in respect of a controller operating across Member States has been considerably diluted, as the lead authority is now restricted to just acting as a single contact point.

*     Many of the areas that had been left for the Commission to deal with via ‘delegated acts’ are now either specifically covered by the Regulation itself (hence becoming more detailed and prescriptive) or left for the proposed European Data Protection Board to specify, therefore indirectly giving a legislative power to the national data protection authorities.

*     An area of surprising dogmatism is international data transfers, where the Parliament has added further conditions to the criteria for adequacy findings, placed a time limit of 2 years to previously granted adequacy decisions or authorisations for specific transfers (it’s not clear what happens afterwards – is Safe Harbor at risk?), reinforced slightly the criteria for BCR authorisations, and limited transfers to non-EU public authorities and courts.

*     Finally, with regard to monetary fines, whilst the Parliament gives data protection authorities more discretion to impose sanctions, more instances of possible breaches have been added to the most severe categories of fines.

All in all, the LIBE Committee’s draft proposal represents a significant toughening of the Commission’s draft (which was already significantly tougher than the existing data protection directive). Once it is agreed by the Parliament, heated negotiations with the Council of the EU and other stakeholders (including the Commission itself) will then follow and we have just over a year to get the balance right. Much work no doubt awaits.


2013 to be the year of mobile regulation?

Posted on January 4th, 2013 by Phil Lee

After a jolly festive period (considerably warmer, I’m led to understand, for me in Palo Alto than for my colleagues in the UK), the New Year is upon us and privacy professionals everywhere will no doubt be turning their minds to what 2013 has in store for them.  Certainly, there are plenty of developments to keep abreast of, ranging from the ongoing EU regulatory reform process through to the recent formal recognition of Binding Corporate Rules for processors.  My partner, Eduardo Ustaran, has posted an excellent blog outlining his predictions here.

But one safe bet for greater regulatory attention this year is mobile apps and platforms.  Indeed, with all the excitement surrounding cookie consent and EU regulatory reform, mobile has remained largely overlooked by EU data protection authorities to date.  Sure, we’ve had the Article 29 Working Party opine on geolocation services and on facial recognition in mobile services.  The Norwegian Data Protection Inspectorate even published a report on mobile apps in 2011 (“What does your app know about you?“).  But really, that’s been about it.  Pretty uninspiring, not to mention surprising, when consumers are fast abandoning their creaky old desktop machines and accessing online services through shiny new smartphones and tablets: Forbes even reports that mobile access now accounts for 43% of total minutes spent on Facebook by its users.

Migration from traditional computing platforms to mobile computing is not, in and of itself, enough to guarantee regulator interest.  But there are plenty of other reasons to believe that mobile apps and platforms will come under increased scrutiny this year:

1.  First, meaningful regulatory guidance is long overdue.  Mobiles are inherently more privacy invasive than any other computing platform.  We entrust more data to our mobile devices (in my case, my photos, address books, social networking, banking and shopping account details, geolocation patterns, and private correspondence) than any other platform and generally with far less security – that 4-digit PIN really doesn’t pass muster.  We download apps from third parties we’ve often scarcely ever heard of, with no idea as to what information they’re going to collect or how they’re going to use it, and grant them all manner of permissions without even thinking – why, exactly, does that flashlight app need to know details of my real-time location?  Yet despite the huge potential for privacy invasion, there persists a broad lack of understanding as to who is accountable for compliance failures (the app store, the platform provider, the network provider or the app developer) and what measures they should be implementing to avoid privacy breaches in the first place.  This uncertainty and confusion makes regulatory involvement inevitable.

2.  Second, regulators are already beginning to get active in the mobile space – if this were not the case, the point above would otherwise be pure speculation.  It’s not, though.  On my side of the Pond, we’ve recently seen the California Attorney General file suit against Delta Air Lines for its failure to include a privacy policy within its mobile app (this action itself following letters sent by the AG to multiple app providers warning them to get their acts together).  Then, a few days later, the FTC launched a report on children’s data collection through mobile apps, in which it indicated that it was launching multiple investigations into potential violations of the Children’s Online Privacy Protection Act (COPPA) and the FTC Act’s unfair and deceptive practices regime.  The writing is on the wall, and it’s likely EU regulators will begin following the FTC’s lead.

3.  Third, the Article 29 Working Party intends to do just that.  In a press release in October, the Working Party announced that “Considering the rapid increase in the use of smartphones, the amount of downloaded apps worldwide and the existence of many small-sized app-developers, the Working Party… [will] publish guidance on mobile apps… early next year.” So guidance is coming and, bearing in mind that the Article 29 Working Party is made up of representatives from national EU data protection authorities, it’s safe to say that mobile privacy is riding high on the EU regulatory agenda.

In 2010, the Wall Street Journal reported: “An examination of 101 popular smartphone “apps”—games and other software applications for iPhone and Android phones—showed that 56 transmitted the phone’s unique device ID to other companies without users’ awareness or consent. Forty-seven apps transmitted the phone’s location in some way. Five sent age, gender and other personal details to outsiders… Many apps don’t offer even a basic form of consumer protection: written privacy policies. Forty-five of the 101 apps didn’t provide privacy policies on their websites or inside the apps at the time of testing.“  Since then, there hasn’t been a great deal of improvement.  My money’s on 2013 being the year that this will change.

Brussels calling: news on the Regulation

Posted on October 12th, 2012 by Olivia Harrisson

There was a definite data protection buzz in Brussels this week as the European Parliament hosted a two-day Inter-parliamentary Committee Meeting to discuss the new EU Data Protection framework, proposed by the European Commission in January.

Representatives of global technology organisations, consumer protection groups, members of national parliaments and members of the EU institutions were prominent among the innumerable stakeholders there, each eager to present their views and contribute to the debate.

The conference was organised by the Committee on Civil Liberties, Justice and Home Affairs (LIBE), the body appointed by the European Parliament to assist with the data protection reforms, headed up by rapporteurs Jan Albrecht and Dimitrios Droutsas.

Since the Lisbon Treaty came into force in 2009, the European Parliament and the Council of the European Union are jointly responsible for negotiating and agreeing upon legislative proposals put forward by the Commission. It follows then that this conference provided a fundamental platform upon which stakeholders could share their opinions and concerns, and an important means by which legislators could gain insight into the practical, legal and economic realities behind the proposals. These contributions will feed directly into the legislative process, and LIBE will no doubt consider them when preparing its draft opinion on the reforms which is expected later this year.

So what then was the outcome of the conference? There are certainly many questions that remain unanswered and it was pointed out by Simon Davies from the London School of Economics that there is almost no agreement among stakeholders on any single point. A huge amount of re-thinking and re-drafting will no doubt ensue. That said, what was abundantly clear was an overwhelming support in principle for the reforms and, despite there being some way to go in terms of getting the legislation right, a sense that the key people responsible for drafting it are listening to what people have to say.

For instance, Viviane Reding (the Vice President of the Commission) made it clear that the Commission would consider reducing the vast number of delegated acts. This will no doubt have come as welcome news to many. Delegated and implementing acts enable the Commission to supplement and amend certain non-essential elements of the legislation once it has come into force. In other words, they achieve flexibility and enable clauses to be drafted in a technologically neutral manner, making way for new technological innovations that will be prevalent in the years to come. The counter argument though is that delegated acts give the Commission excessive (and in many cases unnecessary) powers, which would constitute a bar to strengthening democracy and promoting transparency across the EU.

Francoise Le Bail (the Commission’s Director General for Justice), whilst defending the number of delegated acts currently drafted, recognised there were a lot of question marks and problems outstanding but stressed that stakeholder contributions were valued by the Commission which is determined to take into account the proposals and comments made. There is still room then for voices to be heard.

The debate on delegated acts was one thing, and there are no prizes for guessing some of the other controversial elements that repeatedly cropped up. The “right to be forgotten”, “one-stop-shop”, “consent”, “profiling” and “data protection by design” were all key concepts which unsurprisingly featured in the debate and, whether for or against them, the general view was clear. The drafting needs to be tightened up, and greater clarity is needed in many cases so as to be sure of the exact rights and obligations of everyone concerned.

The proposed legislation does after all affect a huge number of people; not just citizens, but consumers, SMEs, global organisations and public authorities are all affected, and this was also a key feature of the debate. On the one hand, we were reminded that data protection is a fundamental right of each citizen in the EU and measures must be taken to protect that right; on the other we were reminded that data, which flows across the digital environment in ever-increasing volumes, is a hugely important economic asset, not to mention a vital component in terms of law enforcement.

So a balance needs to be struck. There are clearly business incentives for building trust in the digital environment, and similarly there is an undisputed recognition of the fact that we need to bolster the rights of individuals. It seems that all stakeholders are recognising the need to be flexible in their approach and response to these reforms, and are working hard to achieve a robust and coherent legal system that will, over the coming years, facilitate innovation whilst providing people with protection and control of their data, to enable the EU to continue to be a major player in the digital economy.

LIBE is expected to present its draft report on the proposed legislation by the end of this year, after which Member States will be invited to table their amendments. LIBE will then meet to discuss those amendments and it is expected that an orientation vote (where the committee votes and concludes upon its initial position in light of the negotiations) will be held in April 2013.

Mobile privacy – is there an app for that?

Posted on April 20th, 2012 by Phil Lee

Next week I’ll be chairing a session at the IAPP’s Data Protection Intensive in London on mobile privacy. In advance of my session (and without giving too much away – I highly recommend attending the event!), I thought I’d set out a few key thoughts on the issues mobile operators and developers need to consider when launching mobile apps:

  • Why does m-privacy matter? It’s simple: if you’re anything like me, your mobile device has become your closest, most trusted friend. No one knows more about you: your phone knows where you go, who you know, and the passwords to your banking, shopping and social networking accounts. It looks after your diary and has access to all your most treasured and personal photos. This is all very sensitive information – and your phone holds an awful lot of it.
  • Why is m-privacy hard (practically)? Because the actors, devices and consumer expectations are so many and so varied. In the course of downloading, installing and running an app, a consumer will share data with or through its device platform, the relevant app marketplace, the application developer, and various ad networks, analytics providers, payment processors and mobile carriers. Consumers can access apps through smartphones, tablets, netbooks or other mobile devices – each with different platforms having their own data access permissions, device unique data types, and screen sizes and resolutions, thereby making efforts to design a simple ‘one size fits all’ privacy notice a real challenge. Adopting a privacy by design approach is not a nice to have in the mobile environment – it’s a necessity.
  • Why is m-privacy hard (legally)? From a privacy perspective, data protection, e-privacy, communications interception and data retention laws – both in the EU and beyond – can all apply to data collected from mobile devices. Widen the picture out into general consumer law, and issues arise around applicable law, mandatory consumer terms, liability and enforceability of terms (to name but a few). As a few press reports have highlighted recently, just because you CAN access data, doesn’t mean you should – the recent furore surrounding the Girls Around Me app being a very good case in point (see here). And to make matters more complicated, the data protection laws we have can often apply in surprising and unexpected ways – remember, many of them date back to before any of us even had a mobile. Should device ID data really be considered ‘personal data’? Why do ‘cookie consent’ rules apply to mobile apps? Do SoLoMo applications REALLY need to get opt-in consent to location data use?

If you’re attending the IAPP Intensive next week, then do come along and join my session to answer all of these questions – and more!

The new EU framework: Uniform, prescriptive and ambitious

Posted on February 3rd, 2012 by Eduardo Ustaran

These are truly exhilarating times for the data protection world.  Viviane Reding’s recent announcement of the Commission’s proposal for a fully harmonised European data protection framework had the connotations of an Olympic opening ceremony – the years of hard work in preparation for this moment, the sense of achievement in the face of challenge and the triumphant belief that something memorable is going to come out of this.  Only the big drums and the flame were missing.  The jury is now out but this is without a doubt the most significant global legislative development affecting the collection, use and protection of personal information of the past 15 years.

As expected, the proposed new general framework for data protection is set out in a regulation, rather than another directive.  This means that once adopted, the regulation will be directly and universally applicable across all EU Member States without the need for national legislation.  Recent legislative history suggests that a single EU-wide regulation is likely to be the only way to achieve the desired uniformity across the European Union.  Member States’ struggle to implement the changes to the e-privacy directive in a coherent way reminds us daily of the limitations of a directive.  But a single pan-European law is a double-edged sword – one set of rules is meant to be beneficial to organisations operating internationally, but those who are used to dealing with the reasonably practical obligations of jurisdictions like the UK or Ireland face a cultural and legal shock.

The proposed regulation is also aimed at rejuvenating a law which has lost its effectiveness to tackle the data protection challenges of the 21st century.  The novelties are varied and creative, but they all have in common one thing: the principles, rights and obligations are far more prescriptive in nature than under the ’95 directive.  This is a natural consequence of having to draft a directly applicable regulation, but it is a fundamental change from the way European data protection has operated until now.

The bulk of the proposed regulation brings with it a whole new set of obligations for organisations – from data protection by default and the appointment of representatives by non-EU companies to the production of compliance policies and privacy impact assessments, and the compulsory designation of data protection officers.  Plus of course, nearly immediate data breach notification.  These obligations are a trade-off for the overall reduction in regulator-facing administrative requirements, but also the basis for a new way of demanding practical compliance in the black letter of the law.

Above all, the Commission’s proposal is an ambitious one.  Not least because it sets out a very clear basis for its extra-territorial application.  The regulation does away with the cumbersome references to equipment located in the European Union and introduces brand new EU residency grounds.  Any company that processes personal data in the context of an EU-based establishment will be subject to the new law in any event.  But in addition, the regulation will extend the applicability of European data protection rules to organisations established elsewhere that use personal information in relation to the offering of goods or services to, or the monitoring of the behaviour of, individuals who live in the EU.

This approach will affect Internet businesses from all over the world but the Commission’s ambition goes even further than that.  One of the greatest challenges ahead is not faced by organisations using personal information but by the regulators themselves.  They will need to learn a radical new law which demands constant dialogue and closer cooperation than ever before.  The legislative process is now wide open and 2012 will be a crucial year to influence the outcome of the new law.  We have a real opportunity to contribute to this process, so it is our responsibility to get the right result.

This article was first published in Data Protection Law & Policy in January 2012.

Deconstructing the privacy macaron

Posted on December 7th, 2011 by Eduardo Ustaran

Compact.  Self-contained.  Multi-layered.  Hard to penetrate and rich inside with a mix of flavours and tones.  Judging by the commentary surrounding the forthcoming EU data protection framework circulating in the corridors of the IAPP European Data Protection Congress that took place in Paris at the end of November, we could have been describing a typical Parisian macaron instead of a new law.  But if the indications of what we are about to see in the regulation being proposed by the European Commission are true, complying with the future European privacy regime is going to require fine confectionery skills.

So what are the likely ingredients of this extremely elaborate piece of legislation and how will they blend together?

*   A Regulation – It is widely accepted that a regulation, rather than another directive, will be the best recipe for a harmonised regime that delivers a consistent level of protection across the EU.

*   Two-fold objective – Like the original directive, the new regulation will most certainly have a dual aim: protecting personal data and facilitating the intra-EU movement of that data.

*   Applicability based on establishment and targeting of European residents – The novelty being that the use of equipment in the EU will be replaced by data processing directed at those individuals who live in the EU.

*   Privacy principles – Transparency, finality, proportionality and data quality – they are all likely to be there but for added flavour, expect some new ones like data minimisation and accountability.

*   Consent – Individuals’ consent will remain a cornerstone of European data protection law, but the standard for valid consent will be higher than ever before, with a greater emphasis on the individual’s freedom of choice.

*   Big rights – Some rather radical changes are likely to come in the shape of new or strengthened individuals’ rights.  Top of the list will be the much publicised right to be forgotten followed closely by data portability rights.  No doubt the Commission will want to give people as much control as possible over their data, particularly in relation to profiling activities.

*   Controller’s responsibilities – As a flipside of the increased rights of individuals, controllers are bound to face very specific responsibilities ranging from the adoption of policies and principles such as privacy by design and privacy by default to the training of staff and the appointment of data protection officers.

*   Data breach notification – As is already the case for providers of communications services, an obligation to notify security breaches to data protection authorities (and in some cases to the individuals affected) will now apply to all controllers.

*   International data transfers – Greater flexibility is expected on this issue alongside an express recognition for binding corporate rules, which will be available to both controllers and processors.  An area of concern however is the potential conflict between data requests by non-EU authorities and the limitations on data disclosures, which will probably require the involvement of data protection authorities in determining how to resolve such conflict.

*   Role of data protection authorities – The main novelty on this front is bound to be in relation to their geographical competence.  In all likelihood, the data protection authority of the Member State where the main establishment of a data processing organisation is based will be responsible for supervising that organisation across the whole of the EU.  We can also assume that greater international coordination mechanisms will be in place.

*   Enforcement powers – The promise by the Commission of stronger enforcement powers for the data protection authorities is bound to bring harmonised and succulent monetary fines, which can only be more substantial than what most Member States have at the moment.

All in all, it is beyond doubt that the Commission has been working very hard to craft a framework that fits the regulatory requirements of today’s and tomorrow’s data protection.  Whether the result will suit everyone’s taste is a different matter.

This article was first published in Data Protection Law & Policy in November 2011.

Proportionality – the key to compliant anti-bribery due diligence

Posted on July 20th, 2011 by Phil Lee

On 1 July, the long-anticipated Bribery Act 2010 came into force.  The Act attracted significant debate during its passage into law, largely due to concerns about how the newly created s.7 offence of “failure by a commercial organisation to prevent bribery” would apply in practice.

At an overview level, any organisation carrying on business in the UK can potentially be liable under s.7 for a bribe paid by its “associated persons” (including employees, contractors and subsidiaries), whether or not it knew of the bribe.  There is no requirement that the bribe must take place in the UK – organisations can attract liability for bribes paid by “associated persons” in overseas jurisdictions.  Criminal penalties apply for breach, including unlimited fines and even the prospect of personal liability (including jail time) for directors.  These onerous liabilities, coupled with the wide jurisdictional reach of s.7, are enough to give any senior executive sleepless nights.

“Adequate procedures” to guard against bribery risk

Organisations charged under s.7 have a defence if they can show that they had implemented “adequate procedures” to protect against bribery risk.  With a view to clarifying the anti-bribery measures it expects organisations to adopt, the Government published guidance on implementing “adequate procedures” in March this year (available here: www.justice.gov.uk/guidance/docs/bribery-act-2010-guidance.pdf).  This explained that implementation of “adequate procedures” by an organisation to guard against bribery risk should be informed by six principles: (i) Proportionate procedures; (ii) Top-level commitment; (iii) Risk assessment; (iv) Due diligence; (v) Communication (including training); and (vi) Monitoring and review of anti-bribery policies and procedures.  

FFW has separately published detailed overviews (including FAQs) of the Bribery Act and the Government’s “adequate procedures” guidance at http://www.ffw.com/feature/the-bribery-act-2010.aspx.

Due diligence and data protection

With the excitement surrounding s.7 and the need to mitigate bribery risk by implementing “adequate procedures”, it’s all too easy for organisations to overlook their privacy compliance responsibilities.  However, organisations that do not take proper account of the privacy consequences of implementing “adequate procedures” risk jumping out of the frying pan and into the fire – on the one hand, mitigating risk under the Bribery Act while on the other hand exposing themselves to a raft of potential liabilities under UK and European data protection legislation.

This is particularly the case with counterparty due diligence.  Undertaking appropriate due diligence will be a compliance cornerstone in guarding against risk under the Bribery Act.  Of critical importance – for both data privacy and Bribery Act purposes – is that any due diligence conducted must be proportionate to its aims. The level of due diligence appropriate in any given situation will necessarily depend on a variety of factors, including the nature of the role and the organisation concerned, the services to be provided, and any other readily identifiable business or bribery risks. 

In the course of conducting due diligence, businesses will undoubtedly handle sensitive personal data relating to prospective clients, employees and contractors – such as information relating to criminal convictions and proceedings, political affiliations (e.g. if the data subject is a ‘politically exposed person’), trade union membership and the like.  This raises a number of issues, not least the need to make (or update) suitable data processing registrations with the Information Commissioner’s Office in order to reflect any sensitive data processed – bearing in mind that failing to make and maintain accurate and up-to-date registrations is, itself, a criminal offence.

In particular, sensitive data benefits from enhanced protection under data protection law, and organisations must establish a lawful basis to legitimise their sensitive data processing in the first place.  In this context, it is important to note that the Bribery Act does not create a legal obligation to conduct due diligence or to process sensitive data.  It says only that “adequate procedures”, where implemented, are a defence to liability under the Bribery Act.  For this reason, simply assuming that the Bribery Act itself legitimises due diligence processing of sensitive data is misguided.  Businesses must instead consider the sensitive data processing grounds set out in the Data Protection Act 1998 and identify those that permit the specific due diligence processing in question.  Whilst various grounds potentially exist, it is important to identify the specific grounds that will be relied on in any given case, and to ensure that the sensitive data processing keeps within the scope of those grounds.  In many cases, it may be necessary to obtain explicit, informed consent directly from the due diligence subject to enable processing of his or her sensitive data.

The jurisdictional reach of the Bribery Act also has the potential to strain data privacy compliance.  Given their potential liability for acts of bribery conducted by overseas employees, subsidiaries and contractors, a natural response for UK organisations would be to conduct due diligence on any overseas counterparty they engage, either directly or through a subsidiary.  However, overseas data protection regimes may not readily permit processing of sensitive data for due diligence activities designed to mitigate risk under UK law (Spanish and Belgian data protection regimes, for example, impose strict requirements for sensitive data processing).  As a consequence, overseas subsidiaries and contractors that want to process and share due diligence data with UK businesses for Bribery Act compliance purposes may find themselves hindered by their national data protection regimes.  Likewise, overseas organisations that carry on business in the UK may want to implement due diligence procedures to guard against Bribery Act risk, but find themselves constrained by their local data protection laws.   Organisations therefore need to consider carefully how to implement “adequate procedures” in a way that fully addresses the requirements of wider European (and other) data protection regimes where these apply.

Why this matters

Any organisation implementing “adequate procedures” to mitigate Bribery Act risk must consider carefully its responsibilities under data protection law.  Without doing this, it runs the risk of implementing procedures that, while carefully designed to protect against bribery risk, attract liabilities under data protection law.  Due diligence is just one example, but organisations also need to consider other data privacy liabilities arising when, for example, implementing ‘speak up’ or whistleblowing procedures, or when conducting internal investigations into allegations of bribery by staff.

At first glance, the Bribery Act and data protection law might appear to impose conflicting demands on organisations that are difficult to resolve.  However, proportionality is at the heart of both regimes: whatever the “adequate procedures” implemented, they must be proportionate in light of the actual risks to the organisation.   For this reason, rather than considering data protection as a barrier to Bribery Act compliance, it should be viewed as an enabler to implementing effective and proportionate Bribery Act compliance mechanisms.  By considering and identifying potential privacy risks at the outset and rolling out “adequate procedures” that take account of these risks, a happy – and compliant – compromise can be achieved.

If you would like more information, please contact Phil Lee, Senior Associate, at phil.lee@ffw.com.