<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy and information law blog</title>
	<atom:link href="http://privacylawblog.ffw.com/feed" rel="self" type="application/rss+xml" />
	<link>http://privacylawblog.ffw.com</link>
	<description>Our Privacy and information law blog is updated by a team of enthusiastic and specialist lawyers and business advisors, focusing on a number of hot topics and trends, such as cloud computing, cookie developments and data protection, amongst many.</description>
	<lastBuildDate>Mon, 17 Jun 2013 09:58:30 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>The conflicting realities of data globalisation</title>
		<link>http://privacylawblog.ffw.com/2013/the-conflicting-realities-of-data-globalisation</link>
		<comments>http://privacylawblog.ffw.com/2013/the-conflicting-realities-of-data-globalisation#comments</comments>
		<pubDate>Mon, 17 Jun 2013 09:58:30 +0000</pubDate>
		<dc:creator>Eduardo Ustaran</dc:creator>
				<category><![CDATA[Accountability]]></category>
		<category><![CDATA[Binding Corporate Rules]]></category>
		<category><![CDATA[Binding Safe Processor Rules]]></category>
		<category><![CDATA[Data as an asset]]></category>
		<category><![CDATA[Mobile telecoms]]></category>
		<category><![CDATA[Model clauses]]></category>

		<guid isPermaLink="false">http://privacylawblog.ffw.com/?p=1251</guid>
		<description><![CDATA[The current data globalisation phenomenon is largely due to the close integration of borderless communications with our everyday comings and goings. Global communications are so embedded in the way we go about our lives that we are hardly aware of how far our data is travelling every second that goes by. But data is always [...]]]></description>
				<content:encoded><![CDATA[<p>The current data globalisation phenomenon is largely due to the close integration of borderless communications with our everyday comings and goings.  Global communications are so embedded in the way we go about our lives that we are hardly aware of how far our data is travelling every second that goes by.  But data is always on the move and we don&#8217;t even need to leave home to be contributing to this.  Ordinary technology right at our fingertips is doing the job for us, leaving behind an international trail of data – some of it more public than the rest.</p>
<p>The Internet is global by definition.  Or more accurately, by design.  The original idea behind the Internet was to rely on geographically dispersed computers to transmit packets of information that would be correctly assembled at destination.  That concept developed very quickly into a borderless network and today we take it for granted that the Internet is unequivocally global.  This effect has been maximised by our ability to communicate whilst on the move.  Mobile communications have penetrated our lives at an even greater speed and in a more significant way than the Internet itself.</p>
<p>This trend has led visionaries like Google&#8217;s Eric Schmidt to affirm that, thanks to mobile technology, the number of digitally connected people will more than triple – going from the current 2 billion to 7 billion people – very soon.  That is more than three times the amount of data generated today.  Similarly, the global leader in professional networking, LinkedIn, which has just celebrated its 10th anniversary, is banking on mobile communications as one of the pillars for achieving its mission of connecting the world&#8217;s professionals.  </p>
<p>As a result, everyone is global – every business, every consumer and every citizen.  One of the realities of this situation has been exposed by the recent PRISM revelations, which highlight very clearly the global availability of digital communications data.  Perversely, the news about the NSA programme is set to have a direct impact on the current and forthcoming legislative restrictions on international data flows, which is precisely one of the factors disrupting the globalisation of data.  In fact, PRISM is already being referred to as a key justification for a tight EU data protection framework and strong jurisdictional limitations on data exports, no matter how non-sensical those limitations may otherwise be.</p>
<p>The public policy and regulatory consequences of the PRISM affair for international data flows are pretty predictable.  Future &#8216;adequacy findings&#8217; by the European Commission as well as Safe Harbor will be negatively affected.  We can assume that if the European Commission decides to have a go at seeking a re-negotiation of Safe Harbor, this will be cited as a justification.  Things will not end there.  Both contractual safeguards and binding corporate rules will be expected to address possible conflicts of law involving data requests for law enforcement or national security reasons in a way that no blanket disclosures are allowed.  And of course, the derogations from the prohibition on international data transfers will be narrowly interpreted, particularly when they refer to transfers that are necessary on grounds of public interest.  </p>
<p>The conflicting realities of data globalisation could not be more striking.  On the one hand, everyday practice shows that data is geographically neutral and simply flows across global networks to make itself available to those with access to it.  On the other, it is going to take a fair amount of convincing to show that any restrictions on international data flows should be both measured and realistic.  To address these conflicting realities we must therefore acknowledge the global nature of the web and Internet communications, the borderless fluidity of the mobile ecosystem and our human ability to embrace the most ambitious innovations and make them ordinary.  So, since we cannot stop the technological evolution of our time and the increasing value of data, perhaps it is time to accept that regulating data flows should not be about putting up barriers but about applying globally recognised safeguards.</p>
<p><em>This article was first published in Data Protection Law &#038; Policy in June 2013.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://privacylawblog.ffw.com/2013/the-conflicting-realities-of-data-globalisation/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How PRISM will affect the EU Data Protection Regulation</title>
		<link>http://privacylawblog.ffw.com/2013/how-prism-will-affect-the-eu-data-protection-regulation</link>
		<comments>http://privacylawblog.ffw.com/2013/how-prism-will-affect-the-eu-data-protection-regulation#comments</comments>
		<pubDate>Mon, 10 Jun 2013 09:27:06 +0000</pubDate>
		<dc:creator>Eduardo Ustaran</dc:creator>
				<category><![CDATA[Binding Corporate Rules]]></category>
		<category><![CDATA[Data sharing]]></category>
		<category><![CDATA[Legislative reform]]></category>
		<category><![CDATA[Model clauses]]></category>

		<guid isPermaLink="false">http://privacylawblog.ffw.com/?p=1239</guid>
		<description><![CDATA[Politics aside, we can take it for granted that the recent revelations about the PRISM programme are likely to have a direct effect on the EU data protection legislative reform. Details of the programme are still pouring in but according to the reports already in the public domain, under PRISM the US intelligence services have [...]]]></description>
				<content:encoded><![CDATA[<p>Politics aside, we can take it for granted that the recent revelations about the PRISM programme are likely to have a direct effect on the EU data protection legislative reform.  Details of the programme are still pouring in but according to the reports already in the public domain, under PRISM the US intelligence services have direct access to the content and traffic data available in the servers of all of the leading Internet communications companies.  Whether those reports are entirely accurate will now hardly matter from an EU public policy perspective.  You can count on the PRISM story being used as a strong argument in favour of a tough stand on the future EU privacy framework.</p>
<p>Apart from the obvious &#8216;I told you so&#8217; justifications for a strict and wide reaching data protection regime in Europe that will populate much of the political rhetoric from now on, there are specific provisions in the draft Data Protection Regulation that may end up being the perfect recipe for a conflict of international laws.  In particular, the PRISM revelations will increase the reluctance of the EU Parliament to allow disclosures of personal data in response to a legal obligation or public interest duties which do not specifically emanate from EU law.  Therefore, any hopes of widening the current references in the draft Regulation to &#8220;European Union law or the law of the EU Member State to which a controller is subject&#8221; as a basis for either justifying data processing operations which are necessary for compliance with a legal obligation or the performance of a task carried out in the public interest are now substantially smaller.  What this means in practice is that global organisations operating in the European Union may be left facing a conflict between complying with legally binding non-EU duties or avoiding a breach of EU data protection law.</p>
<p>The other aspect of EU data protection law directly affected by the PRISM story is the restriction on international data transfers.  This is indisputably one of the greatest compliance challenges for EU organisations and one that many of us were hoping would be more pragmatically addressed in the new law.  What are the chances of that now?  My guess is that this sort of story is the perfect ammunition for those who seek to maintain the pureness of &#8216;adequacy findings&#8217; and therefore, it will make it more difficult for any country &#8211; not least the USA &#8211; that wishes to be regarded as providing an adequate level of data protection.  In addition to that, all of the other mechanisms and exemptions to overcome the restrictions on international data transfers &#8211; Safe Harbor, contractual arrangements, BCR, transfers made on the grounds of public interest &#8211; will be much more closely scrutinised, so global data flows will remain a focus of regulatory attention.</p>
<p>At times like this, it becomes more essential than ever to keep a clear head and get the facts right, because achieving a realistic and balanced legislative outcome with the appropriate safeguards and a degree of pragmatism is as important as respecting our privacy.</p>
]]></content:encoded>
			<wfw:commentRss>http://privacylawblog.ffw.com/2013/how-prism-will-affect-the-eu-data-protection-regulation/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New EU data protection law more likely than not</title>
		<link>http://privacylawblog.ffw.com/2013/new-eu-data-protection-law-more-likely-than-not</link>
		<comments>http://privacylawblog.ffw.com/2013/new-eu-data-protection-law-more-likely-than-not#comments</comments>
		<pubDate>Fri, 07 Jun 2013 15:44:23 +0000</pubDate>
		<dc:creator>Eduardo Ustaran</dc:creator>
				<category><![CDATA[95 directive]]></category>
		<category><![CDATA[Legislative reform]]></category>

		<guid isPermaLink="false">http://privacylawblog.ffw.com/?p=1236</guid>
		<description><![CDATA[For the first time since the European data protection legislative reform started, all three key institutions involved in the process &#8211; the European Commission, the EU Parliament and the Council of the EU &#8211; appear to be publicly engaged with each other and on course to adopt a General Data Protection Regulation within the current [...]]]></description>
				<content:encoded><![CDATA[<p>For the first time since the European data protection legislative reform started, all three key institutions involved in the process &#8211; the European Commission, the EU Parliament and the Council of the EU &#8211; appear to be publicly engaged with each other and on course to adopt a General Data Protection Regulation within the current legislature.  Whilst the formal trialogue will not start for a few weeks, recent announcements by the Council and the Commission show that they are preparing themselves for action in anticipation of the Parliament voting through its first draft of the proposed Regulation.</p>
<p>Commissioner Reding&#8217;s remarks at the end of Justice Council meeting this week, at which she represented the European Commission, summarise the current situation and reveal where the challenges are.  She was certainly grateful to the Irish Government for the efforts of the last few months whilst at the helm of the Council to steer the process in the right direction.  For Reding the principal areas of focus in the reform of the current regime are the replacement of a patchwork of 27 contradictory national rules (her words, not mine) with a single law, the modernisation of the existing principles, and the strengthening of the rights of individuals.  By and large, the Commissioner seems to think that the Council is properly addressing these areas, but there is perhaps an element of doubt in respect of what she calls the &#8220;absolute red line&#8221; below which she is not prepared to go: the current level of protection as laid down in the 1995 Directive.  In other words, Reding&#8217;s obvious fear is to end up with a new law that does not match the standards of the existing one.</p>
<p>Without a doubt, the Parliament&#8217;s draft will ensure that such an outcome is out of the question.  How restrictive the Parliament&#8217;s preferred position will be is yet to be seen but we can assume that the emphasis will be on putting people in control of their own data.  Whatever the positions of the Council and the Parliament, something that Reding is already predicting is the need to step up the pace of the dialogue so that any gaps can be addressed sooner rather than later.</p>
<p>So the question remains: will the European institutions be able to agree the final version of the Regulation before the end of the current Parliament in 2014?  Sceptical views have popped up here and there in recent times but both the rhetoric and the actions of the key players confirm their commitment to finding a way forward.  Time will tell but at the moment and despite the crucially important and numerous issues that will need to be agreed, there is will to devise the right framework.  Frankly, sticking for much longer with what we have today would ultimately be more damaging for all.</p>
]]></content:encoded>
			<wfw:commentRss>http://privacylawblog.ffw.com/2013/new-eu-data-protection-law-more-likely-than-not/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Brave New World Demands Brave New Thinking</title>
		<link>http://privacylawblog.ffw.com/2013/a-brave-new-world-demands-brave-new-thinking</link>
		<comments>http://privacylawblog.ffw.com/2013/a-brave-new-world-demands-brave-new-thinking#comments</comments>
		<pubDate>Mon, 03 Jun 2013 09:19:43 +0000</pubDate>
		<dc:creator>Phil Lee</dc:creator>
				<category><![CDATA[Big Data]]></category>
		<category><![CDATA[Consent]]></category>
		<category><![CDATA[Geolocation]]></category>
		<category><![CDATA[Mobile telecoms]]></category>
		<category><![CDATA[Profiling]]></category>
		<category><![CDATA[Smartphones]]></category>
		<category><![CDATA[Social networking]]></category>

		<guid isPermaLink="false">http://privacylawblog.ffw.com/?p=1219</guid>
		<description><![CDATA[Much has been said in the past few weeks and months about Google Glass, Google’s latest innovation that will see it shortly launch Internet-connected glasses with a small computer display in the corner of one lens that is visible to, and voice-controlled by, the wearer. The proposed launch capabilities of the device itself are—in pure [...]]]></description>
				<content:encoded><![CDATA[<p>Much has been said in the past few weeks and months about <a href="http://www.google.com/glass/start/">Google Glass</a>, Google’s latest innovation that will see it shortly launch Internet-connected glasses with a small computer display in the corner of one lens that is visible to, and voice-controlled by, the wearer. The proposed launch capabilities of the device itself are—in pure computing terms—actually relatively modest: the ability to search the web, bring up maps, take photographs and video and share to social media.</p>
<p>So far, so iPhone.</p>
<p>But, because users wear and interact with Google Glass wherever they go, they will have a depth of relationship with their device that far exceeds any previous relationship between man and computer. Then throw in the likely short- to mid-term evolution of the device—augmented reality, facial recognition—and it becomes easy to see why Google Glass is so widely heralded as The Next Big Thing.</p>
<p>Of course, with an always-on, always-worn and always-connected, photo-snapping, video-recording, social media-sharing device, the privacy issues are a-plenty, ranging from the potential for crowd-sourced law enforcement surveillance to the more mundane forgetting-to-remove-Google-Glass-when-visiting-the-men’s-room scenario. These concerns have seen a very <a href="http://www.businessinsider.com/google-glass-is-both-cool-and-creepy-2013-5">heated debate</a> play out across the press, on TV and, of course, on blogs and social media.</p>
<p>But to focus the privacy debate just on Google Glass really misses the point. Google Glass is the headline-grabber, but in reality it’s just the tip of the iceberg when it comes to the wearable computing products that will increasingly be hitting the market over the coming years. Pens, watches, glasses (Baidu is launching <a href="http://articles.latimes.com/2013/apr/04/business/la-fi-tn-baidu-smartglasses-googles-20130403">its own smart glasses</a> too), shoes, whatever else you care to think of—will soon all be Internet-connected. And it doesn’t stop at wearable computing either; think about Internet-connected home appliances: We can already get Internet-connected TVs, game consoles, radios, alarm clocks, energy meters, coffee machines, home safety cameras, baby alarms and cars. Follow this trend and, pretty soon, every home appliance and personal accessory will be Internet-connected.</p>
<p>All of these connected devices—this “Internet of Things”—collect an enormous volume of information about us, and in general, as consumers we want them: They simplify, organize and enhance our lives. But, as a privacy community, our instinct is to recoil at the idea of a growing pool of networked devices that collect more and more information about us, even if their purpose is ultimately to provide services we want.</p>
<p>The consequence of this tends to be a knee-jerk insistence on ever-strengthened consent requirements and standards: Surely the only way we can justify such a vast collection of personal information, used to build incredibly intricate profiles of our interests, relationships and behaviors, is to predicate collection on our explicit consent. That has to be right, doesn’t it?</p>
<p>The short answer to this is “no”—though not, as you might think, for the traditionally given reasons that users don’t like consent pop-ups or that difficulties arise when users refuse, condition or withdraw their consents. </p>
<p>Instead, it’s simply that explicit consent is lazy. Sure, in some circumstances it may be warranted, but to look to explicit consent as some kind of data collection panacea will drive poor compliance that delivers little real protection for individuals.</p>
<p>Why? </p>
<p>Because when you build compliance around explicit consent notices, it’s inevitable that those notices will become longer, all-inclusive, heavily caveated and designed to guard against risk. Consent notices become seen as a legal issue, not a design issue, inhibiting the adoption of Privacy by Design development so that—rather than enhancing user transparency, they have the opposite effect. Instead, designers build products with little thought to privacy, safe in the knowledge that they can simply ‘bolt on’ a detailed consent notice as a ‘take it or leave it’ proposition on installation or first use, just like terms of service are now. And, as technology becomes ever more complicated, so it becomes ever more likely that consumers won’t really understand what it is they’re consenting to anyway, no matter how well it’s explained. It’s also a safe bet that users will simply ignore any notice that stands between them and the service they want to receive. If you don’t believe me, then <a href="http://econsultancy.com/uk/blog/11001-majority-of-consumers-ignore-privacy-and-cookie-info-stats">look at cookie consent</a> as a case in point.</p>
<p>Instead, it’s incumbent upon us as privacy professionals to think up a better solution. One that strikes a balance between the legitimate expectations of the individual with regard to his or her privacy and the legitimate interests of the business with regard to its need to collect and use data. One that enables the business to deliver innovative new products and services to consumers in a way that demonstrates respect for their data and engenders their trust and which does not result in lazy, consent-driven compliance. One that encourages controllers to build privacy functionality into their products from the very outset, not address it as an afterthought.</p>
<p>Maybe what we need is a concept of an online &#8220;personal space.&#8221;</p>
<p>In the physical world, whether through the rules of social etiquette, an individual’s body language or some other indicator, we implicitly understand that there is an invisible boundary we must respect when standing in close physical proximity to another person. A similar concept could be conceived for the online world—ironically, Big Data profiles could help here. Or maybe it’s as simple as promoting a concept of “surprise minimization” as proposed by the California attorney general in her <a href="http://oag.ca.gov/sites/all/files/pdfs/privacy/privacy_on_the_go.pdf">guidance on mobile privacy</a>—the concept that, through Privacy by Design methodologies, you avoid surprising individuals by collecting data from or about them that, in the given context, they would not expect or want.</p>
<p>Whatever the solution is, we’re entering a brave new world; it demands some brave new thinking.</p>
<p><em><strong>This post first published on the IAPP Privacy Perspectives <a href="https://www.privacyassociation.org/privacy_perspectives/post/a_brave_new_world_demands_brave_new_thinking">here</a>.</strong></em></p>
]]></content:encoded>
			<wfw:commentRss>http://privacylawblog.ffw.com/2013/a-brave-new-world-demands-brave-new-thinking/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privacy pointers for appreneurs</title>
		<link>http://privacylawblog.ffw.com/2013/privacy-pointers-for-appreneurs</link>
		<comments>http://privacylawblog.ffw.com/2013/privacy-pointers-for-appreneurs#comments</comments>
		<pubDate>Fri, 31 May 2013 19:44:04 +0000</pubDate>
		<dc:creator>Victoria Hordern</dc:creator>
				<category><![CDATA[Cookie rule]]></category>
		<category><![CDATA[Mobile telecoms]]></category>
		<category><![CDATA[Smartphones]]></category>

		<guid isPermaLink="false">http://privacylawblog.ffw.com/?p=1210</guid>
		<description><![CDATA[While parts of the global economy are continuing to suffer serious economic shocks, an individual with a computer, internet access and the necessary know-how can join the increasing ranks of the appreneurs &#8211; people developing and hoping to make money from apps. Buoyed by the stories of wunderkids such as 17 year old Nick D&#8217;Aloisio who [...]]]></description>
				<content:encoded><![CDATA[<p>While parts of the global economy are continuing to suffer serious economic shocks, an individual with a computer, internet access and the necessary know-how can join the increasing ranks of the appreneurs &#8211; people developing and hoping to make money from apps. Buoyed by the stories of wunderkids such as 17 year old Nick D&#8217;Aloisio who sold his Summly app to Yahoo for around £18m earlier this year, many are seeking to become appillionaires! And undoubtedly a rosy future will beckon for those fortunate enough to hit on the right app at the right time.</p>
<p>As the popularity of mobile and tablet devices rises, the proliferation of apps will continue. But some apps will sink without a trace and some will become global hits. Amidst all the excitement, those developing apps would do well to consider certain essential privacy pointers in order to anticipate any potential obstacles to widespread adoption and in order to avoid any unwelcome regulator attention down the road. These include:</p>
<p>1. <strong>Think Privacy from the beginning</strong> &#8211; design your app so that it shows an understanding of privacy issues from the start i.e. include settings that give an individual control over what data you collect about them, usually through providing an opt-out;</p>
<p>2. <strong>Tell individuals what you&#8217;re doing</strong> &#8211; include a notice setting out how you use their data, make sure that the notice is accessible and in a language that people can understand, and adopt a &#8216;surprise minimisation&#8217; approach so that you can reasonably argue that individuals would not be surprised by the data you collect on them in a given context;</p>
<p>3. <strong>Decide whether you&#8217;re sharing the data you collect with anyone else</strong> &#8211; if so, make sure that there&#8217;s a good reason to share the data, tell individuals about the data sharing and check to see whether there are any rules that require you to obtain individuals&#8217; consent before sharing their data i.e. for marketing purposes;</p>
<p>4. <strong>Check to see whether you&#8217;re collecting special types of data</strong> &#8211; be aware that certain types of data (such as location data or health data) are considered more intrusive and you may need to obtain an individual&#8217;s consent before collecting this data;</p>
<p>5. <strong>Implement an implied consent solution when using cookies or other tracking technologies in the EU</strong> &#8211; the debate is pretty much over on how to comply with the EU cookie rule, since implied consent is increasingly being adopted by regulators (see Phil Lee&#8217;s recent <a title="Cookie consent update – implied consent now widespread" href="http://privacylawblog.ffw.com/2013/cookie-consent-update-implied-consent-now-widespread">blog</a>).</p>
<p>While an initiative scrutinising App privacy policies and practices (similar to the &#8216;Internet Sweep Day&#8217; we have seen initiated recently by the <a title="https://www.privacyenforcement.net/" href="https://www.privacyenforcement.net/" target="_blank">Global Privacy Enforcement Network</a>) is probably some time off, appreneurs that can get privacy &#8216;right&#8217; from the start will have a competitive advantage over those that do not.</p>
]]></content:encoded>
			<wfw:commentRss>http://privacylawblog.ffw.com/2013/privacy-pointers-for-appreneurs/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Profiling at the centre of the debate (again)</title>
		<link>http://privacylawblog.ffw.com/2013/profiling-at-the-centre-of-the-debate-again</link>
		<comments>http://privacylawblog.ffw.com/2013/profiling-at-the-centre-of-the-debate-again#comments</comments>
		<pubDate>Thu, 30 May 2013 11:17:42 +0000</pubDate>
		<dc:creator>Eduardo Ustaran</dc:creator>
				<category><![CDATA[Legislative reform]]></category>
		<category><![CDATA[Profiling]]></category>

		<guid isPermaLink="false">http://privacylawblog.ffw.com/?p=1204</guid>
		<description><![CDATA[Whilst the European Parliament and the Council of the EU sharpen their positions on the EU data protection reform, the Article 29 Working Party continues with its visible involvement in the process. This time the Working Party has adopted an advisory paper taking a firm view on the issue of profiling. The Working Party appears [...]]]></description>
				<content:encoded><![CDATA[<p>Whilst the European Parliament and the Council of the EU sharpen their positions on the EU data protection reform, the Article 29 Working Party continues with its visible involvement in the process.  This time the Working Party has adopted an advisory paper taking a firm view on the issue of profiling.</p>
<p>The Working Party appears to sit somewhere in the middle between the Commission&#8217;s proposal and Albrecht&#8217;s approach.  That is still a very strict position to adopt, clearly aimed at eliminating the perceived risks of profiling (although such risks are not identified in the paper).</p>
<p>On the one hand, the Working Party&#8217;s advice takes a more severe approach than the Regulation by extending the regime to the &#8220;collection&#8221; of data for the purposes of profiling.  On the other hand, it is less draconian than Albrecht by not applying the regime unless profiling &#8220;significantly affects&#8221; individuals.</p>
<p>Aside from figuring out what &#8220;significantly affects&#8221; may mean, which could have academics, lawyers and regulators debating it for life, the most challenging aspect of the Working Party&#8217;s advice is their call for explicit consent and data minimisation.  These would be real practical challenges given the omnipresent and evolving nature of profiling and I wonder whether they are fully justifiable from a public policy perspective.</p>
<p>In order to answer that question, it is crucial to pin down what the risks of profiling are.  As with so many other privacy-related topics, profiling as an activity seems to have a rather emotional slant to it &#8211; mainly negative.  That is an issue because regulatory decisions should be free from that kind of interference.  Therefore, it would be wise to take advantage of the year or so that remains before the draft Regulation becomes law to get this matter right, so that real risks are properly tackled whilst the value of data &#8211; not just commercial, but societal as well &#8211; is preserved and maximised.</p>
]]></content:encoded>
			<wfw:commentRss>http://privacylawblog.ffw.com/2013/profiling-at-the-centre-of-the-debate-again/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Getting to the Core of the Apple Judgment</title>
		<link>http://privacylawblog.ffw.com/2013/getting-to-the-core-of-the-apple-judgment</link>
		<comments>http://privacylawblog.ffw.com/2013/getting-to-the-core-of-the-apple-judgment#comments</comments>
		<pubDate>Wed, 29 May 2013 17:38:01 +0000</pubDate>
		<dc:creator>Stephan Zimprich</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[Berlin]]></category>
		<category><![CDATA[consumer protection]]></category>
		<category><![CDATA[data protection]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[international applicability]]></category>
		<category><![CDATA[judgment]]></category>
		<category><![CDATA[location based services]]></category>
		<category><![CDATA[Privacy Policy]]></category>
		<category><![CDATA[rome]]></category>
		<category><![CDATA[transparency]]></category>

		<guid isPermaLink="false">http://privacylawblog.ffw.com/?p=1187</guid>
<description><![CDATA[A recent Regional Court of Berlin judgment caused consternation amongst Privacy Counsels as Apple’s Privacy Policy was judged non-compliant with German Data Protection law. The court banned eight clauses even after Apple, in an out-of-court undertaking with the claimant (a German consumer protection association) prior to the judgment, agreed to remove seven clauses. Supporters of [...]]]></description>
<content:encoded><![CDATA[<p>A recent Regional Court of Berlin judgment caused consternation amongst Privacy Counsels as Apple&#8217;s Privacy Policy was judged non-compliant with German Data Protection law. The court banned eight clauses even after Apple, in an out-of-court undertaking with the claimant (a German consumer protection association) prior to the judgment, agreed to remove seven clauses. Supporters of the judgment seemed to outnumber critics as debate focused on the following three key points:</p>
<ul>
<li>The Berlin court supported the applicability of German Data Protection law on controllers in another EU Member State on the basis of Art. 6 (1) of Regulation 593/2008 (&#8220;Rome-I&#8221;);</li>
<li>The Berlin court questioned the transparency of the standard Privacy Policy framework; and</li>
<li>The Berlin court viewed anonymised location data as personal data.</li>
</ul>
<p><strong>The Question of Applicability</strong><br />
The most contested legal point concerned the applicability of German data protection law on Apple&#8217;s Privacy Policy. The Berlin court affirmed that under Art. 6 (1) Rome-I, the law of the Member State applies according to the location of the consumer. However, applicability is by no means a cut and dried issue as shown by the Facebook judgment where the Schleswig-Holstein court stated that the service would be subject to Irish data protection regulation. The Schleswig-Holstein court argued that Sec. 1 (5) of the German Data Protection Act, which states that if the controller has an establishment in another EU Member State other than Germany then the law of the other Member State applies, would be an &#8220;overriding mandatory provision&#8221; within the meaning of Sec. 9 (2) of the Rome-I Regulation. Although the Berlin court may have had strong arguments to counter the Schleswig-Holstein court&#8217;s position, its failure to communicate them was at best, lacking in transparency, and, at worst, sloppy judicial decision-making.</p>
<p><strong>The Merits of the Case</strong><br />
On the case&#8217;s merits, the court granted the claim in full and, in doing so, provided scant reasoning. The judgment was based on an interpretation of each clause that is most disadvantageous for the consumer. In this regard, the court departed from the appropriate viewpoint of the &#8220;average consumer without legal education&#8221; to adopt the position of the &#8220;most naive customer imaginable&#8221;. The court also held that location data, even where anonymised, must always be regarded as personal data – a reasoning that can only be explained by a blatant misunderstanding of the way location-based services work.</p>
<p>Apple will likely appeal the decision and, if it does, there is a good chance that the judgment will be overturned on certain points. Nevertheless, other criticisms of the court do have merit such as the fact that Apple&#8217;s Privacy Policy, in keeping with most policies in the market, lacks transparency and that the Privacy Policy does not sufficiently distinguish which category of data is subject to which purpose of use. Given the ambiguity rule, the court correctly assumes that this could be understood as a blanket license.</p>
<p><strong>Impact of the Judgment</strong><br />
The question of whether or not German Data Protection law is applicable in cases like these is becoming a more prominent legal debate. The Berlin court has now made clear that it is not willing to follow the position of the Schleswig-Holstein court. The resulting debate has just begun, and it must be assumed that the Federal Court of Justice or the European Court of Justice will have a future say.</p>
<p>The court&#8217;s criticism of transparency should be taken very seriously since it is a key principle upheld by German courts and by the EU. The Berlin judges also switched the focus from completeness to comprehensibility/clarity and questioned the framework used by most market players due to its sheer ambiguity.</p>
<p>The judgment further highlighted two key points: the growing irritation in German courts about the privacy practices of international actors in Germany and the strategy of German consumer protection associations and DPAs to go after the big players for impact and publicity. This combination makes it critical for businesses in Europe to consider the German position when drafting their privacy-related processes and documentation.</p>
]]></content:encoded>
			<wfw:commentRss>http://privacylawblog.ffw.com/2013/getting-to-the-core-of-the-apple-judgment/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Implied consent getting ever closer in the Netherlands</title>
		<link>http://privacylawblog.ffw.com/2013/implied-consent-getting-ever-closer-in-the-netherlands</link>
		<comments>http://privacylawblog.ffw.com/2013/implied-consent-getting-ever-closer-in-the-netherlands#comments</comments>
		<pubDate>Sat, 25 May 2013 08:41:08 +0000</pubDate>
		<dc:creator>Phil Lee</dc:creator>
				<category><![CDATA[Consent]]></category>
		<category><![CDATA[Cookie rule]]></category>
		<category><![CDATA[Profiling]]></category>
		<category><![CDATA[Targeted advertising]]></category>

		<guid isPermaLink="false">http://privacylawblog.ffw.com/?p=1154</guid>
		<description><![CDATA[On 20 May 2013, Dutch Minister Kamp (Minister for Economic Affairs) presented a bill to amend Article 11.7a of the Dutch Telecommunications Act (‘the cookie law’). Once it passes into law the bill will, among other things, allow website operators to rely on visitors’ implied consent to serve cookies and will also exempt analytics cookies from the [...]]]></description>
				<content:encoded><![CDATA[<p>On 20 May 2013, Dutch Minister Kamp (Minister for Economic Affairs) presented a bill to amend Article 11.7a of the Dutch Telecommunications Act (‘<b>the cookie law</b>’). Once it passes into law the bill will, among other things, allow website operators to rely on visitors’ implied consent to serve cookies and will also exempt analytics cookies from the consent requirement.</p>
<p><b>Why these changes are needed</b></p>
<p>In February this year the Dutch government concluded that the cookie law had overshot its intended objective. The current cookie law requires website owners to obtain visitors’ opt-in consent to virtually all types of cookies, except those which are strictly necessary. This led to widespread adoption of opt-in consent barriers and pop-up screens which, the Government accepts, is undesirable from both a consumer and business standpoint.</p>
<p>The Government believes the problem with the current law is that it applies equally to all cookies, even those with little privacy impact. Because of this, it proposes that the scope of the consent exemptions should expand to include more types of cookies.</p>
<p><b>New exemptions: analytics cookies, affiliate cookies and a/b-testing cookies</b></p>
<p>Currently, a website operator does not have to obtain consent if cookies are strictly necessary to provide a visitor-requested service. Once the bill enters into effect, a further category of cookies will be exempted from the consent requirement – those which are “<i>absolutely necessary […] to obtain information about the quality and effectiveness of an information society service provided – provided that this has no or little consequences for the privacy of the user.</i>”</p>
<p>First-party and third-party analytics cookies, affiliate referral cookies and a/b testing cookies all seem likely to fall within the scope of this new exemption.  However, to ensure that these cookies qualify as having “<i>no or little consequences for the privacy of the user</i>”:</p>
<ul>
<li>the data collected by these cookies must not be used to make a profile of the visitor (e.g. for targeting purposes); and</li>
<li>if the website operator shares cookie data with a third party (e.g. an analytics service provider), it must conclude an agreement with the third party that either requires the third party not to use the data for its own purposes or, alternatively, only for defined purposes that have no or little effect on visitors&#8217; privacy.</li>
</ul>
<p><b>Implied Consent</b></p>
<p>For other types of cookies (in particular, targeted advertising cookies), the consent requirements of the cookie law apply in full.  However, the explanatory memorandum to the bill discusses the interpretation of ‘consent’ in great detail and advocates the legal validity of implied consent solutions.</p>
<p>In particular, it advocates that implied consent may be legally derived from the behavior of the visitor of a website &#8211; for example, in the case where a visitor is presented with a clear notice about the website’s use of cookies and given options to control those cookies but continues to browse the website.  This is at odds with previous regulatory opinions of the ACM (formerly the OPTA, the relevant regulator for these purposes) which said that implied consent would not constitute valid consent.</p>
<p>Although Dutch recognition of implied consent has been anticipated for a while (see <a href="http://privacylawblog.ffw.com/2013/dutch-to-accept-implied-consent-for-cookies">here</a>), this is a critical development for online businesses in the Netherlands.  Once the bill enters into force, website operators will be able to replace their current explicit consent barriers and pop-ups with more user-friendly implied consent banners indicating that continued use of the website without changing cookie settings will constitute consent.</p>
<p>All in all, the bill is a major step towards a more pragmatic implementation of the cookie law. With these changes, Dutch law will better balance the privacy interests of website visitors with online businesses’ legitimate data collection activities.</p>
<p><b>When will the bill enter into force?</b></p>
<p>The bill is open for public consultation until 1 July 2013, and the Minister must also consult the Council of State and the Dutch Data Protection Authority. On the basis of the consultation responses, the minister may then decide to amend the bill or submit it to Parliament as currently drafted. Parliamentary discussion can be completed within a few months, but may potentially take up to a year. However, given the current momentum behind adopting a more pragmatic cookie regime in the Netherlands, it is anticipated that the overall process will be toward the shorter end of this timescale.</p>
<p><b>With thanks to our friends <a href="http://www.kvdl.nl/en/onze-mensen/nicole-wolters-ruckert/">Nicole Wolters Ruckert</a> and <a href="http://www.kvdl.nl/en/onze-mensen/maarten-goudsmit/">Maarten Goudsmit</a>, Privacy Attorneys at <a href="http://www.kvdl.nl/">Kennedy Van der Laan</a>, for this update.</b></p>
]]></content:encoded>
			<wfw:commentRss>http://privacylawblog.ffw.com/2013/implied-consent-getting-ever-closer-in-the-netherlands/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is BYOD secure for your company?</title>
		<link>http://privacylawblog.ffw.com/2013/is-byod-secure-for-your-company</link>
		<comments>http://privacylawblog.ffw.com/2013/is-byod-secure-for-your-company#comments</comments>
		<pubDate>Fri, 24 May 2013 13:51:17 +0000</pubDate>
		<dc:creator>Olivier Proust</dc:creator>
				<category><![CDATA[Data security]]></category>
		<category><![CDATA[Mobile telecoms]]></category>
		<category><![CDATA[Smartphones]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[ANSSI]]></category>
		<category><![CDATA[BYOD]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[electronic devices]]></category>
		<category><![CDATA[France]]></category>

		<guid isPermaLink="false">http://privacylawblog.ffw.com/?p=1144</guid>
<description><![CDATA[Over the past years, BYOD has developed rapidly and has even become common practice within some companies. More and more employees are using their electronic devices (e.g., smartphones and tablets) at work. The benefits for companies are indisputable in terms of cost-saving, work productivity, and the functionalities that smart devices can offer to employees. However, [...]]]></description>
<content:encoded><![CDATA[<p>Over the past years, BYOD has developed rapidly and has even become common practice within some companies. More and more employees are using their electronic devices (e.g., smartphones and tablets) at work. The benefits for companies are indisputable in terms of cost-saving, work productivity, and the functionalities that smart devices can offer to employees. However, BYOD can also pose a threat to the security of a company&#8217;s information network and systems when used without the proper level of security. On May 15, 2013, the French Agency for the Security of Information Systems (ANSSI) released a technical paper advising companies to implement stronger security measures when authorizing their employees to use electronic devices.</p>
<p>The agency notes that the current security standards used by companies are insufficient to protect their professional data effectively. Electronic devices make it possible to store large amounts of data obtained directly (e.g., emails, agenda, contacts, photos, documents, SMS) or indirectly (navigation data, geolocation data, history). Some of this data may be considered sensitive by companies (e.g., access codes and passwords, security certificates) and may be used fraudulently to access business information stored on the company&#8217;s professional network. Thus, the use of electronic devices in the workplace carries a risk that business data may be modified, destroyed or disclosed unlawfully. In particular, the risk of a data security breach deriving from the use of an electronic device is quite high due to the numerous functionalities that they offer. This risk is generally explained by the vulnerability of the information systems installed on electronic devices, but also by the wrongful behaviour of employees who are not properly informed about the risks.</p>
<p>The Agency acknowledges that it is unrealistic to expect to reach a high level of security when using mobile devices, regardless of the security parameters used. Nevertheless, the Agency recommends that companies implement certain security parameters in order to mitigate the risk of a security incident. These security parameters should be installed on the employee&#8217;s device within a unique profile that he/she cannot modify. In addition to the technical measures, companies should also implement organizational measures, such as a security policy and an internal document explaining to employees the authorized uses of IT systems and devices. Finally, those security measures should be reassessed throughout the lifecycle of the electronic device (i.e., inherent security of the device, security of the information system before the device is used by the employee, security conditions applied to the entire pool of electronic devices, reinitializing the electronic devices before they are reassigned).</p>
<p>The twenty-one security measures that are outlined in the Agency&#8217;s paper are categorized as follows:</p>
<ul>
<li>access control: renewal of the password every three months; automatic lock-down of the device after five minutes; use of a PIN code when sensitive data are stored on the device; limit the number of attempts to unlock the device;</li>
<li>security of applications: prohibit the &#8216;by default&#8217; use of the on-line store for applications; prohibit the unauthorized installation of applications; block the geolocation functionality when not used for certain applications; switch off the geolocation functionality when not used; install security patches on a regular basis;</li>
<li>security of data and communications: wireless connections (e.g., Bluetooth, Wi-Fi) must be deactivated when not used; avoid connecting to unknown wireless networks when possible; apply robust encryption to the internal storage of the device; sensitive data must be shared by using encrypted communication channels in order to maintain the confidentiality and integrity of the data;</li>
<li>security of the information system: automatically upgrade information systems on a regular basis by installing security patches; if needed, reinitialize the device entirely once per year.</li>
</ul>
<p>The Agency explains that these security parameters are incompatible with a BYOD policy involving the combined use of an electronic device for both private and professional purposes. The Agency recommends that professional devices be used exclusively for that purpose (meaning that employees should have a separate device for private purposes), and that if the same device is used professionally and privately, the two environments be effectively separated.</p>
<p>The Agency&#8217;s paper is available (in French) by clicking on the following link: <a href="http://privacylawblog.ffw.com/wp-content/uploads/2013/05/NP_Ordiphones_NoteTech1.pdf">NP_Ordiphones_NoteTech[1]</a></p>
]]></content:encoded>
			<wfw:commentRss>http://privacylawblog.ffw.com/2013/is-byod-secure-for-your-company/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Transparency 2.0</title>
		<link>http://privacylawblog.ffw.com/2013/transparency-2-0</link>
		<comments>http://privacylawblog.ffw.com/2013/transparency-2-0#comments</comments>
		<pubDate>Fri, 17 May 2013 16:48:36 +0000</pubDate>
		<dc:creator>Eduardo Ustaran</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://privacylawblog.ffw.com/?p=1135</guid>
		<description><![CDATA[Telling people about the uses made of their personal information is probably the most widespread obligation across all data privacy frameworks around the world.  This derives from the fact that data privacy law has always been understood as a means to give people control – or at least a degree of control – over how [...]]]></description>
				<content:encoded><![CDATA[<p>Telling people about the uses made of their personal information is probably the most widespread obligation across all data privacy frameworks around the world.  This derives from the fact that data privacy law has always been understood as a means to give people control – or at least a degree of control – over how others use their personal information.  Therefore, for individuals to be able to exercise the appropriate level of control, it is imperative that they are first told how their information will be used.  So irrespective of whether the use of that information is legitimised by an individual&#8217;s consent, there is still an overarching obligation to be transparent about personal data uses.  Recent developments confirm that this principle is still very much alive in the mindsets of regulators but also that compliance with the transparency obligation – as fundamental as it may be – is not without its challenges.</p>
<p>At one level, the growing use of increasingly sophisticated technology has made the role of privacy notices more crucial than ever before.  This is supported by the continuous output from regulatory authorities from all jurisdictions stressing the importance of explaining the uses made of data collected through users&#8217; interaction with their devices in a clear and comprehensive manner.  In the EU, for example, the Opinions of the prolific Article 29 Working Party on issues like the deployment of cookies, the use of apps in smart devices and more recently in relation to the &#8220;purpose limitation&#8221; principle, consistently stress that as technology and data uses become more complex, the responsibility to provide a suitable explanation is even greater.  This has also been reflected in the proposed European Data Protection Regulation, which contains much more detailed transparency obligations than the current directive.  Outside Europe, guidance from the FTC in the USA and the Federal Privacy Commissioner in Canada in relation to mobile data uses emphasises exactly the same message.</p>
<p>The importance of privacy notices does not stop there.  The Regional Court of Berlin has recently upheld the claims made by a German consumer protection association against Apple for being too broad brush with their public privacy policy.  Apparently, the policy did not spell out specifically enough which uses applied to which types of data.  This is an eyebrow raising decision not just because of its potential effect on Apple, but because the structure of Apple&#8217;s policy is entirely in line with current market practice.  In a similar vein, the Global Privacy Enforcement Network – which comprises privacy regulators from all over the world – has launched its Internet Privacy Sweep initiative aimed at reviewing the quality of privacy notices of consumer facing websites globally.</p>
<p>However, the challenges faced by policy makers and data users alike are all too obvious to turn this issue into a simple matter of good notice or bad notice.  To begin with, research seems to indicate that only a very small proportion of Internet and mobile users actually read the privacy notices available.  As essential as transparency may be, the reality is that understanding an organisation&#8217;s data uses is not regarded as a priority in the context of accessing a service or making a transaction.  In addition, the complexity surrounding current technologies and data usage makes it very difficult for any organisation to explain in plain and clear terms how data will be used, in a way that lets the average individual understand its implications.  On top of this, the size of devices such as smart phones and their applications – let alone glasses, household appliances, GPS watches or any other gadget without a proper screen – presents another practical difficulty in terms of making the right amount of information available at the right time and in the right format.</p>
<p>All in all, traditional and unimaginative transparency mechanisms have their days numbered.  Long and legalistic privacy notices in particular are unlikely to serve their purpose going forward.  Whilst from a pure legal perspective, there is some merit in making sure that all possible information is available, there is a trend supported by at least some regulators to simplify the content of the notices as much as possible.  In recent years, regulators have also favoured a layered approach to the provision of privacy notices.  The next step in this evolution is the adoption of very short &#8220;contextual notices&#8221; that explain at the right time and in the right way, how certain user data will be used.  These types of notices are probably Internet and mobile players&#8217; best chance of providing truly meaningful information when it matters.</p>
<p>In terms of content, the emphasis is likely to shift towards explaining how technology itself makes it possible for certain data to be collected and analysed.  In other words, the content of privacy notices will focus more specifically on explaining how the relevant technology works.  Looking further into the future, if screen sizes become smaller or disappear altogether, it is likely that some content will be replaced by icons and that privacy notices become akin to &#8220;nutritional labels&#8221;.  This is something that should be explored further by identifying key technological factors that may affect someone&#8217;s privacy – such as the use of cookies, behavioural tracking and location tracking – that could then have their own symbol and a universally accepted intrusiveness grade.  Certainly one to think about.  The transition from today&#8217;s predominantly lawyer-driven notices to a more down to earth approach to transparency about data uses will not happen overnight but the process has already started.</p>
<p><em>This article was first published in Data Protection Law &amp; Policy in May 2013.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://privacylawblog.ffw.com/2013/transparency-2-0/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
