UK Information Commissioner's Office Launches New Code of Practice

On July 7, 2010, the UK Information Commissioner’s Office published a new code of practice for the collection of personal data online.  Launching the new code at a data protection conference, UK Information Commissioner Christopher Graham said, “the benefits of the internet age are clear: the chance to make more contacts, quicker transactions and greater convenience.  But there are risks too.  A record of our online activity can reveal our most personal interests.  Get privacy right and you will retain the trust and confidence of your customers and users; mislead consumers or collect information you don’t need and you are likely to diminish customer trust and face enforcement action from the ICO.”

While the new code is not legally binding, it does offer useful “best practice” advice to organizations that collect personal data online.  In particular, the code provides guidance on controversial issues such as behavioral advertising, cloud computing and the use of cookies.  “Organizations must be transparent so that consumers can make online privacy choices and see how their information will be used.  Individuals can take control by checking their privacy settings and being careful about the amount of personal details they post to social networking sites and elsewhere online,” said Mr. Graham.

The Personal Information Online Code of Practice is available on the ICO's website.

German DPA Issues Legal Opinion on Cloud Computing

On June 18, 2010, the data protection authority of the German federal state of Schleswig-Holstein published a press release and a comprehensive legal opinion on cloud computing.  The opinion provides an overview of cloud computing and discusses various practical and legal matters, including:

  • Applicable law issues
  • The legal basis for cloud computing and related processor and controller issues
  • Problems associated with the possibility of third-party access
  • The minimum requirements for data processor relationships and service provider contracts under the new German data protection law
  • Technical and organizational security measures
  • The legal landscape for clouds located outside the European Union

According to the DPA, clouds located outside the European Union are per se unlawful, even if the EU Commission has issued an adequacy decision in favor of the foreign country in question (for example, Switzerland, Canada or Argentina).  A Commission adequacy decision does not confer “agent” status, which normally would privilege such transfers, on entities located in the adequate jurisdiction.  The recipient entities remain “third parties,” which means that a transfer in the legal sense takes place and therefore a legal basis is required.  The potential legal bases under German law (“fulfillment of contract” or the “balancing of interests test”), however, require that the transfer also be “necessary.”  The DPA is of the opinion that there is no argument that the use of a cloud located outside the EU is compulsory.

This result may be avoided, however, if the German rules on commissioned data processing are applied by analogy and by using an EU-approved model contract for controller-processor data transfers, so long as the German requirements for data processor agreements are also followed. 

The DPA’s opinion further states that self-certification to the U.S. Department of Commerce’s Safe Harbor framework alone does not provide an adequate level of protection in the cloud context.  Accordingly, reliance on certification to the Safe Harbor should not be used to circumvent the more strict EU legal requirements applicable to cloud computing. 

In addition, the DPA indicates that, because SAS 70 Type II Certificates used by some cloud providers do not contemplate the material and procedural interests of data subjects, such certifications offer only partial compliance with German legal requirements for commissioned data processing. 

The opinion concludes by suggesting that binding corporate rules are also an appropriate tool for companies seeking to implement a cloud solution.

For further information on the opinion, please contact Dr. Jörg Hladjk in the Brussels office of Hunton & Williams.

French Data Protection Authority Unveils 2009 Annual Activity Report

On June 17, 2010, the French data protection authority (the “CNIL”) published its Annual Activity Report for 2009 (the “Report”) in which it outlines some of its priorities for the upcoming year.

In February 2009, the CNIL published a report on online targeted advertising.  Among other things, the CNIL voiced its concern regarding online behavioral advertising activities and analyzed the risks of increasing user profiling.  In 2010, the CNIL is expected to issue a joint opinion with the Article 29 Working Party on targeted advertising and behavioral analysis.  The CNIL also will open a dialogue with several stakeholders from the marketing sector to work on adopting a code of best practices.

In addition, the Report highlights the following topics:

  • In the context of international data transfers, the Report describes the increasing effectiveness of Binding Corporate Rules (“BCRs”) through the “mutual recognition” principle, adopted by nineteen data protection authorities (“DPAs”).  In 2009, the CNIL approved BCRs for three companies and is currently reviewing seven others.  In 2010, the CNIL expects to receive approximately ten BCR applications coordinated by other DPAs.
  • When transferring personal data to the U.S. in the context of pre-trial discovery proceedings, it is important to comply with the Data Protection Act and other applicable French laws.  In 2009, the CNIL issued guidelines explaining to companies based in France how to comply with these rules.
  • Faced with an increase in offshore activities, the CNIL recently simplified its approval procedure for transfers of personal data outside of the European Union.  Now the President or Vice President of the CNIL may approve basic international transfers, although transfers of sensitive data continue to require the approval of the full college of commissioners. 
  • The CNIL also conducted an analysis of developing outsourcing activities (particularly in the context of cloud computing) and participated in the preparation of an opinion regarding the concepts of “controller” and “processor” recently issued by the Article 29 Working Party.
  • In light of a recent decision by the French Court of Cassation, which found that a company’s whistleblowing procedure, although approved by the CNIL, was illegal due to its unrestricted scope, the CNIL intends to conduct hearings in 2010 to consider modifying its 2005 authorization process for whistleblowing procedures.
  • In 2009, the CNIL received more than 4,265 complaints and 68,185 data processing registrations.  It also conducted 270 on-site inspections, which constitutes a 24 percent increase over 2008.  Recently, the CNIL released its 2010 inspections report which indicates that it plans to conduct at least 300 inspections over the course of 2010.

Read the CNIL’s full report (in French).
Read our coverage of the CNIL’s 2008 Activity Report

Privacy and Data Security Risks in Cloud Computing

Cloud computing raises complex legal issues related to privacy and information security.  As legislators and regulators around the world grapple with the privacy and data security implications of cloud computing, companies seeking to implement cloud-based solutions should closely monitor this rapidly evolving legal landscape for developments.  In an article published on February 3, 2010, Lisa Sotto, Bridget Treacy and Melinda McLellan explore U.S. and EU legal requirements applicable to data stored by cloud providers, and highlight some of the risks associated with the use of cloud computing.

FTC's Second Exploring Privacy Roundtable

The Federal Trade Commission’s second “Exploring Privacy” roundtable concluded Thursday, January 28, 2010.  The roundtable did not provide many firm conclusions, but it did help further refine some hard issues facing privacy protection.

Although Thursday’s hearing was intended to be devoted to technology issues, the role of regulation appeared to dominate the discussions.  “Everyone is dying to talk about regulation,” said Jessica Rich, Deputy Director of the Bureau of Consumer Protection, moderating a panel on Technology and Policy.

In her introductory remarks, outgoing FTC Commissioner Pamela Jones Harbour identified many of the key issues addressed over the course of the day, including (1) the importance of defaults, (2) the lack of consumer knowledge regarding how data are collected and used, (3) the lack of consumer engagement with online notices, (4) the special challenges presented by mobile devices and cloud computing, and (5) the role of de-identified data.

In his opening comments, David Vladeck, Director of the Bureau of Consumer Protection, identified what he perceived to be the three main messages from the first Exploring Privacy workshop, which was held in Washington, D.C., on December 7, 2009.  First, consumers have little understanding of how their data are used and transferred.  Second, notices often are not an effective tool for communicating with consumers, but they remain important to facilitate transparency.  And finally, consumers do care about privacy even though they may behave otherwise.  Vladeck also stressed that the roundtables are not the only tool the FTC is using to address privacy.  “We continue to maintain an active law enforcement practice to protect privacy,” Vladeck noted.

Over the course of the day, 35 panelists addressed technology’s role in protecting privacy and how the government should encourage the adoption and use of privacy-enhancing technologies.  There was broad agreement that stand-alone privacy-enhancing technologies have met with little consumer acceptance, but that these technologies have been adopted by businesses and have been introduced into operating systems, browsers and email clients.  When they encounter these protective measures, consumers often avoid or turn off privacy features that interfere with their access to the material and services they want.

As at the first workshop, there was broad agreement that, although notice and choice have offered little privacy protection, there is no clear consensus as to what might replace or supplement that framework.  Two approaches that were frequently mentioned are the Centre for Information Policy Leadership’s use model and its accountability project.

Thursday’s roundtable revealed a surprising amount of agreement in favor of the FTC playing a more pronounced regulatory role in, at a minimum, identifying the objectives of “good” privacy protection, as well as setting standards for measuring the achieved objectives.  This position was supported not only by privacy advocates and academics, but also by a number of business participants who noted the need for greater certainty in privacy regulation.

Speaking on the final panel, the Centre for Information Policy Leadership’s Senior Policy Advisor, Fred Cate, echoed two themes from his earlier presentation at the December roundtable: first, that the government should be careful to avoid creating disincentives for good privacy behavior or otherwise discouraging efforts to protect privacy; and second, that government can contribute to enhancing privacy in many ways, including by funding the development of more useful privacy-enhancing technologies and then helping to create a market for such technologies by purchasing them itself.

Whatever the government’s ultimate role may be, there seemed to be general agreement that protecting privacy responsibly requires, in Peter Cullen’s words, “people, processes, and technologies.”  Essentially, although technologies alone are not sufficient, technological considerations must not be left out of the equation.

The FTC’s third and final roundtable in this series will take place in Washington, D.C., in March 2010.  In addition, Danny Weitzner, Associate Administrator for Policy at the National Telecommunications and Information Administration, announced that the Department of Commerce is looking at the linkage between privacy and innovation and is observing the FTC’s process.  He further welcomed input from stakeholders as to the Department’s role in helping protect privacy.

Microsoft Calls for Legislative Action to Set Rules for Cloud Computing

Microsoft is urging Congress and the information technology industry to act now to ensure that cloud computing is guided by an international commitment to privacy, security and transparency for consumers, businesses and government.  A survey commissioned by Microsoft found that while the general population and senior business leaders are excited about the potential of cloud computing, most are concerned about the security, access and privacy of their information in the cloud and believe the government should establish laws, rules and policies for cloud computing.  Microsoft also has called for an international dialogue on data sovereignty to address users' desire that rules and regulations governing their data remain uniform regardless of the physical location of the information. 

Microsoft’s proposal includes reforming and strengthening the Electronic Communications Privacy Act to provide stronger protections for consumers and businesses; modernizing the Computer Fraud and Abuse Act to give law enforcement the tools to prosecute malicious hackers and deter online-based crimes; enacting legislation to ensure that consumers and businesses know whether and how their information is accessed and used by service providers and how it will be protected online; and pursuing a new multilateral framework to address data access issues globally.

View more information on Microsoft’s proposal.

Privacy Commissioner of Canada Announces Public Consultations on Emerging Technologies

On January 18, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, announced a public consultation to examine the privacy issues associated with online tracking, profiling and targeting of consumers.  The Commissioner noted that the consultation will “provide a forum for the exploration of the privacy implications related to this modern industry practice, and the protections that Canadians expect.”  The consultation marks the first in a series to review emerging technologies that are likely to have a considerable impact on consumer privacy.  The announcement of a second consultation on cloud computing is anticipated in the near future.

The Office of the Privacy Commissioner has put out a call for participation and written submissions by interested parties are due by March 15, 2010.  For further information on the consultation process, view the Office of the Privacy Commissioner's news release.

FTC Announces Public Roundtables on Consumer Privacy Issues

On September 15, 2009, the Federal Trade Commission unveiled a series of public roundtables that will focus on the effect of modern technology and business practices on the privacy of consumer information.  The goal of the panels is to explore how to best balance the concerns for consumer privacy, beneficial use of consumer information and technological innovation.  The discussions will address myriad technologies and practices, such as social networking, cloud computing, behavioral marketing, mobile marketing and, generally, the collection of consumer information for various purposes.  The roundtables will also consider the adequacy of existing legal and self-regulatory frameworks.  Participants will include academics, privacy experts, consumer advocates, industry representatives, technology experts, legislators, and experts from outside the United States.  The Commission has asked individuals and organizations to submit requests to participate as panelists and suggest discussion topics.  The Commission also has asked interested parties to submit written comments and research on the issues of (i) risks, concerns and benefits associated with the collection and use of consumer information, (ii) consumer expectations of how their information is used, and (iii) the adequacy of existing legal requirements and self-regulatory regimes in protecting consumer privacy interests.

More information is available in the Commission’s news release.