European Court of Justice Rules on German DPA System

On March 9, 2010, the European Court of Justice ruled that the Federal Republic of Germany’s practice of “state supervision” over data protection authorities violates EU Data Protection Directive 95/46/EC.  The case, brought by the EU Commission, is a milestone which will force Germany to change the structure of its DPA system and could have ramifications in other countries as well.

The Court’s decision is based on Article 28(1) of the Directive, which requires that data protection authorities (“DPAs”) act with “complete independence.” German law makes a distinction with regard to DPA supervision depending on whether the data processing is carried out by public or non-public bodies.  There are therefore different authorities responsible for monitoring public entities’ compliance with data protection provisions versus those that monitor compliance by private parties and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) outside the public sector (such as transportation and utility companies).

At the federal level, data processing by public bodies is supervised by the Federal Commissioner for the protection of personal data and freedom of information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit).  At the regional level, supervision is carried out by the commissioners responsible for regional data protection (Landesdatenschutzbeauftragte).  These commissioners are responsible solely to their respective parliaments and normally are not subject to any scrutiny, instruction or other influence from the public bodies they supervise.  However, the organization of the authorities responsible for supervising private entities’ data processing varies among the regions, and all the laws at the regional level expressly subject those supervisory authorities to state scrutiny.

In the judgment, the European Court of Justice emphasized that the EU Data Protection Directive requires “complete independence” of the work of the competent DPAs.  It held that the Federal Republic of Germany had implemented this requirement incorrectly by subjecting the DPAs to state control.  In this regard, the Court’s opinion differed from the view of Advocate General Mazák, who stated in October 2009 that state supervision over DPAs does not mean the DPAs cannot execute their work completely independently.  In contrast, the European Court of Justice held that the DPAs for the private sector should not be subject to any outside influence.

Even before the Court’s decision, some of the German federal states had already begun to reorganize the responsibilities for supervision of data protection and to unify supervision.  This judgment will force the remaining federal states to do so as well, and could lead to an overhaul of the organization of DPAs in Germany.  Moreover, the judgment will most likely also have broader implications across Europe, given that a number of DPAs in other Member States are also not believed to work with complete independence.  Reorganization of DPAs to give them more independence could also result in more compliance and enforcement actions, and may raise the threshold for the European Commission to issue adequacy decisions concerning the level of data protection in other countries.

Dr. Jörg Hladjk, an associate in the Brussels office of Hunton & Williams, discussed the decision in an article published in BNA’s Privacy Law Watch™ on March 10, 2010.

Hunton & Williams Prepares Study for the European Commission on the Interaction between Data Protection Law and Copyright Enforcement

On February 3, 2010, Christopher Kuner, a partner in Hunton & Williams’ Brussels office and head of the firm’s EU Privacy Practice, presented to the “Stakeholders’ Dialogue on Illegal Uploading and Downloading,” organized by DG Internal Market and Services of the European Commission.  Mr. Kuner presented a study which the Hunton & Williams Brussels team prepared for the Commission on the interaction of data protection law and copyright enforcement.  The study covers both the legal framework under EU law and the situation in six selected EU Member States (Austria, Belgium, France, Germany, Spain and Sweden).  The relationship between data protection and copyright enforcement was a point of contention in the recent amendment of the EU Directive on Privacy and Electronic Communications. 

The following are the major findings of the study:

At the European level:

At the Member State level:

  • IP addresses are generally considered by DPAs and courts to be personal data, although courts in some countries (e.g., France) have taken conflicting positions on this issue.
  • IP addresses are generally considered to be traffic data, which means that they may only be processed in a limited number of circumstances and for specific purposes (such as billing and invoicing), and that consent is generally required to process them for other purposes (such as online copyright enforcement).
  • IP addresses processed in the context of online copyright enforcement may be considered to be sensitive data (judicial data), except in Spain.
  • ISPs cannot store IP addresses for the specific purpose of online copyright enforcement (except in France, where retention for the purpose of making information available to certain governmental authorities is allowed).
  • The processing of IP addresses by ISPs to pass on infringement warning notices is generally prohibited or subject to strict restrictions.
  • The general monitoring of P2P networks by right holders resulting in the creation of a database of potential copyright infringers is usually prohibited.
  • The disclosure of P2P users’ identities by ISPs to judicial authorities in the context of criminal proceedings is generally authorized.
  • The disclosure of P2P users’ identities by ISPs to right holders for civil enforcement is generally restricted by data protection law.  In particular, ISPs generally may not disclose P2P users’ identities to right holders outside the context of judicial (administrative) proceedings.
  • In most Member States, it seems that little consideration was given to the interaction between data protection rules and implementation of the IP Enforcement Directive.

As the study demonstrates, the relationship between data protection law and online copyright enforcement is far from being settled.  This issue will certainly be discussed in the coming months during the ongoing debate on the review of the General Data Protection Directive at the European level, and in the context of the debate around possible graduated response mechanisms at the national level.

German Data Protection Authorities Issue Resolution on Website Analysis Methods

In December 2009, the German data protection authorities (“DPAs”) for the private sector published a resolution on data protection compliance for website audience measurement (in German).  The resolution was adopted at the Düsseldorfer Kreis meeting on November 26-27, 2009.

Many website operators analyze users’ surfing behavior for advertising and market research purposes, or to adapt their websites to suit consumer preferences. To create user profiles, website operators often use software or other services that are offered by third party service providers (sometimes free of charge).

In the resolution, the DPAs specify that website operators must comply with the provisions of the German Telemedia Act (“TMG”) when creating user profiles.  According to the TMG, website operators are only allowed to create user profiles by using pseudonyms.  A user’s IP address, however, does not qualify as a pseudonym under the TMG. The resolution further states that the following TMG requirements must be met:

  • Website users must have the opportunity to object to the creation of their user profiles, and website operators must honor such objections effectively.
  • Pseudonymized user data may not be combined with data about the individual associated with the pseudonym.
  • User data must be deleted (1) if storage is no longer necessary for usage analysis purposes, or (2) if the user requests the deletion.
  • Without the user’s consent, personal data may be collected and used only to the extent necessary to enable the use of telemedia services and for billing purposes. Any other use requires the consent of the user.
  • In their privacy policies, website operators must (1) provide clear disclosure regarding the creation of pseudonymized user profiles, and (2) inform users that they have the option to object to the creation of such profiles.
  • Because complete IP address data may be traced back to a user, analysis of surfing behavior using complete IP addresses (including a geo-localization) is only admissible pursuant to deliberate, explicit consent.  If the user has not given consent, the IP address must be truncated prior to analysis to eliminate the possibility of data being attributed to a specific user.
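As an added illustration that is not part of the resolution or of this article, the following Python sketches how a website operator’s own analytics back end might apply these TMG requirements to incoming page views: honoring objections, using an opaque cookie pseudonym rather than the IP address, truncating the IP address when no consent was given, and deleting a profile on request. The truncation widths (IPv4 keeps the first three octets, IPv6 the first 48 bits), the event field names and the sample events are assumptions; the resolution does not specify them.

```python
import ipaddress
import secrets
from typing import Optional

def truncate_ip(ip: str) -> str:
    """Truncate an IP address before analysis so it can no longer be attributed
    to a specific user. Assumed widths (not stated in the resolution):
    IPv4 keeps a /24, IPv6 keeps a /48; the remaining bits are zeroed."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)

def new_pseudonym() -> str:
    """Opaque random identifier to be set in the user's cookie. It is generated
    independently of the IP address, which the TMG does not accept as a pseudonym."""
    return secrets.token_hex(16)

def record_hit(event: dict, profiles: dict) -> Optional[dict]:
    """Apply the resolution's rules to one page-view event and append the result
    to the pseudonymous profile store. Returns the stored record, or None when the
    user has objected to profiling (the objection must be honored effectively)."""
    if event.get("objected"):
        return None
    # Full IP only with deliberate, explicit consent; otherwise truncate first.
    ip = event["ip"] if event.get("consent") else truncate_ip(event["ip"])
    pid = event.get("pseudonym") or new_pseudonym()
    rec = {"pseudonym": pid, "ip": ip, "path": event["path"]}
    profiles.setdefault(pid, []).append(rec)
    return rec

def delete_on_request(pseudonym: str, profiles: dict) -> bool:
    """Delete a user's profile when the user requests it. Returns True if one existed."""
    return profiles.pop(pseudonym, None) is not None

if __name__ == "__main__":
    # Constructed sample events; the addresses are documentation ranges, not real users.
    store: dict = {}
    print(record_hit({"ip": "203.0.113.77", "path": "/", "pseudonym": "c1"}, store))
    print(record_hit({"ip": "2001:db8:abcd:1234::5", "path": "/p", "consent": True}, store))
```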

French Senate Issues Report on Right to Privacy in the Digital Age

On June 3, 2009, the French Senate’s Commission on Laws issued a report on the right to privacy in the digital age (‘La vie privée à l’heure des mémoires numériques’) (the “Report”). The issuance of the Report is perhaps the most important legislative initiative in France in the field of privacy and data protection since the implementation of the EU Data Protection Directive in 2004.

The Report observes that new technologies developed in recent years now enable companies and organizations to track and trace individuals in various ways over space and time, retaining “digital memories” of the personal data collected. Various technologies, such as videosurveillance, RFID, geolocalization and Bluetooth, are used for different purposes (e.g., security, transportation, advertising, etc.), which may have an impact on an individual’s right to privacy. Furthermore, perceptions of risk have changed – younger generations tend to be less aware of the threats that some websites, such as blogs or social networks, may pose to their privacy.

The Report advocates developing adequate and sustainable solutions to deal with the specific challenges of our time. In particular, it recommends requiring the appointment of Data Protection Officers for companies and organizations with more than fifty employees, creating a new legal obligation for data controllers to notify the French data protection authority (“CNIL”) in the event of a data security breach, and expanding the CNIL to include a network of regional offices. The Report also advocates several points made in the CNIL’s Annual Activity Report, released May 13, including diversifying the CNIL’s financial resources, increasing its personnel and including data protection and privacy rights in the French constitution. 

These reports demonstrate the French Senate’s and the CNIL’s motivation to enhance the right to privacy at both the national and international levels. Olivier Proust, an attorney in Hunton & Williams’ Brussels office and a member of the Paris Bar, was among the legal experts who testified before the French Senate regarding the impact of new technologies on privacy issues, which is among the topics discussed in the Report. The Report and a short summary are available (in French) here. More information about the CNIL’s recently-published Annual Activity Report for 2008 is available here.

French Data Protection Authority Issues 2008 Annual Activity Report

On May 13, 2009, the French Data Protection Authority (“CNIL”) published its Annual Activity Report.  The Report highlights increasing enforcement activity, noting a record number of investigations, formal notifications and fines.  Having recently celebrated its thirtieth anniversary, the CNIL stated that it seeks to constantly evolve and meet the challenges of modern society by pursuing three key points: (i) diversifying its sources of financing; (ii) increasing the number of personnel; and (iii) including data protection and privacy rights in the French constitution in the near future.

The CNIL is increasingly engaged in assisting companies to ensure individuals’ privacy rights as part of diverse technology projects like Streetview, Bluetooth advertising and implementation of an electronic pharmaceutical database.  As a natural extension of these efforts, the CNIL also has positioned itself to be a key player in the field of data protection certification through its participation in the “European Privacy Seal” labeling project and recent membership in the AFNOR Groupe (an organization for certification and security standardization).

Other key initiatives include reconciling e-discovery rules and the European data protection framework (an issue the CNIL has influenced at both a national and European level) and data security (on which point the CNIL has noted business enterprises’ lack of strong security measures).  The CNIL has signaled its intention to issue recommendations on both issues, and plans to contribute to the development of security standards in order to enhance data security awareness.  The full annual report is available (in French) here.