Privacy & Information Security Law Blog : Privacy Lawyer & Attorney : Hunton & Williams Law Firm : Personal Data, Information Security

The claimant, however, was not satisfied with the seven-day grace period and decided to press for the deletion of IP addresses as soon as an Internet connection ends.  In the claimant’s view, such deletion is required by data protection law and is fundamental to the protection of personal privacy.  Because IP addresses may allow third-parties to monitor a user’s behavior on the Internet, and even create personality profiles based on the observed behavior, the claimant argued that a seven-day retention period is unacceptable.

The Court disagreed with these arguments, stating that there is no legal basis for requiring Deutsche Telekom AG to delete IP addresses immediately, and that IP addresses are necessary for invoicing purposes under the German Telecommunications Act.

In addition, the Court argued that the claimant had overlooked some aspects of his contractual relationship with the provider.  His subscription covered a combination of services for a flat fee, and allowed him to use his login to use other telecommunications accounts and access techniques.  These supplemental services may generate additional costs that must be calculated and documented by the service provider using stored IP addresses.  If the IP addresses were deleted right after the Internet connection ended, it would be impossible for the provider to allocate and invoice the supplemental services to the appropriate subscriber.

The retention of IP addresses also is permitted for security and technical reasons.  According to the provisions of the German Telecommunications Act, the retention of Internet traffic data is permitted to identify, limit or remedy disturbances or errors in a telecommunications system.  If the IP addresses were deleted immediately, it would be nearly impossible for a provider to resolve certain technical issues.  The claimant failed to demonstrate that the immediate deletion of IP addresses would not have an adverse effect on invoicing and detection of technical disturbances, thus the seven-day retention period agreed with the German federal DPA could not be challenged.

The Higher Regional Court’s decision is now on appeal to the German Federal Court of Justice (Az.: III ZR 146/10).

For further information on the judgment, please contact Dr. Jörg Hladjk in the Brussels office of Hunton & Williams.

Although the CNIL’s inspections are ongoing, preliminary findings reveal that Google collected passwords to users’ email inboxes as well as email content, and may have used this data for other services such as Google Maps and Google Latitude.  The report indicates that the CNIL is the first DPA in the world to obtain data collected by Google Street View, and that it appears Spanish and German authorities have made similar demands.

According to the CNIL, these findings confirm its conclusion that Google’s activities involving Latitude constitute a form of “processing” being carried out on French soil.  Accordingly, the CNIL reminded Google that it must comply with the French Data Protection Act by registering its data processing activities related to Google Latitude.  Google faces criminal sanctions if the CNIL’s investigation concludes that it collected personal data illegally.

The CNIL's full report is available (in French) on its website.

According to the DPA, clouds located outside the European Union are per se unlawful, even if the EU Commission has issued an adequacy decision in favor of the foreign country in question (for example, Switzerland, Canada or Argentina).  A Commission adequacy decision does not confer “agent” status, which normally would privilege such transfers, on entities located in the adequate jurisdiction.  The recipient entities remain “third parties” which means that a transfer in the legal sense takes place and therefore a legal basis is required.  The potential legal basis under German law (“fulfillment of contract” or “balancing of interests test”), however, requires that the transfer is also “necessary.”  The DPA is of the opinion that there are no arguments that the use of a cloud located outside the EU is compulsory. 

This result may be avoided, however, if the German rules on commissioned data processing are applied by analogy and by using an EU-approved model contract for controller-processor data transfers, so long as the German requirements for data processor agreements are also followed. 

The DPA’s opinion further states that self-certification to the U.S. Department of Commerce’s Safe Harbor framework alone does not provide an adequate level of protection in the cloud context.  Accordingly, reliance on certification to the Safe Harbor should not be used to circumvent the more strict EU legal requirements applicable to cloud computing. 

In addition, the DPA indicates that, because SAS 70 Type II Certificates used by some cloud providers do not contemplate the material and procedural interests of data subjects, such certifications offer only partial compliance with German legal requirements for commissioned data processing. 

The opinion concludes by suggesting that binding corporate rules are also an appropriate tool for companies seeking to implement a cloud solution.

For further information on the opinion, please contact Dr. Jörg Hladjk in the Brussels office of Hunton & Williams.

In addition, the Report highlights the following topics:

• In the context of international data transfers, the Report describes the increasing effectiveness of Binding Corporate Rules (“BCRs”) through the “mutual recognition” principle, adopted by nineteen data protection authorities (“DPAs”).  In 2009, the CNIL approved BCRs for three companies and is currently reviewing seven others.  In 2010, the CNIL expects to receive approximately ten BCR applications coordinated by other DPAs.
• When transferring personal data to the U.S. in the context of pre-trial discovery proceedings, it is important to comply with the Data Protection Act and other applicable French laws.  In 2009, the CNIL issued guidelines explaining to companies based in France how to comply with these rules.
• Faced with an increase in offshore activities, the CNIL recently simplified its approval procedure for transfers of personal data outside of the European Union.  Now the President or Vice President of the CNIL may approve basic international transfers, although transfers of sensitive data continue to require the approval of the full college of commissioners. 
• The CNIL also conducted an analysis of developing outsourcing activities (particularly in the context of cloud computing) and participated in the preparation of an opinion regarding the concepts of “controller” and “processor” recently issued by the Article 29 Working Party.
• In light of a recent decision by the French Court of Cassation, which found that a company’s whistleblowing procedure, although approved by the CNIL, was illegal due to its unrestricted scope, the CNIL intends to conduct hearings in 2010 to consider  modifying its 2005 authorization process for whistleblowing procedures.
• In 2009, the CNIL received more than 4,265 complaints and 68,185 data processing registrations.  It also conducted 270 on-site inspections, which constitutes a 24 percent increase over 2008.  Recently, the CNIL released its 2010 inspections report which indicates that it plans to conduct at least 300 inspections over the course of 2010.

Read the CNIL’s full report (in French).
Read our coverage of the CNIL’s 2008 Activity Report. 

An October 2009 report by the German consumer protection magazine Stiftung Warentest led to an investigation which revealed that agents had been instructed to analyze customers’ account data prior to contacting them to offer new financial products.  Deutsche Postbank, which acquires customers through Postbank Finanzberatung AG, was accused of having disclosed the account transaction data to Postbank Finanzberatung’s network of self-employed agents who had been asked to analyze certain customer account transactions.  Technical measures were put in place to block agents from accessing the data as of November 2009.

View the DPA’s press release (in German).

The letter was highly critical of Google’s implementation of its social networking site, Google Buzz, in February of this year.  When it was launched, the social networking application operated by selecting popular email contacts from Gmail, Google’s private, web-based email system, and allowing them to be made public over Google Buzz by default.  Critics argued that Google had exposed personal information to the public without seeking users’ permission.  Google responded to the outcry by revising Buzz to allow users to regulate access to their contact lists.

The regulators further questioned whether Google adequately examines privacy issues prior to launching products.  The letter stated that “it is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise.  Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world.”

The letter calls on Google to set an example for others to follow, requesting that Google incorporate fundamental privacy principles directly into the design of new online services.  This would include policies such as:

• collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
• providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
• creating privacy-protective default settings;
• ensuring that privacy control settings are prominent and easy to use;
• ensuring that all personal data is adequately protected, and
• giving people simple procedures for deleting their accounts and honoring their requests in a timely way.

In closing, the authorities stated that they would like a response from Google, “indicating how Google will ensure that privacy and data protection requirements are met before the launch of future products.”

In addition to publishing the letter, the signatories held a press conference on April 20, 2010, to discuss the issue further.  Below are some highlights from the press conference.

• The data protection authorities noted that Buzz was not an isolated case, and that Google is not the only company to have engaged in this kind of practice.  They said they are looking to Google to be a leader going forward by incorporating the above-listed principles from the beginning rather than waiting to respond to complaints.
• They recommended that “privacy by design” processes be incorporated throughout the life cycle of a product or service, from the design and development stages through marketing and sales.
• They emphasized the fact that, while the Internet is global, privacy enforcement is local, and signaled that they plan to act jointly in the future to further fundamental international privacy values.

The full text of the letter can be found on the Canadian Privacy Commissioner’s website.

The CNIL also intends to focus on certain business sectors and concerns, such as:

• the airline industry, including customer relations (customer databases, mileage programs, “no-fly” lists, passenger name record data), airport security (body scanners, cameras in airports) and biometric passports;
• the real estate industry, including the collection of personal data by real estate agencies, test screenings, blacklisting and discriminatory practices;
• the protection of minors, including verifying the collection of personal data about minors, particularly in the context of direct marketing to minors by online merchants; and
• the use of closed-circuit television (“CCTV”) for video surveillance, including verifying that such surveillance systems comply with the Data Protection Act and respect the privacy rights of individuals.

In 2009 the CNIL conducted 270 on-site inspections, representing a 27% increase over 2008.  According to the CNIL, this increase in inspections and more effective enforcement is a result of a strengthening of the CNIL’s powers in 2004.  Of the 270 inspections, 22% led to warnings or sanctions and 85% of the inspections targeted private sector entities.  The CNIL also noted that 92% of the organizations it inspected had not appointed a data protection officer.

More information about the CNIL’s agenda for 2010 may be found (in French) on the CNIL’s website.

In its decision, the Court ruled on several provisions of a legislative bill (the “Bill”) aimed at combating acts of group violence and protecting public servants.  This Bill would have authorized the owners of buildings to provide live, closed-circuit video surveillance images of a building’s common areas to local or national law enforcement authorities in the event that activities taking place on the premises might require police intervention.  The Court ruled against this provision on the grounds that it did not provide the safeguards necessary to protect the privacy rights of individuals living in the buildings.

Following the Court’s ruling, the French Data Protection Authority (the “CNIL”) took the opportunity to restate that video surveillance images are considered “personal data” since they allow for the identification of individuals.  Consequently, any video surveillance using a system that is installed on the private premises of a building (e.g., in hallways, staircases or elevators) constitutes a data processing activity within the scope of the Data Protection Act and requires prior notification to the CNIL.

View the full text of the Court’s decision and the CNIL’s comments (both in French).

At the federal level, data processing by public bodies is supervised by the Federal Commissioner for the protection of personal data and freedom of information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit).  At the regional level, supervision is carried out by the commissioners responsible for regional data protection (Landesdatenschutzbeauftragte).  These commissioners are responsible solely to their respective parliaments and normally are not subject to any scrutiny, instruction or other influence from the public bodies they supervise.  However, the organization of the authorities responsible for supervising private entities’ data processing varies among the regions, and all the laws at the regional level expressly subject those supervisory authorities to state scrutiny.

In the judgment, the European Court of Justice emphasized that the EU Data Protection Directive requires “complete independence” of the work of the competent DPAs.  It held that the Federal Republic of Germany had implemented this requirement incorrectly by subjecting the DPAs to state control.  In this regard, the Court’s opinion differed from the view of Advocate General Mazák, who stated in October 2009 that state supervision over DPAs does not mean the DPAs cannot execute their work completely independently.  In contrast, the European Court of Justice held that the DPAs for the private sector should not be subject to any outside influence.

Even before the Court’s decision, some of the German federal states had already begun to reorganize the responsibilities for supervision of data protection and to unify supervision.  This judgment will force the remaining federal states to do so as well, and could lead to an overhaul of the organization of DPAs in Germany.  Moreover, the judgment will most likely also have broader implications across Europe, given that a number of DPAs in other Member States are also not believed to work with complete independence.  Reorganization of DPAs to give them more independence could also result in more compliance and enforcement actions, and may raise the threshold for the European Commission to issue adequacy decisions concerning the level of data protection in other countries.

Dr. Jörg Hladjk, an associate in the Brussels office of Hunton & Williams, discussed the decision in an article published in the BNA’s Privacy Law Watch™ on March 10, 2010.

The case, which is the first of its kind, was brought by a public prosecutor in Milan and did not involve Italy’s data protection authority, the Garante.  It calls into question the interpretation of European privacy laws as it appears to suggest that employees of organizations that provide services such as Google Video and YouTube, may be found criminally responsible for content that users upload, even though they have no control over such content.  The case also suggests that hosting and social networking providers may no longer rely on the EU safe harbor that absolves them of liability for the content posted on their websites, provided they remove unlawful content as soon as they are notified of its presence.

Concerns also have been expressed with respect to the impact of the ruling on the principles of freedom on which the Internet was founded, including freedom of speech and freedom of information.  Arguably, if hosting and social networking providers are required to screen or vet all content uploaded to their websites, such freedoms are jeopardized, as is the very existence of such organizations.  In the words of Richard Thomas, the UK’s former Information Commissioner and Senior Global Privacy Advisor to Hunton & Williams, the case is “ridiculous” and “it is unrealistic to expect firms to monitor everything that goes online.”

Update: The Italian Judge's full opinion was released April 12, 2010.

The following are the major findings of the study:

At the European level:

• As confirmed by the European Court of Justice in the Promusicae (Productores de Música de España (Promusicae) v. Telefónica de España SAU (C-275/06)) and Tele2 (LSG-Gesellschaft zur Wahrnehmung von Leistungsschutzrechten GmbH v. Tele2 Telecommunication GmbH (C-557/07)) cases, there is no direct legal conflict between the European legal framework for data protection and online copyright enforcement.
• However, the Court’s decisions leave open several important questions, such as how to apply the proportionality principle in practice and how to strike a fair balance between the various rights involved (i.e., data protection and the right to property).  These issues thus seem to be left to the Member States, and there is little or no harmonization of them at the EU level.

At the Member State level:

• IP addresses are generally considered by DPAs and courts to be personal data, although courts in some countries (e.g., France) have taken conflicting positions on this issue.
• IP addresses are generally considered to be traffic data, which means that they may only be processed in a limited number of circumstances and for specific purposes (such as billing and invoicing), and that consent is generally required to process them for other purposes (such as online copyright enforcement).
• IP addresses processed in the context of online copyright enforcement may be considered to be sensitive data (judicial data), except in Spain.
• ISPs cannot store IP addresses for the specific purpose of online copyright enforcement (except in France, where retention for the purpose of making information available to certain governmental authorities is allowed).
• The processing of IP addresses by ISPs to pass on infringement warning notices is generally prohibited or subject to strict restrictions.
• The general monitoring of P2P networks by right holders resulting in the creation of a database of potential copyright infringers is usually prohibited.
• The disclosure of P2P users’ identities by ISPs to judicial authorities in the context of criminal proceedings is generally authorized.
• The disclosure of P2P users’ identities by ISPs to right holders for civil enforcement is generally restricted by data protection law.  In particular, ISPs generally may not disclose P2P users’ identities to right holders outside the context of judicial (administrative) proceedings.
• In most Member States, it seems that little consideration was given to the interaction between data protection rules and implementation of the IP Enforcement Directive.

As the study demonstrates, the relationship between data protection law and online copyright enforcement is far from being settled.  This issue will certainly be discussed in the coming months during the ongoing debate on the review of the General Data Protection Directive at the European level, and in the context of the debate around possible graduated response mechanisms at the national level.

In its press release, the German DPA made the following points:

1. Asking for a cause of illness in this context is lawful only for one of four purposes: (i) to alleviate contamination risk; (ii) to eliminate the causes of an employee’s disease; (iii) to ascertain whether an employee returning from sick leave is still fit to do his or her job; or (iv) to assign to the employee a position more appropriate to his or her health condition.  A review of Müller’s records indicated that the data collection was at least partly illegal because there was no justification for the questioning in most cases.
    
2. The employees were not properly informed about their data protection rights prior to being asked to complete the post-sick leave form.  The employer should have disclosed (i) what types of information employees are obliged to provide, (ii) what types of information employees may choose whether to disclose based on their own interests, and (iii) what would happen with the information provided.
    
3. Regardless of whether the cause of sickness was lawfully requested for one of the four purposes outlined above, or voluntarily disclosed by employees, it was not necessary to retain the information on a printed form to forward to the HR department or to store the information in electronic records.  This data processing was illegal, and retaining cause of illness data in HR files constitutes a major breach of data protection law.  Further, the records should not have been forwarded by the individual entities to the central HR department in the absence of detailed written agreements with Müller Ltd. & Co. KG.
    
4. The company had failed to appoint a Data Protection Officer (“DPO”) for nine of the entities as is required by law based on the number of employees involved in the processing of personal data.

In response, in April 2009, the Müller Group (i) suspended its illegal data processing practices, (ii) appointed a DPO for all entities, (iii) promised to delete the health data from its files, and (iv) made a commitment to comply with data protection law in the future.  These remedial measures did not, however, prevent the DPA from imposing on the two largest Müller entities, Müller Ltd. & Co. and MH Müller Handels GmbH, a fine amounting to €137,500 for illegal retention of health-related data and failure to appoint a DPO.

View the Baden-Wurtemberg DPA’s press release (in German).

In the resolution, the DPAs specify that website operators must comply with the provisions of the German Telemedia Act (“TMG”) when creating user profiles.  According to the TMG, website operators are only allowed to create user profiles by using pseudonyms.  A user’s IP address, however, does not qualify as a pseudonym under the TMG. The resolution further states that the following TMG requirements must be met:

• Website users must have the opportunity to object to the creation of their user profiles, and website operators must honor such objections effectively.
• Pseudonymized user data may not be combined with data about the individual associated with the pseudonym. 
• User data must be deleted (1) if storage is no longer necessary for usage analysis purposes, or (2) if the user requests the deletion.
• Without the user’s consent, personal data may be collected and used only to the extent necessary to enable the use of telemedia services and for billing purposes. Any other use requires the consent of the user.
• In their privacy policies, website operators must (1) provide clear disclosure regarding the creation of pseudonymized user profiles, and (2) inform users that they have the option to object to the creation of such profiles.
• Because complete IP address data may be traced back to a user, analysis of surfing behavior using complete IP addresses (including a geo-localization) is only admissible pursuant to deliberate, explicit consent.  If the user has not given consent, the IP address must be truncated prior to analysis to eliminate the possibility of data being attributed to a specific user.

A total of 17 DPAs have now agreed to participate in the mutual recognition procedure. Members of the European Economic Area that participate include France, Germany, Ireland, Italy, Latvia, Luxembourg, Spain, The Netherlands, the UK, Cyprus, Iceland, Liechtenstein and Norway.

BCRs are a set of contractual arrangements and internal policies that allow an organization's personal data to be transferred legitimately to other entities within that organization's global corporate group. The approval, given on September 15, 2009 by the ICO, is the fifth BCR approval issued by the ICO. However, as mentioned above, this approval is the ICO's first under the mutual recognition procedure.

Read more on the BCR Authorization.

The Article 29 Working Party has issued various guidance to assist organizations with the BCR process, such as the BCR FAQs which were revised on April 8, 2009.

The Report observes that new technologies developed in recent years now enable companies and organizations to track and trace individuals in various ways over space and time, retaining “digital memories” of the personal data collected. Various technologies, such as videosurveillance, RFID, geolocalization and Bluetooth, are used for different purposes (e.g., security, transportation, advertising, etc.), which may have an impact on an individual’s right to privacy. Furthermore, perceptions of risk have changed – younger generations tend to be less aware of the threats that some websites, such as blogs or social networks, may pose to their privacy.

The Report advocates developing adequate and sustainable solutions to deal with the specific challenges of our time. In particular, it recommends requiring the appointment of Data Protection Officers for companies and organizations with more than fifty employees, creating a new legal obligation for data controllers to notify the French data protection authority (“CNIL”) in the event of a data security breach, and expanding the CNIL to include a network of regional offices. The Report also advocates several points made in the CNIL’s Annual Activity Report, released May 13, including diversifying the CNIL’s financial resources, increasing its personnel and including data protection and privacy rights in the French constitution. 

These reports demonstrate the French Senate’s and the CNIL’s motivation to enhance the right to privacy at both the national and international levels. Olivier Proust, an attorney in Hunton & Williams’ Brussels office and a member of the Paris Bar, was among the legal experts who testified before the French Senate regarding the impact of new technologies on privacy issues, which is among the topics discussed in the Report. The Report and a short summary are available (in French) here. More information about the CNIL’s recently-published Annual Activity Report for 2008 is available here.

The CNIL is increasingly engaged in assisting companies to ensure individuals’ privacy rights as part of diverse technology projects like Streetview, Bluetooth advertising and implementation of an electronic pharmaceutical database.  As a natural extension of these efforts, the CNIL also has positioned itself to be a key player in the field of data protection certification through its participation in the “European Privacy Seal” labeling project and recent membership in the AFNOR Groupe (an organization for certification and security standardization).

Other key initiatives include reconciling e-discovery rules and the European data protection framework (an issue the CNIL has influenced at both a national and European level) and data security (on which point the CNIL has noted business enterprises’ lack of strong security measures).  The CNIL has signaled its intention to issue recommendations on both issues, and plans to contribute to the development of security standards in order to enhance data security awareness.  The full annual report is available (in French) here.

Kaleidoscope Ltd had published a national advertisement for a marquis ring which included a term in small print stating that “by ordering from us, you are consenting to us sharing your information with other organisations and to us or them contacting you for marketing purposes by mail, telephone, email or otherwise. If you do not wish to be contacted by us by telephone for marketing purposes, please tick this box.”

The ASA ruled that this advertisement breached the CAP Code (rules 43.4c and 43.5), as the small print stated that by responding to the promotion, consumers were not explicitly consenting to the advertiser sharing their information with other organisations who might (by whatever means) contact them directly.

To comply with the CAP Code, which reflects the requirements of the UK Data Protection Act 1998 (“DPA”) and the UK Privacy and Electronic Communications Regulations 2003 (the “Regulations”), marketers advertising within the UK or collecting personal information from individuals within the EU must gain the explicit consent of consumers (i.e., "opt-in” consent) before sending any electronic marketing or disclosing their personal details to third parties for direct marketing purposes.

In contrast, in the U.S., the Federal Trade Commission under CAN-SPAM  allows direct electronic marketing to be sent to anyone, without permission, until the recipient explicitly requests to optout. The Kaleidoscope decision reminds us that in the EU, pursuant to the Directive 2002/58/EC on privacy and electronic communications, marketers are required to obtain explicit consent from subscribers before sending electronic communications.  In addition to a positive indication of consent, the UK CAP Code provides that at the time of data collection and on each occasion that marketing communications are sent, marketers are required to provide subscribers with the opportunity to opt out of future marketing.