New EU Fundamental Rights Commissioner Reveals Privacy and Data Protection Priorities in the European Union

On January 12, 2010, Ms. Viviane Reding, Commissioner-designate for Justice, Fundamental Rights and Citizenship, was questioned during a public hearing before the European Parliament.  During this hearing, Ms. Reding revealed her priorities in the field of privacy and data protection.  “Fundamental rights and data protection will be top of the line” said Ms. Reding, who explained that she intends to incorporate the EU’s data protection rules into a modern and comprehensive legal instrument.

Ms. Reding promised that all proposed EU legislation will comply with the European Charter of Fundamental Rights (which entered into force on December 1, 2009), including the right to privacy.  Ms. Reding also announced that she would work closely with the Council of Europe on fundamental rights issues and would soon be presenting a proposal for the EU’s accession to the European Convention for the Protection of Human Rights.

When asked about the protection of personal data in international agreements (with regard to issues such as banking data, air passenger name records and body scanners), Ms. Reding replied that “our need for security cannot justify any violation of privacy” and that she would not let anyone dictate “rules that go against fundamental rights on anti-terrorism grounds.”

View the EU press release

View Ms. Viviane Reding’s answers to the European Parliament’s questionnaire.

Article 29 Working Party Issues Contribution to Consultation on the EU Data Protection Framework

On December 1, 2009, the Article 29 Working Party adopted a contribution (the “Contribution”) to the Consultation of the European Commission on the legal framework for the fundamental right to the protection of personal data (the “Consultation”).  View the full text of the Contribution, which was published today.  The Consultation was launched on July 9, 2009, to explore the challenges to personal data protection presented by new technologies and globalization.  The Consultation was also motivated by the recent adoption by the EU of the Lisbon Treaty, which will necessitate a reworking of the structure of the EU legal framework for data protection.  The Contribution’s thoughtful examination of several important data protection issues makes it one of the most significant documents that the Working Party has issued in recent years.

The Contribution maintains that the fundamental principles of European data protection law remain valid.  However, it also notes that both improvements in implementation of the existing data protection framework and changes to it should be considered, in particular regarding the following points:

  • implementation of the legal framework for data protection in the EU Member States should be improved;
  • the system for issuing “adequacy decisions” by the European Commission regarding the level of data protection in third countries should be made more efficient;
  • a provision on binding corporate rules should be introduced;
  • the position of “privacy by design” in the legal framework should be strengthened;
  • a general security breach notification regime (i.e., one not limited to telecom service providers and ISPs as is now the case) should be introduced;
  • requirements to notify data processing with national data protection authorities should be simplified or even eliminated in some cases;
  • the responsibilities of data controllers should be increased by introducing an accountability principle into the new legal framework (in this regard, the Contribution explicitly mentions the work of the Centre for Information Policy Leadership at Hunton & Williams);
  • the use of consent as a legal basis for data processing should be made more restrictive;
  • the role of the data protection authorities should be strengthened and clarified, and cooperation between the DPAs should be reinforced, particularly through improvements to the Article 29 Working Party’s working methods.

The European Commission will now evaluate all the contributions received under the Consultation and consider whether changes to the EU legal framework should be proposed.  It should be noted that any changes to the framework would likely take a minimum of five years to be enacted.

Viviane Reding Appointed New EU Commissioner for Fundamental Rights

Commissioner Viviane Reding has been chosen as Commissioner for Justice, Fundamental Rights, and Citizenship in the new European Commission that is set to take office in early 2010 (assuming approval by the European Parliament).  Ms. Reding's responsibilities will thus include data protection, including the Commission's ongoing review of the EU framework for data protection.  She is currently EU Commissioner for Information Society & Media, where she oversaw review of the e-Privacy Directive and the EU legislative framework for telecommunications.  Commission President Barroso appointed a separate commissioner for fundamental rights as part of a commitment he made to the European Parliament to give greater profile to such issues.  Commissioner Reding will share a Directorate-General with Commissioner Cecilia Malmström, who is in charge of Home Affairs (i.e., law enforcement).  It remains to be seen how appointing a separate commissioner in charge of fundamental rights (rather than having a single commissioner in charge of both law enforcement and fundamental rights, as is the case in the current DG Justice, Liberty and Security) will affect the data protection portfolio.

Federation of German Consumer Organisations Successful against Social Networks - Providers Intend to Discontinue Use of Certain Data Protection Provisions

On November 12, 2009, the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband e.V., “vzbv”), a non-governmental organization acting as an umbrella for 41 German consumer associations, announced that the social networks Xing, MySpace, Facebook, Lokalisten, Wer-kennt-Wen and StudiVZ had signed undertakings that they would discontinue use of certain terms and conditions and data protection provisions.  The vzbv had sent warning notices to the six leading social network providers regarding a number of clauses.

The main criticism from vzbv referred to general terms and conditions and data protection provisions that disadvantaged users and gave wide-ranging rights to the providers.  The provisions regarding comprehensive use of data and data processing were a primary subject of the proceedings.  These uses and processing often took place without the user’s consent and exceeded the original purpose for which the data were collected.  These practices are to be changed in the future.  The providers promised to implement amendments to the provisions by January 2010 at the latest.

The vzbv has also published a position paper that outlines what providers need to do from a user perspective.  This guidance includes, for example, that providers should ensure restrictive default settings for user profiles to more fully protect new users.  In addition, providers should assess the implications for data protection and consumer protection of new technical developments.

For more information please see the press release by vzbv (in German).

French Senate Issues New Legislation to Amend Data Protection Act: Provisions Include Breach Notice Obligation and Consent for Use of Cookies

On November 6, 2009, the French Senate proposed a new draft law to reinforce the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Draft Law”).  Following a Report on the same topic issued last spring, the Senate made concrete proposals with this Draft Law to amend the Data Protection Act.

The Draft Law requires that data controllers provide information on their data processing activities to their data subjects in a clear, specific and easily accessible manner.  Data subjects would be able to exercise their right of access more easily, including by email.  The Draft Law also distinguishes between the data subject’s right to object to the use of his/her personal data for commercial purposes and his/her right to delete his/her personal data after it has been processed.

The Draft Law also proposes an increase in the obligations of data controllers.  Organizations with more than fifty employees that either access or process the personal data are required to appoint a data protection officer.  In addition to his obligation to inform the data subjects about a data processing activity, a data controller would have to obtain a data subject’s consent to process data (including for the use of cookies), except if a legal exception applies.  Data controllers would also have to implement stronger security measures to preserve the security and confidentiality of personal data.  In particular, in case of a data security breach, a data controller would have to notify the French data protection authority (“CNIL”), which would then decide whether to inform the data subjects concerned by this breach.

Finally, passage of the law would increase the CNIL’s enforcement authority.  Fines imposed by the CNIL for violations of the law would be increased to a maximum €600,000 (instead of the current €300,000).  The CNIL’s decisions to sanction data controllers would be published more frequently.  The CNIL would further gain the right to produce written observations or to be heard in any civil, criminal or administrative court hearing.

This Draft Law will now be examined by a Committee of the Senate before it is discussed and submitted for a general vote.  Olivier Proust, an attorney in Hunton & Williams’ Brussels office and a member of the Paris Bar, was among the legal experts who were consulted by the Senate in the course of drafting the new law.  View the Draft Law in French.

International Conference of Data Protection and Privacy Commissioners

On November 4, join our privacy professionals at the 31st International Conference of Data Protection and Privacy Commissioners in Madrid, Spain.  Participate in various presentations on ways to manage the most challenging data protection issues in today’s global environment.  In addition, the International Association of Privacy Professionals (“IAPP”) will host a Data Protection and Privacy Workshop in conjunction with the conference.

Our privacy professionals will speak on the following panels:

  • Society under Surveillance? Striving for a Balance between Security and Privacy Roundtable with speakers Juan Fernando López Aguilar, President of the Committee on Civil Liberties, Justice and Home Affairs (LIBE), European Parliament; Karim Benyekhlef, Professor of Public Law of University of Montreal; Fred H. Cate, Director of the Center for Applied Cybersecurity Research, Indiana University; and Simon Davies, Director, Privacy International.
  • Companies, Privacy and International Data Flows with speakers Damon C. Greer, Department of Commerce, International Trade Administration; Jacob Kohnstamm, President of the Data Protection Authority, Netherlands; Michael Donohue, Policy Analyst, Directorate for Science, Technology and Industry, of the Organization for Economic Co-operation and Development; Christopher Kuner, Partner of Hunton & Williams and Chair of the Data Protection Task Force, International Chamber of Commerce; and Kamlesh Bajaj, CEO of the Data Security Council of India.
  • Privacy and Corporate Responsibility with speakers Bojana Bellamy, Global Data Privacy Compliance Lead of Accenture; Sandra Hughes, Global Privacy Executive of Procter & Gamble; Martin Abrams, Executive Director of the Centre for Information Policy Leadership, Hunton & Williams; Fran Maier, Executive Director and President of TRUSTe; and Willemien Bax, Deputy Director General of European Consumers’ Organization.

Deutsche Bahn Accepts € 1.1 Million Fine Imposed for Violation of Data Protection Law

On Friday, October 23, 2009, the German railway operator Deutsche Bahn AG announced that it would pay a fine of over € 1.1 million that was imposed on October 16, 2009 by the Berlin data protection authority.  This fine is the highest ever imposed by a German data protection authority.  The imposition of this fine follows a major data protection scandal that reportedly broke out within the company.  From 2002 to 2005, Deutsche Bahn had screened a large quantity of employee data and compared it to supplier data in an effort to combat corruption, but without specific suspicions related to individual employees.  In addition, the regulator considered activities by the company's security department from 2006 to 2007, which included monitoring the email communications of all employees who used external email accounts at work.  The purpose of this monitoring was to identify communication with journalists and employees of members of the federal parliament to detect which employees may have disclosed company information.  At the time it broke, the scandal cost the CEO and several top managers their jobs.  Thereafter, a major restructuring was undertaken within the company.  In addition to the changes in top management, a separate position was created at the CEO level for compliance, data protection and legal affairs.  Furthermore, it was agreed with the works council that the company will develop new guidelines for HR data protection by the end of November.  More information is available from the Berlin data protection authority's press release (in German).

UK Regulator Approves Hyatt Hotels BCR - First Approval under the Mutual Recognition Procedure

On September 23, 2009, the Information Commissioner's Office (the "ICO"), the UK's data protection regulator, issued a press release announcing the approval of the Hyatt Hotels Corporation's binding corporate rules ("BCR") under the new mutual recognition procedure. Hyatt is the first UK applicant to receive approval under the mutual recognition procedure.

Mutual recognition was devised to speed up the process of BCR approval by EU Data Protection Authorities ("DPAs"). Under "mutual recognition," one EU Member State's DPA acts as the lead authority on a company's BCR application. Once approved by the lead authority, the other participating members of the procedure automatically approve the BCR application.

A total of 17 DPAs have now agreed to participate in the mutual recognition procedure. Members of the European Economic Area that participate include France, Germany, Ireland, Italy, Latvia, Luxembourg, Spain, The Netherlands, the UK, Cyprus, Iceland, Liechtenstein and Norway.

BCRs are a set of contractual arrangements and internal policies that allow an organization's personal data to be transferred legitimately to other entities within that organization's global corporate group. The approval, given on September 15, 2009 by the ICO, is the fifth BCR approval issued by the ICO. However, as mentioned above, this approval is the ICO's first under the mutual recognition procedure.

Read more on the BCR Authorization.

The Article 29 Working Party has issued various guidance to assist organizations with the BCR process, such as the BCR FAQs which were revised on April 8, 2009.

German Data Protection Authority Issues € 36,000 Fine Against Lidl for Collection of Employee Health Data

On August 19, 2009, the state DPA in North Rhine-Westphalia fined a subsidiary of the discount supermarket chain Lidl € 36,000 (approximately $51,000) for illegally keeping records of employee health data.

The case was triggered by a report in the German news magazine Der Spiegel.  A Bochum resident found papers and forms containing Lidl employees' health data in a trash bin at a car wash and forwarded them to the magazine.  Subsequent investigations revealed that at least four Lidl branches in North Rhine-Westphalia were using a form to record data about employees' medical conditions, partly without their knowledge.  This activity was found to violate data protection law in many cases.

Click here for a press release issued by the German Data Protection Authority (in German).

RAND Report Commissioned by the UK Information Commissioner's Office

The UK Information Commissioner's Office has published a review of the strengths and weaknesses of the EU Data Protection Directive, commissioned from RAND Europe.

The concept of such a review was highly radical when first proposed. It provoked the promise of a similar study from the European Commission and generated much debate as to whether, and if so when, the Directive itself might be reviewed. The conclusions of the RAND study are much less radical than anticipated but more likely, as a consequence, to stimulate constructive debate within Europe as to the future shape of data protection law. Whilst not endorsing the RAND study, in April 2009, the European Privacy and Data Protection Commissioners' Conference discussed the themes raised by RAND and issued a declaration committing to contribute to the ongoing debate concerning the future of data protection law, including better implementation and enforcement of the existing legal framework.

The RAND study concludes that the "widely applauded" principles contained in the Directive remain the touchstone for good data protection regulation. However, the implementation and enforcement of these principles require fresh thinking. Excessive bureaucracy and prescriptive criteria for data protection compliance, at the expense of a flexible, harms-based approach, are one example of how out of date local implementation of the Directive has become.

The study includes a number of recommendations for improvement, working within the framework of the existing Directive, but leading ultimately to an outcomes based regulatory model for the future.

It may be less radical than many had hoped, but there is much within RAND which will stimulate debate. It represents merely the starting point for future discussion.

To access the RAND study, please click here.  To read the summary of the study, which includes a foreword by Richard Thomas and the EU Commissioners' Declaration, please click here.

Data Breach: Identity Theft Risk Insufficient to Support Claims

The mere increased risk of identity theft following a data breach is sufficient to give the data subjects standing to bring a lawsuit in federal court but, absent actual identity theft or other actual harm, claims against the data owner and its service provider for negligence and breach of contract cannot survive, a federal judge ruled this month.  Ruiz v. Gap, Inc., et al., No. 07-5739 SC (N.D. Cal. April 6, 2009).

Plaintiff Joel Ruiz brought a putative class action against Gap, Inc. and its service provider Vangent, Inc. after a thief stole a laptop computer from Vangent containing unencrypted Social Security numbers and other personal information of Ruiz and approximately 750,000 other Gap job applicants.  Shortly after the theft, Gap notified Ruiz and the other applicants of the breach and offered them 12 months of free credit monitoring and fraud assistance.  Ruiz sought damages under various theories, including negligence (failure to exercise due care to protect the data) and breach of contract (breach of the security provisions of Gap’s contract with Vangent, under the theory that Ruiz was a third-party beneficiary of the contract).

Ruiz did not experience identity theft, but he claimed that the increased risk of identity theft supported his claims.  With respect to the negligence claim, the Complaint stated, “Plaintiff and the Class have suffered damages; they have spent and will continue to spend time and/or money in the future to protect themselves as a result of Defendants' conduct,” and the contract claim was supported with nearly identical language.  Defendants moved for summary judgment.

On the issue of standing, the court held that the increased risk of identity theft indeed constituted “an invasion of a legally protected interest which is (a) concrete and particularized ... and (b) actual or imminent, not conjectural or hypothetical” and that Ruiz met the basic threshold to bring a case in federal court.  Unfortunately for the plaintiff, merely stepping through the proverbial courthouse door is not enough to win a case, and he did not get much further than that.

Dismissing the negligence claim, the court noted that Gap had already offered one year of credit monitoring and that any potential risk not mitigated by that monitoring did not amount to the sort of “appreciable, nonspeculative, present harm [that] is an essential element of a negligence cause of action” under California law.

The contract claim suffered the same fate, as the Court explained that “a breach of contract claim requires a showing of appreciable and actual damage,” and “[b]ecause Ruiz has not been a victim of identity theft, he can present no evidence of appreciable and actual damage as a result of the theft … .”  Ruiz argued that the costs he independently paid for credit monitoring are compensable because they constitute his attempt to mitigate damages, but the court held that “Ruiz has no actual damages to mitigate since he has never been a victim of identity theft.”

Judgment was entered for the defendants.

Online Behavioral Advertising Attracts Attention in Europe

Various authorities, both at a European and a national level, are currently addressing the issue of online behavioral advertising. On March 31, 2009, Meglena Kuneva, the European Commissioner for Consumer Affairs, gave a keynote address in Brussels in which she raised the issue of online behavioral advertising and addressed the need to enhance consumer protection related to the practice. While recognizing the numerous beneficial applications for consumers made possible by the Internet, Kuneva expressed her concern that the World Wide Web could become the “world wide west” and called for a better balance between the interests of businesses and consumers. The full text of Ms. Kuneva’s address is available here.

This issue has also attracted attention at the national level and is currently being addressed in some Member States. On March 26, 2009, the French Data Protection Authority (CNIL) issued a report on online behavioral advertising stating that current business models are, in many aspects, a threat to privacy and do not comply with the French Data Protection Act. The CNIL called for more transparency, clear and user-friendly privacy notices, and more wide-spread collection of explicit consumer consent to behavioral advertising. The CNIL also encouraged businesses to adopt a code of conduct and to develop more effective tools that would allow Internet users to have control over information about them. The full report is available (in French) here.

Finally, the French Senate recently completed a study on online tracking and tracing devices and their impact on people’s privacy. The Senate organized a hearing with various stakeholders in which it addressed the question of existing and future tracking technologies and how these technologies can be better addressed in the context of the French Data Protection Act. The Senate is expected to issue a public report in the near future, which may contain legislative proposals to amend the French Data Protection Act.

US-Swiss Safe Harbor Framework in Force

On February 16, 2009, the US-Swiss Safe Harbor Framework, which is comparable to the EU-US Safe Harbor Framework, was adopted. The US-Swiss framework is intended to simplify the transfer of personal data by Swiss companies to American companies that are self-certified with the US Department of Commerce (DOC). Self-certified US companies are bound by the principles contained in the framework. They will automatically be considered as providing an adequate level of data protection under Swiss law. To read more and for more EU data protection updates, please click here.

Belgian Criminal Court Fines Yahoo for Non-Disclosure of Personal Data to Public Prosecutor

On 2 March 2009, a Belgian criminal court (Tribunal correctionnel de Termonde, No. DE 20.95.16/08/25) fined Yahoo! Inc. €55,000 ($71,745) for refusing to disclose to a Belgian Public Prosecutor the personal data of its e-mail users who were under criminal investigation for fraud. The criminal court also imposed a daily penalty of €10,000 ($13,045) in case of non-compliance with the judgment.  This decision was reached despite Yahoo!’s argument that Belgian law did not apply because the company does not maintain a legal entity in Belgium and does not store any customer data in Belgium.

In the context of a criminal investigation for fraud, the Belgian Public Prosecutor of Termonde had requested the disclosure of detailed account information to identify e-mail users using pseudonyms on their Yahoo! email accounts.  Yahoo! refused to disclose such information. The Belgian criminal court held that Yahoo! had violated Article 46bis of the Belgian Code of Criminal Procedure (Code d’instruction criminelle), which imposes on electronic communication service providers a duty to cooperate with a Public Prosecutor and to provide the identity of their users when requested by a Public Prosecutor in the course of a criminal investigation.

As mentioned above, Yahoo! argued that Belgian law did not apply because there is not a Yahoo! legal entity in Belgium and Yahoo! does not store any customer data in Belgium. Furthermore, Yahoo! argued that the Belgian Public Prosecutor had failed to issue a formal request in accordance with the procedures established by the Treaty on Mutual Legal Assistance on Criminal Matters, signed between the United States and Belgium on 1 January 2000. Following the ruling, Yahoo! appealed the judgment of the Criminal court on 3 March 2009.

French Court of Cassation Rules on Data Protection and Online Copyright Infringement

In SACEM v. Cyrille Saminadin (Cour de Cassation, chambre criminelle, 13 janvier 2009), the SACEM (a representative body of authors, composers, and music editors) asked one of its agents to carry out an investigation and to collect evidence of copyright infringements on a peer-to-peer network. After selecting a peer-to-peer network, the agent manually typed in the title of a song belonging to one of the rights holders and searched for all available files corresponding to this title. The agent then randomly selected one of these files and saved all the information relating to it (IP address, country of origin, name of the internet service provider, etc.) onto a CD-ROM as evidence for use in filing a complaint. The question raised in this case was whether such activity constitutes data processing requiring the prior authorization of the French Data Protection Authority (CNIL).

The French Intellectual Property Code provides that, apart from reports prepared by police investigators, evidence of copyright infringement may be adduced by the provision of a statement from a sworn agent designated by the rights holders’ representative bodies. Under Article 9 of the French Data Protection Act, processing relating to offences, convictions, and safety measures may be undertaken by the rights holders’ representative bodies and by sworn agents on behalf of rights holders or on behalf of victims of copyright infringements, and for the purpose of ensuring the defense of these rights. However, Article 25 of the same Act requires that such processing, whether automatic or not, be authorized by the CNIL.

On 22 May 2008, the Court of Appeal of Rennes rejected the statement issued by the SACEM agent on the grounds that he had not obtained the prior authorization of the CNIL to collect, preserve, and record a web user’s IP address. On 13 January 2009, the Court of Cassation quashed this decision. The Court of Cassation considered that a sworn agent who manually accesses an individual’s list of files uploaded onto a peer-to-peer network in violation of copyright, without using an automatic monitoring device, does not require prior authorization from the CNIL. The act of collecting an IP address for the purpose of obtaining an individual’s identity through his internet service provider falls within the powers of a sworn agent and does not constitute data processing. The Court of Cassation did not express a view as to whether an IP address qualifies as personal data. The full text of this decision can be found here (in French).

ECHR Rules on Disclosure of Web Users' Identity

On December 2, 2008, the European Court of Human Rights (ECHR) ruled in K.U. v. Finland that Article 8 of the European Convention on Human Rights requires national laws to protect individuals from serious online privacy infringements, but also that the national legal framework must allow for the identification and prosecution of offenders. This case involved an advertisement of a sexual nature, which was placed on an Internet dating site on behalf of the applicant, who was twelve years old at the time, without his knowledge.  To read more on this and for additional EU data protection updates, please click here.

Barcelona Initiative - A Harmonized International Data Protection Code

The Centre for Information Policy Leadership’s Executive Director, Marty Abrams, brings you these thoughts on a recent data protection summit in Barcelona.

Harmonized international data protection rules have been privacy’s Holy Grail since the EU Directive was enacted in 1995. Harmonized, globally recognized rules would simplify life for privacy protection authorities and companies. Numerous efforts have been undertaken to create a harmonized code. The most recent, an international standards project led by the Spanish Data Protection Commissioner, began on January 12 as international privacy experts met in Barcelona. The Spanish Data Protection Commissioner leads the project, and the finished product, a harmonized privacy code that will be the basis for a data protection treaty, will be a centerpiece of the 31st International Conference of Data Protection and Privacy Commissioners in November 2009 in Madrid.

The Barcelona meeting focused on a draft standards document developed by the Spanish Data Protection Authority, Agencia Española de Protección de Datos.  The document integrates many of the elements from the OECD Privacy Guidelines, Council of Europe Convention, EU Directive and APEC Privacy Framework.  In its 30 sections, the document recognizes almost every concept found in this existing guidance.

Among the goals of the project begun in Barcelona is to produce a document that promotes fair processing of data worldwide. In fact, the goal of all privacy laws is fair processing of data. But what constitutes fair processing is colored by culture. Sometimes, what is fair in one location will not be considered fair in another.

Basic principles, articulated in the OECD Guidelines and the APEC Framework, form the foundation of information privacy protection everywhere. By being more general they tend to be less biased toward or away from any particular local orientation about privacy. However, more detailed laws such as the EU Directive and the implementing laws in the 27 EU member states capture details that, in some instances, reflect specific cultural mores.

For example, the Directive contains a principle about the right of individuals not to be subject to automated decisions. What is an automated decision? It is a decision driven by analytic analysis that does not require an individual’s intervention. For example, the analytic tools that protect organizations from fraud yield automated decisions. A credit card transaction is scored to determine whether it is likely fraudulent — if the transaction scores high, it is rejected. A global rule that prohibits subjecting an individual to automated decisions to prevent fraud would increase the incidence of financial loss due to fraud.

In practical terms, data protection officials exempt fraud tools, either explicitly or implicitly, from the automated decision-making provisions of most privacy laws. However, other forms of commonly automated decisions are not exempt. For example, the automated decision-making provisions clause of the EU Directive covers credit scoring. Credit scoring is the probabilistic process that predicts whether or not the terms of a new line of credit will be met.  Research conducted in the United States by the Credit Research Center and others has demonstrated that scoring algorithms establish the basis for more consistent decisions than people do. In the United States, consumer protection laws ensure that credit scoring is fair. The United States Federal Trade Commission determined that fair processing is reflected in the more accurate decisions that come from credit scoring.

I buy into the concept of privacy as a fundamental interest of all individuals. But when the day is done, local rules reflect cultural sensitivities. The process led by Spain needs to take this into consideration. A code should harmonize key concepts, and mandate respect for local rules.
Peter Hustinx, the European Union’s Data Protection Supervisor, has suggested the first step toward a harmonized code would be a feasibility study.  I would concur. I believe the process in anticipation of the November meeting in Madrid might better focus on the key structural concepts that are common everywhere and on a mechanism for assuring respect for fair processing concepts that are culturally based.

EU: Article 29 Working Party Issues Toolkit on Binding Corporate Rules

On October 1, 2008, the Article 29 Working Party issued a toolkit on Binding Corporate Rules (BCRs) aimed at promoting them as a mechanism for transferring data to countries without an adequate level of data protection. The toolkit includes: (1) a table highlighting the elements and principles to be found in BCRs (WP 153); (2) a document setting up a framework for the structure of BCRs (WP 154); and (3) a revised version of the FAQs on BCRs (WP 155). The toolkit also announced the creation of a mutual recognition procedure between nine national data protection authorities. For more EU data protection updates, please click here.