European Court of Justice Rules on German DPA System

On March 9, 2010, the European Court of Justice ruled that the Federal Republic of Germany’s practice of “state supervision” over data protection authorities violates EU Data Protection Directive 95/46/EC.  The case, brought by the EU Commission, is a milestone which will force Germany to change the structure of its DPA system and could have ramifications in other countries as well.

The Court’s decision is based on Article 28(1) of the Directive, which requires that data protection authorities (“DPAs”) act with “complete independence.” German law makes a distinction with regard to DPA supervision depending on whether the data processing is carried out by public or non-public bodies.  There are therefore different authorities responsible for monitoring public entities’ compliance with data protection provisions versus those that monitor compliance by private parties and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) outside the public sector (such as transportation and utility companies).

At the federal level, data processing by public bodies is supervised by the Federal Commissioner for the protection of personal data and freedom of information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit).  At the regional level, supervision is carried out by the commissioners responsible for regional data protection (Landesdatenschutzbeauftragte).  These commissioners are responsible solely to their respective parliaments and normally are not subject to any scrutiny, instruction or other influence from the public bodies they supervise.  However, the organization of the authorities responsible for supervising private entities’ data processing varies among the regions, and all the laws at the regional level expressly subject those supervisory authorities to state scrutiny.

In the judgment, the European Court of Justice emphasized that the EU Data Protection Directive requires “complete independence” of the work of the competent DPAs.  It held that the Federal Republic of Germany had implemented this requirement incorrectly by subjecting the DPAs to state control.  In this regard, the Court’s opinion differed from the view of Advocate General Mazák, who stated in October 2009 that state supervision over DPAs does not mean the DPAs cannot execute their work completely independently.  In contrast, the European Court of Justice held that the DPAs for the private sector should not be subject to any outside influence.

Even before the Court’s decision, some of the German federal states had already begun to reorganize the responsibilities for supervision of data protection and to unify supervision.  This judgment will force the remaining federal states to do so as well, and could lead to an overhaul of the organization of DPAs in Germany.  Moreover, the judgment will most likely also have broader implications across Europe, given that a number of DPAs in other Member States are also not believed to work with complete independence.  Reorganization of DPAs to give them more independence could also result in more compliance and enforcement actions, and may raise the threshold for the European Commission to issue adequacy decisions concerning the level of data protection in other countries.

Dr. Jörg Hladjk, an associate in the Brussels office of Hunton & Williams, discussed the decision in an article published in the BNA’s Privacy Law Watch™ on March 10, 2010.

European Parliament Rejects the SWIFT Agreement

On February 11, 2010, the plenary of the European Parliament rejected by a vote of 378 to 196 the agreement reached in 2009 between the EU and the U.S. to allow access by U.S. law enforcement authorities to the payment database of the financial consortium SWIFT.  The agreement had been negotiated between the EU Council of Ministers and the European Commission with the U.S. government to allow continued access to the database, a mirror copy of which had been moved by SWIFT from the U.S. to Europe.  With the Lisbon Treaty’s entry into force, the Parliament gained new powers to approve measures affecting law enforcement and civil liberties, and a number of members of the Parliament have expressed concern regarding the level of data protection provided for in the agreement.  According to news reports, several top U.S. government officials (including Secretary of State Hillary Rodham Clinton and Treasury Secretary Timothy Geithner) had been lobbying the European Parliament to approve the agreement, on the grounds that it was essential to fight terrorism in both the U.S. and Europe.

The rejection of the agreement sends the EU and the U.S. back to the drawing board to negotiate a new agreement, this time with the participation of the Parliament.  The vote illustrates the enhanced powers of the Parliament in data protection and privacy matters under the Lisbon Treaty, and the dangers that companies face when caught between U.S. law enforcement requirements on the one hand and EU data protection restrictions on the other.

UK Airports Implement Compulsory Use of Full Body Scanners

On February 1, 2010, it became compulsory for randomly selected passengers at Heathrow and Manchester airports in the UK to pass through full body scanners before boarding their flights.  This enhanced security screening has been implemented following the attempted Christmas Day terrorist attack at the Detroit airport in the United States, after which the British government announced that it would begin mandatory body scanning at all UK airports.  The move has raised concerns about the excessive collection of personal data.

The British Department of Transport has published an Interim Code of Practice covering the privacy, health and safety, data protection and equality issues associated with the use of body scanners. The Code calls for the implementation of detailed security standards and for an effective privacy policy to be put in place by airport operators. The privacy policy should include as a minimum:

  • rules regarding the location of the equipment;
  • a process for identifying who will read the screen (i.e., a person of the same sex as the person selected for scanning);
  • a process for selecting passengers (passengers must not be selected on the basis of personal characteristics such as gender, age, race or ethnic origin);
  • a prohibition on copying or transferring the images in any way;
  • instructions for the images of the passenger to be destroyed and rendered irretrievable once the image has been analyzed; and
  • a process to call on an appropriate Security Officer if an image suggests there is a viable threat to passenger or staff security.

The use of body scanners caused alarm in the privacy community when it was first mooted several years ago. The concern was that scanners could violate the European Convention on Human Rights and that their use would raise sensitivities (or even result in the commission of criminal offenses) when used to capture images of children. Towards the end of 2008, the European Commission withdrew a proposal to roll out body scanners across the EU after Members of the European Parliament called for a detailed impact assessment study. This resulted in the formation of a Body Scanners Taskforce, appointed to advise the Commission. A report, or any specific legislative proposals, have yet to be published.

The use of scanners has been discussed previously in France and Germany. In France, the proposal was dropped due to privacy concerns. The German Data Protection Commission has indicated it believes the machines infringe on the privacy of both adults and children, but the German news outlet Spiegel Online recently suggested that the machines may yet be installed in German airports following tests by Germany’s federal police.

Meanwhile, in a Canadian report published in March 2009, the Ontario Privacy Commissioner, Dr. Ann Cavoukian, approved the usage of the screening technology, commenting that as long as the scanners “incorporate strong privacy filters … [they] can deliver privacy-protective security.”
 
The British Department of Transport will continue to develop the Interim Code of Practice. The Department has announced that it will launch a full public consultation on the requirements relating to the use of scanners as set out in the Interim Code of Practice, and it will publish a Final Code of Practice later in the year. In the meantime, it is likely that additional airports in the UK and elsewhere in Europe will subject travelers to full body scans.

EU Approves New Standard Contractual Clauses for Transfers to Data Processors

On February 5, 2010, the European Commission adopted a new set of standard contractual clauses (“SCCs”) for transfers of personal data from data controllers in the EU to data processors outside the EU.  View the European Commission press release.  The clauses were negotiated over several years between the European Commission and a group of business associations led by Brussels-based Hunton & Williams partner Christopher Kuner, who is chair of the Task Force on Privacy and Data Protection of the International Chamber of Commerce.

Despite the growing popularity of other mechanisms that provide a legal basis for complying with the EU legal restrictions for transferring personal data outside the EU (such as binding corporate rules), the use of SCCs remains indispensable.  In many situations SCCs are the only “off the shelf” data transfer solution that can be used and implemented on short notice.  The Commission already published a set of SCCs for transfers to data processors that were approved in 2001, but companies have found that they do not always take business realities into account.  The SCCs can be burdensome to use in practice, in particular for the following reasons:

  • The existing SCCs do not contemplate the possibility that a data processor outside the EU may need to transfer personal data to another data processor, which happens very often in practice.
  • The SCCs can require the application of data security requirements from multiple EU Member States.
  • Many Member States impose bureaucratic formalities (notarization of signatures, annual updates, etc.) on use of the clauses.
  • There can be practical problems when using the clauses with multiple parties.
  • The SCCs contain a mandatory arbitration clause to which many companies have objected.

Although the Commission did not adopt many of the suggestions made by the business associations, thus diluting the value of the new clauses, the new SCCs do have some important advantages over the existing controller-to-processor clauses.  For example:

  • For the first time in EU data protection law, the new clauses provide a legal basis for processor-to-processor transfers.  Under the clauses, such transfers may be carried out when (1) the original data controller consents in writing, and (2) the same data protection obligations are imposed on the subprocessor as are imposed on the original data importer.  The original data importer remains liable for any data protection violations by the subprocessor.
  • The arbitration clause has been deleted.

There are two further important points with regard to the new clauses:

  • The new clauses must be used for new or changed transfers to data processors; i.e., the existing SCCs for controller-to-processor transfers may no longer be used for such transfers (but existing SCCs remain in effect).
  • The SCCs cover transfers from the EU to a data processor outside the EU, but not transfers from a data processor in the EU to a subprocessor outside the EU, although data protection authorities “may” allow use of the new clauses in such situations as well.

The full text of the new SCCs has been published in the Official Journal of the European Union.  Christopher Kuner will provide a detailed analysis in the near future.

Hunton & Williams Prepares Study for the European Commission on the Interaction between Data Protection Law and Copyright Enforcement

On February 3, 2010, Christopher Kuner, a partner in Hunton & Williams’ Brussels office and head of the firm’s EU Privacy Practice, presented to the “Stakeholders’ Dialogue on Illegal Uploading and Downloading,” organized by DG Internal Market and Services of the European Commission.  Mr. Kuner presented a study which the Hunton & Williams Brussels team prepared for the Commission on the interaction of data protection law and copyright enforcement.  The study covers both the legal framework under EU law and the situation in six selected EU Member States (Austria, Belgium, France, Germany, Spain and Sweden).  The relationship between data protection and copyright enforcement was a point of contention in the recent amendment of the EU Directive on Privacy and Electronic Communications. 

The following are the major findings of the study:

At the European level:

At the Member State level:

  • IP addresses are generally considered by DPAs and courts to be personal data, although courts in some countries (e.g., France) have taken conflicting positions on this issue.
  • IP addresses are generally considered to be traffic data, which means that they may only be processed in a limited number of circumstances and for specific purposes (such as billing and invoicing), and that consent is generally required to process them for other purposes (such as online copyright enforcement).
  • IP addresses processed in the context of online copyright enforcement may be considered to be sensitive data (judicial data), except in Spain.
  • ISPs cannot store IP addresses for the specific purpose of online copyright enforcement (except in France, where retention for the purpose of making information available to certain governmental authorities is allowed).
  • The processing of IP addresses by ISPs to pass on infringement warning notices is generally prohibited or subject to strict restrictions.
  • The general monitoring of P2P networks by right holders resulting in the creation of a database of potential copyright infringers is usually prohibited.
  • The disclosure of P2P users’ identities by ISPs to judicial authorities in the context of criminal proceedings is generally authorized.
  • The disclosure of P2P users’ identities by ISPs to right holders for civil enforcement is generally restricted by data protection law.  In particular, ISPs generally may not disclose P2P users’ identities to right holders outside the context of judicial (administrative) proceedings.
  • In most Member States, it seems that little consideration was given to the interaction between data protection rules and implementation of the IP Enforcement Directive.

As the study demonstrates, the relationship between data protection law and online copyright enforcement is far from being settled.  This issue will certainly be discussed in the coming months during the ongoing debate on the review of the General Data Protection Directive at the European level, and in the context of the debate around possible graduated response mechanisms at the national level.

Article 29 Working Party Issues Contribution to Consultation on the EU Data Protection Framework

On December 1, 2009, the Article 29 Working Party adopted a contribution (the “Contribution”) to the Consultation of the European Commission on the legal framework for the fundamental right to the protection of personal data (the “Consultation”).  View the full text of the Contribution, which was published today.  The Consultation was launched on July 9, 2009, to explore the challenges to personal data protection presented by new technologies and globalization.  The Consultation was also motivated by the recent adoption by the EU of the Lisbon Treaty, which will necessitate a reworking of the structure of the EU legal framework for data protection.  The Contribution’s thoughtful examination of several important data protection issues makes it one of the most significant documents that the Working Party has issued in recent years.

The Contribution maintains that the fundamental principles of European data protection law remain valid.  However, it also notes that both improvements in implementation of the existing data protection framework and changes to it should be considered, in particular regarding the following points:

  • implementation of the legal framework for data protection in the EU Member States should be improved;
  • the system for issuing “adequacy decisions” by the European Commission regarding the level of data protection in third countries should be made more efficient;
  • a provision on binding corporate rules should be introduced;
  • the position of “privacy by design” in the legal framework should be strengthened;
  • a general security breach notification regime (i.e., one not limited to telecom service providers and ISPs as is now the case) should be introduced;
  • requirements to notify data processing with national data protection authorities should be simplified or even eliminated in some cases;
  • the responsibilities of data controllers should be increased by introducing an accountability principle into the new legal framework (in this regard, the Contribution explicitly mentions the work of the Centre for Information Policy Leadership at Hunton & Williams);
  • the use of consent as a legal basis for data processing should be made more restrictive;
  • the role of the data protection authorities should be strengthened and clarified, and cooperation between the DPAs should be reinforced, particularly through improvements to the Article 29 Working Party’s working methods.

The European Commission will now evaluate all the contributions received under the Consultation and consider whether changes to the EU legal framework should be proposed.  It should be noted that any changes to the framework would likely take a minimum of five years to be enacted.

Viviane Reding Appointed New EU Commissioner for Fundamental Rights

Commissioner Viviane Reding has been chosen as Commissioner for Justice, Fundamental Rights, and Citizenship in the new European Commission that is set to take office in early 2010 (assuming approval by the European Parliament).  Ms. Reding's responsibilities will thus include data protection, including the Commission's ongoing review of the EU framework for data protection.  She is currently EU Commissioner for Information Society & Media, where she oversaw review of the e-Privacy Directive and the EU legislative framework for telecommunications.  Commission President Barroso appointed a separate commissioner for fundamental rights as part of a commitment he made to the European Parliament to give greater profile to such issues.  Commissioner Reding will share a Directorate-General with Commissioner Cecilia Malmström, who is in charge of Home Affairs (i.e., law enforcement).  It remains to be seen how appointing a separate commissioner in charge of fundamental rights (rather than having a single commissioner in charge of both law enforcement and fundamental rights, as is the case in the current DG Justice, Liberty and Security) will affect the data protection portfolio.

Changes to e-Privacy Directive Approved by European Parliament

On November 24, 2009, the European Parliament formally approved the European Union's telecoms reform package.  This reform, proposed by the European Commission in November 2007, consists of various EU Directives that set up the legal framework applicable to the electronic communications sector (telecoms) and includes a new e-Privacy Directive.

New provisions of the e-Privacy Directive will strengthen the protection of privacy and personal data in the electronic communication sector and include the following:

  • mandatory notification for personal data breaches applicable to electronic communication services providers (e.g., telecom providers and ISPs);
  • new regulations on cookies;
  • clarification of the scope of the e-privacy Directive; and
  • enhancement of the right of actions against spam.

The amendment to the e-Privacy Directive now seems to be final, and the telecoms package will be signed by the presidents of the European Parliament and Council.  The telecoms reform package will then most likely be enacted with its publication in the EU's Official Journal on December 18, 2009.  EU Member States will be required to implement the new legislation into their national law by June 2011.

View the press release by the European Commission.

European Commission Pursues Infringement Proceedings Against UK

On October 29, 2009, the European Commission (the “Commission”) proceeded to the second phase of infringement proceedings against the UK relating to the UK’s implementation of EU e-privacy and personal data protection laws.  EU Member States must ensure the confidentiality of communications by prohibiting interception and surveillance without the user's consent.  The Commission maintains that the UK has failed to fully implement these requirements into its national laws and has identified three specific flaws in the existing UK laws governing the confidentiality of electronic communications:

  • The UK does not have an independent national authority responsible for (i) supervising the interception of communications and (ii) complaints about unlawful interception of electronic communications, despite the requirement to this effect contained within EU laws and imposed on Member States;
  • UK national laws permit the interception of communications not only where the persons concerned have consented to interception, but also when the person intercepting the communications has “reasonable grounds for believing” that consent has been given.  The Commission believes that these provisions do not comply with the EU concept of “consent,” which must be a freely given, specific and informed indication of a person’s preferences or wishes; and,
  • under UK law, only “intentional” interception is prohibited and may be sanctioned, whereas EU laws require Member States to prohibit and sanction any unlawful interception, irrespective of whether it is intentional.

The Commission has confirmed that it is sending a “reasoned opinion” to the UK as a result of the UK government’s failure to take positive action to comply fully with the EU e-privacy and data protection laws.  The reasoned opinion will set out the grounds for the legal proceedings being taken by the Commission and will require the UK to address the issues raised by a specified date; failing to do so may result in the Commission commencing formal proceedings in the European Court of Justice.  The UK has been given two months to provide the Commission with a “satisfactory response” to the proceedings.

Editor's Note:  These proceedings originally commenced in April 2009 following numerous complaints about the use of behavioral advertising technology by internet service providers.

Landmark Conference Considers Future of EU Data Protection Directive

On May 19 and 20 the European Commission held a conference which was perhaps the most important data protection event in Brussels since the Commission conference on evaluation of the EU Data Protection Directive 95/46/EC held in 2002. The conference was part of the Commission's current evaluation of the Directive, and was designed to explore both the current status of data protection in the EU and where it is headed in the coming years. Speakers included Jacques Barrot, the European Commissioner in charge of justice, freedom and security; Alex Türk, chairman of the CNIL (French Data Protection Authority) and the Article 29 Working Party; European Data Protection Supervisor Peter Hustinx; and representatives of European academia, business and non-governmental organizations. Christopher Kuner of Hunton & Williams was among the speakers. The entire event was webcast live; video coverage will shortly be available here.

Several major themes emerged from the conference:

  • While many are calling for amendment of the Directive in areas such as notifications to data protection authorities and international data transfers, there is little consensus on what those changes should be, or how far they should go. There is also apprehension that attempts to amend the Directive may lead to unforeseen changes that could worsen the current situation. These fears may act as a kind of inertia, lessening the likelihood that the Directive will be amended.
  • Several data protection authorities made the point that they are now putting much greater effort into enforcement than they were in the past, and that they are finally being given greater enforcement powers. Thus, companies need to be aware that the data protection enforcement risk in Europe is increasing.
  • There is great interest in the increased harmonization of data protection rules, including on a global basis. The Spanish Data Protection Authority is currently leading an initiative to draft global data protection standards, with the possible goal of having the UN adopt a global convention on data protection. Additional information about that initiative is available here.

The conference will be followed by an "open consultation," which will likely take the form of the European Commission requesting that interested parties submit papers on various data protection topics. The Commission is also currently preparing a legal study on Member States' implementation of the Directive, and will make proposals on possible amendments in 2010. Possible changes to the Directive will also be influenced by whether the EU's Lisbon Treaty comes into effect early next year. In any event, the next two years will be crucial to determining the EU's future legal framework for data protection.

EU Commission Issues Recommendation on RFID, Privacy and Data Protection

On May 12, 2009, the European Commission issued a long-awaited recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (“RFID”).  The recommendation follows a process initiated in 2006 when the European Commission launched a public consultation on RFID technologies.  Following this public consultation and in order to protect consumers’ privacy and data protection, the European Commission decided to take further steps by preparing a recommendation to regulate the use of RFID.

The recommendation applies the principles of the General Data Protection Directive (Directive 95/46/EC) and of the e-Privacy Directive (Directive 2002/58/EC) to RFID technology.  In summary, the recommendation provides that:

  • Operators of RFID must immediately deactivate RFID tags automatically and free of charge at the point of sale, unless the consumer explicitly opts in by asking to keep the chip operational.  This principle is, however, subject to exceptions.
  • Consumers must be clearly informed of the use of their personal data, the type of data collected and the purpose of the processing.
  • The reading device must be clearly identified, and a contact point must be indicated if the consumer would like to receive further information.
  • A common European symbol should be developed to indicate whether a product uses a smart chip.
  • Companies and public authorities should develop a framework for privacy and data protection impact assessments.  This framework will have to be endorsed by the Article 29 Working Party.  The goal of these privacy impact assessments is to ensure that consumer privacy is protected.

Strictly speaking, this recommendation is not legally binding on European Union Member States and so is not required to be implemented. Its influence, however, should not be underestimated.  The recommendation provides that Member States should take all necessary measures to bring this recommendation to the attention of all stakeholders which are involved in the design and operation of RFID.  Member States should also inform the Commission of action taken in response to the recommendation no later than 24 months following the publication of the recommendation.  Within three years from the publication of the recommendation, the Commission will provide a report on its implementation, its effectiveness and its impact on operators of RFID technology.

The recommendation can be found here and the FAQs on RFID here.

Online Behavioral Advertising: European Commission launches infringement proceedings against the UK

Following numerous complaints about the use of behavioral advertising technology by internet service providers, the European Commission (the “Commission”) launched infringement proceedings against the United Kingdom for an alleged failure to keep people’s online details confidential. The EU Telecoms Commissioner, Viviane Reding, has called upon the UK to change its national laws to ensure the confidentiality of communications by prohibiting interception and surveillance without the user's consent. If the UK does not comply, the Commission can issue a final warning before taking the UK to the European Court of Justice.

Legal Background
In the UK, those who collect and use data through behavioral advertising technology must comply with the Data Protection Act 1998 (as amended) (the “DPA”), as well as the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “Privacy Regulations”). In addition, any organization which chooses to “monitor” or “intercept” online communications must also comply with the Regulation of Investigatory Powers Act 2000 (“RIPA”) and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the “LBP Regulations”).

These legislative instruments implemented various EU Directives in the UK. Under Article 226 of the EC Treaty, the European Commission is responsible for ensuring that European Community law is correctly enacted into the local laws of individual Member States. If a Member State fails to comply with European Community law, the European Commission can bring infringement proceedings, and may ultimately refer the case to the European Court of Justice (the “ECJ”). Here, the European Commission has commenced infringement proceedings by issuing a formal notice to the UK. The UK has two months to respond or to comply voluntarily by amending the relevant legislation.

Phorm’s Advertising Tracker System
The debate began with the introduction of Phorm Inc.’s advertising tracker system which allows the company to track the identity and web habits of individual computers by tracing their unique Internet Protocol addresses.

Earlier this week a document was published on “Wikileaks” revealing that British Telecom (one of the UK’s leading telephone operators) had commenced a trial of Phorm’s system in 2006. British Telecom acknowledged in April 2008 that it had used Phorm without customer consent in 2006 and in 2007. The UK’s data protection authority, the Information Commissioner’s Office (the “ICO”), investigated British Telecom’s trial of the Phorm system.

In April 2008, the ICO published a response to the concerns voiced about the use of Phorm. Following several complaints from individuals and privacy experts, the ICO forced Phorm to require its customers to “opt-in” rather than “opt-out” of its use. In response to this, British Telecom reassured the ICO that its trial of Phorm did not permit customers’ web browsing activities to be monitored unless customers positively opted-in to participate. British Telecom also confirmed that its use of Phorm does not store personally identifiable information, URLs or IP addresses or retain browsing histories and that search information is deleted almost immediately and is not retrievable. This is also stated on Phorm’s website.

In practical terms, it appears that personal data is collected by Phorm but is subsequently anonymized.

Behavioral advertising technology is beneficial for both users and businesses as users discover more of what interests them and businesses find a more cost-effective way to communicate with users. Effective online advertising helps to create low barriers to online market entry which in turn facilitates competition and innovation.

Legal Implications
If the European Commission finds that the UK has not correctly implemented legislation which governs behavioral advertising technology, the UK will potentially need to amend the DPA, the Privacy Regulations and RIPA. In addition, the European Commission may insist that more effective sanctions be included in the UK legislation. Such amendments would undoubtedly result in significant changes in practices for UK online businesses, employers and social networking sites. Monitoring and interception practices will be restricted and “implied consent” may not be sufficient. The use of opt-in consent, currently required for direct marketing activities throughout Europe, may also be required as a precondition to the use of cookies, web beacons and user tracking systems which currently only require opt-out consent.

Hunton & Williams will provide updates on this blog on the status of these infringement proceedings and consider the potential implications going forward, in particular for retailers and social networking sites.

Article 29 Working Party Issues Opinion on Potential Updates to Standard Contractual Clauses to Facilitate Processor-to-Sub-Processor Transfers of Personal Data

On March 17, the Article 29 Working Party released its Opinion 3/2009 (dated March 5) on standard contractual clauses for the transfer of personal data from data controllers in the EU to data processors outside the EU. The Opinion deals with proposed changes to the European Commission's decision 2002/16 containing standard clauses for controller-to-processor transfers. The Opinion discusses proposals to update these clauses to accommodate data transfers to sub-processors, in light of increased global outsourcing. Although the Opinion does not mention it, it is based on the proposal made in October 2006 to the European Commission by three business groups (the International Chamber of Commerce (ICC), the American Chamber of Commerce to the European Union (AmCham EU) and the Federation of European Direct and Interactive Marketing (FEDMA)). Christopher Kuner, partner at Hunton & Williams, has been leading the ICC work. The proposal of the three business groups would amend the existing clauses from 2002 to bring them into line with business realities. The proposal is available here. Opinion 3/2009 is available here.

The clauses are quite important for business, as they provide a legal basis for transferring personal data from the EU to data processors in other countries, and are often used in, for example, outsourcing contexts. Among the changes proposed by the three business groups was a new clause that for the first time would provide a legal framework for data transfers from one processor to another. This situation can occur, for example, when a data controller in the EU outsources the processing of personal data to a data processing company in the US, which in turn outsources the processing to a company in India. So far, European data protection law has lacked any discussion of the conditions under which such a transfer could be made between data processors. It is a significant development that the Working Party Opinion recognized this possibility.
 
Some of the other clauses proposed by the Working Party seem unrealistic and unworkable, such as requiring audits by data protection authorities in countries outside the EU, or requiring that the contract between the data processor and the sub-processor be governed by the law of the country of the data exporter in the EU. ICC and the other business groups will work with the European Commission with the goal of ensuring that the final clauses approved by the Commission are drafted in a way that makes them usable in the real world. The final Commission decision on the clauses is not expected for a few months.