Archive for August, 2011

The guessing game

Posted on August 26th, 2011 by

It has been a busy year for the European Commission’s Data Protection Unit so far.  Day after day, week after week, month after month, a multicultural team of officials based in an unassuming Brussels building have been brainstorming ideas, poring over written submissions and listening patiently to the wishes, concerns and ideas of those who hope to have a say in the future European data protection framework.  Despite all this hard work, it seems that we may not see a formal proposal until the end of the year.  The reason for this – in addition to the massive pressure to get the first draft right – is that the Commission would like to feed into the proposal the outcomes of the current public consultations on cloud computing and data breach notification.  That is understandable, but in the meantime, and to temper our anxiety, we can make an informed guess at what we will be presented with.

Much of the debate surrounding this process so far has been around the form that the new legislative framework will take.  If, as it has been made patently clear, the primary objective of the legislative reform is to achieve the greatest possible degree of harmonisation, the Commission is likely to favour a Regulation over another Directive.  The effect of this would be a single piece of legislation immediately applicable across the European Union without the need for implementation at a national level.  If the extremely clumsy implementation process of the revised e-privacy directive is anything to go by, the prospect of a Regulation seems very possible indeed.  However, even a Regulation would be enforced at a national level by each data protection authority, so an element of local interpretation will always exist.

A crucial building block of the new regime will be the rules determining the applicability of the law.  For EU-based organisations, a Regulation would solve the problem of facing multiple national laws and the ‘country of origin’ principle seems the way forward in terms of determining the competent data protection authority.  The big change in this respect will be for overseas organisations, which will find themselves subject to EU law, not when they happen to serve a humble cookie on an EU-based machine, but when they target people in Europe, for example by employing them or marketing to them.

With regard to the substantive content of the new framework, much of our beloved law will stay, with some tweaks.  An important objective of the new legal framework will be to give greater control to individuals.  The cornerstone of this, as trumpeted by Viviane Reding, is the so-called ‘right to be forgotten’, which is meant to allow individuals to get their personal information removed from publicly available platforms like networking sites and other websites.  However, the huge two-fold difficulty with extending this beyond the current right to object is how to reconcile it with the freedom of expression of others to disseminate information and with the intermediary roles of those which only act as conduits for this information.

As for transparency and consent, expect clever attempts to make these two aspects truly meaningful.  Once again, the emphasis will be on putting people in control, but let’s hope that the Commission’s efforts to make legal obligations clear cut do not translate into unachievable targets like the Working Party’s unqualified interpretation of consent as prior, express opt-in and nothing else.  At the very least, it is reasonable to assume that the legal grounds for processing personal data will continue to include – and possibly expand – the legitimate interest condition to justify such processing.

However, for most organisations the key new ingredient will no doubt be the ‘accountability package’.  Not that it will ever be called that, but it is almost certain that a whole range of practical measures – from mandatory data protection officers to privacy impact assessments, and possibly internal audit and training requirements – will make its way into the black letter of the law.  An outstanding question is to what extent this will be linked to the provisions affecting international data transfers.  In all probability, the Commission is likely to retain some restrictions but widen the mechanisms available to ensure that such transfers are lawful.  The greatest hope of all is that, at the end of the day, the EU legislative bodies manage to come up with a regime that shows the benefits of data protection for all and encourages compliance not just for the sake of it, but for the good of future generations.  Time will tell.

This article was first published in Data Protection Law & Policy in August 2011

The e-Privacy Directive – when and how does it apply exactly?

Posted on August 11th, 2011 by

One of the most frequent questions we get asked by clients is whether the e-Privacy Directive (2002/58/EC) applies on ‘country of origin’ or ‘country of destination’ basis.  This is normally in the context of e-marketing: advertisers running a pan-European campaign naturally want to understand whether they have to comply with the national e-privacy rules:

(a) only of the Member State in which they are established (the ‘country of origin’ principle); or

(b) of every Member State where their e-marketing recipients are based (the ‘country of destination’ principle).

However, while most commonly raised in an e-marketing context, understanding when and how the e-Privacy Directive applies is also relevant to determining website operators’ cookie ‘consent’ responsibilities. Do they have to comply with the (as yet to be determined) opt-in or opt-out rules of every Member State?

Why does this uncertainty exist?

Quite simply, this uncertainty exists because the e-Privacy Directive, unlike the Data Protection Directive (95/46/EC), does not have any provisions that expressly set out its geographical scope of application.

Article 1 of the e-Privacy Directive says only that: “This Directive provides for the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community.” Article 3 provides some further clarity, adding that the e-Privacy Directive applies “to the processing of personal data in connection with the provision of publicly available electronic communications services.”

Both Articles 1 and 3 indicate that, in order for the e-Privacy Directive to apply, there must be processing of personal data. Yet, interestingly, the regulatory consensus is that processing of personal data is not necessary for the e-Privacy Directive’s cookie ‘consent’ requirements to apply. The Article 29 Working Party said, in their Opinion on Online Behavioural Advertising, that “It is not a prerequisite for the application of this provision that this information is personal data within the meaning of Directive 95/46/EC”.  It is challenging to reconcile this interpretation with the applicability criteria specified in Articles 1 and 3 – but, challenging or not, this is the position that Data Protection Authorities seem to be taking.

So when and how do e-privacy rules apply?

To return to the original question of whether the e-Privacy Directive applies on a ‘country of origin’ or a ‘country of destination’ basis, marketers and website operators might naturally feel that the ‘country of origin’ principle ought to apply. There is precedent for this in the e-Commerce Directive (2000/31/EC), which says that “Each Member State shall ensure that the information society services provided by a service provider established on its territory comply with the national provisions applicable in the Member State in question” (Article 3(1)).

However, despite setting the principle that information society service regulation should generally be determined on a ‘country of origin’ basis in the EU, the e-Commerce Directive subsequently excludes data protection e-marketing rules from this principle.

Country of origin rules for e-marketing

The key clarification about the scope of the e-Privacy Directive can in fact be found in Article 1(2). This points out that the provisions of the e-Privacy Directive “particularise and complement” those of the Data Protection Directive.

Put another way, this means that the e-Privacy Directive can be thought of as a specialised subset of rules that fall under the overall privacy framework established by the Data Protection Directive.  This is confirmed by Recital 10 of the e-Privacy Directive, which clarifies that the Data Protection Directive applies “to all matters concerning protection of fundamental rights and freedoms which are not specifically covered by the provisions of this [e-Privacy] Directive, including the obligations on the controller and the rights of individuals”.

So, in the absence of clear geographical applicability rules in the e-Privacy Directive itself, data controllers must instead look to the applicability rules of the Data Protection Directive.  These are set in Article 4 of the Data Protection Directive and, for EU-based data controllers, make clear that data protection laws apply on a ‘country of origin’ basis.  However, non-EU based data controllers are subject to the national laws of the territories in which they use ‘equipment’ – which potentially includes devices where cookies are served to collect data – and so need to review local EU law risk carefully.

What this means and why it matters

It is a commonly held misconception that data protection e-marketing rules apply to EU businesses on a ‘country of destination’, not a ‘country of origin’, basis. The consequence of this is that marketers often expend excessive legal budget taking legal advice across multiple EU Member States in respect of the pan-European campaigns they want to conduct. Naturally, there will be local laws that apply (e.g. local consumer protection laws, advertising standards rules, and gaming laws), but data protection advice will normally only need to be sought from the EU territory in which the marketer is based. A proper understanding of the geographical scope of application of the e-Privacy Directive therefore has the potential to substantially reduce marketing budgets.

The same ought to be true for cookies. That is to say, a website operator established in one EU Member State should have to comply with the cookie ‘consent’ requirements of that Member State only – not those of other Member States. However, the advantages of the ‘country of origin’ principle are lost where the operator is established outside the European Union, because in that case the national data protection authorities will argue very strongly that where ‘equipment’ is used in their jurisdictions, each of their local laws will most definitely apply.

In support of Legitimate Interests

Posted on August 1st, 2011 by

Plato may have made the assumption that silence means consent but the Article 29 Working Party have made it clear that they do not. In their Opinion on consent (WP 187), the Working Party state that consent based on an individual’s inaction or silence would not normally constitute valid consent for the purposes of EU data protection rules. Additionally, the Working Party set out that consent must be given before any data processing starts, must be unambiguous and, moreover, blanket consent without specifying and separating out each processing purpose is not valid. In effect, the Working Party sets a very high standard for any controller who wishes to legitimise data processing by relying on the consent of the individual.

But is the position of the Working Party in WP 187 surprising? Perhaps not when one considers the remarks that have been made over the years in other Working Party publications. Something of this caution around consent was conveyed back in 2005 when the Working Party published their working document on a common interpretation of Article 26(1) of the Directive (WP 114). In this instance, the Working Party examined the grounds (which include consent) under which international data transfers can be lawfully made. As well as warning employers not to rely solely on employees’ consent when transferring data (a concern echoed in other Working Party papers concerned with data processing in the context of employment relationships), the paper states that ‘relying on consent may therefore prove to be a “false good solution”, simple at first but in reality complex and cumbersome’.

Additionally, in 2009 the Working Party published their response (in collaboration with the Working Party on Police and Justice) to the European Commission’s consultation on the future of privacy (WP 168). In commenting on consent, the Working Party stated that ‘the requirement that consent has to be informed starts from the assumption that it needs to be fully understandable to the data subject what will happen if he decides to consent to the processing of his data’. In reality, it can be very difficult to prove incontrovertibly that an individual fully understands what will happen to his personal data, a fact that the Working Party admitted in their next remark, which states that ‘the complexity of data collection practices, business models, vendor relationships and technological applications in many cases outstrips the individual’s ability or willingness to make decisions to control the use and sharing of information through active choice’. So how can a controller ever be fully confident that an individual is properly informed in order to be able to effectively consent?

These previous remarks indicate that the Working Party’s recent narrow interpretation of what constitutes valid consent under EU data protection rules is fairly consistent with their past pronouncements. But what should controllers make of this? If meeting the consent requirements under the Directive is now effectively a ‘gold standard’ then, from a practical perspective, controllers could understandably only rely on consent when either the law explicitly requires consent or no other lawful ground is available. In other words, a controller could take the view to rely on consent only in exceptional circumstances and to rely on other grounds, such as the legitimate interest ground, in all other cases.

Other grounds under Article 7 of the Directive are relatively specific, whereas the concept of legitimate interest recognises that data processing frequently involves a balance between the lawful activities of an organisation and the impact of data processing on an individual’s privacy. In a sense, the legitimate interest ground captures something of the day-to-day business reality that many organisations face when they have to weigh up certain risks. A project involving processing personal data may not fall readily into one of the other Article 7 grounds. An approach which requires a controller to assess the impact of the proposed processing on the fundamental rights and freedoms of the individuals with regard to privacy brings into play the need to assess the situation on its specific merits. A mere tick-box approach (which obtaining an individual’s consent can encourage) is unlikely to bring this degree of sensitivity to compliance issues. Privacy Impact Assessments, of course, are the tool that helps to model this approach.  Likewise, accountability, and the need for organisations to be able to demonstrate that they have thought about privacy risks and have procedures in place to deal with such risks, complements an approach which is sensitive to the specific processing situation.

Therefore, since consent has in effect been written off as a false good solution, controllers are by default being encouraged to rely on the legitimate interest ground in general data processing circumstances. Any amendments to the current data protection regime should equip controllers to carry out assessments so that they can test whether their processing is necessary for their legitimate interests and consequently put in place the necessary protections to ensure that the privacy rights of individuals are not overridden.  Regulators should embrace and promote the legitimate interest ground as a means of instilling good data protection compliance practices in controllers.