Archive for February, 2012

Processors in the fining line

Posted on February 27th, 2012 by

“The Data Protection Directive doesn’t apply to processors”. You may have heard that statement many times and, if you are a processor, it may be music to your ears as you realise that you only have to think about contractual obligations and not what the stuffy old DP Directive requires. However, all that seems likely to change under the draft new Data Protection Regulation. In the first few Articles of the Regulation it is clear that a processor (as well as a controller) is subject to the Regulation when they process personal data in the EU.

A number of the obligations that processors face under the Regulation reflect the existing data protection framework. For instance, processors as well as controllers are required to document the relationship they have with controllers in writing – similar to the obligation currently on controllers under Article 17 (4) of the EU Data Protection Directive. But there are also new obligations that affect both controllers and processors. For example, both parties must maintain documentation of all processing operations under their responsibility. This could potentially be quite a burden for a processor. The documentation that must be maintained includes details such as the purposes of the processing, a description of categories of individuals and a general indication of retention limits for the data. This may be all very well if a processor is performing a straightforward outsourcing for one single controller and such details are readily accessible. But what about a processor that is a cloud computing provider? Is such a processor really required to keep in documentary form all necessary details about every single one of its potentially thousands of customers? Or is the processor only required to maintain this documentation for information within its reasonable control?

Under the Regulation, processors are required to cooperate with data protection authorities which won’t be surprising in view of the greater role regulators play in the new framework. However, significantly there is no direct requirement on processors to notify a security breach to the regulator. Instead the processor’s role is to alert and inform the controller after it establishes that there has been a data breach and it is for the controller to notify the breach to the regulator. Although the tenor of the Regulation emphasises that controllers bear ultimate responsibility for compliance with data protection principles, there are certain aspects which seem to cut across this. So, a data protection authority has the power to order a processor to comply with an individual’s request to exercise their rights under the Regulation even though a processor is not, for instance, required to provide an individual with access to their personal data in the first place under the Regulation since the responsibility falls to a controller only.

In several areas the Regulation allows a controller to delegate certain activities to a processor. So, a processor may act on behalf of a controller in carrying out a data protection impact assessment. Or a processor may be instructed by a controller to consult with a regulator before commencing processing that presents a high degree of risk. Although such flexibility is welcome, processors and controllers will need to ensure that their contractual arrangements set out all the necessary mechanisms and procedures for when the processor acts on behalf of the controller in such circumstances. Additionally, it is not necessarily clear from the Regulation who would be ultimately responsible to the regulator where a processor acts on behalf of a controller in carrying out a PIA or consulting with a regulator. Who bears the liability as between the controller and the processor, in what circumstances, and what indemnities are appropriate are all matters that will need to be addressed in the contract.

If the Regulation is implemented as drafted, processors will also have to get used to covering their backs from individuals and regulators. The Regulation envisages that processors can be sued by individuals in court as well as be subject to fines from data protection authorities. Ultimately, a processor could be liable for a fine of up to 2% of its annual worldwide turnover. So, for instance, if a processor intentionally or negligently fails to maintain the documentation that the Regulation specifies, it could receive a fine. If a processor intentionally or negligently processes personal data in violation of its obligations to process data on behalf of a controller, it could receive a fine. The prospect of receiving a fine for the processing it carries out is likely to focus the mind of a processor during its contractual negotiations with a controller. In any event, the days of a processor being able to, in one sense, ignore the impact of data protection rules on its processing when carried out on behalf of controllers are unlikely to return.

The extra-territorial application of the new EU law

Posted on February 15th, 2012 by

One of the most anticipated changes likely to be introduced by the new EU Data Protection Regulation proposed by the European Commission is the criteria used to determine the applicability of EU law – quite an important issue.  To recap briefly, under the current Data Protection Directive, the rules are essentially as follows: 

*   If the controller is based in an EU Member State (e.g. Acme (UK) Limited based in the UK), that controller will be subject to the law of that Member State (e.g. the UK Data Protection Act) and to the scrutiny of the regulator of that country (e.g. the UK Information Commissioner).

*   If the controller is based outside the EU (e.g. Acme Inc.) but uses equipment (e.g. servers or people’s computers) to collect information, that controller will be subject to the laws of every single Member State and to the scrutiny of each and every regulator. 

However, the rule that determines the applicability of the law to non-EU controllers produces bizarre situations like the potential application of EU law to organisations that have no presence, employees or customers in the EU but happen to engage an EU-based service provider (with equipment in Europe), or like the non-application of EU law to organisations who may be dealing with millions of Europeans over the Internet but have no real processing equipment in the EU.

Therefore, under the proposed Data Protection Regulation, the rules would be as follows: 

*   If the controller is based in an EU Member State and it has one main establishment (e.g. Acme (UK) Limited based in the UK), then it will still be subject to the Regulation but it will only be subject to the scrutiny of one regulator (e.g. the UK Information Commissioner).

*   If the controller is based outside the EU (e.g. Acme Inc.) and offers products or services to EU residents or monitors the behaviour of EU residents, it will be subject to the Regulation and to the scrutiny of each and every regulator.

For non-EU organisations, the million dollar question is what does the Regulation mean by “offering products or services” or, more intriguingly, “monitoring the behaviour”?  The answer to this question will undoubtedly become clear as the legislative process progresses, but in the meantime it is helpful to consider the explanations given in the recitals to the Regulation.

First of all, the whole point of the extra-territorial reach of the law (both under the Directive and even more under the Regulation) is to protect people who live in Europe where their data is used elsewhere.  The “offering products or services” side of the equation is also clearly aimed at capturing visible commercial relationships where, typically via the Internet, an organisation is making its goods or services available to EU residents.

The meaning of “monitoring the behaviour” is slightly trickier because the recitals only refer to one very specific form of monitoring: Internet tracking and profiling.  So the commonplace practice of building a picture of an Internet user through the use of cookies with a view to targeting that individual with tailored advertising will definitely be caught – not a very “technologically neutral” provision, it must be said.  The question that we will need to address over the coming months is what is the intended scope of the phrase “monitoring the behaviour” beyond Internet tracking and, more precisely, how granular or detailed that monitoring must be to trigger the application of the law.  The debate is wide open.

France: Sending of direct marketing communications: list brokers and clients: CNIL finds liability on both sides

Posted on February 13th, 2012 by

On 12 January 2012, the CNIL imposed a significant fine on a real property reports company which had purchased a list of real estate owners’ personal data, obtained from online advertisements posted by these real estate owners, and which then sent direct marketing communications by SMS to the property owners without having previously obtained their express consent.


The CNIL’s decision is important for three reasons:

  • Firstly, the amount of the fine imposed is relatively high (20,000 €) and the CNIL made its decision public. It is obvious that the CNIL wishes to set an example in order to put an end to this type of practice, which according to it “inundates owners of property for sale and distorts competition”.

  • Secondly, it is the first time a fine has been imposed on the grounds of the direct marketing provisions which result from the Electronic Commerce Directive and which are included in Article 34-5 of the Post and Telecommunications Code.

Although the CNIL’s concern about the issue of obtaining prior consent before sending marketing communications dates from 2009, until now it has only imposed fines on marketing list brokers and always on the grounds of the French Data Protection Act of 6 January 1978, in particular Article 6 on fair collection (Decision no. 2009-148 of 26 February 2009 “Directannonces” [fine of 40.000€] and Decision no. 2011-193 of 28 June 2011 “PM Participation” [fine 10.000€]).

  • And thirdly, because the CNIL clearly states that marketing list brokers’ clients have an obligation to “ensure that they buy only “opt-in” files from their partners, i.e., containing the addresses of persons who have given prior consent to receive marketing communications”.

How should this “ensure” (in French “veiller à”) be interpreted? Unfortunately the CNIL does not provide further details. In the case at hand, the contract made with the marketing list broker did not state that the marketing list broker had obtained prior consent from the persons in question to receive direct marketing communications by SMS. Would the company have avoided a fine if such a clause had been included? We cannot be sure. However, this does seem to be the most practical and reasonable solution.

Following this decision, two questions remain unanswered:

  • Is a contractual clause stating that the persons in question gave their consent to receive direct marketing communications sufficient to protect the purchaser of such a list from being fined?

  • Insofar as the CNIL has only given its opinion on data collected from real estate advertisements, will its position be the same for other types of data collection and intended recipients?

It will be worth paying attention to the future decisions rendered by the CNIL in this area.

And finally, it is important to note that this contractual clause will not exempt the client from compliance with the French Data Protection Act and in particular, the obligations to give notification of processing, inform those whose data is processed, and implement an effective system for opposition to processing.

Have your say on the draft Data Protection Regulation

Posted on February 8th, 2012 by

Is a fine of up to 2% of annual worldwide turnover too big? Is it possible to report data breaches within 24 hours?

The Ministry of Justice has opened a call for evidence on the European Commission’s draft General Data Protection Regulation. The information obtained from the four-week long evidence gathering exercise will be used to help inform the Government’s negotiating position on the Regulation.

The call for evidence itself is wide-ranging and comments are requested on:

- the potential consequences of the Regulation on the processing of personal data;

- the likely benefits to individuals and the effect on their data protection rights;

- the extent to which the proposal builds “trust in the online environment”; and

- the impact of the proposal on economic growth.

Stressing the need for responses to include “quantifiable costs and benefits” and “real life examples”, the Ministry of Justice appears receptive and keen to hear views on the proposed Regulation.

To make the most of this opportunity, we suggest that you review the draft Regulation in the context of your industry and think about how the rights and obligations it creates will apply to your business. For example, how will an individual’s ‘right to be forgotten’ sit with the way that your sector uses personal data? Will the changes regarding the use of data processors affect the way that you operate? We can of course help you decode the Regulation and consider how it may apply – we also recognise from our own experience working on the Regulation that the challenge for business will be in framing a response which clearly sets out its impact.

Although time is short (there is only a four-week window in which to delve through the Regulation and draft an effective response to the call for evidence), the willingness on the part of the Ministry of Justice to engage with stakeholders suggests that it will be worth it. Given the scale of the proposed changes, and on the premise that ‘if you don’t ask, you don’t get’, the call for evidence offers interested parties a valuable opportunity to engage with, and help shape, the future of data protection both in Europe and, if the current draft Regulation is anything to go by, worldwide!

The call for evidence closes on either 4 March 2012 (according to the Call for Evidence paper itself) or 6 March 2012 (the date provided on the Justice website). Further information, including the call for evidence questionnaire can be found at

Transparency at the heart of the new EU Data Protection Regulation

Posted on February 3rd, 2012 by

Transparency is fundamental to the existing European data protection framework. The law already places extensive obligations on organisations to be open and honest about the ways that they use information about individuals. However, the draft EU Data Protection Regulation unveiled by the European Commission last week gives this issue a reinvigorated central role.

We are of course familiar with today’s requirements to provide information as to:

-    The identity of the data controller (or any representative).

-    The purposes for which the data is being collected and processed.

-    Any further information needed to ensure that the data is processed fairly.

But the Commission (and needless to say the data protection authorities) want to expand that list to cover the following additional information:

-     The specific “legitimate purposes” of the controller, where the processing is based on this legal ground.

-     The period for which the personal data will be stored.

-     The different rights available to individuals established by law.

-     The right to complain to a data protection authority and the contact details of the authority.

-     Whether the personal data will be transferred internationally.

-     Whether the provision of personal data is obligatory or voluntary (when collected directly from individuals).

-     The source of the data (when collected from third parties).

At a time when less is more and clarity is everything, this extended requirement poses a tricky challenge.

If we add to the mix the expectation that any information relating to the processing of personal information must use clear and plain language which is tailored to the relevant audience and must also be easily accessible, it is obvious that most organisations will be faced with the daunting prospect of undertaking a full scale review of their public facing documents and policies to meet the renewed transparency requirements.

One could take the view that nobody bothers to read privacy policies, but the possibility of a fine of up to €500,000, or up to 1% of annual worldwide turnover for some enterprises, for breaches of this obligation is incentive enough for organisations to get a head start on their review of such policies and procedures now.

The new EU framework: Uniform, prescriptive and ambitious

Posted on February 3rd, 2012 by

These are truly exhilarating times for the data protection world.  Viviane Reding’s recent announcement of the Commission’s proposal for a fully harmonised European data protection framework had the connotations of an Olympic opening ceremony – the years of hard work in preparation for this moment, the sense of achievement in the face of challenge and the triumphant belief that something memorable is going to come out of this.  Only the big drums and the flame were missing.  The jury is now out but this is without a doubt the most significant global legislative development affecting the collection, use and protection of personal information of the past 15 years.

As expected, the proposed new general framework for data protection is set out in a regulation, rather than another directive.  This means that once adopted, the regulation will be directly and universally applicable across all EU Member States without the need for national legislation.  Recent legislative history suggests that a single EU-wide regulation is likely to be the only way to achieve the desired uniformity across the European Union.  Member States’ struggle to implement the changes to the e-privacy directive in a coherent way reminds us daily of the limitations of a directive.  But a single pan-European law is a double-edged sword – one set of rules is meant to be beneficial to organisations operating internationally, but those who are used to dealing with the reasonably practical obligations of jurisdictions like the UK or Ireland face a cultural and legal shock.

The proposed regulation is also aimed at rejuvenating a law which has lost its effectiveness to tackle the data protection challenges of the 21st century.  The novelties are varied and creative, but they all have one thing in common: the principles, rights and obligations are far more prescriptive in nature than under the 1995 directive.  This is a natural consequence of having to draft a directly applicable regulation, but it is a fundamental change from the way European data protection has operated until now.

The bulk of the proposed regulation brings with it a whole new set of obligations for organisations – from data protection by default and the appointment of representatives by non-EU companies to the production of compliance policies and privacy impact assessments, and the compulsory designation of data protection officers.  Plus, of course, nearly immediate data breach notification.  These obligations are a trade-off for the overall reduction in regulator-facing administrative requirements, but also the basis for a new way of demanding practical compliance in the black letter of the law.

Above all, the Commission’s proposal is an ambitious one.  Not least because it sets out a very clear basis for its extra-territorial application.  The regulation does away with the cumbersome references to equipment located in the European Union and introduces brand new EU residency grounds.  Any company that processes personal data in the context of an EU-based establishment will be subject to the new law in any event.  But in addition, the regulation will extend the applicability of European data protection rules to organisations established elsewhere that use personal information in relation to the offering of goods or services to, or the monitoring of the behaviour of, individuals who live in the EU.

This approach will affect Internet businesses from all over the world but the Commission’s ambition goes even further than that.  One of the greatest challenges ahead is not faced by organisations using personal information but by the regulators themselves.  They will need to learn a radical new law which demands constant dialogue and closer cooperation than ever before.  The legislative process is now wide open and 2012 will be a crucial year to influence the outcome of the new law.  We have a real opportunity to contribute to this process, so it is our responsibility to get the right result.

This article was first published in Data Protection Law & Policy in January 2012.

How to run a successful cookie audit

Posted on February 1st, 2012 by

Cookie audits sound so simple in theory, don’t they?  I mean, how hard can it be to identify what cookies you have, assess their intrusiveness, and decide on your strategy for obtaining consent?

Having now worked with a number of clients to conduct cookie audits, I can report that they are in fact fraught with legal, commercial and technical difficulties that only website operators with the most minimal online presence could hope to escape.  For operators with more substantial web portfolios, cookie audits can prove very complex and time-consuming. 

As a case in point, we recently helped a client audit its web portfolio of some 60+ Internet domains, serving around 3,000 cookies.  Fully identifying all the cookies they served, let alone what they do and how intrusive they are, was a substantial task in itself.  Another client has set up a large internal stakeholder group to address cookie consent requirements, comprising representatives from legal, IT, marketing and data analytics teams, all of whom have different needs and face different demands when deciding how to use the humble cookie.  Some of our clients are technology service providers, many non-EU based, who want to pursue risk-based consent strategies that are at odds with those of the website operators they serve, and reaching a common ground can therefore be a challenge.

So, for enterprises struggling to figure out a way to deal with their cookie consent compliance demands, here are the top tips I have gleaned from our experience running cookie audit projects to date:

1.  Outsource your technical cookie audit.  While it may be manageable for a website operator with just one (or maybe just a few) Internet domain(s) to rely on their IT staff to audit their cookie use, this approach just doesn’t scale for large enterprises.  Sophisticated websites will often drop 10, 20 or more cookies through a page and, when scaled up across hundreds of pages and tens of different domains, this quickly becomes an unassailable task for any internal IT function, who often will have little knowledge of how third party service providers deploy their cookies.  A number of third party vendors now offer comprehensive cookie audit services, and engaging one of these vendors to help you in your task is a must.  A good example is Evidon, which offers a comprehensive technical audit service that scales easily across large web portfolios and provides detailed cookie reporting in a well-structured, readily-accessible format. 

2.  KYC – Know your cookies!  Lawyers need to know and understand what cookies do in general and, more precisely, they need to know what each specific cookie served through the website(s) does.  Without this, there’s simply no way that they can meaningfully assess their intrusiveness or advise on an appropriate strategy for obtaining cookie consent.  If relying on an in-house legal function to perform this role, take time to ensure your in-house lawyers are fully educated by your IT, analytics and marketing teams, all of whom will use different cookies for different purposes.  It’s important that your lawyers can ‘speak the language’ of your IT, analytics and marketing teams in order to turn their technical descriptions of the cookies they use into meaningful, legal disclosures that meet e-privacy transparency requirements.  A careful choice of vendor for your technical cookie audit will simplify this task enormously – Evidon, for example, maintains a lookup database of third party tracking cookies that describes the purposes these cookies fulfil and the technical basis on which they collect data, significantly simplifying legal investigation into cookie intrusiveness.

3.  Disclosures by type, not by identity.  For large scale cookie deployment, listing in a privacy policy every single cookie that your website serves and what it does is a laborious, back-breaking task that helps no one.  The purpose of the e-Privacy cookie rules is to better inform users about what cookies do and to put them in control of cookie data collection.  A cookie-by-cookie list of tens, hundreds or thousands of cookies does not achieve this.  It’s far better to group cookies by type (‘advertising cookies’, ‘analytics cookies’, ‘content sharing cookies’ etc.), disclose these categories of cookies, explain what they do and allow consumers to choose whether or not they want to receive those types of cookies.  This is not only easier to understand, it also makes forward-facing maintenance of your cookie disclosures much, much simpler.

4.  One size does not fit all.  Don’t take a sledgehammer to crack a nut – a single consent strategy across the entire cookie environment cannot hope to obtain meaningful consumer consent and can impair legitimate data collection practices.  Enterprises need to understand the different consent strategies available to them – from cookies that are exempt from the consent requirement, to cookies where implied consent strategies are an acceptable solution (with or without enhanced contextual notices, depending on the intrusiveness of the cookies in question), to cookies where more express forms of consent may be appropriate.  Adopting a tiered consent strategy allows for better, clearer disclosures to consumers, more granular control and better levels of data collection.
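The grouping-by-type (tip 3) and tiered consent (tip 4) steps can be turned into a small audit script. The following is an added example, not code from the post or from any audit vendor: it parses Set-Cookie headers captured from one page, works out whether each cookie is first- or third-party and session or persistent, assigns a category from a constructed name-prefix lookup (a real audit would use a maintained database of known cookies), and derives a consent tier per cookie. The sample headers and the prefix table are constructed for illustration.

```python
"""Cookie-audit helper: group captured Set-Cookie headers by type and consent tier.

Added example, not from the post. The prefix lookup and sample headers are
constructed; a real audit would replace them with the crawl output and a
maintained cookie database.
"""
from collections import defaultdict
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed lookup (assumption): cookie-name prefix -> disclosure category.
CATEGORY_BY_PREFIX = {
    "sessionid": "strictly necessary",
    "csrftoken": "strictly necessary",
    "_ga": "analytics",
    "_utm": "analytics",
    "ad_": "advertising",
    "share_": "content sharing",
}


def categorise(name: str) -> str:
    """Map a cookie name to a category; unknown names are flagged for manual review."""
    for prefix, category in CATEGORY_BY_PREFIX.items():
        if name.startswith(prefix):
            return category
    return "unclassified"


def is_third_party(site_host: str, cookie_domain: str) -> bool:
    """Third-party when the Domain attribute is neither the site host nor a parent of it."""
    if not cookie_domain:
        return False  # host-only cookie set by the page's own host
    cookie_domain = cookie_domain.lstrip(".").lower()
    return not (site_host == cookie_domain or site_host.endswith("." + cookie_domain))


def consent_tier(category: str, third_party: bool, persistent: bool) -> str:
    """Tiered strategy from the post: exempt, implied consent or express consent."""
    if category == "strictly necessary":
        return "exempt"
    if category == "advertising" or (third_party and persistent):
        return "express consent"
    if category == "unclassified":
        return "review required"
    return "implied consent"


def audit(page_url: str, set_cookie_headers: list[str]) -> dict[str, list[dict]]:
    """Parse one page's Set-Cookie headers and group the cookies by category."""
    site_host = urlparse(page_url).hostname.lower()
    groups: dict[str, list[dict]] = defaultdict(list)
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # one Set-Cookie header = one cookie plus its attributes
        for name, morsel in jar.items():
            persistent = bool(morsel["expires"] or morsel["max-age"])
            third_party = is_third_party(site_host, morsel["domain"])
            category = categorise(name)
            groups[category].append({
                "name": name,
                "third_party": third_party,
                "persistent": persistent,
                "tier": consent_tier(category, third_party, persistent),
            })
    return dict(groups)


# Constructed sample headers, as a crawler might capture them from one page.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "_ga=GA1.2.1; Domain=.example.co.uk; Max-Age=63072000; Path=/",
    "ad_id=xyz; Domain=.adnetwork.example; Expires=Wed, 01 Jan 2014 00:00:00 GMT",
    "share_pref=1; Domain=.social.example; Path=/",
    "mystery=42; Path=/",
]

if __name__ == "__main__":
    for category, cookies in audit("https://www.example.co.uk/", SAMPLE_HEADERS).items():
        print(category, [(c["name"], c["tier"]) for c in cookies])
```

The "unclassified" and "review required" outputs are the point of the exercise: they are the cookies the legal team cannot disclose until IT or the vendor database explains what they do.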