Archive for April, 2012

New model clauses for data processors on their way?

Posted on April 25th, 2012

We all know that the times when data processors could try to shield themselves from data protection compliance by arguing that the law did not apply to them are long gone.

In recent years the role of data processors has become so sophisticated as to test the boundaries of the definition of data controllers to the limit. In addition, the new draft General Data Protection Regulation of the European Commission (“draft Regulation”) establishes obligations directly applicable to data processors. Therefore data processors will soon be directly liable and subject to monetary penalties.

However, is this really bad news?  Leaving aside the additional red tape that some of the obligations may generate, it seems that data processors have finally been given a voice. So, for those data processors wanting to get it right and already working on organisational data protection compliance programs, this is actually good news.

At last, data processors will get deserved recognition for the measures they have adopted to ensure compliance with fundamental data protection obligations, such as those related to the international transfers of personal data outside the EEA. As Binding Corporate Rules (“BCRs”) continue to establish themselves as the preferred way to legitimise international transfers of personal data within multinational data controllers, Binding Safe Processor Rules (“BSPRs”) are the obvious next step for global data processors. The draft Regulation recognises this – expressly instructing data processors to take the necessary steps to legitimise international transfers of data by putting in place BSPRs or appropriate contractual arrangements.

However, some European data processors will not have to wait until the approval and implementation of the Regulation in order to take the bull by the horns. The Spanish data protection authority (“Spanish DPA”) has recently announced that it has drafted a new set of proposed model clauses (based on the 2010 controller to processor clauses) that will allow data processors in Spain to engage sub-processors outside the EEA.

Of particular interest is the proposal that data processors can enter these new model clauses directly with sub-processors outside the EEA (i.e. not simply on behalf of the data controller) and seek their own data transfer authorisation from the Spanish DPA.   

By drafting these model clauses the Spanish DPA has responded to the demands of the outsourcing industry to provide a more flexible instrument that covers processor-to-processor exports and, by doing so, eliminate some of the regulatory barriers that place EU processors at a competitive disadvantage with their non-EEA competitors.

For those familiar with the existing data transfer authorisation process in Spain, there is no doubt that the new processor authorisation process will be similarly burdensome. However, an express recognition that data processors should be entitled to request data transfer authorisation and directly manage their own sub-processors is, in itself, a breath of fresh air.

So the new cookie law sucks – get over it already!

Posted on April 23rd, 2012

As has been much publicised in recent weeks, the ICO’s ‘grace period’ for complying with the UK’s new cookie consent requirement expires towards the end of next month (25 May, to be precise).  Across the EU, cookie consent requirements are already in force in a number of territories.

What I’ve found surprising in the run up to the UK deadline is the number of news articles that still complain about how ‘stupid’ this new law is.  While I have a lot of sympathy for these views – from both a practical implementation and academic law standpoint – the time for making these complaints has passed.  Rightly or wrongly, the law is here to stay and businesses need to figure out what they’re going to do about it.

In fact, perhaps the most difficult thing for many of us to admit (myself included), is that the new law has had a number of very positive effects.  It’s shone a light on how little many website operators really knew about what they – and others – were collecting through their websites.  It’s also encouraged a much greater level of transparency around online data collection and encouraged the development of some really innovative cookie control solutions (those with concerns that the ICO opt-in consent banner might become the market norm can breathe a long sigh of relief…).

Businesses that continue to resist the new law risk missing a trick in terms of demonstrating thought leadership and engendering consumer trust (ignoring legal compliance risk for the moment).  Since BT adopted its implied consent solution, I’ve had a number of contacts ask me about ‘the BT approach’ and seen numerous tweets, blogs and articles about it.  I don’t intend to comment on BT’s solution – that’s not the point – but I do think it neatly demonstrates that early engagement with cookie consent can deliver real, positive benefits.

So if you’re still wondering what you need to do, here’s a reminder:

1.  Audit your cookie use and work out what you’ve got.

2.  Assess the intrusiveness of your cookies.

3.  Adopt a notice and consent strategy (express or implied) appropriate to the intrusiveness of your cookies.

4.  Implement forward facing cookie management mechanisms.
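
Steps 1 to 4 in working form, as an added example that is not part of the original post: a cookie inventory from the audit (step 1) with an intrusiveness category per cookie (step 2), a consent model (step 3), and a cookie setter that refuses to set anything non-essential until the relevant consent exists (step 4). The cookie names, the category scheme and the array standing in for document.cookie are constructed for the example and are assumptions, not something the ICO guidance or the post prescribes.

```javascript
// Added example (not from the original post). Cookie names, purposes and the
// category scheme below are constructed for illustration.

// Step 1 output: the audited inventory. Anything not listed here is "unknown".
const COOKIE_INVENTORY = {
  session_id: { category: "strictly_necessary", purpose: "keeps the user logged in" },
  csrf_token: { category: "strictly_necessary", purpose: "anti-CSRF token" },
  ui_lang:    { category: "functional",         purpose: "remembered language choice" },
  _ga:        { category: "analytics",          purpose: "site usage statistics" },
  ad_profile: { category: "advertising",        purpose: "behavioural advertising" },
};

// Step 2: intrusiveness ranking, low to high. Rank 0 is exempt from consent.
const INTRUSIVENESS = { strictly_necessary: 0, functional: 1, analytics: 2, advertising: 3 };

// Step 1 helper: parse a document.cookie-style string ("a=1; b=2") and
// separate audited cookies from ones that nobody has classified yet.
function auditCookies(cookieHeader) {
  const names = cookieHeader
    .split(";")
    .map((kv) => kv.trim())
    .filter(Boolean)
    .map((kv) => kv.split("=")[0]);
  return {
    known: names.filter((n) => n in COOKIE_INVENTORY),
    unknown: names.filter((n) => !(n in COOKIE_INVENTORY)),
  };
}

// Step 3: consent state is per category, e.g. { functional: true, analytics: false, advertising: false }.
// Unknown cookies are never allowed: classify them first, then decide.
function mayCookieBeSet(name, consent) {
  const entry = COOKIE_INVENTORY[name];
  if (!entry) return false;
  if (INTRUSIVENESS[entry.category] === 0) return true; // strictly necessary: no consent needed
  return consent[entry.category] === true;
}

// Step 4: consent-aware setter. `sink` is an array standing in for
// document.cookie so the example runs outside a browser.
function setCookie(sink, name, value, consent) {
  if (!mayCookieBeSet(name, consent)) return false;
  sink.push(`${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`);
  return true;
}

// Step 4, withdrawal of consent: list the audited cookies that are now
// unconsented so the site can expire them rather than keep reading them.
function cookiesToExpire(cookieHeader, consent) {
  return auditCookies(cookieHeader).known.filter((n) => !mayCookieBeSet(n, consent));
}
```

In a real deployment the inventory would be generated from the audit rather than typed by hand, and setCookie would write to document.cookie or a Set-Cookie header; the gating logic stays the same.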

One final thought: remember that the law requires “consent”, not “express” or “opt-in” consent.  While these approaches may be appropriate for certain types of intrusive cookie use, other more sophisticated (and less disruptive) consent approaches can and do exist.  For more information, see some of our previous posts (see here) and have a look at our cookie consent tracking table, which shows cookie consent requirements across the EU (here).

Mobile privacy – is there an app for that?

Posted on April 20th, 2012

Next week I’ll be chairing a session at the IAPP’s Data Protection Intensive in London on mobile privacy. In advance of my session (and without giving too much away – I highly recommend attending the event!), I thought I’d set out a few key thoughts on the issues mobile operators and developers need to consider when launching mobile apps:

  • Why does m-privacy matter? It’s simple: if you’re anything like me, your mobile device has become your closest, most trusted friend. No one knows more about you: your phone knows where you go, who you know, and the passwords to your banking, shopping and social networking accounts. It looks after your diary and has access to all your most treasured and personal photos. This is all very sensitive information – and your phone holds an awful lot of it.
  • Why is m-privacy hard (practically)? Because the actors, devices and consumer expectations are so many and so varied. In the course of downloading, installing and running an app, a consumer will share data with or through its device platform, the relevant app marketplace, the application developer, and various ad networks, analytics providers, payment processors and mobile carriers. Consumers can access apps through smartphones, tablets, netbooks or other mobile devices – each with different platforms having their own data access permissions, device unique data types, and screen sizes and resolutions, thereby making efforts to design a simple ‘one size fits all’ privacy notice a real challenge. Adopting a privacy by design approach is not a nice to have in the mobile environment – it’s a necessity.
  • Why is m-privacy hard (legally)? From a privacy perspective, data protection, e-privacy, communications interception and data retention laws – both in the EU and beyond – can all apply to data collected from mobile devices. Widen the picture out into general consumer law, and issues arise around applicable law, mandatory consumer terms, liability and enforceability of terms (to name but a few). As a few press reports have highlighted recently, just because you CAN access data, doesn’t mean you should – the recent furore surrounding the Girls Around Me app being a very good case in point (see here). And to make matters more complicated, the data protection laws we have can often apply in surprising and unexpected ways – remember, many of them date back to before any of us even had a mobile. Should device ID data really be considered ‘personal data’? Why do ‘cookie consent’ rules apply to mobile apps? Do SoLoMo applications REALLY need to get opt-in consent to location data use?

If you’re attending the IAPP Intensive next week, then do come along and join my session to answer all of these questions – and more!

The proposed Regulation: A ‘catch-22’ for employment data

Posted on April 12th, 2012

If there were any doubts under existing data protection law that employers cannot rely on consent to process personal data relating to employees, those doubts have now been laid to rest.  The Regulation seems to envisage that there will always be a clear imbalance between the data subject and the controller in the employment context.  Consequently, employers will need to justify processing of employee data on grounds other than consent.  In many cases, this position is likely to mean that, unless the data processing is required by law (e.g. processing of sickness data to administer sick pay benefit), employers will need to rely on the so-called ‘legitimate interests’ criterion for the processing of employee personal data, namely that the processing is necessary for the legitimate interests pursued by the employer except where such interests are overridden by the interests or fundamental rights and freedoms of the employee which require protection of personal data.

In addition, employers will be required to specify the relevant legitimate interests pursued by them in the data protection notices that they provide to employees.  If employers wish to process personal data for purposes other than those for which employment data was collected (as specified in the relevant data protection notices), they will have limited compliance options. The Regulation makes clear that, where the purpose of further processing is not compatible with the one for which the personal data has been collected, employers will not be able to justify the processing by reference to the legitimate interests criterion.

Given that consent is also unlikely to be an option, the Regulation presents a serious difficulty for employers since there are a number of scenarios in which employers may wish to use personal data in a way that is not compatible with the purposes for which it was collected.  An important test of compatibility is whether the employer intends to use or disclose the employee data in a way in which employees would expect it to be used and disclosed.

So, for example, if employees have been told via an ‘acceptable use policy’ that monitoring is undertaken for a particular purpose, in general, it is likely to be unfair to use the information for another unexpected purpose.  Simply getting employees to sign up to a new acceptable use policy may not get employers where they need to be since the new Regulation makes clear that such consent will not be valid.  Neither will it be possible to rely on the legitimate interests criterion.

Consequently, it will be more important than ever to ensure that employers get their data protection notices/acceptable use policies right at the outset.  In practice, the temptation for employers will be to draft very wide data protection notices to try to anticipate processing activities that they may wish to carry out in the future.  In order to achieve compliance however, the challenge will be to get the balance right between a data protection notice that is comprehensive and one that is meaningful.

Mission: Interoperability

Posted on April 6th, 2012

Obama gets it. Viviane Reding gets it. This is indeed a defining moment to get our public policies right in terms of global data protection and privacy. Ignore the human and social implications of the exploitation of personal data and we will lose forever the right to privacy and possibly our freedom. Be too overprotective with one of the greatest assets of our time and we will definitely block progress and prosperity. The stakes are really that high. That was the key underlying message of the recent EU-U.S. Conference on Privacy and Protection of Personal Data held simultaneously in Brussels and Washington.

The EU and the US are by no means the only players in this field, but they have been very active protagonists in relation to the development of policies aimed at addressing the future protection of personal information. The recent conference is therefore a testimony to the commitment by these two parties to achieving that perfect balance between protecting rights and promoting innovation. As mentioned in the jointly released memo, stronger transatlantic cooperation in the field of data protection will enhance consumer trust and promote the continued growth of the global internet economy and the evolving digital transatlantic common market.

So what is being proposed on either side of the Atlantic to achieve that? In Europe, the Commission’s draft Regulation published at the end of January will be the obvious point of reference over the next couple of years. The proposed draft is a far reaching document which still needs to be fully understood and debated by all stakeholders involved. But at its core, it is entirely consistent with the strict, prescriptive and traditional approach that has prevailed in European data protection since its origins several decades ago.

In the US, in February the White House released its privacy blueprint, including the Consumer Privacy Bill of Rights. As part of this initiative, President Obama emphasised his Administration’s commitment to privacy in the US and called for two very concrete actions. First, Congress was invited to pass legislation applying the Consumer Privacy Bill of Rights to commercial sectors not subject to existing federal data privacy laws. Secondly, the White House encouraged the development of enforceable codes of conduct through the collaboration of industry leaders and civil society. Overall, this is a simple but clever attempt to get data privacy on the US legislative agenda, but in a typically flexible and pragmatic way.

Style-wise, the two camps could not be further apart. One has the wonderful stiffness of Downton Abbey whilst the other exhibits the vibrant notes of Homeland. Yet, both parties are adamant that consensus can be reached. They even go as far as saying that working together is possible to create mutual recognition frameworks that protect privacy. Their joint memo goes on to say that both parties consider that standards in the area of personal data protection should facilitate the free flow of information, goods and services across borders. Crucially, they recognise that while regulatory regimes may differ between the US and Europe, there are common principles at the heart of both systems, now re-affirmed by the developments in the US.

The immediate outcome is quite predictable. The US and the EU have reaffirmed once again their loyalty to the US-EU Safe Harbor Framework. So if anyone had any concerns about the long term survival of Safe Harbor as an adequacy mechanism, these can be put to rest. Beyond that, what should we expect? The magic word is interoperability. What we don’t know is whether both sides share the same understanding of that concept. For the US, interoperability is an ambitious aim which equates to mutual recognition of their respective data protection frameworks. For Europe, this could well be a soul searching exercise in which we either discover that there is little room for manoeuvre or that we can live with a truly progressive approach to protecting personal information.

This article was first published in Data Protection Law & Policy in March 2012.
Legitimate Interests under the Regulation

Posted on April 1st, 2012

Identifying what ground you are relying on in order to lawfully process personal data hasn’t necessarily been something that many UK controllers have worried about up till now. So long as the data is not sensitive, in many if not most instances, a responsible controller can be reasonably certain that they can argue that collecting and processing the data is necessary for legitimate interests either pursued by them or by a third party. The only limitation on this ground is where the processing is unwarranted by reason of prejudice to the rights and freedoms of the individual concerned. Or it may be the case that the processing of data happens in a contractual situation and therefore a controller can rely on the ground that processing such data is necessary for the performance of the contract. By relying on these grounds, the controller can usually side-step having to obtain the consent of individuals and having to deal with the complexity of issues that consent can give rise to (although consent may be unavoidable when data is sensitive).

Although legitimate interests remains a key ground that a controller (presumably any controller, despite there being no reference to third party controllers as there is under the Directive) can rely on, it comes as no surprise that under the draft EU Data Protection Regulation the rules on legitimate interests have shifted somewhat. So, relying on the legitimate interests ground becomes harder when processing children’s data (due to the specific protection afforded to children) and impossible for public authorities since, the Regulation states, it is for the legislator to provide by law the legal basis for public authorities to process data. Clearly the Information Commissioner’s Office is concerned by the implications of this latter point since it states in its initial analysis on the Regulation that this approach will ‘prevent public bodies carrying out processing that may well be necessary although not specifically provided for by law’. Partly this is due to the different legal cultures within the EU, where many if not most EU member states have a codified legal system (unlike the UK) that specifies what public authorities can do.

The Regulation envisages that a controller will be much more transparent about his legitimate interests. Under the Regulation, a controller must explicitly inform individuals of the legitimate interests pursued, document these legitimate interests and remind individuals of their right to object. These further requirements if enacted may prompt UK controllers to be more circumspect than formerly when seeking to rely on the legitimate interests ground.

But it’s not all bad news. The fact that the draft Regulation specifies that certain data processing strictly necessary to ensure network and information security constitutes a legitimate interest provides some comfort to controllers. Additionally the draft Regulation would enable organisations to make more incidental transfers of personal data (from the EU to outside the EU) if necessary for a controller or processor’s legitimate interests.

But perhaps of greatest import is the power that the draft Regulation gives the EU Commission to specify the conditions in various sectors and data processing situations for reliance on the legitimate interests ground. Italian controllers may be used to the idea that a separate authority (in Italy’s case, the data protection authority, the Garante) specifies the conditions for relying on the legitimate interests condition, but UK controllers are not.

It remains to be seen whether these changes to the legitimate interests ground are adopted as part of the final Regulation and what impact such changes will have.