Archive for May, 2012

The future of privacy

Posted on May 31st, 2012 by

Not that long ago, reading this article (let alone writing it) would have been regarded as nerdy.  Data protection used to be seen as arcane and irrelevant to businesses and ordinary people.  Introducing yourself as a data protection lawyer or a privacy professional was a recipe for embarrassment and a sure way of getting some funny looks.  However, at some point, something suddenly changed.  What was wacky is now cool, and what seemed like an obscure legal discipline with funny jargon and odd rules has become a critical consideration for business and government.  What happened?  What was the event that radically altered our perception of the importance of personal information for the world’s prosperity?  The crucial catalyst was in fact a combination of three factors that will also shape the future of privacy and data protection going forward.

The first is the most obvious of all because it has permeated our lives to such a degree that we can no longer live without it.  Remember life before e-mail, mobile phones, the Internet, search engines, CCTV cameras, biometric passports, chip & pin, apps and cookies?  The evolution of technology has been the primary contributor to the growing importance of data protection, as digitalisation has led to a never-ending, yet not always visible, churn of personal data.  The second has been the realisation that personal data is a very valuable asset.  Some examples: last year Google’s turnover was nearly $38bn, LinkedIn’s shares doubled in value on the day it floated on the stock exchange, and Facebook’s IPO reportedly created 1,000 millionaires overnight.  What these businesses have in common, beyond being remarkable success stories of the post-dotcom boom, is that their success rests on the power and value of personal information.  The third critical factor is none other than the reality of data globalisation: the fact that geographical distance and cultural barriers have become almost negligible for the exploitation of data.

These three factors have unsettled many existing preconceptions and turned legal conundrums into business-critical issues.  Getting the right answer to which law applies, or who is in control of the information generated by our daily use of global interconnecting technologies, has massive practical implications.  Some will be purely financial and others political, but their significance has not gone unnoticed.  Even the very thing at the centre of the legal debate – ascertaining what is and what isn’t personal data – has become an issue of great economic impact for businesses across all industry sectors, from technology to financial services and from retail to life sciences.  As an overarching theme, the question of how to ensure global compliance with maximum effectiveness and minimum cost has suddenly focused the minds of business leaders and politicians.

But having got to this place, the question that we now need to address is this: what happens next?  Or in other words: what is the future of privacy and data protection?  For policy makers and data-reliant businesses alike, the answer to that question lies in addressing the three issues that have so radically changed things.  Regulating and managing the evolution of technology necessarily involves understanding technology.  That means that a likely component of tomorrow’s privacy regulation will be explaining technology in a way that lets its users understand what is likely to happen to the personal information generated by their use of it.  This is transparency 2.0 and, from a compliance perspective, collecting and using data will entail making the impenetrable world of new technologies understandable to everyone.  But beyond pure transparency, something that no legal regime has addressed to date but that will form part of the legal obligations of the future is the provision of value.  When a government or a business asks a citizen or customer for their personal information, it will only be fair to give that person something back, or to share with individuals part of the value extracted from their data.  That would certainly be a much better way of getting the control balance right than seeking an empty and meaningless consent.

One remaining challenge is the international nature of data flows and information exploitation.  Data protection will never be a local issue again.  Data is no longer transferred from A to B.  Geographically speaking, where data actually is in an interconnected world is completely irrelevant, because data is ever accessible from everywhere.  Law and practice will have to come to terms with that.  Overcoming the legal limitations affecting international data transfers has always been a difficult challenge because, even in the old days, data was pretty fluid.  Today’s and tomorrow’s data globalisation needs a completely different approach which focuses on mutual recognition of rules, regulatory collaboration and incentives to do the right thing.

This article was first published in issue number 100 of Data Protection Law & Policy in May 2012.

Cookie compliance letters from ICO

Posted on May 25th, 2012 by

Earlier this week news began to spread that David Smith, the Deputy Information Commissioner, had revealed at a press briefing that ICO would be sending a letter to 50 organisations about their cookie compliance strategy. According to one article we have read, Mr Smith refused to reveal the identity of those organisations, but the list has been published all the same.

Or, rather, it has and it hasn’t.  We have been provided with working links to pages on the ICO website that contain the list and the template for the letter, but it’s unclear how you actually reach those pages from the ICO website itself.  Perhaps we have early versions of the links, or perhaps ICO intended to “de-publish” the list. Whatever the position is, our links work.

We’re not going to publish the list or the links, but its contents are curious.  We cannot see an obvious theme in the list of names.  A friend has speculated that the list is of the 50 most visited UK websites, but that sounds unlikely when you see some of the names involved.

Others speculate that the list is actually compiled from other lists of regulatory actions, investigations and inquiries held by ICO – in other words, the suggestion is that ICO may have written to organisations that it perceives to have compliance problems in other areas of the law.  So, for instance, ICO might have written to controllers who are on its radar for security breach problems, or perhaps subject access problems, and so on.  This idea may have merit, seeing that ICO follows what it describes as a “risk based approach” to regulation; a risk based approach naturally means placing your resources where you perceive the most risk.

Or, of course, the list may be entirely random.

Anyway, this list reminds me of two other recent situations.

Not too long back ICO was handling a Freedom of Information Act request that sought information about data controllers and security incidents regulated by the PEC Regulations. ICO invited the data controllers to comment on whether their details should be revealed before making its decision.

A little further back, there was another list circulating which, I seem to recall, was a list of data controllers whom ICO had invited to participate in consensual audits.  That list was published and then later removed.

Whatever the case may be, how the organisations named on the list will view their inclusion may depend on whether they are a “glass half full” kind of organisation or a “glass half empty” kind.  The glass half full organisation can say that it doesn’t matter that they’re on the list, because they’ve got a great story to tell about their cookie compliance strategy, so there is nothing to worry about. The glass half empty kind may say that, while they’ve got a great story to tell on cookies, they see a risk that their inclusion on the list carries an innuendo, published to the world, to the effect that ICO sees them as having a wider compliance issue; as the cookie issue fades from importance, the innuendo may remain, and that may not be helpful.

There is, of course, another kind of organisation: the one that actually wants to know how its name came to be included on the list and whether ICO’s selection reflected issues that are not strictly part of the current cookie compliance debate.  For those organisations, there are mechanisms available to understand the basis behind their selection.

Oh, yes, there is another kind of organisation – the one that has not got a good story to tell on cookie compliance.  Now, if the basis behind their selection is some other compliance issue, they may have something to worry about.  For them, some very interesting questions arise.  These principally concern the legal status of the letter they have received and the legal status of the request for a response within 28 days.  What legal power does ICO rely upon when making the request for an answer?  Is ICO making any promise that the answers received “will not be used in evidence” against them, or is there a chance that the responses will provide a substantive basis for enforcement action?  For an organisation with these concerns, it would be wise to understand the legal parameters of what is actually going on.  Whether this is worth doing or not ultimately depends on how you read the letter, but like every letter, ICO’s one ends with a signature.  And the signature is that of the PECR Enforcement Manager.

Makes you think…

(Posted on behalf of Stewart Room, Partner, Privacy & Information Law Group)

Cookie consent – developments in Spain

Posted on May 11th, 2012 by

Last month, Spain became the most recent territory to implement Europe’s ‘cookie consent’ requirement through amendments to its law on the Information Society and Electronic Commerce (34/2002).

The amended law allows website operators to serve cookies provided individuals have given “consent”, having been given clear and comprehensive information about why their personal data will be collected and processed. 

Contrary to some reports, the amended law does not require “opt in” or “express” consent, and recognises the possibility of obtaining consent through appropriate browser or application settings. However, given Spain’s longstanding history of vigorous data protection enforcement, website operators wishing to rely on “implied” consent solutions must provide robust transparency and choice.

Consent in Spain

Consent to data processing – whether express or implied – must always be freely given, unambiguous, specific and informed.

For historical reasons, Spanish data protection law allows personal data processing on an implied consent basis – requiring express consent only when the letter of the law explicitly mandates it. There is no legal reason why a similar approach should not also apply to cookie consent.

However, to rely on implied consent the website operator must be able to point to a demonstrable action or omission by the individual clearly indicating his or her wishes.   This is because the interpretation of the ‘specific’ and ‘unambiguous’ consent requirements by the Spanish DPA and the Spanish courts has historically been highly restrictive, unsurprisingly leaning towards a preference for express consent.

So while no guidance has been published to date by the Spanish DPA on how to comply with the cookie consent rule, relevant precedents indicate that it will interpret the ability for website operators to rely on implied consent very restrictively.

Practical advice for website operators

Coming up with an implied consent strategy that both benefits from the fact that express consent is not required by law and takes into account the context described above therefore requires careful consideration and some degree of creative thinking. It must necessarily reflect the level of intrusiveness that the cookies served will have on individuals’ expectations of privacy.

While the Spanish DPA will inevitably prefer opt-in approaches to consent, this is not required as a matter of Spanish law. Reliance on robust implied consent can suffice, in appropriate contexts, provided the website operator displays a prominent notice demonstrably visible to all visitors that:

(a) includes clear and detailed information about the use of cookies, the data they collect and how the data will be used (possibly through the use of layered notices);

(b) makes readily available easy-to-use, granular controls allowing visitors to accept or reject cookies as they please (e.g. cookie “on/off” switches); and

(c) critically, contains language explaining to visitors that their action or omission will indicate “acceptance” of cookies – for example, that by dismissing the cookie notice without changing cookie settings, individuals will accept the cookies the website operator serves.

In a perfect world, this notice would of course be given to the individual prior to the processing – for example, through a pop-up before cookies are served.  However, Spanish data protection law does envisage the possibility of temporary processing prior to obtaining consent from the individual under certain circumstances – suggesting that, with sufficient transparency and control, a cookie notice and controls may be served contemporaneously with the cookies themselves.

To opt-in or not to opt-in, that is the question!

The position in Spain is therefore no different to that in many other territories – a regulatory preference for express opt-in consent, but with the possibility that lawful implied consent approaches can be adopted. The challenge for website operators is to design notices and controls that obtain freely given, unambiguous, specific and informed consent on an implied basis – a high threshold, certainly, but one that can be met with careful thought and design.

French data protection authority updates its guidance on cookies

Posted on May 4th, 2012 by

The French data protection authority (the CNIL) has updated its guidance on local cookie consent requirements and has, in particular (i) suggested that analytics cookies might be exempt from the consent requirement, subject to certain conditions, and (ii) advised on possible means to obtain consent from Internet users in a way which complies with the law. 

Use of analytics cookies without consent

The CNIL considers that because of the specific purpose of these cookies and the “very limited risk to privacy posed by this type of processing“, it is not necessary to obtain prior consent from internet users.

However, the CNIL sets certain conditions that must be met in order to benefit from the exception, including (i) the provision of information (clear, complete and accessible from the site home page), (ii) the right of access, (iii) the right to refuse analytics cookies, (iv) purpose limitation (measuring website page traffic and producing anonymous statistics only), (v) restrictions on IP address use (geolocalization cannot be more specific than determining the city) and (vi) length of data retention (maximum six months).

It should be noted that the CNIL mentions that this new position might change in the very near future depending on an opinion soon to be adopted by the Article 29 Working Party.

High threshold to obtain a valid consent

The CNIL has not fundamentally changed its opinion that express means must be used to obtain consent from internet users.  It reaffirmed that the (non-exhaustive) mechanisms it considers compliant are consent banners at the top of a webpage, consent requests overlaid on the page and tick boxes while subscribing to a service online.

One useful aspect of the CNIL’s updated guidance is that it gives specific examples of the types of consent wording it expects. It insists that the information given to end users must include the specific purpose of the cookie. As such, the CNIL says that if the purpose of the cookie is to “create user profiles in order to send targeted advertising“, the information must include all of these words and not just the word “advertising”.

The CNIL’s guidance provides the two following examples of consent language that it considers to be valid:

“Do you accept a cookie from our partners PUBIX and ADVIX in order to analyze your interests for the purpose of delivering personalized advertising to you?

[   ] I accept    [   ] I refuse

More information here.”

“By ticking this box, I agree to receive cookies from during my visit to partnering Internet sites in order to identify me when I wish to share my favourite content with my friends.

To learn more.”

Finally, the CNIL also provides an interesting clarification, pointing out that simply mentioning cookies in the Terms of Use does not constitute an “acceptable” means of obtaining consent.

Three truths about cookie consent

Posted on May 1st, 2012 by

With less than a month to go until the first anniversary of the implementation of the amended e-privacy directive in the UK, which will coincide with the end of the self-imposed moratorium on enforcement of the ‘cookie consent’ requirement by the UK Information Commissioner, it is a good time to come clean on some of the inaccuracies that seem to be circulating in relation to compliance with this requirement:

*   No one will get fined for cookie consent breaches under the current UK law – Despite the sensationalist claims made by some, the truth is that the threshold for monetary fines under UK data protection law is so high that fines for this type of breach (in the UK!) are extremely unlikely.  However, it would also be extremely foolish to assume that in the absence of fines, non-compliant websites are simply off the hook.  Quite the opposite.  The ICO will focus instead on ensuring that infringing sites are forced to get their house in order within a limited period of time and therefore, both undertakings and enforcement notices will become the preferred enforcement tool in this area.

*   Implied consent does not mean business as usual – Much of the debate to date has centred on the scope for implied consent – that holy grail of compliance that does not involve ticking boxes or clicking on ‘I Accept’ buttons.  However, the notion of consent (however we want to qualify it) still involves a clear understanding of what we are agreeing to.  So if implied consent is going to be relied upon, it will have to be obvious to the average user what is happening, which in practice means that, as a minimum, a suitably visible and clear notice must be displayed and made available for long enough to be seen and digested.  Anything less than that would make it very hard to argue that consent was obtained and is likely to be dismissed as insufficient by regulators and the courts.

*   Sticking the words “By using this site you agree to…” in a privacy policy will NOT cut it – Finally, a word of caution to those who have received or seen guidance to the effect that consent may be obtained by functional use only – i.e. by sticking the words “By using this site you agree that we can place cookies on your device” in a privacy policy or cookie notice.  Needless to say, unless one can show that the notice was read (which is unlikely if it sits behind a minute link at the bottom of a website), the informed consent requirement will not be met.

So to comply with this requirement and as mentioned in the past, a prominent notice, a simple explanation and an opportunity to take a view on whether to accept or reject cookies will go a long way, but only if they move from a wish list to action.
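The Spanish post above (prominent notice, granular on/off controls, dismissal without changing settings treated as acceptance), the CNIL post (analytics cookies exempt only under listed conditions; a mention in the Terms of Use is not consent) and the three truths above all describe the same gating decision a website has to make before it sets a non-essential cookie. The following is an added example written for this page, not code from any of the posts’ authors, from the ICO, the Spanish DPA or the CNIL. It models that decision as plain logic that runs under Node.js with no browser: the notice is state, not DOM. The cookie names, the site flags, the reading of “six months” as 183 days and the two-second minimum the notice must have been on screen before a dismissal counts for anything are all assumptions of this example, not figures from the posts.

```javascript
// Purpose-based cookie-consent gate. Added example for this page; the cookie
// inventory, site flags and thresholds below are assumptions, not regulator text.

const PURPOSE = Object.freeze({
  NECESSARY: "necessary",     // needed to deliver what the visitor asked for
  ANALYTICS: "analytics",     // audience measurement
  ADVERTISING: "advertising", // profiling for targeted advertising
});

// Hypothetical cookie inventory. `anonymous` and `geo` describe the data an
// analytics cookie feeds; `retentionDays` is how long that data is kept.
const COOKIE_INVENTORY = Object.freeze({
  session_id:  { purpose: PURPOSE.NECESSARY,   retentionDays: 0 },
  _stats:      { purpose: PURPOSE.ANALYTICS,   retentionDays: 180, anonymous: true,  geo: "city" },
  _stats_long: { purpose: PURPOSE.ANALYTICS,   retentionDays: 395, anonymous: true,  geo: "city" },
  ad_profile:  { purpose: PURPOSE.ADVERTISING, retentionDays: 365, anonymous: false, geo: "street" },
});

const MAX_EXEMPT_RETENTION_DAYS = 183; // assumption: "six months" read as 183 days
const MIN_NOTICE_VISIBLE_MS = 2000;    // assumption: notice must be visible this long before a dismissal implies anything

// Consent state: when the notice was shown, plus one decision per non-essential purpose.
function newConsentState() {
  return { noticeShownAt: null, decisions: {} };
}

function showNotice(state, now) {
  return { ...state, noticeShownAt: now };
}

// Express choice made through a granular control (on/off switch, tick box).
function recordExpressChoice(state, purpose, accepted, now) {
  return {
    ...state,
    decisions: { ...state.decisions, [purpose]: { accepted, source: "express", at: now } },
  };
}

// Dismissing the notice without touching the controls implies acceptance, but only
// for purposes the visitor has not already decided on, and only if the notice was
// really shown for long enough to be seen. A dismissal never overrides an express refusal.
function dismissNotice(state, now) {
  if (state.noticeShownAt === null) return state;            // nothing shown, nothing implied
  if (now - state.noticeShownAt < MIN_NOTICE_VISIBLE_MS) return state;
  const decisions = { ...state.decisions };
  for (const purpose of [PURPOSE.ANALYTICS, PURPOSE.ADVERTISING]) {
    if (!(purpose in decisions)) {
      decisions[purpose] = { accepted: true, source: "implied-dismissal", at: now };
    }
  }
  return { ...state, decisions };
}

// Conditions under which an analytics cookie may run without prior consent, modelled on
// the list in the CNIL post above; the thresholds are this example's reading of it.
function analyticsExemptionApplies(cookie, site) {
  return (
    cookie.purpose === PURPOSE.ANALYTICS &&
    cookie.anonymous === true &&
    (cookie.geo === "city" || cookie.geo === "country") &&
    cookie.retentionDays <= MAX_EXEMPT_RETENTION_DAYS &&
    site.analyticsInfoOnHomepage === true &&
    site.analyticsRefusalAvailable === true
  );
}

// The gate: may this cookie be set right now? Returns the decision and the reason,
// so the reason can be logged next to the consent record. Note that a sentence in
// the Terms of Use never creates a decision here: no record means no consent.
function mayRunCookie(name, state, site) {
  const cookie = COOKIE_INVENTORY[name];
  if (!cookie) return { allowed: false, reason: "unknown cookie, not in inventory" };
  if (cookie.purpose === PURPOSE.NECESSARY) return { allowed: true, reason: "strictly necessary" };
  if (analyticsExemptionApplies(cookie, site)) return { allowed: true, reason: "analytics exemption" };
  const decision = state.decisions[cookie.purpose];
  if (!decision) return { allowed: false, reason: `no consent recorded for ${cookie.purpose}` };
  return {
    allowed: decision.accepted,
    reason: `${decision.accepted ? "accepted" : "refused"} via ${decision.source}`,
  };
}

// Walk-through of one visit: notice shown at t=0, visitor switches advertising off
// at 1.5s, then dismisses the notice at 3s. Site flags are assumed.
const EXAMPLE_SITE = { analyticsInfoOnHomepage: true, analyticsRefusalAvailable: true };
let exampleVisit = showNotice(newConsentState(), 0);
exampleVisit = recordExpressChoice(exampleVisit, PURPOSE.ADVERTISING, false, 1500);
exampleVisit = dismissNotice(exampleVisit, 3000);
for (const name of Object.keys(COOKIE_INVENTORY)) {
  console.log(name, mayRunCookie(name, exampleVisit, EXAMPLE_SITE));
}
```

The design point is that the gate only ever looks at a recorded decision, and the only two ways to create one are an express control or a dismissal of a notice that was actually shown for long enough. That makes the third truth above a structural property rather than a policy: “By using this site you agree” in a document nobody opened produces no record, so the non-essential cookies stay off.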