Archive for the ‘Uncategorized’ Category

NIS Directive establishes first EU-wide cyber security rules

Posted on February 10th, 2016 by

In December 2015 the EU institutions came to an agreement on the Network and Information Security Directive (‘NIS Directive’), establishing a set of EU-wide rules on cyber security for the first time; formal adoption of the Directive by the European Parliament and the Council of the EU is pending at the time of publication. For those businesses that fall under its scope, such as search engines and cloud computing providers, the advent of the NIS Directive will mean that incident handling and notification will take on a more serious role than previously, and numerous security obligations will need to be satisfied.

Mark Webber and Michael Brown of Fieldfisher discuss five key issues for online businesses to consider in reaction to the Directive.


Under the NIS Directive, certain companies operating in critical sectors such as health, energy and transport, as well as some online businesses like search engines, online marketplaces and cloud computing providers, will be required to satisfy wide-ranging security and incident reporting obligations.

From the TalkTalk hack to the Ashley Madison breach, cyber security issues and risks have captured the attention of journalists, CEOs, legislators and ordinary citizens in recent years. The NIS Directive represents a legislative attempt to address some of these cyber issues and risks and, in doing so, safeguard EU critical infrastructure and the much-vaunted EU Digital Single Market.

Although the NIS Directive has yet to be formally adopted by the European Parliament and the Council of the EU, the authors of this article have obtained a copy of the agreed text. We understand from sources in Brussels that there are unlikely to be any notable amendments to the text that we reviewed. The law makes for fascinating reading and will undoubtedly raise significant compliance challenges for all of the entities who will be subject to its requirements. These entities are divided into the following two categories: (i) operators of essential services; and (ii) digital service providers.

In February/March 2016, the European Parliament and Council of the EU will formally approve the law. After that, the text will be published in the EU Official Journal and will officially enter into force. Member States will have 21 months to implement the NIS Directive into their national laws and six months more to identify operators of essential services. During this time, the European Commission will adopt implementing acts, which will realise some of the more specific elements of the law on security measures and incident notification. Here we set out five key issues with which online businesses will have to wrestle to ensure cyber security compliance and, in turn, hopefully reduce their chances of becoming the next breach story.


The first critical issue for online businesses is to assess whether they are subject to the law’s requirements. The NIS Directive applies to operators of essential services and digital service providers. It does not apply to telcos or payment service providers who are subject to separate security and incident reporting obligations. It also does not apply to hardware/software developers or small/micro-sized digital service providers.

Operators of essential services can be public or private entities and are defined as follows: ‘(i) the entity provides a service which is essential for the maintenance of critical societal and/or economic activities; (ii) provision of that service depends on network and information systems; and (iii) an incident to the network and information systems of that service would have significant disruptive effects on its provision.’ There is little merit in analysing this definition since each Member State will be responsible for identifying its operators of essential services. These entities will then be listed in the national laws that implement the Directive. One of the law’s purposes is to protect critical infrastructure in the event of a cyber attack and so it is highly likely that energy suppliers, airports, banks, utility companies and healthcare providers will be considered as operators of essential services.

Digital service providers are defined to consist of online marketplaces, online search engines and cloud computing services. From the law’s recitals, it seems that all three categories will be interpreted very widely.

An online marketplace is defined as ‘a digital service that allows consumers and/or traders as defined respectively in Article 4(1)(a) and 4(1)(b) of Directive 2013/11/EU to conclude online sales and service contracts with traders either on the online marketplace’s website or on a trader’s website that uses computing services provided by the online marketplace.’ The breadth of this definition means that large players like Amazon and eBay will be caught but, equally, small e-commerce stores where consumers can purchase products/services from third party traders may also be subject to the law. App stores are also deemed to be in scope but price comparison websites are not.

An online search engine is defined as ‘a digital service that allows users to perform searches of in principle all websites or websites in a particular language on the basis of a query on any subject in the form of a keyword, phrase or other input; and returns links in which information related to the requested content can be found.’ Clearly, the likes of Google and Bing will fall within this definition. A cloud computing service is defined as ‘a digital service that enables access to a scalable and elastic pool of shareable computing resources.’ The law’s recitals provide brief guidance on the following different elements of this definition: ‘computing resources’; ‘scalable’; ‘elastic pool’; and ‘shareable.’ However, it remains very unclear how this definition will be applied in practice. Put simply, a vast number of online businesses provide cloud computing services (even if they are not the business’ primary commercial offering) and thus are likely to fall within this definition as drafted.

Given the opaqueness of the definition and recitals, online businesses should carry out a careful legal analysis of whether they are defined as a cloud computing service. The need for this analysis is heightened by the fact that, unlike operators of essential services, the obligation is on online businesses to self-assess whether they are subject to the law’s requirements.

Despite the NIS Directive’s apparent broad net, the good news for online businesses is that the law sets out a more ‘light-touch’ approach towards its security and notification obligations compared to operators of essential services. Information on these obligations is set out below.


As a brief recap, the NIS Directive will be transposed into a national law for each Member State. Therefore, online businesses in scope will need to assess which national law applies to their network and information systems. It seems that operators of essential services and digital service providers that are active in multiple Member States may not need to comply with the national implementing law in each of these countries. The entity will only have to comply with the national law in the Member State where it is established. In this context, establishment means where an entity has an ‘effective and real exercise of activity through stable arrangements’ rather than, for example, the physical location of its network and information systems or location of its legal branch.

If a digital service provider is not established in a Member State but still provides services within the EU then it must appoint a ‘representative.’ At this stage, there is little guidance on who can perform the role of a representative.

Finally, as a ‘minimum harmonisation’ law, Member States are entitled to adopt or maintain provisions with a view to achieving a higher level of cyber security than set out in the law. For example, certain Member States like Germany and Spain are likely to enact stricter security legislation than other Member States. All in all, the national implementations of the NIS Directive represent an additional issue (though clearly not as significant as tax or employment issues) for an online business to consider when deciding upon its EU country of establishment.


Online businesses in scope should acquaint themselves with the new authorities/bodies established by the NIS Directive. This is crucial so that a business knows the following: (i) to which authority incidents should be notified; and (ii) the authority that has the power to sanction non-compliance.

The NIS Directive refers to two bodies of importance to online businesses. The first is the national competent authority (‘NCA’). An NCA will be formed in each Member State and will be in charge of regulating the law’s application at national level. It may be an existing regulator or a new body (the UK Information Commissioner’s Office has already made known its reluctance to perform this role). Each NCA will have differing powers in relation to operators of essential services and digital service providers.

Unlike with operators of essential services, the NCA will have no general power to regulate the conduct of digital service providers. However, it will be able to take ‘action’ when provided with ‘evidence’ that a digital service provider is failing to comply with the NIS Directive. Such evidence can be provided by the digital service provider itself, a user of its service or another NCA.

In an environment of user activism regarding data protection and cyber security, it is reasonable to think that evidence will be submitted. Thus, online businesses should prepare themselves for such scenarios. The ‘action’ that the NCA will be able to take will be to require the digital service provider to remedy any failure to fulfil its security and incident notification requirements. No explanation is provided as to how the NCA will require remedial action to be taken. This, along with other enforcement measures (like fines, undertakings etc.) will be determined by each Member State and then set out in the national law.

The second body of importance is the Computer Security Incident Response Team (‘CSIRT’). Each Member State will have a CSIRT, which will provide guidance to operators of essential services and digital service providers on cyber security issues as well as cooperate internationally to ensure that cross-border threats are detected and handled. Online businesses may wish to liaise with a CSIRT regarding the practical issues/questions relating to incident preparedness.

At present, the precise powers and responsibilities of the NCAs and CSIRTs are uncertain. For example, the NIS Directive provides that incident notifications can be made to an NCA, a CSIRT or both. Clearly, this is not ideal since an online business needs certainty on the appropriate notifying body and also to bake this information into its incident handling policies/procedures. Hopefully, this point will be resolved in the implementing acts or national transpositions. Online businesses should keep a watching brief on these and the formation of the NCAs/CSIRTs to determine their regulatory approach.


Online businesses in scope will be required to put in place ‘appropriate and proportionate technical and organisational measures’ to protect NIS. These measures must ensure that digital service providers manage the risks posed to the security of networks and information systems that they use in the provision of their service.

In implementing these security measures, digital service providers must take into account the following elements: (i) security of systems and facilities; (ii) incident management; (iii) business continuity management; (iv) monitoring, auditing and testing; and (v) compliance with international standards.

The European Commission will adopt implementing acts that set out in more detail the specifications of the security measures. These are intended to be harmonised across Member States for digital service providers. Putting in place security measures is a key requirement under the NIS Directive but one that remains up in the air (despite the fact that it is similar to the ‘data security’ requirement in the Data Protection Directive). In light of this uncertainty, an online business should monitor the publication of European Commission implementing acts and then conduct a review of its security measures for compliance.


Online businesses in scope will be required to notify any incident having a ‘substantial impact’ on the provision of their digital service. The European Commission will adopt implementing acts on the notification requirement, which is intended to be harmonised across Member States for digital service providers. However, what we know so far is that the notification should be made to the NCA or the CSIRT ‘without undue delay.’ The notification should contain information to enable the NCA or the CSIRT to determine the significance of any cross-border impact. After consulting with the digital service provider, the NCA or the CSIRT may choose to publicise the incident in certain circumstances.

In order to determine whether the impact is ‘substantial,’ the digital service provider should consider the following parameters: (i) the number of users affected by the incident, in particular users relying on the service for the provision of their own services; (ii) the duration of the incident; (iii) the geographical spread with regard to the area affected by the incident; (iv) the extent of the disruption of the functioning of the service; and (v) the extent of the impact on economic and societal activities.

No guidance has been provided as to how overlapping notification obligations (e.g. under the NIS Directive and the General Data Protection Regulation) will work in practice. Hopefully this business headache will be resolved in the implementing acts.

This is a landmark requirement since digital service providers are not currently obliged to notify data security or cyber security incidents in EU Member States. Therefore, the new law mandates notification (which is voluntary in most Member States) thereby meaning that digital service providers need to take incident handling and notification more seriously than ever before. This means that online businesses in scope should formulate and agree upon incident handling and notification policies and procedures to ensure they are ready to deal with likely incidents and mitigate commercial, reputational and regulatory risks.

This article first appeared in the January 2016 edition of E-Commerce Law and Policy.

Everything you need to know about the GDPR in under 60 minutes

Posted on February 1st, 2016 by

In addition to the excellent “Getting to Know the GDPR” series Fieldfisher Privacy, Security and Information team members have been posting through this blog, my partner Mark Webber and I recently gave a live presentation on “Everything you need to know about the GDPR in under 60 minutes”.

The presentation was recorded, and a copy of our presentation is now available for viewing online here. If you’re looking for some simple training on the key GDPR issues most likely to affect your business, then enjoy!


Getting to know the General Data Protection Regulation, Part 3 – If you receive personal data from a third party, you may need to “re-think” your legal justification for processing it

Posted on November 13th, 2015 by

One of the most hotly debated issues of the new General Data Protection Regulation (GDPR) is that of consent. The controversy arises from the proposed stricter requirements for consent and reforms to the so called “legitimate interests” grounds.

While the “consent” and “legitimate interests” grounds are just two of a number of grounds for justifying the processing of personal data, they are the grounds that are most commonly relied upon for the purposes of the Directive. The proposals under the GDPR with regard to these data processing grounds could have serious practical implications for business.

What does the law require today?

At present, in order to validly obtain consent, businesses need to provide sufficient information to individuals about how and why they process their personal data and provide a mechanism whereby individuals can indicate their consent. In this sense, consent can be implied under the Directive and it is only in specific cases, such as the processing of sensitive personal data (i.e. data that can reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or data relating to the data subject’s health or sex life) that consent needs to be explicit.

The ‘legitimate interests’ condition provides grounds to process personal data in a situation where a business needs to do so for the purpose of its own legitimate interests or the legitimate interests of the third party to whom the information is disclosed. The legitimate interests of the business or the third party must be balanced against any prejudice to the rights and freedoms or legitimate interests of the individual whose data is being processed.

In a number of jurisdictions, including the UK, the “legitimate interests” condition provides a degree of data processing flexibility that might not otherwise exist. On the other hand, some DPAs have taken a more restrictive approach – for example, the Spanish data protection regulator considers that personal data should only be processed for the purposes it was collected, with very limited exceptions.

Nevertheless, the Directive offers a business-friendly approach that the legislators are now considering re-defining.

What will the General Data Protection Regulation require?

As regards consent, the Commission proposed (and the Parliament agreed) that consent should always be “explicit, freely given, specific and informed”. It also noted that consent should be obtained through a statement or “clear affirmative action”, that it could be withdrawn at any given time by the data subject, and that it would not be legally valid if there is “a significant imbalance between the position of data subject and the controller”.

The Commission’s and Parliament’s “explicit consent approach” is a radical change to that of the Directive, which only requires “explicit” consent to process sensitive data. On the other hand, the Council suggests that consent under the GDPR need not be “explicit” – it need only be “unambiguous”.

A requirement in GDPR for consent to be “explicit” (stated clearly and in detail) is very different to a requirement for it to be “unambiguous” (clear and cannot be understood wrongly). Whereas unambiguous consent would mean consent could still be implied, explicit consent would open the door to a world of never-ending tick boxes.

Additionally, and regardless of the type of consent that is finally agreed to be valid under the GDPR, the Parliament proposes that companies should be required to demonstrate that they have effectively obtained users’ consent – this proposal, if implemented, would impose a significant practical burden on businesses.

Given the likely difficulty of relying on consent, the possibility of relying on the “legitimate interests” ground will be crucial from a business perspective. However, it is unclear what form this condition will take in the final text of the GDPR.

On the one hand, the Commission and Parliament suggest individuals’ data can only be processed: (i) for a purpose to which they have consented; or (ii) for such legitimate interests of the controller or relevant third parties as individuals could reasonably expect.

On the other hand, the Council proposes a more business-orientated approach, which would allow controllers and processors alike to process data on the “legitimate interests” ground even for purposes that are incompatible with the original purposes of the processing, provided that the interests or the fundamental rights and freedoms of the individual are not overriding.

It remains to be seen what form the “legitimate interests” condition will ultimately take.

What are the practical implications?

If a business wishes to process personal data for purposes other than those for which it was collected (as specified in the relevant data protection notices), it will potentially have limited compliance options. If the approach of the Commission and Parliament is ultimately adopted, businesses that wish to undertake processing that is not compatible with the purpose for which the personal data has been collected will not be able to justify the processing by reference to the “legitimate interests” criterion.

Of course, there is the option of explicit consent but that is likely to mean serious (and expensive!) re-engineering of data collection forms, online and mobile user interfaces as well as a re-evaluation of terms and conditions/privacy policies etc. In some scenarios, consent may not be an option in any event, e.g. where there is a significant imbalance between the individual and the organisation that is collecting the personal data.

Given that consent is less likely to be an option for one reason or another, the proposed reforms present a serious difficulty for businesses since there are a number of scenarios in which businesses may wish to use personal data in a way that is not compatible with the purposes for which it was collected.

Further, the proposals may also give rise to legally and commercially complicated situations, for example, where the user does not consent to or withdraws his/her consent to the relevant data processing.

So, what can businesses do now?

  • Start auditing all their various uses of data;
  • Understand the grounds on which they collect and use data; and
  • Assess whether these grounds remain valid under the GDPR and, if not (or if those grounds become marginalised) have in place plans to transition to new grounds.

Weltimmo – The lesser-known decision of the Court of Justice of the European Union

Posted on October 21st, 2015 by

In all of the excitement surrounding the Schrems decision and its impact on Safe Harbor, it would be easy to miss the significance of the other decision of the Court of Justice of the European Union (“CJEU”) in Weltimmo – issued just days before the judgement in Schrems. Yet the Weltimmo judgement, in its own way, has the potential to significantly impact the way in which global organisations should be thinking about their data protection strategy in Europe.

In Weltimmo, the CJEU came to a number of game-changing conclusions in relation to the applicability of EU data protection law. In essence, the judgement opens the doors for individuals to beat a path to the door of their local DPA to complain about data protection law breaches, even if the organisations about which they are complaining claim to be established in another EU Member State.

Under the EU Data Protection Directive, if a business is ‘established’ in an EU Member State and is processing personal data in the context of that establishment, it will fall within the scope of the data protection law of that Member State. Up to now, businesses have interpreted this rule to mean that if they are headquartered in a particular EU Member State, they have to comply with the data protection laws of only that Member State. Many US multinationals have taken the approach of incorporating an entity in a particular Member State (e.g. Ireland) and nominating this entity as the data controller for the purposes of EU data protection law.

My colleague Tim Van Canneyt has previously discussed how the nomination of a single data controller is under fire – see here. The decision in Weltimmo puts beyond doubt that companies should be re-thinking this strategy.

So what does the Weltimmo decision say? Key points are:

  • The concept of establishment must be interpreted broadly;
  • Currently, there is no ‘one-stop-shop’ principle – if a data controller is established on the territory of more than one Member State, each of the establishments must comply with applicable data protection law;
  • The legal form of such establishment (e.g. branch, subsidiary etc) is not the determining factor;
  • The formalistic approach whereby organisations are considered to be established solely in the place in which they are registered is not the correct approach;
  • There is a 3-pronged test:
    1. Is there an exercise of real and effective activity – even a minimal one?
    2. Is the activity through stable arrangements?
    3. Is personal data processed in the context of the activity?

In determining whether the above test is met, the CJEU provides guidance on a number of factors to be taken into consideration. In particular, the context must be considered i.e. the nature of the economic activities/service provided by a business. For an Internet business, the fact that the website is written in the language of a Member State (and, as a consequence, mainly or directly targeted at that Member State) is a significant factor.

Crucially, the presence of only one representative in a Member State can, in some circumstances, suffice to meet the stable arrangement criterion – the role of the representative is relevant in this context, e.g. as a point of contact for data subjects and/or as a representative for the data controller in judicial and administrative proceedings. The opening of a bank account by the data controller in a particular Member State is also relevant. However, the nationality of the owners of the business should not be taken into account.

On the other hand, the CJEU decision turns very much on the facts – it is difficult to work out what weight to give to each of the relevant factors to be taken into consideration. For example, it is not clear whether physical presence is always required, e.g. whether it would be enough if, in the context of an Internet business, the business is targeting the citizens of a particular country on an ongoing basis via a website translated into the language of that country.

However, in view of the low threshold for determining whether a data controller is ‘established’ in a particular Member State – processing personal data in the context of the exercise of an activity, however minimal, and, depending on the circumstances, having just one representative – it is likely that many organisations headquartered in a particular Member State will need to revisit their European data protection strategy.

As per our recommendations here, businesses should put in place certain conditions and controls to support the contention that the nomination of a data controller in a particular Member State goes beyond a mere nomination “on paper”. However, as a result of Weltimmo, businesses should also look to other key EU Member State markets, e.g. where they are targeting the citizens of those Member States and/or have even a minimal presence, and consider the likely implications of being subject to the data protection laws of those Member States.


Getting to know the GDPR, Part 2 – Out-of-scope today, in scope in the future. What is caught?

Posted on October 20th, 2015 by

The GDPR expands the scope of application of EU data protection law requirements in two main respects:

  1. in addition to data “controllers” (i.e. persons who determine why and how personal data are processed), certain requirements will apply for the first time directly to data “processors” (i.e. persons who process personal data on behalf of a data controller); and
  2. by expanding the territorial scope of application of EU data protection law to capture not only the processing of personal data by a controller or a processor established in the EU, but also any processing of personal data of data subjects residing in the EU, where the processing relates to the offering of goods or services to them, or the monitoring of their behaviour.


The practical effect is that many organisations that were to date outside the scope of application of EU data protection law will now be directly subject to its requirements, for instance because they are EU-based processors or non EU-based controllers who target services to EU residents (e.g. through a website) or monitor their behaviour (e.g. through cookies). For such organisations, the GDPR will introduce a cultural change and there will be more distance to cover to get to a compliance-ready status.

What does the law require today?

The Directive

At present, the Data Protection Directive 95/46/EC (“Directive”) generally sets out direct statutory obligations for controllers, but not for processors. Processors are generally only subject to the obligations that the controller imposes on them by contract. By way of example, in a service provision scenario, say a cloud hosting service, the customer will typically be a controller and the service provider will be a processor.

Furthermore, at present the national data protection law of one or more EU Member States applies if:

  1. the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State. When the same controller is established on the territory of several Member States, each of these establishments should comply with the obligations laid down by the applicable national law (Article 4(1)(a)); or
  2. the controller is not established on EU territory and, for purposes of processing personal data makes use of equipment situated on the territory of a Member State (unless such equipment is used only for purposes of transit through the EU) (Article 4(1)(c)); or
  3. the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law (Article 4(1)(b)). Article 4(1)(b) has little practical significance in the commercial and business contexts and is therefore not further examined here. The GDPR sets out a similar rule.


CJEU case law

Two recent judgments of the Court of Justice of the European Union (“CJEU”) have introduced expansive interpretations of the meaning of “in the context of the activities” and “establishment”:

  1. In Google Spain, the CJEU held that “in the context of the activities” does not mean “carried out by”. The data processing activities by Google Inc are “inextricably linked” with Google Spain’s activities concerning the promotion, facilitation and sale of advertising space. Consequently, processing is carried out “in the context of the activities” of a controller’s branch or subsidiary when the latter is (i) intended to promote and sell ad space offered by the controller, and (ii) orientates its activity towards the inhabitants of that Member State.
  2. In Weltimmo, the CJEU held that the definition of “establishment” is flexible and departs from a formalistic approach that an “establishment” exists solely where a company is registered. The specific nature of the economic activities and the provision of services concerned must be taken into account, particularly where services are offered exclusively over the internet. The presence of only one representative, who acts with a sufficient degree of stability (even if the activity is minimal), coupled with websites that are mainly or entirely directed at that EU Member State suffice to trigger the application of that Member State’s law.


What will the GDPR require?

The GDPR will apply to the processing of personal data:

  1. in the context of the activities of an establishment of a controller or a processor in the EU; and
  2. of data subjects residing in the EU by a controller not established in the EU, where the processing activities are related to the offering of goods or services to them, or the monitoring of their behaviour in the EU.

It is irrelevant whether the actual data processing takes place within the EU or not.

As far as the substantive requirements are concerned, compared to the Directive, the GDPR introduces:

  1. new obligations and higher expectations of compliance for controllers, for instance around transparency, consent, accountability, privacy by design, privacy by default, data protection impact assessments, data breach notification, new rights of data subjects, engaging data processors and data processing agreements;
  2. for the first time, direct statutory obligations for processors, for instance around accountability, engaging sub-processors, data security and data breach notification; and
  3. severe sanctions for compliance failures.


What are the practical implications?

Controllers who are established in the EU are already caught by EU data protection law, and will therefore not be materially affected by the broader scope of application of the GDPR. For such controllers, the major change is the new substantive requirements they need to comply with.

Processors (such as technology vendors or other service providers) established in the EU will be subject to the GDPR’s direct statutory obligations for processors, as opposed to just the obligations imposed on them by contract by the controller. Such processors will need to understand their statutory obligations and take the necessary steps to comply. This is a major “cultural” change.

Perhaps the biggest change is that controllers who are not established in the EU but collect and process data on EU residents through websites, cookies and other remote activities are likely to be caught by the scope of the GDPR. E-commerce providers, online behavioural advertising networks and analytics companies that process personal data are all likely to be caught by the scope of application of the GDPR.

We still have at least 2 years before the GDPR comes into force. This may sound like a long time, but given the breadth and depth of change in the substantive requirements, it isn’t really! A lot of fact finding, careful thinking, planning and operational implementation will be required to be GDPR ready in 24 months.

So what should you be doing now?

  1. If you are a controller established in the EU, prepare your plan for transitioning to compliance with the GDPR.
  2. If you are a controller not established in the EU, assess whether your online activities amount to offering goods or services to, or monitoring the behaviour of, EU residents. If so, assess the level of awareness of / readiness for compliance with EU data protection law and create a road map for transitioning to compliance with the GDPR. You may need to appoint a representative in the EU.
  3. Assess whether any of your EU-based group companies act as processors. If so, assess the level of awareness of / readiness for compliance with EU data protection law and create a road map for transitioning to compliance with the GDPR.
  4. If you are a multinational business with EU and non-EU affiliates which will or may be caught by the GDPR, you will also need to consider intra-group relationships, how you position your group companies and how you structure your intra-group data transfers.

Debunking EU Data Protection Reform

Posted on September 24th, 2015 by

Europe’s proposed General Data Protection Regulation remains subject to some significant negotiation and is unlikely to come into force until 2017 – 2018. Any business using personal data should start considering the future rules and what they are likely to mean in practice, not least as there are potentially some significant changes. The overall intent is to update the existing laws and to introduce greater harmonisation across EU Member States. As you would expect, the Fieldfisher Privacy, Security and Information team is monitoring the progress of the legislative changes. Whilst we are cautious about recommending any significant preparatory steps until the exact make-up of the final rules is better understood (hopefully during the early part of 2016), businesses should be aware of the potential impact of the proposed Regulation.

Click here for our “infographic” on debunking EU Data Protection Reform.  We have set out 10 things that we think that you should know and will be running a blog series over the next weeks and months dealing with each of these areas in further detail.

Look out for our first blog by my colleague Phil Lee next week: “The pool of data which is potentially personal gets deeper”.

As John F. Kennedy put it: “Change is the law of life.  And those who only look to the past or present are certain to miss the future.”

German DPA takes on Facebook again

Posted on July 31st, 2015 by

The DPA of Hamburg has done it again and picked up a new fight against mighty US giant Facebook. This time, the DPA was not amused about Facebook’s attempt to enforce its real name policy, and issued an administrative order against Facebook Ireland Ltd.

The order is meant to force Facebook to accept aliased user names, to revoke the suspension of user accounts that had been registered under an alias, to stop Facebook from unilaterally changing alias user names to real user names, and to stop requesting copies of official ID documents. It is based on Sec. 13 (6) German Telemedia Act, which requires service providers like Facebook to offer access to their services anonymously or under an alias, and also a provision of the German Personal ID Act which arguably prohibits requesting copies of official ID documents.

Despite this regulation, Facebook’s terms of use oblige users to use their real name in Germany, too. Early this year, Facebook started to enforce this policy more actively and suspended user accounts that were registered under an alias. The company also requested users to submit copies of official ID documents. It also sent messages to users asking them to confirm that “friends” on the network used their real name. In a press statement, Mr Caspar, head of the Hamburg DPA said: “As already became apparent in numerous other complaints, this case shows in an exemplary way that the network [Facebook] attempts to enforce its so-called real name obligation with all its powers. In doing so, it does not show any respect for national law.”

“This exit has been closed”

Whether Facebook is at all subject to German law has been heavily disputed. While the Higher Administrative Court of the German state Schleswig-Holstein ruled that Facebook Ireland Limited, as a service provider located in an EU member state, benefits from the country-of-origin principle laid down in Directive 95/46/EC, the Regional Court of Berlin came to the opposite conclusion: it held that Facebook Inc. rather than Facebook Ireland Ltd would be the data controller, as the actual decisions about the scope, extent and purpose of the processing of data would be made in the US. The court also dismissed the argument that Facebook Ireland acts as a data controller in a data controller-processor agreement with Facebook Inc., as it ruled that the corporate domination agreement between Facebook Inc. and Facebook Ireland prevails over the stipulations of the data controller-processor agreement. As Facebook has a sales and marketing subsidiary in Hamburg, the Hamburg DPA now believes that the ECJ ruling in the Google Spain case gives it a tailwind in establishing the applicability of German law: “This exit has been closed by the ECJ with its jurisdiction on the Google search engine. Facebook is commercially active in Germany through its establishment in Hamburg. Who operates on our playing field must play by our rules.”

While previous activities of German DPAs against Facebook were aimed at legal issues that did not really agitate German users, such as the admissibility of the “like”-button, the enforcement of the real name policy upset German users in numbers, and a lot of users announced that they would turn their backs on the network. The issue also saw a lot of press coverage in national media, mostly in strong criticism of Facebook.

5 Practical Steps to help companies comply with the E-Privacy Directive (yes, it’s cookies again!)

Posted on July 13th, 2015 by

This month (July 2015), the IAB Europe published new Guidance titled “5 Practical Steps to help companies comply with the E-Privacy Directive”. These 5 sensible steps in the document are aimed at brand advertisers, publishers and advertising businesses. The EU’s cookie compliance rules were remodelled as far back as 2009 when a broader set of telecommunications rules updated the e-Privacy Directive. There’s been no change since so this Guidance has not been prompted by any regulatory change or significant shift in the compliance landscape. It does, however, serve as a useful practical reminder to anyone considering or revisiting their compliance strategy.

The context and Article 5.3

The advice in the Guidance centres around that now familiar extract from the e-Privacy Directive, Article 5.3. This of course requires you to obtain prior informed consent for storage of, or access to, information stored on a user’s terminal equipment.

The Guidance rightly acknowledges that there are differences in both the national implementations of this rule as well as the related regulatory guidance Member State to Member State.  Therein lies the rub, as many are seeking a “one-size-fits-all” approach for Europe. Often criticised, the law requires you to get consent, but doesn’t actually say how. These 5 steps from the IAB delve into the “how” and may assist you.

The 5 recommended steps in the Guidance

At a high-level the Guidance makes the following practical observations:

  1. Monitor and assess your digital property – know your properties, their technology, and what data they collect. Regularly audit these to understand the data collected and how it is used. Be particularly cautious when using partners who are collecting data on your properties.
  2. Be clear and transparent in how you present information to consumers – use plain and easy-to-understand language and don’t mislead. Consider a layered approach and, where appropriate, use helpful websites (eg like or to convey messages about how and why your property deploys its technologies (and for what purposes).
  3. Make things prominent – ensuring your privacy property is available and distinguishable. There are some short tips around ways you could go about this.
  4. Context is king! – the Guidance suggests you consider ways to achieve consent in a contextual way. Rightly this step suggests “that the key point is that you must gain consent by giving the user specific information about what they are agreeing to and providing them with a way to indicate their acceptance.” Fieldfisher reminds you that there are a number of mechanisms (express and implied) by which you may achieve this and the Guidance suggests a few of the available approaches in this step.
  5. Consider joining the EU industry programme to provide greater contextual transparency and control to consumers over customised digital advertising – “why not?” we say, as this is another tactic for staying in touch and demonstrating commitments. This step highlights the benefits of to behavioural advertisers and the “icon” initiative and transparency mechanisms available via

The so what?

The e-Privacy Directive and the EU cookie compliance issues associated with it have been alive and well for years now. We’ve frequently updated readers on the enforcement issues, sweep days and other stories where cookie compliance comes to the fore. It’s not entirely clear what prompted this “best practice” advice and steps from the IAB, but the short document is practical and insightful, whether you’re new to cookie compliance or revisiting your compliance approach.

As other members of the team have recently blogged, the CNIL recently issued a press release stating that, following its online cookies audits conducted last October (see our previous blog article), it has sent out a formal letter of enforcement (“lettre de mise en demeure”) to approximately 20 companies requesting them to comply with the cookie rules in France. Cookie compliance needs are not going away nor are they particularly difficult for most online properties. What’s more, when looking at your peers, there’s no doubt that a level of compliance and transparency is fairly prevalent across EU and EU facing websites today.

What now?

So how should you deal with cookies?  Well, the steps in this Guidance give you a great practical head start. Cookie compliance and the approach to compliance has been market-led since the outset. When asked what “good” looks like, even among the regulators the thinking went that the online industry was better placed to innovate creative and unobtrusive ways to get consent than lawyers, regulators and legislative draftsmen. That’s where bodies like the IAB Europe have played a central role and, by aligning your own practices with the pack, you are rarely in a bad place in the world of cookie compliance.


Mark Webber, Partner – Digital Regulation and Technology (Silicon Valley)


France’s Ambition for the Future of the Digital Economy

Posted on June 24th, 2015 by

On June 18th, the French National Digital Council (“Conseil National du Numérique” or “CNN”) released a Report entitled “Digital Ambition: a French and European policy for a digital transition” containing 70 proposals for the future of the digital economy in France and Europe. The Report follows a nation-wide consultation of the major stakeholders which has also sparked a debate on various issues relating to the digital economy, such as how to regulate digital platforms and how to boost the competitiveness of French start-up companies.

The Report was officially presented to the public in the presence of Manuel Valls, the French Prime Minister, Emmanuel Macron, Minister for the Economy, the Industry and the Digital Economy, and Axelle Lemaire, State Secretary for Digital Affairs. During the press conference, Manuel Valls announced that his Government has already prepared and will introduce a “Digital Bill” before the French National Assembly in the fall, aimed at regulating the use of the Internet, as well as stimulating innovation and fostering growth in the digital economy. The competent public authorities, such as the French Data Protection Authority (“CNIL”), will be consulted beforehand on the draft Bill.

The 70 proposals in the Report are structured around four main topics, namely: 1) Fairness and freedom in a shared digital environment; 2) Re-defining public action in the digital sphere: openness, innovation, participation; 3) Boosting the French economy: towards an economy of innovation; and 4) Solidarity, equality, emancipation: the stakes of a digital economy.

Below is a selection of some of the key proposals in the field of data protection that can be found in the Report:

  • The right to self-determination of data

The Report recommends creating a fundamental right to self-determination of data, a concept directly inspired from German law, based on a decision of the German Constitutional Court of 1983, which recognized the individual’s right to decide on the communication and use of one’s personal data.

The CNN acknowledges the progress made in the upcoming General Data Protection Regulation (see my previous article on the topic) and calls for the adoption of a broad definition of “personal data”, consent of the individual for secondary uses of his/her data, and a reinforced control of the individual over his data (including over the disclosure of data).

  • The right to the portability of data

The right to portability is viewed as an extension of the right to self-determination, enabling the individual to transfer and re-use his/her data across various services. This could be done, for example, by encouraging the development of PIMS (“Personal Information Management Systems”) that would allow individuals to store their data where they wish and to control how their data is disclosed to third parties.

  • Criteria applicable to the de-listing of data

The Report suggests creating a legal framework (by way of either a European Regulation or a national law) for user requests to de-list their personal data based on a set of criteria that are defined by the national data protection authorities, not search engines. The Report specifically refers here to the guidelines set out by the Article 29 Working Party in its analysis of the Mario Costeja Gonzales case adopted in November 2014 (see our previous article) and considers that these guidelines should apply to search engines.

  • Secondary uses of personal data

The Report considers that individuals are insufficiently informed about the disclosures of their personal data by the initial data controller to third parties (such as business partners). To increase transparency, the Report recommends imposing on the initial data controller an obligation to inform the data subjects clearly about the selling or disclosure of their data to third parties (including the names of such parties) and to allow the data subject to opt-out from the disclosure of their data to third parties, at any time, regardless of the opt-in or opt-out provided to the initial data controller.

  • Data protection class actions

The Report supports the idea of creating a class action for violations of data protection legislation that would be brought before the first instance courts by consumer protection associations.

  • Fairness of web platforms

The Report underlines an unfair balance between web platforms and their users, due to the lack of transparency regarding the use of Big Data, the difficulties for users to migrate from one platform to another, or the excessive cost of services on some platforms. To remediate this situation, the Report proposes to create a principle of fairness that would require web platforms to conduct their business in good faith and in a transparent manner, for example, with regard to the collection, processing and restitution of personal data. The principle of fairness would apply to web platforms in their relations with consumers and professionals.

  • Information provided to users

The Report encourages the development of new means of communication to make the Terms of Use on websites more readable and understandable to users, for example by working on the design of such documents to make them easier and more accessible to all (e.g., by using “privacy icons”). Also, the Report recommends providing users with the necessary and essential elements of the Terms of Use at the time of collection of their consent.

  • Algorithms used to process Big Data

The Report observes that profiling of individuals can be done by combining different sets of data, without actually verifying an individual’s identity, which can cause unfair or unlawful discrimination. For this reason, the Report proposes to increase transparency by requiring web platforms to provide prior information to users about the algorithms they use for profiling purposes.

The announced “Digital Bill” is expected to contain important new measures on the future governance of the Internet. In particular, Manuel Valls did stress the importance of the right to self-determination and to the portability of data. The challenge for the French Government will be to introduce such measures without contradicting the upcoming Data Protection Regulation that was recently adopted by the EU Council of Ministers. The CNIL is expected to issue an opinion on the draft Digital Bill in the coming weeks.

This article was first published in the IAPP’s Privacy Tracker.

German monopoly commission advises not to regulate algorithms

Posted on June 5th, 2015 by

This week, the German Monopoly Commission has published its extraordinary opinion on digital markets. Particularly interesting: the Commission advised not to regulate algorithms – which seems to be an answer to a question nobody posed only at first glance.

The study, which is available in German here, looks at a broad scope of digital business models and markets. One thing that immediately sprang to my mind is a section about the need to regulate algorithms. The background is that the Commission sees the risk that search engine providers that also offer other services such as review websites, map services or price comparison tools, may prioritize their own services against third-party offerings.

First, the Monopoly Commission clearly advocates against an unbundling of such businesses, arguing that the impact of such an unbundling is severe, and the unbundling would also contravene the general goal of competition regulation to generate an incentive for innovation by accepting organic, internal growth.

Second, the Commission also denied the feasibility of an “algorithm” regulation, i.e. an agency that would look into an algorithm to determine whether it works “neutrally”. Here, the Commission states that the number of changes that a typical search engine provider implements each year would constitute an unreasonable effort. Further, given the complexity of those algorithms, the commission doubts that it would be possible to detect a bias at all.

In particular the last point is interesting. At first glance, it seems to be the answer to a question nobody posed, but we have occasionally seen requests for an “algorithm police” in the recent past, and a couple of weeks ago, when I asked Jan Philipp Albrecht, very well-known for being the rapporteur of the European Parliament for the EU’s General Data Protection Regulation as well as for the EU-US data protection framework agreement, he clearly spoke in favour of regulating algorithms. The fact the Monopoly Commission addressed this topic may thus be more than just a side note, and it seems that this debate has only started.