
Getting to know the General Data Protection Regulation, Part 3 – If you receive personal data from a third party, you may need to “re-think” your legal justification for processing it

Posted on November 13th, 2015 by

One of the most hotly debated issues of the new General Data Protection Regulation (GDPR) is that of consent. The controversy arises from the proposed stricter requirements for consent and reforms to the so called “legitimate interests” grounds.

While the “consent” and “legitimate interests” grounds are just two of a number of grounds for justifying the processing of personal data, they are the grounds that are most commonly relied upon for the purposes of the Directive. The proposals under the GDPR with regard to these data processing grounds could have serious practical implications for business.

What does the law require today?

At present, in order to validly obtain consent, businesses need to provide sufficient information to individuals about how and why they process their personal data and provide a mechanism whereby individuals can indicate their consent. In this sense, consent can be implied under the Directive and it is only in specific cases, such as the processing of sensitive personal data (i.e. data that can reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or data relating to the data subject’s health or sex life) that consent needs to be explicit.

The ‘legitimate interests’ condition provides grounds to process personal data in a situation where a business needs to do so for the purpose of its own legitimate interests or the legitimate interests of the third party to whom the information is disclosed. The legitimate interests of the business or the third party must be balanced against any prejudice to the rights and freedoms or legitimate interests of the individual whose data is being processed.

In a number of jurisdictions, including the UK, the “legitimate interests” condition provides a degree of data processing flexibility that might not otherwise exist. On the other hand, some DPAs have taken a more restrictive approach – for example, the Spanish data protection regulator considers that personal data should only be processed for the purposes it was collected, with very limited exceptions.

Nevertheless, the Directive offers a business-friendly approach that the legislators are now considering re-defining.

What will the General Data Protection Regulation require?

As regards consent, the Commission proposed (and the Parliament agreed) that consent should always be “explicit, freely given, specific and informed”. It also noted that consent should be obtained through a statement or “clear affirmative action”, that it could be withdrawn at any given time by the data subject, and that it would not be legally valid if there is “a significant imbalance between the position of data subject and the controller”.

The Commission’s and Parliament’s “explicit consent approach” is a radical change to that of the Directive, which only requires “explicit” consent to process sensitive data. On the other hand, the Council suggests that consent under the GDPR need not be “explicit” – it need only be “unambiguous”.

A requirement in GDPR for consent to be “explicit” (stated clearly and in detail) is very different to a requirement for it to be “unambiguous” (clear and cannot be understood wrongly). Whereas unambiguous consent would mean consent could still be implied, explicit consent would open the door to a world of never-ending tick boxes.

Additionally, and regardless of the type of consent that is finally agreed to be valid under the GDPR, the Parliament proposes that companies should be required to demonstrate that they have effectively obtained users’ consent – this proposal, if implemented, would impose a significant practical burden on businesses.

Given the likely difficulty of relying on consent, the possibility of relying on the “legitimate interests” ground will be crucial from a business perspective. However, it is unclear what form this condition will take in the final text of the GDPR.

On the one hand, the Commission and Parliament suggest individuals’ data can only be processed: (i) for a purpose to which they have consented; or (ii) for such legitimate interests of the controller or relevant third parties as individuals could reasonably expect.

On the other hand, the Council proposes a more business-orientated approach, which would allow controllers and processors alike to process data on the “legitimate interests” ground even for purposes that are incompatible with the original purposes of the processing, provided that the interests or the fundamental rights and freedoms of the individual are not overriding.

It remains to be seen what form the “legitimate interests” condition will ultimately take.

What are the practical implications?

If a business wishes to process personal data for purposes other than those for which it was collected (as specified in the relevant data protection notices), they will potentially have limited compliance options. If the approach of the Commission and Parliament is ultimately adopted, businesses that wish to undertake processing that is not compatible with the purpose for which the personal data has been collected will not be able to justify the processing by reference to the “legitimate interests” criterion.

Of course, there is the option of explicit consent, but that is likely to mean serious (and expensive!) re-engineering of data collection forms and online and mobile user interfaces, as well as a re-evaluation of terms and conditions, privacy policies etc. In some scenarios, consent may not be an option in any event, e.g. where there is a significant imbalance between the individual and the organisation that is collecting the personal data.

Given that consent is less likely to be an option for one reason or another, the proposed reforms present a serious difficulty for businesses since there are a number of scenarios in which businesses may wish to use personal data in a way that is not compatible with the purposes for which it was collected.

Further, the proposals may also give rise to legally and commercially complicated situations, for example, where the user does not consent to or withdraws his/her consent to the relevant data processing.

So, what can businesses do now?

  • Start auditing all their various uses of data;
  • Understand the grounds on which they collect and use data; and
  • Assess whether these grounds remain valid under the GDPR and, if not (or if those grounds become marginalised), have in place plans to transition to new grounds.

Weltimmo – The lesser-known decision of the Court of Justice of the European Union

Posted on October 21st, 2015 by

In all of the excitement surrounding the Schrems decision and its impact on Safe Harbor, it would be easy to miss the significance of the other decision of the Court of Justice of the European Union (“CJEU”) in Weltimmo – issued just days before the judgement in Schrems. Yet the Weltimmo judgement, in its own way, has the potential to significantly impact the way in which global organisations should be thinking about their data protection strategy in Europe.

In Weltimmo, the CJEU came to a number of game-changing conclusions in relation to the applicability of EU data protection law. In essence, the judgement opens the doors for individuals to beat a path to the door of their local DPA to complain about data protection law breaches, even if the organisations about which they are complaining claim to be established in another EU Member State.

Under the EU Data Protection Directive, if a business is ‘established’ in an EU Member State and is processing personal data in the context of that establishment, it will fall within the scope of the data protection law of that Member State. Up to now, businesses have interpreted this rule to mean that if they are headquartered in a particular EU Member State, they have to comply with the data protection laws of only that Member State. Many US multinationals have taken the approach of incorporating an entity in particular Member State (e.g. Ireland) and nominating this entity as the data controller for the purposes of EU data protection law.

My colleague Tim Van Canneyt has previously discussed how the nomination of a single data controller is under fire – see here. The decision in Weltimmo puts beyond doubt that companies should be re-thinking this strategy.

So what does the Weltimmo decision say? Key points are:

  • The concept of establishment must be interpreted broadly;
  • Currently, there is no ‘one-stop-shop’ principle – if a data controller is established on the territory of more than one Member State, each of the establishments must comply with applicable data protection law;
  • The legal form of such establishment (e.g. branch, subsidiary etc.) is not the determining factor;
  • The formalistic approach whereby organisations are considered to be established solely in the place in which they are registered is not the correct approach;
  • There is a 3-pronged test:
    1. Is there an exercise of real and effective activity – even a minimal one?
    2. Is the activity through stable arrangements?
    3. Is personal data processed in the context of the activity?

In determining whether the above test is met, the CJEU provides guidance on a number of factors to be taken into consideration. In particular, the context must be considered, i.e. the nature of the economic activities/services provided by a business. For an Internet business, the fact that the website is written in the language of a Member State (and, as a consequence, is mainly or directly targeted at that Member State) is a significant factor.

Crucially, the presence of only one representative in a Member State can, in some circumstances, suffice to meet the stable arrangement criterion – the role of the representative is relevant in this context, e.g. as a point of contact for data subjects and/or as a representative for the data controller in judicial and administrative proceedings. The opening of a bank account by the data controller in a particular Member State is also relevant. However, the nationality of the owners of the business should not be taken into account.

On the other hand, the CJEU decision turns very much on the facts – it is difficult to work out what weight to give to each of the relevant factors to be taken into consideration. For example, it is not clear whether physical presence is always required, e.g. whether it would be enough if, in the context of an Internet business, the business is targeting the citizens of a particular country on an ongoing basis via a website translated into the language of that country.

However, in view of the low threshold for determining whether a data controller is ‘established’ in a particular Member State – processing personal data in the context of the exercise of an activity, however minimal, and, depending on the circumstances, having just one representative – it is likely that many organisations headquartered in a particular Member State will need to revisit their European data protection strategy.

As per our recommendations here, businesses should put in place certain conditions and controls to support the contention that the nomination of a data controller in a particular Member State goes beyond a mere nomination “on paper”. However, as a result of Weltimmo, businesses should also look to other key EU Member State markets, e.g. where they are targeting the citizens of those Member States and/or have even a minimal presence, and consider the likely implications of being subject to the data protection laws of those Member States.

Getting to know the GDPR, Part 2 – Out-of-scope today, in scope in the future. What is caught?

Posted on October 20th, 2015 by

The GDPR expands the scope of application of EU data protection law requirements in two main respects:

  1. in addition to data “controllers” (i.e. persons who determine why and how personal data are processed), certain requirements will apply for the first time directly to data “processors” (i.e. persons who process personal data on behalf of a data controller); and
  2. by expanding the territorial scope of application of EU data protection law to capture not only the processing of personal data by a controller or a processor established in the EU, but also any processing of personal data of data subjects residing in the EU, where the processing relates to the offering of goods or services to them, or the monitoring of their behaviour.
The practical effect is that many organisations that were to date outside the scope of application of EU data protection law will now be directly subject to its requirements, for instance because they are EU-based processors or non EU-based controllers who target services to EU residents (e.g. through a website) or monitor their behaviour (e.g. through cookies). For such organisations, the GDPR will introduce a cultural change and there will be more distance to cover to get to a compliance-ready status.

What does the law require today?

The Directive

At present, the Data Protection Directive 95/46/EC (“Directive”) generally sets out direct statutory obligations for controllers, but not for processors. Processors are generally only subject to the obligations that the controller imposes on them by contract. By way of example, in a service provision scenario, say a cloud hosting service, the customer will typically be a controller and the service provider will be a processor.

Furthermore, at present the national data protection law of one or more EU Member States applies if:

  1. the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State. When the same controller is established on the territory of several Member States, each of these establishments should comply with the obligations laid down by the applicable national law (Article 4(1)(a)); or
  2. the controller is not established on EU territory and, for purposes of processing personal data makes use of equipment situated on the territory of a Member State (unless such equipment is used only for purposes of transit through the EU) (Article 4(1)(c)); or
  3. the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law (Article 4(1)(b)). Article 4(1)(b) has little practical significance in the commercial and business contexts and is therefore not further examined here. The GDPR sets out a similar rule.
CJEU case law

Two recent judgments of the Court of Justice of the European Union (“CJEU”) have introduced expansive interpretations of the meaning of “in the context of the activities” and “establishment”:

  1. In Google Spain, the CJEU held that “in the context of the activities” does not mean “carried out by”. The data processing activities by Google Inc are “inextricably linked” with Google Spain’s activities concerning the promotion, facilitation and sale of advertising space. Consequently, processing is carried out “in the context of the activities” of a controller’s branch or subsidiary when the latter is (i) intended to promote and sell ad space offered by the controller, and (ii) orientates its activity towards the inhabitants of that Member State.
  2. In Weltimmo, the CJEU held that the definition of “establishment” is flexible and departs from a formalistic approach that an “establishment” exists solely where a company is registered. The specific nature of the economic activities and the provision of services concerned must be taken into account, particularly where services are offered exclusively over the internet. The presence of only one representative, who acts with a sufficient degree of stability (even if the activity is minimal), coupled with websites that are mainly or entirely directed at that EU Member State suffice to trigger the application of that Member State’s law.
What will the GDPR require?

The GDPR will apply to the processing of personal data:

  1. in the context of the activities of an establishment of a controller or a processor in the EU; and
  2. of data subjects residing in the EU by a controller not established in the EU, where the processing activities are related to the offering of goods or services to them, or the monitoring of their behaviour in the EU.

It is irrelevant whether the actual data processing takes place within the EU or not.

As far as the substantive requirements are concerned, compared to the Directive, the GDPR introduces:

  1. new obligations and higher expectations of compliance for controllers, for instance around transparency, consent, accountability, privacy by design, privacy by default, data protection impact assessments, data breach notification, new rights of data subjects, engaging data processors and data processing agreements;
  2. for the first time, direct statutory obligations for processors, for instance around accountability, engaging sub-processors, data security and data breach notification; and
  3. severe sanctions for compliance failures.
What are the practical implications?

Controllers who are established in the EU are already caught by EU data protection law, and will therefore not be materially affected by the broader scope of application of the GDPR. For such controllers, the major change is the new substantive requirements they need to comply with.

Processors (such as technology vendors or other service providers) established in the EU will be subject to the GDPR’s direct statutory obligations for processors, as opposed to just the obligations imposed on them by contract by the controller. Such processors will need to understand their statutory obligations and take the necessary steps to comply. This is a major “cultural” change.

Perhaps the biggest change is that controllers who are not established in the EU but collect and process data on EU residents through websites, cookies and other remote activities are likely to be caught by the scope of the GDPR. E-commerce providers, online behavioural advertising networks, analytics companies that process personal data are all likely to be caught by the scope of application of the GDPR.

We still have at least 2 years before the GDPR comes into force. This may sound like a long time, but given the breadth and depth of change in the substantive requirements, it isn’t really! A lot of fact finding, careful thinking, planning and operational implementation will be required to be GDPR ready in 24 months.

So what should you be doing now?

  1. If you are a controller established in the EU, prepare your plan for transitioning to compliance with the GDPR.
  2. If you are a controller not established in the EU, assess whether your online activities amount to offering goods or services to, or monitoring the behaviour of, EU residents. If so, assess the level of awareness of / readiness for compliance with EU data protection law and create a road map for transitioning to compliance with the GDPR. You may need to appoint a representative in the EU.
  3. Assess whether any of your EU-based group companies act as processors. If so, assess the level of awareness of / readiness for compliance with EU data protection law and create a road map for transitioning to compliance with the GDPR.
  4. If you are a multinational business with EU and non-EU affiliates which will or may be caught by the GDPR, you will also need to consider intra-group relationships, how you position your group companies and how you structure your intra-group data transfers.

Debunking EU Data Protection Reform

Posted on September 24th, 2015 by

Europe’s proposed General Data Protection Regulation remains subject to some significant negotiation and is unlikely to come into force until 2017 – 2018. Any business using personal data should start considering the future rules and what they are likely to mean in practice, not least as there are potentially some significant changes. The overall intent is to update the existing laws and to introduce greater harmonisation across EU Member States. As you would expect, the Fieldfisher Privacy, Security and Information team is monitoring the progress of the legislative changes. Whilst we are cautious about recommending any significant preparatory steps until the exact make-up of the final rules is better understood (hopefully during the early part of 2016), businesses should be aware of the potential impact of the proposed Regulation.

Click here for our “infographic” on debunking EU Data Protection Reform. We have set out 10 things that we think that you should know and will be running a blog series over the next weeks and months dealing with each of these areas in further detail.

Look out for our first blog by my colleague Phil Lee next week: “The pool of data which is potentially personal gets deeper”.

As John F. Kennedy put it: “Change is the law of life. And those who only look to the past or present are certain to miss the future.”

German DPA takes on Facebook again

Posted on July 31st, 2015 by

The DPA of Hamburg has done it again and picked up a new fight against mighty US giant Facebook. This time, the DPA was not amused about Facebook’s attempt to enforce its real name policy, and issued an administrative order against Facebook Ireland Ltd.

The order is meant to force Facebook to accept aliased user names, to revoke the suspension of user accounts that had been registered under an alias, to stop Facebook from unilaterally changing alias user names to real user names, and to stop requesting copies of official ID documents. It is based on Sec. 13 (6) German Telemedia Act, which requires service providers like Facebook to offer access to their services anonymously or under an alias, and also a provision of the German Personal ID Act which arguably prohibits requesting copies of official ID documents.

Despite this regulation, Facebook’s terms of use oblige users to use their real name in Germany, too. Early this year, Facebook started to enforce this policy more actively and suspended user accounts that were registered under an alias. The company also requested users to submit copies of official ID documents. It also sent messages to users asking them to confirm that “friends” on the network used their real name. In a press statement, Mr Caspar, head of the Hamburg DPA, said: “As already became apparent in numerous other complaints, this case shows in an exemplary way that the network [Facebook] attempts to enforce its so-called real name obligation with all its powers. In doing so, it does not show any respect for national law.”

“This exit has been closed”

Whether Facebook is at all subject to German law has been heavily disputed. While the Higher Administrative Court of the German state of Schleswig-Holstein ruled that Facebook Ireland Limited, as a service provider located in an EU member state, benefits from the country-of-origin principle laid down in Directive 95/46/EC, the Regional Court of Berlin came to the opposite conclusion: it held that Facebook Inc., rather than Facebook Ireland Ltd, would be the data controller, as the actual decisions about the scope, extent and purpose of the processing of data would be made in the US. The court also dismissed the argument that Facebook Ireland acts as a data controller under a data controller-processor agreement with Facebook Inc., as it ruled that the corporate domination agreement between Facebook Inc. and Facebook Ireland prevails over the stipulations of the data controller-processor agreement. As Facebook has a sales and marketing subsidiary in Hamburg, the Hamburg DPA now believes it has tailwind, due to the ECJ ruling in the Google Spain case, to establish the applicability of German law: “This exit has been closed by the ECJ with its jurisdiction on the Google search engine. Facebook is commercially active in Germany through its establishment in Hamburg. Who operates on our playing field must play by our rules.”

While previous activities of German DPAs against Facebook were aimed at legal issues that did not really agitate German users, such as the admissibility of the “like” button, the enforcement of the real name policy upset German users in large numbers, and many users announced that they would turn their backs on the network. The issue also saw a lot of press coverage in national media, mostly strongly critical of Facebook.

5 Practical Steps to help companies comply with the E-Privacy Directive (yes, it’s cookies again!)

Posted on July 13th, 2015 by

This month (July 2015), the IAB Europe published new Guidance titled “5 Practical Steps to help companies comply with the E-Privacy Directive”. These 5 sensible steps in the document are aimed at brand advertisers, publishers and advertising businesses. The EU’s cookie compliance rules were remodelled as far back as 2009, when a broader set of telecommunications rules updated the e-Privacy Directive. There has been no change since, so this Guidance has not been prompted by any regulatory change or significant shift in the compliance landscape. It does, however, serve as a useful practical reminder to anyone considering or revisiting their compliance strategy.

The context and Article 5.3

The advice in the Guidance centres around that now familiar extract from the e-Privacy Directive, Article 5.3. This of course requires you to obtain prior informed consent for the storage of, or access to, information stored on a user’s terminal equipment.

The Guidance rightly acknowledges that there are differences in both the national implementations of this rule and the related regulatory guidance from Member State to Member State. Therein lies the rub, as many are seeking a “one-size-fits-all” approach for Europe. Often criticised, the law requires you to get consent, but doesn’t actually say how. These 5 steps from the IAB delve into the “how” and may assist you.

The 5 recommended steps in the Guidance

At a high-level the Guidance makes the following practical observations:

  1. Monitor and assess your digital property – know your properties, their technology, and what data they collect. Regularly audit these to understand the data collected and how it is used. Be particularly cautious when using partners who are collecting data on your properties.
  2. Be clear and transparent in how you present information to consumers – use plain and easy-to-understand language and don’t mislead. Consider a layered approach and, where appropriate, use helpful websites (eg like or to convey messages about how and why your property deploys its technologies (and for what purposes).
  3. Make things prominent – ensuring your privacy property is available and distinguishable. There are some short tips around ways you could go about this.
  4. Context is king! – the Guidance suggests you consider ways to achieve consent in a contextual way. Rightly, this step suggests “that the key point is that you must gain consent by giving the user specific information about what they are agreeing to and providing them with a way to indicate their acceptance.” Fieldfisher reminds you that there are a number of mechanisms (express and implied) by which you may achieve this, and the Guidance suggests a few of the available approaches in this step.
  5. Consider joining the EU industry programme to provide greater contextual transparency and control to consumers over customised digital advertising – “why not?” we say, as this is another tactic for staying in touch and demonstrating commitments. This step highlights the benefits of to behavioural advertisers and the “icon” initiative and transparency mechanisms available via

The so what?

The e-Privacy Directive and the EU cookie compliance issues associated with it have been alive and well for years now. We’ve frequently updated readers on the enforcement issues, sweep days and other stories where cookie compliance comes to the fore. It’s not entirely clear what prompted this “best practice” advice and steps from the IAB, but the short document is practical and insightful, whether you’re new to cookie compliance or revisiting your compliance approach.

As other members of the team have recently blogged, the CNIL recently issued a press release stating that, following its online cookies audits conducted last October (see our previous blog article), it has sent out a formal letter of enforcement (“lettre de mise en demeure”) to approximately 20 companies requesting them to comply with the cookie rules in France. Cookie compliance needs are not going away, nor are they particularly difficult for most online properties. What’s more, when looking at your peers, there’s no doubt that a level of compliance and transparency is fairly prevalent across EU and EU-facing websites today.

What now?

So how should you deal with cookies? Well, the steps in this Guidance give you a great practical head start. Cookie compliance and the approach to compliance have been market-led since the outset. When asked what “good” looks like, even among the regulators the thinking went that the online industry was better placed to innovate creative and unobtrusive ways to get consent than lawyers, regulators and legislative draftsmen. That’s where bodies like the IAB Europe have played a central role and, by aligning your own practices with the pack, you are rarely in a bad place in the world of cookie compliance.


Mark Webber, Partner – Digital Regulation and Technology (Silicon Valley)


France’s Ambition for the Future of the Digital Economy

Posted on June 24th, 2015 by

On June 18th, the French National Digital Council (“Conseil National du Numérique” or “CNN”) released a Report entitled “Digital Ambition: a French and European policy for a digital transition” containing 70 proposals for the future of the digital economy in France and Europe. The Report follows a nation-wide consultation of the major stakeholders which has also sparked a debate on various issues relating to the digital economy, such as how to regulate digital platforms and how to boost the competitiveness of French start-up companies.

The Report was officially presented to the public in the presence of Manuel Valls, the French Prime Minister, Emmanuel Macron, Minister for the Economy, Industry and the Digital Economy, and Axelle Lemaire, State Secretary for Digital Affairs. During the press conference, Manuel Valls announced that his Government has already prepared and will introduce a “Digital Bill” before the French National Assembly in the fall, aimed at regulating the use of the Internet, as well as stimulating innovation and fostering growth in the digital economy. The competent public authorities, such as the French Data Protection Authority (“CNIL”), will be consulted beforehand on the draft Bill.

The 70 proposals in the Report are structured around four main topics, namely: 1) Fairness and freedom in a shared digital environment; 2) Re-defining public action in the digital sphere: openness, innovation, participation; 3) Boosting the French economy: towards an economy of innovation; and 4) Solidarity, equality, emancipation: the stakes of a digital economy.

Below is a selection of some of the key proposals in the field of data protection that can be found in the Report:

  • The right to self-determination of data

The Report recommends creating a fundamental right to self-determination of data, a concept directly inspired from German law, based on a decision of the German Constitutional Court of 1983, which recognized the individual’s right to decide on the communication and use of one’s personal data.

The CNN acknowledges the progress made in the upcoming General Data Protection Regulation (see my previous article on the topic) and calls for the adoption of a broad definition of “personal data”, consent of the individual for secondary uses of his/her data, and a reinforced control of the individual over his data (including over the disclosure of data).

  • The right to the portability of data

The right to portability is viewed as an extension of the right to self-determination, enabling the individual to transfer and re-use his/her data across various services. This could be done, for example, by encouraging the development of PIMS (“Personal Information Management Systems”) that would allow individuals to store their data where they wish and to control how their data is disclosed to third parties.

  • Criteria applicable to the de-listing of data

The Report suggests creating a legal framework (by way of either a European Regulation or a national law) for user requests to de-list their personal data based on a set of criteria that are defined by the national data protection authorities, not search engines. The Report specifically refers here to the guidelines set out by the Article 29 Working Party in its analysis of the Mario Costeja Gonzales case adopted in November 2014 (see our previous article) and considers that these guidelines should apply to search engines.

  • Secondary uses of personal data

The Report considers that individuals are insufficiently informed about the disclosures of their personal data by the initial data controller to third parties (such as business partners). To increase transparency, the Report recommends imposing on the initial data controller an obligation to inform the data subjects clearly about the selling or disclosure of their data to third parties (including the names of such parties) and to allow the data subject to opt out from the disclosure of their data to third parties, at any time, regardless of the opt-in or opt-out provided to the initial data controller.

  • Data protection class actions

The Report supports the idea of creating a class action for violations of data protection legislation that would be brought before the first instance courts by consumer protection associations.

  • Fairness of web platforms

The Report underlines an unfair balance between web platforms and their users, due to the lack of transparency regarding the use of Big Data, the difficulties for users to migrate from one platform to another, or the excessive cost of services on some platforms. To remedy this situation, the Report proposes to create a principle of fairness that would require web platforms to conduct their business in good faith and in a transparent manner, for example, with regard to the collection, processing and restitution of personal data. The principle of fairness would apply to web platforms in their relations with consumers and professionals.

  • Information provided to users

The Report encourages the development of new means of communication to make the Terms of Use on websites more readable and understandable to users, for example by working on the design of such documents to make them easier and more accessible to all (e.g., by using “privacy icons”). Also, the Report recommends providing users with the necessary and essential elements of the Terms of Use at the time of collection of their consent.

  • Algorithms used to process Big Data

The Report observes that profiling of individuals can be done by combining different sets of data, without actually verifying an individual’s identity, which can cause unfair or unlawful discrimination. For this reason, the Report proposes to increase transparency by requiring web platforms to provide prior information to users about the algorithms they use for profiling purposes.

The announced “Digital Bill” is expected to contain important new measures on the future governance of the Internet. In particular, Manuel Valls did stress the importance of the right to self-determination and to the portability of data. The challenge for the French Government will be to introduce such measures without contradicting the upcoming Data Protection Regulation that was recently adopted by the EU Council of Ministers. The CNIL is expected to issue an opinion on the draft Digital Bill in the coming weeks.

This article was first published in the IAPP’s Privacy Tracker.

German monopoly commission advises not to regulate algorithms

Posted on June 5th, 2015 by

This week, the German Monopoly Commission published its extraordinary opinion on digital markets. Particularly interesting: the Commission advised not to regulate algorithms – which only at first glance seems to be an answer to a question nobody posed.

The study, which is available in German here, looks at a broad scope of digital business models and markets. One thing that immediately sprang to my mind is a section about the need to regulate algorithms. The background is that the Commission sees the risk that search engine providers that also offer other services, such as review websites, map services or price comparison tools, may prioritize their own services over third-party offerings.

First, the Monopoly Commission clearly advocates against an unbundling of such businesses, arguing that the impact of such an unbundling is severe, and the unbundling would also contravene the general goal of competition regulation to generate an incentive for innovation by accepting organic, internal growth.

Second, the Commission also denied the feasibility of an “algorithm” regulation, i.e. an agency that would look into an algorithm to determine whether it works “neutrally”. Here, the Commission states that the number of changes that a typical search engine provider implements each year would make such a review an unreasonable effort. Further, given the complexity of those algorithms, the Commission doubts that it would be possible to detect a bias at all.

In particular, the last point is interesting. At first glance, it seems to be the answer to a question nobody posed, but we have occasionally seen requests for an “algorithm police” in the recent past, and a couple of weeks ago, when I asked Jan Philipp Albrecht, very well known for being the rapporteur of the European Parliament for the EU’s General Data Protection Regulation as well as for the EU-US data protection framework agreement, he clearly spoke in favour of regulating algorithms. The fact that the Monopoly Commission addressed this topic may thus be more than just a side note, and it seems that this debate has only started.

CNIL unveils its 2015 inspections plan. Are you ready for what’s coming?

Posted on May 26th, 2015 by

In 2014, I warned about the French data protection authority (“CNIL”) being a regulator to watch. One year down the road, CNIL has not failed to deliver. A few weeks ago, CNIL released its Annual Activity Report for 2014 revealing that in the past year it had conducted 421 inspections (including 58 online audits), issued 62 enforcement notices and pronounced 18 sanctions. As the current chair of the Article 29 Working Party, CNIL continues to play an active role on the European and international scene on topics such as the General Data Protection Regulation, the on-going discussions between the US and EU on Safe Harbor and the recent online sweeps organized by GPEN.

What are the CNIL’s top priorities?

The CNIL intends to conduct 550 inspections divided between 350 on-site or off-site inspections and 200 online audits. Specifically, CNIL will prioritize its actions in the following key sectors:

  • Ecommerce: following its guidance on the processing of bank card details, CNIL will now focus on contactless payment cards (i.e., bank cards that have an integrated chip and enable cardholders to make wireless payments via “near field communication” or “NFC” technology). In particular, CNIL will verify whether adequate security measures are designed around the use of such cards and whether the financial institutions that offer these types of cards inform their customers and enable them to object to using these cards (e.g., by deactivating the integrated chip or by ordering a traditional card that is not compatible with the “NFC” technology). CNIL is also preparing for the next evolution of entirely digitalized payments by smartphone.
  • Employee privacy in the workplace: Employee privacy continues to be high on the CNIL’s agenda due to the rising number of employees who file complaints with the CNIL each year. In particular, CNIL will inspect private and public organizations who have recently conducted surveys on social-psychological risks for employees.
  • mHealth: Following the Article 29 Working Party’s opinion on mobile apps and its letter to the European Commission on the meaning of “health data” in the context of mobile apps and devices (see our previous blog), CNIL will audit interconnected objects and online services in the area of health and well-being to verify (amongst other things) whether users are provided with notice and their consent is obtained.
  • Public sector: With the French Parliament currently debating a new law to broaden the online investigation powers of the French law enforcement and national security agencies, CNIL will continue to monitor the compliance of public sector databases with the Data Protection Act. This time, CNIL will focus on the National Register for Drivers’ Licenses (“Fichier National des Permis de Conduire“) held by the Ministry of Interior, which centralises all the data about registered drivers, including fines and traffic felonies.
  • Public Wi-Fi connections: Another growing area that is receiving particular attention is publicly available Wi-Fi hotspots (such as those available in department stores, train stations or airports), which capture data transmitted by a user’s mobile phone (e.g., type of device, MAC address, location data) that is increasingly used to track users, to send them advertisements or offers, or to analyse their behaviour.
  • Binding Corporate Rules: Last but not least, CNIL has announced its intention to begin enforcing against companies with BCR. Since their introduction in 2003, approximately 60 organizations have had their BCR approved, but so far no enforcement measures have been taken against BCR. However, a few months ago, the lead DPAs across Europe started contacting organizations with a view to verifying and completing the information about their BCR that is posted on the European Commission’s website, thus implying that this grace period is over. The things CNIL could verify are, for example, whether a BCR policy is easily accessible on the organization’s website and whether companies have implemented the internal measures that are required for BCR compliance.

What are the CNIL’s enforcement powers?

The CNIL can carry out four types of enforcement actions, namely:

  • On-site control: the CNIL may access the buildings and premises used to process personal data, inspect the data processing applications and databases;
  • Off-site control: the CNIL may organize a hearing in its offices and require the data controller or its data protection officer to provide explanations;
  • Long distance control: the CNIL may communicate with the data controller by postal mail or email and, for example, may conduct routine surveys; and
  • On-line inspections: CNIL may conduct on-line inspections of personal data that is available on websites or mobile apps.

What sanctions can the CNIL pronounce?

If the CNIL finds that a company has failed to comply with the Data Protection Act, it can either pronounce a warning or issue a formal notice to comply within a given deadline. If the controller fails to comply with the notice served, the CNIL may then pronounce a fine up to EUR 150,000 (or EUR 300,000 in the event of a second breach within five years or 5% of the company’s gross revenue for legal entities) or an injunction to cease the processing.

Are you prepared for a CNIL inspection?

In recent years, I have assisted many companies to comply with CNIL inspections. Too often, companies are caught by surprise when the CNIL comes knocking on their door unannounced because they haven’t put in place any internal process for handling this kind of situation. As with any regulator, the dealings with the CNIL require a minimum amount of awareness and preparation.

While a CNIL inspection does not necessarily end with the CNIL pronouncing a fine or sanction against the company, inevitably this does have a disruptive effect for the company being investigated because it reveals the flaws that this company may have with regard to privacy compliance. Therefore, companies are in a better position if they tackle privacy issues at an early stage, rather than to leave it for later and risk having to fire-fight their way through a CNIL inspection.


By Olivier Proust, Of Counsel (

The Belgian Facebook Recommendation: How the Nomination of a Single EU Data Controller is Under Fire

Posted on May 20th, 2015 by

Last week, the Belgian Privacy Commission published (a first part of) its much anticipated recommendation following its investigation into Facebook’s data processing activities.

For the data protection community, the most interesting part of this recommendation is not the assessment of Facebook’s compliance. The real importance concerns the regulatory interpretation of the EU Data Protection Directive’s applicable law principles, a topic that is of particular importance to all non-EU headquartered companies that process personal data in the EU.

Recap of the applicable law principle

To determine whether EU data protection law applies at all and, if so, which EU Member State’s data protection law(s), article 4 of Directive 95/46/EC sets out a twofold test:

  • Step 1 – The establishment test: If the data controller processes personal data in the context of the activities of an “establishment” (i.e. a subsidiary or a branch office) on the territory of a Member State, only the data protection laws of that Member State will apply (article 4.1.a). This is the case even if the personal data in question is collected from individuals resident in other EU Member States;
  • Step 2 – The equipment test: If the data controller does not have such an establishment on the territory of a Member State, but it uses “equipment” to process personal data situated in the territory of one or more Member States, the data protection laws of those Member States will apply (article 4.1.c).

At first sight these rules seem quite straightforward. However, over recent years, it has become more and more difficult to apply them to the reality of multinational corporations that have their headquarters outside the EU and that have incorporated a number of subsidiaries or branches in one or more Member States.

The crux of the problem is to determine which entity in a multinational group qualifies as the “data controller” for European data protection compliance purposes. For many years, a lot of US multinationals have taken the approach of incorporating an affiliate in a tax-friendly Member State (such as Ireland, Luxembourg or the Netherlands), indicating that this affiliate qualified as data controller for the purpose of their processing activities in Europe.

As a result of creating this EU “establishment” and then applying the Establishment Test described above, their processing activities were subject to the data protection laws of only that particular Member State, and they were only subject to the regulatory scrutiny of that Member State’s regulator.

First attempts by Member States to circumvent this principle

This evolution has been ill-received by many civil rights activists and regulators based in Member States due to concerns that multinational businesses may be exploiting the Establishment Test for forum shopping purposes (On this topic, see my colleague Phil Lee’s recent blog post).

In more recent times, some data protection authorities and national courts have therefore refused to recognize multinationals’ nominated EU data controlling subsidiaries and sought to apply the Equipment Test instead so as to find their national law applicable.

In 2013, two German courts for instance ruled that Apple and Google had to comply with German data protection law, rejecting their argument that German law did not apply. Last year, the High Court of Berlin came to the same conclusion in a case against Facebook and disregarded Facebook’s argument that Facebook Ireland qualified as its EU data controller and therefore, under the Establishment Test, it should only comply with Irish data protection laws.

The Belgian Privacy Commission’s Facebook recommendation

In its recent recommendation, the Privacy Commission has taken a similar approach to justify that Belgian data protection law applies.

Almost half of the recommendation is used to justify why Facebook is subject to Belgian law. The Privacy Commission’s arguments can be summarized as follows.

  • Facebook, Inc. and not Facebook Ireland is the data controller

On the basis of a detailed factual analysis, the Privacy Commission firstly concludes that Facebook Ireland cannot qualify as a data controller because it “does not appear to be able to take independent decisions when it comes to determining the purpose and the resources relating to the processing of the personal data of Belgian citizens”.

In this regard, the Privacy Commission attaches a lot of importance to the fact that the new privacy policy, which kicked off the investigation in the first place, has been rolled out globally, without a specific version issued by Facebook Ireland that was adapted for the EU market. Another element that was relied upon is the fact that the privacy policy did not refer to the term “personal data” but rather to the more generic/US-inspired terms “data” and “personal information” – though quite why these terms should be relevant to an assessment of an entity’s controllership (or lack of it) is far from clear.

For those reasons, the Privacy Commission takes the view that Facebook, Inc., with its registered office in the US, has to be considered the sole data controller.

  • Facebook Belgium qualifies as an establishment in the sense of article 4.1.a of Directive 95/46/EC

Having concluded that Facebook, Inc. qualifies as data controller, the Privacy Commission then goes on to examine the role of Facebook Belgium.

Facebook Belgium is a subsidiary of Facebook, Inc. whose corporate purpose is reportedly limited to public policy and legislative and regulatory outreach activities and is not involved in any commercial activity as such.

However, applying the principles of the ECJ’s Costeja “Right to be Forgotten” judgment (C‑131/12 – see also our blog post on this decision), the Privacy Commission concluded that Facebook Belgium is an establishment of Facebook, Inc. because it considered these activities to be “inextricably linked” to Facebook, Inc.’s activities – the first reported instance of the Right to be Forgotten judgment being applied by a local regulator to submit another major US-led multinational to a Member State’s local data protection laws.

  • Alternatively, Facebook Inc. uses equipment on the Belgian territory

The recommendation then goes on by stating that even if Facebook Belgium (or any other Facebook affiliate in the EU for that matter) does not qualify as an establishment in the context of which Facebook, Inc. processes personal data, then Facebook, Inc. is still subject to the Belgian data protection laws by virtue of the Equipment Test due to its use of cookies and other tracking technologies served on Belgian residents’ devices.

Practical implications for other businesses

Until today, like many multinational businesses, Facebook has consistently maintained that it is only subject to Irish data protection law by virtue of having an Irish data controller. With the Privacy Commission now threatening to initiate legal proceedings, it will be interesting to see how this matter evolves.

In the meantime, a few general conclusions can already be drawn:

First, the criticism around forum shopping is ever increasing. The lack of a harmonised enforcement approach in the EU, and the perception (rightly or wrongly) that certain DPAs have been too lenient has resulted in a situation in which many national data protection authorities are trying to protect their citizens by applying their own national law, regardless of the principles laid down in article 4 of Directive 95/46/EC.

Second, non-EU-based businesses should therefore carefully consider how they want to respond to this risk when approaching their EU data protection compliance. Naturally, any business wants to avoid the legal uncertainty and risk that arises from potentially having to comply with the laws of the 28 Member States.

While it therefore makes sense to create an EU subsidiary to fulfil a data controller role, it is not sufficient to simply “nominate” one on paper. Businesses must put in place the conditions and controls that allow this EU subsidiary to really act as data controller in the field. This implies devolved decision-making autonomy to the EU subsidiary and (if necessary) arm’s length subcontracting back of carefully monitored and controlled data processing activities to the non-EU parent. Similarly, the EU subsidiary needs to play an active role in designing and implementing the business’s data protection policies to ensure they reflect EU compliance requirements.

Additional measures might include appointing a data protection officer within the EU subsidiary, accountable for ensuring the business’s compliance with EU data protection law. Similarly, training programs run within the EU subsidiary that ensure local staff are aware of their data protection responsibilities, and internal audit programs intended to monitor the EU subsidiary’s compliance with EU data protection requirements (including in respect of any activities it subcontracts back to its parent) will also be valuable steps to take.

In the absence of such factual control by the EU subsidiary, businesses risk being caught in a situation where they must comply with the data protection laws of potentially all Member States in which they have affiliates, customers or even just cookies. And that would bring them back to square one.

This article was first published in the IAPP’s Privacy Tracker.