
World Data Protection Report

Publishing Director: Deborah Hicks
Editors: Jacqueline Gazey and Nicola McKilligan
Commissioning Editor: Shelley Malhotra
Production Manager: Nitesh Vaghadia
Editorial Director: Joel Kolko


World Data Protection Report is published monthly by BNA International Inc., a subsidiary of The Bureau of National Affairs, Inc., Washington, D.C., U.S.A. ISSN 1473-3579.

For May's edition we report on yet another very interesting month in the world of data protection, particularly for our Italian readers who might be amongst the unfortunate majority of Italian citizens who had their salary details deliberately published on the web by the departing Italian Government!

In this edition we carry a full update on the international data privacy news and special reports on behavioural advertising and employee monitoring amongst others.

In April we also welcomed a new member to our editorial team. Shelley Malhotra joins us as Commissioning Editor and is largely responsible for this month's bumper edition. Shelley will play a vital role in selecting articles which continue to keep you up to date.

As ever we hope you enjoy this edition.

Nicola and Jackie



Legislation and Guidance

Europe

Long awaited opinion on the use of search engines

By Patrick Van Eecke, Andrew Dyson and Maarten Truyens

The authors are lawyers in the Technology, Media and Commercial department of law firm DLA Piper. Dr. Patrick Van Eecke also teaches at the University of Antwerp, King's College, London and Queen Mary, University of London. Reach them at [email protected], [email protected] and [email protected].

Online privacy and search engines

On April 4, 2008, the Article 29 Working Party, the E.U. advisory body on data protection, issued its opinion on data protection matters arising from the use of Internet search engines, such as those operated by Yahoo, Google and Microsoft. The opinion was long-anticipated, as both the Working Party and the E.U. parliament have been openly investigating the data protection implications of search engines in recent years. While many parts of the opinion restate principles that were set out in previous opinions, several new insights are provided which are helpful in understanding the relationship between search engines and E.U. data protection legislation.

Applicability of E.U. data protection legislation

The Working Party considered the extent to which the E.U. Data Protection Directive (95/46/EC) and E.U. Data Retention Directive (2006/24/EC) apply to companies operating Internet search engines.

In their opinion, almost all search engine operators, whether established in the E.U. or overseas, will be subject to regulation under the Data Protection Directive. This is because the Directive applies not just to entities that process personal data in the context of a permanent establishment in the E.U. (e.g., by selling targeted advertising to E.U. residents), but also to companies that make use of equipment situated within the E.U.

The concept of "making use of equipment" is interpreted broadly, and will include the mere act of instructing an Internet browser on a user's PC to store a cookie. On this basis, any search engine used by an individual within the E.U. is capable of falling within the scope of the Data Protection Directive, irrespective of whether the operator has a formal establishment or data centre in the E.U. This has potentially far-reaching jurisdictional consequences for search engines based outside the E.U.

The Working Party adopts a narrower view of the applicability of the Data Retention Directive. This Directive imposes obligations on Internet service providers (ISPs) and telecom companies to store traffic data. Google had previously argued that its business was subject to the Directive and that it was therefore legitimate for it to store extensive personal data about its customers. The Working Party clearly rejects this view, stating that E.U. legislation does not require search engines to store traffic data about their users.

Types of personal data being processed

There has been much debate recently about the scope of information regulated by the Data Protection Directive within the definition of "personal data".

A lot of the information that search engine operators process from individuals carrying out searches has limited obvious relationship to identifiable individuals, for example server log files (including actual search queries from users), IP addresses of users and cookies. The Working Party is clear that most of this data will amount to "personal data" and should be managed in compliance with the Data Protection Directive.

Personal data in the cache and index

Search engine operators may also find that they are regularly processing personal data when undertaking an index of website contents which contain personal information. The Working Party has confirmed that they will not be regarded as responsible for control of the data. That will be left to the owner of the relevant website.

Search engines will however be responsible for personal data contained in any search results generated for users (i.e. the list of websites they return as a result of a search operation). These should be managed in compliance with the Directive, which means (at least in theory) that individual data subjects have the right to ask search engine operators to update or delete personal data. It is not clear whether the Working Party would require search engines to comply with such requests, which would certainly be interesting for individuals who want to minimise the harm caused by websites containing adverse information about them.

The search engine operator is also likely to be responsible for any personal data retained in copies of a website as a result of data 'caching'. Caching is a common method used to speed up the indexing process and to allow users to access content when the original website is unavailable. According to the Working Party, the search engine operator will become a controller of personal data in cached websites where their retention of the cache extends beyond keeping an up-to-date copy of the underlying website. Thus, for example, if a copy of a website held in a cache by a search engine operator does not capture recent changes to the original website (e.g., to remove incorrect personal data), the operator will become the controller of that personal data. The Working Party suggests that they should immediately comply with any requests to update (or temporarily block) the cached copy until the website has been revisited by the search engine, and develop measures to automatically inform search engines of any request they receive themselves to delete personal data. It is difficult to envisage how these arrangements will be implemented in practice.

Lawfulness of personal data processing

The opinion also provides an in-depth discussion of the legal grounds that can be invoked to justify the processing of personal data by search engines. The grounds which are anticipated as being most relevant to justify lawful processing are: (1) prior consent of the data subject; (2) necessity to execute a contract with the data subject; or (3) legitimate interest of the search engine. Although the prior consent and necessity to execute a contract (grounds 1 and 2) are the most solid legal grounds to justify processing, the Working Party notes that they are unlikely to be relevant other than in the exceptional circumstances where personal data are provided by registered users of search engines.

In most cases, the legitimacy of data processing operations undertaken by search engines will have to be based on the third ground (legitimate interest). This inevitably involves a trade-off between the interests of the search engine and the rights of the data subjects concerned. In the context of the main purposes for which search engines process personal data (for example, service improvements, system security, fraud prevention, accounting, personal advertising and law enforcement requests), the Working Party clearly explains that it is important to ensure that the amount and extent of the personal data being processed in each case is limited as far as possible to the needs of the relevant purpose.

Applying this test, the Working Party rejects the idea that it is justifiable to retain personal data for the purpose of service improvement. In its view, most service improvement activity can be undertaken effectively by analysing anonymised data.

Similarly, the Working Party rejects the idea that personal data needs to be stored to allow search engines to comply with law enforcement requests. While search engine operators must obviously comply with such requests, these requests cannot be used in advance as a reason to store large quantities of personal data. On the contrary: according to the Working Party, storing large amounts of personal data may trigger law enforcement authorities to submit even more access requests.

Enrichment of user profiles

The Working Party also considers a new variety of search engines which build profiles of individuals by combining information from a variety of other websites ('people search engines'). The Working Party is cautious about the legality of these engines and suggests that consent of the relevant individuals is likely to be required before storing such information.

Similar principles govern the increasing use of data 'enrichment' techniques. This is where an individual's personal profile is enhanced with data gathered from third party sources (including correlation of data obtained through a search engine's related services, aggregation with third party data, or the use of advanced technologies such as facial recognition in photos). The Working Party is critical of the privacy risk created by these techniques and recommends that they should only be carried out with the prior consent of the individuals concerned.

Retention periods

As a basic principle of E.U. data protection legislation, personal data should not be stored longer than necessary for the specific purpose for which it is being processed. After this period, it should be deleted or irreversibly anonymised. Although Google already reduced its retention periods from 24 to 18 months in order to mitigate the concerns of the Working Party, the Working Party now considers that the retention period should not generally amount to more than six months (unless national legislation from an E.U. Member State would be even more strict). If search engine operators would like to retain personal data longer than six months, they must demonstrate comprehensively that such a retention period is strictly necessary.

In the same vein, the lifetime of browser cookies should be limited as much as possible (previously, some search engines used lifetimes of up to 30 years), and users should be transparently informed about these cookies.

Anonymisation

The Working Party remains concerned that certain anonymisation techniques (such as truncation of the last octet of an Internet Protocol (IP) address: 10.37.129.XXX, or using unique identifiers instead of usernames) may still allow the identification of individuals. Further, log anonymisation or deletion must also be applied retroactively and encompass all of the relevant search engine's logs worldwide.

Informing users

Finally, the Working Party stresses the need to inform users about all relevant aspects of the data processing. Interestingly, the Working Party claims that standard website privacy policies may not be sufficient: a basic description of the use of personal data should be provided whenever it is collected, even when a more detailed description is provided elsewhere (such as in the privacy policy). This applies particularly for browser cookies, for which search engines must provide information about the purpose of the cookies, and how the cookies can be accessed, edited and deleted. Also, the information about the data retention period chosen by search engine providers should be easily accessible from their homepage.

Europe

Search engines in the spotlight

Shannon Yavorsky is an Associate at Kirkland & Ellis International LLP and can be contacted at [email protected]

With reference to the previous report at page 3, detailing the Article 29 Working Party's Opinion on Search Engines, one immediately wonders if the Working Party is referring to search engines other than the big three (Google, MSN Search and Yahoo!) or if the reference to 'search engines' is a diplomatic nod to the assorted smaller search engines on the Internet. Although the opinion does not refer to any search engine by name – in confirming that the Data Protection Directive (95/46/EC) applies to search engines even if they are established outside the European Economic Area ('EEA') but are using equipment based in one or more EEA Member States – the opinion is at least partially the product of the Working Party's highly publicised correspondence with Google in the past year. The opinion offers some much needed clarification on a few points and should, in principle, be welcomed by search engines of all sizes and privacy practitioners. Search engines may nevertheless be surprised by some of the Working Party's recommendations, in particular the six month benchmark for data retention, a stipulation that stands at odds with the policies of certain large search engines. Moreover, the Working Party's view that server logs and IP addresses are 'personal data' for the purposes of the Data Protection Directive (95/46/EC) may be viewed as controversial by search engine providers.

Background

In March 2007, Google published a statement on its website informing users of the steps it would take to improve its privacy policy. The statement confirmed that Google collects information about "your search, such as the query itself, IP addresses and cookie details" and stores the information for as long as it is useful. Google reported that it was changing its privacy policy and would anonymise server logs older than 18–24 months. The Article 29 Working Party took note of the statement and wrote to Google shortly thereafter. The letter commended Google for its new privacy practices relating to server logs but also suggested that Google's practices did not quite meet European data protection requirements. The Working Party expressed its concern that Google did not sufficiently explain the purpose for which the server logs had to be kept and asked for clarification in this regard. The Working Party also asked Google for its legal justification for the storage of server logs in general and requested more information about Google's cookies. Finally, it referred Google to a resolution on privacy protection and search engines, adopted by the 28th International Data Protection and Privacy Commissioner's Conference in November 2006, which called upon search engines to comply with data protection rules.

In its June 2007 response, Google stated that the retention of log data for 18–24 months is proportionate in view of the law and the purposes for which the data are retained, and provides the reasons why it decided to retain data for 18–24 months (namely to analyse the data for the purpose of refining search quality and building new services, and helping to prevent fraud and abuse). Google's response also points to the fact that the law in relation to many features of E.U. data protection legislation is in fact equivocal. Google's letter helpfully poses a number of key questions about data retention, the answers to which it surmises would go a long way to untangling the skein of data retention legislation in Europe. Finally, Google concedes that it would lower its data retention period to 18 months to assuage the Working Party's concerns. The Working Party did not send an official response to Google's letter, but the Working Party's latest opinion answers a few of Google's questions and lays down further data protection and retention guidance for all search engines.

The opinion

The search engine kingdom

The opinion starts by acknowledging the usefulness and importance of search engines and offers a broad definition of search engines as "services that help their users to find information on the web". The Working Party appears to be working towards a taxonomy for search engines and states that they are a subset of information society services and can be distinguished according to the different types of data they retrieve, i.e. text or photos or videos. The Working Party states that its primary focus for the purpose of the opinion is those search engines that follow the dominant search engine business model based on advertising (with revenues being generated by the tried and tested pay-per-click method). This phylum of search engine includes all well known search engines, in addition to specialised search engines such as those focused on personal profiling and meta search engines – search engines that search search engines, i.e. the likes of dogpile.com which searches, amongst others, Google, Yahoo! and MSN Search. The opinion specifically excludes those search engines which appear on a website and are used solely to search the website's own domain.

It is noted by the Working Party that the profitability of advertising-fuelled search engines is contingent on the effectiveness of the advertising that accompanies the search results. It points out that, in order to optimise revenues, search engines try to acquire as much information as possible about each search. It is here that the issue narrows and becomes clearer: search engines want to find out as much as possible about searchers and searchers' modus operandi so they can make more money by advertising more effectively. Search engines are therefore obliged to strike a balance between observing users' privacy on the one hand, and, on the other, gleaning as much information as possible about users to increase advertising profits. A precarious balance on any estimation.

Types of data

The Working Party identifies four kinds of data which can be obtained by search engines from searchers. The first are 'log files' which, provided they are not anonymised, the Working Party contends are the most important personal data that are processed by the search engines. The second kind of data are IP addresses, which a search engine can link to different request and search sessions. It is possible to track and correlate all the web searches originating from a single IP address if the searches are logged. The third kind of data are web cookies, which are provided by search engines and stored on the user's computer. The last kind of data are flash cookies, which some search engines store on a user's computer.

The Working Party affirms its categorisation of IP addresses as personal data. It explains that although in most cases IP addresses are not directly identifiable by search engines, identification can be achieved by a third party. It observes that Internet access providers hold IP address data, that law enforcement and national security authorities can gain access to these data and, in some Member States, private parties have gained access to such information through civil litigation. It therefore considers that the necessary data will be available to identify the users of the IP addresses. As to cookies, the Working Party observes that when a cookie contains a unique user ID, there is no question that this ID is also personal data. It is further clarified that a search engine that processes user data including IP addresses and/or cookies containing a unique identifier falls within the scope of the definition of controller, since the search engine is effectively determining the purpose and means of processing.

Applicability of legislation

Data Protection Directive

The Working Party draws several conclusions about the applicability of the Data Protection Directive to search engines. First, it notes that the provisions of the Directive may apply even where the headquarters of a search engine are outside the EEA. It observes that the applicable national data protection laws may vary and that in some cases the law of several countries may apply. For search engines located within the EEA, the law of the Member State in which the search engine is established applies to the exclusion of all other national law (even if the company makes use of equipment in other Member States). If the search engine is not established in a Member State but makes use of equipment in that Member State for the purposes of processing personal data, then that Member State must apply its national data protection legislation to the search engine. In this case, the law of several countries may apply (i.e. if the company has equipment in several countries).

ePrivacy Directive

The Working Party determines that the ePrivacy Directive (2002/58/EC) does not apply to search engines since they fall outside of the remit of the definition of "electronic communications services" for the purposes of that Directive.

Data Retention Directive

Nor, in the Working Party's view, does the Data Retention Directive (2006/24/EC) apply to search engines. Article 5(2) of the Data Retention Directive states that "no data revealing the content of the communication may be retained pursuant to the Directive". Search queries themselves would be considered content rather than traffic data and the Directive would therefore not justify their retention. It is therefore the case that reference to the Data Retention Directive with regard to server logs generated by search engines is unjustified.

Obligations on search engines

The Working Party points out that search engines have mentioned the following purposes and grounds for using and storing personal data: improving the service, securing the system, fraud prevention, accounting requirements, personalised advertising, statistics and law enforcement. The Working Party notes that certain purposes, such as "improvement of the service" and "the offering of personalised advertising", are too broadly defined to allow for a determination on whether they are legitimate purposes. The Working Party concludes that search engines may only process personal data for legitimate purposes and the amount of data has to be relevant and not excessive in respect of the various purposes to be achieved. Once a search engine no longer needs the personal data for a particular purpose, it must be deleted or anonymised. To this end, the Working Party calls for the development of appropriate anonymisation schemes by search engines.

As to data retention periods, the Working Party observes that these should be minimised and be proportionate to each purpose set out by a search engine. The Working Party does not see a basis for a retention period longer than six months. In the event that data is retained for longer than six months, the search engines must demonstrate that it is strictly necessary for the service. In any event, the data retention period should be clearly set out on the search engine's home page.

The Working Party points out that while search engine providers collect some personal data about users of their services resulting from standard HTTP traffic, it is not necessary to collect additional personal data in order to be able to perform the service of delivering search results. As to cookies, web cookies and flash cookies should only be alive for as long as is demonstrably necessary. Cookies should only be installed if clear information is provided about the purpose for which they are to be installed and how to edit or delete this information. As to search engines themselves, information must be provided about their identity and location and about the data they intend to collect, store or transmit, as well as the purpose for which they are collected. Search engines should also respect website editor opt-outs indicating that the website should not be crawled and indexed in the search engines' caches.

Rights of users

The Working Party makes it clear that users of search engines have the right to access, inspect and correct if necessary all their personal data, including their profiles and search history. Finally, cross-correlation of data originating from different services belonging to the search engine may only be performed where consent has been granted by the user for that specific service.

Conclusion

While this opinion will be welcome clarification on certain aspects of data privacy, it makes it clear that search engines have more responsibilities under the Directive than they might have thought. Although opinions of the Working Party are not legally binding, they nevertheless have a hand in shaping E.U. policy and are largely followed by Member States. This opinion is an important one and, though it is aimed at search engines, will have to be considered by many companies that engage in online activities. The broad implications of this opinion will mean that E.U. companies (and those with equipment in E.U. Member States) will have to take a hard look at their privacy policies to ensure that they are in line with the latest conclusions from the Working Party. The bottom line is that search engines and companies should take note of the recommended six month data retention period and the fact that IP addresses should, in most cases, be considered personal data. Expect to hear more about this opinion once its importance filters through to those it will affect the most.

A copy of the opinion can be found at: http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2008_en.htm

Italy Update on the latest data protection news from Italy

By Debora Stella and Giulia Mozzato, Bird & Bird. Debora Stella is an Associate based in Milan. She can be contacted at [email protected] and Giulia Mozzato can be reached at [email protected].

In the past few months the Italian Data Protection Authority has issued a number of guidance documents and press communications aimed at providing more information about the application of Italian data protection legislation in certain sectors.

Proposals to accept Binding Corporate Rules

Multinational corporations need new mechanisms by which intra-group transfers of data to group members in non-E.U. countries will be permitted. The various means of transferring personal data set out in the Data Protection Directive, such as the use of standard contractual clauses, have been criticised in Italy when used in intra-group transfers. Consequently the Data Protection Authority strongly supports the adoption of legislation that will allow Binding Corporate Rules to be used in Italy.

The Italian Data Protection Authority has submitted a formal request to the Italian Parliament and Government asking that the law be changed to allow Binding Corporate Rules. This would mean that the Italian Data Protection Authority could authorise companies to transfer personal data using Binding Corporate Rules to members of their group outside the EEA. Under Italian civil law these Binding Corporate Rules would bind companies within and outside the group.

Clinical trials

The Italian Data Protection Authority has adopted guidelines on processing data as part of clinical trials. It has started a public consultation with the intention of collecting comments from members of the pharmaceutical industry and other organisations in the clinical sector by February 15, 2008.

The guidelines set out the measures that should be taken to ensure that patients’ personal and sensitive data are processed legally during clinical trials. This is especially important as the personal data from such trials are also accessible to sponsor companies, which may be members of the same group but established in other countries.

The guidelines standardise legislation that is currently in force: Legislative Decree No. 196/2003 and, more specifically, Annex 4 to the decree on “Processing of personal data for statistical and scientific purposes”. The guidelines set out in detail the main principles of data processing, and in particular the methods and procedures (e.g. notice, patient’s consent, retention period, security measures) that have to be followed. The guidelines also provide practical advice on the possible roles of the various parties involved in the processing (e.g. pharmaceutical companies, clinical study monitors, patients, etc.) as autonomous data controllers or data processors.

Simplification of customer care procedure

On December 10, 2007 the Italian Data Protection Authority issued general guidance concerning activities relating to calls received by companies responsible for customer care, after-sales assistance and telephone banking. The Authority stated that these companies should always inform customers that their personal data may be processed, unless the customer has already been informed (e.g. at subscription, or during the call). A proper notice that is clear, immediately comprehensible and concise should always be given by call centre operators (or through a recorded message) when the company intends to use the data for a different purpose, such as marketing activity.

The Authority also invited companies operating in the telephony sector to ensure professionalism and proper security of the data when it is processed. In particular, the guidance underlined the importance of exercising caution when the same call centre manages different databases for different data controllers.

Processing customers’ data in the banking sector

In October 2007, the Italian Data Protection Authority provided guidance to banks on how to process customers’ personal data in compliance with the Italian Data Protection Code (Legislative Decree No. 196/2003). The Authority requires banks to provide updated information to customers, to ask for identity documents only if strictly necessary, and to adopt proper security measures. These guidelines also apply, insofar as they are compatible with specific sector-related features, to similar activities carried out by post offices in providing banking and financial services.

Deletion of web navigation information

At the end of January 2008, the Italian Data Protection Authority required certain telephone and Internet operators (i.e. Telecom, Vodafone IT, H3G, Wind) to delete all traffic data that could reveal the content of the communication (i.e. web pages visited or destination IP addresses), as these could potentially disclose users’ sensitive data (e.g. data concerning personal relationships, religious beliefs, political opinions, health and sex life). All this data must be deleted within two months of the adoption of the provision. Telephone and Internet operators are only allowed to retain data that is required to provide the services and send invoices.

The provision also prevents operators from using any proxy servers that are not necessary for routing the communication or invoicing the services. This is because these servers sit between the users and the website and are able to collect a large amount of data related to the sites visited by the user during the web session.

New Regulation on security for telephone and Internet traffic data

On February 1, 2008 the Italian Data Protection Authority published new Regulations. These covered security measures to be implemented by electronic communication providers when processing telephone and Internet traffic data (for the purposes of justice, and of invoicing payments and marketing).

Under this new Regulation, electronic communication providers are required to implement strong security measures, listed in the Regulation, by October 31, 2008 and to notify the Italian Data Protection Authority when they have complied with the new provisions.

Europe: E-privacy and copyright in online content distribution: a European overview

Tim Wright (Partner), Alessandro Liotta (Associate) and Dominic Hodgkinson (Associate), Pillsbury Winthrop Shaw Pittman LLP, London. The authors may be contacted on: [email protected], [email protected] and [email protected].

In the Promusicae case,1 the European Court of Justice (ECJ) provided some clarity on the relation between Internet users’ privacy rights, copyright owners’ rights and the role of Internet Service Providers (ISPs) in relation to online piracy. A question which remains, however, is how, if at all, E.U. member states will react, in light of the current inconsistency in approach at a national level, to the question of ISPs’ responsibility for combating illegal file sharing of music and audiovisual works.

The European legal framework applicable to the use of the Internet is based on a series of directives adopted between 1995 and 2004 and implemented at national level by each member state. Although the harmonisation objectives of the European Union (E.U.) have so far been largely achieved, the constant development and commercial adoption of new technologies provides an ongoing challenge to the achievement of these objectives at a regulatory level.

Peer-to-peer (P2P) is a technology that creates networks of Internet users allowing them to easily communicate with each other and share content files and information, such as music and video files, often in disregard of the content owners’ intellectual property rights. The software used in P2P networks operates such that communications are not channelled through a central server, but are instead shared directly among the participants to the network (peers). The lack of a ‘central’ server controlling the flow of information circulating among peers facilitates online piracy, and has been cited as the cause of significant loss of revenue to the music and entertainment industries in Europe and worldwide.

In response to the growth of P2P, the industry has developed technology that can be used to monitor the web and track individuals’ use of the Internet, including identifying potential violations of intellectual property rights in the content shared over such networks (digital rights management, watermarking, filtering etc.). However, the application of these monitoring technologies potentially conflicts with individuals’ privacy rights.

The Promusicae case

On November 28, 2005, Productores de Música de España (Promusicae), a Spanish non-profit collecting society for producers and publishers of musical and audio-visual recordings, requested a Spanish court to order Telefónica de España SAU (Telefónica), a Spanish ISP, to disclose the identity of certain of Telefónica’s customers that were using the KaZaA platform (a P2P technology) to gain illegal access to copyrighted music files.

At first instance the Commercial Court of Madrid ordered the disclosure of the identity of the users. On appeal, Telefónica argued that under Spanish law (implementing Community directives) the disclosure of personal data sought by Promusicae would be authorised only in a criminal investigation or for the purposes of safeguarding public security and national defence, not in civil proceedings.

The Spanish Court of Appeal sought guidance from the ECJ as to whether Community law meant that the duty on ISPs to retain and make available connection and traffic data would extend to civil claims.

The ECJ decided that the applicable Community directives did not require member states to impose an obligation to disclose personal data in the context of civil proceedings, but that member states are not precluded from doing so. However, when implementing those directives and any permitted derogations under them, member states must apply a fair balance between the various fundamental rights at stake (including copyright) and must make sure that they do not rely on an interpretation of them which would be in conflict with the general principles of Community law, such as the principle of proportionality.

On the basis of that interpretation, the Spanish legislation currently in place, forbidding the disclosure of users’ identity in civil proceedings, was in line with the Community framework.

Different approaches at national level

The ECJ decision has come at a moment when the debate surrounding P2P has reached its peak. Civil and criminal proceedings commenced by the entertainment industry against P2P providers, ISPs and individuals have increased exponentially during the past few years.

Each member state has so far responded in different ways to the pressures raised by the various stakeholders in the online content distribution sector, while it has so far been hard to reach an agreement at European level and, to date, the ECJ has largely left it to member states to adopt their own national rules to deal with the issue.

France

Influenced by a strong national entertainment industry, on November 23, 2007, just a few months before the ECJ ruling in Promusicae, President Sarkozy backed an Accord for the development and protection of works and cultural programmes on the new networks, which was signed by 45 signatories (as at December 14, 2007) among ISPs and music and film industry representatives, in order to tackle illegal file-sharing, adopting a so-called ‘three strikes and you’re out’ policy.

Under the so-called Sarkozy Agreement, the entertainment industry, with the support of ISPs, has committed to putting in place technology enabling ISPs to monitor the web and to track illegal file sharing activity. A public authority will be established and given the power to prosecute and sanction any online copyright infringement. ISPs will, under that authority’s direction, send electronic warnings to the suspected infringers and will implement any sanction imposed by the authority (which may lead to the cancellation of the Internet access). Additionally, a list of the individuals sanctioned by the authority will be published. See also the following article at page 10.

United Kingdom

A similar approach to France may be taken in the U.K., where certain ISPs (including BT, Virgin and Tiscali) and the entertainment industry have been in discussions to introduce an agreed voluntary scheme under which ISPs would monitor pirate activity on the Internet.

No agreement has so far been reached, but the U.K. Government2 has committed to implementing any necessary legislation by April 2009 if the relevant industries do not adopt appropriate self-regulation. Current legislation (derived in particular from the E-commerce Directive (2000/31/EC)) shields (to a certain extent) ISPs from liability arising from the use of the Internet, but a more active role for ISPs is expected to be required in tackling illegal file sharing.

Germany

In April 2008, the German Parliament approved a new copyright law aiming at preventing illegal file sharing. Under the new law, ISPs will be forced to reveal the identity of Internet users accused of copyright infringements perpetrated on a commercial scale.

Doubts have been raised over the scope of the new law as well as its effectiveness in tackling the problem by prosecution of file sharers, given that the new law will potentially cap the fine for each infringement at €100.

Belgium and the Republic of Ireland

In Belgium and the Republic of Ireland, copyright owners and recording companies are conducting a different strategy against illegal file sharing and are directly suing ISPs for facilitating such activities, requesting their national courts to order ISPs to adopt filtering technology to monitor users’ Internet behaviour, detect attempts to share infringing files and block such communications.

This approach has been endorsed by the Court of Brussels in the case of SACEM v Scarlet (formerly Tiscali),3 and is now being brought before the Dublin courts by EMI (Ireland), Sony (Ireland), Universal Music (Ireland) and Warner (Ireland) against Eircom, the largest broadband provider in the country.

If the Irish court follows the Belgian court’s approach, ISPs in the Republic of Ireland will be bound to monitor each individual’s use of the web more closely, implementing specific technology for that purpose.

Italy

In contrast with the policies that are being followed in France, Germany, Belgium and the Republic of Ireland, the Italian Data Protection Authority4 has recently ruled that the activity of monitoring peer-to-peer users for the purposes of prosecuting alleged copyright infringements is illegal.

The case involved a German record company, Peppermint Jam Records, that had instructed Logistep (a Swiss company specialised in anti-piracy solutions) to monitor certain peer-to-peer networks in various European countries (including Italy). Upon Peppermint’s request, the Court of Rome ordered, at first instance, two Italian ISPs (Telecom Italia and Wind) to disclose the identity of certain alleged infringers.5 The orders adopted by the court of first instance were then reversed by the Court of Appeal,6 which declared that the disclosure of the identity of the users clashed with data protection law.

At the end of February 2008, the Italian Data Protection Authority confirmed that the collection and processing of the personal data of Internet users undertaken by Peppermint and Logistep was unlawful, unfair and disproportionate, and ordered the immediate destruction of such data.

Denmark

On February 5, 2008, the court of Frederiksberg (Copenhagen, Denmark) ordered DMT2 (a Danish ISP) to take all necessary measures to prevent its customers from having access to www.thepiratebay.org, a BitTorrent protocol site providing search engine and other services in relation to all music and video files available on a certain P2P network.

The Danish court considered that DMT2, by allowing its customers to access the website, was facilitating the search and download of copyright protected files, thus contributing to the illegal file sharing.

Sweden

A study launched by the Swedish Ministry of Culture (the Renfors report) put forward a proposal to compel ISPs to restrict the Internet access of subscribers who repeatedly download protected files.

The Swedish Government has finally rejected the Renfors report after it received a cool reception from many members of the Swedish Parliament. Instead, Sweden has approved a law under which (according to some press releases) copyright owners will be able to ask the courts to force ISPs to disclose the IP addresses used in illegal file sharing, similarly to the provisions of the German legislation.

Conclusions

The fragmentation that is being observed among the member states is a symptom of the E.U.’s inability to harmonise the regulatory framework for the Internet, in light of the various economic interests at stake and of the new technologies available to the public.

The Sarkozy Agreement was at first meant to become the solution to be adopted by the E.U., but on April 10, 2008 the E.U. Parliament approved a resolution on cultural industries in Europe calling on the Commission and the member states to avoid adopting measures conflicting with the principles of proportionality, effectiveness and dissuasiveness, such as the interruption of Internet access.

Given that Internet services operate at a cross-border level, a stronger effort by the E.U. institutions seems to be required in order to ensure that a harmonised regulatory approach is adopted across all member states, allowing individuals and businesses to operate in a certain regulatory environment whereby tensions between an individual’s right to privacy and an owner’s rights to its creative works are resolved.

1 ECJ Decision of January 29, 2008, Productores de Música de España v. Telefónica de España SAU, in Case C-275/06.
2 Department for Culture, Media and Sport’s paper on its strategy to provide support to the creative industry of February 22, 2002.
3 Decision of the Court of first instance of Brussels of June 29, 2007, in SCRL Societe Belge des Auteurs v. Scarlet SA.
4 Peppermint case, Resolution of Garante per la Protezione dei Dati Personali (the Italian Data Protection Authority) of February 28, 2008.
5 Order of the Court of Rome in Peppermint v. Wind telecomunicazioni spa of September 22, 2006; Order of the Court of Rome in Peppermint v. Telecom Italia spa of February 9, 2007.
6 Order of the Court of Rome in Peppermint vs. Wind telecomunicazioni spa of October 26, 2007; Order of the Court of Rome in Peppermint v. Telecom Italia spa of July 14, 2007.

France: Promusicae v Telefónica: A judgment of Solomon?

An update on the Promusicae v. Telefónica case and its effects in France

By Stéphanie Faber, Marianne Schaffner and Jean-Christophe Duton, Linklaters, Paris. Stéphanie Faber is a Partner and Head of the Technology, Media and Telecommunications practice. Her main practice areas include technology contracts, outsourcing, data protection, e-commerce and telecommunications. Stéphanie Faber can be contacted at: stephanie.faber@ linklaters.com. Marianne Schaffner is a Partner in the Intellectual Property practice based in Paris. She can be contacted at: [email protected]. Jean-Christophe Duton works in the Technology, Media and Telecommunications practice and can be contacted at [email protected].

Which should prevail? The protection of intellectual property or the protection of personal data? Such is the intricate question that the European Court of Justice had to resolve in Promusicae v Telefónica.1

Peer to peer battles

This case is part of the continuing fight by producers and publishers against the free exchange of music and video files using peer to peer technology. Promusicae, an organisation of producers and publishers of musical and audiovisual recordings, had been able to identify the IP addresses of persons using peer-to-peer (P2P) file exchange programmes to provide access to shared files containing recordings for which members of Promusicae held the exploitation rights.

Promusicae needed to identify the users behind these IP addresses in order to launch civil proceedings against them. It therefore asked the Spanish courts to order Telefónica to disclose the identities and physical addresses of certain customers using its Internet services.

In turn, the Spanish court asked the ECJ, via interlocutory proceedings, whether Community law should be construed as requiring Member States to lay down in their respective laws, in order to ensure effective protection of copyright, an obligation to communicate personal data in the context of civil proceedings.

Decision of the ECJ

Under Directives 95/46 and 2002/58, traffic data and, more generally, personal data are confidential. However, the same directives make it possible for the Member States to adopt legislative exceptions restricting confidentiality “when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard” some general or public order interests (e.g. national security) or some fundamental rights.


Both Directives include, inter alia, an exception ensuring the prevention, investigation and prosecution of criminal offences, but the ECJ noted that civil proceedings are not expressly mentioned in the list of exceptions. However, both Directives include in their exceptions “measures necessary for the protection of the rights and freedoms of others”.

The ECJ considered that copyrights are part of the fundamental rights which are protected in the Community legal order2 and therefore these Directives do not exclude the possibility for the Member States to lay down an obligation to disclose personal data in the context of civil proceedings aimed at protecting copyrights. However, it is only a possibility and not an obligation. Neither these Directives nor those relating to intellectual property compel the Member States to lay down such an obligation in order to ensure effective protection.

More importantly, the ECJ considers that Member States must guarantee “a fair balance between the various fundamental rights”. In this respect,

“the authorities and courts of the Member States must not only interpret their national law in a manner consistent with the directives but also make sure that they do not rely on an interpretation of them which would be in conflict with those fundamental rights or with the other general principles of Community law, such as the principle of proportionality”.

As a result, the question remains fully open to the Spanish courts! The Member States and their respective national courts retain (a certain) freedom and bear the entire responsibility of guaranteeing a fair balance in the fundamental rights of the principle of proportionality. This freedom derives from both State sovereignty and the need for flexibility. However, it may result in the emergence of different solutions from one country to another within the European Union, whereas situations and offences are crossing borders via the Internet.

Position in France

In France, the law permits the obtaining of the disclosure of personal data in the context of criminal proceedings.3

In the context of civil proceedings, the holder of intellectual property rights may obtain from a court provisional measures against an Internet access provider so that the infringement of its rights is stopped, pursuant to article 6-1-8 of the LCEN and article 8 paragraph 3 of Directive 2001/29. These provisions were applied by the Tribunal de Grande Instance (TGI) of Nanterre in the LimeWire case.4

The new “Plan to fight against cyber criminality” will provide less protection to Internet users’ data in criminal proceedings (e.g. carrying out searches from a distance). The recent Olivennes report dated November 2007 proposes a warning mechanism together with administrative penalties (differing from the criminal sanctions). Such administrative sanctions would be taken by a public authority which would be authorised to link traffic data to the identity of users.

This future public authority in charge of the fight against on-line piracy will, in compliance with the Promusicae decision, have to use the general principle of proportionality to reconcile three fundamental rights, namely: the right of (intellectual) property, the right to an effective judicial protection and the right to personal data protection and, more generally, privacy.

1 C-275/06
2 See Laserdisken E-479/04.
3 See Article L34-1 of the Code des Postes et Communications Électroniques.
4 TGI Nanterre, Limewire May 2, 2007.

Germany: News for operators of social networks

By Dr. Michael Schmidl, Maître en Droit, LL.M. Eur., who is a partner of Baker & McKenzie Partnerschaft von Rechtsanwälten, Solicitors und Steuerberatern, Munich and member of the firm’s Information Technology Group. Dr. Schmidl is a specialised attorney for IT-Law and a lecturer for Internet law at the University of Augsburg. The author may be contacted at: [email protected].

In April 2008 the German Düsseldorfer Kreis (“GDK”), a panel where the German Federal States’ data protection authorities reach agreement on the uniform application of the German Federal Data Protection Act (FDPA), decided1 inter alia on the data protection law obligations of operators of so-called social networks. The key message emerging from the GDK’s decision is that operators of so-called social networks are obliged to respect the legal framework as provided for in applicable privacy laws. The GDK highlighted the following eight central requirements to respect:

1. Operators of social networks have to inform their users fully with regard to the processing of their personal data and with regard to their possibilities to influence the process. Such information should also include details about the possible consequences for the users’ private life that may result from publishing data in the user profiles. Moreover the operators should inform their users how to handle the data of third parties (e.g. other users).

2. The GDK makes clear that the use of personal data for the use of telemedia is only admissible to the extent that the data subjects have provided valid consents. Advertisements based on profile data have to be organised in a manner that at least gives data subjects the possibility to object. The GDK, furthermore, recommends that it should be the users’ decision if and what profile and usage data may be used for advertisement purposes by the operator.

3. The GDK highlights that the storage of usage data beyond the end of a session is only admissible if such data are required for invoicing purposes vis-à-vis the user.

4. There is no legal foundation for storing data about the usage of social networks in case such data should one day be needed for criminal prosecution purposes. Such storage is not possible on the basis of the legislation on data retention (Vorratsdatenspeicherung) either.

5. The GDK further underlines that the German Telemedia Act requires operators to allow their users to act anonymously or under a pseudonym within the social network and that such requirements apply independently of the question of whether the user needs to identify himself with real data vis-à-vis the operator of the social network.

6. Operators are obliged to take the required technical and organisational measures in order to safeguard data security. They are especially obliged to avoid a systematic mass export or download of profile data from the social network.

7. Furthering data protection should especially be done via the standard settings of a social network environment, for example, the availability of profile data to third parties. The data protection authorities demand that the operators of social networks design the standard settings in a way that protects the users’ privacy as efficiently as possible. Such standard settings should be designed especially restrictively if the network is addressed to minors. Search engine access must only be allowed on the basis of the users’ express consent.

8. Users have to have the possibility to easily delete their profile themselves, and the operators of social networks should consider the implementation of expiration dates or automatic blocking of profiles which can be defined by users themselves.

Undoubtedly social networks are becoming increasingly popular. The GDK’s decision shows, however, that the increasing spread of social networks does not only have positive effects. The following is a summary of the risks associated with the use of social networks:

■ personal data, once entered, are virtually undeletable,
■ the setup of the network suggests a misleading shortcut to friendship with other users, which might lead to users being less cautious in disclosing personal information,
■ personal data might be used as a payment for access to networks which are announced as being free of charge,
■ operators are able to closely monitor every move made by their users,
■ personal data in a social network might become a useful tool for HR specialists to identify weaknesses of a candidate,
■ all too generous provision of data within the social networks might spur .

The challenge for and at the same time the limitation of privacy-law-based protection for users of social networks lies in the users’ increasing willingness and readiness to provide their personal data. Although there is broad agreement that data protection is essential in order to safeguard the individuals’ personal sphere, it can hardly be denied that almost (if one were not inclined to avoid absolute statements, the “almost” could also be left out) every single Internet user who has decided to join a social network deliberately accepts to share intimate information with others as a means of becoming part of a greater whole, and that such users would not hesitate to willingly accept dangers for their privacy or – flattered by third parties’ interest in their personal data – change the settings to allow an even greater proliferation of their personal data, even if properly informed on the occasion of their registration as a user of the social network.

1 www.datenschutz.de/news/detail/?nid=2662

United Kingdom: ICO guidance on data security breach management

Tim Wright (Partner), and Dominic Hodgkinson (Trainee businesses to notify any security breaches. In response, the Government felt that this would desensitise consumers to Solicitor), Pillsbury Winthrop Shaw Pittman LLP,Global security issues and undermine confidence in the Internet as a Sourcing and Privacy, London. The authors may be business medium. Additionally, the European Commission contacted on: [email protected] and proposed a ‘data breach notification directive’ that would require [email protected]. Internet service providers (such as BT Retail or Virgin Media) to notify security breaches. The Guidance admits that there is no The U.K. data protection regulator, the Information law expressly requiring notification of a security breach but Commissioner’s Office (ICO), has published new guidance1 reminds businesses that sector specific regulators, such as the (the ‘Guidance’) to help businesses deal with a situation Financial Services Authority or Ofcom (the independent regulator where personal data under their control is lost or stolen. The of the U.K. communications industries), may require them to ICO Guidance is designed to assist businesses in notify. formulating an appropriate course of action in the event of a data security breach arising from unauthorised or unlawful Overall, however, the Guidance presents a checklist of four basic processing, accidental loss, destruction of or damage to principles (containment, risk assessment, notification and personal data. Amongst other things, the Guidance warns evaluation) that businesses should apply in order to ensure a of the “dangers of ‘over notifying’”. proportionate response when data security is breached.

Notification of security breaches is currently a hot topic in the Containment and recovery U.K. (especially in the wake of the recent Government security breaches). Recently, the House of Lords Select Committee on The Guidance begins by stating that data security breaches Science and Technology recommended that the Government set will require not just an initial response (containment) but also a up a mandatory and uniform central reporting system for recovery plan including, where necessary, damage limitation. 12

12 Legislation and Guidance

This should involve specialist input from IT, HR and legal professionals and, in some cases, contact with external suppliers. Businesses are encouraged to determine in advance who should lead an investigation into the breach and what resources they should have to hand. Businesses should then determine who else needs to be made aware of the breach and what they can do to contain it. This could mean isolating or closing a compromised section of the network. An assessment of what can be done to recover any losses and limit the damage should then be carried out. This might include determining what can be done to restore lost or damaged data, putting staff on alert and, where appropriate, informing the police.

Assessing the risks

The Guidance says that before deciding what recovery steps are necessary, businesses should assess the risks specific to the breach, and, most importantly, the consequences for individuals. This will depend on the type of data involved. The more sensitive the data, the greater the risk. The Guidance gives two examples of sensitive data: health records and financial data. The scale of the assessment should be in proportion to how many individuals are involved and who they are. Loss of financial data may require liaison with banks while any wider consequences of a data security breach such as a risk to public health should be taken into account. The ICO also hints at the need for damage limitation from a PR perspective when it suggests that businesses should take into account “loss of public confidence in an important service you provide”.

Notification

Most notably, the Guidance states that “informing people about a breach is not an end in itself”. It stresses that notification should have a clear purpose, whether to enable individuals to take steps to protect themselves or to allow the appropriate regulatory bodies to perform their functions, provide advice and deal with complaints. Simply notifying the ICO may not be sufficient.

The Guidance sets out factors to be taken into account when deciding whether to notify the ICO and/or affected individuals. These factors include any legal or contractual requirements. Although there is no data breach notification law as such, businesses should consider whether notification will help them meet their security obligations under the Data Protection Act 1998 (namely, that businesses must take appropriate measures against loss or theft of personal data). Individuals should be notified if it will help them mitigate risks, for example by cancelling credit cards or changing passwords, but clearly there will be no need to notify an entire customer base about an issue that affects only a small number of customers. So, according to the Guidance, where a company with a database containing details of two million customers is hit by a security breach such that only two thousand individuals are affected, this would not give rise to a need to notify all of its customers. However, where a large number of people are affected, or there are very serious consequences, the ICO should be informed and it can assist the business to decide which individuals and/or organisations should be informed.

How to notify individuals will depend on the urgency of the situation and the security of a medium of notification. The Guidance recommends that individuals should be given clear and specific advice on what to do next and a means of contact such as a helpline number or email address.

Upon being notified of a breach, the ICO will expect to see details of any security measures (e.g. encryption) or procedures (e.g. daily backup of data) that were in place at the time the breach occurred. The ICO should be informed if the media are already aware of the breach. If the media are informed after the ICO have been notified, businesses should tell them that the ICO has been contacted and what action has been taken. Depending on the nature of the breach, third parties that may need to be notified include the police, insurers, professional bodies, bank or credit card companies and trade unions.

Evaluation and response

Where there are systemic and ongoing problems, simply containing the breach and continuing ‘business as usual’ will not be acceptable. Clearly, the fact that a breach occurred at all is a sign that a business should review its security systems, policies and response procedures. The Guidance suggests a number of points that may help identify where improvements can be made. These include examining where the data is stored, the method and security of data transmission, any weak points in the security measures, monitoring staff awareness of security issues and identifying the group of people responsible for reacting to reported breaches of security. It is also suggested that if an organisation already has a business continuity plan for dealing with serious incidents, a similar plan should be considered for data security breaches.

Comment

The need to notify, and the processes either side of a security breach, will vary from sector to sector and within sectors according to the type of data being processed. The communications sector is arguably higher risk and the question of whether to notify may be answered by the proposed E.U. directive in the case of Internet service providers. Nevertheless, the issue of data security breach notification is one of proportionality and as such has split opinion. The ICO agrees with the Government that mandating data security breach notification would desensitise the public to security issues and potentially undermine the Internet as a business medium. The counter lobby argue that the need for transparency and accountability is paramount and that clear rules governing data breach notification would incentivise organisations to maintain higher security standards.

The ICO has published another guidance, called Notification of Data Security Breaches to the Information Commissioner’s Office, which provides further detail on the notification section in this Guidance, at least in so far as it concerns notification to the ICO. For the time being however, and until the European Commission or the Government legislates on notification, businesses would be well-advised to make sure their security procedures incorporate this Guidance’s four data security breach management principles.

¹ The guidance can be found at www.ico.gov.uk/upload/documents/library/data_protection/practical_application/guidance_on_data_security_breach_management.pdf


News

AUSTRALIA

Privacy law review coming to an end

The Australian Law Reform Commission is at the final stage of completing its review of Australia’s privacy laws and is due to present its findings to the Attorney General on May 30, 2008. The Commission held 250 meetings and received just under 600 written submissions.

One of the big concerns to emerge is the complexity surrounding privacy laws in Australia. In addition to the Federal Privacy Act, which has two separate sets of principles, one for the public sector and another set for the private sector, separate states and territories have their own privacy legislation. Furthermore, New South Wales and Victoria have their own health privacy legislation.

Recommendations are likely to include having one set of uniform principles and for the Privacy Commissioner to provide more detailed guidance.

The Commission’s findings will be made public once the report has been tabled in Parliament.

For further information, visit the Commission’s website at: www.alrc.gov.au/inquiries/

The Australian Computer Society submits its recommendations to the Law Reform Commission

The Australian Computer Society (ACS) has made several recommendations as part of its submission to be considered by the Australian Law Reform Commission as part of its privacy review. These include:

■ The development of an authorisation policy and procedure to identify a chain of who can access employee e-mails.
■ A log book system to clearly identify when an unintended recipient of an e-mail has access to the e-mail and for what purpose, for example the IT department.
■ A permission and/or alert system to notify employees if their e-mails are accessed by another party such as the IT department as a course of routine business.
■ Establish a code of conduct to make it a disciplinary offence to use or divulge any information accessed in the course of meeting a statutory or corporate interception requirement. The Code should also include clear instructions on procedures to follow when accessing e-mails, and instructions not to amend e-mails.
■ Organisations should be subject to random auditing to detect any breaches of privacy laws and they should have a clear e-mail and web usage policy for their staff.
■ Employees should have a right of privacy with regard to personal e-mail and web browsing within the workplace except where there is reason to suspect misconduct or where corporate guidelines are not being followed.

For further information, please visit the ACS’s website at: www.acs.org.au/index.cfm

CANADA

Manitoba wants to appoint Privacy Commissioner

The Canadian Province of Manitoba is to propose amendments to the Freedom of Information and Protection of Privacy legislation that would allow it to appoint its own privacy commissioner similar to Ottawa’s.

Privacy issues are currently handled by the Manitoba Ombudsman who carries out informal investigations into complaints and issues recommendations. The privacy commissioner would have the power to hold quasi-judicial hearings and issue binding orders.

EUROPE

Data Protection Supervisor releases Annual Report

The European Data Protection Supervisor (EDPS), Peter Hustinx, has released his Annual Report for 2007 and a separate Executive Summary. The report can be obtained from the EDPS’s website at: www.edps.europa.eu/EDPSWEB/

FINLAND

Finnish Government proposes changes to Data Protection Act

The Finnish Government recently approved changes to the Data Protection Act. The changes have been put forward as a means to protect Finland’s corporate secrets.

The proposed changes will make it legal, in certain situations, for companies to examine e-mails sent by employees and their intended recipients. The bill was prepared by Finland’s Minister of Communications, Suvi Linden, who felt changes to the Act were extreme but necessary to protect business against the loss of crucial corporate information.

The proposed changes have been approved by the Finnish Government but still need to be considered by Parliament. If approved, the changes could come into effect in 2009.

HONG KONG

Privacy Commissioner calls on Hong Kong Government to strengthen data privacy laws

Earlier this month, the Privacy Commissioner, Roderick Woo, repeated calls for the government to strengthen the Personal Data (Privacy) Ordinance. The Commission reviewed the ordinance in 2006 and submitted over fifty recommendations.


He is again calling for the government to launch a public consultation paper and start the legislative process.

His Office will receive an additional $2 million for its 2008/2009 budget to help cope with its increasing workload. However, the Commissioner still wants the government to consider allocating further resources as demands on the Commission’s services continue to increase.

IRELAND

Data Protection Commissioner releases Annual Report for 2007

Earlier this month, the Irish Data Protection Commissioner, Billy Hawkes, released his Annual Report for 2007. He chose the opportunity to highlight the need for balancing the right to privacy with the increasing need to process personal information for security reasons, commenting, “Have we not succumbed to terror and submitted to extremism when we lose the liberty to live our lives without constant intrusion by the State in the name of security?”

The Commissioner has chosen to comment on a wide variety of issues, including the benefits derived from the increasing awareness of data privacy amongst the public, media and organisations both in the public and private sector, the usefulness of codes of practice, the trend by organisations to voluntarily notify security breaches as good practice and the ongoing challenges posed by new technology and the internet.

Report highlights

1. The number of formal complaints received by the Data Protection Commissioner’s Office (DPC) has risen substantially from 658 in 2006 to 1037 in 2007. The sharp rise is partly due to an increase in complaints made to the DPC about unsolicited text messages (390 complaints).
2. In addition to the formal complaints received and dealt with, the DPC dealt with over 24,000 enquiries: 20,000 by telephone, 4,000 by e-mail and a small number of postal enquiries.
3. Onsite investigations conducted by the DPC to collect evidence from parties committing apparent data protection breaches have led to the Commissioner currently having 350 prosecutions before the courts.
4. The DPC conducted twelve audits in 2007. Organisations audited included Aer Lingus, Axa Insurance, Hays Recruitment and the University of Limerick.
5. To ensure data protection requirements are being met, the Commissioner has increasingly used his powers to conduct visits without prior notice.
6. The Commissioner’s work with the Government to ensure data protection concerns are addressed in relation to the proposed DNA database and the intention to introduce an ‘eBorders’ system to track individuals’ entry and exit from the country.
7. The Report also includes an unscientific list of the top ten threats to privacy identified by DPC staff, designed to provoke discussion on further issues.

Organisations mentioned in the Report

The Report includes information about the DPC’s dealings with several organisations and government departments.

There is a detailed summary of the Commissioner’s actions to deal with the problem of unauthorised access to personal data held by public sector organisations including the police and the Department for Social and Family Affairs. There is also an update on the number of complaints received about the marketing practices of Sky.

The Commissioner has also provided detailed case studies about some of the DPC’s specific investigations including:

■ Aer Lingus’s inappropriate disclosure of employee information
■ Ryanair’s failure to provide individuals with a reasonable means to opt-out from e-mail direct marketing
■ Tesco’s unsolicited e-mail marketing due to technical issues
■ Extensive work with Eircom to resolve the matter of unwanted marketing calls, following a large number of complaints, which resulted in Eircom donating €35,000 to charity

For further information and to obtain a copy of the full Annual Report, please visit the DPC’s website at: www.dataprotection.ie

TURKEY

Turkey introduces data protection bill

Turkey has introduced a bill on the protection of personal data as part of its reform package to become a member of the European Union. The bill is being introduced alongside a proposal on governing state secrets and transparency. It includes the following provisions:

Sensitive data: The Bill imposes strict conditions on the use of sensitive personal data such as an individual’s race, political opinions, philosophical beliefs, religion, denomination or other type of convictions; membership in an association, foundation or a union; health condition; or private affairs. It also includes strict conditions for handling police and criminal records.

Individuals’ rights and fair and lawful processing: Individuals will have the right to know if information about them has been used and recorded and will be given the rights of review, correction and deletion in relation to incorrect, mistaken or inadequate data. The bill allows for data to be collected in situations where the individual has provided consent, to meet legal obligations, or where the information collected is in the public interest.

Retention: With regards to retention of personal information, where there are no specified legal retention requirements, the data should be anonymised or destroyed. The procedures and conditions regulating when and under what circumstances such data should be made anonymous will be decided by a charter to be prepared by the personal information protection council.

Security: The Bill allows the collection of personal information as long as there is legislation in place ensuring the confidentiality of such data.


Data transfers: It allows international data transfers to another country only if it has legislation in place which offers the equivalent level of privacy protection.

Penalties and fines: It introduces jail sentences of between six months and three years for any party found to be collecting personal information in breach of the law, and jail sentences of one to four years for individuals who disclose personal information or convey it illegally to a third party. Fines can be imposed, ranging from YTL 1,000 to YTL 10,000.

Exemptions

The Bill also introduces exemptions for processing of personal information.

1. The Bill introduces strict conditions for handling police records. Personal information can be collected in cases where there is no breach of an individual’s private life and the interests of the public necessitate such collection of data, and providing there are safeguards to ensure the confidentiality of such data.
2. Criminal records will be subject to monitoring by the Justice Ministry only.
3. Third parties can have access to personal information only in cases specified by law. Sharing such data with relevant institutions will be allowed in situations where national security or national defense reasons require such intelligence gathering to investigate or prevent a crime.
4. The use of personal information by health centres, insurance companies, social security institutions, businesses obliged to have their own nurseries, medical schools and universities is also allowed with certain conditions regarding medical treatment.

Under the proposed Bill, Turkey would establish an autonomous privacy watchdog with the power to act independently from the government.

UNITED KINGDOM

Information Commissioner has power to impose fines

The Information Commissioner, Richard Thomas, now has the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act. The new sanctions have been provided to the Commissioner under the Criminal Justice and Immigration Act. The maximum penalty will be set out in regulations to be published by the Secretary of State.

The Commissioner is still waiting to hear when the Act will come into effect.

David Smith, Deputy Information Commissioner, said: “This change in the law sends a very clear signal that data protection must be a priority and that it is completely unacceptable to be cavalier with people’s personal information. The prospect of substantial fines for deliberate or reckless breaches of the Data Protection Principles will act as a strong deterrent and help ensure that organisations take their data protection obligations more seriously.”

Information Commissioner issues advice for elected councillors in Wales

The Information Commissioner’s Office (ICO) has sought to remind elected councillors in Wales of their obligations under the Data Protection Act. Anne Jones, Assistant Commissioner for Wales, has written to all councillors offering them advice and assistance, and the ICO has published guidance outlining key data protection issues which should be considered before using residents’ personal information. The ICO has also published advice to local authorities on disclosing personal information to elected members. Both documents are available from the Commissioner’s website: www.ico.gov.uk

UNITED STATES

The FTC approves new rule provisions under the CAN-SPAM Act

The Federal Trade Commission (FTC) has approved four new rule provisions under the Controlling the Assault of Non-Solicited Pornography and Marketing Act, 2003, otherwise known as the CAN-SPAM Act. The provisions are intended to clarify the requirements of the Act and address four areas:

1. a sender cannot require an e-mail recipient to pay a fee, provide information other than his/her e-mail address and opt-out preferences, or take any steps other than sending a reply e-mail message or visiting a single Internet page to opt-out of receiving future e-mail;
2. the definition of “sender” has been altered to make it easier to identify which of the multiple parties advertising in a single e-mail message is responsible for complying with the Act’s opt-out requirements;
3. a “sender” of commercial e-mail can include an accurately-registered post office box or private mailbox established under United States postal service regulations to satisfy the Act’s requirement that a commercial e-mail display a “valid physical postal address”; and
4. a definition of the term “person” has been added to clarify that CAN-SPAM’s obligations are not limited to natural persons.

The FTC will use its Statement of Basis and Purpose, to be released shortly, to address other issues. These include the Act’s definition of “transactional or relationship message”, the FTC’s decision not to alter the length of time a ‘sender’ of commercial e-mail has to comply with an opt-out request, the FTC’s decision not to assign additional ‘aggravated violations’ under the Act and the FTC’s view on how the Act applies to ‘forward to a friend’ e-mail marketing campaigns.

Further information can be obtained from the FTC’s website at: www.ftc.gov/

MySpace wins $234 million under CAN-SPAM Act

A Los Angeles Court has ordered two spammers to pay MySpace $234 million after deluging its users with over


725,000 spam messages. This is the largest award under the 2003 CAN-SPAM Act and sets a record for this type of Internet abuse.

The judgment goes against spammers Sanford Wallace and Walter Rines, who were accused of using their own MySpace accounts and hijacking other users’ accounts to send e-mails to fellow MySpace users.

Wallace and Rines set up the e-mails to appear as if users were being sent the e-mails by their ‘friends’ on MySpace. The e-mails included links to sales pitches or websites that earned the pair ‘per hit’ payments. Some of the links were to adult websites and were sent to MySpace’s younger users.

Wallace and Rines chose not to appear in court.

Federal Court supports seizures of laptops at U.S. borders

Following a U.S. Federal Court decision that electronic devices should be subject to the same searches as luggage at U.S. borders and airports, travel associations and civil liberties groups have joined forces and written to Congress asking for limits to be imposed on the Department of Homeland Security’s search and seizure practices. They are calling for Congress to investigate these arbitrary searches and to consider enacting legislation to prevent abusive searches.

Background

Three years ago, Timothy Arnold, a Californian teacher, challenged the Federal Government’s right to search laptops. On his way back from the Philippines, border agents searched his laptop, reportedly found child pornography and eventually arrested him. The U.S. District Court for the Central District of California ruled in his favour, stating that border authorities should have reasonable cause to search electronic devices and this had not been the case in this instance. The Ninth U.S. Circuit Court of Appeals decision (issued April 21, 2008) overturned this judgment by the District Court after an appeal by the Federal Government.

The Association of Corporate Travel Executives (ACTE) filed an amicus briefing in support of Arnold, arguing that laptops are ‘essentially intellectual property and not the same as luggage or freight’, further arguing that there was no legal justification for border authorities collecting, storing and searching personal information without reasonable suspicion. In addition, the ACTE objected to the fact that electronic devices, once taken, can be held indefinitely by border authorities.

A recent 2008 survey by the ACTE of its members revealed that 81 percent of respondents were unaware that laptops and other electronic devices that were seized could be held indefinitely. 65 percent of respondents stated that their companies have now instituted a policy restricting the amount of sensitive or proprietary data that could be carried on a laptop. That number is expected to increase following this court decision.

Privacy concerns

The ACTE, along with groups such as the American Civil Liberties Union and the Electronic Frontier Foundation, are concerned that these searches are taking place without just cause and without a policy in place to govern the search and seizure practices. Not only can border authorities search electronic devices, they can copy the contents, and there is no policy on what subsequently happens to the information obtained, how long it can be held and how it may be used.

Commenting on the latest decision, ACTE Global Executive Director Susan Gurley argues that ‘the expectation of privacy at the border is considerably less than one can expect in their home or office’. The ACTE is so concerned, it issued the following advice:

■ do not carry any confidential, personal information that you do not want examined by third parties on your computer – or other electronic devices. This includes financial data, photographs, and email stored on computers, wireless phones, Blackberries, or iPod-type devices.
■ limit the amount of proprietary business information you carry on your computer. Transmit it before crossing the border to access the information, in the event your unit is seized.
■ If you use your laptop as your home computer, get a separate one for travel purposes.

In issuing this advice the ACTE does clarify that it is not advising travellers to hide data from U.S. border authorities, but simply to minimise the impact of data loss and the inability to access it, in the event of an electronic device being seized.

The letter

The Electronic Frontier Foundation has written an open letter addressed to both U.S. houses of Congress asking for hearings into the U.S. Department of Homeland Security’s policy of searching and seizing travellers’ electronic devices. Several Freedom of Information requests have been made asking agencies to explain their policies and procedures; however, they have responded slowly and refused to reveal very much. The privacy and security concerns raised in the letter include:

■ the seizure of password protected corporate laptops,
■ the vague definition of what constitutes “suspicious”,
■ the lack of published procedures or guidelines governing electronic device search and seizure, and
■ the disposition of personal data regarding other individuals named or listed in seized data (such as corporate records, financial material, human resources personnel records, private email, and family communications).

For more information, please visit the ACTE website at: www.acte.org/laptop_seizures.php

A copy of the letter can be found at: www.eff.org/press/archives/2008/05/01/border-search-open-letter


Federal Trade Commission looks into privacy implications of ‘contactless payment options’

The Federal Trade Commission (FTC) is to host a town hall meeting on July 24, 2008 to investigate ‘contactless payment devices’ (CPDs) which use RFID technology.

CPDs are typically a smart card, fob or mobile phone and are increasingly being used by consumers in the U.S. to make low dollar purchases. The FTC is holding the meeting to examine the implications posed to consumers through the use of such technology. The issues the FTC wants examined include the security and privacy threats to consumers and the emerging practices and technology that may influence CPDs over the next few years. The FTC will use the meeting to explore the use of RFID enabled devices both in the U.S. and around the world, looking at both the benefits and risks to consumers.

The meeting will be free to attend and open to the public. Individuals interested in being panellists should contact the FTC by June 6. Anyone wishing to submit suggestions on topics relevant to the discussion should do so by June 20.

More information about the proposed meeting can be found at: www.ftc.gov/bcp/workshops/payonthego/index.shtml


BNA International Inc., 29th Floor, Millbank Tower, 21–24 Millbank, London SW1P 4QP, UK Phone: + 44 (0) 20 7559 4801 Fax: + 44 (0) 20 7559 4840 E-Mail: [email protected] Website: www.bnai.com


Personal Data

Canada

New Canadian domain name policy balances privacy with public access

By Michael Geist.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He served on the CIRA board from 2000 – 2006 and was an active supporter of whois policy reforms. He can be reached at [email protected] or online at www.michaelgeist.ca

Last month, the Canadian Internet Registration Authority (CIRA), the agency that manages the dot-ca domain, celebrated its one millionth domain name registration. While that represents an important milestone, a far more noteworthy development is that CIRA also quietly announced the implementation of a new “whois” policy that will better protect the privacy of hundreds of thousands of Canadians and serve as a model for domain name registries around the world.

The whois issue has attracted little public attention, yet it has been the subject of heated debate within the domain name community for many years. It revolves around the whois database, a publicly accessible, searchable list of domain name registrant information (as in “who is” the registrant of a particular domain name).

When CIRA was first established, its whois policy permitted detailed disclosures about domain name registrants. A typical whois entry included the domain name itself, the name of the registrant, and comprehensive contact information including postal address, phone and fax numbers, as well as email addresses.

The ready availability of such information proved useful to law enforcement, which often used whois information as part of cybercrime investigations. Similarly, the pursuit of intellectual property infringement claims, such as domain name cybersquatting cases, relied upon access to whois information to commence legal challenges to domain name registrations.

Notwithstanding these uses, CIRA recognised that its policy of publicly disclosing personal information was generating significant discomfort among many registrants. Citing privacy and spam concerns, many registrants preferred to conceal their identity from the public (though CIRA and the domain name registrar responsible for the registration would have access to the personal information). Moreover, registrants of controversial domain names, such as domains used for websites devoted to public criticism or political advocacy, often wanted to shield their personal information for fear of public censure.

As privacy and data protection commissioners began to express reservations about the legality of requiring domain name registrants to disclose their personal information, CIRA proposed a new policy in 2004. After two major public consultations, mounting opposition from law enforcement about its loss of “unfettered” access to whois data, and years of operational delays, CIRA last week began informing registrants that the new policy will take effect on June 10, 2008.

Under the new policy, CIRA will continue to collect the same contact information from registrants as under its current policy. However, it will no longer require that such information be publicly available through its whois directory. In its place, CIRA will only require the public disclosure of limited technical information, though individual registrants may voluntarily “opt-in” to providing more personal information.

While the CIRA policy protects the privacy of individual registrants, corporate or organisational registrants will typically have their full information publicly disclosed. The policy recognises that corporate information does not raise specific privacy concerns since corporate information does not constitute personally identifiable information. Moreover, consumers may often want to access corporate whois information when judging the reliability of a website.

In order to ensure that domain name registrants can still be contacted, CIRA has also established a unique message delivery system. CIRA will allow the public to contact domain name registrants without access to their personal information by relaying the message through a web-based submission form.

The Canadian changes may be long overdue; however, they also instantly catapult the dot-ca into a global leadership position. With more than a million Canadian domain name registrations, the resolution of the whois issue ensures that the Canadian domain name space is set for continued growth as it now features a “privacy advantage” over other domains struggling to strike a similar compromise.




Finland

Government proposes limited right to investigate employees’ credit history¹

By Seppo Havia, Partner, Dittmar & Indrenius. Seppo ■ the grant and monitoring of financially significant credit; Havia can be contacted by telephone +358 9 68 1700, ■ access to protected business and professional secrets of fax +358 9 65 2406 or email [email protected] the employer and its customers; The Finnish Government has announced proposed changes to ■ the use of a system for transferring funds of the the Act on Protection of Privacy in Working Life (759/2004) employer or its customers, or other data relating to those concerning an employer’s right to collect information regarding its funds; employees’ credit history in order to assess their reliability. The ■ the handling of significant amounts of money, securities proposed amendment is intended to establish clear rules on or objects of value without direct supervision by the processing such information. The Government proposal was employer; submitted to Parliament on March 7, 2008. ■ the safeguarding of funds of the employer or its Background customers; or The importance of employees’ credit history has increased. ■ unsupervised work in a private residence. Personal credit information is being used in recruitment in order Under the proposal, an employer or its representative could be to assess applicants’ reliability. At present, no detailed provisions sentenced to a fine for deliberately or negligently violating exist regarding the situations in which an employer can check an these requirements. employee or applicant’s credit history.

Key features Employer’s duty to provide information In addition, in future an employer must collect personal An employer is entitled to process an employee’s personal credit information about the employee primarily from the employee information directly only where it is necessary for the employment himself or herself. Furthermore, the employer must notify the relationship which arises from the nature of the work concerned. employee in advance that information is to be collected in order According to the proposal, an employer would be entitled to to establish his or her reliability. If credit information concerning acquire and process credit history information about (i) a job the employee has been collected from a source other than the applicant who has already been selected for the job, or (ii) an employee, the employer must notify the employee of this employee who wishes to relocate within the company, provided information before it is used to make decisions concerning the that the employee’s work assignment requires a special degree of employee. The employee has a right to discuss with the trustworthiness and there is a possibility that the employee may employer the reasons that affected the gathering of personal seek an unjustified economic benefit and thus cause financial credit information. loss to the employer. The amendments to the Act on Protection of Privacy in Working An employer’s right to process information about its employees’ Life are expected to come into force during Spring 2008. credit history would be limited to tasks which involve: 1 This article was first published on www.internationallawoffice.com – ■ the power to make decisions regarding or the the Official Online Media Partner to the IBA, an International Online independent discretionary power to make significant Media Partner to the ACC and European Online Media Partner to financial commitments; the ECLA.

Greece: Monitoring employees’ electronic communications

By Maria Giannakaki, Attorney at Law, at Karageorgiou & Associates, based in Athens. She can be reached at [email protected] or tel. +30-210-7221021.

Introduction

The development of information and communication technology systems allows employers to register and process employees’ personal data in the workplace. Technology systems such as tools for website/email monitoring and CCTV may be used to monitor employees’ professional behaviour in their workplace, but may also collect information regarding employees’ private life.

According to Greek legislation, case law and theory, employees have the right and the legitimate expectation to a certain degree of privacy even in the workplace. This right should be balanced with other legitimate interests of the employer and in particular the employer’s right to run his business efficiently to a certain extent and the right to protect himself from the liability or the harm that his employees’ actions may create.

Therefore, it would only be in exceptional circumstances that employee monitoring would be considered necessary and justified, as explained in detail below.

Greek legal framework

The basic legal framework governing data protection in Greece in general is set by Law 2472/1997 “On the protection of individuals with regard to the processing of personal data”, which implemented Directive 95/46/EC into Greek legislation (the “DPA”).

The DPA is applicable when employers monitor or keep records of employees’ communications in order to protect their right to run their business efficiently and protect themselves from liability or harm that employees’ actions may create.

However, in cases where employee monitoring is effectuated for reasons of national security and an interception is made, by and on behalf of a specified public official or for the purpose of preventing or detecting crimes, Law 2225/94 is applicable and an interception procedure is followed by the Public Prosecutor.

The Greek Data Protection Authority (the “Authority”), which is responsible for the implementation and enforcement of the DPA, has issued Directive 115/2001, which sets out rules in relation to employees’ data and monitoring at the workplace. The Directive sets out the Authority’s view on the application of the general data protection rules to monitoring employees’ activities, taking into consideration the Working Document on the surveillance of electronic communications in the workplace of the Article 29 Data Protection Working Party (“WP”).

The Directive’s field of application is extended not only to employees or workers, but also to candidates for a certain post, as well as to former workers. ‘Workplace’, within the meaning given by the Directive, is considered to be every place where an employee or a worker is performing his/her assigned task. Therefore, the rules set out by the Directive are applicable to personal data processing that takes place by employment agencies, temporary employment agencies, as well as personnel selection consultants. Moreover, the Directive applies to agencies and businesses that loan staff to other natural or legal entities.

Conditions of employee monitoring

Employee monitoring in the workplace should comply with the following requirements:

a. employers should file a notification of data processing to the Authority prior to the collection and processing of their data,
b. they should also inform employees and third parties about the monitoring of their communications in an express and appropriate manner,
c. employees and third parties should freely and expressly consent to their monitoring. In situations where employees and/or third parties have not given their consent, employers may monitor their communication only if they have a legitimate interest that evidentially prevails over employees’ and third parties’ fundamental right of privacy and secrecy of correspondence,
d. monitoring should be effectuated in compliance with the principle of finality and proportionality, according to which employees’ data are collected for precisely determined purposes such as browsing web pages and emails that may contain harmful viruses, spyware, violation of the company’s trade secrets, intellectual property rights etc.
e. with regard to sensitive personal data, there are tight restrictions. They can only be processed with the explicit consent of the individual concerned or in various other, very narrow circumstances. In the event that an employer collects and processes employees’ sensitive personal data, it should be filed and kept separately from other data.
f. from the employment law perspective there is no express requirement to consult with or obtain the approval of trade unions or works councils before conducting the monitoring, unless such an obligation derives from a contractual commitment of the company. However, in the event that a company has more than 20 employees and therefore a works council, the employer should inform the works council before implementing a new system of employee monitoring. This information should include the means, methods, purposes and priorities of employee monitoring.

Employees’ rights

With regard to employers’ monitoring systems, employees have the following rights:

a. right to access: the DPA provides that “everyone is entitled to know whether personal data relating to him or her are being processed or have been processed”.
b. right to object – rectify: accordingly, the DPA provides that “the data subject shall be entitled to object, at any time, to the processing of data relating to him. Such objections shall be in writing and addressed to the controller, and must contain a request for specific action to be taken, such as rectification, temporary abstention from use, blocking and abstention from transmission or erasure. The controller must reply in writing on these objections within 15 days from the submission of the request. In his reply, he must inform the data subject about the actions he has taken or the reason for not satisfying the request, as the case may be. In case of rejection of the objections the reply must also be communicated to the Authority”.
c. right to provisional judicial protection: according to article 14 of the DPA “everyone is entitled to request from the competent Court the immediate suspension or non-application of an act or decision affecting him, issued by an administrative authority or public law entity or private law entity or association or natural person solely on automated processing of data intended to evaluate his/her personality and especially his/her effectiveness at work, creditworthiness, reliability and general conduct”.

Decisions issued by the Greek Authority

In addition to the above it is worth referring to the Authority’s decisions that formulate a more detailed approach to this matter. A great number of the Authority’s decisions related to employee monitoring refer to employers who prevented their employees from gaining access to their personal data and exercising their right of rectification.

Among other decisions, it is worth referring to the Authority’s decision no 61/2004 with regard to the installation of Virtual Network Computing (“VNC”) software on its employees’ personal computers enabling the employer to monitor the screen of each employee and have access to the data stored in each computer. The company’s works council requested that the Authority provide an opinion on the legality of this remote control of their personal computers. The Greek Authority concluded that the VNC software was implemented in a way that could not guarantee the respect of employees’ right to privacy and therefore amounted to a blatant violation of their personal freedom.

Another useful reference is the Authority’s decision no 637/18/2000 with regard to a call-centre management system installed in a company for the monitoring of employees’ electronic communications. The Authority concluded that the implementation of a similar management system is legitimate, provided that:

a. the purpose of the system is the only way to monitor employees’ use of the company’s communication infrastructure for work purposes or if excessive or costly calls for personal purposes are effectuated through work telephone connections,
b. the call centre in question does not permit the appearance of the last three digits of outgoing calls, and
c. data subjects have been informed in advance.

Conclusion

Given the above, we may conclude that the collection and processing of employees’ electronic communications in the workplace is permitted insofar as it is absolutely necessary for organising and monitoring the performance of employers’ business operations (e.g. monitoring expenses). The communication data reported must be limited to those absolutely necessary and appropriate to fulfil such purposes. In no event is the recording and processing of the entire number, or the totality of communication data, or data of their contents allowed; these may not be collected except with permission from court authorities and provided that it is necessary for reasons of national security or to investigate exceptionally serious crimes.

United States: Consumer advocates and Government target online behavioural advertising: debate emerges between self-regulation and rigid regulatory controls

Timothy P. Tobin and S. Montaye Sigmon

Tim Tobin is an attorney in the Washington, D.C. office of Proskauer Rose, LLP. Tim co-authored a chapter on Privacy Laws in Proskauer on International Litigation and Arbitration: Managing, Resolving, and Avoiding Cross-Border Business or Regulatory Disputes, available at www.proskauerguide.com and is a contributor to the Proskauer Privacy Law Blog, available at privacylaw.proskauer.com. He can be contacted at: [email protected]

Montaye Sigmon is an attorney in the Los Angeles office of Proskauer where she too is a contributor to the Proskauer Privacy Law Blog. She can be contacted at: [email protected]

Both Tim and Montaye practice in the firm’s Privacy and Data Security Law Practice Group.

On December 20, 2007, the United States Federal Trade Commission (FTC) issued a statement proposing self-regulatory principles for businesses engaged in online behavioural advertising. The proposed principles provide a framework that facilitates businesses targeting relevant advertisements to consumers online while safeguarding consumers’ privacy. Meanwhile, in New York and Connecticut, legislators have introduced first-of-their-kind bills to regulate Internet advertisers’ tracking activities. This coincides with significant opposition in the European Union to online behavioural practices and new regulatory action that threatens existing business models. While these governmental actions have progressed, various industry groups have continued to develop standards to address consumer concerns. A debate thus has emerged between self-regulation and strict legislative controls. Some consumer groups contend that new technologies require new laws. Businesses counter that straight-jacketing will impede the development of new technologies and business models that underwrite the availability of free Internet content.

Background

Online advertising serves to underwrite the availability of free online content, much as in the print and broadcast worlds. Online behavioural advertising involves the process of tracking online users’ behaviour and serving ads tailored to that behaviour. While the methods vary, the primary methods used online are cookie-based, conveying to advertisers the web pages a user visits. Companies may also use search data. This information is sometimes combined with demographic data, such as geographic location, to help further personalise advertisements. The process of tracking the behaviour of users on the web to deliver more relevant advertisements has drawn intense criticism from consumer watchdog groups.


Tracking usually is conducted anonymously, with the data collected linked only to a computer’s Internet Protocol (IP) address, not a name or other personally identifiable information. Typically, there is notice and an opportunity for consumers not to participate in such programs. The emergence of new technologies offered by companies such as Nebu-Ad and Adzilla that use so-called “deep packet inspection” to collect data on every page a user visits, rather than just those that are part of an online advertising network, has focused new attention on behavioural advertising.

The FTC Proposed Self-Regulatory Principles

On November 1–2, 2007, the FTC held a town hall meeting titled ‘Ehavioral Advertising: Tracking, Targeting and Technology’. The FTC sought comment from both industry and consumer groups. As a result of the town hall, the FTC issued its December 20, 2007 statement proposing four “self-regulatory” principles to guide businesses engaged in online behavioural advertising.[1] After issuing the statement, the FTC continued to accept public comments for a period of time on these principles, as well as additional information on what other uses businesses are making of online tracking data.

The self-regulatory approach taken by FTC staff in the proposed principles expressly recognizes the benefits behavioural advertising provides. Specifically, the FTC staff concluded that ad-supported content makes newspapers and other valuable information from around the world more readily available to consumers online and that many consumers value personalised ads. FTC staff did, however, express concern that behavioural advertising and the related data collection “is largely invisible and unknown to consumers.” The four principles FTC staff has proposed to address concerns over transparency and consumer choice state that:

1. every website that collects data for behavioural advertising should include “a clear, concise, consumer-friendly and prominent statement” that (a) consumer data is being collected online for behavioural advertising, and (b) consumers can exercise choice on collection of their data for such purposes, with a “clear, easy-to-use, and accessible method” provided for doing so;
2. a company engaged in behavioural targeting should reasonably secure the data collected and only retain it “as long as necessary to fulfil a legitimate business purpose or a law enforcement need”;
3. a company should obtain consumers’ “affirmative express consent” if it is going to use personal data for a materially different purpose than was disclosed when the data was collected; and
4. a company should obtain “affirmative express consent” before collecting “sensitive” consumer data (such as health data, sexual orientation, and children’s data); FTC staff are seeking further comment on the types of data that constitute “sensitive” information and whether, instead of consumer choice, a prohibition on collection of such data would be a better approach.

These principles, based on notice and choice, provide sound guidance that legitimate online businesses utilise and that protects consumers.[2]

The New York Bill

The New York Assembly has taken notice of the ongoing debate over online behavioural advertising and is considering a first-of-its-kind bill, the Third Party Internet Advertising Consumer’s Bill of Rights Act of 2008, to regulate third-party Internet advertisers’ tracking activities.[3] The proposed legislation is based on the Network Advertising Initiative (NAI)[4] self-regulatory principles adopted in 2002.[5] The bill would create an extensive regime of consumer notice and choice for third party tracking of different types of consumer online activity.

Under the legislation as proposed, consumers must be given the option of opting out of third-party “online preference marketing.” Moreover, absent obtaining a consumer’s prior affirmative consent or opt-in, third parties would be prohibited from: (a) using sensitive medical data, financial data, sexual behaviour or sexual orientation for online targeted advertising; or (b) merging previously collected non-personally identifiable information with personally identifiable information. Further, even when consent is given, consumers must have a way of revoking such consent for future mergers of such information on a prospective basis.

The bill would require clear notice by third party advertising companies on their own sites of their profiling activities, the types of data they collect, how they use the data, the procedures for the opt-out process, and the length of time the data is retained. Further, it would require third party advertising companies to contractually require the sites to which they provide services to include notice and opt-out options.

Notably, the bill would prohibit a third party from tracking information from websites when it does not have a contractual relationship with the website owner. This provision could have major implications for companies that contract with Internet Service Providers to monitor surfing activity across all websites a consumer visits. The bill is also significant because it would effectively create a national law – companies with a national online presence would necessarily be doing business in New York as well.[6]

The Connecticut Bills

Connecticut this year also introduced legislation to address online behavioural advertising. Connecticut House Bill 5765, An Act Concerning Online Advertising and Privacy, contains requirements that, substantively, are nearly identical to those contained in the New York bills.[7] A separate Senate Bill (S.B. 515) takes a different approach: it simply requires disclosure of certain information to consumers upon request.[8] In particular, the bill would require commercial Internet web site operators to disclose to Connecticut consumers whether the operator has disclosed personal information to third parties within the past year and whether the operator knows or reasonably should know that the third parties used the personal information for the direct marketing purposes of a third party. Further, if the operator has disclosed personal information to third parties, it must include the third parties to which that information was disclosed and the type of personal information provided to such parties.[9]

The European Union

The press has recently reported about controversy in the U.K. concerning reports that the country’s three largest ISPs: BT, Talk Talk, and Virgin Media, had contracted with Phorm for behavioural targeting services. A U.K. think tank, the Foundation for Information Policy Research (FIPR), submitted an open letter to the U.K. Information Commissioner charging that Phorm’s activities violate British privacy law and the European Union’s Data Protection Directive by not affording consumers opt-in choice for the tracking.[10] Phorm is claiming that it uses a cookie with a random number assigned to track information so that it does not collect personally identifiable information.

The controversy over Phorm in the U.K. illustrates the heightened tensions in the European Union (E.U.) over online behavioural advertising. Compared with the U.S., the E.U. has shown a willingness to take a much tougher stance toward online tracking, even for anonymous data. Just last month, the Article 29 Working Party (“Working Party”) issued an opinion[11] concerning the privacy implications of Internet search engines, which has far-reaching ramifications for online business practices.

The Working Party opinion confirms the E.U. position that IP addresses standing alone constitute personally identifiable information[12] and, therefore, search engine operators must treat all IP information as personal data unless they can ensure “with absolute certainty” that data corresponding to users cannot be identified.

The Working Party found that collection and processing of personal data must be based on at least one legitimate ground. Such grounds include: consent of the user to allow the search engine provider to use specified data for a specified purpose; necessity for the performance of a contract with the data subject (rejecting reliance on a “de facto” contract between Internet companies and the user of a service); and necessity for the purposes of a legitimate interest pursued by the controller, which are defined to be service improvements, systems security, fraud prevention, accounting, personalised advertising (if based on anonymised data) or law enforcement and legal requests.

The Working Party also determined guidelines for certain practices:

1. Persistent cookies containing a unique user ID are personal data and should be defined to allow an improved web surfing experience and a limited cookie duration. Moreover, users must be informed about the use and effect of cookies.
2. Where search engine providers utilise a cache functionality, they should only retain content in a cache for the “time period necessary to address the problem of temporary inaccessibility to the website itself” – any caching period of personal data contained in indexed websites beyond this necessity of technical availability should be considered an independent republication.
3. Correlation of personal data across services and platforms for authenticated users can only be legitimately done based on informed consent by the user.
4. Search engine providers may not suggest that using their service requires a personalised account by automatically re-directing unidentified users to a sign-in form for a personalised account.

With respect to retention of personal data, the Working Party expressed that it saw no basis for a retention period of more than six months in any instance and that the retention period should be “no longer than necessary for the specific purposes of the processing.” Where data is retained for longer than six months, a search engine provider must demonstrate that such retention “is strictly necessary for the service.” Further, search engine providers must delete personal data when a legitimate purpose no longer exists; in the alternative, search engine providers may anonymise data as long as the anonymisation is completely irreversible. Finally, search engine providers must inform users about the applicable retention policies for all types of user data they process.

Notably, companies based outside the E.U. must be aware of the jurisdictional claims made by the E.U. In particular, the Working Party concluded that the Data Protection Directive applies even where a search engine company’s headquarters is outside the European Economic Area. Where the search engine service provider is not based in one of the Member States, the Data Protection Directive applies where either: (a) the search engine provider has an establishment in a Member State; or (b) the search engine makes use of equipment in the territory of a Member State. “Use of equipment” includes a user’s personal computer. These new restrictions have extensive ramifications for search engines engaged in behavioural advertising.

Industry and interest group guidelines

In addition to the activity discussed above, industry and consumer interest groups continue to propose new guidelines. In April of this year, the NAI announced new proposed guidelines. The Proposed 2008 NAI Principles are in reaction to the FTC Statement and include a variety of revisions such as (i) clarified “sensitive” consumer segment prohibitions; (ii) new rules requiring opt-in consent for certain “restricted consumer segments;” (iii) prohibition against creating behavioural advertising segments specifically targeting children under the age of 13, and (iv) enhanced data security requirements.[13]

Also, earlier this year the Interactive Advertising Bureau – an organisation comprised of many leading Internet companies – issued self-regulatory guidelines similar to the FTC’s but designed to give companies more flexibility in their approach to notice and choice.[14] This spring, the Center for Democracy and Technology issued its Privacy Principles for the Development of User Controls for Behavioural Targeting, which focuses on allowing consumers to express their preferences for behavioural targeting, having those preferences remain in place until altered by the consumer, and encouraging companies to have readily available and easily understandable policies.[15]

Conclusion

The Internet offers consumers access to content and resources, frequently without a fee. That model is sustained by advertising revenue to compensate for the limitations of other revenue streams. The self-regulatory protections afforded to consumers continue the tradition in the United States of permitting the Internet to evolve with a regulatory light touch. The proposals in certain states and in the E.U. for rigid regulation are causing justifiable concern over negative effects on the continued growth of free content available to consumers and on handicapping new technologies that offer consumers more relevant and tailored online advertising, freeing them from the clutter of generalised advertising. How this debate plays out will define the next generation of publishing and commerce on the Internet.


[1] See Online Behavioural Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles, available at www.ftc.gov/os/2007/12/P859900stmt.pdf
[2] Once a business adopts self-regulatory principles and publicly discloses those as policies, it becomes legally bound to comply with its promised practices or risk enforcement action under Section 5 of the FTC Act, 15 U.S.C. § 45. See, e.g., In the Matter of Gateway Learning Corp., FTC File No. 042-3047, available at www.ftc.gov/os/caselist/0423047/0423047.shtm (involving a company’s rental of information to marketers contrary to explicit promises made in the privacy policy).
[3] There are identical versions of the bill in the New York Assembly and the New York Senate (A. 9275 and S. 6441), available at http://assembly.state.ny.us/leg/?bn=A09275&sh=t.
[4] The NAI is an industry group of online advertising firms.
[5] Available at www.networkadvertising.org/pdfs/NAI_principles.pdf.
[6] The Assembly bill is presently before the Assembly Committee on Consumer Affairs and Protection while the Senate bill is pending in the Senate Committee on Consumer Protection.
[7] Connecticut House Bill 5765 is available at www.cga.ct.gov/2008/FC/2008HB-05765-R000148-FC.htm.
[8] Connecticut Senate Bill 515 is available at www.cga.ct.gov/2008/FC/2008SB-00515-R000136-FC.htm. SB 515 is patterned closely after California’s Shine the Light law, S.B. 27, which took effect in 2005. See California Civil Code § 1798.83. By limiting the scope to commercial Internet website operators, SB 515 is much narrower than California’s Shine the Light law, which applies to most business categories.
[9] Both bills received a favourable review from the Joint Committee on General Law and from the Legislative Commissioner’s Office, and were placed on the House and Senate calendars, respectively.
[10] The letter is available at http://www.fipr.org/080317icoletter.html.
[11] Available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp148_en.pdf. The opinion specifically addressed the applicability of the E.U. Data Protection Directive (95/46/EC) and the Data Retention Directive (2006/24/EC) to the processing of personal data by search engines.
[12] According to an earlier opinion issued by the Working Party (available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf), personal data includes an individual’s internet search history if the individual to whom it relates is identifiable.
[13] See www.networkadvertising.org/networks/principles_comments.asp.
[14] See www.iab.net/about_the_iab/recent_press_releases/press_release_archive/press_release/195099.
[15] See www.cdt.org/privacy/pet/Privacy_Controls_IPWG.pdf

Data protection 2.0: What next for online behavioural advertising?

By Phil Lee, who is a Senior Solicitor at Osborne Clarke. He can be contacted at: [email protected]

Online behavioural advertising has become something of a hot topic in both data privacy and marketing circles in recent months, albeit for very different reasons. Broadly speaking, online behavioural advertising (sometimes called behavioural targeting) refers to the collection and use of information about an individual’s interests, likes and dislikes in order to deliver advertising which is specifically targeted at that individual – for example, targeted banner advertising on websites. Naturally, online behavioural advertising (or, in the interests of brevity, behavioural advertising) has been hailed by marketers as a killer application that will, at last, enable them to deliver advertising which is interesting, informative and, above all, relevant to all recipients; conversely, privacy groups have expressed justifiable concerns about the (often covert) manner in which behavioural advertising platforms are deployed.

Beacongate

Of course, behavioural advertising has already made a splash in the marketing and data privacy worlds. Last year, Facebook drew considerable criticism following its decision to deploy its Beacon behavioural advertising technology on third party participating websites (critics dubbed the resulting furore “Beacongate”). In essence, when viewing a participating website, a web beacon (a small one pixel by one pixel image file) would automatically download onto the end user’s computer without the user’s knowledge. The next time the user logged into Facebook, Facebook would interrogate his or her web beacons to determine what online activities the user had engaged in. This information was then automatically broadcast on Facebook (without the user’s consent) so that the user’s Facebook friends could see what he or she had been up to online.

With (or even without) the benefit of hindsight, you might imagine that this technology would ring a few privacy alarm bells, and indeed it did. But this did not stop 44 websites partnering with Facebook when it launched its Beacon technology on November 6, 2007, prompting an immediate user backlash. Faced with significant press and user criticism (including a petition on Facebook itself), Facebook subsequently changed its Beacon technology to require user consent before broadcasting users’ online activities to their Facebook friends. In addition, Facebook now allows its users to turn off Beacon completely.

A Phorm in a teacup?

After a turbulent period of twelve months in which a deluge of data privacy stories hit the headlines in the U.K. and abroad (Beacongate, TK Maxx, the Driver Vehicle Licensing Agency (DVLA), Child Benefit and Revenue and Customs (HMRC) data losses, to name but a few), along came Phorm, claiming to be the world’s first “privacy-friendly” behavioural advertising platform. This claim was not without some merit: following an initial privacy impact assessment undertaken by his company 80/20 Thinking, Simon Davies (a director of pressure group Privacy International) professed: “We were impressed with the effort that had been put into minimising the collection of personal information.”1

Phorm’s platform (the Open Internet Exchange or ‘OIX’) works by placing a cookie on end users’ computers. This cookie is assigned a random number which is used by the OIX to track which websites the end user visits. The OIX then records the product and service categories comprised in those websites (but not details of the website itself) against the end user’s random number (e.g. number 123456789 is interested in cameras and holidays). The next time that user visits a partnering website, Phorm matches its random number with

the interests recorded against that number in the OIX and uses this information to present the user with targeted advertising. Phorm therefore claims that the only information it needs to maintain is a list of random numbers and the interests associated with those numbers – in other words, it claims not to collect any personally-identifiable information from end users.

These assurances notwithstanding, Phorm has found itself subject to criticisms from privacy lobbyists who claim (amongst other things) that it may be possible to link IP addresses or other personally-identifiable information to the random numbers assigned by Phorm; further that by tracking the websites visited by users, Phorm may be making an “unlawful interception” of end user communications. In response, Phorm points out that neither the Information Commissioner’s Office (‘ICO’) nor the Home Office (both consulted by Phorm) have yet raised any concerns that Phorm’s platform entails either the processing of personal data or “unlawful interception” of end user communications (although the ICO has said that Phorm will need to operate on an opt-in basis – more on this below).

Article 29 Working Party

Against this backdrop, it perhaps comes as no surprise that at the end of last year, Gabriele Loewnau, senior legal advisor to the German Federal Commissioner (the then-head of the Article 29 Working Party), declared behavioural advertising to be “a very hot topic” that would form part of the Article 29 Working Party’s “work programme” for 2008.2 So far, the Working Party has not made any further statements – but it seems highly likely that further E.U. pronouncements on behavioural advertising (whether in the form of guidelines, consultations or otherwise) may not be too far off.

The U.K. position

So how is behavioural advertising regulated in the U.K.? Interestingly, there is no specific regulation of behavioural advertising itself. Instead, marketers must ensure that their behavioural advertising platforms operate within the general advertising and data privacy frameworks that exist in the U.K. A general analysis of the U.K. data protection regime applicable to behavioural advertising follows.

Data Protection Act

When considering the legality of any behavioural advertising campaign, marketers must resort to data protection first principles. What legislation will apply? Well, the Data Protection Act 1998 (‘DPA’) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PEC Regulations’), certainly; potentially too the Regulation of Investigatory Powers Act 2000. In addition, marketers may be well advised to consider also the applicability of advertising codes of practice (e.g. the CAP (Committee of Advertising Practice) codes of practice) and even the potential impact of human rights legislation.

First things first, collection and use of personal information as part of a behavioural advertising campaign must be fair and lawful3: individuals should be informed how their personal information will be used, for example, by making appropriate disclosures in a privacy policy and at data capture points, and a legal basis must exist for that use. Typically, this will be the opt-in consent of the individuals concerned. Marketers seeking to operate their behavioural advertising platform on an opt-out basis will need to look to an alternative basis under Schedule 2 of the DPA to legitimise their use of end users’ personal data for behavioural advertising (such as implied consent or legitimate interests). However, given the perceived intrusiveness of behavioural advertising, it is doubtful whether anything less than express consent will suffice, supporting the view that behavioural advertising must be opt-in. Nevertheless, in the absence of specific guidance from the Information Commissioner on this issue, it remains open to marketers to argue the case for operating on an “opt out” basis.

Notwithstanding whether behavioural advertising targeted at an individual is instigated on the basis of opt-in or opt-out consent, marketers must respect that individual’s right subsequently to turn off targeted advertising.4 In practice, this means that marketers should make available simple and clear instructions that inform individuals how they may turn off targeted advertising functionality (for example, by clicking on a hypertext link).

Privacy and Electronic Communications Regulations 2003 (PEC Regulations)

Compliance with the DPA only gets part of the way there, however. Since virtually all online behavioural advertising tools operate on the basis of cookies and/or monitoring of end user Internet traffic, the PEC Regulations will also apply.

Regulation 6 of the PEC Regulations requires website operators to notify end users if their website makes use of cookies. Since most online behavioural advertising platforms will use cookies to collect information about the end user, this means that marketers will need to give targeted individuals clear and concise information: (i) that their website uses cookies for behavioural advertising purposes; and (ii) about how to refuse or turn off cookies (for example, how to tweak website browser settings to reject cookies from the marketer’s website).

Perhaps more importantly, regulation 7 of the PEC Regulations prohibits website operators from using traffic data to provide value added services unless the end user concerned has consented to this. In a behavioural advertising context, this will prevent marketers from using, say, records about the websites visited by an end user (i.e. traffic data) to provide that end user with targeted marketing (i.e. value added services) unless that individual has given consent. The effect of this is to require marketers who wish to use traffic data to operate on an opt-in basis. At least, this was the view taken by the Information Commissioner in relation to Phorm in its revised statement5 issued on April 10. However, it is perhaps interesting to note that few, if any, behavioural marketers currently operate on an opt-in basis.

Regulation of Investigatory Powers Act

It is important for marketers to realise that the core data protection laws set out in the DPA and PEC Regulations are only half the picture. For a complete privacy analysis of the potential risks of operating a behavioural advertising platform, marketers must also consider the impact of the Regulation of Investigatory Powers Act 2000 (‘RIPA’).

In essence, RIPA makes it a criminal offence for any person intentionally and without lawful authority to intercept a

communication in the course of transmission over a public telecommunications system.6 In order to have lawful authority to intercept a communication, a person must show either: (a) that he has the consent of both the sender and the recipient of the message; or (b) that he has a warrant or another legal basis for the interception such as, for example, a legal basis set out in the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (the Lawful Business Practice Regulations).

The implications of RIPA for marketers wishing to undertake behavioural advertising campaigns are not to be underestimated. Marketers that analyse end users’ web traffic for the purposes of behavioural advertising run the risk that they will be criminally liable under RIPA unless they have consent both from the targeted end user and from the sender of the communication. From an end user perspective, this requirement again supports the view that behavioural advertising programs must be operated on an opt-in consent basis.

However, what are the RIPA requirements for seeking consent from the “sender” of the communication? Does this really mean that marketers must approach and seek consent from every content owner on the Internet whose web pages may be visited by an end user? From a legal perspective, the answer to this question is far from clear, although common sense would tend to suggest not: intercepting the transmission of a publicly accessible website for the purposes of behavioural advertising is clearly an entirely different prospect from wire-tapping someone’s phone. Marketers may argue, for example, that by making content publicly available to anyone on the Internet, content owners have impliedly consented to interceptions of their content for the purpose of delivering targeted advertising to end users who have opted in to receive such advertising.

In the absence of consent, marketers would need to look to another legal basis to undertake web traffic interception for the purposes of behavioural advertising. However, there is nothing in either RIPA itself or the Lawful Business Practice Regulations that would appear to authorise such an interception. The effect of this, in practice, is to require marketers to operate behavioural advertising platforms on an opt-in consent basis (in relation to end users) and rely on implied consent from content owners. However, this argument is far from watertight and, until tested (whether or not by Phorm), behavioural advertisers will potentially remain “on the hook”.

The U.S. position

Across the pond, and in keeping with U.S. attitudes on data privacy generally, our American cousins have adopted a more relaxed attitude towards behavioural advertising.

In November 2007, the Federal Trade Commission (‘FTC’) held discussions on behavioural advertising issues in an event entitled “Ehavioral Advertising: Tracking, Targeting, and Technology”. The FTC accepted that behavioural advertising offered benefits to consumers but noted that the process was “largely invisible and unknown to consumers”. Therefore, whilst behavioural advertising helps to fund free information provision to consumers and to provide information about products and services that are tailored to particular consumer preferences, most consumers are unaware of the importance of data collection to this process. The FTC further noted that transparency should be a guiding principle of any online data collection and that consumers had legitimate concerns that their personal data may fall into the wrong hands or be used for undesirable purposes. Bearing these issues in mind, the FTC published proposed self-regulatory guidelines7 for comment by interested parties (although it stopped short of recommending the implementation of “Do Not Track” lists proposed by various privacy groups). Briefly summarised, the guidelines make the following key recommendations:

■ Transparency: Behavioural advertisers should provide clear, concise, consumer-friendly information that (i) data about consumers’ activities online will be collected for use in providing behavioural advertising; and (ii) consumers can choose whether or not to have their information collected for this purpose (together with a clear, easy-to-use, and accessible method for exercising this option).

■ Security: To reassure consumers that their data will not be used for nefarious purposes, behavioural advertisers should adopt reasonable security measures proportionate to the sensitivity of the data collected and the risks faced by the business.

■ Retention: Behavioural advertisers should not retain consumers’ data for longer than is necessary to fulfil their legitimate business needs.

■ Change of use: Consumers have a right to expect that their data will only be used for the purposes notified to them. If marketers intend to use consumers’ data for reasons not previously notified to them, the FTC recommends that they seek the relevant consumers’ affirmative express consent. This could be particularly relevant in a merger and acquisition context where the purchasing entity proposes to change the way that the acquired customer data is collected, stored and/or used.

■ Sensitive data: Sensitive data should not be used for behavioural advertising unless the relevant consumers’ express, affirmative consent has been obtained. On this issue, the FTC invited comments on what should constitute sensitive data and whether use of sensitive data for behavioural advertising should be permitted at all.

The FTC invited responses to its proposed guidelines by February 22, 2008. To date, it has not yet published revised guidelines in light of the comments it has received.

In other U.S. developments, the New York legislature is currently pondering the Third Party Internet Advertising Consumers’ Bill of Rights Act of 2008,8 the principal purpose of which is to ensure that consumers are fully informed about when third party advertisers may collect data about their online activities and to give consumers control over the use of that data. Among the provisions proposed are a requirement for advertisers to disclose their behavioural profiling activities on their own website, including the data they collect, how they use it, how long they retain it and how users can opt out of profiling. Similarly, advertisers will have to require the websites on which they display adverts to provide notice and opt-out options. Finally, and significantly, the proposed legislation does not permit advertisers to collect behavioural tracking data relating to websites with which they do not have a contractual relationship – potentially having a huge impact on behavioural advertisers that contract with Internet service providers (‘ISPs’) to monitor all websites visited by end users.

Similar legislation is also being considered in Connecticut.9
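The cookie-and-random-number mechanism described under “A Phorm in a teacup?” above, and the linkage objection raised against it, as an added example that is not from the article and is not Phorm’s code (Python, constructed data throughout): a toy store that keeps only random number → categories, as Phorm describes, and a join over assumed ISP-side log lines showing that the random number becomes linkable to an IP address as soon as any party holds logs carrying both the cookie value and the client IP. The hostnames, category taxonomy, log format and advert texts are all assumptions.

```python
from __future__ import annotations

import secrets
from collections import defaultdict
from typing import Optional

# Constructed taxonomy: the product/service categories each partner site is
# taken to "comprise". The hostnames are illustrative.
SITE_CATEGORIES: dict[str, set[str]] = {
    "cameras.example": {"cameras"},
    "holidays.example": {"holidays"},
    "news.example": {"news"},
}


def new_random_id() -> str:
    """Value written into the tracking cookie: a random 64-bit number."""
    return str(secrets.randbits(64))


class ProfileStore:
    """Store of the kind the article describes: random number -> categories.
    It deliberately holds no hostname, IP address or account identifier."""

    def __init__(self) -> None:
        self._profiles: dict[str, set[str]] = defaultdict(set)

    def record_visit(self, random_id: str, host: str) -> None:
        # Only the categories are kept; the host itself is dropped.
        self._profiles[random_id] |= SITE_CATEGORIES.get(host, set())

    def interests(self, random_id: str) -> list[str]:
        return sorted(self._profiles.get(random_id, set()))

    def pick_advert(self, random_id: str, adverts: dict[str, str]) -> Optional[str]:
        """First advert whose category matches the profile, or None."""
        for category in self.interests(random_id):
            if category in adverts:
                return adverts[category]
        return None

    def dump(self) -> dict[str, list[str]]:
        """Everything the store holds, to show what it does and does not contain."""
        return {rid: sorted(cats) for rid, cats in self._profiles.items()}


def parse_access_log(lines: list[str]) -> list[tuple[str, str, str]]:
    """Parse constructed ISP-side log lines (assumed format):
    '<timestamp> <client_ip> <host> cookie=<random_id>' -> (ip, host, random_id)."""
    records = []
    for line in lines:
        _ts, ip, host, cookie = line.split()
        if not cookie.startswith("cookie="):
            raise ValueError(f"unexpected log line: {line!r}")
        records.append((ip, host, cookie[len("cookie="):]))
    return records


def link_ids_to_ips(log_lines: list[str]) -> dict[str, set[str]]:
    """The critics' point: whoever holds traffic logs carrying both the client
    IP and the cookie value can join the 'anonymous' random number back to an
    IP address, and from there (via subscriber records) to a person."""
    linked: dict[str, set[str]] = defaultdict(set)
    for ip, _host, random_id in parse_access_log(log_lines):
        linked[random_id].add(ip)
    return dict(linked)


def demo() -> dict:
    """Walk through the mechanism on constructed browsing activity."""
    store = ProfileStore()
    alice_id = "123456789"  # fixed so the walk-through is reproducible
    bob_id = new_random_id()
    # Constructed log: Alice visits a camera site then a holiday site, Bob reads news.
    log = [
        f"2008-04-10T09:00:00Z 192.0.2.10 cameras.example cookie={alice_id}",
        f"2008-04-10T09:05:00Z 192.0.2.10 holidays.example cookie={alice_id}",
        f"2008-04-10T09:07:00Z 198.51.100.7 news.example cookie={bob_id}",
    ]
    for _ip, host, random_id in parse_access_log(log):
        store.record_visit(random_id, host)  # the platform's own view: id + categories
    adverts = {"cameras": "Spring camera sale", "news": "Subscribe today"}
    return {
        "alice_interests": store.interests(alice_id),  # ['cameras', 'holidays']
        "alice_advert": store.pick_advert(alice_id, adverts),
        "bob_advert": store.pick_advert(bob_id, adverts),
        "profile_dump": store.dump(),  # no IPs or hostnames in here...
        "linked": link_ids_to_ips(log),  # ...but the log re-links them
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it directly to print the profile store and the joined table side by side. The point for the DPA analysis sits in the last two entries: the store itself is pseudonymous, but that pseudonymity only holds while nobody can combine it with the traffic logs that an ISP-deployed platform is, by design, positioned to see; whether the random number is “personal data” therefore turns on who else holds the linking data, not on the contents of the store alone.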


Practical steps

Whilst the U.S. currently has a more favourable regime towards behavioural advertising, it is clear that change is afoot and that privacy standards more akin to the U.K. and European regime may not be far off. Bearing this in mind, what steps can behavioural advertisers take with a view to complying with U.K. data protection law? A few suggested compliance principles are set out below:

1. Always have a privacy policy. Behavioural advertisers should ensure that they have a clear, concise privacy policy explaining what personal data they collect, the circumstances in which they collect that personal data and the uses to which that personal data may be put. The privacy policy should explain to end users that they have the ability to opt out of the use of their personal data for marketing purposes and provide them with a simple means of doing this.

2. Obtain opt-in consent. From a U.K. perspective, any behavioural advertising campaign should ideally be conducted on an opt-in basis. Running a behavioural campaign on this basis would be consistent with the PEC Regulations and ICO’s revised statement on Phorm and would help to minimise (although not necessarily eliminate) the risk that the campaign falls foul of RIPA.

3. Provide an opt-out mechanism. Advertisers must provide a clear mechanism by which individuals can opt out of the use of their personal data for behavioural advertising, even if they previously opted in.

4. Provide cookie information. Since most behavioural advertising campaigns will entail the use of cookies placed on end users’ machines, advertisers must give users information about what cookies are and how end users can refuse cookies – even if refusing cookies may impair or prevent the advertisers’ ability to deliver targeted advertising to that end user. This information would normally be set out in the privacy policy.

5. Due diligence. Advertisers that wish to contract with a third party (such as a website operator or an ISP) to deliver targeted advertising to that third party’s user-base should check that the third party has in place a robust privacy policy that allows it to disclose personal data about its end users to the advertiser for behavioural advertising purposes.

1 www.8020thinking.com/news/9.html?task=view
2 http://uk.reuters.com/article/technology-media-telco-SP/idUKL2364727520071123
3 DPA Schedule 1, Paragraph 1
4 DPA s. 11
5 www.ico.gov.uk/Home/about_us/news_and_views/current_topics/phorm_webwise_and_oie.aspx
6 RIPA s. 1(1)
7 www.ftc.gov/os/2007/12/P859900stmt.pdf
8 http://assembly.state.ny.us/leg/?bn=A09275&sh=t
9 Connecticut’s Senate Bill 515 “An Act Concerning Internet Web Site Tracking of Consumer Data” www.cga.ct.gov/2008/TOB/S/2008SB-00515-R00-SB.htm

United States: Broad new privacy rule affects use of consumer information from affiliates for marketing purposes

Heidi Salow has been handling cutting-edge issues involving privacy and data security, intellectual property, and e-Commerce for much of her career. In addition to her experience in helping companies achieve compliance with a host of complex privacy, data security, intellectual property and e-Commerce laws, she has extensive experience in legislative advocacy, commercial transactions and litigation. Prior to joining DLA Piper, Ms. Salow was senior counsel/director for Sprint Nextel Corporation.

Heidi Salow, Of Counsel, Communications, Electronic Commerce and Privacy Group, DLA Piper. [email protected] + (202) 799–4444

The Federal Trade Commission’s (FTC) recent ruling on affiliate marketing impacts companies that share consumer information among affiliates. This rule generally prohibits a company from using certain consumer information received from an affiliate for marketing purposes, unless the consumer is given notice and a reasonable and simple method to opt out.1 The types of information subject to this new opt-out rule include information derived from the consumer’s transactions or account relationship with an affiliate, the consumer’s application for services, and credit history. This new rule applies to any entity – not just financial institutions – that uses certain types of consumer information for marketing purposes.

The new rule governs the use of information by an affiliate, not the sharing of information among affiliates, and thus is distinct from the affiliate sharing ‘opt-out’ provision under the Fair Credit Reporting Act (FCRA). The rule became effective on January 1, 2008, but affected businesses have until October 1, 2008 to comply.2

Background

The Fair Credit Reporting Act

The FCRA, as amended, provides that a company may communicate to an affiliate or a non-affiliated third party, without becoming a consumer reporting agency, information solely about transactions or experiences between the consumer and the company. The FCRA further provides that a company may share ‘other’ information – that is, information that is not transaction or experience information, including information from credit reports and credit applications – among its affiliates without becoming a consumer reporting agency if:

1. it is clearly and conspicuously disclosed to the consumer that such information may be communicated among affiliates;
2. the consumer was given an opportunity to ‘opt out’; and
3. the consumer has not opted out.

What is ‘eligibility information’?

The new rule has potentially significant implications for companies that use consumer information for determining

credit eligibility. Eligibility information is broadly defined to include:

1. information that meets one of seven criteria for a ‘consumer report’ (credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living);3 and
2. an affiliate’s transaction or experience information (which is otherwise exempted under the FCRA’s affiliate sharing provisions),4

provided that such information is used or may be used to determine eligibility for credit, insurance, or employment or for another permissible purpose under the FCRA.

Eligibility information includes, for example, information that a company has a legitimate business need for (1) in connection with a transaction initiated by the consumer; or (2) to review an account to determine whether the consumer continues to meet the terms of the account.

Eligibility information does not include anonymous or aggregate information that lacks personal identifiers, such as names, addresses, or account numbers.

How to comply – notice and opt out

If one affiliate receives a consumer’s eligibility information from another affiliate and plans to use that eligibility information for marketing purposes, a notice and opt-out method must be provided to the consumer. The FTC rule limits who can actually send the notice – it must be either the affiliate with a pre-existing business relationship with the consumer, or both affiliates, as long as at least one of them has a pre-existing business relationship with the consumer.

The notice must include clear and conspicuous disclosures, including:

■ a general description of the types of information that may be used to make solicitations to the consumer;
■ a statement that the consumer may limit the use of information for marketing purposes;
■ a statement that the consumer’s election will apply for the period of time specified in the notice and, if applicable, that the consumer will be allowed to renew the election once that period expires;
■ if the notice is provided to consumers who may have previously opted out (such as if a notice is provided to consumers annually), a statement that the consumer who has chosen to limit marketing offers does not need to act again until the consumer receives a renewal notice; and
■ a reasonable and simple method for the consumer to opt out.

In addition, the affiliate must honour any opt-out request received from a consumer for at least five years. When the opt-out period expires, the consumer must be given a renewal notice and an opportunity to renew the opt-out.

Are there any exceptions?

Yes. A company can use eligibility information:

■ to solicit a consumer with whom the company has a pre-existing business relationship;
■ to perform services for another affiliate subject to certain conditions;
■ in response to a communication initiated by the consumer; or
■ to make a solicitation that has been authorised or requested by the consumer.

Private right of action

The FCRA provides for civil liability when companies either wilfully or negligently fail to comply with its provisions. In response to industry concerns about being faced with significant monetary damages, the FTC revised the rule to avoid imposing specific duties on any affiliate other than the affiliate that intends to use shared eligibility information to solicit the consumer. Although an opt-out notice must be provided by the affiliate that has a pre-existing business relationship with the consumer, no other affiliate has an actual duty to provide such a notice. The FTC reasoned that the absence of an actual obligation by these entities to provide notice should mitigate concerns about civil liability.

Key takeaways

The new FTC affiliate marketing rule governs the use of consumer information by an affiliate, not the sharing of consumer information among affiliates, which is covered by the FCRA. Further, unlike the affiliate sharing opt-out requirement, the new opt-out rule applies to both transaction or experience information and ‘other’ information.

Thus, certain information will be subject to two opt-outs, a sharing opt-out and a marketing use opt-out. The challenge for affiliated companies will be to revise their existing FCRA opt-out notices to provide consumers with a new opt-out notice that does not limit the affiliated companies’ ability to share consumer information with affiliates while giving consumers the right to prevent use of such information for marketing purposes. Fortunately, the new opt-out notice can be combined with other legally required disclosures, such as the privacy disclosures required by the Gramm-Leach-Bliley Act.

1 Section 214 of the Fair and Accurate Credit Transactions Act – which amends the Fair Credit Reporting Act – is the basis for the new FTC rule. Section 214 provides generally that if a company receives certain consumer ‘eligibility information’ from an affiliate, the company may not use that eligibility information to market its products or services to the consumer unless the consumer is given notice and a simple method to opt out.
2 Substantially similar rules will be issued separately by the Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve Board, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, and the Securities and Exchange Commission.
3 The FCRA defines ‘consumer report’ as any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorised under Section 604, 15 U.S.C. § 1681b.
4 ‘Transaction or experience’ information includes information about the consumer’s account history.

Printed with permission from DLA US LLP.


United Kingdom: Closing the Data Protection wall

By Chris Potter and Denis Potemkin, PricewaterhouseCoopers LLP

Chris Potter is a partner at PricewaterhouseCoopers LLP who specialises in helping clients manage their technology risks. He co-authored the 2008 information security breaches survey report for BERR, and the 2002, 2004 and 2006 reports for the DTI. He can be contacted at: [email protected]

Denis Potemkin is a solicitor at PricewaterhouseCoopers Legal LLP. He specialises in compliance and risk in the areas of technology, data and intellectual property. Denis works regularly with risk specialists and other business consultants at PricewaterhouseCoopers to help clients with compliance and managing business change. He can be contacted at: [email protected]

One of the most memorable moments in Shakespeare’s classic Henry V is the King’s exhortation to his troops “Once more unto the breach, dear friends, once more; Or close the wall up with our English dead!” Over the last year, with data security breaches repeatedly in the news, one wonders how often such sentiments (though perhaps not such eloquence) have resounded in the nation’s board rooms. What is clear is that almost any type and size of organisation can be a casualty and the issue of data security is creating an increasing amount of noise.

On April 23, the Information Commissioner, Richard Thomas, reminded chief executives of the vital importance of protecting staff and customers’ personal information following an alarming number of security breaches reported to his Office in the past six months. Since the security breach at HM Revenue and Customs which exposed twenty five million personal records in November last year, the Information Commissioner’s Office (ICO) has been notified of almost 100 data breaches by public, private and third sector organisations. Of the security breaches that the ICO has been made aware of by private sector organisations, 50 were reported by financial institutions. Of those reported, almost a third occurred in central government and associated agencies and a fifth in National Health Service organisations.

Incredibly, even after the high-profile loss of disks by HM Revenue and Customs and the well-publicised loss of a laptop by a Nationwide building society employee, information that has gone missing includes unencrypted laptops and computer discs, as well as memory sticks and paper records. Information has been stolen, lost in the post and whilst in transit with a courier. The material includes a wide range of personal details, including financial and health records.

Under the Data Protection Act (DPA), the ICO only had powers to issue an enforcement notice against organisations in breach of the Act. This, together with the small scale of fines imposed, had caused many information security professionals to comment that the Act was a toothless dinosaur. Indeed, the Information Commissioner’s Office has repeatedly called for more effective sanctions against organisations that fail to live up to their responsibilities under the DPA. This call has now been heeded. On May 8, 2008, the Criminal Justice and Immigration Act received Royal Assent. Measures in this new legislation give the ICO the power to directly impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the DPA. In addition there is power for the Secretary of State to bring in imprisonment for up to two years. Not to forget the fact that directors can already be criminally liable for the acts of their employees where this results from their negligence or connivance. The toothless dinosaur is now getting some teeth!

So, how likely are U.K. companies to fall foul of these new penalties? Every two years, since the early 1990s, the Department for Business, Enterprise and Regulatory Reform (BERR, and its predecessor, the DTI) has sponsored a survey on practices in U.K. companies. The latest BERR survey was released on April 22, this year, and sheds further light on the Information Commissioner’s concerns.

First, the good news. Compliance with the DPA continues to improve. 71 percent of U.K. companies (and 91 percent of those with more than 500 employees) have documented procedures to ensure data protection compliance. A further 11 percent of companies are currently putting procedures in place. Senior management priority makes a big difference. 82 percent of companies that give a very high priority to security have data protection procedures, versus 42 percent of those where security is low or no priority.

Principle seven of the DPA requires companies to keep personal data secure. It is encouraging, therefore, that protecting customer information is the top driver for U.K. companies’ expenditure on information security, with 94 percent rating this as an important or very important driver for them. Tellingly, where senior management understand security issues very clearly, customer information, reputation and compliance are the biggest drivers, with more than four-fifths rating each one as being very important. If senior management have a very poor understanding of security issues, the focus tends to be more on maintaining data integrity and business continuity.

Furthermore, investment in a formal data protection process appears to yield real benefits. Companies with documented procedures to ensure compliance with the DPA are half as likely to experience data protection infringements, unauthorised access or confidentiality breaches by staff as those that do not.

But, unfortunately, there is plenty of bad news as well. Turning the statistics on their heads, 29 percent of companies (and 9 percent of those with more than 500 staff) have not even taken the most basic steps to ensure

30 Personal Data compliance. Worryingly, 25 percent of companies that say breaches have come from the FSA. Other utility they hold highly confidential electronic information lack regulators also impose customer service requirements procedures to comply with the DPA. that have a data protection impact;

■ There also seems to be a big gulf between good intentions a breach could lead to third party contractual or tortious and actual practice. 81 percent of companies believe claims. For example, the Payment Card Industry (PCI) security is a high priority to their board, but only 55 percent Data Security Standard affects all people, processes and have a security policy. 77 percent say protecting customer technology that deal with credit card transactions and information is very important, but only 11 percent prevent it impose contractual fines of up to £250,000 for each walking out of the door on USB sticks. 71 percent have instance of non-compliance. Consider also security, procedures to comply with the Data Protection Act, but only confidentiality and intellectual property provisions in any 8 percent encrypt laptop hard drives. A staggering 78 number of contracts with customers, suppliers and percent of computers that were stolen last year did not business partners; have encrypted hard drives, putting any confidential data on ■ some of the biggest losses from data breaches in the them at risk. U.S. have been attributable to settling compensation claims (the hacking of the TJX Companies Inc. in 2005–7 A further area of exposure relates to offshore activities. The resulted in losses of $250 million for the company, much number of companies offshoring some of their IT operations of that attributable to settling law suits from banks that has doubled since 2006, and has quadrupled for large had to replace millions of customer credit cards). While businesses. Six out of seven of very large businesses now the U.K. is a less litigious environment and class actions offshore some of their IT operations. The problem is that are harder to bring, these may well become a bigger principle eight of the DPA requires companies to make sure feature in years to come. that personal information is not transferred to other countries without adequate protection. 
Further, a corollary of While data security is only an aspect of the DPA, it is a far principle seven is that businesses must retain oversight of wider issue with potentially significant legal ramifications – in and audit how their service providers handle their data. addition to commercial and financial damage. Finally data protection measures must be documented in So, what should companies do to ensure that they do not any contract between a data controller and a data fall victim to data security breaches? The BERR survey processor. Yet, only 51 percent of companies that offshore suggests five simple steps that every company, of any size, IT operations have addressed data protection requirements should take: in their contract with their offshore provider, and 16 percent take no steps to ensure the offshore provider is secure. 1. Understand the security threats you face, by drawing on the right knowledge sources. It is true to say that not every data compromise is going to 2. Use risk assessment to target your security investment at result in penalties under the DPA. A company that has the most beneficial areas. adequate security and organisational measures yet suffers a sophisticated hacking attack will not be in breach. The DPA 3. Integrate security into normal business behaviour, through is likely to be breached if there is clearly inadequate security clear policy and staff education. or if data falls into the wrong hands or is lost altogether as 4. Deploy integrated technical controls and keep them up to the result of poor compliance measures or wilful acts. But it date. is worth noting that a data compromise can have much 5. Respond quickly and effectively to breaches, e.g.by wider ramifications than just non-compliance with the DPA. planning ahead for contingencies. To give a flavour of the potential legal ramifications: Taking each of these in turn…. 
■ a data compromise that results in permanently lost or damaged data can lead to breaches of a host of laws 1. The right knowledge sources relating to compulsory retention of data, covering HR, A concern is that staff with security qualifications remain in finance and tax data. It could also render an organisation short supply, with only 12 percent of U.K. companies having unable to provide information where required by law, for that skill-set in-house. Furthermore, only 21 percent of the example under corporate reporting requirements, the people responsible for information security in U.K. companies Freedom of Information Act or Court disclosure rules; are aware of the contents of the British (and International) ■ unauthorised disclosure of data could lead to a breach of Standard on information security awareness, BS 7799/ISO other confidentiality or secrecy requirements such as 27001. It’s important that, if companies lack skills in-house, under the Official Secrets Act or, for information about they gain advice from external providers that understand both minors, child protection legislation; data protection law and information security practice. Critical to understanding the security threats is an understanding of ■ industry-specific regulations can be breached. For where to look. This means not only a technical understanding example, communications providers have recently of data inputs, outputs and repositories, but an understanding become subject to new data retention obligations. The of which controls are critical in view of the organisation’s Markets in Financial Instruments Directive (MiFID) and profile. 
Consider some less than obvious examples: resulting Financial Services Authority (FSA) guidance imposes new stricter obligations on financial services ■ access rights and HR controls such as monitoring will be companies outsourcing any material aspect of their of particular importance to businesses that rely heavily business, including around control of service providers’ on temporary staff or agency workers, especially if these handling of customer data. The largest fines for data staff have the same access to systems and data as 31

31 Personal Data

regular staff – and particularly in view of the data being downloaded onto USB memory sticks (or MP3 confidentiality and security risks associated with Web 2.0 players and digital cameras, for that matter) or burned onto sites; CDs or DVDs. There are security tools that will lock USB ports and DVD drives down so that they can write to ■ are service providers keeping data safe and using it authorised encrypted devices only. Often, today, companies within stated restrictions? Is their behaviour actually deploy technical defences after suffering a major breach – audited? smarter businesses are observing others’ woes and putting ■ is retained “non-live” data organised and protected in the defences in place before being bitten. same way as live data? Who has access to retained data and why? 5. Contingency planning ■ what are the company’s contractual obligations to its The ICO has recently published a document (Guidance on customers and business partners, that bring unexpected data security breach management) which suggests a four categories of data within the ambit of data security risk? stage process to dealing with breaches: ■ does the particular industry or markets in which the business operates require a wider definition of personal, a. Containment and recovery. Initial response to investigate sensitive or confidential data? and contain the breach is vital. This will often involve input from specialists across the business such as IT, HR and 2. Risk assessment legal and in some cases contact with external Assessing security risks is absolutely fundamental to targeting stakeholders and suppliers. However, containment alone expenditure at the areas that need them most. The worrying is not enough – companies need also to start planning for thing is that most U.K. companies believe they understand the recovery from the breach. security risks, whereas their security practices indicate that b. Assessment of ongoing risk. 
Some data security understanding is patchy at best. 79 percent of businesses breaches will not lead to risks beyond possible believe they have a clear understanding of the security risks inconvenience to those who need the data to do their they face, but only 48 percent formally assess those risks. job. Others, such as theft of a customer database, could Risk assessment is particularly important for data protection, result in identity fraud. Before deciding on what steps are since the consequences of breaches often hit customers necessary further to immediate containment, companies rather than the business itself. It is telling that companies that should assess the potential adverse consequences for carry out risk assessment are four times as likely to detect individuals affected, how serious or substantial these are identity theft as those that do not. Businesses often treat data and how likely they are to happen. protection as a non-critical compliance item or simply as a c. Notification of breach. At present, there is no law technical security issue. But a targeted compliance and expressly requiring companies to notify a breach (unlike, security assessment that focuses specifically on data security for example, in California, although there are some risk is both essential and much more readily achievable than, European Commission proposals to introduce such a say, a general data protection compliance audit (although the law) but sector specific rules may lead companies latter must not be forgotten). towards issuing a notification. Notification to the affected individuals may be required to help them take steps to 3. Changing behaviour protect themselves. Notification to the appropriate Some 80 percent of security breaches notified to the ICO regulatory bodies enables them to perform their involve staff, so there is a clear need for all workers to have a functions, provide advice and deal with complaints. 
basic understanding of the DPA and other confidentiality and d. Evaluation and response. It is important not only to data security issues. The ICO has produced a training investigate the causes of the breach but also to evaluate checklist, which outlines the main points that should be the effectiveness of the company’s response to it. If the included in any training. However, a checklist approach breach was caused by systemic and ongoing problems, (“ticking the box”) should be avoided – to avoid breaches, then simply containing the breach and continuing companies need to focus on changing actual staff behaviour ‘business as usual’ is unlikely to prevent future such so that the culture is security-aware all the time, rather than breaches occurring. just rolling out awareness training. The actions of middle This last comment is pertinent: beyond the legal and management are more important in changing staff behaviour commercial costs of a specific data security incident, (or blocking change) than any training programme. businesses should ask: what does this incident say about our wider data handling and compliance practices?

4. Technical defences So, the bottom line is that data protection (in its widest It is clear that there are certain technical defences that sense) is more important now than ever before, both to companies should deploy as a matter of course. Laptops meet customers’ expectations and to avoid expensive legal that might carry personal data should always be encrypted ramifications. Paying lip service to data protection is now no – the technology is mature, and the cost relatively low. longer enough. So, to misappropriate Shakespeare, it is Similarly, companies cannot ignore the risk of confidential time to “Cry Havoc! And let loose the dogs of war”.

32

News

ASIA PACIFIC

Launch of privacy competition for 2008

This month saw the launch of an international privacy competition aimed at secondary school students in Australia, Hong Kong, New Zealand and Canada.

The competition is hosted by the Asia Pacific Privacy Authorities (APPA) as part of its annual Privacy Awareness Week which takes place from August 24–30, 2008 to raise privacy awareness. The theme for this year is ‘privacy is your business’.

Students are asked to create a video about any aspect of privacy, for example, their opinion of privacy and its relevance in today’s society, whether it affects their daily lives, or the influence of the Internet on privacy.

The closing date for the competition is July 25, 2008 and the winners will be announced during Privacy Awareness Week.

Karen Curtis, the Australian Privacy Commissioner said, “Our Offices have chosen to target secondary school students as this group is one of the main users of social networking sites and they appear to give away a significant amount of personal information via this medium.”

For more details about the competition or Privacy Awareness Week, visit: www.privacyawarenessweek.org

For further details about APPA, visit: www.privacy.gov.au/international/appa/index.html

HONG KONG

Former Deputy Commissioner sentenced for swindling expenses

Former Hong Kong Deputy Privacy Commissioner, Tony Lam was sentenced to nine months in prison by a Hong Kong District Court Judge on May 15, 2008. He was convicted on April 23, 2008 for fraudulently claiming HK$100,000 in expenses for trips to Australia between 2001 and 2005. Lam had been under investigation since August 2005, by the Independent Commission Against Corruption, after anonymous letters detailing the scam were sent to the media and anonymous faxes sent to the Privacy Commissioner.

The sentence delivered on May 15 actually sentenced him to twelve months in prison but this was reduced to nine months because Lam had returned the money and fully co-operated with the investigation. He had faced the possibility of a maximum 14-year prison sentence and a fine of HK$1 million.

In response to the judgment and sentencing, the Privacy Commissioner, Roderick Woo issued a statement reaffirming his Office’s commitment to be fully accountable for its expenditure, especially with regards to overseas spending.

Significant number of security breaches involving patients’ data

Over the course of the last few weeks, several incidents involving the loss of patients’ data have been reported to the Privacy Commissioner’s Office. They include:

■ Patient information held by the Department of Health, including sensitive data on approximately 700 teenagers with social and developmental problems, has been lost or stolen. The information, held on a USB flash drive, was ‘stolen’ from an unlocked room at a Child Assessment Centre. The drive held information including detailed interview assessment notes, some photos, Hong Kong identity card numbers and address details.
■ The Hospital Authority (HA) announced on May 5, 2008 that there had been nine incidents involving the loss of 6000 patients’ data over the last twelve months in five different hospitals.
■ On the same day, the Commissioner’s Office was notified by another hospital about the loss of a flash drive holding the personal data of approximately 10,000 patients.

Action taken by the Commissioner

All the incidents have prompted the Commissioner’s Office to take action.

■ One hospital has been issued with a summons asking the officer in charge to appear before the Commissioner to give evidence relating to the loss of information held on a USB flash drive.
■ In relation to three other cases of data loss, the Commissioner had contacted both the Department of Health and the HA asking for more information about the incidents. While waiting for the information, he then discovered further unpublicised losses of patients’ data and immediately launched investigations into both the Department of Health and the HA, commenting, “I am deeply concerned that these data losses might well be just the tip of the iceberg. Even taken at face value, the situation is very worrying not just to this Office but to the general public. Patients’ data are regarded by all civilised societies as sensitive personal data and must be handled with due respect and care. I am determined to do my utmost to help improve the protection of patients’ data.”
■ The remaining data losses involving two other hospitals are currently being investigated to determine what, if any, action should be taken.

The Commissioner has decided it is in the public interest to exercise his powers of inspection under Section 36 of the Ordinance and will conduct an inspection of the HA’s system to hold personal data. See the following article for more information.

First inspection by the Privacy Commissioner

The Hong Kong Hospital Authority (HA) has been served with a notice from the Privacy Commissioner, Roderick Woo, informing the HA of its intention to carry out an inspection of HA’s patients’ data system. The HA has been given 14 days’ notice of an onsite inspection which will start on May 23, 2008. The need for an inspection follows a series of security breaches leading to the loss of patients’ data. The Commissioner has voiced his concerns about the incidents, and now for the first time the Commissioner will use his inspection powers.

The inspection is to assist the Commissioner in making recommendations for HA’s compliance with the Personal Data (Privacy) Ordinance. In particular, the inspection will focus on security aspects of the system.

HSBC loses the data of 159,000 Hong Kong customers

HSBC has admitted losing a server at the end of April 2008, which held transaction data on 159,000 Hong Kong based account holders. The server went missing during renovation work at a district branch of the bank. The information held on the server included names, account numbers, transaction amounts and the types of transactions.

HSBC waited two weeks before publicly announcing the theft of the server to conduct an internal investigation. The theft is still being investigated by the police.

The server does have several layers of security, therefore HSBC has claimed that the risk of fraudulent transactions should be minimal, although it has promised to cover any fraudulent losses which may stem from the breach.

The Privacy Commissioner, Roderick Woo has already been in touch with HSBC about the data loss and has been assured by the bank that it will co-operate with his investigation. To this end, the Commissioner has already received an update of the incident.

This incident follows another data loss in April by HSBC U.K. See the report under United Kingdom below.

CHILE

Anonymous hacker posts the data of six million Chileans on the Internet

An anonymous hacker stole data from government sites and posted the personal information of six million Chileans on a technology blog, www.fayerwayer.com, to highlight the lack of privacy laws in Chile.

The hacker, named ‘Anonymous Coward’, posted three compressed files which included names, addresses, telephone numbers and tax payer identification numbers taken from the Education Ministry, Electoral Service and state-run telephone companies’ websites. He also posted an accompanying note claiming that he was simply drawing attention to the lack of data protection measures in Chile. A site editor spotted the information, removed the files and called the police.

The data security breach made front page news in Chile and has drawn people’s attention to privacy issues and weaknesses in the government’s IT security measures.

IRELAND

Bank of Ireland under investigation by the Data Protection Commissioner

The Irish Data Protection Commissioner is currently investigating several high profile incidents, including the theft of several laptops from the Bank of Ireland in the last 12 months. The laptops supposedly held the personal information of approximately 31,000 insurance and mortgage customers. The details held included names, addresses, bank account details and medical histories. The Bank has already tightened up its security by introducing new procedures including the encryption of all laptops. Letters have also been sent to the affected customers.

The Data Protection Commissioner’s Office (DPC) has asked the Bank of Ireland for a full report into the circumstances surrounding the thefts. Their investigation will focus on why personal and sensitive personal information was held on the laptops, the adequacy of security arrangements, the delay in reporting the thefts internally and what action the Bank of Ireland should have and should be taking to meet the requirements of the Data Protection Act. The DPC is working with the Irish Financial Regulator on this matter.

ITALY

Tax agency posts Italians’ tax returns online

The Italian Privacy Chief, Francesco Pizzetti was forced to intervene earlier this month when the Italian tax agency posted the details of Italians’ tax returns on its website, www.agenziaentrate.gov.it

The tax agency allowed access to all tax returns filed for 2005, including those filed by politicians and people in the public eye. The data included: total revenue earned, income tax paid and other personal information. Within a few hours of posting the information, the site collapsed from the sheer volume of users wanting to pry into the finances of their friends, family and celebrities.

In response to a huge uproar from consumer groups, privacy advocates and politicians, the Italian Data Protection Authority (DPA) stepped in and issued a formal complaint, asking the agency to suspend access to the tax returns on its website.

Why was the information released?

Tax evasion has been a huge problem for successive Italian governments. Both the outgoing Prime Minister, Romano Prodi, and the new Prime Minister, Silvio Berlusconi have promised to deal with the problem.

The Minister who made the decision, Vincenzo Visco argued that the publication of tax returns had been due to take place in January 2008 but subsequently delayed due to the elections. Visco’s legal basis for allowing online access to the information was a series of laws approved in the 1970s, allowing citizens to view tax returns held at municipal offices.

Despite Visco’s reported claims that this was a ‘simple matter of transparency and democracy’, the timing of this decision to allow online access to the information (two days before the outgoing regime transferred power to the newly elected government led by Berlusconi) has been called into question by commentators.

Privacy concerns

The applicability of the laws cited by Visco was heavily disputed by the Italian DPA. Pizzetti argued that viewing tax returns in an office is vastly different to viewing tax returns online where the data is likely to end up in search engines and become globally accessible. The DPA also asked the media not to publish any information collected from the site but was ignored by several newspapers who went on to print the earnings of several notable Italians, including Silvio Berlusconi and several footballers.

One consumer group, the Codacons (www.codacons.it), has already offered to help Italians seek damages from the tax authorities.

UNITED KINGDOM

HSBC loses customer details

HSBC UK admitted in April 2008 that it had lost an unencrypted disk holding 370,000 customer details which was posted but failed to arrive at its intended recipient.

The UK Information Commissioner’s Office is waiting to decide on any possible action it may take, pending an internal investigation into the incident by HSBC UK.

The UK Financial Services Authority (FSA) is also looking into the incident and could possibly fine HSBC if it finds its security procedures were lax. Nationwide, the building society, was previously fined £980,000 last year after a laptop was stolen from an employee’s home. It held confidential customer information. Norwich Union was fined £1.26 million by the FSA for not having effective security controls thus enabling fraudsters to use customers’ details and cash in £3.3 million of policies.

Information Commissioner warns Government about ‘Big Brother’ communications database

The Information Commissioner’s Office (ICO) has warned the Government about its plans to introduce a Government database to house phone, e-mail and Internet traffic data as part of the Data Communications Bill currently being prepared by the Home Office.

The proposed database is part of the Government’s second phase to implement the E.U. Data Retention Directive. The first phase saw the introduction of the Data Retention (EC Directive) Regulations 2007 which required telecoms companies to retain records of phone calls to and from landlines and mobiles (the traffic data but not the content). The second phase, being introduced as part of the Data Communications Bill, will extend the retention requirement to e-mail and Internet usage and VoIP – voice over internet protocol records. The information would be held for 12 months and police and security services would require warrants through the courts to gain access. The Government has until March 15, 2009 to transpose the remaining requirements of the Directive.

The option of such a database has yet to be discussed by ministers, however, Jonathan Bamford, Assistant Information Commissioner has already expressed the ICO’s concerns, “If the intention is to bring all mobile and Internet records together under one system, this would give us serious concerns and may well be a step too far. We are not aware of any justification for the state to hold every U.K. citizen’s phone and Internet records. We have real doubts that such a measure can be justified, or is proportionate or desirable. Such a measure would require wider public discussion. Proper safeguards would be needed to ensure that the data is only used for the proper purpose of detecting crime. Defeating crime and terrorism is of the utmost importance, but we are not aware of any pressing need to justify the government itself holding this sort of data.”

For more information about the Data Retention (EC Directive) Regulations 2007, visit: www.opsi.gov.uk/si/si2007/uksi_20072199_en_1

To view the ICO’s comments on the database, visit: www.ico.gov.uk

Complaints about automated calls

The Enforcement Team at the Information Commissioner’s Office (ICO) is currently investigating a large number of complaints which have been made to the ICO about automated telephone calls which refer to ‘debt reduction schemes’ or ‘government debt initiatives’. Under the Privacy and Electronic Communications Regulations 2003, automated marketing calls should not be made unless an organisation has an individual’s prior consent. The Enforcement Team is currently trying to establish who is responsible for the calls.

UNITED STATES

Google begins blurring faces on Street View

To demonstrate its commitment to privacy, Google recently announced that it has begun testing technology to blur faces on its Street View service. The technology is being tested in Manhattan before it becomes more widely used.

The Director of Google Earth and Google Maps, John Hanke, revealed that the technology works by scouring Google’s image database for faces and then blurring them. The face-blurring technology has taken a year to develop, although the research behind it has been several years in development.

Google launched Street View back in May 2007 and faced a barrage of criticism from privacy advocates. The furore eventually quietened until Google announced it was planning to launch Street View in Europe next year. The company has already been warned by the European Data Protection Supervisor, Peter Hustinx, that Google’s Street View technology must meet data protection requirements in Europe.

Special Report: Transfer Pricing Aspects of IP and Intangibles

The OECD Transfer Pricing Guidelines define intangibles as ‘rights to use industrial assets such as patents, trademarks, trade names, designs or models’ and IP as ‘know-how and trade secrets’, all of which are items which may be of immense value to a business. Globalisation of trade has meant that many companies are transferring or sharing IP, intangibles and services with related companies in other parts of the world leading to possible conflict between tax authorities which may lead to effective double taxation. Many tax specialists will doubtless still feel chills when they recollect the GlaxoSmithKline case, which resulted in the company paying more than US$3 billion to settle a dispute with the US IRS.

In a memorandum dated April 2007, the US IRS’s Patricia C. Chaback, Industry Director for Communications, Technology, and Media, stated that the transfer of intangibles offshore has been identified as ‘one of the most significant compliance challenges facing large and mid-size business’, so it is no surprise that there is a need for detailed, specialist information on transfer pricing planning in this area.

All of the authors to be found within these pages have specialist knowledge of the intricacies of transfer pricing relating to the movement of IP and intangibles around the world. In sharing their expertise, they may assist readers to avoid the expensive pitfalls – costly in time as well as money – which may occur when a transfer pricing strategy does not properly face the challenges of IP and intangibles.

Contents:

• Overview – Jamal Hejazi, Gowlings Lafleur Henderson, LLP, Ottawa
• Transfer pricing risk management: empirically-based guidance – John Hobster and Sean Trahan, Ernst & Young, London
• The tangible effect of intangibles: customs valuation and IP – Damon V. Pike, The Pike Law Firm, P.C., Atlanta
• Transfer pricing in the pharmaceutical industry – Shiv Mahalingham, Mike Murphy and David Zaiken, Alvarez & Marsal Taxand, UK and US
• Put Belgium on your short list for IP planning – Dirk Van Stappen and Yves de Groote, KPMG Tax & Legal Advisers, Brussels and Antwerp
• China: transfer pricing of IP and intangibles – Jeff Yuan, PricewaterhouseCoopers, Shanghai
• France: intangible asset remuneration – Jean-Sébastien Lénik, Yann de Kergos and Julien Monsenego, NERA and Dechert, Paris
• Global impact on the Indian audit scenario – Karishma Popat, Grant Thornton India, Mumbai
• Russia – how transfer pricing applies to IP – Henrik Hansen and Alexandra Dyomina, Ernst & Young (CIS) B.V., Moscow
• Intangibles in the UK – too hot to handle – Andrew Hickman and Kirsty Rockall, KPMG in the UK
• Invention, iteration and intangible value in the USA – Daniel S. Karen, Ernst & Young LLP, Atlanta
• US taxpayer-initiated adjustments: traps for the unwary – Thomas M. Zollo and Zachary Perryman, KPMG LLP, Washington DC

Pages: 60
Price: £125/$215/€185
Format: Print or pdf
ISBN: 978-0-906524-78-7

Order Today:
Web: www.bnaishop.com
E-mail: [email protected]
Phone: +44 (0)20 7559 4801
Fax: +44 (0)20 7559 4840
