Inside Privacy - Updates on Developments in Global Privacy & Data Security

Last week, the Office of the Privacy Commissioner in Canada (OPC) issued important guidance under Canada’s national privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).  The guidance highlights various scenarios in which PIPEDA applies based on judicial opinions and previous OPC interpretations.  In general, PIPEDA applies to the personal information that an organization collects, uses or discloses in the course of “commercial activities.”  The term “commercial activities” is defined broadly in PIPEDA to mean “any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.”

The guidance outlines scenarios in which PIPEDA applies or does not apply based on the conduct of commercial activities, including:

• An intermediary who relays financial information into and out of Canada for international transactions involving Canadian banks is engaged in a commercial activity.
• A non-profit daycare organization partially subsidized by a municipal government is engaged in a commercial activity. 
• A landlord who collects, uses or discloses tenants’ personal information to administer a lease or for insurance purposes is an organization engaged in a commercial activity.
• An educational institution is not engaged in a commercial activity if the institution’s core activity is the provision of educational services and the institution does not have as one of its objectives the goal of earning a profit for the owners of the institution.

Organizations with Canadian business operations or seeking to do business in Canada should be aware of PIPEDA’s broad-based applicability and requirements, which include customer consent provisions, limitations on information use, disclosure, and retention, and obligations to safeguard personal information.

On 1 April, 2012, the UK press reported that the UK Home Office is preparing to propose new legislative reform of the communications data monitoring law, in the Queen’s Speech in May.  The press reports, and the response from the Home Office on 3 April 2012, provided some further details on a programme that was first announced (without detail) by the current Government in October 2010 in the Strategic Defence and Security Review.  The programme, which resembles a predecessor plan under the prior Labour Government named the “Interception Modernisation Programme”, is now known as the “Communications Capability Development Programme” (CCDP). 

Continue Reading

On March 20, 2012, the Philippines Senate unanimously passed the Data Privacy Act of 2011 (“the Act”) on its third and final reading. According to one of its sponsors, Senator Edgardo Angara, the Act is heavily based on the current EU Data Protection Directive (Directive 95/46/EC) and meets the standards of the Asia Pacific Economic Cooperation Privacy Framework. Legislators stated that the Act was necessary due to the importance of the IT industry to the Philippine economy and the need for the Philippines to adhere to international standards.

A key provision of the legislation is the creation of a data protection authority, the National Privacy Commission, whose role it will be to implement and enforce the Act’s provisions. The Act also sets out a range of penalties for offences such as the unauthorized processing or unauthorized disclosure of personal information. These include prison terms of up to six years and fines of up to PHP 5,000,000. The power to prosecute and impose these penalties however will rest with the Department of Justice, not the National Privacy Commission.

Continue Reading

This week, the U.K.-based GSM Association unveiled voluntary app privacy guidelines, which are being implemented by several major European mobile telephone service operators for their own branded applications.  According to the GSM Association, the companies adopting these guidelines includes Deutsche Telekom, France Telecom - Orange, Telecom Italia, Telefónica, and Vodafone.  This development  follows last week's announcement of an agreement by Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research in Motion to ensure that mobile device apps that collect personal information contain privacy policies.

The GSM Association guidelines are designed to apply to all parties in the app or service delivery chain that are responsible for collecting and processing a user's personal information, including developers, device manufacturers, platforms, mobile operators, and advertisers.  The guidelines encourage the development, delivery, and operation of mobile apps that help users understand what personal information an app may access, collect and use; what the information will be used for, and why; and how users may exercise choice and control over this use.

Examples illustrating practices the GSM Association considers compliant and noncompliant with these guidelines are also provided.

The Korean Herald reports that the Korea’s Communications Commission (KCC) has opened an investigation into Google’s rollout of its new privacy policy in that country.  The investigation reportedly will focus on whether the company has received sufficient consent to the changes to Google's existing policy and whether Google is collecting more data than is required to provide its services. 

Google’s new privacy policy also faces scrutiny from regulators in the EU, where Google recently rejected a request by the Article 29 Working Party to “pause” the rollout of the policy, and in the U.S., where members of the House have sought additional information from the company on the meaning of the changes for consumers.  

Following more than two years of consultations and intense speculation in recent weeks, the European Commission today proposed comprehensive measures to reform the European data protection framework.  We currently are analysing the proposed reforms in detail, but it appears that the proposal for a General Data Protection Regulation largely mirrors earlier leaked drafts. 

For example, key measures include:

Continue Reading

The Ontario Appeals Court last Wednesday recognized—for the first time in Canada—the intrusion upon seclusion privacy tort.  In Jones v. Tsige, 2012 ONCA 32, the plaintiff sued a coworker for looking through her financial records.  The motion judge granted summary judgment for the defendant on the ground that Ontario law does not recognize plaintiff’s claim.  The Court of Appeal for Ontario reversed, resolving a question that “has been debated for the past one hundred and two years”—namely, whether to recognize a tort for the invasion of privacy.

The court concluded that the time had come to recognize the cause of action.  Acknowledging “the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form,” the court stated that “technology change has motivated the legal protection of the individual’s right to privacy.” 

Ontario’s new cause of action adopts the elements of the intrusion upon seclusion tort in the Restatement (Second) of Torts, which requires that a defendant intentionally act to invade, without lawful justification, a person’s private affairs or concerns, and that a reasonable person would find the invasion highly offensive.  The court declined to impose an economic harm requirement, noting that “given the intangible nature of the interest protected, damages for intrusion upon seclusion will ordinarily be measured by a modest conventional sum.”

The new privacy right is not absolute.  Competing claims—such as “claims for the protection of freedom of expression and freedom of the press”—may in some circumstances override individual privacy rights.

By Dan Cooper and Maria-Martina Yalamova

On December 13, 2011, the UK data protection authority (the “ICO”) issued updated guidance on the new cookie rules (Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) implemented as part of the review of the EU e-Privacy Directive.  The guidance is intended to help website operators and those using cookies understand how the rules apply.  As we reported earlier, when the rules were first introduced in May 2011, the ICO made it clear that it would be unlikely to take formal action against those who are taking steps to comply with the rules during a 12 month lead-in period.  When this transition period ends in May 2012, the regulator will expect companies that have not yet achieved full compliance to be able to provide a clear timescale for when compliance will be achieved and demonstrate that steps are being taken to make that happen.  Highlighted below are some of the more notable aspects of the guidance.

Scope.  The guidance confirms that the rules will apply to websites using cookies and other similar technologies for sharing information, such as Local Shared Objects (so-called “flash cookies”), web beacons, bugs, and so forth.  The requirements apply equally to cookies set on computers, mobile devices, and other terminal equipment, such as enabled televisions and games consoles.

New obligations.  The ICO has made it clear that under the new rules, organizations deploying cookies (and similar technologies) must:

• inform  subscribers and users that the cookies are there;
• explain what the cookies are doing; and
• obtain  subscriber or user consent to store a cookie on a device.

The ICO makes it clear that providing information about cookies by means of company privacy policies or website terms and conditions will no longer be sufficient to achieve compliance.  Organizations will need to be more pro-active in providing information to subscribers and users.

Exceptions.  Under UK law, some exceptions will apply to the notice and consent rules, notably where the use of the cookie is:

• for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
• where such storage or access is strictly necessary (i.e., essential, rather than reasonably necessary or important) for the provision of an information society service requested by the subscriber (i.e., the person who pays for Internet connection) or the user (i.e., the person using a computer or a mobile phone to browse the Internet).

An “information society service” is defined in Article 2(1), Electronic Commerce (EC Directive) Regulations 2002 as “any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing and storage of data, and at the individual request of a recipient of a service”.  These exemptions are the same that appear in the EU-level directive, the e-Privacy Directive 2002/58.

Consent.  Absent an applicable exception, the cookie rules require that a subscriber or a user consents to the deployment of a cookie on their device.  Prior consent is not expressly required (and may not be technically feasible in some cases), but website operators must be able to demonstrate that they have expended effort to reduce the amount of time before a subscriber or user receives information about cookies and is provided with clear options.  At present, the ICO discourages websites from relying on implied consent due to the relatively low user awareness of the functions and use of cookies.  However, as consent mechanisms evolve and user awareness improves, there is a suggestion that the position may change.

Obtaining consent in practice.  The ICO paper highlights a number of consent mechanisms that companies may rely on to achieve compliance, such as pop ups or “splash pages”; message and header/footer bars (particularly in the case of occasional website visitors); information on cookies in terms and conditions presented when a user signs up to a service; settings-led consent (e.g., “remember me?” prompts); and feature-led consent.  The ICO discourages the use of browser settings as a means to obtain valid consent on the basis that today’s browsers are not sophisticated enough to adequately reveal a subscriber or user’s informed consent. 

Notice.  Under the guidance, there is no prescribed format for furnishing adequate notice, but text must be sufficiently full and intelligible for subscribers and users to understand the potential consequences of accepting cookies.  When a website allows third parties to set cookies on a subscriber or user’s device, it must provide clear and comprehensive information to the individuals and allow them to make an informed choice. 

Analytical cookies.  Setting analytical cookies on a user’s device also will require consent as they do not fall within the “strictly necessary” exception criteria.  Where websites do not have a relationship with users (e.g., users simply visit the site to browse), they must ensure information about cookies is highlighted in a prominent place (not just made available via a general privacy policy link).  Where the information collected from a subscriber or user is shared with third parties, this should be made absolutely clear.

Responsibility for compliance.  As a general rule, the organization setting the cookie is responsible for compliance with the UK rules.  However, where third-party cookies are set through a website, both parties are jointly responsible for compliance, but either party may obtain consent. 

By Dan Cooper and Kristof Van Quathem

A widely-leaked version of the first legislative proposal for a General Data Protection Regulation is making its way through Brussels and beyond.  The draft Regulation -- which, among other things, aims to apply a harmonized and updated set of core data protection rules across the EU -- will be reviewed by the different Directorates-General of the European Commission in the coming weeks, and thus could be liable to change.  The Commission is not expected to release its final proposal until late January 2012.  

Although implementation of the Regulation is not expected for some time, it will eventually replace Data Protection Directive 95/46 and be directly applicable in all European Member States.  One of the chief criticisms of the existing EU data protection regime is that EU Member States have implemented the Directive in a divergent fashion.  The Regulation would remedy this problem and establish a common set of standards applicable across the entire EU.  Highlighted below are some of the more notable aspects of the draft Regulation. That said, with over 91 articles, the Regulation contains a great deal, including a number of radically new concepts.  It also envisions the Commission enacting a large number of delegated acts intended to furnish additional guidance and detail on particular matters.

Continue Reading

On 24 November 2011, the EU Court of Justice decided that ISPs cannot be forced to filter Internet traffic to fight intellectual property violations.  

In 2007, the Brussels Court of First Instance obliged the ISP Scarlet to filter all internet traffic and to block traffic involving violations of intellectual property rights, in particular in peer-to-peer applications.  An appeal was launched and the Brussels Court of Appeal filed two pre-judicial questions to the EU Court regarding the compatibility of such filtering obligation with European rules on e-commerce, intellectual property and data protection.

The Court has now rules that the E-Commerce Directive prohibits the imposition of general surveillance obligations on an ISP.  Moreover, the Court argues that while there is a right to property, protected by the EU Charter on Human Rights, this right is not absolute.  To the contrary, the right to property must be balanced against other rights, such as the freedom to undertake a business and the right to privacy.  The Court decides that the filtering obligation is disproportionate and in both cases fails to strike a fair balance.   

In respect of privacy, the Court explains that the filtering obligation would inevitably require a systematic analysis of the content of communications and the collection and “identification” of IP addresses of Internet users exchanging illegal materials.  These IP addresses are personal data because they allow the ISP to identify relevant individuals.  In addition, the Court is concerned that the filtering system affects the freedom of communication because the filtering system is not sufficiently precise and could block communications that do not contain any illegal materials.  The Court therefore holds that the filtering obligation does not strike a fair balance between intellectual property rights, the right to protection of one’s personal data and the right of free communications.

The Court’s qualification of IP addresses as personal data in this context is uncontested.   ISPs which allocate IP addresses to their subscribers, can indeed link these IP addresses back to the subscribers.  This in contrast to most information society services (such as websites, internet e-mail services, etc.), which do not allocate IP addresses.  Their ability to link IP addresses to individual users is much less clear.  Whether or not IP addresses are personal data in the latter context has given rise to diverging case law throughout the EU.

This past week, officials from the Asia-Pacific Economic Cooperative’s 21 member nations met in Honolulu to discuss a range of policy issues affecting the Asia-Pacific region.  One development coming out of the meeting was the adoption by APEC of the Honolulu Declaration, which includes an endorsement of a self-regulatory, cross-border privacy program to promote what the Declaration calls a “seamless regional economy.”

The Honolulu commitment, which aims to “reduce barriers to information flows, enhance consumer privacy, and promote interoperability across regional data privacy regimes,” has been welcomed by companies that do business internationally, many of which have expressed concern about the extent to which conflicting national privacy regulations can interfere with the ability to conduct business across national borders.

Here in the U.S., FTC Commissioner Edith Ramirez issued a statement applauding the development as holding promise to “bridge the gaps between different legal systems and privacy regimes.”  Beyond the Asia-Pacific region itself, the FTC’s and the Administration’s decision to embrace cross-border privacy regimes is seen by many as an indication that the United States Government is committed to working collaboratively on the international stage to facilitate interoperability between national privacy regulation and promote international business activity, concepts that we expect to see in the final privacy reports that the FTC and the Department of Commerce will soon release.

Companies that participate in the new APEC Cross Border Privacy Rules System will participate in an independent review and certification of their privacy practices and will submit to a voluntary enforcement scheme.  Though the APEC program will not be implemented for at least a year, we expect that U.S. companies doing business in the Asia-Pacific region will continue to follow these developments with interest.

Recently, the Swedish Data Protection Authority ("DPA") published a review of the use of cloud services, informed by the practices of three Swedish municipalities' use of services from leading cloud providers.  Based on the study, the DPA has published guidelines (currently only available in Swedish) that clarify the requirements of Swedish data protection law with regard to cloud services. They contain a checklist that organizations using the cloud to provide services of their own should follow to ensure compliance. The guidelines stress the importance of negotiating contractual provisions that reflect the personal data processing practices of cloud providers, so that data controllers outsourcing to the cloud can ensure these are in line with their intentions. In summary, the Swedish DPA asserts that while it is possible for organizations to outsource processing of personal data to the cloud, it is under no circumstances possible for them to renounce responsibility for the manner in which personal data is processed.

This initiative follows decisions by other European DPAs, earlier this year, to reject the use of cloud services by public authorities because of security risks. In February 2011, The Danish DPA rejected the Municipality of Odense's planned use of Google's cloud computing services within schools. More recently, on September 29, 2011, the German federal and state DPAs issued a resolution on cloud computing and compliance with data protection law. In their statement, they urge cloud service customers to use cloud services only if they are in a position to fulfil their obligations as data controllers and have verified that the appropriate data security requirements are in place.

By Dan Cooper and Helena Marttila

On 11th of July, 2011, Hungary adopted a new data privacy law (Act CXII of 2011 on Informational Self-Determination and Freedom of Information) (the "Act"), which will enter into force on 1 January 2012. The main changes brought about by the Act are briefly discussed below:

Continue Reading

By Dan Cooper and Helena Marttila

On 24th of August 2011, the Government of India’s Ministry of Communications & Information Technology finally issued clarification on the application of the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (the "Rules"). As we blogged here, much ambiguity has surrounded the interpretation and effect of the Rules, and companies with outsourcing activities in India have been concerned about the potentially wide scope of the legislation.

According to the Government clarification, the Rules apply to any company or person located in India that processes sensitive personal data (the application of the Rules to personal information more generally remains unclear). The Rules provide an exhaustive definition of "sensitive data", which encompasses passwords, financial information, physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information.

However, the clarification further states that the obligations under Rules 5 and 6 (described below) do not apply to companies or persons that process sensitive personal data on behalf of any other company located within or outside of India, in other words, outsourcing arrangements are exempted from certain requirements under the Rules.

Rule 5 provides, among other things, that an Indian company or person that processes sensitive data must obtain the prior written consent of the "provider of information". The Government has clarified that "provider of information" means any natural person who provides sensitive personal data to a company. Rule 5 also prohibits the Indian company or person who processes sensitive data to retain the data longer than is required for the purposes for which the information was collected or to use the information for any other purposes than for which it was collected. Further, Rule 5 requires companies to ensure that the personal data they process is accurate and to provide data subjects an option to withdraw their consent to the processing of their data.

Rule 6 restricts the disclosure of sensitive personal data to any third party unless (i) the individual whose data is being disclosed has provided his or her prior consent; (ii) the disclosure is permitted under a contract between the company and the individual; or (iii) the disclosure is necessary in order to comply with a legal obligation.

Therefore, if a company located in India or abroad outsources the processing of sensitive data to a service provider located in India, that service provider has no obligation to obtain consent from individuals before processing their data or disclosing it to third parties. On the other hand, if an Indian company provides services to and obtains sensitive data directly from individuals, it will need to obtain their prior written consent and comply with the other requirements set out in Rules 5 and 6 when handling their personal data.

China’s Internet regulator, the Ministry of Information and Industry Technology, or MIIT,  is close to releasing the final version of China’s first national standards for personal information protection.  Drafted with the assistance of two other government departments, the release of  “Information Security Technology - Guidelines for Personal Information Protection” (信息安全技术个人信息保护指南) represents China’s first foray into the field of data privacy regulation.  As a voluntary national standard, the Guidelines will lack the force of law but will likely serve as an important guidepost for future lawmaking.  We understand that a final version of the Guidelines is expected to be released in the second half of 2011.

The Guidelines as currently drafted set out (1) suggested principles for processors and administrators of personal information, (2) rights enjoyed by the data subject, and (3) requirements for the collection, processing, transfer, use, blockage, deletion, and management of personal information. 

Among the requirements for data transfer in the Guidelines are restrictions that would prevent the transfer of personal information overseas.  Article 5.3.5 of the draft states that unless otherwise stipulated in law or regulation or having gained the approval of the relevant ministry, no data administrator within China may transfer personal information to a foreign administrator. Such a requirement would prevent the transfer of personal information gathered in China to any non-China based entity and would affect both the internal transfer of personal information within multinational companies as well as any personal information transfers between cross-border cloud computing servers.

The appearance of these Guidelines appear to be a stop-gap measure for the future passage of China’s Personal Information Protection Law (个人消息保护法).  That law, in draft form since 2005, shows no signs of enactment in the near term and with China’s Internet population expanding rapidly (485 million users in June 2011, a 1700% increase since 2000) it appears MIIT has decide to take the lead in ensuring China’s legal regime does not fall further behind its rapidly evolving online social and e-commerce environments.  While non-mandatory, the suggested provisions point the way for future developments in China, including potential inclusion in a future Personal Information Protection Law.

On July 19, 2011, the European Commission announced that it sent formal requests for further information to 20 Member States regarding their failure to implement the EU's new package of telecoms rules.  The rules, which include amendments to the E-Privacy Directive to create new consent requirements for the use of most web cookies, were required to be enacted by the Member States by May 25, 2011.

As we described here previously, the new measures have been delayed in many Member States over questions regarding how such consent requirements and breach notifications will work in practice.  Some Member States are also clearly hoping that new browser settings will be developed in order to facilitate adequate user consents.  Meanwhile, other Member States have implemented the new rules but subsequently also adopted a cautious stance over enforcement of the new rules.  As reported previously, the UK's rules are now in force, but the UK ICO has indicated that it will not substantively enforce the new cookie rules until May 2012.  Although the UK does not appear to be in the firing line, the Commission is clearly taking a dim view of such ongoing concerns.  It is unusual for enforcement proceedings to be launched so quickly and against so many Member States.

This enforcement action comes on the heels of other significant Commission activity in relation to the e-Privacy amendments.  On July 14, 2011, Commissioner Neelie Kroes launched a new consultation on how the new data breach notification requirements for electronic communication service providers should be carried out in practice.  The consultation will focus on the circumstances that trigger a data breach notification obligation, the practical procedures that should be followed when making a notification, and the information that such notifications will include.  Responses can be submitted until September 9, 2011.

On 15 July, 2011, the Working Party 29 group of European data protection authorities released Opinion 187, on the definition of "consent" as used in the Data Protection Directive and the e-Privacy Directive.  Focusing on factors such as whether the consent is (i) informed, (ii) freely given, (iii) specific, (iv) unambiguous, and so on, the paper explores different scenarios in which consents provided by data subjects are sufficient or insufficient for data controllers and processors to rely on when processing relevant data. 

Continue Reading

Qatar has published a first version of its new Personal Information Privacy Protection Law. This is a groundbreaking development as, should the law be enacted, it will make Qatar the only country in the Middle East to have nationally-applicable data protection legislation.

The draft legislation applies to operators in the private and public sectors and to "electronic processing of personal information about an individual." The proposed definition of personal information covers any information that can reasonably be linked to an individual, regardless of whether the individual can be identified (thus extending to geographic location data). The draft text also includes the accountability principle, requiring organizations to appoint staff to oversee processes involving use of personal information and ensure that personnel are trained in information protection practices.

The Qatari government is currently seeking input from international privacy experts on the content of the draft law, including whether the law should include the principle of "privacy by design," i.e. an obligation to incorporate privacy protections into products and systems at the outset of their development. For more information see here.

The U.K. Information Commissioner's Office (ICO) issued a press release yesterday calling on companies to undergo more data protection audits.  (Currently, only some public sector entities in the UK can be made to undergo audits -- the ICO can effectively only request to audit a private sector company).  The ICO issued the "warning" after releasing new figures that show that the private sector was responsible for almost a third of all data breaches in 2010/2011, and that only 19% of private sector organisations voluntarily accepted to undergo audits by the ICO (compared to 71% in the public sector).  The Information Commissioner Christopher Graham proceeded to single out lenders and direct marketing companies as the worst culprits, saying that "many of them are still resisting our offer to undergo audits."

The ICO also released new figures about the progress of such audits, which show that the ICO performed 26 audits in 2010/2011 -- a 60% increase on the previous year.  The figures also reveal that over 90% of ICO recommendations were acted upon following an audit.

Additionally, the ICO released its full Annual Report and held an online webcast and Q & A session on its annual performance.  While further questions can still be submitted, one colourful answer by the Commissioner regarding the new cookie rules (see our previous posts here, here and here) has already been published:  "Website operators", he said, "[should] take their 'consent' obligations seriously under the Privacy and Electronic Communications Regulations -- because I'll be after them if they don't."

In 2009, Directive 2002/58/EC, the so-called ePrivacy Directive, was amended.  The deadline for EU Member States to implement the revised Directive in their national laws was May 25, 2011, but very few Member States met the deadline and even today, almost one month after the deadline, discussions remain ongoing in most national parliaments.  The implementation efforts that have occurred vary, suggesting that that there will be variations among national outcomes rather than an EU-wide approach.

As background, the ePrivacy Directive regulates the use of “technology aimed at storing and accessing information on the user’s terminal equipment."   The 2002 Directive required that users (i) be informed about the use of such technology, and (ii) be offered the right to refuse it.  This requirement, better known as "the cookie-rule"  traditionally has been implemented through website privacy policies that inform visitors of the use of cookies and how they can refuse them through browser settings. 

But the 2009 revision of the ePrivacy Directive calls into question the well established practice of relying on browser settings to infer user consent.  The revised article 5.3 replaces the “right to refuse” of the old article 5.3 with a “consent that has been obtained” -- a language change that suggests that prior consent may be required.  At the same time, however, the amending Directive contains a recital stating that “user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.”  The contradiction between the strengthening of the consent requirement in section 5.3 of the revised Directive, on the one hand, and the reference to the traditional browser-consent in the recital, on the other hand, has caused uncertainty for businesses and national legislators. 

Given this uncertainty, national outcomes are expected to diverge from one Member State to another.  The below examples of (partial) implementation of the revised article 5.3 to date illustrate the difficulty of forecasting a possible EU wide outcome:

Continue Reading

By Shamma Iqbal and Helena Marttila

This April, the Indian government quietly passed the 2011 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (the "Rules"). Among other things, the Rules require written consent for the processing of "sensitive personal information" in India and that organizations processing personal information in India implement reasonable security practices and procedures. As drafted, the Rules apply to organizations that process personal information, including sensitive personal information, in India regardless of where the information originates or whether the information relates to Indian or non-Indian citizens. The Rules also do not differentiate between "data controller" and "data processor" and thus it is likely that they apply to all organizations engaging in data processing activities in India, whether or not the processing is performed on behalf of other organizations.

Much ambiguity surrounds the interpretation and practical effect of the Rules, and the Indian government had not provided any clarification on the Rules at the time of writing, although it is expected to respond to questions posed by industry stakeholders on the meaning of certain provisions in the coming weeks.

The key features of the Rules, and their potential application, are discussed below:

1. Definition of Sensitive Personal Information. The Rules provide an exhaustive definition of "sensitive personal data", which is similar to the definition contained in the EU Privacy Directive. This definition encompasses passwords, financial information, physical, physiological and mental health condition, sexual orientation, medical records and history, and biometric information. The definition excludes any information that is freely available or in the public domain.

2. Privacy Policy Requirement. Organizations based in India are required to adopt a privacy policy to cover their processing of personal information and sensitive personal information. The Rules set forth certain disclosure obligations for such policies, e.g., disclosure of the categories of information collected and the purposes of the processing.

Continue Reading

Late yesterday the UK ICO issued a new press release and guidance on its plans to enforce the new UK "cookie regulation," which was enacted by the UK Government to implement the EU's e-Privacy Directive.  

The new release, which follows previous ICO guidance outlining how businesses might comply with the new rules (see my previous post), declared that the ICO intends to pursue enforcement with a "light touch" and promised that the ICO will not take enforcement actions against businesses using cookies in the UK without user consent for a 'lead-in' period of one year.  The new rules, which come into effect today, require websites to obtain consent from users when placing cookies on the user's devices. The UK Government has interpreted this requirement to entail specific opt-in consent from users, but it has also specified that consent can be obtained after the cookie has been placed on the user's device, i.e., retroactively.  Businesses will now have a grace period for compliance, but the ICO has warned that those who "do nothing" for this period will find that factor being taken into account when the ICO begins enforcement actions next year.

Christopher Graham, the Information Commissioner, said of the new policy that "I have said all along the new EU rules on cookies are challenging….Browser settings giving individuals more control over cookies will be an important contributor to a solution. But the necessary changes to the technology aren’t there yet."  The ICO's new release was accompanied yesterday evening by an open letter from Ed Vaizey, the Minister for Culture, Communications and Creative Industries, in which the Department for Culture, Media and Sport endorsed the ICO's new approach and explained its take on the new regulation.

Another effect of the new regulation is the granting of new powers to the ICO is that the Commissioner will now have increased powers to impose financial penalties on telecoms and Internet service providers who suffer data breaches without telling the ICO; audit service providers without their consent (although consent will still be sought before this power is used according to new guidance); and impose civil penalties, especially on businesses sending unwanted marketing calls and text message spam.

Singapore's Minister for Information, Communications and the Arts recently announced that the government will take steps to introduce a generic data protection statute in Singapore early next year.  The Singaporean government has been considering the issue for a number of years but now appears to have taken a concrete decision to proceed with targeted legislation in this area.  The Minister announced that the proposed law will "curb excessive and unnecessary collection of individuals' personal data by businesses, and include requirements such as obtaining consent of individuals to disclose their personal information."  The government is also planning to establish an enforcement authority to oversee implementation and compliance with the new legislation.

There will be a public consultation process overseen by InfoComm Development Authority of Singapore (IDA) later this year.  The proposed legislation is expected to be laid before Parliament in early 2012.

Following its vague warning on cookies in March, and confirmation last month that the UK would adopt the amended EU rules on cookies verbatim, the UK ICO has now issued new guidance that makes it clear that websites must obtain users' consent before storing cookies on devices.  The guidance, which relates to amendments to the UK e-privacy legislation that come into force on 26 May, 2011, issues a stark warning to companies that they "cannot ignore these rules".

The new guidance focuses on new European rules that require businesses to obtain user consent before placing cookies on their computers.  Previous measures, which included informing users that cookies were being used and offering 'opt-out' procedures, will no longer be sufficient.  The guidance sets out various ways in which the user's consent may be validly obtained, including via pop-ups, terms and conditions of use, and 'feature-led' consent.  The guidance notes that the list of methods for obtaining consent is not exhaustive, though states that browser settings currently are not "sophisticated enough" to allow websites to assume that users have given consent.

There is an exception to the new rule -- user consent will not be required if the use of the cookie is 'strictly necessary' for the operation of the service requested by the user.  Examples include cookies that enable online 'shopping baskets', for example, where a site needs to remember what was placed in the 'basket' before it is paid for by the user.  However, the ICO does warn that this exception should be interpreted "quite narrowly".

In terms of enforcement, the guidance suggests that businesses which show they are considering how to change their policies to comply with the new rules will not face penalties if they have not fully implemented the change by 26 May, 2011.  This reflects an earlier statement from the UK Communications Minister, Ed Vaizey,  that the government does not expect the ICO to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies.  The ICO has stated that further detailed guidance on enforcement procedures is also in the pipeline.

Smartphone Location Data

Last week two UK-based researchers revealed that Apple iPhones record location-based data in an unencrypted file stored on each phone. The information, gleaned from WiFi routers and cellular towers within the phone's signal range, has been collected without the knowledge of the phones' owners, and would allow Apple to track each phone's approximate location. Evidence suggests the data is sent back to Apple from the phones on a periodic basis. The researchers used the unencrypted information to reconstruct over a year of each smartphone's movements. The Wall Street Journal reports that turning off the phone's location-based services does not stop the phone from collecting and storing the data. In a recent press release, Apple answered several questions posed by this discovery, and explained that a software bug in its traffic-prediction software was responsible for the year-long retention period. Apple also said it would release a fix for the bug.

Nevertheless, the revelations have piqued European regulatory interest. German, French and Italian data protection authorities have now opened investigations into whether Apple has breached EU privacy rules regarding the tracking and storing of user location data. The Irish authority has said it is actively examining the issue after receiving complaints. The South Korean government authority has also said it will look into the issue, while meanwhile South Korean police arrested three men on 27 April for illegally collecting the location and movements of hundreds of thousands of South Korean smartphones, for use in mobile advertising.

In the United States, Apple and a number of other technology companies have been asked to respond to inquiries from Congress regarding the extent to which they collect, use and retain data in connection with their provision of location-based services.

Sony Declares Breach

In a separate matter this week Sony announced that the 76-million user PlayStation Network had been hacked. The company confirmed that data had been stolen from the system, potentially including sensitive data such as payment records, user names, and credit card details. The PlayStation Network has been shut down since 21 April, but until Tuesday the company hadn't verified the reason for the shut down.

Irish, UK and Austrian data protection authorities have already confirmed their concern over the breach, and all three authorities have now opened investigations into Sony's data security practices.

The Article 29 Working Party recently released an opinion on data breach notification in the EU. The opinion addresses two main issues:

• Experience to date with the existing breach notification rules in the ePrivacy Directive.

The breach notification obligation imposed by article 4.3-5 of the ePrivacy Directive (2002/58/EC) only applies to providers of electronic communications services. EU Member States are still in the process of transposing the rules into their national laws. However, as most of them are unlikely to meet the deadline of May 25, the Working Party had little to go on for its evaluation. The Working Party underscores the need for harmonization and highlights the areas where such harmonization may be threatened, in particular (i) divergences in the scope of the breach notification obligation; (ii) diverging national guidelines on the modalities of the notification; and (iii) diverging interpretation of what constitutes "protected data" (e.g., encrypted data) that is not subject to some aspects of the breach notification obligation. In order to help ensure harmonization and to increase coordination in cross border breaches, the Working Party has decided to set up a sub-group on breach notification.

• Expansion of the breach notification obligation to other sectors.

The Working Party welcomes the European Commission's intention to adopt a horizontal breach notification obligation as part of the revision of the Data Protection Directive. In particular, the Working Party stresses that the new regime should be similar to the one in the ePrivacy Directive; that is, with the same harm threshold, the same notification procedure and the same modalities. More so, the Working Party invites the Commission to propose secondary legislation under the ePrivacy Directive that could also serve under the expected general breach notification, once introduced in the Data Protection Directive.

While the Working Party's position comes as no surprise, three points are worth highlighting:

Continue Reading

The Society for Worldwide Interbank Financial Telecommunication, or SWIFT, provides an organizational platform for facilitating international payments.  U.S. and foreign financial institutions use SWIFT messages to initiate, process, receive, and settle payment orders.  The amount of information exchanged via SWIFT is immense.  More than 9,000 financial institutions in 209 countries rely on SWIFT to process international payments, and an average of 17,000,000 SWIFT messages are sent in a given day.  SWIFT messages contain sensitive financial information about consumers, businesses, and governments and for that reason raise unique financial privacy concerns.

In recent years, governments such as the United States have obtained access to the SWIFT database, including transactions involving citizens as well as foreign residents, in order to combat terrorism.  However, certain countries have criticized and pushed back against such access out of concerns for their citizens’ privacy.  In 2010, the United States and European Union reached an agreement whereby SWIFT message information will be made available only for the purpose of preventing, detecting, and prosecuting terrorism and only upon a showing that such information is necessary.

More broadly, the Dodd-Frank Act provides for Federal Reserve supervision of systemically important payment and settlement activities, and it is generally expected that the international payments system will receive more attention from regulators in the future.  For instance, recent Treasury rulemakings have requested further comment on the subject of non-U.S. payment and settlement providers. 

The EU Art 29. Working Party finished its 80th plenary meeting in Brussels last week.  This week, the Party released a series of new policy opinions produced during the plenary.  The highlights included:

• A declaration that, in WP 29's opinion, New Zealand's data protection regime is now "adequate" for the purposes of international data transfer.  This opinion will now be taken into account by the Commission when it decides whether or not to officially declare New Zealand as an "adequate" jurisdiction for the purposes of transferring data out of the EU.
• A paper expressing WP 29's concern with the proposed EU passenger data directive.  WP 29 deplored the too-wide scope of the proposal, which would collect data from all passengers on all flights entering or leaving the EU.  The opinion also expressed scepticism about the Commission's plan to 'anonymise' data after 30 days, and claimed that the data would not actually be anonymised, but merely available to fewer people.
• An opinion on "smart meters", providing guidance on issues such as how to define a "data processor" in a smart energy grid, whether data subject consent is needed to transfer metered information back out to the energy company, and encouraging smart meter systems to be designed in accordance with the ideals of "privacy by design" and "privacy by default".
• An expression of support for the Commision's communication last November calling for the reform of the currently patchy data breach notification regime.  Right now Member States all have different requirements in regards to data breaches - for example, some Member States require no notification under any circumstances, while some, such as Germany, have strict "harm" thresholds that must be passed before a company must notify either the affected data subjects, or the national authority.  The WP 29 paper expressed support for an expansion of the data breach regime seen in the E-Privacy Directive, and lent its support to this reform effort.

Today the European Commission, European data protection and information security authorities, NGOs and industry groups signed the Privacy and Data Protection Impact Assesment Framework for RFID Applications, which establishes a self-regulatory mechanism for ensuring data protection in the field of RFID (Radio Frequency Identification).  RFID technology – so called “smart tags” – can be found in a growing number of products.  When a RFID tag is brought near a “reader” the tag is activated and data is exchanged, raising potential privacy risks.

Under the agreement, companies will conduct an assessment of privacy risks and take measures to address any risks identified in the assesment before a new RFID application is introduced on the market.  The agreement includes detailed procedures for this process that should enable the delivery of RFID applications in compliance with the Data Protection Directive (95/46/EC) and the e-Privacy Directive (2002/58/EC).

The Commission called on industry in 2009 to develop a RFID impact assesment framework that would meet the requirements of the Article 29 Working Party, comprising EU Member State data protection authorities and the European Data Protection Supervisor.  The agreement signed today is the culmination of those efforts.

“This is truly a historic moment, and I want to thank our industry and civil society partners,” said Digital Agenda Commissioner Neelie Kroes.  “It is obvious that technology evolves faster than legislation.  The various parties gathered today have recognized this and decided that this … Framework was the most effective and efficient way to protect the privacy of European citizens without stifling innovation when using RFID applications.”

On March 17, the French data protection authority, the Commission nationale de l'informatique et des libertes (CNIL), imposed a 100,000 Euro fine on Google, for privacy violations arising from its collection of personal data with respect to its Street View product and its Latitude geolocation service.  This is the largest fine assessed by CNIL since it obtained the power to impose financial penalties in 2004.

The CNIL imposed this fine as a result of Google's unlawful collection of personal data, as well as its failure to comply with agency requests that Google disclose information about the computer program used to obtain information on WI-FI network users.  The CNIL also cited Google's continued collection of data on Wi-Fi access points through smart phones connected to its Latitude service, without notifying users, in its decision.  Google has two months to appeal the decision to the French State Council. 

Mexico's data protection oversight body, the Federal Transparency and Data Protection Institute has indicated that it expects the draft implementing regulations that will bring into effect the new Mexican federal privacy statute to be ready in July of this year.  Introduced on July 6, 2010, Mexico's "Federal Law Protecting Personal Data in Private Possession" is the first piece of legislation to regulate, on a federal scale, how businesses handle personal information.  Enforcement of the new law is not expected to occur until 2012.

The data protection authority has indicated that a public consultation inviting comments on the provisions of the draft implementing regulations will be opened.

Taiwan's revised Data Protection Act, which is not yet formally effective, is the first privacy-specific statute in the APAC region to contain an enforceable requirement to notify individuals of a data breach incident.  To date, no other privacy legislation in the Asia region has imposed an enforceable legislative requirement to communicate a data breach incident to individuals.  

A few notable aspects of the legal obligations are as follows:

• The relevant provision requires that, where a public or private sector agency "violates any provision" of the Act, "such that personal data is stolen, disclosed, altered or otherwise impaired," then "the agency, after investigating shall notify the subjects by appropriate means."
• The requirement does not extend to every breach occurrence, only those that constitute an actual violation of the Data Protection Act. 
• Certain aspects of the data breach provision remain unclear, such as the extent to which organizations may delay the issuance of notices while investigating an incident.
• There does not appear to be any requirement to notify any supervisory body of the breach incident.  Indeed, the Data Protection Act does not name any a single body with oversight over or enforcement responsibility for the Data Protection Act.  It appears that enforcement has been left to individual industry ministries, as is the case in Japan.

Last July, the Irish Data Protection Commissioner formalized and approved a Code of Practice for organizations suffering information security breaches:  the Personal Data Security Breach Code of Practice. The Code specifies that all data security incidents should be reported to the Data Protection Commissioner, except in very limited cases, and sets out additional risk minimization measures. 

Although the intention was that the Code of Practice would have legal force, the Irish Data Protection Commissioner has revealed that, at the current time, the Code is still not legally binding in Ireland because the final parliamentary measure that would have bestowed the Code with legal status was never undertaken.  Speaking at an Irish Computer Society event this week, Commissioner Hawkes said that "the code of practice that exists now is not legally binding - it's just strong recommendations."

Any Irish-based or multinational organization affected by a data security breach will want to consider this statement in assessing its reporting obligations.  For more information, see this article from the Irish Times.

The European Commission has proposed a Passenger Name Record Directive that would require airlines to provide EU Member States with data on passengers arriving from, or departing to, countries outside the EU. Under the proposal, copies of such PNR data held on an airline’s reservation system would be transferred to a dedicated “Passenger Information Unit” in the Member State of arrival or departure, for the purpose of fighting serious crime and terrorism. The Passenger Information Unit would be an authority (or a branch of an authority) with responsibility for preventing, detecting, investigating or prosecuting such offences. The Directive would also require the Commission to undertake a study on applying these PNR transfer requirements to internal EU flights.

PNR is defined to mean “a record of each passenger’s travel requirements which contains information necessary to enable reservations to be processed and controlled by the booking and participating air carriers.” According to the Commission, this would include data already collected by airlines for their own commercial purposes such as travel dates, itinerary, ticket information, contact details, means of payment and baggage information. The Commission says that airlines would not be required to retain additional data under the Directive. Transfer of “sensitive data” such as information revealing a traveler’s religious beliefs or political views would be prohibited.

The proposal could, however, face a tough review from the European Parliament, where arrangements to transfer PNR and financial data to the US have come under criticism on privacy grounds. The European Data Protection Supervisor has also questioned the consistency of such PNR transfer requirements with individuals’ data protection rights, in particular the principle of proportionality.

The Commission maintains that access to PNR data is critical for combating serious crime and terrorism. The Commission also notes that several Member States already have or are implementing PNR transfer requirements. The Directive, the Commission says, will ensure a harmonized approach.

It is expected to take two years for a final agreement on the proposal to be reached with the Parliament and the Council, which represents Member States.

The Article 29 Working Party, comprising data protection authorities from each of the EU Member States and the European Data Protection Supervisor, has reiterated concerns about aspects of Passenger Name Record (PNR) agreements between the EU and the US, Canada and Australia. Under the agreements, airlines must allow authorities in the US, Canada and Australia to review data on passengers traveling from the EU to those countries to combat terrorism and other crimes.

The Working Party’s views are contained in a letter to Home Affairs Commissioner Cecilia Malmström that was prepared in anticipation of negotiations on new PNR agreements and that was released last week.

With respect to the US, the Working Party is concerned about the ability of US authorities to directly access EU PNR data from terminals in the US.  The Working Party believes that this could enable US authorities to review data on flights not covered by the agreement, such as those within the EU.  While a filtering mechanism was apparently put in place in November, the Working Party “considers it fundamental that any future agreements provide for data to be pushed to the US authorities, with no possibility for US officials to separately access the data.”

More broadly, the Article 29 Working Party calls for all PNR agreements to demonstrate the necessity of using PNR data, to include all relevant provisions (eliminating the need for side letters and similar documents), and to prohibit authorities from circumventing the agreements by directly approaching computer reservation service providers.

Blog readers in the U.S. may have missed this month's Wired U.K.,  which included "ultra personalized" covers that provided detailed information about each of a small number of subscribers who received it.  The cover included hand-collected data about subscribers' telephone numbers, social networking activities, eBay purchases, property sales, and other activities, and was designed to highlight Wired's cover story on "what the end of privacy means for you."

Wired has received mostly positive reactions, and a fair amount of attention, concerning its cover.  U.K. journalist Benjamin Cohen blogged after receiving the magazine that he was "shocked" at how much Wired learned about him, including details such as the address to which Cohen's parents had moved and the fact that he recently had a meeting with an ex-boyfriend.

Writer Andrew Losowsky observes that this is not the first time magazines have offered hyper-personalized content, but the cover comes at a time when the policy debate over information privacy continues at a rapid clip, with the FTC and NTIA in the U.S. working to develop new frameworks for regulating privacy and the EU regulator taking a hard look at data security.

It will come as no surprise to privacy professionals that online sources and government records can include information about individuals -- particularly if those individuals do not use existing social media privacy settings, as Cohen says he did not.  But, just as a series of reports in the Wall Street Journal last year led to a high-profile congressional investigation, renewed attention to consumer privacy issues in the press has the potential to focus regulators' attention on these issues as they consider whether new legislation in the U.S. is necessary to address concerns about consumer privacy.

Later this week, we'll look in more depth at the major considerations that are likely to influence regulators' approach to privacy in the coming year.

Following on from ENISA's recent report on cloud computing in government, Commissioner Neelie Kroes set out some further thoughts on a European Cloud Computing Strategy last week at Davos.  In an encouraging sign for cloud providers and European industry more broadly, Commissioner Kroes spoke positively about the need to ensure that effective data protection and the EU's Single Market do not clash with cloud computing, and her wish to make Europe "not just 'cloud-friendly' but 'cloud-active'."  To help achieve these goals, Commissioner Kroes indicated that her strategy would cover three broad areas: the legal framework regarding data protection and privacy; technical and commercial fundamentals, including research, security and technical standards; and the market, e.g., support for pilot projects aiming at cloud deployment.  Commissioner Kroes will be inviting cloud providers and cloud users to Brussels "for a series of intense consultations" in the spring.         

Hot on the heels of its report on data breach notifications in the EU, the EU's cyber security regulator, ENISA, published yesterday a new report on cloud computing in the government.  The report is targeted at senior managers of public bodies who are considering cloud computing platforms and services, and it aims to highlight the pros and cons of different cloud models with regard to information security and resilience.  The report summarizes relevant legal and regulatory considerations, and bases its analysis and conclusions on the examples of a healthcare authority and local public administration migrating to the cloud, and the creation of a governmental cloud infrastructure.

The report acknowledges that cloud computing has the potential to offer public administrations substantial benefits and improvements over current IT provisioning, such as increased availability and reliability, stronger security and better value.  However, the report recommends private and community clouds over public clouds, and ultimately urges European governments to adopt a staged approach in integrating cloud computing into their operations.

This past week, the United Kingdom Minister of State for Immigration, Damian Green, announced that the UK will join the Eurodac fingerprint database, a large centralized database containing the fingerprint data of asylum seekers and illegal border crossers who are found within EU territory.  Accordng to Green, the move will assist Europe in streamlining its immigration processes. The Eurodac regulation, which governs the operation of the fingerprint database, is designed to prevent abuse of asylum processes by helping European governments ascertain the most appropriate jurisdiction for asylum applications, thus making it difficult for asylum seekers to make applications for asylum in several Member States at once. 

Predictably, this move has met with criticism from privacy rights organizations who have voiced concerns over the government’s readiness to share personal information with foreign states whose law enforcement systems display varying degrees of accountability.  For their part, immigration control advocates applaud the move as an important law enforcement and argue that adequate controls are in place to avoid abuses of the Eurodac system.

On December 10, 2010, Nova Scotia's Personal Health Information Act, which regulates the collection, use, disclosure and disposal of personal health information, was granted royal assent.  The purpose of the new legislation is to better protect citizens’ health data, while also facilitating the use of electronic medical records by provincial health institutions.  Nine of Canada’s 10 provinces have legislation specifically regulating the health information sector. 

After much mulling, the Canadian Parliament passed, on December 16, Bill C-28, the Fighting Internet and Wireless Spam Act, which creates a new regime for businesses engaged in online marketing.  The legislation regulates commercial “electronic messages,” a term defined broadly to include e-mail, instant messaging, text messages, and messages on “any similar account” -- a catch-all category that potentially could include messages on Facebook and Twitter.  The law also provides a new private right of action, modeled on the CAN-SPAM Act in the United States.

No date has been set for the legislation to come into force.  The federal cabinet will establish implementation timelines. 

On December 20, 2010, the Federal Court of Canada fined consumer credit agency TransUnion of Canada Inc. under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).  TransUnion was ordered to pay approximately $5,000 to a consumer who was unable to secure a loan after TransUnion reported inaccurate credit information to his bank. 

The negative information should have been attributed to a different individual with a similar name and similar address.  The court held that even though the error may have been caused by a “commercially sensible” matching system, the reported credit information was not “sufficiently accurate, complete, and up-to-date” for the purposes for which it was used.

The damages award is the first under the applicable section of PIPEDA in the statute’s ten-year history.  The court found that while damages are discretionary under the statute, they were appropriate as to TransUnion:  “Where the credit reporting service has failed to take prompt, reasonable steps to correct the record and to therefore ameliorate the embarrassment of the individual, it should expect that it will be ordered to compensate him for the humiliation it has caused.”

EU Home Affairs Commissioner Cecilia Malmström announced that the European Commission will propose amendments to the Data Retention Directive (2006/24/EC) following publication of an evaluation report on the Directive early next year.  Under the Directive, Member States must ensure that providers of publicly available electronic communications services or public communications networks retain certain traffic data on communications for a period of six months to two years.  Such data should ensure that authorities can determine the date, time, duration, source and destination of each communication, and the service and equipment used including the location of mobile devices.

Continue Reading

EU Justice Commissioner Viviane Reding is in the U.S. this week and was scheduled to meet with Attorney General Eric Holder on ways the U.S. and E.U. can cooperate on protecting consumer data.

Commissioner Reding also met with the Washington Post's Cecilia Kang to discuss the relationship between E.U. and U.S. conceptions of privacy.  They discussed the "right to be forgotten" -- an idea that Commissioner Reding introduced last month.  Commissioner Reding explained that a person's data should belong to him or her, not a commercial entity or the state, and emphasized the importance of being able to delete data stored online or port it to another online platform.  While data portability is a popular concept in the U.S., Commissioner Reding's conception of data ownership is not universally adhered to in the U.S.