Inside Privacy - Updates on Developments in Global Privacy & Data Security

Earlier this week the European Data Protection Supervisor (“EDPS”) adopted an Opinion on the proposed Anti-Counterfeiting Trade Agreement (“ACTA”) between the EU and its Member States, Australia, Canada, Japan, the Republic of Korea, the United Mexican States, the Kingdom of Morocco, New Zealand, the Republic of Singapore, the Swiss Confederation and the USA.

The Agreement aims to protect intellectual property rights (“IP rights”) by developing a common approach to enforcement and facilitating cooperation at international level.  Though ACTA includes a wide range of provisions addressing issues such as the counterfeiting of goods and the unlawful use of trademarks, the Opinion focuses in particular on measures relating to the enforcement of IP rights in the digital environment.

Continue Reading

This week, the U.K.-based GSM Association unveiled voluntary app privacy guidelines, which are being implemented by several major European mobile telephone service operators for their own branded applications.  According to the GSM Association, the companies adopting these guidelines includes Deutsche Telekom, France Telecom - Orange, Telecom Italia, Telefónica, and Vodafone.  This development  follows last week's announcement of an agreement by Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research in Motion to ensure that mobile device apps that collect personal information contain privacy policies.

The GSM Association guidelines are designed to apply to all parties in the app or service delivery chain that are responsible for collecting and processing a user's personal information, including developers, device manufacturers, platforms, mobile operators, and advertisers.  The guidelines encourage the development, delivery, and operation of mobile apps that help users understand what personal information an app may access, collect and use; what the information will be used for, and why; and how users may exercise choice and control over this use.

Examples illustrating practices the GSM Association considers compliant and noncompliant with these guidelines are also provided.

Following more than two years of consultations and intense speculation in recent weeks, the European Commission today proposed comprehensive measures to reform the European data protection framework.  We currently are analysing the proposed reforms in detail, but it appears that the proposal for a General Data Protection Regulation largely mirrors earlier leaked drafts. 

For example, key measures include:

Continue Reading

By Dan Cooper and Maria-Martina Yalamova

On December 13, 2011, the UK data protection authority (the “ICO”) issued updated guidance on the new cookie rules (Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) implemented as part of the review of the EU e-Privacy Directive.  The guidance is intended to help website operators and those using cookies understand how the rules apply.  As we reported earlier, when the rules were first introduced in May 2011, the ICO made it clear that it would be unlikely to take formal action against those who are taking steps to comply with the rules during a 12 month lead-in period.  When this transition period ends in May 2012, the regulator will expect companies that have not yet achieved full compliance to be able to provide a clear timescale for when compliance will be achieved and demonstrate that steps are being taken to make that happen.  Highlighted below are some of the more notable aspects of the guidance.

Scope.  The guidance confirms that the rules will apply to websites using cookies and other similar technologies for sharing information, such as Local Shared Objects (so-called “flash cookies”), web beacons, bugs, and so forth.  The requirements apply equally to cookies set on computers, mobile devices, and other terminal equipment, such as enabled televisions and games consoles.

New obligations.  The ICO has made it clear that under the new rules, organizations deploying cookies (and similar technologies) must:

• inform  subscribers and users that the cookies are there;
• explain what the cookies are doing; and
• obtain  subscriber or user consent to store a cookie on a device.

The ICO makes it clear that providing information about cookies by means of company privacy policies or website terms and conditions will no longer be sufficient to achieve compliance.  Organizations will need to be more pro-active in providing information to subscribers and users.

Exceptions.  Under UK law, some exceptions will apply to the notice and consent rules, notably where the use of the cookie is:

• for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
• where such storage or access is strictly necessary (i.e., essential, rather than reasonably necessary or important) for the provision of an information society service requested by the subscriber (i.e., the person who pays for Internet connection) or the user (i.e., the person using a computer or a mobile phone to browse the Internet).

An “information society service” is defined in Article 2(1), Electronic Commerce (EC Directive) Regulations 2002 as “any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing and storage of data, and at the individual request of a recipient of a service”.  These exemptions are the same that appear in the EU-level directive, the e-Privacy Directive 2002/58.

Consent.  Absent an applicable exception, the cookie rules require that a subscriber or a user consents to the deployment of a cookie on their device.  Prior consent is not expressly required (and may not be technically feasible in some cases), but website operators must be able to demonstrate that they have expended effort to reduce the amount of time before a subscriber or user receives information about cookies and is provided with clear options.  At present, the ICO discourages websites from relying on implied consent due to the relatively low user awareness of the functions and use of cookies.  However, as consent mechanisms evolve and user awareness improves, there is a suggestion that the position may change.

Obtaining consent in practice.  The ICO paper highlights a number of consent mechanisms that companies may rely on to achieve compliance, such as pop ups or “splash pages”; message and header/footer bars (particularly in the case of occasional website visitors); information on cookies in terms and conditions presented when a user signs up to a service; settings-led consent (e.g., “remember me?” prompts); and feature-led consent.  The ICO discourages the use of browser settings as a means to obtain valid consent on the basis that today’s browsers are not sophisticated enough to adequately reveal a subscriber or user’s informed consent. 

Notice.  Under the guidance, there is no prescribed format for furnishing adequate notice, but text must be sufficiently full and intelligible for subscribers and users to understand the potential consequences of accepting cookies.  When a website allows third parties to set cookies on a subscriber or user’s device, it must provide clear and comprehensive information to the individuals and allow them to make an informed choice. 

Analytical cookies.  Setting analytical cookies on a user’s device also will require consent as they do not fall within the “strictly necessary” exception criteria.  Where websites do not have a relationship with users (e.g., users simply visit the site to browse), they must ensure information about cookies is highlighted in a prominent place (not just made available via a general privacy policy link).  Where the information collected from a subscriber or user is shared with third parties, this should be made absolutely clear.

Responsibility for compliance.  As a general rule, the organization setting the cookie is responsible for compliance with the UK rules.  However, where third-party cookies are set through a website, both parties are jointly responsible for compliance, but either party may obtain consent. 

On 24 November 2011, the EU Court of Justice decided that ISPs cannot be forced to filter Internet traffic to fight intellectual property violations.  

In 2007, the Brussels Court of First Instance obliged the ISP Scarlet to filter all internet traffic and to block traffic involving violations of intellectual property rights, in particular in peer-to-peer applications.  An appeal was launched and the Brussels Court of Appeal filed two pre-judicial questions to the EU Court regarding the compatibility of such filtering obligation with European rules on e-commerce, intellectual property and data protection.

The Court has now rules that the E-Commerce Directive prohibits the imposition of general surveillance obligations on an ISP.  Moreover, the Court argues that while there is a right to property, protected by the EU Charter on Human Rights, this right is not absolute.  To the contrary, the right to property must be balanced against other rights, such as the freedom to undertake a business and the right to privacy.  The Court decides that the filtering obligation is disproportionate and in both cases fails to strike a fair balance.   

In respect of privacy, the Court explains that the filtering obligation would inevitably require a systematic analysis of the content of communications and the collection and “identification” of IP addresses of Internet users exchanging illegal materials.  These IP addresses are personal data because they allow the ISP to identify relevant individuals.  In addition, the Court is concerned that the filtering system affects the freedom of communication because the filtering system is not sufficiently precise and could block communications that do not contain any illegal materials.  The Court therefore holds that the filtering obligation does not strike a fair balance between intellectual property rights, the right to protection of one’s personal data and the right of free communications.

The Court’s qualification of IP addresses as personal data in this context is uncontested.   ISPs which allocate IP addresses to their subscribers, can indeed link these IP addresses back to the subscribers.  This in contrast to most information society services (such as websites, internet e-mail services, etc.), which do not allocate IP addresses.  Their ability to link IP addresses to individual users is much less clear.  Whether or not IP addresses are personal data in the latter context has given rise to diverging case law throughout the EU.

On October 26, 2011, the French Data Protection Authority, the CNIL, published guidance on the implementation of the new cookie rules arising from the amendments to the EU e-Privacy Directive 2002/58/EC (the “Directive”).  The new cookie rules have been implemented into French national law via the ordinance of August 24, 2011, relating to electronic communications (the “Ordinance”).

Under the old rules, companies offering websites, mobile applications and other online offerings had to inform users that cookies were utilized and to supply them with information as to how to “opt-out” if the users objected to the cookie being created on their devices.  Companies would often incorporate this information into the website’s main privacy statement.

According to the new rules, it is not permitted to deploy cookies (i) without the user’s prior consent (“opt-in”), and (ii) without the user having been provided with clear and comprehensive information about the cookies.  Apart from suggesting in the interpretative language of the Directive that browser settings might be used to obtain a user’s consent, the Directive does not specify how these requirements should be met.  Instead, the interpretation of the rules is left for individual member states.

Continue Reading

The representatives of IAB Europe and EASA, European advertising and marketing industry associations, met with the Article 29 Working Party, a group of European data protection authorities, on 14 September 2011 to discuss the industry’s self-regulatory code on Online Behavioural Advertising.  As we blogged here, the Article 29 Working Party had previously voiced concerns over some of the aspects of the code in its letter to the Online Behavioural Advertising Industry published in August.  These concerns were reiterated during the meeting, as the Working Party emphasized that consent for the use of cookies on user’s equipment (a requirement under the new ePrivacy Directive) cannot be implied from the user’s inaction or silence.  As the Working Party had stressed in its recent opinion, only statements or actions can constitute valid consent.

The Working Party explained that the code should be amended to provide compliance with European and national legal requirements after the industry admitted that the code was mainly intended to provide a level playing field.  The chairman of the Working Party was concerned that companies might wrongly consider the code as a “safe haven” when it in fact falls short of legal requirements.

The industry representatives were also invited to address the privacy concerns raised by the Working Party in its August letter.  The Working Party would take the industry’s answers into account when it prepares its official opinion on the Code  - to be finalized by the end of the year.

On July 19, 2011, the European Commission announced that it sent formal requests for further information to 20 Member States regarding their failure to implement the EU's new package of telecoms rules.  The rules, which include amendments to the E-Privacy Directive to create new consent requirements for the use of most web cookies, were required to be enacted by the Member States by May 25, 2011.

As we described here previously, the new measures have been delayed in many Member States over questions regarding how such consent requirements and breach notifications will work in practice.  Some Member States are also clearly hoping that new browser settings will be developed in order to facilitate adequate user consents.  Meanwhile, other Member States have implemented the new rules but subsequently also adopted a cautious stance over enforcement of the new rules.  As reported previously, the UK's rules are now in force, but the UK ICO has indicated that it will not substantively enforce the new cookie rules until May 2012.  Although the UK does not appear to be in the firing line, the Commission is clearly taking a dim view of such ongoing concerns.  It is unusual for enforcement proceedings to be launched so quickly and against so many Member States.

This enforcement action comes on the heels of other significant Commission activity in relation to the e-Privacy amendments.  On July 14, 2011, Commissioner Neelie Kroes launched a new consultation on how the new data breach notification requirements for electronic communication service providers should be carried out in practice.  The consultation will focus on the circumstances that trigger a data breach notification obligation, the practical procedures that should be followed when making a notification, and the information that such notifications will include.  Responses can be submitted until September 9, 2011.

The European Parliament approved the report of rapporteur Axel Voss yesterday.  Titled "Personal data protection in the European Union", the report endorsed the Commission's aim of reforming the Data Protection Directive (95/46/EC) and suggested specific directions for the upcoming reform.  Among other positions explored by the report, the European Parliament:

• Repeated calls for more regulation of behavioural advertising and "profiling" (as enabled by, for example, discount and loyalty scheme cards).  The Parliament also mentioned its concern over profiling in relation to "abuses stemming from online behavioural targeting" and "social network websites"), and called on the Commission to define the term "profiling" -- presumably to enable more regulation of the practice under an amended data protection law; 

• Acknowledged the need for more clarity in a number of areas, including what law is applicable to data processors and data controllers and the roles, rights and responsibilities of cloud computing service providers and cloud computing consumers; 

• Supported a number of new individual rights, including the notion that data subjects should be able to "fully enforce" their data protection rights even when their data is transferred and processed in third countries beyond the EU, a right of data portability for data subjects and the well-known "right to be forgotten", which the report also stated should be "clarified in detail";

• Requested further consideration of the addition of new categories of potentially sensitive data, including biometric and genetic data, and further caution when such data would be processed together with new technologies such as cloud computing; 

• Called for further harmonisation of the powers of the national data protection agencies; and 

• Endorsed Commissioner Viviane Reding's aim of creating a new mandatory data breach notification obligation.  The Parliament took the position that any such obligation should not become a "routine alert for all sorts of breaches", but nevertheless it also recommended that the new obligation require "all breaches without exception" to be recorded to aid in data breach investigations.

The report will now be forwarded to the European Council and European Commission -- both bodies are now responsible for developing the report into a set of concrete legislative proposals in the next stage of the reform.

Earlier this week the European group of national data protection authorities, collectively the Working Party 29 ("WP 29"), released a new opinion on data protection issues relating to the prevention of money laundering and terrorist financing.  The new paper features a slew of new recommendations from the WP 29 that are designed to enhance privacy and data protection in this area.  Among the most prominent of the recommendations are proposals to:

• review the overarching framework of anti-money laundering and anti-terrorist financing laws at the EU and national levels to ensure compatibility with privacy rights and data protection; 
• increase EU harmonisation of anti-money laundering and anti-terrorist financing laws, in part to enshrine the "purpose limitation principle" that stands behind data retention, protection and privacy laws; 
• provide clearer and enhanced guidance for bodies involved in the collection and processing of personal data where terrorist financing or money-laundering issues are prominent; 
• better balance "tipping off" rules to enhance compatibility with data protection; 
• introduce "stress tests" for organisations that use BCRs; 
• introduce "required benchmark" tests for adequacy findings for international transfers; and 
• improve coordination between financial authority regulators, data protection authorities and financial intelligence units.

Although scant detail is given, the paper ends with a promise by WP 29 to "follow up" on the proposals.

On Monday, the Article 29 Working Party released its new Opinion on geo-location data collection and processing in smart mobile devices.  The paper comes on the heels of a recent furor over the extent to which smart phones collect, process and transmit location data without the full knowledge and consent of the phone's users.  It represents the first collective response by European regulators to the concerns raised by those revelations.

As well as confirming that location data on smart mobile devices is personal data, and potentially even sensitive data, the paper marks out "best practices" seen by the Working Party as fully compliant with the EU's data protection regime.  Examples include:

• As well as clearly requesting user consent for the use of location data, smart phone applications should display an on-screen icon to remind users that location data is being collected and transmitted; 
• Location data from such devices should be retained for a maximum period of 24 hours; 
• Data subjects must be informed in advance of any application that "phones home" geo-location data, and the reason for which they are transmitting the data; 
• WiFi base-station owners must be allowed to "opt-out" of any database that has collected the location of their base stations. 

Smartphone Location Data

Last week two UK-based researchers revealed that Apple iPhones record location-based data in an unencrypted file stored on each phone. The information, gleaned from WiFi routers and cellular towers within the phone's signal range, has been collected without the knowledge of the phones' owners, and would allow Apple to track each phone's approximate location. Evidence suggests the data is sent back to Apple from the phones on a periodic basis. The researchers used the unencrypted information to reconstruct over a year of each smartphone's movements. The Wall Street Journal reports that turning off the phone's location-based services does not stop the phone from collecting and storing the data. In a recent press release, Apple answered several questions posed by this discovery, and explained that a software bug in its traffic-prediction software was responsible for the year-long retention period. Apple also said it would release a fix for the bug.

Nevertheless, the revelations have piqued European regulatory interest. German, French and Italian data protection authorities have now opened investigations into whether Apple has breached EU privacy rules regarding the tracking and storing of user location data. The Irish authority has said it is actively examining the issue after receiving complaints. The South Korean government authority has also said it will look into the issue, while meanwhile South Korean police arrested three men on 27 April for illegally collecting the location and movements of hundreds of thousands of South Korean smartphones, for use in mobile advertising.

In the United States, Apple and a number of other technology companies have been asked to respond to inquiries from Congress regarding the extent to which they collect, use and retain data in connection with their provision of location-based services.

Sony Declares Breach

In a separate matter this week Sony announced that the 76-million user PlayStation Network had been hacked. The company confirmed that data had been stolen from the system, potentially including sensitive data such as payment records, user names, and credit card details. The PlayStation Network has been shut down since 21 April, but until Tuesday the company hadn't verified the reason for the shut down.

Irish, UK and Austrian data protection authorities have already confirmed their concern over the breach, and all three authorities have now opened investigations into Sony's data security practices.

Today the European Commission adopted an evaluation report on the Data Retention Directive.  This Directive requires EU Member States to ensure that telecommunications service providers retain certain categories of data for the purpose of investigations, detection and prosecution of  serious crime, as defined by the national law of the Member States.  Since its adoption in 2006, the Directive has been the subject of much criticism and to date five Member States still have not transposed the Directive into their national laws. 

The European Commissioner for Home Affairs, Cecilia Malmstrom, indicated that "our evaluation shows the importance of stored telecommunications data for criminal justice systems and for law enforcement".  But she adds that data retention represents a significant limitation on the rights to privacy and the Commission therefore will consider more stringent rules for storage, access to and use of the retained data.  To that effect the Commission will enter into consultations with law enforcement authorities, the judiciary, data protection authorities, industry and civil society.  Malmstrom indicated that a proposal may come out later this year but the final version is "likely to be years away". 

Data retention will not disappear, Malmstrom insisted, adding that even if EU legislation were scrapped, Member States would most likely have national laws on the books and operators would also keep data for commercial purposes.  While not everybody may agree with this viewpoint, the upcoming consultation in any case provides another opportunity for all interested parties to voice their concerns and make their views known.  An inserting debate, no doubt.

The EU Art 29. Working Party finished its 80th plenary meeting in Brussels last week.  This week, the Party released a series of new policy opinions produced during the plenary.  The highlights included:

• A declaration that, in WP 29's opinion, New Zealand's data protection regime is now "adequate" for the purposes of international data transfer.  This opinion will now be taken into account by the Commission when it decides whether or not to officially declare New Zealand as an "adequate" jurisdiction for the purposes of transferring data out of the EU.
• A paper expressing WP 29's concern with the proposed EU passenger data directive.  WP 29 deplored the too-wide scope of the proposal, which would collect data from all passengers on all flights entering or leaving the EU.  The opinion also expressed scepticism about the Commission's plan to 'anonymise' data after 30 days, and claimed that the data would not actually be anonymised, but merely available to fewer people.
• An opinion on "smart meters", providing guidance on issues such as how to define a "data processor" in a smart energy grid, whether data subject consent is needed to transfer metered information back out to the energy company, and encouraging smart meter systems to be designed in accordance with the ideals of "privacy by design" and "privacy by default".
• An expression of support for the Commision's communication last November calling for the reform of the currently patchy data breach notification regime.  Right now Member States all have different requirements in regards to data breaches - for example, some Member States require no notification under any circumstances, while some, such as Germany, have strict "harm" thresholds that must be passed before a company must notify either the affected data subjects, or the national authority.  The WP 29 paper expressed support for an expansion of the data breach regime seen in the E-Privacy Directive, and lent its support to this reform effort.

Today the European Commission, European data protection and information security authorities, NGOs and industry groups signed the Privacy and Data Protection Impact Assesment Framework for RFID Applications, which establishes a self-regulatory mechanism for ensuring data protection in the field of RFID (Radio Frequency Identification).  RFID technology – so called “smart tags” – can be found in a growing number of products.  When a RFID tag is brought near a “reader” the tag is activated and data is exchanged, raising potential privacy risks.

Under the agreement, companies will conduct an assessment of privacy risks and take measures to address any risks identified in the assesment before a new RFID application is introduced on the market.  The agreement includes detailed procedures for this process that should enable the delivery of RFID applications in compliance with the Data Protection Directive (95/46/EC) and the e-Privacy Directive (2002/58/EC).

The Commission called on industry in 2009 to develop a RFID impact assesment framework that would meet the requirements of the Article 29 Working Party, comprising EU Member State data protection authorities and the European Data Protection Supervisor.  The agreement signed today is the culmination of those efforts.

“This is truly a historic moment, and I want to thank our industry and civil society partners,” said Digital Agenda Commissioner Neelie Kroes.  “It is obvious that technology evolves faster than legislation.  The various parties gathered today have recognized this and decided that this … Framework was the most effective and efficient way to protect the privacy of European citizens without stifling innovation when using RFID applications.”

On March 17, the French data protection authority, the Commission nationale de l'informatique et des libertes (CNIL), imposed a 100,000 Euro fine on Google, for privacy violations arising from its collection of personal data with respect to its Street View product and its Latitude geolocation service.  This is the largest fine assessed by CNIL since it obtained the power to impose financial penalties in 2004.

The CNIL imposed this fine as a result of Google's unlawful collection of personal data, as well as its failure to comply with agency requests that Google disclose information about the computer program used to obtain information on WI-FI network users.  The CNIL also cited Google's continued collection of data on Wi-Fi access points through smart phones connected to its Latitude service, without notifying users, in its decision.  Google has two months to appeal the decision to the French State Council. 

Last July, the Irish Data Protection Commissioner formalized and approved a Code of Practice for organizations suffering information security breaches:  the Personal Data Security Breach Code of Practice. The Code specifies that all data security incidents should be reported to the Data Protection Commissioner, except in very limited cases, and sets out additional risk minimization measures. 

Although the intention was that the Code of Practice would have legal force, the Irish Data Protection Commissioner has revealed that, at the current time, the Code is still not legally binding in Ireland because the final parliamentary measure that would have bestowed the Code with legal status was never undertaken.  Speaking at an Irish Computer Society event this week, Commissioner Hawkes said that "the code of practice that exists now is not legally binding - it's just strong recommendations."

Any Irish-based or multinational organization affected by a data security breach will want to consider this statement in assessing its reporting obligations.  For more information, see this article from the Irish Times.

The European Commission has proposed a Passenger Name Record Directive that would require airlines to provide EU Member States with data on passengers arriving from, or departing to, countries outside the EU.  Under the proposal, copies of such PNR data held on an airline’s reservation system would be transferred to a dedicated “Passenger Information Unit” in the Member State of arrival or departure, for the purpose of fighting serious crime and terrorism.  The Passenger Information Unit would be an authority (or a branch of an authority) with responsibility for preventing, detecting, investigating or prosecuting such offences.  The Directive would also require the Commission to undertake a study on applying these PNR transfer requirements to internal EU flights.

PNR is defined to mean “a record of each passenger’s travel requirements which contains information necessary to enable reservations to be processed and controlled by the booking and participating air carriers.”  According to the Commission, this would include data already collected by airlines for their own commercial purposes such as travel dates, itinerary, ticket information, contact details, means of payment and baggage information.  The Commission says that airlines would not be required to retain additional data under the Directive.  Transfer of “sensitive data” such as information revealing a traveler’s religious beliefs or political views would be prohibited.

The proposal could, however, face a tough review from the European Parliament, where arrangements to transfer PNR and financial data to the US have come under criticism on privacy grounds.  The European Data Protection Supervisor has also questioned the consistency of such PNR transfer requirements with individuals’ data protection rights, in particular the principle of proportionality.

The Commission maintains that access to PNR data is critical for combating serious crime and terrorism.  The Commission also notes that several Member States already have or are implementing PNR transfer requirements.  The Directive, the Commission says, will ensure a harmonized approach.

It is expected to take two years for a final agreement on the proposal to be reached with the Parliament and the Council, which represents Member States.

Following on from ENISA's recent report on cloud computing in government, Commissioner Neelie Kroes set out some further thoughts on a European Cloud Computing Strategy last week at Davos.  In an encouraging sign for cloud providers and European industry more broadly, Commissioner Kroes spoke positively about the need to ensure that effective data protection and the EU's Single Market do not clash with cloud computing, and her wish to make Europe "not just 'cloud-friendly' but 'cloud-active'."  To help achieve these goals, Commissioner Kroes indicated that her strategy would cover three broad areas: the legal framework regarding data protection and privacy; technical and commercial fundamentals, including research, security and technical standards; and the market, e.g., support for pilot projects aiming at cloud deployment.  Commissioner Kroes will be inviting cloud providers and cloud users to Brussels "for a series of intense consultations" in the spring.         

Hot on the heels of its report on data breach notifications in the EU, the EU's cyber security regulator, ENISA, published yesterday a new report on cloud computing in the government.  The report is targeted at senior managers of public bodies who are considering cloud computing platforms and services, and it aims to highlight the pros and cons of different cloud models with regard to information security and resilience.  The report summarizes relevant legal and regulatory considerations, and bases its analysis and conclusions on the examples of a healthcare authority and local public administration migrating to the cloud, and the creation of a governmental cloud infrastructure.

The report acknowledges that cloud computing has the potential to offer public administrations substantial benefits and improvements over current IT provisioning, such as increased availability and reliability, stronger security and better value.  However, the report recommends private and community clouds over public clouds, and ultimately urges European governments to adopt a staged approach in integrating cloud computing into their operations.

The European Parliament has approved a resolution asking the Commission to carry out an in-depth study of “new advertising practices.”  Parliament is concerned about “the routine use of behavioral advertising and the development of intrusive advertising practices (such as reading the content of e-mails, using social networks and geolocation, and retargeted advertising) which constitute attacks on consumers’ privacy.”

The resolution also calls on the Commission to ensure that existing rules are enforced and to undertake a number of additional actions, including: (i) prohibiting the reading of e-mail content by third parties for advertising or commercial purposes; (ii) ensuring the application of techniques making it possible to distinguish advertising tracking cookies from other cookies, and (iii) developing an EU website labeling system certifying a site’s compliance with data protection laws. 

The Commission is not obliged to take action in response to Parliament’s requests.  The Commission is, however, currently reviewing the European data protection framework and it's possible that the resolution could influence reform proposals expected next summer.

In 2009, 12 percent of EU businesses suffered security incidents due to hardware or software failures, according to a study released by Eurostat, the statistical office of the European Commission.  By contrast, incidents involving the destruction or corruption of data due to malicious software infection or unauthorized access were only reported by five percent of enterprises.  One percent of enterprises suffered a loss of data because of intrusion, pharming or phishing attacks.  The study also found that 50 percent of EU companies use a strong password (8 or more characters that are a mix of uppercase, lowercase, alphanumeric and special characters) or a hardware token to protect data.

The report has been issued as network and information security is once again moving onto the agenda of EU policy makers.  Parliament is expected to begin considering beefed-up legislation on cyber crime in the new year.  A breach notification provision applicable to all EU businesses is also widely anticipated to be included in the Commission's proposals to amend the Data Protection Directive, which are expected in the summer of 2011.