European Commission Proposal for Data Protection Regulation Delayed Again

An important vote in the European Parliament has been postponed for the second time. The vote of the LIBE committee, the lead committee for the proposed EU General Data Protection Regulation, which was initially scheduled for the end of April, had already been postponed until the end of May 2013 (see InsidePrivacy European Parliament's Lead Committee for the Proposed EU General Data Protection Regulation Postpones Vote, March 21, 2013).

Now, Mr. Albrecht, the rapporteur for the proposal in the European Parliament, has announced that in view of the huge number of proposed amendments, the May date is no longer tenable. A new date for the vote has not yet been scheduled, but Mr. Albrecht still aims to hold the vote on the proposed Regulation before the summer break. Despite some progress, numerous compromises still have to be struck before the European Parliament can start negotiations with the Council, which also still has to agree on a common position.

Google Fined by German Data Protection Authority Over WiFi Data Collection

The data protection authority in Hamburg, Germany, issued an administrative fine in the amount of € 145,000 against Google for its illegal WiFi data collection activities. This fine fell just short of the maximum amount for such fines under German data protection law, which is € 150,000 (in cases of negligence).  Between 2008 and 2010, Google Street View vehicles collected WiFi data while at the same time recording images for Google’s Street View program.  Google recorded the content of communications, including e-mails, passwords, photographs and chat-logs.

When these facts were first discovered in 2010, a German prosecutor initiated proceedings against Google.  Those proceedings were terminated in November 2012, but the Hamburg data protection authority subsequently investigated the same facts in the framework of administrative offence proceedings.  That data protection authority ultimately held that Google acted negligently in its unauthorized collection and storage of personal data and imposed the above-referenced administrative fine.  Google also was ordered to delete all illegally collected data and Google confirmed such deletion.

FTC Announces Workshop On The "Internet of Things"; European Commission Publishes Report

Yesterday, the Federal Trade Commission announced that it would hold a public workshop on November 21, 2013 on “the growing connectivity of consumer devices, such as cars, appliances, and medical devices”, also known as “the Internet of Things.”  The FTC will accept public comments (due June 1, 2013) in advance of the workshop.

In describing the Internet of Things, the FTC noted that consumers can already use mobile phones to adjust thermostats and open car doors and that these types of services and technologies are rapidly developing.  While the FTC recognized that these functionalities may have benefits for consumers, the FTC is seeking input on the “unique privacy and security concerns associated with smart technology and its data.”  For example, in a blog entry on the workshop, the FTC’s Business Center Blog asks, “What if when we drive near a grocery store, our refrigerator lets us know we’re low on milk?  Would that be convenient?  Disconcerting?  Or maybe a little bit of both?” 

Among the questions on which the FTC is seeking specific input are the following:


Article 29 Working Party Releases New Opinion on Purpose Limitation

By Ezra Steinhardt and Oliver Grazebrook

On April 2, the Article 29 Working Party (the “Working Party”) approved a new Opinion on a principle of European data protection law known as the “purpose limitation”.  The principle (which stems from Article 6(1)(b) of the Data Protection Directive) requires that data controllers only collect data for “specific”, “explicit” and “legitimate” purposes, and not process the data for further purposes that are incompatible with the purposes for which the data were originally collected.  As each of these terms has been interpreted differently in different Member States, causing potential confusion for data controllers operating in multiple jurisdictions, one of the main aims of the Working Party paper is to provide clearer, more harmonized interpretations of the principle.  The paper also aims to clarify the current legal framework generally and to assist policy makers in drafting the new EU data protection legal framework, and offers guidance on specific scenarios (such as so-called “Big Data” processing).


German Government Proposes Cybersecurity Law

Following the German Government’s adoption of a cybersecurity strategy back in February 2011, and only a couple of weeks after the publication of the European Commission’s CyberSecurity Strategy and proposal for a Directive on Network and Information Security (see InsidePrivacy EU Adopts CyberSecurity Strategy and Proposes Network and Information Security Directive, February 7, 2013), Germany has put forward its own proposal for a cybersecurity law.

On 5 March 2013, the German Interior Minister, Hans-Peter Friedrich, presented a draft IT Security Act, which would impose certain minimum IT security standards on operators of critical infrastructure as well as telecommunications and information society service providers.  The measure would introduce mandatory reporting obligations.


European Parliament's Lead Committee for the Proposed EU General Data Protection Regulation Postpones Vote

The Civil Liberties, Justice and Home Affairs (LIBE) Committee of the European Parliament (EP) -- the EP’s lead committee for the European Commission’s legislative proposal for a General Data Protection Regulation to replace the current EU Data Protection Directive -- was supposed to vote at the end of April on the proposed amendments to the draft Regulation. However, since the release of the rapporteur’s draft report on the proposed Regulation (see InsidePrivacy Draft report on the proposed EU Data Protection Regulation released, January 8, 2013), more than 3,000 amendments have been proposed by the different parliamentary committees involved in the process. The rapporteur, Green Member of the EP (MEP) Albrecht, has now been tasked with boiling the proposed changes down to 100 compromise amendments. The date for the LIBE Committee vote has therefore been postponed to 29 May 2013.

Despite this delay, MEPs are still hopeful of reaching an agreement with the EU Member States in the Council on the proposal before the elections in May 2014. This will require a huge effort by both the EP and the Council, both of which seem to be split into two camps: on the one hand, those who are pushing for a stricter set of rules, which reinforces both the obligations of companies and the rights of consumers and provides for increased enforcement powers; and on the other hand, those who want to lower the burden for businesses. The latter camp seems headed in the same direction as the Council with its recent calls for introducing a more risk-based approach into the proposal (see InsidePrivacy The Battle Lines are Clearing Up: The Irish Presidency Note on the Proposed General Data Protection Regulation, March 11, 2013).

EU Data Protection Working Party Sets Out App Privacy Recommendations

By Dan Cooper and Philippe Bradley

This week the Article 29 Working Party released its Opinion 2/2013 on apps on smart devices (WP 202), a 30-page report on mobile app privacy and data protection considerations. This development follows on the Working Party’s Statement on the draft General Data Protection Regulation on 27 February 2013 (which we previously discussed here). 

The report sets out several sets of prescriptive, but non-binding, recommendations that target app developers, app stores, OS and device manufacturers, and other third party participants in app ecosystems, such as advertisers and network operators that bundle apps with devices. 

This short post sets out a summary of some of the report’s less conventional prescriptions and recommendations, which could present participants in the European digital/mobile ecosystem with significant compliance challenges.


Article 29 Working Party Releases Further Comments on EU Data Protection Reform

By Oliver Grazebrook and Ezra Steinhardt

On 27 February 2013, the Article 29 Working Party published its latest statement regarding the draft General Data Protection Regulation (the “Regulation”), which continues to undergo revision in the European Parliament and Council.  (The latest European body to comment on the draft was the European Parliament's Committee on Employment and Social Affairs (EMPL), which published its opinion on the draft Regulation late last week.)

The Working Party statement stakes out the Working Party’s position on six key areas of the reform, including rules on consent, regulation of the public sector, and data transfers.  The statement was also accompanied by in-depth discussions about an “exemption for personal or household activities” and about how the “one-stop shop” rules will work when a controller is processing data in multiple jurisdictions. 


Must Google Forget You?

The Court of Justice of the European Union (“CJEU”) in Luxembourg heard argument yesterday concerning the “right to be forgotten”—specifically, whether search engines such as Google must block search results when asked by European citizens to remove references to themselves. 

This particular case—which is representative of approximately 200 similar cases in Spain—came before the CJEU when Google declined to comply with an order from the Spanish Data Protection Authority.  A Spanish citizen, Costeja, wanted Google to de-list references to a publication in a Spanish newspaper in 1998, which discussed the auction of Costeja’s house in connection with his failure to pay social insurance contributions.

Google has taken the position that search engines should not be obligated to remove links to valid (i.e., not incorrect, defamatory, or otherwise illegal) material that exists online.  Rather, only the original publisher can make the decision to remove such content; once it is removed from the source webpages, it will disappear from the search engine index.


ICO fines Sony £250,000 following the 2011 Playstation Network Platform data breach

On 24 January 2013, the UK Information Commissioner’s Office (ICO) announced that Sony Computer Entertainment Europe Limited (Sony) would be fined £250,000 following a data breach of the Playstation Network.  The breach occurred in 2011 when hackers accessed the personal details of “millions” of Playstation Network customers, including names, dates of birth, passwords, and other categories of data. 

Following an investigation, the ICO declared that the breach had been “preventable” had software been kept up to date, and stated that “[Sony] is a business that should have known better”. 

The monetary penalty notice redacts key details of the breach -- such as the precise number of Sony Playstation accounts affected -- but nevertheless reveals interesting details about how the ICO reached the decision to fine Sony £250,000, of which other companies should take note.

In particular, the notice cites aggravating factors, including, for example, the “vast amount” of personal data affected, and the ICO’s belief that Sony “should have been aware of the software vulnerability” that led to the breach.  The notice also cites mitigating factors that presumably reduced the scale of the fine, including, for example, the complexity of the Sony Playstation Network, a lack of previous security breaches, the fact that Sony received no complaints after the breach, and Sony's behaviour following the breach (Sony voluntarily reported the breach to the ICO, informed data subjects, and fully cooperated in the investigation).

A short Youtube video of David Smith, Deputy Commissioner and Director of Data Protection at the ICO, commenting about the breach, was also released, and is available here.

The ICO Responds to the Leveson Report

By Dan Cooper, Helena Marttila & Fredericka Argent

Following the 2011 News International phone-hacking scandal, the UK government commissioned an in-depth inquiry into the accusations made against the British press, to be conducted by Lord Justice Leveson.  The “Leveson Inquiry” was a full-scale investigation, which culminated in an approximately 2000-page report published in November 2012.  The report recommends significant, wide-ranging changes to the structure and regulation of news media reporting in the UK, including changes to the UK’s Data Protection Act 1998 (the “DPA”) and the role of the UK’s data privacy regulator, the ICO.

On 7 January 2013, the ICO published a response to the Leveson report. The first half of the ICO’s response deals with Leveson’s recommendations concerning the ICO, including the suggestion that the ICO should improve its understanding of the data protection regime regarding the press. In its response, the ICO promises to issue numerous policies and guidance relating to the use of personal data by the press. These include, for example, the introduction of a new dedicated section on the ICO website providing the public with information on their data rights regarding the media, the publication of a Code of Practice to be observed by the press when processing personal data, and an Annual Report to Parliament which provides regular updates on the effectiveness of any ICO guidelines and other measures.


Draft report on the proposed EU Data Protection Regulation released

by Monika Kuschewsky and Kristof Van Quathem

On January 8, 2013, MEP Jan Philipp Albrecht released his draft report on the proposed EU Data Protection Regulation.  Albrecht, of the European Green Party, is rapporteur for the Civil Liberties, Justice and Home Affairs (LIBE) Committee of the European Parliament, the lead Committee for the proposal.  His draft report will now be considered by the Committee members, who have until the end of February to table amendments before it is discussed in plenary. They will need this time, as Albrecht has tabled a total of 350 amendments to the proposed Regulation.  Those who expected a conciliatory report searching for compromise and practical solutions will be disappointed, as many of the proposed amendments would strengthen the rights of individuals and supervisory authorities and reinforce existing, or impose additional, obligations on companies.  As a result, the draft report is expected to be heavily criticized and amended in the months to come.

In terms of content, it is noteworthy that Albrecht puts greater emphasis on the Internet.  A number of the proposed amendments are closely related to online practices.  This is rather worrisome, as the proposed Regulation is not limited to online data processing, and care should be taken not to turn the General Data Protection Regulation into an Internet Data Protection Regulation.

We review the key points of the draft report after the jump. 


EDPS Suggests Amendments to the Commission Proposal for a new Regulation on Clinical Trials on Medicinal Products for Human Use

On 19 December 2012, the European Data Protection Supervisor (EDPS) and the Assistant Supervisor, M. Giovanni Buttarelli, published a new Opinion that sets out their views on the Commission proposal for a new Regulation on Clinical Trials on Medicinal Products for Human Use (the Regulation).  The Commission proposal, released in July 2012, touches on a variety of data protection issues, ranging from the legal basis that clinical research organisations (CROs) must rely on when processing sensitive health data gathered in clinical trials to the establishment of a centralized database at the European Medicines Agency (EMA) that is intended to store records of clinical investigators and adverse event reports from across Europe.

In general, the EDPS appears to have welcomed the Commission’s approach; apparently, the Commission draft was altered to adapt to early informal EDPS criticisms, and so already contains provisions that are relatively sensitive to data privacy concerns.  Perhaps surprisingly, the EDPS also refrains from commenting extensively on the Regulation’s approach to the issue of how clinical trial participants may provide informed consent to their participation in the trial.  However, the EDPS nevertheless does make a number of suggestions about how the draft Regulation should be further modified.  We discuss the particular suggestions after the jump.


ENISA Publishes New Guidelines for Smart Grid Cyber Security

By Jacqueline Clover and Ezra Steinhardt

In December 2012, the European Network and Information Security Agency (ENISA) published a set of (non-binding) Guidelines titled, “Appropriate security measures for smart grids; Guidelines to assess the sophistication of security measures implementation”.  The Guidelines are intended to help EU Member States and smart grid stakeholders improve the resilience of smart grid cyber security systems against cyber threats and attacks, and follow on from a pair of European Commission initiatives that have called for improved security of European electricity networks:  the Commission’s Standardization Mandate to support European Smart Grid Deployment, released in March 2011, and the Commission’s Recommendation on the roll-out of smart metering systems, released in March 2012.  The latter document encourages EU Member State electricity network providers to consult the ENISA Guidelines when implementing smart grid security measures.

The Guidelines stress the importance of data privacy for smart grid stakeholders, and note that many such stakeholders “still have little experience in these areas”.  The Guidelines do not set out to address data privacy concerns per se, but the information security measures proposed by the Guidelines will also be of use to controllers, who must take adequate organizational and technical measures to protect personal data under European data protection law. 

The Guidelines aim to harmonise and establish minimum cyber security standards and best practices for European smart grids.  The Guidelines identify ten smart grid security issue areas and make security recommendations for each area.  To take into account different smart grid characteristics, such as the size of the grid or the types of services provided, and correspondingly different risk profiles, the Guidelines accommodate varying degrees of security measure implementation (“sophistication levels”).  Some security measures (or security issues) discussed by the Guidelines include:

  • Protection of sensitive information processing facilities;
  • Encryption methods for sensitive data during storage and transmission;
  • Controlling access to critical asset information, and the use of secure remote access methods;
  • Precautions against malware and viruses;
  • Timely technical upgrades to smart grid information systems;
  • Segregation of information services and information systems into groups and networks;
  • Protection of security audit information;
  • Security policies and monitoring of grid information systems;
  • Staff cyber security training programs, personnel risk assessments, and staff security responsibilities and oversight;
  • Third party agreements (e.g., with external suppliers and contractors) and monitoring of third parties to preserve confidentiality;
  • Communication with relevant authorities and cyber security interest groups (i.e., to stay ahead of the latest vulnerabilities and threats);
  • Maintaining updated inventories of all smart grid components and systems;
  • Management of authentication credentials, user names, etc.; and
  • Policies for secure disposal of smart grid components and systems.

The smart grid provider should conduct a risk assessment when determining how to implement and maintain the above measures. 


Google Executives Acquitted in Italian Privacy Case

On Friday, an Italian appeals court in Milan overturned the 2010 criminal conviction of three Google Inc. executives for violating the privacy of a disabled boy by allowing a video of students bullying him to appear on Google Video. In February 2010, a court handed down six-month prison sentences to three senior Google executives—Senior Vice President and Chief Legal Officer David Drummond, Global Privacy Counsel Peter Fleischer and former Google Italy board member George De Los Reyes. None of the executives were based in Italy, and Google has said the executives had nothing to do with the upload.

The convictions stemmed from a video that four students at a Turin school uploaded to Google Video in 2006 showing them bullying the disabled boy. The prosecutors accused Google of negligence, saying the video remained online for two months even though some Web users had already posted comments asking for it to be taken down. The 2010 ruling set a precedent in Europe for one of the most sensitive issues facing video sites such as Google’s YouTube: whether Internet operators can be held liable for content that is posted on video sites by third parties.

The executives did not attend Friday’s hearing. Their original sentences had been suspended pending the outcome of the appeal, so none of them were imprisoned. Reasons for Friday’s decision will be made public in 60 days.

ICO Releases New Guidance on Destruction of Electronic Equipment

By Bonnie Drury and Ezra Steinhardt

The Information Commissioner’s Office (ICO) has produced new guidance on “IT asset disposal for organisations” to help data controllers understand their responsibilities relating to the destruction and disposal of electronic equipment.  The guidance, which addresses one of the areas where organizations are most frequently fined under the UK Data Protection Act 1998 (DPA), explains how controllers should create an asset disposal strategy, take measures when engaging IT disposal companies, and assign responsibility for IT asset disposal within their organization.  These measures are intended to help controllers comply with the seventh principle of the DPA, known as “information security”, which requires data controllers to take measures to ensure the security of the personal data they process. 

There are three main elements to the ICO’s guidance:

  • Create an asset disposal strategy. The organisation should formulate an information security policy that includes a section on procedures for IT asset disposal and data deletion.  This section should include information about the devices used by the organization to process personal data; the nature of such personal data; how the devices will be disposed of when they are no longer needed; and how the risks associated with the disposal process will be assessed.
  • Engage an IT disposal company. If the organization employs a specialist asset disposal company to deal with the devices, this company will likely be defined as a “data processor” under the DPA. As a result, a written contract should be put in place between the parties, detailing the organization’s instructions for disposal of the assets. The organization should monitor and audit the disposal process to ensure that the asset disposal service provider is complying with its instructions.
  • Designate an asset disposal champion. A member of the organization with a suitable level of authority should have responsibility for IT asset disposal. This person should be aware of which devices leave the organization, what personal data is stored on them, and who has responsibility for erasing the personal data.

EU Competition Commissioner: Data Privacy Could Become a Competition Issue

Speaking in Brussels yesterday on “Competition and Privacy in Markets of Data,” EU Competition Commissioner Joaquín Almunia observed that privacy is “becoming one of the central debates of our time.”  Technological and commercial developments have strengthened companies’ ability and incentive to “gather, manipulate and trade personal data.”  Because “personal data are a type of asset for many companies,” Almunia noted that “in time, personal data may well become a competition issue.” 

For example, concentration concerns could exist if a company has “exclusive access to personal data in a given market.”  Almunia noted that the investigation of the 2008 Google-DoubleClick merger examined whether the combination of information on search behavior and web-browsing behavior would provide a competitive advantage in the advertisement business unavailable to other firms lacking similar web-usage data. 

Almunia pointed to data portability as another area that could fall under competition regulators’ purview, “if customers were prevented from switching from a company to another because they cannot carry their data along.”  Data portability is currently a significant issue of contention in Europe, in part because the proposed Data Protection Regulation would grant data subjects the right to obtain and export data in a standardized format.  Some companies in the IT sector oppose the proposed right to data portability on the ground that lock-in should not be treated as a data privacy issue, and should instead be dealt with under competition rules. 

Commissioner Reding Speaks to the European Council on the Proposed Data Protection Regime

By Fredericka Argent and Ezra Steinhardt

On 26 October 2012, Commissioner Viviane Reding, the Vice President of the European Commission, gave a speech in Luxembourg following the conclusion of a meeting of the Justice Council (a body of ministers representing Member State justice and home affairs departments, and part of the European Council).  The speech covered a variety of topics, including an update on Commissioner Reding’s positions on the proposed new data protection regime. In particular, businesses may be interested to learn that Commissioner Reding offered to review the number of “delegated act” provisions in the legislation, potentially reducing the scope for future uncertainties.  The Commissioner acknowledged a variety of concerns raised by the Member States, and observed that the legislative negotiations in the European Parliament and Council were now at a “crucial stage”.

The Commissioner used the speech as an opportunity to describe three “proposed solutions” to the criticisms of the bill levied to date.  Each solution represents a change from the Commission’s previous negotiating position, and also possibly a step towards compromise among the three law-making European institutions.


The European Court of Justice Rules That Austria's Data Protection Authority Is Not Sufficiently Independent

On 16 October 2012, the Court of Justice of the European Union (“CJEU”) ruled in favour of the European Commission in its claim against Austria that the Austrian Data Protection Authority, the Datenschutzkommission (“DSK”), was not independent from the Austrian government as required under Article 28 of the EU’s Data Protection Directive. The Commission’s action was supported by the European Data Protection Supervisor ("EDPS"); Austria’s defence was supported by Germany.

Article 28, which was the focus of the case, requires data protection authorities to “act with complete independence in exercising the functions entrusted to them”. This principle is also made clear in the Charter of Fundamental Rights of the EU and in the Treaty on the Functioning of the EU ("TFEU").


CNIL and Article 29 Working Party Release Report on Google Privacy Policy

By Dan Cooper & Ezra Steinhardt

On 16 October, 2012, the French data protection authority, the CNIL, released a report on behalf of the Article 29 Working Party that examines Google’s compliance with European data protection law.  The report marks a new stage in an investigation which began nine months ago, when Google announced that it intended to change its online privacy policy.  The report finds that Google’s new privacy policy (which came into effect on March 1) does not yet comply with European law in a number of important respects, and challenges Google to commit publicly to certain European data protection principles, including principles of “purpose limitation” and “data minimization”. 

The report, released together with an annex, makes a number of recommendations to Google, including, for example, recommendations:

  • That Google enhance its notices to users by becoming more specific about what types of data Google processes and combines, and for which services; by introducing new interactive privacy notices; by adding more in-product and product-specific privacy information; and so on;
  • That Google simplify the various opt-out mechanisms that it provides to users, and make them available in “one place”; and
  • That Google obtain explicit user consent for the combination of user data for certain purposes.

A variety of other recommendations are also made in the annex (for example, Google is asked to clarify that users are not required to sign up to Google Accounts using their real names).

In a morning press conference, CNIL President Isabelle Falque-Pierrotin said that she would allow Google a period of “a few months” to respond to the recommendations.  If Google takes no action by that time, she said the CNIL will consider litigating against Google in national French courts.

In a separate letter, other data protection authorities, from Australia, Canada, Mexico, Hong Kong and Macao (representing the Asia Pacific Privacy Authorities Forum) also endorsed the findings.
