UK Government prepares new legislative proposal to modernise communications data monitoring law

On 1 April, 2012, the UK press reported that the UK Home Office is preparing to propose new legislative reform of the communications data monitoring law, in the Queen’s Speech in May.  The press reports, and the response from the Home Office on 3 April 2012, provided some further details on a programme that was first announced (without detail) by the current Government in October 2010 in the Strategic Defence and Security Review.  The programme, which resembles a predecessor plan under the prior Labour Government named the “Interception Modernisation Programme”, is now known as the “Communications Capability Development Programme” (CCDP). 


European Mobile Operators Agree to App Privacy Guidelines

This week, the U.K.-based GSM Association unveiled voluntary app privacy guidelines, which are being implemented by several major European mobile telephone service operators for their own branded applications.  According to the GSM Association, the companies adopting these guidelines include Deutsche Telekom, France Telecom - Orange, Telecom Italia, Telefónica, and Vodafone.  This development follows last week's announcement of an agreement by Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research in Motion to ensure that mobile device apps that collect personal information contain privacy policies.

The GSM Association guidelines are designed to apply to all parties in the app or service delivery chain that are responsible for collecting and processing a user's personal information, including developers, device manufacturers, platforms, mobile operators, and advertisers.  The guidelines encourage the development, delivery, and operation of mobile apps that help users understand what personal information an app may access, collect and use; what the information will be used for, and why; and how users may exercise choice and control over this use.

Examples illustrating practices the GSM Association considers compliant and noncompliant with these guidelines are also provided.

UK ICO Issues Updated Guidance on the Rules on Use of Cookies and Similar Technologies

By Dan Cooper and Maria-Martina Yalamova

On December 13, 2011, the UK data protection authority (the “ICO”) issued updated guidance on the new cookie rules (Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011) implemented as part of the review of the EU e-Privacy Directive.  The guidance is intended to help website operators and those using cookies understand how the rules apply.  As we reported earlier, when the rules were first introduced in May 2011, the ICO made it clear that it would be unlikely to take formal action against those who are taking steps to comply with the rules during a 12 month lead-in period.  When this transition period ends in May 2012, the regulator will expect companies that have not yet achieved full compliance to be able to provide a clear timescale for when compliance will be achieved and demonstrate that steps are being taken to make that happen.  Highlighted below are some of the more notable aspects of the guidance.

Scope.  The guidance confirms that the rules will apply to websites using cookies and other similar technologies for storing or sharing information, such as Local Shared Objects (so-called “flash cookies”), web beacons, web bugs, and so forth.  The requirements apply equally to cookies set on computers, mobile devices, and other terminal equipment, such as internet-enabled televisions and games consoles.

New obligations.  The ICO has made it clear that under the new rules, organizations deploying cookies (and similar technologies) must:

  • inform subscribers and users that the cookies are there;
  • explain what the cookies are doing; and
  • obtain subscriber or user consent to store a cookie on a device.

The ICO makes it clear that providing information about cookies by means of company privacy policies or website terms and conditions will no longer be sufficient to achieve compliance.  Organizations will need to be more pro-active in providing information to subscribers and users.

Exceptions.  Under UK law, some exceptions will apply to the notice and consent rules, notably where the use of the cookie is:

  • for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • where such storage or access is strictly necessary (i.e., essential, rather than reasonably necessary or important) for the provision of an information society service requested by the subscriber (i.e., the person who pays for Internet connection) or the user (i.e., the person using a computer or a mobile phone to browse the Internet).

An “information society service” is defined in Article 2(1), Electronic Commerce (EC Directive) Regulations 2002 as “any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing and storage of data, and at the individual request of a recipient of a service”.  These exemptions are the same as those that appear in the EU-level directive, the e-Privacy Directive 2002/58.

Consent.  Absent an applicable exception, the cookie rules require that a subscriber or a user consents to the deployment of a cookie on their device.  Prior consent is not expressly required (and may not be technically feasible in some cases), but website operators must be able to demonstrate that they have expended effort to reduce the amount of time before a subscriber or user receives information about cookies and is provided with clear options.  At present, the ICO discourages websites from relying on implied consent due to the relatively low user awareness of the functions and use of cookies.  However, as consent mechanisms evolve and user awareness improves, there is a suggestion that the position may change.

Obtaining consent in practice.  The ICO paper highlights a number of consent mechanisms that companies may rely on to achieve compliance, such as pop ups or “splash pages”; message and header/footer bars (particularly in the case of occasional website visitors); information on cookies in terms and conditions presented when a user signs up to a service; settings-led consent (e.g., “remember me?” prompts); and feature-led consent.  The ICO discourages the use of browser settings as a means to obtain valid consent on the basis that today’s browsers are not sophisticated enough to adequately reveal a subscriber or user’s informed consent. 

Notice.  Under the guidance, there is no prescribed format for furnishing adequate notice, but text must be sufficiently full and intelligible for subscribers and users to understand the potential consequences of accepting cookies.  When a website allows third parties to set cookies on a subscriber or user’s device, it must provide clear and comprehensive information to the individuals and allow them to make an informed choice. 

Analytical cookies.  Setting analytical cookies on a user’s device also will require consent as they do not fall within the “strictly necessary” exception criteria.  Where websites do not have a relationship with users (e.g., users simply visit the site to browse), they must ensure information about cookies is highlighted in a prominent place (not just made available via a general privacy policy link).  Where the information collected from a subscriber or user is shared with third parties, this should be made absolutely clear.

Responsibility for compliance.  As a general rule, the organization setting the cookie is responsible for compliance with the UK rules.  However, where third-party cookies are set through a website, both parties are jointly responsible for compliance, but either party may obtain consent. 

House of Lords Calls for a Privacy Commissioner

By Dan Cooper and Maria-Martina Yalamova

An amendment tabled in the House of Lords during debate on the Protection of Freedoms Bill 2010 - 2011 has called for the creation of a dedicated Privacy Commissioner.

The proposed establishment of a single Privacy Commissioner seeks to correct the existing proliferation of UK commissioners with strictly circumscribed powers and create an organization that is sufficiently flexible to navigate through the ever-changing technology and privacy policy landscapes.

If the Bill receives Royal Assent and becomes law, the new Commissioner will supersede the current UK Information Commissioner and reflect a more holistic approach of protecting individual privacy in all of its aspects rather than regulating personal data alone.


UK Government Opens a New Consultation on Access to Public Data

On 4 August, 2011, the Cabinet Office of the UK Government opened a new public consultation on disclosure and access to public sector data.  The consultation, which seeks to "establish a culture of openness" in the public sector, comes soon after a statement from the ICO suggesting that public sector organisations should respond to Freedom of Information requests even when they are made via Twitter.  

The consultation will explore ways to make government more transparent, both by increasing rights of data access for individuals, businesses and organisations, and by enhancing transparency standards within government to increase government accountability.  The consultation will also ask stakeholders whether they believe the Information Commissioner's Office has sufficient powers to enforce government transparency (primarily through Freedom of Information Act legislation).  

In an effort to make government data more useful to individuals, NGOs, and industry, the document also envisages the release of more useful and compatible data sets, so that better use can be made of public data.  In this context the consultation will explore whether standards for data publication can be established, how the release of different datasets should be prioritised, and how government should use (and allow the use of) its data inventories.

Responses to the consultation must be received by 27 October 2011.

Commission Launches Enforcement Proceedings Against 20 Member States on "Cookie" Rules

On July 19, 2011, the European Commission announced that it sent formal requests for further information to 20 Member States regarding their failure to implement the EU's new package of telecoms rules.  The rules, which include amendments to the E-Privacy Directive to create new consent requirements for the use of most web cookies, were required to be enacted by the Member States by May 25, 2011.

As we described here (http://www.insideprivacy.com/international/united-kingdom/on-first-day-of-new-uk-cookie-rules-ico-issues-a-1-year-moratorium-on-enforcement/) previously, the new measures have been delayed in many Member States over questions regarding how such consent requirements and breach notifications will work in practice.  Some Member States are also clearly hoping that new browser settings will be developed in order to facilitate adequate user consents.  Meanwhile, other Member States have implemented the new rules but subsequently also adopted a cautious stance over enforcement of the new rules.  As reported previously, the UK's rules are now in force, but the UK ICO added on the legislation's first day that it will not substantively enforce the new cookie rules until May 2012.  Although the UK does not appear to be in the firing line, the Commission is clearly taking a dim view of such ongoing concerns.  It is unusual for enforcement proceedings to be launched so quickly and against so many Member States.

This enforcement action comes on the heels of other significant Commission activity in relation to the e-Privacy amendments.  Fearing the birth of new divergences in national laws as they languish in the legislatures, on July 14, 2011, Commissioner Neelie Kroes launched a new consultation (http://ec.europa.eu/information_society/policy/ecomm/library/public_consult/data_breach/index_en.htm) on how the new data breach notification requirements for electronic communication service providers should be carried out in practice.  The consultation will focus on the circumstances that trigger a data breach notification obligation, the practical procedures that should be followed when making a notification, and the information that such notifications will include.  Responses can be submitted until September 9, 2011.

UK ICO Calls for More Privacy Audits

The U.K. Information Commissioner's Office (ICO) issued a press release yesterday calling on companies to undergo more data protection audits.  (Currently, only some public sector entities in the UK can be compelled to undergo audits -- the ICO can effectively only request to audit a private sector company).  The ICO issued the "warning" after releasing new figures that show that the private sector was responsible for almost a third of all data breaches in 2010/2011, and that only 19% of private sector organisations voluntarily agreed to undergo audits by the ICO (compared to 71% in the public sector).  The Information Commissioner Christopher Graham proceeded to single out lenders and direct marketing companies as the worst culprits, saying that "many of them are still resisting our offer to undergo audits."

The ICO also released new figures about the progress of such audits, which show that the ICO performed 26 audits in 2010/2011 -- a 60% increase on the previous year.  The figures also reveal that over 90% of ICO recommendations were acted upon following an audit.

Additionally, the ICO released its full Annual Report and held an online webcast and Q & A session on its annual performance.  While further questions can still be submitted, one colourful answer by the Commissioner regarding the new cookie rules (see our previous posts here, here and here) has already been published:  "Website operators", he said, "[should] take their 'consent' obligations seriously under the Privacy and Electronic Communications Regulations -- because I'll be after them if they don't."

On First Day of New UK Cookie Rules, ICO Issues a 1-year Moratorium on Enforcement

Late yesterday the UK ICO issued a new press release and guidance on its plans to enforce the new UK "cookie regulation," which was enacted by the UK Government to implement the EU's e-Privacy Directive.  

The new release, which follows previous ICO guidance outlining how businesses might comply with the new rules (see my previous post), declared that the ICO intends to pursue enforcement with a "light touch" and promised that the ICO will not take enforcement actions against businesses using cookies in the UK without user consent for a 'lead-in' period of one year.  The new rules, which come into effect today, require websites to obtain consent from users when placing cookies on the user's devices. The UK Government has interpreted this requirement to entail specific opt-in consent from users, but it has also specified that consent can be obtained after the cookie has been placed on the user's device, i.e., retroactively.  Businesses will now have a grace period for compliance, but the ICO has warned that those who "do nothing" for this period will find that factor being taken into account when the ICO begins enforcement actions next year.

Christopher Graham, the Information Commissioner, said of the new policy that "I have said all along the new EU rules on cookies are challenging….Browser settings giving individuals more control over cookies will be an important contributor to a solution. But the necessary changes to the technology aren’t there yet."  The ICO's new release was accompanied yesterday evening by an open letter from Ed Vaizey, the Minister for Culture, Communications and Creative Industries, in which the Department for Culture, Media and Sport endorsed the ICO's new approach and explained its take on the new regulation.

The new regulation also grants the ICO new powers.  The Commissioner may now impose financial penalties on telecoms and Internet service providers who suffer data breaches without telling the ICO; audit service providers without their consent (although, according to new guidance, consent will still be sought before this power is used); and impose civil penalties, especially on businesses sending unwanted marketing calls and text message spam.

UK ICO Issues New Guidance Clearly Requiring Opt-In Consent for Cookies

Following its vague warning on cookies in March, and confirmation last month that the UK would adopt the amended EU rules on cookies verbatim, the UK ICO has now issued new guidance that makes it clear that websites must obtain users' consent before storing cookies on devices.  The guidance, which relates to amendments to the UK e-privacy legislation that come into force on 26 May, 2011, issues a stark warning to companies that they "cannot ignore these rules".

The new guidance focuses on new European rules that require businesses to obtain user consent before placing cookies on their computers.  Previous measures, which included informing users that cookies were being used and offering 'opt-out' procedures, will no longer be sufficient.  The guidance sets out various ways in which the user's consent may be validly obtained, including via pop-ups, terms and conditions of use, and 'feature-led' consent.  The guidance notes that the list of methods for obtaining consent is not exhaustive, though states that browser settings currently are not "sophisticated enough" to allow websites to assume that users have given consent.

There is an exception to the new rule -- user consent will not be required if the use of the cookie is 'strictly necessary' for the operation of the service requested by the user.  Examples include cookies that enable online 'shopping baskets', for example, where a site needs to remember what was placed in the 'basket' before it is paid for by the user.  However, the ICO does warn that this exception should be interpreted "quite narrowly".

In terms of enforcement, the guidance suggests that businesses which show they are considering how to change their policies to comply with the new rules will not face penalties if they have not fully implemented the change by 26 May, 2011.  This reflects an earlier statement from the UK Communications Minister, Ed Vaizey,  that the government does not expect the ICO to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies.  The ICO has stated that further detailed guidance on enforcement procedures is also in the pipeline.

UK Information Commissioner Issues (Vague) Warning on Cookies

Since the 2009 amendments to Article 5(3) of the ePrivacy Directive (2002/58/EC) regarding cookies and consent, there has been considerable debate over what web sites and ad networks must do in order to deploy cookies lawfully, and over what constitutes informed consent from users (e.g., opt-in versus opt-out).  For a flavour, see the Article 29 Working Party Opinion 2/2010 on online behavioural advertising, strong opposition to this opinion from industry (pointing out that an opt-in consent regime for cookies would seriously disrupt online services), and even comments from the rapporteur for the Directive, Alexander Alvaro, trying to clear up what is required. 

Member States have until May of this year to implement these changes to the Directive in national law.  Following early indications that the UK would reject an opt-in system for cookies and simply copy the wording of the Directive leaving it to the UK Information Commissioner (“ICO”) to adjust to changes in usage and technology, the ICO today issued a warning to businesses and other organisations that run websites in the UK that they are going to have to “wake-up” to the fact that changes are being made soon. 

Although it is still not clear exactly what they are going to have to “wake up” to, industry may take some solace from the ICO's statement that “changes must not have a detrimental impact on consumers nor cause an unnecessary burden on UK businesses,” and that “one option being considered is to allow consent to the use of cookies to be given via browser settings.”   Ed Vaizey, Minister for Culture, Communications and the Creative Industries, also said that the Government does not expect the ICO to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies.

It therefore remains to be seen how the law will be implemented and enforced in the UK (as well as in the other Member States).  The Internet Advertising Bureau has issued a reaction to the ICO statement, expressing concern about confusion for consumers and businesses following the ICO's warning, and emphasising that industry is working hard with the UK Government, the ICO and other stakeholders on potential solutions to help meet the informed consent provisions of the law.

UK Extends CAP Code Restrictions to Online Businesses

On March 1, the scope of the UK's Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing ("CAP Code") was significantly expanded to apply to a variety of new technologies, including online social networks, online video advertisements, viral advertisements, in-game advertisements, and advertisements transmitted via web widgets, and online sales promotions and prize promotions.  The Code regulates non-broadcast marketing communications in the UK, and includes rules intended to prevent misleading or deceptive advertising, as well as to protect vulnerable classes, including children. 

Going forward, advertisements and other marketing communications by or from companies, organizations or sole traders on their own websites, or in other non-paid-for space online under their control, that are directly connected with the supply or transfer of goods, services, opportunities and gifts will fall under the Code. 

The CAP Code underpins the UK's self-regulatory framework for regulating marketing and promotional communications over non-broadcast mediums, and the Committee of Advertising Practice (CAP) and the UK's Advertising Standards Authority (ASA) oversee its application and enforcement, with backstop enforcement provided by the UK's Office of Fair Trading. 

UK Government Opts In to EU Fingerprint Database

This past week, the United Kingdom Minister of State for Immigration, Damian Green, announced that the UK will join the Eurodac fingerprint database, a large centralized database containing the fingerprint data of asylum seekers and illegal border crossers who are found within EU territory.  According to Green, the move will assist Europe in streamlining its immigration processes.  The Eurodac regulation, which governs the operation of the fingerprint database, is designed to prevent abuse of asylum processes by helping European governments ascertain the most appropriate jurisdiction for asylum applications, thus making it difficult for asylum seekers to make applications for asylum in several Member States at once.

Predictably, this move has met with criticism from privacy rights organizations who have voiced concerns over the government’s readiness to share personal information with foreign states whose law enforcement systems display varying degrees of accountability.  For their part, immigration control advocates applaud the move as an important law enforcement tool and argue that adequate controls are in place to avoid abuses of the Eurodac system.

Come Clean on Paid-For Tweets, says UK Authority

The Office of Fair Trading, the UK's answer to the FTC, has established its position on paid-for plugging on social media websites.  According to an announcement issued last month by the OFT relating to an enforcement action pursued against a small UK media firm, online advertising and marketing that fails to disclose that it contains paid-for promotions or commentary on particular products is misleading to the public and potentially a violation of UK consumer protection laws.  This applies not only to traditional marketing, but to commentary about services and products published on web blogs and microblogs such as Twitter.

There is some anticipation that the OFT will launch a crackdown on celebrities who are given financial incentives to "tweet" about their favorite products.  When questioned, though, a spokesperson for the OFT was tight-lipped about its enforcement approach going forward.  Importantly, no concrete guidelines on appropriate behaviour have been developed in the UK yet.  The FTC, however, released guidance more than a year ago on product testimonials and celebrity endorsements.  For more information, please refer to Covington & Burling's client e-alert discussing these guidelines.