Institution: Linklaters, Technology Media and Telecommunications, Issue 63
Subject: EU Guidance on which cookies are exempt from the new consent requirements
Date: July 2012

Copyright and disclaimer: The content of this document may be subject to intellectual property rights of certain parties involved; you are granted no rights in these. M&D Seminars provides you with information through this document but does not give advice. M&D Seminars does not guarantee that the information in this document is free of errors. You use the content of this document at your own risk. Neither M&D Seminars nor any of its directors, shareholders or employees is liable for special, indirect, incidental, consequential or punitive damages, nor for any other loss of whatever kind arising from the use of this document and its content. M&D Seminars 2012. M&D Seminars, Eikelstraat, De Pinte, info@mdseminars.be

July 2012. Technology Media and Telecommunications. Data Protection

EU: Linklaters obtains Binding Corporate Rules approval

Linklaters' binding corporate rules were approved by the UK Information Commissioner on 1 June 2012 (available here). Binding corporate rules are a set of group-wide binding privacy commitments. They allow worldwide transfers of personal data within Linklaters in full compliance with European data protection laws. A number of organisations in other industry sectors have adopted binding corporate rules, but this is the first time that a law firm has obtained approval.

Scope

The binding corporate rules cover transfers of personal information about both clients and employees between Linklaters' 28 offices in 20 jurisdictions worldwide. The rules were authorised under the mutual recognition procedure, with the UK Information Commissioner acting as lead regulator and the Belgian Privacy Commission and the German Hesse data protection authority acting as co-lead regulators.

Binding corporate rules are not the only means of achieving compliance with European rules on international transfers of personal data, but they are the most flexible. Alternative approaches, which may suit certain organisations, include the use of intra-group agreements and adhesion to the US Safe Harbor. For other organisations, however, binding corporate rules are becoming an increasingly attractive option for achieving compliance.

Revisions to European data law

The proposed changes to European data protection laws also place a lot of emphasis on accountability, for example appointing data protection officers and ensuring that appropriate processes and procedures are in place. Binding corporate rules provide a helpful platform to prepare for these changes. Linklaters LLP has worked and continues to work on a number of other binding corporate rules applications for its clients, with further authorisations expected in the near future.

By Tanguy Van Overstraeten, Brussels, and Richard Cumbley, London

Contents
EU: Linklaters obtains Binding Corporate Rules approval ... 1
EU: How is the new cookie law being implemented across Europe? ... 2
EU: Guidance on which cookies are exempt from the new consent requirements ... 7
EU: New data protection mechanism to ease international outsourcings ... 9
EU: Working Party Opinion on developments in biometric technologies
Belgium: Implementation of the EU Telecom Package
Belgium: Court condemns identity theft on Facebook
France: The CNIL issues its investigation programme for
France: New data breach notification obligations take effect
Germany: Working Paper on cloud computing published
UK: Subject access requests & the problems with unstructured data
UK: Smeaton v Equifax: What must you do to ensure personal data is accurate? ... 28

Issue 63, July 2012

EU: How is the new cookie law being implemented across Europe?

One of the more controversial amendments to the eprivacy Directive is the requirement to obtain consent for the use of certain cookies. This requirement should have been implemented by Member States over a year ago. Some have done so, but a significant minority have not. We look at different positions across Europe, from early adopters, such as the UK and France, to the late developers, such as Belgium, Poland and Germany.

The cookie law

The cookie law continues to be controversial, but it is hard to say it is new. The European Union added these provisions to article 5 of the eprivacy Directive in November 2009 as part of a major overhaul of the European telecoms law framework. These changes should have been implemented in all Member States by May. However, a significant minority have yet to do so. At the end of May, the European Commission decided to refer Belgium, the Netherlands, Poland, Portugal and Slovenia to the European Court of Justice for failing to implement these changes into their local law.

The law itself only permits the storage of, or access to, information on the terminal equipment of a subscriber or user if that subscriber or user has been informed and has given consent. It therefore applies to a wide range of technology, but most of the focus has been on http cookies.

One of the most difficult issues with the new law is the need for consent. This has created a number of unresolved questions:
> what is meant by consent? Does it need to be express or can it be implied? Does it need to be given prior to a cookie being set?
> how should consent be obtained in practice? Is it best to use a banner advert, pop-up or notice on the website?
> can consent be given through internet browser settings? The amended eprivacy Directive expressly recognises this as possible, but are current browser settings sufficient?
> consent is not needed if the access or storage is for the purpose of a communication or strictly necessary for a service explicitly requested by the user, but how does this exemption apply in practice? We consider this particular point elsewhere in this newsletter.

We consider how these issues have been dealt with in a selection of Member States.

Early adopter: UK

The UK's response to the cookie requirements is at quite an advanced stage. It implemented these requirements in May 2011 through amendments to the Privacy and Electronic Communications (EC Directive) Regulations. Recognising that it would take some time for websites to comply with these requirements, the Information Commissioner adopted an informal moratorium on any enforcement action until May. The law itself is a fairly faithful reproduction of the requirements of the eprivacy Directive and includes an express reference to consent being obtained through browser settings.

The law has been supplemented by very full guidance from the Information Commissioner, which has been updated on a regular basis. It is now in its third edition and is available here. The guidance provides an explanation of how cookies work and clarifies the Information Commissioner's interpretation of the law. In particular, the Information Commissioner considers that:
> it might be possible to obtain implied consent to the use of cookies, but this must normally be given prior to the cookie being set. It is hard to see how consent could be valid if it is given after the cookie is set;
> there are a number of different ways in which organisations can obtain consent, particularly given that it may be possible to rely on implied consent. However, the more intrusive the cookie is, the greater the steps necessary to obtain consent; and
> whilst it is possible to get consent through browser settings, current browsers are not sufficient for this purpose. The Information Commissioner is also concerned about the number of users likely to be using legacy browsers.

The maturity of the UK's response to these laws is evidenced by the fact that it is already starting to enforce them. The Information Commissioner wrote to 50 organisations at the end of May asking for details of their compliance with these requirements. The response to those enquiries could well lead to further enforcement action.

Early adopter: France

France is also relatively well advanced, having implemented these requirements through Ordinance n° of 24 August 2011 on electronic communications. This amends the existing provisions on cookies in Article 32 II of Law n° of 6 January 1978 (the "French DPA"). The French implementation of the law again closely mirrors the amended eprivacy Directive and expressly mentions that consent may be granted by appropriate parameter settings in the user's connection device. It is supplemented by a recently issued opinion of the CNIL (the French Data Protection Authority) on the application of these laws in practice (available here). The guidance makes a number of interesting points, for example:
> the user's consent must be free, specific and informed, meaning that the user shall be able to choose which cookies are used and for what purpose. Consent need only be given or refused once. Accordingly, the CNIL suggests it may be possible to use a "refusal cookie" that, provided the user agrees to it, would remember the user's choice to refuse the storage of a cookie on their computer;
> the CNIL lists examples of ways to get consent, such as a banner at the top of a web page, an area superimposed on a web page or boxes to check at the time of subscription to an online service. However, obtaining consent through general conditions of use is not likely to be valid, and pop-up windows are not recommended because they are often blocked by browsers; and
> the settings of current browsers are not sufficient to demonstrate consent, as they are difficult to use and differ significantly from one to another. In addition, websites do not have the technical capability to accurately check browser settings. Thus, the CNIL considers that current browsers may not be regarded as granting clear and complete information to the user when asking for consent.

The guidance also stresses that all cookies are subject to the provisions of Article 32 II, including those which do not contain personal data.

Recent implementation in Belgium

Belgium is one of the Member States against whom enforcement action has been taken, with the European Commission referring Belgium to the European Court of Justice at the end of May. It was at the time already in the process of implementing the cookie law and has now adopted the Law of 21 June 2012 introducing various provisions regarding electronic communications (the "Belgian Law"). This law still needs to be published before coming into force. It will implement the cookie rule into Belgian law in Article 129 of the e-Communications Law. In doing so, it largely follows the text proposed by the amended eprivacy Directive. However, it distinguishes more specifically the two conditions required, i.e. (a) clear and specific information regarding the purposes of the data processing and the rights of the individual based on the Belgian legislation protecting personal data, and (b) the obtaining of the individual's consent after the above information has been provided. It also emphasises that the data controller must allow users to withdraw their consent free of charge. It specifies that compliance with the above requirements does not exempt the website operator from applying the other relevant provisions of the Belgian legislation protecting personal data.

As in a number of other Member States, the Belgian Law does not set out how actually to obtain consent, and so it will be up to the regulators to issue relevant guidance. A first indication of the Belgian position is that, during its review of the draft bill, the Belgian Privacy Commission indicated that consent may not be obtained through current browser settings (Opinion 10/2012 of 21 March 2012 regarding the draft bill).

Poland suggests browser settings are sufficient

Poland is another Member State against whom the European Commission has taken enforcement action. However, on 14 June 2012, the Polish Ministry of Administration and Digitalisation announced that it has adopted a project amendment to the Telecommunications Law act ("TE"), which includes, amongst other things, the new cookie law. The project amendment only changes the current provisions by introducing stricter information obligations for online service providers. The user must therefore be informed unambiguously and in an easily understandable manner, prior to placing the cookies, about:
> the purpose of storing cookies;
> the use of the content of the cookie; and
> details of how the user can control the use of those cookies by modifying the internet browser's or the service's settings.

The Ministry considers that an informed end-user expresses consent if he accepts the default browser settings with respect to cookies, while the act of changing them should be understood as the end-user not granting consent. Therefore, the Ministry is of the opinion that this solution implements the consent requirements in the amended eprivacy Directive. Moreover, in the Ministry's view, there is no contradiction between the proposed amendment of the TE and its other provisions under which an end-user's consent may not be implied or inferred.

During the public consultation on the new legislation, there was criticism that the projected amendment provides both insufficient protection of Internet users' data and more complications for entrepreneurs, especially those in the advertising sector. The project amendment will now need to undergo normal legislative procedures in order to come into force. This may well lead to further amendments.

No new cookie laws in sight yet in Germany

Although Germany amended its Telecommunication Act (TKG) in early 2012 to implement many other amendments to the European telecoms framework, it has not yet published its new cookie laws. The German government explained that these requirements had to be discussed at a European level first, as there were a number of unresolved questions about their implementation in practice. Other proposals by German political parties for the implementation of the relevant clauses were rejected by the German government. According to an opinion recently expressed by the German Federal Data Protection Commissioner Peter Schaar, the European cookie standards could now be applied directly and enforced in Germany in any event. Others expect that, due to the unclear standards of the proposed cookie rules, the data protection authorities will refrain from enforcing such rules for the time being.

Conclusions

The incomplete and inconsistent implementation of the cookie law across Europe is aggravated by the lack of clear jurisdictional provisions in the amended eprivacy Directive. The considerable problems this causes for organisations operating on a pan-European basis are likely to persist for some time.

By Sylvie Rousseau and Benoit Chevrel Barbier (Paris), Guillaume Couneson (Brussels), Lara White (London), Ingemar Kartheuser (Munich) and Gabriela Trebicka (Warsaw)

EU: Guidance on which cookies are exempt from the new consent requirements

The amended eprivacy Directive includes a requirement to obtain consent to the use of cookies unless they are used for an exempt purpose. The Article 29 Working Party, the representative body for European data protection authorities, has recently issued an opinion on this exemption.

Exempt cookies

The first step in most cookie compliance projects is to conduct an audit to find out what cookies are set by a website and the purpose for which each cookie is used. This information can then be used to categorise each cookie to determine if it is used for an exempt purpose and, if not, how to obtain consent. The opinion considers the two exempt purposes in detail, namely:
> cookies that are strictly necessary for the provision of an information society service explicitly requested by the subscriber or user. The working party interprets this exemption restrictively, stressing that the cookie must be necessary to enable the information society service, i.e. without it the service would not work. The relevant service must also have been requested by the user through some positive action; and
> cookies that are used for the sole purpose of carrying out the transmission of a communication over an electronic communication network. The working party again takes a restrictive approach, stating that it is not sufficient for the cookie simply to assist, speed up or regulate the transmission. An example of a cookie that is exempt is a load balancing session cookie. These are set where a user is allocated to a particular server in a pool of servers. The cookie ensures the user only deals with that server, which is important as it will be the only one with information on the status of that user's browsing session.

The opinion also considers the different characteristics of cookies, for example session or persistent and first party or third party. These characteristics affect the applicability of the exemptions and, as can be seen in the table below, it is unlikely that many persistent cookies will fall within these exemptions. Finally, where a cookie is used for a number of different purposes, all of those purposes must fall within the exemptions for the cookie to be exempt.

Particular types of cookies

An analysis of how these rules apply to particular types of cookies is also set out in the opinion and summarised below. The approach to first party analytics cookies is interesting. Whilst they do not fall within the exemptions, the Article 29 Working Party suggests that they are unlikely to present any privacy risks so long as they are only used to generate aggregated statistical data, and are accompanied by clear information and a user-friendly opt-out mechanism. This reflects the view of the UK Information Commissioner, who has indicated that it is very unlikely that he would take enforcement action over such cookies. However, this conflicts with an earlier opinion of the French CNIL, which suggested that they might be exempt altogether. Hopefully the opinion will help to harmonise the application of these exemptions to these and other cookies.

The Opinion 04/2012 on Cookie Consent Exemption is available here.

By Peter Church, London

Purpose of cookie | Session | Persistent
User-input cookies (e.g. shopping baskets) | Exempt (SN) | No, unless limited to a few hours
Authentication cookies (e.g. to access a secure website) | Exempt (SN) | No
User-centric security cookies (e.g. to detect repeated failed log-ins) | Exempt (SN) | Exempt (SN) for limited periods
Multimedia player cookies (e.g. to record network speed, image quality or buffer information) | Exempt (SN) | No
Load balancing cookies (e.g. to allocate a user to a particular server to balance usage) | Exempt (C) | No
UI customisation cookies (e.g. used to store preferences such as choice of language) | Exempt (SN) | No, unless limited to a few hours
Social plug-in to share content, logged-in members (e.g. content sharing) | Exempt (SN) | No
Social plug-in to share content, logged-out/non-members (e.g. content sharing) | No | No
Social plug-in tracking (e.g. allows social network to track users on the internet) | No | No
Third party advertising (e.g. behavioural advertising including frequency capping and click fraud) | No | No
First party analytics (e.g. Google Analytics and other statistical measurement cookies) | No, but risk minimal for first party analytics | No, but risk minimal for first party analytics

Exempt (SN): The cookie is exempt because it is strictly necessary for the provision of a service explicitly requested by the user.
Exempt (C): The cookie is exempt because its sole purpose is to transmit a communication.
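The audit-and-categorise step described above and the summary table, as an added worked example in Python (not code from the newsletter, from Linklaters or from the Working Party): it parses Set-Cookie headers from a constructed inventory, classifies each cookie as session or persistent and first or third party, and applies the table's verdicts to the purposes the audit recorded, including the rule that a multi-purpose cookie is exempt only if every purpose is. The purpose labels, the four-hour reading of "a few hours" and the sample cookies are assumptions made for the example.

```python
"""Cookie audit helper for the Article 29 Working Party exemption table.

Added illustration, not code from the newsletter, Linklaters or the Working
Party. Parses Set-Cookie headers (constructed samples), works out session vs
persistent and first vs third party, then applies the table's verdicts.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional

# Assumption: the table's "a few hours" / "limited periods" is modelled as one
# threshold; the opinion itself does not fix a number.
FEW_HOURS = timedelta(hours=4)

# purpose -> (verdict for a session cookie, verdict for a persistent cookie),
# transcribed from the table. "SN" = strictly necessary, "C" = communication-only,
# "SN_SHORT" = exempt only if lifetime <= FEW_HOURS, None = consent required.
TABLE = {
    "user-input": ("SN", "SN_SHORT"),
    "authentication": ("SN", None),
    "user-security": ("SN", "SN_SHORT"),
    "multimedia": ("SN", None),
    "load-balancing": ("C", None),
    "ui-customisation": ("SN", "SN_SHORT"),
    "social-share-logged-in": ("SN", None),
    "social-share-logged-out": (None, None),
    "social-tracking": (None, None),
    "third-party-advertising": (None, None),
    "first-party-analytics": (None, None),  # not exempt; WP29 and the ICO see minimal risk
}


@dataclass
class Cookie:
    name: str
    domain: str                    # lower-case, without a leading dot
    lifetime: Optional[timedelta]  # None means a session cookie


@dataclass
class Assessment:
    name: str
    party: str    # "first" or "third"
    kind: str     # "session" or "persistent"
    exempt: bool
    basis: str    # per-purpose reasoning


def parse_set_cookie(header: str, response_host: str, now: datetime) -> Cookie:
    """Parse one Set-Cookie value; Max-Age takes precedence over Expires (RFC 6265)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    domain = attrs.get("domain", response_host).lower().lstrip(".")
    lifetime = None
    if "max-age" in attrs:
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - now
    return Cookie(name, domain, lifetime)


def registrable(host: str) -> str:
    """Crude registrable-domain guess (last two labels); real audits need a public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def assess(cookie: Cookie, purposes: List[str], site: str) -> Assessment:
    """Apply the table to one cookie; every recorded purpose must be exempt."""
    kind = "session" if cookie.lifetime is None else "persistent"
    party = "first" if registrable(cookie.domain) == registrable(site) else "third"
    exempt, reasons = True, []
    for purpose in purposes:
        verdict = TABLE[purpose][0 if kind == "session" else 1]
        if verdict == "SN_SHORT":
            verdict = "SN" if cookie.lifetime <= FEW_HOURS else None
        if verdict is None:
            exempt = False
            reasons.append(f"{purpose}: consent required")
        else:
            reasons.append(f"{purpose}: exempt ({verdict})")
    return Assessment(cookie.name, party, kind, exempt, "; ".join(reasons))


# Constructed inventory: (host that sent the header, Set-Cookie value, purposes found in the audit)
SITE = "www.example.com"
NOW = datetime(2012, 7, 9, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    (SITE, "sid=abc123; Path=/; Secure; HttpOnly", ["authentication"]),
    (SITE, "SERVERID=node2; Path=/", ["load-balancing"]),
    (SITE, "lang=nl; Max-Age=7200; Path=/", ["ui-customisation"]),
    (SITE, "remember=tok; Max-Age=2592000; Path=/; HttpOnly", ["authentication"]),
    (SITE, "basket=42; Max-Age=1800; Path=/", ["user-input", "first-party-analytics"]),
    ("ads.tracker-example.net",
     "uid=xyz; Domain=.tracker-example.net; Expires=Tue, 09 Jul 2013 12:00:00 GMT; Path=/",
     ["third-party-advertising"]),
]


def run_audit(inventory=INVENTORY, site=SITE, now=NOW) -> List[Assessment]:
    return [assess(parse_set_cookie(hdr, host, now), purposes, site)
            for host, hdr, purposes in inventory]


if __name__ == "__main__":
    for a in run_audit():
        print(f"{a.name:10} {a.party:5} {a.kind:10} {'exempt' if a.exempt else 'consent':7} {a.basis}")
```

A cookie's purpose cannot be read from its header, which is why the inventory carries the purposes found during the audit next to each Set-Cookie value. The basket cookie shows the all-purposes rule at work: its user-input purpose is exempt for a short-lived cookie, but the analytics purpose is not, so consent is still needed.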

EU: New data protection mechanism to ease international outsourcings

The Article 29 Working Party, the representative body for European data protection authorities, has issued its requirements for processor binding corporate rules. Outsourcing to service providers that implement these rules should become easier. Customers will be able to send personal data to the service provider and its sub-processors outside of the EU without the need for more onerous compliance mechanisms such as Model Contracts. We consider these rules in more detail below, along with their implications for the outsourcing market.

Outsourcing and data protection

In almost any outsourcing arrangement, a customer will want to ensure its information is held securely and that the supplier only uses that information to provide services to the customer. This means there is a close alignment between the intention of data protection laws and the commercial expectations of most outsourcing. However, complying with these laws in practice can be very burdensome.

One of the reasons for this is the complex nature of many international outsourcings. They are often entered into for the benefit of a number of customer entities (typically all or part of the customer's group) and the services may be sub-contracted to a number of other entities, many of which may be based outside of the EU. This brings the restrictions on international transfers of personal data into play. There are a range of ways to comply with these restrictions, depending on the exact structure of the outsourcing and the extent to which the parties are prepared to adopt a robust compliance solution. However, there are outsourcings in which Model Contracts (these are EU-approved data processing contracts) have been put in place between the majority of customer entities within the EU and the majority of the supplier entities outside of the EU. This "web of contracts" approach can require hundreds, if not thousands, of Model Contracts, some of which will need to be notified to or approved by local data protection regulators. This is clearly a burdensome exercise.

Processor binding corporate rules

The use of processor binding corporate rules would resolve many of these issues. The service provider (processor) would enter into a binding commitment to ensure all of the processing it carries out complies with data protection laws. The service provider commits to comply with these rules both through internally binding measures (such as an intra-group agreement) and through its contract with its customer. The customer would then be able to transfer personal data to the service provider and its sub-processors, including those based outside of the EU, in full compliance with data protection laws. This should ease the compliance burden associated with any such outsourcing and could provide a competitive edge to suppliers who are able to offer this solution.

Guidance from the Article 29 Working Party

The Article 29 Working Party has recently issued a working document setting out its requirements for processor binding corporate rules. Whilst this is a significant step, it does not set out exactly how these frameworks will be adopted or approved in practice. For example, will the processor binding rules have to be approved by all of the data protection authorities from which personal data is transferred? If so, will service providers be able to use a mutual recognition process, similar to that used for binding corporate rules for controllers, to ease the application process? Is an approval even possible where the application is made by a processor rather than a controller? Finally, will controllers who rely on these rules still need to make their own notifications or seek their own approvals for these transfers? We understand that the Article 29 Working Party will issue further guidance to address these issues later this summer.

Requirements for processor binding corporate rules

The working document sets out the requirements for processor binding corporate rules in detail. The more important requirements can be summarised as follows:
> Relevant exports and processing. The rules must list the entities that are subject to the rules and, at a high level, outline the nature of data likely to be transferred, the anticipated purposes for which it will be processed and the likely exporters. It appears this description can be general in nature and therefore need not be tied to specific customers, thus allowing new customers to benefit from the rules when they obtain services from the service provider;
> Internally binding. The rules must be binding within the service provider's group and upon its employees, for example through the use of an intra-group agreement and appropriate provisions in employment contracts;
> Externally binding. The service provider should bind itself to the customer through a data protection service agreement under which it undertakes to comply with these rules. Importantly, the customer should have direct rights against all entities processing data. The service provider must also accept liability to individuals if the customer becomes insolvent or otherwise ceases to exist. The service provider must co-operate with data protection authorities, including submitting to an audit by them;
> Accountability. The service provider must ensure that the rules are complied with in practice through a mixture of training programmes, complaint handling processes, audit and networks of data protection officers;
> Safeguards. The service provider must undertake a wide range of obligations to protect the personal data it processes, including: (a) ensuring that personal data is processed securely; (b) only processing personal data on behalf of the customer and returning or destroying it at the end of that relationship; (c) co-operating with the customer to assist it to comply with data protection laws; and (d) being transparent where it is unable to comply with the rules due to changes in law or regulatory disclosure obligations; and
> Updates and sub-processing. The service provider can only change the processing conditions or sub-contract its processing with the customer's consent. This consent can be given in advance on a general basis but, even then, the customers must be notified of the change and have the option to object or terminate the contract.

Service providers will need to consider these requirements carefully and determine if the benefit of implementing these rules outweighs the effort involved in obtaining and complying with them on an on-going basis. Some of the requirements, such as direct rights against members of the service provider's group and the ability for the customer to terminate where there is a change of sub-contractors, clearly have serious commercial ramifications.

It will be interesting to see how the market influences the adoption of these rules. Use of these rules could become an expectation amongst customers keen to ease their own compliance burden and ensure their information is protected. If so, processor binding corporate rules could become the de facto standard in the outsourcing market.

The Article 29 Working Party's paper is available here. Linklaters LLP has advised on five successful applications for binding corporate rules and has obtained approval for its own binding corporate rules. Linklaters is continuing to work on a number of other binding corporate rules applications for its clients, with further authorisations expected in the near future.

By Tanguy Van Overstraeten, Brussels, and Sylvie Rousseau, Paris

An extended version of this article will appear in the July edition of BNA World Data Protection Report (here).

EU: Working Party Opinion on developments in biometric technologies

In April 2012, the Article 29 Working Party issued an Opinion on developments in biometric technologies, in particular vein pattern, fingerprints, facial and vocal recognition, DNA and signature biometrics (WP 193). The Opinion follows up on a working document of 2003 in which the working party had already explored the theme of biometrics (WP 80). The new Opinion aims to provide an updated framework of guidelines and recommendations on the implementation of data protection rules in biometric applications.

The need for a revision, and biometric technology

The working party considers that particular care should be used when processing biometric data. It is closely linked to an individual's unique characteristics, may reveal sensitive data and may allow tracking, tracing or profiling of individuals. Proper controls over the use of this data are increasingly important as, in recent years, biometric technology has been widely deployed in both the public and private sectors for a variety of purposes (such as scientific research, forensics and access control) and is becoming much cheaper and faster to use. The Opinion provides a useful explanation of biometrics, including a technical analysis of a number of specific biometric technologies, namely vein pattern, fingerprints, facial and vocal recognition, DNA and signature biometrics (i.e. a biometric analysis of an individual's signature).

Biometrics and data protection

Whilst new biometric technology can offer a range of benefits, it could lead to a gradual loss of privacy if adequate safeguards are not implemented. The working party notes that biometric data is in most cases personal data and its use must therefore comply with the applicable data protection principles. The following provisions of data protection law are particularly relevant:

Legal ground for processing. The processing of biometric data must, if it is personal data, satisfy a processing condition. The following provisions are likely to be relevant:
> Consent. It is only possible to rely upon consent as a ground for processing if it is free and informed. The working party stresses that consent is not free in many cases in which biometric data is processed, as there is no valid alternative to such processing. In addition, as biometric data may be used as a unique and universal identifier, information is crucial for consent to be valid.
> Contract. The performance of a contract as a ground for processing is only likely to apply when pure biometric services are provided (e.g. DNA lab testing to match family members). Personal data is not an asset that can be asked for in exchange for a service (e.g. a social network which would make its use conditional upon biometric processing of users' data, such as a picture).
> Legitimate interests of the data controller. The working party considers that the use of biometrics for general security requirements can only be regarded as a legitimate interest if there are specific circumstances posing a considerable risk. The existence of these circumstances should be reviewed regularly.

Informing data subjects. The working party stresses the importance of informing data subjects of the elements of processing, especially in view of the fact that some biometric technologies may operate unbeknownst to the data subject (e.g. facial recognition at a distance through CCTV).

Role of national data protection authorities. Controllers who exploit systems that use biometric data as a key to interconnect multiple databases (which may lead to detailed profiling of an individual) should consult the competent national data protection authority before implementing such systems.

Recommendations

The Opinion contains a number of recommendations to the biometric industry. These include the following:

Privacy by design. The working party urges the biometric industry to embed privacy proactively in the technology itself and, in particular, recommends that biometric systems be designed according to formal development lifecycles which include the following steps:
> specification of requirements based on a risk analysis and/or a dedicated privacy impact assessment;
> description and justification of how the design fulfils these requirements;
> validation with functional and security tests; and
> verification of compliance of the final design with the regulatory framework.

This recommendation is interesting as it offers a practical methodology for implementing privacy by design, beyond the theoretical concept. Furthermore, the working party encourages the definition of certification schemes to ensure and enhance privacy by design.

Privacy Impact Assessment (PIA). The working party also encourages the biometric industry to perform PIAs to identify the risks of biometric technologies from a data protection perspective, provide adequate data protection measures and develop solutions to mitigate such risks. PIAs in the field of biometrics should, in particular, aim at avoiding or substantially limiting identity fraud, purpose diversion and data breaches.

Technical and organisational measures. Finally, the working party suggests a number of technical and organisational measures to prevent adverse effects in the event of a data breach. Technical measures include the storage of biometric data on a personal device rather than centrally, automated data erasure and biometric encryption (i.e. the use of biometric data as part of the encryption algorithm used to encrypt a specific identifier). As for organisational measures, the working party urges controllers to provide a clear procedure on who can access information and for what reasons, and the possibility to track all actions. In addition, the working party observes that outsourcing to external services is possible and increasingly popular due to the more frequent use of cloud computing. In such a case, the working party believes that the controller must establish a detailed policy on how to control its contractors and must require specific guarantees.

Conclusion

The Opinion provides a valuable insight into issues relating to biometric technology from a data protection perspective and gives practical recommendations on how to address these. In addition, it offers a handful of useful definitions in the field of biometrics and a focused technical analysis of specific biometric technologies. The Opinion is available here.

By Ronan Tigner, Brussels

Belgium

Implementation of the EU Telecom Package

On 25 November 2009, the European Union adopted a revised regulatory framework for the European telecommunication sector, consisting of one Regulation and two Directives (together the "EU Framework"). These Directives were due to be implemented in the EU Member States before 25 May. However, the Belgian parliament has only recently adopted a law implementing the EU Framework into Belgian law (Law of 21 June 2012 introducing various provisions regarding electronic communications, hereafter the "Law"). Once published and entered into force, the new Law will effect numerous changes. We look at how the Law implements two key provisions of the EU Framework under Belgian law, namely the data breach notification and the so-called EU cookie rule.

Personal Data Breach Notification

The ePrivacy Directive already obliges providers of electronic communication services to implement appropriate technical and organisational protection measures to safeguard the security of their services (see Article 4(1)). The EU Framework goes a step further and obliges providers to notify personal data breaches, both to the competent national authority and to the individuals concerned by the breach. While notification to the regulator is required in all situations of breach, notification to individuals is required only when the breach is likely to adversely affect their personal data or privacy, but not when the regulator is satisfied that appropriate technological protection measures have been implemented (see Article 4(3)).

The Law implements the notification regime by inserting a new Article 114/1 par. 3 in the law on electronic communications (Law of 13 June 2005 regarding electronic communications, or the "e-Communications Law"). Under the new rule, the notification must be made to the Belgian Institute for Postal Services and Telecommunications (the "BIPT"), the supervisory body of the electronic communications sector.

Although the Law transposes almost verbatim the provision of the EU Framework, it does contain a small but significant difference: in the EU Framework a notification is triggered by a personal data breach, while under the Law any endangering of the security of an electronic communication service with respect to personal data suffices to trigger the need for a notification. It is unclear how this provision would operate in practice, but it is arguably wider and therefore could trigger the notification in a wider range of situations.

The Cookie Rule

Another heavily debated provision of the EU Framework is the so-called cookie rule. The storing of, or gaining access to, information on the terminal equipment of a subscriber or user is only allowed if they have been properly informed and have given their consent (Article 5(3) ePrivacy Directive, as amended by the EU Framework).

This provision regulates a range of technology, including the use of cookies installed by website operators on the computers of users, often without their knowledge. The key issue is how to obtain that consent. The ePrivacy Directive suggests website operators may eventually be able to rely on the browser settings of the user, which may or may not prohibit the use of cookies. However, most Member States have concluded that current browser settings are not sufficient to demonstrate such consent, not least because the default setting is to allow cookies.

The Law implements the cookie rule under Belgian law in Article 129 of the e-Communications Law. In doing so, it largely follows the text proposed by the EU Framework. However, it distinguishes more specifically the two conditions required, i.e. (a) clear and specific information regarding the purposes of the data processing and the rights of the individual based on the Belgian legislation protecting personal data, and (b) the obtaining of the individual's consent after the above information has been provided. The Law also emphasises that the data controller must allow users to withdraw their consent free of charge. It specifies that compliance with the above requirements does not exempt the website operator from applying the other relevant provisions of Belgian legislation protecting personal data.

As in most other Member States, the Law does not consider how consent from users should be obtained, and so it will be up to the regulators to issue relevant guidance. A first indication of the Belgian position is that, during its review of the draft bill, the regulator in charge of data protection indicated that consent may not be obtained through current browser settings (Privacy Commission Opinion 10/2012 of 21 March 2012 regarding the draft bill).

Conclusion

The Law demonstrates that, as in other Member States, the implementation of the EU Framework into local law is resulting in diverging positions. Although the Law does not specify how consent should be obtained with respect to cookies, Belgium seems inclined to follow a hard line and refuse current browser settings as a proper expression of consent. This is likely to negatively impact electronic business unless a more pragmatic approach is developed by the operators and accepted by the regulator.

By Tanguy Van Overstraeten and Guillaume Couneson, Brussels

This article first appeared in Global Business Magazine.

Belgium

Court condemns identity theft on Facebook

In September 2011, the Ghent Court of First Instance found a woman guilty of creating false Facebook profiles to get back at her ex-employer, whom she alleged had repeatedly bullied her during her employment. The decision is significant as it is one of the first times proceedings have been brought in Belgium for these activities.

Creation of a false profile

The fake profile was created by an ex-employee after she had been dismissed. She created a false Facebook profile of her ex-employer, added a picture of him and linked the profile to the company he worked in. In addition, she created two other Facebook profiles under the fictional names Daisy Seuil and Jeremy Boel, along with a profile picture for each that she had taken off the internet. She then posted comments from the latter two profiles on the first profile which made it look like her ex-employer was having an adulterous relationship with Daisy Seuil and that Jeremy Boel was denouncing that affair.

Criminal investigation

The ex-employer filed a complaint with the examining magistrate, who conducted an investigation, identified the woman and summoned her before the Ghent Court of First Instance. The Court found the woman guilty of computer fraud (Art. 210bis of the criminal code), stalking (Art. 442bis of the criminal code), use of a false name (Art. 231 of the criminal code), attack on a person's honour or good name (Art. 444 of the criminal code) and use of electronic communications means to cause discomfort or harm to one's correspondent (Art. of the law of 13 June 2005 on electronic communications). She was sentenced to seven months' imprisonment (conditionally suspended) and a EUR 550 fine.

It is interesting to note that the central issue in the judgment is a case of identity theft. However, there is currently no provision under Belgian criminal law which punishes identity theft as such. For example, Article 231 of the criminal code in relation to the use of a false name aims primarily at ensuring individuals remain identifiable in society, rather than at punishing identity theft. However, this did not prevent the Court from convicting the ex-employee through a combination of several existing criminal provisions. According to the Court: "social networks cannot be used to settle personal vendettas, to create fake profiles or, even more so, to assume the virtual identity of others. (...) Social networks must be protected from users who create false profiles and usurp the identity of another with the sole intent of doing as much harm as possible to others, be it on the professional or private level" (unofficial translation).

Discussions are currently ongoing in the Senate to amend the criminal law to explicitly make identity theft illegal. Meanwhile, the decision of the Ghent Court of First Instance remains significant as it is probably one of the first judgments in Belgium with respect to the creation and use of a false online profile and identity theft on a well-known social network such as Facebook.

By Ronan Tigner, Brussels

France

The CNIL issues its investigation programme for 2012

The French data protection authority (the "CNIL") issued its investigation programme in April 2012. It intends to perform 450 on-site investigations in 2012. These investigations will focus on the following issues: smartphones, data breaches, security of health information, utilities, CCTV, police records and sport. Further details of these areas of investigation are set out below.

Smartphones

The CNIL intends to carry out an in-depth investigation into the monitoring of, and collection of personal data about, smartphone users. This will include the collection of personal data not only when subscribing to a provider, but also when downloading applications or using online services. The CNIL is concerned about the emergence of new uses for smartphones, and wishes to ensure that the millions of users whose personal data is processed by providers and application suppliers are properly protected.

Data breach

The CNIL also intends to investigate compliance with the new breach notification requirements by providers of public electronic communication services (see Section 34 prime of the French Data Protection Act and Sections 25 and 26 of the decree of 30 March 2012). The new law includes strict notification requirements, so it will be interesting to see how well these laws are complied with in practice.

Security of health information

The CNIL will also focus its investigation on medical research, online healthcare-related applications and health data hosting. Special attention will be given to remote storage of health records using cloud computing solutions. Several investigations are planned in large-scale healthcare infrastructures.

Utilities

In order to reassure citizens about the more routine processing of their personal data, investigations will be carried out on utility suppliers (such as water, gas and electricity) who handle the personal data of millions of customers. Motorway operators, who have deployed new technology such as contactless toll payments, anti-fraud measures and road safety measures, will also be investigated.

CCTV

Following on from its 2011 investigation programme, the CNIL plans to carry out 150 on-site inspections of organisations' use of CCTV systems. The new inspections will be focused on large premises with large numbers of visitors and the use of CCTV to detect criminal offences.

Police records

In line with a recent parliamentary report, inspections will be conducted on the processing of personal data by several national and local police and gendarmerie services.

Sport

Further investigations will take place into the processing of personal data by sports federations regarding their licensees and spectators. The CNIL indicated that further time may be spent looking into anti-doping and into stadiums hosting sporting events.

Overview of the investigation programme

The CNIL's annual investigation programme allows it to keep up to date with the new methods and technologies used to collect and process personal data. It also provides a significant incentive to comply with French data protection laws, considering the potential risks, both criminal and financial, that can result from a breach. Details of the investigation programme are available here (French only).

By Sylvie Rousseau and Justine Massera, Paris

France

New data breach notification obligations take effect

The obligation on providers of publicly available electronic communications services to notify data breaches has been brought into force. The changes implement the amended ePrivacy Directive and have been made by the Ordinance of 24 August 2011, which inserts Section 34 prime into the Data Protection Act of 6 January. The Decree of 30 March 2012 (the "Decree") provides further detail about the notification obligation, and the CNIL has produced guidance on compliance with these new rules in practice (the "Guidance").

Notification to the CNIL

Under the new notification obligations, providers of publicly available electronic communication services (such as internet service providers and telecom operators) must notify without delay any breach of security leading accidentally or unlawfully to the destruction, loss, alteration, disclosure of or unauthorised access to personal data processed in the context of providing electronic communication services to the public. It is important to note that there is no de minimis threshold that might, for example, exclude less serious breaches from the notification obligation. The Guidance does, however, make it clear that the obligation only applies to information processed in the context of the provision of electronic communication services so, for example, the loss of data about the provider's employees would not trigger the notification obligation.

The notification must be made by registered post and sent forthwith to the CNIL. The provider must specify the nature and consequences of the data breach, including an estimate of the number of people affected by the breach, and the steps taken or proposed to remedy the breach. In addition, the provider must provide the CNIL with details of any protective measures applied to the data and the impact of the data breach on the affected individuals.

The CNIL will then assess, on a case-by-case basis, whether the security measures are appropriate and the gravity of the data breach. If the security measures are considered inappropriate or the CNIL does not respond within a two-month period, the provider will be required to notify the affected individuals.

Notification of the affected individuals

The affected individuals only need be notified where:

> the breach will adversely affect the personal data or privacy of that individual; and
> appropriate measures were not in place to protect that personal data (e.g. encryption or anonymisation).

Organisations can only rely on this exemption if the security measures are considered appropriate by the CNIL. Should the CNIL consider the security measures inappropriate or fail to provide a response within the two-month timeframe, the provider should notify the affected individuals forthwith. The CNIL may issue a formal notice to the provider to notify the affected individuals in the event of a serious breach. The notification must specify the nature of the data breach, and the provider must recommend to the affected individuals measures to mitigate the negative fallout of the breach.

Conclusion

The new decree of 30 March 2012 might be considered a step forward by encouraging organisations to take data security more seriously. However, the loose definition given to a data breach might result in an excessive number of notifications to data subjects, not to mention the risk that the CNIL will be unable to deal with the administrative burden arising from the number of notifications submitted to it. The CNIL's guidance is available here (French only).

By Thibault Soyer and Justine Massera, Paris

Germany

Working Paper on cloud computing published

In April 2012, the non-governmental International Working Group on Data Protection in Telecommunications published a Working Paper on Cloud Computing: Privacy and data protection issues (the "Sopot Memorandum"). The paper is broadly supportive of cloud computing as a means of achieving greater economic efficiency, but makes a number of recommendations to ensure such arrangements also comply with data protection laws.

Overview

The paper is particularly interesting as some German data protection authorities have previously taken a very restrictive view of cloud computing. The group considers that cloud computing can be provided in compliance with the applicable data protection laws so long as appropriate measures are implemented to mitigate the risks of cloud computing. Accordingly, the group recommends implementing data protection agreements between the cloud provider and the data controller. Such agreements should address the following points:

> It should be clear which locations are used to process personal data and to which recipients it is transferred. A location audit trail should be available to show such physical locations.
> The data controller should ensure that the cloud provider only processes personal data in accordance with the data controller's instructions and for the data controller's purposes.
> The data controller should have the right to conduct audits at the cloud provider, either itself or through trusted third parties.
> The data controller should perform a risk assessment prior to the start of the cloud services and regularly thereafter, based on the specific conditions and circumstances under which personal data will be processed by the cloud provider and its subcontractors.
> The cloud provider should be obliged to implement effective and prompt procedures in order to enable the data subjects to exercise their rights of access, rectification, erasure or blocking of data.
> Effective technical and organisational measures should be provided. The data controller should consider whether at least one back-up copy of the data should reside outside the cloud provider's control.
> In cases of data breaches, the cloud provider should be obliged to notify the data controller and/or the competent data protection authority.

Existing requirements under German law

The group's opinion is in line with existing requirements for commissioned data processing agreements under German legislation. As, in the group's view, cloud computing increases the risk of data protection breaches, the group puts even greater emphasis on the contractual standards and


More information

Information Security Risks when going cloud. How to deal with data security: an EU perspective.

Information Security Risks when going cloud. How to deal with data security: an EU perspective. Separating fact from fiction about new software licensing /SaaS/ cloud computing models: advantages, disadvantages and ethical implications. Information Security Risks when going cloud. How to deal with

More information

COMMISSION OF THE EUROPEAN COMMUNITIES GREEN PAPER

COMMISSION OF THE EUROPEAN COMMUNITIES GREEN PAPER EN EN EN COMMISSION OF THE EUROPEAN COMMUNITIES Brussels, 11.11.2009 COM(2009) 624 final GREEN PAPER on obtaining evidence in criminal matters from one Member State to another and securing its admissibility

More information

If you have any questions about our privacy practices, please refer to the end of this privacy policy for information on how to contact us.

If you have any questions about our privacy practices, please refer to the end of this privacy policy for information on how to contact us. c4m Privacy Policy Last Modified: July 20, 2015 Colbette II Ltd., Block 1, 195-197 Old Nicosia-Limassol Road, Dali Industrial Zone, Cyprus 2540 (hereinafter "c4m", Colbette we", "our" or "us") is always

More information

New EU Data Protection legislation comes into force today. What does this mean for your business?

New EU Data Protection legislation comes into force today. What does this mean for your business? 24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )

More information

AlixPartners, LLP. General Data Protection Statement

AlixPartners, LLP. General Data Protection Statement AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection

More information

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011 STATUTORY INSTRUMENTS. S.I. No. 336 of 2011 EUROPEAN COMMUNITIES (ELECTRONIC COMMUNICATIONS NETWORKS AND SERVICES) (PRIVACY AND ELECTRONIC COMMUNICATIONS) REGULATIONS 2011 (Prn. A11/1165) 2 [336] S.I.

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

PRIVACY POLICY (LAST UPDATED: 29.05.2015)

PRIVACY POLICY (LAST UPDATED: 29.05.2015) PRIVACY POLICY (LAST UPDATED: 29.05.2015) CONTENTS 1 Personally Identifiable Information... 3 2 Collection of Personally Identifiable and Other Data and Information... 3 2.1 When visiting our website www.zanox.com...

More information

European Privacy Reporter

European Privacy Reporter Is this email not displaying correctly? Try the web version or print version. ISSUE 02 European Privacy Reporter An Update on Legal Developments in European Privacy and Data Protection November 2012 In

More information

Investigation Report: HKA Holidays Limited Leaked Customers Personal Data through the Mobile Application TravelBud

Investigation Report: HKA Holidays Limited Leaked Customers Personal Data through the Mobile Application TravelBud Published under Section 48(2) of the Personal Data (Privacy) Ordinance (Cap. 486) Investigation Report: HKA Holidays Limited Leaked Customers Personal Data through the Mobile Application TravelBud Report

More information

BCS, The Chartered Institute for IT Consultation Response to:

BCS, The Chartered Institute for IT Consultation Response to: BCS, The Chartered Institute for IT Consultation Response to: A Comprehensive Approach to Personal Data Protection in the European Union Dated: 15 January 2011 BCS The Chartered Institute for IT First

More information

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person.

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person. PART I: INTRODUCTION AND BACKGROUND Purpose This Data Protection Binding Corporate Rules Policy ( Policy ) establishes the approach of Fluor to compliance with European data protection law and specifically

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation

TERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation TERMS & CONDITIONS of SERVICE for MSKnote Definitions: "Us or Our or We or Company" You or Your or Client Refers to MSKnote Limited Refers to you or your organisation Information about us: We are MSKnote

More information

DATA PROTECTION LAWS OF THE WORLD. India

DATA PROTECTION LAWS OF THE WORLD. India DATA PROTECTION LAWS OF THE WORLD India Date of Download: 6 February 2016 INDIA Last modified 27 January 2016 LAW IN INDIA There is no specific legislation on privacy and data protection in India. However,

More information

Standard conditions of purchase

Standard conditions of purchase Standard conditions of purchase 1 OFFER AND ACCEPTANCE 2 PROPERTY, RISK & DELIVERY 3 PRICES & RATES The Supplier shall provide all Goods and Services in accordance with the terms and conditions set out

More information

Personal Data (Privacy) (Amendment) Ordinance 2012 - Use and Sale of Personal Data for Direct Marketing.

Personal Data (Privacy) (Amendment) Ordinance 2012 - Use and Sale of Personal Data for Direct Marketing. July 2012 Personal Data (Privacy) (Amendment) Ordinance 2012 - Use and Sale of Personal Data for Direct Marketing. Contents Introduction On 27 June 2012, Hong Kong s Legislative Council ( LegCo ) passed

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini Personal data and cloud computing, the cloud now has a standard by Luca Bolognini Lawyer, President of the Italian Institute for Privacy and Data Valorization, founding partner ICT Legal Consulting Last

More information

Comments and proposals on the Chapter IV of the General Data Protection Regulation

Comments and proposals on the Chapter IV of the General Data Protection Regulation Comments and proposals on the Chapter IV of the General Data Protection Regulation Ahead of the trialogue negotiations later this month, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International

More information

How To Protect Your Data In European Law

How To Protect Your Data In European Law Corporate Data Protection Code of Conduct for the Protection of the Individual s Right to Privacy in the Handling of Personal Data within the Deutsche Telekom Group 2010 / 04 We make ICT strategies work

More information

MIS Privacy Statement. Our Privacy Commitments

MIS Privacy Statement. Our Privacy Commitments MIS Privacy Statement Our Privacy Commitments MIS Training Institute Holdings, Inc. (together "we") respect the privacy of every person who visits or registers with our websites ("you"), and are committed

More information

EUROPEAN ECONOMIC AREA JOINT PARLIAMENTARY COMMITTEE. REPORT on E-Commerce and EEA legislation

EUROPEAN ECONOMIC AREA JOINT PARLIAMENTARY COMMITTEE. REPORT on E-Commerce and EEA legislation EUROPEAN ECONOMIC AREA 30 November 2000 Brussels JOINT PARLIAMENTARY COMMITTEE REPORT on E-Commerce and EEA legislation Co-rapporteurs: Ms. Marjo Matikainen-Kallstöm (EPP-ED, Finland) Mr. Vilhjálmur Egilsson

More information

IDT Financial Services Limited. Prime Card Privacy Policy

IDT Financial Services Limited. Prime Card Privacy Policy IDT Financial Services Limited Prime Card Privacy Policy Effective and Updated April 7, 2014 General IDT Financial Services Limited and its affiliates ( IDT, us, we, our ) are committed to protecting the

More information

PRIVACY POLICY. comply with the Australian Privacy Principles ("APPs"); ensure that we manage your personal information openly and transparently;

PRIVACY POLICY. comply with the Australian Privacy Principles (APPs); ensure that we manage your personal information openly and transparently; PRIVACY POLICY Our Privacy Commitment Glo Light Pty Ltd A.C.N. 099 730 177 trading as "Lighting Partners Australia of 16 Palmer Parade, Cremorne, Victoria 3121, ( LPA ) is committed to managing your personal

More information

Summary of Data Protection Requirements When transferring Data Outside the UK End Users

Summary of Data Protection Requirements When transferring Data Outside the UK End Users Summary of Data Protection Requirements When transferring Data Outside the UK End Users 14 May 2010 Background to transfers of the Data outside the UK Data can be transferred in a couple of ways in relation

More information

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015 Multi-Jurisdictional Study: Cloud Computing Legal Requirements Julien Debussche Associate January 2015 Content 1. General Legal Framework 2. Data Protection Legal Framework 3. Security Requirements 4.

More information

slaughter and may The new EU Data Protection Regulation revolution or evolution?

slaughter and may The new EU Data Protection Regulation revolution or evolution? slaughter and may The new EU Data Protection Regulation revolution or evolution? BRIEFING April 2012 Reform of Europe s data protection regime moved one step closer this January with the publication of

More information

MRS Guidelines for Online Research. January 2012

MRS Guidelines for Online Research. January 2012 MRS Guidelines for Online Research January 2012 MRS is the world s largest association for people and organisations that provide or use market, social and opinion research, business intelligence and customer

More information

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June

More information

Appendix 11 - Swiss Data Protection Act

Appendix 11 - Swiss Data Protection Act GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the

More information

Working Document 02/2013 providing guidance on obtaining consent for cookies

Working Document 02/2013 providing guidance on obtaining consent for cookies ARTICLE 29 DATA PROTECTION WORKING PARTY 1676/13/EN WP 208 Working Document 02/2013 providing guidance on obtaining consent for cookies Adopted on 2 October 2013 This Working Party was set up under Article

More information

Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users?

Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users? 10 Juni 2013 Taylor Wessing - Essay Competition 2013 Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users? by Katarina Kesselová, LLM. Introduction

More information

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987 GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987 CONTENTS Page 1. Introduction 3-4 2. The Commission s Policy 5 3. Outsourcing

More information

Data, Privacy, Cookies and the FTC in 2013. Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller

Data, Privacy, Cookies and the FTC in 2013. Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller Data, Privacy, Cookies and the FTC in 2013 Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller BIOS Kevin Stark: Product Manager at ExactTarget. Focused on data security,

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

A guide to affilinet s tracking technology

A guide to affilinet s tracking technology A guide to affilinet s tracking technology Content Introduction 1 What s covered in this Paper? 1 1. Why does affilinet use cookies? 1 Figure 1 the Commercial Model for Performance Marketing 1 2. How does

More information

Work programme 2016 2018

Work programme 2016 2018 ARTICLE 29 Data Protection Working Party 417/16/EN WP235 Work programme 2016 2018 Adopted on 2 February 2016 This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European

More information

PAYMENT SERVICES AND SYSTEMS ACT (ZPlaSS) CHAPTER 1 GENERAL PROVISIONS SUBCHAPTER 1 CONTENT OF THE ACT. Article 1. (scope)

PAYMENT SERVICES AND SYSTEMS ACT (ZPlaSS) CHAPTER 1 GENERAL PROVISIONS SUBCHAPTER 1 CONTENT OF THE ACT. Article 1. (scope) Legal notice All effort has been made to ensure the accuracy of this translation, which is based on the original Slovenian text. All translations of this kind may, nevertheless, be subject to a certain

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

How To Control Content On The Cloud

How To Control Content On The Cloud 1 EXPERT GROUP MEETING ON CLOUD COMPUTING CONTRACTS SYNTHESIS OF THE MEETING OF 30 APRIL 2014 On 30 April 2014, the Expert Group on Cloud Computing Contracts met for the sixth time. Three sessions were

More information

General Terms and Conditions of Trade for the use of the Bitplaces management platform and the Bitplaces software

General Terms and Conditions of Trade for the use of the Bitplaces management platform and the Bitplaces software General Terms and Conditions of Trade for the use of the Bitplaces management platform and the Bitplaces software I. Definitions, application area / conclusion of contract 1. Definitions 1.1 "App" in the

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone Parent Teacher Online

More information

Data Protection in Ireland

Data Protection in Ireland Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair

More information

Privacy Policy. If you have questions or complaints regarding our Privacy Policy or practices, please see Contact Us. Introduction

Privacy Policy. If you have questions or complaints regarding our Privacy Policy or practices, please see Contact Us. Introduction Privacy Policy This Privacy Policy will be effective from September 1 st, 2014. Please read Pelican Technologies Privacy Policy before using Pelican Technologies services because it will tell you how we

More information

UNILEVER PRIVACY PRINCIPLES UNILEVER PRIVACY POLICY

UNILEVER PRIVACY PRINCIPLES UNILEVER PRIVACY POLICY UNILEVER PRIVACY PRINCIPLES Unilever takes privacy seriously. The following five principles underpin our approach to respecting your privacy: 1. We value the trust that you place in us by giving us your

More information

South East Asia: Data Protection Update

South East Asia: Data Protection Update Data Privacy and Security Team To: Our Clients and Friends September 2013 South East Asia: Data Protection Update Europe has had data protection laws in place for over a decade. Such laws regulate how

More information

Merthyr Tydfil County Borough Council. Data Protection Policy

Merthyr Tydfil County Borough Council. Data Protection Policy Merthyr Tydfil County Borough Council Data Protection Policy 2014 Cyfarthfa High School is a Rights Respecting School, we recognise the importance of ensuring that the United Nations Convention of the

More information

All rights reserved. 2011, EuroPriSe/ULD

All rights reserved. 2011, EuroPriSe/ULD January 2011 Position paper on certifiability of online behavioural advertising systems according to EuroPriSe Follow-up EuroPriSe - European Privacy Seal at the Unabhängiges Landeszentrum für Datenschutz

More information

The Data Protection Landscape. Before and after GDPR: General Data Protection Regulation

The Data Protection Landscape. Before and after GDPR: General Data Protection Regulation The Data Protection Landscape Before and after GDPR: General Data Protection Regulation Data Protection regulations across Europe Current regulations & guidance European Directives 95/46/EC (Data Protection)

More information

ROYAL AUSTRALASIAN COLLEGE OF SURGEONS

ROYAL AUSTRALASIAN COLLEGE OF SURGEONS 1. SCOPE This policy details the College s privacy policy and related information handling practices and gives guidelines for access to any personal information retained by the College. This includes personal

More information

ECSA EuroCloud Star Audit Data Privacy Audit Guide

ECSA EuroCloud Star Audit Data Privacy Audit Guide ECSA EuroCloud Star Audit Data Privacy Audit Guide Page 1 of 15 Table of contents Introduction... 3 ECSA Data Privacy Rules... 4 Governing Law... 6 Sub processing... 6 A. TOMs: Cloud Service... 7 TOMs:

More information

Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015

Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015 2 September 2015 Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015 We support the efforts of EU legislators to create a harmonised data protection

More information

Food Law and Due Diligence Defence

Food Law and Due Diligence Defence The Society of Food Hygiene and Technology INTRODUCTION This document explains the general requirements of food law and covers the main EC and UK legislation on food imports and exports, safety, traceability,

More information

DESTINATION MELBOURNE PRIVACY POLICY

DESTINATION MELBOURNE PRIVACY POLICY DESTINATION MELBOURNE PRIVACY POLICY 2 Destination Melbourne Privacy Policy Statement Regarding Privacy Policy Destination Melbourne Limited recognises the importance of protecting the privacy of personally

More information

2015 No. 0000 FINANCIAL SERVICES AND MARKETS. The Small and Medium Sized Businesses (Credit Information) Regulations 2015

2015 No. 0000 FINANCIAL SERVICES AND MARKETS. The Small and Medium Sized Businesses (Credit Information) Regulations 2015 Draft Regulations to illustrate the Treasury s current intention as to the exercise of powers under clause 4 of the the Small Business, Enterprise and Employment Bill. D R A F T S T A T U T O R Y I N S

More information

BRING YOUR OWN DEVICE

BRING YOUR OWN DEVICE BRING YOUR OWN DEVICE Legal Analysis & Practical TIPs for an effective BYOD corporate Policy CONTENTS 1. What is BYOD? 2. Benefits and risks of BYOD in Europe 3. BYOD and existing Policies 4. Legal issues

More information

AN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING

AN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING AN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING 1. Overview and Background On 27 September 2012, the European Commission adopted a strategy for "Unleashing the potential of cloud computing in

More information

Behavioral Targeting Legal Developments in Europe and the Netherlands

Behavioral Targeting Legal Developments in Europe and the Netherlands 1 Behavioral Targeting Legal Developments in Europe and the Netherlands Frederik Zuiderveen Borgesius Ph.D researcher, focusing on behavioral targeting and privacy law Institute for Information Law, University

More information