Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

In its June 22 opinion, the Article 29 Working Party (the group responsible for overseeing the EU data protection regime) stated that, even if opt-out mechanisms were welcomed and should be encouraged, such mechanisms could not be regarded as complying with the EU Directive’s requirements regarding the necessity to deliver prior sufficient and effective notice to users and obtain the data subjects’ express consent before processing their personal data.

The Article 29 Working Party clearly took the position that it is incumbent upon advertising network providers to “create prior opt-in mechanisms requiring an affirmative action by the users indicating their willingness to receive cookies and the subsequent monitoring of their surfing behavior for the purposes of serving tailored advertising.”

According to Article 5(3) of the ePrivacy Directive, advertising network providers must obtain the informed consent of users to lawfully store information or to gain access to information stored in a user’s computer. According to the Article 29 Working Party, this means that prior to placing cookies or similar devices, advertising network providers must obtain the informed consent of the users.

Informed consent requires that users be informed about the identity of the advertising network provider, the purpose of the processing and the fact that the cookie will allow the advertiser to collect information about visits to other websites. Such information can be provided directly on the screen and it is recommended that it not be hidden in general terms and conditions or privacy statements. (see also our discussion of the Sears case here.)

However, the EU Data Protection Authorities are conscious that in practice it could be burdensome to obtain consent every time a cookie is read for the purposes of delivering targeted advertising. As such, they recommend:

• limiting the time and the scope of the consent
• offering the possibility to revoke it easily
• creating visible tools to be displayed where the monitoring takes place.

Furthermore, when placing cookies or similar devices, advertising network providers must also abide by the principles of the EU Directive of 1995 relating to the processing and free movement of personal data if the data being collected are considered personal.

Consequently, advertising network providers may be considered data controllers and thus need to:
 

• inform users beforehand of the purposes of the processing
• guarantee to data subjects their rights of access, rectification, erasure, limitation of retention, confidentiality, and security
• inform the appropriate Data Protection Agency of the processing to the extent necessary

The Opinion invites industry to suggest technical and other means to comply with the aforesaid legal obligations.

As far as France is concerned, it should be noted that in 2009 the French Data Protection Agency (CNIL) reminded everyone that:

• online behavioral advertising systems were subject to the data protection regulations given that they enable collection of personal data;
• the analysis of behaviors on the Internet was possible only if the Internet user had been duly informed of such a practice and could easily and quickly oppose it;
• professionals of that sector were highly encouraged to issue codes of conduct
   

Definition of Personal Data

According to an earlier opinion issued by the Working Party, personal data includes an individual’s Internet search history if the individual to whom it relates is identifiable. In this most recent opinion, the Working Party found that, although IP addresses are not usually directly identifiable by search engines, the necessary data usually is available to identify the user(s) of the IP address. Therefore, unless a search engine operator can ensure “with absolute certainty” that data corresponding to users cannot be identified, it must treat all IP information as personal data.  

Scope

Article 4 of the Data Protection Directive provides that each Member State will apply its national data protection law to data processing in certain circumstances. The Working Party concluded that the Data Protection Directive applies even where a search engine company’s headquarters is outside the European Economic Area. Where the search engine service provider is not based in one of the Member States, the Data Protection Directive applies where either: (a) the search engine provider has an establishment in a Member State; or (b) the search engine makes use of equipment in the territory of a Member State. “[U]se of equipment” includes a user’s personal computer.

Thus, in the case of multi-national search engine providers:

• Those that are established in a Member State are subject to the Member State’s national data protection laws in which the search engine provider is established;

• Those that are not established in a Member State are subject to the Member States’ national data protection laws in each Member State in which the service provider makes use of equipment in the territory of that Member state for the purposes of processing personal data (e.g., the use of a cookie).

The Working Party expressly excluded from its opinion search functions on websites that were limited to searching only the website’s own domain. 

Processing of Personal Data

The Working Party Opinion found that, in general, search engines must only process personal data for legitimate purposes and the amount of data processed and/or retained must be relevant to and not excessive in respect of the purposes to be achieved by the processing. Search engine providers are “fully responsible under data protection laws for the resulting content related to the processing of personal data.” Specifics are outlined below.

Collection and Processing

The Working Party found that collection and processing of personal data must be based on at least one legitimate ground. Legitimate grounds include:

(1)   Consent of the user for the search engine provider to use specified data for a specified purpose (Data Protection Directive Art. 7(a));

(2)   Necessary for the performance of a contract (Data Protection Directive Art. 7(b)) – however, the Working Party expressly rejected any argument that users enter into a de facto contractual relationship when using services offered by a search engine provider;

(3)   Necessary for the purposes of a legitimate interest pursued by the controller (Data Protection Directive Art. 7(f)):

(a)    Service improvement – however, this is not a legitimate reason for storing data that has not been anonymized;

(b)   Systems security – however, any personal data stored for system security must be subject to a strict purpose limitation and cannot be used for any other purpose;

(c)    Fraud prevention – however, the amount of personal data stored and/or processed and the amount of time it is retained depends on whether and for how long the data is necessary for fraud detection and prevention;

(d)   Accounting – the Working Party expressed “serious doubts that personal data of search engine users are really essential for accounting purposes” and called on search engine providers to develop accounting mechanisms that are more privacy-friendly;

(e)    Personalized advertising – the Working Party expressed its “clear preference for anonymi[z]ed data”;

(f)     Law enforcement and legal requests – the Working Party recognized that search engine providers must comply with legitimate requests from law enforcement and legal orders, but noted that “compliance should not be mistaken for a legal obligation or justification for storing such data solely for these purposes.”

Retention

The Working Party found as follows:

(1)   The Working Party sees no basis for a retention period of more than six (6) months in any instance and the retention period should be “no longer than necessary for the specific purposes of the processing.” Where data is retained for longer than six (6) months, a search engine provider must demonstrate that such retention “is strictly necessary for the service.”

(2)   Search engine providers must delete personal data when a legitimate purpose no longer exists; in the alternative, search engine providers may anonymize data as long as the anonymization is completely irreversible.

(3)   Search engine providers must inform users about the applicable retention policies for all types of user data they process.

Other Specific Practices

The Working Party found as follows:

(1)   Persistent cookies containing a unique user ID are personal data and should be defined to allow an improved web surfing experience and a limited cookie duration. Moreover, users must be informed about the use and effect of cookies.

(2)   Where search engine providers utilize a cache functionality, they should only retain content in a cache for the “time period necessary to address the problem of temporary inaccessibility to the website itself” – any caching period of personal data contained in indexed websites beyond this necessity of technical availability should be considered an independent republication.

(3)   Correlation of personal data across services and platforms for authenticated users can only be legitimately done based on informed consent by the user.

(4)   Search engine providers may not suggest that using their service requires a personalized account by automatically re-directing unidentified users to a sign-in form for a personalized account.

User Rights