Opt Out Rejected by the EU Data Protection Authorities for Online Behavioral Advertising

In an opinion issued on June 22, 2010, the EU Data Protection Authorities (Article 29 Working Party) clarified the legal framework applicable to online behavioral advertising – an activity that is becoming a hot topic for discussion as its popularity grows. Online behavioral advertising is, at its most basic level, the practice of gathering data, generally via cookies, about computer users for the purposes of serving tailored advertising. Some argue that such information gathering constitutes an invasion of people’s privacy. Most of the time, data subjects are not even aware that their personal data are being collected and used to create detailed user profiles and provide them with tailored advertising.

In order to remedy this lack of notice, it is becoming a common practice for advertising network providers to offer “opt-out” mechanisms so that users may, if they so wish, decline to receive targeted advertising.

Until now, the legality of such mechanisms under the EU Directive was questionable. That is no longer the case.

In its June 22 opinion, the Article 29 Working Party (the group responsible for overseeing the EU data protection regime) stated that, even if opt-out mechanisms were welcomed and should be encouraged, such mechanisms could not be regarded as complying with the EU Directive’s requirements regarding the necessity to deliver prior sufficient and effective notice to users and obtain the data subjects’ express consent before processing their personal data.

The Article 29 Working Party clearly took the position that it is incumbent upon advertising network providers to “create prior opt-in mechanisms requiring an affirmative action by the users indicating their willingness to receive cookies and the subsequent monitoring of their surfing behavior for the purposes of serving tailored advertising.”

According to Article 5(3) of the ePrivacy Directive, advertising network providers must obtain the informed consent of users to lawfully store information or to gain access to information stored in a user’s computer. According to the Article 29 Working Party, this means that prior to placing cookies or similar devices, advertising network providers must obtain the informed consent of the users.

Informed consent requires that users be informed about the identity of the advertising network provider, the purpose of the processing and the fact that the cookie will allow the advertiser to collect information about visits to other websites. Such information can be provided directly on the screen and it is recommended that it not be hidden in general terms and conditions or privacy statements. (See also our discussion of the Sears case here.)

However, the EU Data Protection Authorities are conscious that in practice it could be burdensome to obtain consent every time a cookie is read for the purposes of delivering targeted advertising. As such, they recommend:

  • limiting the time and the scope of the consent
  • offering the possibility to revoke it easily
  • creating visible tools to be displayed where the monitoring takes place.

Furthermore, when placing cookies or similar devices, advertising network providers must also abide by the principles of the EU Directive of 1995 relating to the processing and free movement of personal data if the data being collected are considered personal.

Consequently, advertising network providers may be considered data controllers and thus need to:

  • inform users beforehand of the purposes of the processing
  • guarantee to data subjects their rights of access, rectification, erasure, limitation of retention, confidentiality, and security
  • inform the appropriate Data Protection Agency of the processing to the extent necessary

The Opinion invites industry to suggest technical and other means to comply with the aforesaid legal obligations.

As far as France is concerned, it should be noted that in 2009 the French Data Protection Agency (CNIL) reminded everyone that:

  • online behavioral advertising systems were subject to the data protection regulations given that they enable collection of personal data;
  • the analysis of behaviors on the Internet was possible only if the Internet user had been duly informed of such a practice and could easily and quickly oppose it;
  • professionals of that sector were highly encouraged to issue codes of conduct.

EU Article 29 Working Party Clarifies Definitions of "Data Controller" and "Data Processor"

On February 16, 2010, the EU Article 29 Working Party published Opinion 1/2010, in which it clarified the definitions of “data controller” and “data processor” as those designations are used within the European Data Protection Directive (the “Directive”). The Working Party’s opinion is welcome guidance, not only because the designations determine who is responsible for compliance with data protection rules and how data subjects can exercise their rights, but also because the European Commission recently updated its Standard Contractual Clauses (which we blogged about here). Additionally, such designations are often difficult to apply in practice, especially given the increasing complexity of globalization, organizational differentiation, and information and communication technologies.

Data Controller:

The definition of data controller, under Article 2(d) of the Directive, is “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data . . . .”

In clarifying the definition of controller, the Working Party analyzed its constituent parts. 

  • In its discussion of “joint control,” the Working Party stated that parties who act jointly have certain flexibility with respect to the allocation of obligations and responsibilities under the Directive. In its assessment, the Working Party said that the factual circumstances relating to the relationship must be considered.  It warned that joint control among multiple controllers may lead to a lack of clarity in the allocation of responsibilities, which could potentially result in a violation of the principle of fair processing.
  • In its discussion of “determines,” the Working Party advised that such an analysis should be factual, and should begin with the questions “why is this processing taking place? Who initiated it?” “[A] body which has neither legal nor factual influence to determine how personal data are processed cannot be considered as a controller.”
  • In its discussion of “purposes and means of processing,” the Working Party advised that the key questions that should be asked when analyzing purposes of processing are “why the processing is happening and what is the role of possible connected actors like outsourcing companies: would the outsourced company have processed data if it were not asked by the controller, and at what conditions?” It also stated that the key questions that should be asked when analyzing the means of processing include technical questions, like “which hardware or software will be used?” and organizational questions, like “which data shall be processed? For how long shall they be processed?” The Working Party went on to state that determining the purpose of processing is reserved solely to the controller, while determining the means of processing may be delegated by the controller to a processor. 

Data Processor:

Data processor, under Article 2(e) of the Directive, is defined as “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.” The processor must be a separate legal entity with respect to the controller. In its assessment, the Working Party focused on the meaning of “on behalf of the controller.”  It called upon the legal concept of “delegation,” in that the processor is only permitted to perform data processing within the bounds of the mandate given by the controller. The Working Party stressed that should a processor exceed such bounds and begin to acquire a role in determining the purposes and means of processing, it may become a controller rather than a processor under the Directive. 

EU Article 29 Working Party Elevates Israel to Rank of Select Few Countries That Are Deemed to Possess "Adequate" Data Protection Laws

On January 5, 2010, the EU Article 29 Data Protection Working Party published an opinion finding that Israel provides an "adequate" level of data protection under the EU Data Protection Directive. Should the European Commission ("EC") adopt the Article 29 Working Party’s recommendation (and there is no reason to think that it would not), Israel will join the ranks of the select few countries that the EU has deemed to have an "adequate" level of data protection, such as Argentina, Canada, and Switzerland (notably, the United States is not on this list).

A determination that Israel provides an adequate level of protection means that a company transferring personal data from the EU to Israel does not need to enter into the "model contractual clauses" that the EC has ratified with an Israeli data importer, or develop "binding corporate rules" to transfer EU personal data.

The Article 29 Working Party analyzed Israel’s data privacy framework, with particular emphasis on the Israeli Privacy Protection Act ("PPA"). It found that the PPA provided data subjects with sufficient rights to access their personal data and avenues to rectify it if they believed it to be erroneous. The Article 29 Working Party also concluded that in several places where the statutory language of the PPA fell short of the rights provided under the EU Data Protection Directive, Israeli courts had developed a robust body of case law that had interpreted the PPA to provide for the protection of the privacy rights of data subjects.

Israel is not the only country whose privacy laws the Article 29 Working Party recently found to have an adequate level of protection; on January 5, it also published an opinion finding that Andorra satisfied the EU’s stringent requirements.

European Privacy Law And Social Networking

 

With social networking sites proliferating across international boundaries, privacy and data protection concerns are becoming increasingly relevant. With these concerns in mind, the Article 29 Working Party, an independent European advisory body on data protection and privacy, adopted an opinion on online social networking on June 12, 2009.

As noted by the Working Party, the personal information a user posts online combined with the data outlining the user’s actions and interactions with other people can create a rich profile of that person’s interests and pose major risks such as identity theft and loss of employment or business opportunities. In this new era of social networking, no longer are even the most secretive organizations free from the public eye. Just last Sunday, a British tabloid published revealing photos, taken off of a social networking website, of the soon-to-be chief of the country’s foreign intelligence service, MI6.

The opinion focuses on how the operation of social networking sites can meet the requirements of EU data protection legislation, and advises social network service (hereafter “SNS”) providers what measures must be in place to ensure compliance. Companies that make applications for or utilize social networking sites should be mindful of their obligations under EU law, as well.

 

An SNS is defined as an online communication platform which enables individuals to join or create networks of like-minded users. Usually, these services invite users to provide personal data, post their own material, and interact with other contacts who use the service. Well-known examples would include Facebook, Twitter, and MySpace. Under the EU’s 1995 Data Protection Directive (95/46/EC) (the "Directive"), SNS providers are considered data controllers, which are subject to several of the Directive’s provisions, even if their headquarters are outside the European Economic Area. Among their obligations:

Security and Default Privacy Settings – Data controllers must take technical and organizational measures that will maintain the security of the users.  The Working Party recommends that SNS providers offer default privacy settings that restrict viewing the user’s profile to self-selected contacts.

 

Information to be Provided by SNS – SNS providers must inform users of their identity and their purposes in using personal data. The Working Party recommends that providers inform users of the privacy risks both to users and third parties of uploading information.  If third party information or pictures are uploaded, it should be done with that individual’s consent. They should also provide information and adequate warning to users about privacy risks when uploading data on the SNS.

 

Sensitive Data – Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, health, or sex life may only be published with the explicit consent from the data subject or if he has made the data public himself. It is therefore incumbent upon the SNS to make it clear that answering any questions regarding such sensitive data is completely voluntary.

 

Processing Data of Non-Members – SNS providers may not use independently gathered information to create profiles for those who are not members of the service.

 

Third Party Access – When SNS providers offer additional applications on their service by third parties, or make their service available on third party hardware (mobile phones) or software (outside websites), they should ensure that the third parties only have access to necessary personal data and provide a mechanism whereby users can report concerns about applications.

 

Legal Grounds for Direct Marketing – Marketing activity by SNS providers is permissible, but it must comply with the Data Protection and ePrivacy Directives.

 

Retention of Data – Personal data of users should not be kept after their accounts are deleted.  When a user is inactive for a period of time, his profile should become invisible to the outside world and eventually the user should be notified that the data will be deleted.

 

Respecting the Rights of Users – Members and non-members whose information is processed by an SNS should have rights to access, correct, and delete their data. Further, because data is not to exceed the purposes for which it is being collected, SNS providers should consider giving users the choice of using pseudonyms in place of their real names.

 

Protecting Children – SNS providers should be especially attentive to protecting the data of minors. The Working Party recommends not asking minors for sensitive data in subscription forms, not directly marketing to minors, ensuring the prior consent of parents before subscribing, having suitable degrees of separation between communities of children and adults, and providing adequate age verification software.

 

Users of social networking sites are considered data subjects rather than data controllers, so they are generally exempt from the above responsibilities. However, this is not always the case. When a user processes personal data for more than purely personal or household activity, he or she is no longer covered by the so-called “household exemption” that excepts him or her from the Directive’s mandates. Examples of non-personal activity are using the SNS on behalf of a company or association, using the SNS mainly as a platform to advance commercial, political, or charitable goals, or having a high number of contacts, some of whom he or she may not actually know. When this occurs, the user assumes the full responsibilities of a data controller.

 

Thus, companies that do not operate an SNS may still be governed by the Directive merely by virtue of using the service. Where the company is collecting personal information (e.g. through applications or otherwise), it should take heed of the foregoing recommendations, such as getting consent from parties before publishing their personal information and images, only using necessary personal data, deleting personal information after an account has been removed, and having a mechanism users can employ to voice privacy concerns about the application.

Proskauer summer associate Adam Freed contributed to this post.

Privacy Issues When "Computing in the Cloud"

When a company is considering using cloud computing in its IT infrastructure, there are some privacy issues that need to be addressed.

While the value of cloud computing certainly holds much promise, companies wishing to make the leap into the cloud would be well advised to consider the potential privacy issues.  Cloud computing, in its essence, is the migration or outsourcing of computing, hardware and storage functions to a third-party service provider, which hosts applications on the Internet through linked servers located worldwide.  Cloud computing has captured the attention of IT professionals because it offers the appealing option of reducing a company’s computer infrastructure and placing it in the hands of a vendor who can perform a company’s computing needs more cheaply and efficiently than the company can itself.

The very newness of cloud computing means that its privacy implications have only begun to be addressed, but as cloud computing becomes more commonplace, countervailing privacy obligations are sure to collide with this innovative concept. Any company transferring its computing activities to the “cloud” risks running afoul of countries’ laws governing data protection, most notably in the European Union, which arguably has the world’s most stringent data protection laws.

In converting to cloud computing, companies are essentially handing over their data to third-party application service providers, who store and process such data in the “cloud,” which could be anywhere in the world—usually, a company computing in the cloud does not know at any given time in what country its data resides. For example, instead of its data being stored on the company’s servers, data is stored on the service provider’s servers, which could be in Europe, in China, or anywhere else. This central tenet of cloud computing conflicts with the EU’s requirements that a company know where the personal data in its possession is being transferred to at all times. As a result, cloud computing poses special problems for multinationals with EU employees or customers, such as:

  • The EU Data Protection Directive places restrictions on the transfer of personal data from Europe to nations (such as the U.S.) whose data protection laws are not judged “adequate” by EU standards.  As a result, using cloud computing (in which, for efficiency, data may be housed on servers worldwide), could run afoul of EU data protection law unless measures are taken to bring the international data exports into compliance with European law.

 

  • The U.S. Safe Harbor Program — perhaps the most common means of compliance with EU requirements imposed when transferring the personal data of EU citizens to the U.S. — may not satisfy a multinational’s EU legal obligations, because, in cloud computing, data could be stored on servers outside of both Europe and the U.S., making the Safe Harbor Program ineffective.

 

  • The use of Binding Corporate Rules — the newest method of EU international data transfer compliance — used alone also may be insufficient, because, in cloud computing, personal data will be transferred outside of the corporate “group” that is bound by the corporate rules.

 

  • International data transfer issues aside, companies also will need to consider other privacy concerns when computing in the cloud, such as the possibility that data stored with another entity may be subject to subpoena and disclosed to the government of the jurisdiction where the cloud servers are located, perhaps without the company’s permission or knowledge.


Of course, one way to comply with the EU Data Directive would be to ensure that EU personal data does not leave Europe in the first place.  In fact, one cloud computing application service provider offers its customers the option to store their data only on European servers (for a higher fee, naturally).  However, that will be an impractical solution as it will limit the very flexibility and efficiency that cloud computing was designed to provide.


This brief analysis is not to suggest that all instances of cloud computing are per se unlawful under European law.  However, the very qualities of cloud computing that make it so intriguing and useful as an alternative to standard computing configurations are also the same aspects that raise data protection concerns.  Given the enormous potential and benefits of computing in the cloud, it seems that, once again, the law needs to catch up to technology.