EC Proposal For New Data Protection Regulation

Posted on January 27, 2012 by Peta-Anne Barrow

The European Commission (the “EC”) has announced its anticipated comprehensive reform of EU data protection rules, intended to strengthen online privacy rights and boost Europe's digital economy. The proposal is intended to update and modernize the principles enshrined in the 1995 Data Protection Directive. If approved, unlike the current rules which give each of the 27 member states of the EU (the “member states”) some flexibility as to how the 1995 Data Protection Directive is implemented in their jurisdiction, the new law would apply directly so that there would be an entirely uniform set of data protection standards across the EU.

Key changes include...

  • Extra-territorial reach: The rules would apply to any processing of personal data related to EU citizens and non-EU citizens living in the EU, even where the data controller is located in a country outside of the EU. Further, Binding Corporate Rules (which have, to date, been used to legitimize transfers among members of the same corporate group only) are also explicitly addressed in the proposed rules, lending them additional support as a mechanism to transfer personal data and simplifying the approval process.
  • Data Protection Regulator: Data controllers and data processors would be regulated by the data protection regulator in the EU country where they have their “main establishment,” creating a simplified “one-stop-shop” approach.
  • Data Protection Officers: Public authorities and private companies with more than 250 employees would have to appoint a data protection officer to ensure data protection compliance.
  • Reporting Obligations: The current obligation requiring companies to notify data protection supervisors of all data protection activities would be repealed. A company would however be required to notify its national data protection regulator of a personal data breach without undue delay and, where feasible, not later than 24 hours of becoming aware of it.
  • Right to Data Portability: Individuals would have easier access to their own data and be able to transfer personal data from one service provider to another more easily. This change is intended to improve competition among services.
  • Right to be Forgotten: Data controllers would be required to delete an individual’s personal data if that person explicitly requests deletion or otherwise when there is no other legitimate reason to retain it.
  • Powers of National Data Protection Authorities: The powers of national data protection authorities would be strengthened so they can better enforce the EU rules in their jurisdictions. They would be empowered to fine companies that violate certain EU data protection rules up to €1 million or up to 2% of the company’s global annual turnover.
  • Explicit Consent: Consent to process data would be required to be explicit (rather than merely assumed). Further, parental consent would be required to be obtained when processing personal information from children who are under 13 years old.
  • Obligations to Demonstrate Compliance: Companies would be required to adopt measures to document and demonstrate compliance with the new rules.

The EC’s proposals (including this Regulation Proposal and this Directive Proposal) have been passed from the EC to the European Parliament and EU member states for discussion. It is anticipated that the new rules will take effect two years after they have been adopted—hence they are unlikely to be effective prior to 2014.
Tags: , , , , ,

Oh, behave: EU cracks down on behavioral targeting in the U.K.

Posted on April 17, 2009 by Proskauer Rose LLP
The European Commission announced this week that it might sue the United Kingdom if that country fails to limit the tracking and collection of users’ Internet browsing habits and personal information without prior consent. The United Kingdom until now has adopted a self-regulatory approach similar to that followed by the Federal Trade Commission (we reported on the FTC’s revised behavioral marketing principles in this blog post). However, the European Commission has suggested that such an approach is insufficient because user consent is not obtained prior to collection.

According to reports, the Commission appears to be concerned that the U.K.’s failure to require that behavioral marketers obtain user consent before tracking Internet behavior violates the European Union’s strict Data Privacy Directive. The Directive prohibits the "processing" (very broadly defined) of EU residents’ personal information (also very broadly defined) without such residents’ consent.

Tags: , , ,

European Commission Data Protection Working Party Issues Opinion on Search Engine Data Protection

Posted on April 22, 2008 by S. Montaye Sigmon
The European Commission Article 29 Data Protection Working Party (“Working Party”) recently released its opinion on data protection issues related to search engines. The opinion specifically addresses the applicability of the Data Protection Directive (95/46/EC) and the Data Retention Directive (2006/24/EC) to the processing of personal data by search engines.

Definition of Personal Data

According to an earlier opinion issued by the Working Party, personal data includes an individual’s Internet search history if the individual to whom it relates is identifiable. In this most recent opinion, the Working Party found that, although IP addresses are not usually directly identifiable by search engines, the necessary data usually is available to identify the user(s) of the IP address. Therefore, unless a search engine operator can ensure “with absolute certainty” that data corresponding to users cannot be identified, it must treat all IP information as personal data.  

Scope

Article 4 of the Data Protection Directive provides that each Member State will apply its national data protection law to data processing in certain circumstances. The Working Party concluded that the Data Protection Directive applies even where a search engine company’s headquarters is outside the European Economic Area. Where the search engine service provider is not based in one of the Member States, the Data Protection Directive applies where either: (a) the search engine provider has an establishment in a Member State; or (b) the search engine makes use of equipment in the territory of a Member State. “[U]se of equipment” includes a user’s personal computer.

Thus, in the case of multi-national search engine providers:

  • Those that are established in a Member State are subject to the Member State’s national data protection laws in which the search engine provider is established;
  • Those that are not established in a Member State are subject to the Member States’ national data protection laws in each Member State in which the service provider makes use of equipment in the territory of that Member state for the purposes of processing personal data (e.g., the use of a cookie).

The Working Party expressly excluded from its opinion search functions on websites that were limited to searching only the website’s own domain. 

Processing of Personal Data

The Working Party Opinion found that, in general, search engines must only process personal data for legitimate purposes and the amount of data processed and/or retained must be relevant to and not excessive in respect of the purposes to be achieved by the processing. Search engine providers are “fully responsible under data protection laws for the resulting content related to the processing of personal data.” Specifics are outlined below.

Collection and Processing

The Working Party found that collection and processing of personal data must be based on at least one legitimate ground. Legitimate grounds include:

(1)   Consent of the user for the search engine provider to use specified data for a specified purpose (Data Protection Directive Art. 7(a));

(2)   Necessary for the performance of a contract (Data Protection Directive Art. 7(b)) – however, the Working Party expressly rejected any argument that users enter into a de facto contractual relationship when using services offered by a search engine provider;

(3)   Necessary for the purposes of a legitimate interest pursued by the controller (Data Protection Directive Art. 7(f)):

(a)    Service improvement – however, this is not a legitimate reason for storing data that has not been anonymized;

(b)   Systems security – however, any personal data stored for system security must be subject to a strict purpose limitation and cannot be used for any other purpose;

(c)    Fraud prevention – however, the amount of personal data stored and/or processed and the amount of time it is retained depends on whether and for how long the data is necessary for fraud detection and prevention;

(d)   Accounting – the Working Party expressed “serious doubts that personal data of search engine users are really essential for accounting purposes” and called on search engine providers to develop accounting mechanisms that are more privacy-friendly;

(e)    Personalized advertising – the Working Party expressed its “clear preference for anonymi[z]ed data”;

(f)     Law enforcement and legal requests – the Working Party recognized that search engine providers must comply with legitimate requests from law enforcement and legal orders, but noted that “compliance should not be mistaken for a legal obligation or justification for storing such data solely for these purposes.”

Retention

The Working Party found as follows:

(1)   The Working Party sees no basis for a retention period of more than six (6) months in any instance and the retention period should be “no longer than necessary for the specific purposes of the processing.” Where data is retained for longer than six (6) months, a search engine provider must demonstrate that such retention “is strictly necessary for the service.”

(2)   Search engine providers must delete personal data when a legitimate purpose no longer exists; in the alternative, search engine providers may anonymize data as long as the anonymization is completely irreversible.

(3)   Search engine providers must inform users about the applicable retention policies for all types of user data they process.

Other Specific Practices

The Working Party found as follows:

(1)   Persistent cookies containing a unique user ID are personal data and should be defined to allow an improved web surfing experience and a limited cookie duration. Moreover, users must be informed about the use and effect of cookies.

(2)   Where search engine providers utilize a cache functionality, they should only retain content in a cache for the “time period necessary to address the problem of temporary inaccessibility to the website itself” – any caching period of personal data contained in indexed websites beyond this necessity of technical availability should be considered an independent republication.

(3)   Correlation of personal data across services and platforms for authenticated users can only be legitimately done based on informed consent by the user.

(4)   Search engine providers may not suggest that using their service requires a personalized account by automatically re-directing unidentified users to a sign-in form for a personalized account.

User Rights

The Working Party found that users of search engines have the right to inspect and correct, where inaccurate or unnecessary, all their personal data collected by search engine providers.
Tags: , , , , , , , , , , , , , ,