European Privacy Law And Social Networking

Posted on July 7, 2009 by Cecile Martin

 

With social networking sites proliferating across international boundaries, privacy and data protection concerns are becoming increasingly relevant. With these concerns in mind, the Article 29 Working Party, an independent European advisory body on data protection and privacy, adopted an opinion on online social networking on June 12, 2009.

As noted by the Working Party, the personal information a user posts online combined with the data outlining the user’s actions and interactions with other people can create a rich profile of that person’s interests and pose major risks such as identity thefts, loss of employment or business opportunities.  In this new era of social networking, no longer are even the most secretive organizations free from the public eye. Just last Sunday, a British tabloid published revealing photos, taken off of a social networking website, of the soon-to-be chief of the country’s foreign intelligence service, MI6.

 

The opinion focuses on how the operation of social networking sites can meet the requirements of EU data protection legislation, and advises social network service (hereafter “SNS”) providers what measures must be in place to ensure compliance. Companies that make applications for or utilize social networking sites should be mindful of their obligations under EU law, as well.

 

An SNS is defined as an online communication platform which enables individuals to join or create networks of like-minded users. Usually, these services invite users to provide personal data, post their own material, and interact with other contacts who use the service. Well-known examples would include Facebook, Twitter, and MySpace. Under the EU’s 1995 Data Protection Directive (95/46/EC) (the "Directive), SNS providers are considered data controllers, which are subject to several of the Directive’s provisions, even if their headquarters are outside the European Economic Area. Among their obligations:

 

Security and Default Privacy Settings – Data controllers must take technical and organizational measures that will maintain the security of the users.  The Working Party recommends that SNS providers offer default privacy settings that restrict viewing the user’s profile to self-selected contacts.

 

Information to be Provided by SNS – SNS providers must inform users of their identity and their purposes in using personal data. The Working Party recommends that providers inform users of the privacy risks both to users and third parties of uploading information.  If third party information or pictures are uploaded, it should be done with that individual’s consent. They should also provide information and adequate warning to users about privacy risks when uploading data on the SNS.

 

Sensitive Data – Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, health, or sex life may only be published with the explicit consent from the data subject or if he has made the data public himself. It is therefore incumbent upon the SNS to make it clear that answering any questions regarding such sensitive data is completely voluntary.

 

Processing Data of Non-Members – SNS providers may not use independently gathered information to create profiles for those who are not members of the service.

 

Third Party Access – When SNS providers offer additional applications on their service by third parties, or make their service available on third party hardware (mobile phones) or software (outside websites), they should ensure that the third parties only have access to necessary personal data and provide a mechanism whereby users can report concerns about applications.

 

Legal Grounds for Direct Marketing – Marketing activity by SNS providers is permissible, but it must comply with the Data Protection and ePrivacy Directives.

 

Retention of Data – Personal data of users should not be kept after their accounts are deleted.  When a user is inactive for a period of time, his profile should become invisible to the outside world and eventually the user should be notified that the data will be deleted.

 

Respecting the Rights of Users – Members and non-members whose information is processed by an SNS should have rights to access, correct, and delete their data. Further, because data is not to exceed the purposes for which it is being collected, SNS providers should consider giving users the choice of using pseudonyms in place of their real names.

 

Protecting Children – SNS providers should be especially attentive to protecting the data of minors. The Working Party recommends not asking minors for sensitive data in subscription forms, not directly marketing to minors, ensuring the prior consent of parents before subscribing, having suitable degrees of separation between communities of children and adults, and providing adequate age verification software.

 

Users of social networking sites are considered data subjects rather than data controllers, so they are generally exempt from the above responsibilities. However, this is not always the case. When a user processes personal data for more than purely personal or household activity, he or she is no longer covered by the so-called “household exemption” that excepts him or her from the Directive’s mandates. Examples of non-personal activity are using the SNS on behalf of a company or association, using the SNS mainly as a platform to advance commercial, political, or charitable goals, or having a high number of contacts, some of whom he may not actually know. When this occurs, the user assumes the full responsibilities of a data controller.

 

Thus, companies that do not operate an SNS may still governed by the Directive merely by virtue of using the service. Where the company is collecting personal information (e.g. through applications or otherwise), it should take heed of the foregoing recommendations, such as getting consent from parties before publishing their personal information and images, only using necessary personal data, deleting personal information after an account has been removed, and having a mechanism users can employ to voice privacy concerns about the application.

 

Proskauer summer associate Adam Freed contributed to this post.

Tags: , , , , , , ,

Google Execs Face Privacy-Related and Other Criminal Charges for Taunting Video

Posted on February 4, 2009 by Brendon Tavelli

Several Google executives, including the Company’s global privacy counsel, Peter Fleischer, will face criminal charges in Italian court stemming from Italian authorities’ two-year investigation of a video posted on Google Video showing a disabled teen being taunted by classmates. The video, posted in 2006, depicts four high school boys in a Turin classroom taunting a classmate with Down syndrome and ultimately hitting the young man over the head with a box of tissues. Google removed the video on November 7, 2006, less than twenty-four hours after receiving multiple complaints about the video. Nonetheless, Fleischer and his Google colleagues face criminal charges of defamation and failure to exercise control over personal information that carry a maximum sentence of three (3) years.

According to the International Association of Privacy Professionals, which broke the story on February 2, 2009, the charges against Fleischer are believed to be the first criminal sanctions pursued against a privacy professional for his company’s actions. Under European Union legislation that was incorporated into Italian law in 2003, Internet service providers (“ISPs”) are not responsible for monitoring third-party content posted to their sites, but are required to remove offensive content if a complaint is received. These laws offer to ISPs protections that are similar to those found under U.S. law in Section 230 of the Communications Decency Act of 1996. (See our Section 230 posts here.) But Italian authorities, specifically Milan public prosecutor Francesco Cajani, are prosecuting Google as an Internet content provider, rather than as an ISP, and Italy’s penal code states that such providers are responsible for third-party content on their sites. Cajani believes that Google, and its executives, violated this provision by allowing the 191-second clip to be uploaded to its video site.

On February 3, the Italian judge hearing the case -- which is expected to be ongoing for months -- suspended the proceedings until February 18 to consider procedural issues, but Google maintains that it did not violate any laws with respect to the video posting.  Also on February 3, the City of Milan joined the case with civil charges that Italian lawyers have cited as the rough-equivalent of class-action suit in the United States.  The city, according to Rocco Panetta, an Italian lawyer with Portolano Colella Cavallo, is representing several individuals it claims were injured by Google.

 

In a statement released on February 2, Google expressed sympathy for the victim’s family, but insisted that “We feel that bringing this case to court is totally wrong.  It’s akin to prosecuting mail service employees for hate speech letters sent in the post. What’s more, seeking to hold neutral platforms liable for content posted on them is a direct attack on a free, open Internet.  We will continue to vigorously defend our employees in this prosecution.” Google’s public policy counsel for Google Italia, Marco Pancini, further commented that “We are confident the process will end in our favor.”
Tags: , , , , , , , , , , , , , ,

U.K. ICO May Impose Fines for Data Breaches

Posted on May 27, 2008 by Proskauer Rose LLP

A new Act of Parliament gives the United Kingdom’s Information Commissioner’s Office (ICO) the authority to impose monetary penalties for misuse of personal data in violation of section 55 of the Data Protection Act of 1998 (DPA).

For some years, the ICO has had only limited means of securing compliance with section 55 of the DPA, which makes it a criminal offense to knowingly or recklessly obtain or disclose personal data without consent. While the ICO has had the power to take action against individuals who violated section 55, the imposition of a penalty was left to the courts.

All this changed on May 9, 2008 with the enactment of the Criminal Justice and Immigration Act. The Act grants the ICO the power to impose fines directly for violations of section 55 of the DPA. This increase in the ICO’s authority mirrors that of other U.K. regulators like the Financial Services Authority, which in 2001 obtained the power to impose fines on banks and other financial institutions for data security failures.

Proskauer summer associate Noemi Blasutta contributed to this post.
Tags: , , , , , , , , , , , , ,

European Commission Data Protection Working Party Issues Opinion on Search Engine Data Protection

Posted on April 22, 2008 by S. Montaye Sigmon
The European Commission Article 29 Data Protection Working Party (“Working Party”) recently released its opinion on data protection issues related to search engines. The opinion specifically addresses the applicability of the Data Protection Directive (95/46/EC) and the Data Retention Directive (2006/24/EC) to the processing of personal data by search engines.

Definition of Personal Data

According to an earlier opinion issued by the Working Party, personal data includes an individual’s Internet search history if the individual to whom it relates is identifiable. In this most recent opinion, the Working Party found that, although IP addresses are not usually directly identifiable by search engines, the necessary data usually is available to identify the user(s) of the IP address. Therefore, unless a search engine operator can ensure “with absolute certainty” that data corresponding to users cannot be identified, it must treat all IP information as personal data.  

Scope

Article 4 of the Data Protection Directive provides that each Member State will apply its national data protection law to data processing in certain circumstances. The Working Party concluded that the Data Protection Directive applies even where a search engine company’s headquarters is outside the European Economic Area. Where the search engine service provider is not based in one of the Member States, the Data Protection Directive applies where either: (a) the search engine provider has an establishment in a Member State; or (b) the search engine makes use of equipment in the territory of a Member State. “[U]se of equipment” includes a user’s personal computer.

Thus, in the case of multi-national search engine providers:

  • Those that are established in a Member State are subject to the Member State’s national data protection laws in which the search engine provider is established;
  • Those that are not established in a Member State are subject to the Member States’ national data protection laws in each Member State in which the service provider makes use of equipment in the territory of that Member state for the purposes of processing personal data (e.g., the use of a cookie).

The Working Party expressly excluded from its opinion search functions on websites that were limited to searching only the website’s own domain. 

Processing of Personal Data

The Working Party Opinion found that, in general, search engines must only process personal data for legitimate purposes and the amount of data processed and/or retained must be relevant to and not excessive in respect of the purposes to be achieved by the processing. Search engine providers are “fully responsible under data protection laws for the resulting content related to the processing of personal data.” Specifics are outlined below.

Collection and Processing

The Working Party found that collection and processing of personal data must be based on at least one legitimate ground. Legitimate grounds include:

(1)   Consent of the user for the search engine provider to use specified data for a specified purpose (Data Protection Directive Art. 7(a));

(2)   Necessary for the performance of a contract (Data Protection Directive Art. 7(b)) – however, the Working Party expressly rejected any argument that users enter into a de facto contractual relationship when using services offered by a search engine provider;

(3)   Necessary for the purposes of a legitimate interest pursued by the controller (Data Protection Directive Art. 7(f)):

(a)    Service improvement – however, this is not a legitimate reason for storing data that has not been anonymized;

(b)   Systems security – however, any personal data stored for system security must be subject to a strict purpose limitation and cannot be used for any other purpose;

(c)    Fraud prevention – however, the amount of personal data stored and/or processed and the amount of time it is retained depends on whether and for how long the data is necessary for fraud detection and prevention;

(d)   Accounting – the Working Party expressed “serious doubts that personal data of search engine users are really essential for accounting purposes” and called on search engine providers to develop accounting mechanisms that are more privacy-friendly;

(e)    Personalized advertising – the Working Party expressed its “clear preference for anonymi[z]ed data”;

(f)     Law enforcement and legal requests – the Working Party recognized that search engine providers must comply with legitimate requests from law enforcement and legal orders, but noted that “compliance should not be mistaken for a legal obligation or justification for storing such data solely for these purposes.”

Retention

The Working Party found as follows:

(1)   The Working Party sees no basis for a retention period of more than six (6) months in any instance and the retention period should be “no longer than necessary for the specific purposes of the processing.” Where data is retained for longer than six (6) months, a search engine provider must demonstrate that such retention “is strictly necessary for the service.”

(2)   Search engine providers must delete personal data when a legitimate purpose no longer exists; in the alternative, search engine providers may anonymize data as long as the anonymization is completely irreversible.

(3)   Search engine providers must inform users about the applicable retention policies for all types of user data they process.

Other Specific Practices

The Working Party found as follows:

(1)   Persistent cookies containing a unique user ID are personal data and should be defined to allow an improved web surfing experience and a limited cookie duration. Moreover, users must be informed about the use and effect of cookies.

(2)   Where search engine providers utilize a cache functionality, they should only retain content in a cache for the “time period necessary to address the problem of temporary inaccessibility to the website itself” – any caching period of personal data contained in indexed websites beyond this necessity of technical availability should be considered an independent republication.

(3)   Correlation of personal data across services and platforms for authenticated users can only be legitimately done based on informed consent by the user.

(4)   Search engine providers may not suggest that using their service requires a personalized account by automatically re-directing unidentified users to a sign-in form for a personalized account.

User Rights

The Working Party found that users of search engines have the right to inspect and correct, where inaccurate or unnecessary, all their personal data collected by search engine providers.
Tags: , , , , , , , , , , , , , ,

Dubai Becomes First Arab Nation to Enact Data Protection Law

Posted on April 19, 2007 by Jeremy Mittman

Dubai recently became the first Arab nation to enact a substantial Data Protection Law (DIFC Law No. 1 of 2007) that aims to protect the personal information of its citizens.  In a statement announcing the new law, Dubai called the enactment "pioneering in the region" and an examination of the law reveals that the description is rightly deserved.   The new law will have immediate implications for companies operating in Dubai (and especially those companies that transfer data from one office to another), such as Halliburton, the giant energy company, which recently announced that it is moving its global headquarters from Texas to Dubai.    

 

 

Following a period of public consultation, Dubai (the Dubai International Financial Center, or DIFC) strengthened its previous data protection law of 2004, giving it some extra teeth and enhanced enforcement powers by a newly created independent Office of Commissioner of Data Protection.   The law protects all "personal information", which is broadly defined as "any information relating to an identifiable natural person."  The law also protects "sensitive data" such as information about a person's political affiliation or racial identity.  

Arguably the most significant aspect of the new law is its international transfer provisions, codified at Articles 11 and 12, which govern the transfer of personal data out of the DIFC to third countries.  Like the European data directive, the Dubai law allows for the transfer of personal information to countries that offer an "adequate level of protection."  Transfer of information to countries that fall short of providing the adequacy requirement (such as, presumably, the United States) is permitted-- provided, however, the newly appointed data protection Commission gives its consent to the transfer.  

The new law's regulations specify that a data controller (e.g. an employer) must apply to the Commissioner of Data Protection for a permit to transfer the data to a country with less than adequate protection.  Unfortunately, however, the regulations do not specify which countries qualify as those that do offer an adequate level of protection-- although one would not be surprised if Dubai simply adopted the EU's list of "certified" countries, such as Argentina, Switzerland, Canada, and the Isle of Man.  

Fortunately, the application process is greatly simplified by a well-drafted and user-friendly application that may be filled out by the data controller and sent to the Commissioner (there is no fee for the application to seek a permit to transfer data; nor is there a fee to apply for a permit to process sensitive data, also required under the Act).    

While it remains to be seen how strictly the new data protection law is enforced, employers operating in Dubai would be well-advised to comply with its provisions.   Based on the text of the law and its similarities to the EU model, one would not be surprised to find the EU soon anointing Dubai as the first Arab nation to have a data protection law that offers substantially similar protections, allowing for the free transfer of data.
Tags: , , , , ,