RESPONSIBILITY FOR PRIVACY VIOLATIONS IN USER GENERATED CONTENT PROVIDERS (GOOGLE CASE IN ITALY) 07/29/2010

By Raul Mendez, LLM Information Technology Law, Digital Privacy Professional.

On April 12th, 2010, the Honorable Judge Oscar Magi, Judge for the Tribunale Ordinario di Milano, in composizione Monocratica, Sezione 4 Penale (Milan Court), filed a document entitled Sentenza N. 1972/2010. This Sentenza may be regarded as the most shocking event in the field of privacy duties imposed on Data Controllers (DC) and data controllers' officers since the enactment of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (privacy directive). The document created by Judge Magi was the direct result of a guilty verdict imposed on: a) David Carl Drummond, b) George De Los Reyes, and c) Peter Fleischer under Legge 31 Dicembre 1996 n. 675, as punishable under article 167, comma Secondo del DLgs 30 Giugno 2003 n. 1996 (criminal charge). The guilty verdict was handed down by the Honorable Judge Magi on February 24th, 2010. A fourth person, Arvind Desikan, was accused under the same cause number for the same crimes, but was found not guilty of all charges. When the Sentenza was filed, Judge Magi had already sentenced, in absentia, all of the defendants to a six-month prison term, with all of the time suspended.

The Sentenza handed down by Judge Magi raises a multiplicity of issues. Particularly problematic are the exposure to criminal liability and the chilling effect this decision will bring. The attached thesis analyzes the following areas:

Nature of the Charges: This section will explain the three different charges brought against the defendants and the ultimate resolution of each of the charges.

The Facts of the Case: This section will discuss the facts as they were found by the court. The role of each defendant and of Google Inc. will be presented in separate sections.

Background For User Generated Content Providers (UGCPs): This section will explore the roots of the movement and the technologies behind it.

Conflict Of Laws: This section will discuss the specific issues created when one or more countries' laws affect the outcome of a dispute. The discussion is divided into two parts: 1) jurisdiction and 2) choice of law.

The Privacy Directive: This section will explore the roots of the privacy directive, the inherent struggle between United States laws and European Union directives, and the amalgamation of laws. Most importantly, this author will explain the basis of jurisdiction over Data Collectors based wholly outside the European Union.

Jurisdictional Issues: Should Italian law and European Union directives be applied to the Google case, even though Google's servers and the uploaded data are located outside the jurisdiction of Italy and the European Union?

Personal Data: Did the Italian court apply the wrong criteria for the classification of personal data, and would it make any difference to the outcome?

Exemption Under Host-Service Provider Classification: Does European Union Directive 2000/31/EC (e-commerce directive) protect Google from liability?

If you would like to contact Raul, either email raulmendez1@earthlink.net or call 206.264.0849.
THE UNITED STATES OF MEXICO'S PRIVACY LAW 07/23/2010

By Raul Mendez, LLM Information Technology Law, Digital Privacy Professional.

On the 29th of this month, IAPP will have a webcast regarding the newly enacted Mexican privacy law. The speakers will have a more in-depth discussion.

On April 27th, 2010, the Senate of the Republic of the United States of Mexico (Mexico) enacted the country's first Personal Privacy Protection Law. It is entitled Ley Federal de Proteccion de Datos Personales en Posesion de los Particulares (Law).[1] According to Professor Lina Ornelas, General Director for Classified Information and Personal Data (IFAI, Mexico),[2] the law is the culmination of tireless efforts.[3]

THE GOAL
The Law's goal is to provide individuals with the tools needed to enforce their right to protect their personal data. The right to protect one's personal data is considered a Third Generation right.[4] Third Generation Rights emanate from a framework of multinational human rights declarations and treaties. Examples are the Declaration of the United Nations Conference on the Human Environment (Stockholm Declaration)[5] and the 1992 Rio Declaration.[6] The concept of Third Generation Rights was coined in Europe, and such rights are considered "Soft Law" by many. Experts and scholars in the human rights field disapprove of the term "Soft Law." They are called "Soft Law" because they are not formally part of any written statute. However, countries have actually codified some Third Generation Rights. Privacy is the perfect example of a former "Soft Law" which has been codified.

THE RIGHT TO PROTECT ONE'S PERSONAL DATA
Mexico, just like the European Union, has codified the privacy rights of individual persons. Two concepts are included in the right to protect one's personal data:
1) Protection of the fundamental right of individuals to protect their own person in the context of the processing of personal data.
2) The power of determining who is able to receive and access one's personal data, where the personal data will be stored, and for what reason.[7]
The European Union Privacy Directives and the Privacy Law in Mexico both aim to include the above-mentioned concepts. It could be said that countries that adequately protect an individual's privacy share these concepts.

THE MONTEVIDEO MEMORANDUM
One of the major driving forces in the shaping and forming of the Privacy Law in Mexico may be attributed to the commitment of Professor Lina Ornelas. Professor Ornelas obtained her Law Degree from the Faculty of Law at the University of Guadalajara, Mexico. She then obtained her Masters in Law and International Cooperation from the Vrije Universiteit Brussel in Belgium. Professor Ornelas has also developed her professional skills in the public sector in Mexico and Europe. She has successfully held positions in the Ministry of Economy, the State Department in Mexico and the European Commission.[8] Given her educational background and professional experience, one may state that she is an expert in the field of personal data protection and international human rights. Additionally, she supports the protection of Third Generation privacy rights. In March 2010, Professor Ornelas published an article in the Privacy Advisor of the International Association of Privacy Professionals. In this article, Professor Ornelas discussed many issues regarding the Montevideo Memorandum.[9] Professor Ornelas was one of the creators of the memorandum. The Montevideo Memorandum is a project sponsored by the Canadian Government through an agency called Centro Internacional de Investigaciones para el Desarrollo and the Agencia Canadiense de Desarrollo Internacional, Ottawa, Canadá.[10] The Memorandum is composed of recommendations.[11] The recommendations are meant to increase the protection of children who use social networks on the internet.

Other memorandum participants included Brazil, Spain, Uruguay, Ecuador, Chile, Colombia, Argentina and Mexico. Neither the FTC nor any other agency of the U.S. sponsored or participated in the drafting of the Memorandum. However, representatives of Microsoft and Google and other members of the industry attended the workshop. According to Professor Ornelas, Microsoft and Google pledged their full support for any initiative that ensured the creation of a safer internet for children. She also indicated that the Congress of the Republic of Mexico, at the time, emphasized that Mexico needed a federal law which protected personal data. Congress expressed that the federal law would include the Montevideo Memorandum's principles as well as other international privacy standards. Thus, it could be said that the protection of children may have been one of the many catalysts which led Congress to create the Privacy Law. The framework is one that seeks to protect children and adolescents within a larger general law, a lex generalis. A perfect example of such a generalized law is the European Union Privacy Directive.[12]

THE EUROPEAN INFLUENCE
On page 27 of the Montevideo Memorandum, under the heading "General Considerations," it states that in order to find consensus, rationality and a balance between privacy rights and the risks involved in the information and knowledge society, it considered the following documents:
1) Settlement of the judicial conflict between the Federal Public Ministry of Brazil and Google (dated July 1st, 2008);
2) the Child Online Protection Initiative of the International Telecommunication Union (dated 18 May, 2009);
3) Opinion 5/2009 on online social networking, by the Article 29 Working Party (dated June 12th, 2009);
4) the Report of Findings into the Complaint Filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) against Facebook Inc. (dated July 16th, 2009).[13]
COPPA was not included as one of the documents considered.

MADRID RESOLUTION
On November 6th, 2009, fifty DPAs from around the world announced the Madrid Resolution. The resolution was created in a closed-door meeting. All participating countries' DPAs agreed with the resolution. Additionally, ten different multinational corporations agreed to implement the resolution.[14] The Mexican Privacy Law is almost a mirror image of the Madrid Resolution. Presumably, all 50 members will have to make their laws support the resolution. The Working Party has called upon the European Commission to reform the European Union Privacy Directives. The Working Party expressed that "[t]he basic principles for data protection, as laid down in the 'Madrid Resolution', should be the universal basis for such legislation."[15] It is fair to conclude that the Madrid Resolution will eventually become the standard for privacy throughout the world. In theory, if ad networks, software makers and hardware makers create products which comply with the Madrid Resolution, there will be no conflict.

SIMILARITIES BETWEEN THE MEXICAN LAW AND THE EUROPEAN UNION PRIVACY DIRECTIVE
When the Mexican Privacy Law and the European Union Directives are compared, many similarities are present. For example, Chapter 1, Article 3.V defines personal data in the same manner the European Union Privacy Directives define personal data. Under the same chapter, Article 3.VI defines Sensitive Personal Data in the same manner it is defined in the European Union Privacy Directives. Additionally, the promotion of an "Information Society" is of great importance. The Law's concern for the "Information Society" appears to be as consistent as it is in the European Union Directives. Unfortunately, the definition of an "Information Society" is not included in the Law or in the European Union Privacy Directives. Article 1 commences by describing the purpose of the Law. The last sentence of Article 1 indicates that one of the objectives of the Law is to ensure privacy. Privacy is not defined in the Law, although it is mentioned thirty-four times. The European Union Directives also fail to provide a definition of privacy. One other similarity is the use of Binding Corporate Rules. The Law allows the use of Binding Corporate Rules for the transfer and sharing of protected data. Data controllers are not required to ask for permission from the Data Protection Authority when using Binding Corporate Rules. The flow of information within a corporation and to third parties may take place freely, as long as the corporation and the third parties adhere to the Law and to the privacy notice provided to and authorized by the user. The user must be fully informed and must agree of his own volition to the dissemination, use and storage of his personal data. After reviewing the Law, one may conclude that the Privacy Law of Mexico is influenced by human rights opinions and treaties, the Madrid Resolution, the European Union Privacy Directives, the Working Party's opinions and adopted documents, and case law developed in the European Union. Presumably, Mexico's privacy law will be applied just as consistently as privacy law is applied today by the European Union and by governments who have decided to protect privacy as a fundamental right.

EXPECTATIONS FROM THE DATA CONTROLLERS AND DATA PROCESSORS
The Privacy Law requires strict adherence to the following principles:

I found some of the principles to be more problematic than others. For example, there is a need to have a written document if sensitive data will be processed. This document may be a physical document with the signature of the user, but it is also acceptable to use an electronic signature or any other method of authentication. When sensitive personal data is processed, there has to be a justification for the processing. There have to be concrete and lawful reasons for the processing of the data. Data controllers and processors shall afford users the same level of protection that data controllers and processors use for their own data.

WHAT MAY BE ENCOURAGING ABOUT THE LAW
I do not believe that this law may be more restrictive than laws currently used by some of the European Union Members. Most importantly, THERE IS NO COOKIE DIRECTIVE.[16] However, it remains to be seen if the Law assumes that the cookie directive is already built into the Law as written. As stated above, the exchange of information may be seamless when data controllers and processors adhere strictly to the privacy policies authorized by the user. Corporations may communicate data with all other branches located in Mexico or abroad if they subject themselves to Binding Corporate Rules, and there is no need to request approval or file any document with the Institute. Whether or not this will be allowed under the administrative rules is not yet known. Additionally, the Law supports self-regulation. It encourages industry to create rules and regulations that may be adopted into a deontological code. Copies and issuance of symbols of conformity may be issued and communicated to the authorities.

RIGHTS OF THE USERS
Users shall have the right to access, rectification, cancellation and objection regarding the data held by a controller. Nonetheless, this is subject to verification of identity. The rights of users are also extremely similar to those in the Madrid Resolution.[17]

PENALTIES
Civil penalties are varied, and the Law lists a total of nineteen possible infractions. Whether or not the list of violations is exhaustive, I am not sure. What I know with certainty is the possible fines that may be imposed. Fines will vary between 100 minimum daily wages and 640,000 minimum daily wages. The minimum wage rate used shall be the one applied in Mexico City. The current minimum wage is about $6.00 dollars a day. Thus, the minimum fine is $600.00 dollars and the maximum is $3,880,000.00 dollars. When it comes to criminal penalties, the grid below explains the possible criminal sanctions for violations of the Law. The only criminalized offense is the illegal processing of protected data. The actual processing must take place for guilt to be found.

CONCLUSION
All things considered, the Mexican Privacy Law is not as strict as some of the European Union members' privacy laws. One benefit is that nothing has to be kept on file with the Institute. The only instance when something must be filed is when a complaint is launched or there is an action taken by an authority. Currently, it is difficult to make accurate predictions of how the Law will be enforced, since the rules and regulations are not yet known to the public in general. Let's just hope that other countries who choose to follow the Madrid Resolution will enact laws that are not stricter.

If you want to contact me, you may email me at raulmendez1@earthlink.net or call 206.264.0849.

[1] http://www.ifai.org.mx/pdf/pot/marco_normativo/LFPDPPP.pdf
[2] Federal Institute of Access to Public Information (IFAI)
[3] Ms. Lina Ornelas is general director of classified information and data protection at the Federal Institute of Access to Public Information in Mexico. https://www.privacyassociation.org/publications/2010_04_30_mexico_passes_federal_data_protection_act/
[4] http://www.youtube.com/watch?v=zE0G7q7DrbA
[5] http://www.unep.org/Documents.multilingual/Default.asp?DocumentID=97&ArticleID=1503
[6] http://www.un.org/geninfo/bp/enviro.html
[7] Supra, Footnote 3.
[8] As Deputy General Director of the Unit for Legislative Studies at the State Department, she was part of the group that first wrote the initiative of the Access to Information Act presented by President Fox to Congress, and then negotiated for its approval. She was later Deputy General Director for the Promotion and Defense of Human Rights at said State Department. Since 2003, Mrs. Ornelas has been the General Director of Classified Information and Personal Data at the Federal Institute of Access to Public Information (IFAI), where she jointly drafted with the National Archives the general archival standards that apply to the federal government in Mexico. She is currently a member of the Ibero-American Net for the Protection of Personal Data.
[9] http://www.iijusticia.org/esp_port_eng_fran.pdf
[10] Id.
[11] Memorandum sobre la protección de datos personales y la vida privada en las redes sociales en Internet, en particular de niños, niñas y adolescentes
[12] Directive 95/46/EC
[13] Supra, Footnote 1 at 27.
[14] www.gov.im/lib/docs/odps//madridresolutionnov09.pdf
[15] The Future of Privacy: Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data, WP 168
[16] http://www.chiefprivacyofficers.com/1/post/2010/07/analysis-of-the-ec-cookie-directive.html
[17] Supra, Footnote 14.

Marcus Morissette, Managing Director, Concise Consulting

In a follow-on from an earlier post on this blog, Marcus Morissette continues to dig into the interpretation and applicability of Washington State HB1149.
In order to understand who should be concerned about the provisions contained in this law, and who benefits from it, we must identify the cast of characters. The following entities are defined in the law:
· Financial Institutions
· Businesses
· Processors
· Vendors
Let us review its definitions first, and then compare them with the definitions and obligations contained in the PCI DSS. I am going to list the definition from HB1149 and then follow it with the corresponding definition from the PCI DSS.

Who benefits?
HB1149 leverages the definition of a financial institution contained in RCW 30.22.040, which states that a "financial institution" means a bank, trust company, mutual savings bank, savings and loan association, or credit union authorized to do business and accept deposits in this state under state or federal law.
PCI DSS: In the context of the damage recovery language contained in the bill, it can be assumed this means primarily issuing banks (i.e. those financial institutions that, in the event of a breach, would have damages relating to the reissuance of cards).

Who pays?
HB1149 defines a "business" as an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity that processes more than six million credit card and debit card transactions annually, and who provides, offers, or sells goods or services to persons who are residents of Washington [emphasis added].
PCI DSS: Level 1 Merchants
HB1149 defines a "processor" as an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity, other than a business as defined under this section, that directly processes or transmits account information for or on behalf of another person as part of a payment processing service.
PCI DSS: Level 1 and 2 Service Providers
HB1149 defines a "vendor" as an individual, partnership, corporation, association, organization, government entity, or any other legal or commercial entity that manufactures and sells software or equipment that is designed to process, transmit, or store account information, or that maintains account information that it does not own.

So, who really should be concerned?
The only "businesses" subject to these provisions are Level 1 Merchants as defined by the PCI DSS (based on a transaction volume of 6,000,000). Further, it means that all Level 1 merchants across the country that provide, sell or even "offer" goods or services to Washington residents are subject to liability if they fail to use reasonable care to guard against unauthorized access to account information. However, the law contains a Safe Harbor provision for PCI DSS compliance, which would seem to exclude every Level 1 Merchant with an ounce of business sense and self-preservation, because Level 1 merchants are required to have a Qualified Security Assessor attest to their compliance with the PCI DSS annually. (See next week's post for a discussion of Reasonable Care and Safe Harbor.)

However, as defined in HB 1149, vendors and processors of all sizes and transaction levels are liable to financial institutions for their failure to use reasonable care. This means that Level 1 and 2 Service Providers as defined in the PCI DSS are subject to potential liability under this new law. However, Level 1 Service Providers (300,000 transactions or VisaNet processors) are also required to have a Qualified Security Assessor attest to their compliance with the PCI DSS annually. They should be well within the Safe Harbor provisions. Level 2 Service Providers are allowed to validate their compliance with the PCI DSS via a Self-Assessment Questionnaire (SAQ).

Vendors who develop payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. Such application vendors would have their development procedures and their products reviewed under the PA-DSS. Vendors that comply with the PA-DSS should also be "compliant" and protected by the Safe Harbor provisions (again, HB1149's Safe Harbor will be discussed in detail later).

So, a summary of these "definitions" would seem to make it about as clear as mud who is actually liable for damages under HB1149. It would appear that the likely candidates are:
· Level 2 Service Providers who failed to submit a valid SAQ
· Application Vendors that were somehow able to sell, distribute or license a payment application without obtaining PA-DSS compliance.
· Level 1 Merchants and Level 1 Service Providers that have decided not to comply with the PCI DSS, and/or who have somehow been unable to comply with it.
The liability provisions would seem to be another very good reason for all merchants and service providers to comply with the PCI DSS and to properly validate such compliance as required by the brands.

UPDATE 8/25: Our conclusion after talking to colleagues regarding this law is that a logical next step is to engage with the legislators who drafted the law, and who are in a position to collate and present changes so that a future version may appear with these issues resolved. This may be a lengthy process, but if we make progress, it will be posted here.

By Raul Mendez, LLM Information Technology Law, Digital Privacy Professional.

The Bavarian Lager case could possibly represent the biggest hurdle in achieving transparency for European Union institutions. If transparency is to be achieved, the Access to Documents Regulation[1] must be amended. The amended regulation should take into consideration the Opinion issued by the European Data Protection Supervisor (EDPS) in June 2008.[2]

TRANSPARENCY
Article 255 of the Treaty establishing the European Community, as amended by the Treaty of Amsterdam, gave any resident or citizen of the Member States the right to access all documents of the Parliament, the Commission and the Council. This right was to be regulated by Regulation (EC) No 1049/2001.[3] Two additional important features were included in Regulation 1049/2001:
1) The EU institutions are assigned the same rights and obligations as the Member States' institutions have in the context of access to all documents;
2) The EDPS, an independent officer, is created. His duties include monitoring the implementation of access to European Union documents.
It is fitting to recognize that before 2001, the EU institutions were not required to have an open records regulation.

THE AMENDMENT
By 2007, a body of law had been formed, and the agencies had gained the necessary experience in handling document requests. The Commission then proposed a rewording of the regulation. The aim was to require more transparency, in an effort to have a better informed society with better processes. The EDPS issued an opinion regarding the changes. The EDPS disagreed with the wording of several parts of the regulation. The opinion was partially based on the body of law that had been developed so far.

POWER TO INTERVENE
One of the rights the EDPS has is the power to intervene in any privacy-related lawsuit. The EDPS has intervened in Bavarian Lager and in at least 13 other cases. Thus, the EDPS has been highly influential in the interpretation of the law. It is the position of the EDPS that the standard used when evaluating the release of information against the data protection directives should be one of harm to privacy, rather than a requirement of necessity for the release of the data. The standard set by the court creates a big hurdle for applicants.

IMPORTANCE OF TRANSPARENCY
Transparency was provided by the Amsterdam Treaty amendments. Before the inception of the treaty, the European Union institutions were exempted from release-of-information requirements. Transparency is a right that must be protected. It is a cornerstone of good government.

HOW TRANSPARENCY HAS BEEN SUCCESSFUL IN SWEDEN
In Sweden, governmental agencies are required to release any document in their possession, free of charge, when requested. These documents include electronic databases and documents' metadata. If an agency is of the opinion that the data should not be released, there is a court-mandated review. The request and the objection to the release are reviewed by a special court which applies the right to access in a broad and liberal manner. If the court finds for the applicant, the decision is final and may not be appealed. The system has allowed for better government. Agencies can be scrutinized and held accountable for their actions. Sweden's system has allowed the citizenry to discover wrongful actions and cover-ups. Transparency allows citizens to feel more confident in trusting their government. The European Union should follow Sweden's lead. The review of the regulation has to be revisited. The Commission is currently assessing the language and possibly rewording the regulation.[4] A balance between privacy and transparency has to be achieved, and there must be consistency.

If you would like to contact Raul, please use either 206-264-0849 or raulmendez1@earthlink.net.

[1] Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ 2001 L 145, p. 43).
[2] Opinion of 30 June 2008 on the Proposal for a Regulation regarding public access to European Parliament, Council and Commission documents, OJ C 2, 7.01.2009, p. 7.
[3] Regulation (EC) No 1049/2001 regarding public access to European Parliament, Council and Commission documents, which became applicable on 3 December 2001.
[4] http://www.edps.europa.eu/EDPSWEB/edps/EDPS?lang=en (last visited on July 6th, 2010)

Analysis of the EC "Cookie Directive" 07/01/2010
By Raul Mendez, LLM Information Technology Law, Digital Privacy Professional. e-Privacy Directive 2009/136/EC (cookie directive)[1] The Cookie Directive is the most recent amendment of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation. This particular directive has to be included into the member States' laws by May of 2011. Even though the cookie directive is yet to be enforced and adopted by all of the Member States, it is necessary for all Data Controllers and Data Processors to be prepared. It is imperative and urgent that ad networks, publishers and browser makers coordinate their efforts at reaching a solution which complies with the cookie directive. THE COOKIE DIRECTIVE'S ORIGINS In this author's opinion, the cookie directive may be traced from two events: 1) the enactment of the Lisbon Treaty.[2] 2) the Working Party's contentions. THE LISBON TREATY. The Lisbon Treaty became fully enacted on 1 December 2009, and the Charter of Fundamental Rights is now binding upon all European Union Members. Article 8 of the Charter provides a right of protection of personal data. Thus, it is the duty of European Parliament and the Council to enact rules relating to the protection of individuals when their personal data is processed by Union institutions, bodies, offices, agencies, and Member States. The European Union has a strong tradition for the protection of Human Rights. This tradition has been embedded in the directives. 
Before the enactment of the Lisbon Treaty, the Working party had expressed that the Privacy Directive had a broader protection than the Charter of Human Rights in the fields of private and family life.[3] The Working Party has also expressed that the " Charter of Fundamental Rights of the European Union enshrines the protection of personal data in Article 8 as an autonomous right, separate and different from the right to private life."[4] WORKING PARTY'S CONTENTIONS One may say that the cookie directive is the latest attempt, by the European Union, to make Data Controllers and Data Processors comply with the privacy directives.[5] Since its inception, the Working Party has insisted that the use of cookies is regulated by the Privacy Directives. The Working Party has also tried to rally cooperation between the hardware and software makers in order to adapt their products to the European Union Privacy Directives. On February 23rd, 1999 the Working Party adopted Recommendation 1/99 "on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware."[6] The recommendation was a polite call for the software and hardware industry to adapt their products to do the following : " 1. The Working Party encourages the software and hardware industry to work on Internet privacy-compliant products that provide the necessary tools to follow the European data protection rules;"[7] "2. Internet software and hardware products should provide the Internet users information about the data that they intend to collect, store or transmit and the purpose for which they are necessary."[8] "3. The configuration of hard- and software products should not, by default, allow for collecting, storing or sending of client persistent information;"[9] "4. Internet hard- and software products should allow the data subject to freely decide about the processing of his/her personal data by offering user-friendly tools to filter (i.e. 
to reject or to modify) the reception, storage or sending of client persistent information following certain criteria (including profiles, the domain or the identity of the Internet server, the kind and the duration of the information being collected, stored or sent and so on)."[10] "5. Internet software and hardware products should allow the users to remove client persistent information in a simple way and without involving the sender."[11] Recommendation 1/99 is almost a mirror image of the new cookie directive, and it was solely directed to the hardware and software industry. The new cookie directive, on the other hand, is a direct demand for compliance made to Data Controllers and Data Processors. The cookie Directive creates a series of rights obligations and specific duties applied to the Data controllers and Data Processors. Before analyzing the specific requirements of the cookie directive one must evaluate what are the current duties and obligations are for Data Controllers and Data Processors. DUTIES REQUIRED BEFORE THE COOKIE DIRECTIVE Generally, before the cookie directive, the owner of a webpage had to inform the user of the following: 1) without any jargon, explain to the user that cookies were about to be installed and fully explain how the cookies are used and for what purposes the cookies were about to be installed. This information was supposed to be included in the Privacy Policy; 2) request permission to install the cookies in the of user's computer; 3) inform the user about her right to refuse the cookies, and explain how to refuse them using the browser. Of course, all the requirements only applied when there was an exchange of data which was protected by the Privacy Directives. DUTIES REQUIRED BY THE NEW COOKIE DIRECTIVE The new Cookie Directive applies in a addition to the privacy directives. It does not matter if protected data is exchanged or not. Thus the new directive applies at all times. 
The most problematic aspect of the new directive is that there has to be consent before any cookie is sent. Today, the cookie is sent first, and then permission is requested. Under the new directive, consent has to be provided before any cookie is sent. Article 5(3) states that:

"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."[12]

Thus, visitors to a webpage must now be advised of their privacy rights in a two-tier framework designed to protect the privacy rights of users. The first tier requires a clear and informed waiver of the right to refuse cookies. The elements of valid cookie consent are: i) the site has provided the user with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing; and ii) it has obtained the user's consent to the storage of or access to information on his or her terminal equipment, after having provided the information required under i).[13] Assuming that the user waived her rights in the first step, the user must still be informed of her privacy rights if any protected data is to be exchanged.

RECITAL 66 (browser privacy settings)

It is necessary to point out that there is a way a user may express an implied waiver of the first-tier requirement.
Recital 66 of the new cookie directive says that the browser's filter settings may be a sufficient indication of consent. The caveat is that this only applies where technically feasible.[14] According to the Working Party, in WP171, browser settings are not an exception; they are merely a presumption that cannot be relied upon on its own. The Working Party indicates that, of the four major browsers, only one may qualify under the provisions of Recital 66.[15] Even assuming that suitable browser settings are technologically available, and that the user has set them to allow all cookies, consent under the Privacy Directives still has to be requested. The presumption of acceptance drawn from browser settings is only good for the first phase. The Working Party still holds the position that further waivers have to be requested for the exchange of protected data. On page 14 of WP171, the Working Party expressed, "[t]he responsibility for [cookie] processing cannot be reduced to the responsibility of the user for taking or not taking certain precautions in his browser settings."[16] Additionally, the Working Party requests that browser makers and advertising agencies take urgent action before May 2011.[17]

CHILDREN ARE NOT CAPABLE OF GIVING INFORMED CONSENT; THEREFORE: NO MORE BEHAVIORAL ADVERTISING FOR CHILDREN

One disturbing point made by the Working Party is found in section 4.1.4. In this section, the Working Party indicates that "In the light of the above and also taking into account the vulnerability of children, the Article 29 Working Party is of the view that ad network providers should not offer interest categories intended to serve behavioural advertising or influence children."[18] Today, ad networks request parents' consent when the child is to engage in a Social Network or the like. This comment seems to say that behavioural advertising may only use interest categories that are not intended for children, and that there is to be no more influencing of children at all.
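The sequence the directive and WP171 demand, consent first and non-essential cookies only afterwards, with browser settings counting for nothing on their own, is easy to get backwards in a web application. The following is an added example written for this page, not code from the original post or from any of the authorities it cites. It models the server side of Article 5(3): a cookie whose purpose is transmission or strictly necessary for the requested service goes out unconditionally, everything else is withheld until an explicit consent record exists. The cookie names, the purpose categories and the "cookie_consent" record format are assumptions made for the illustration.

```javascript
// Added example, not code from the original post. Server-side gate that
// only emits Set-Cookie for non-essential cookies once an explicit consent
// record exists. Cookie names, purposes and record format are assumed.

// Purposes the text of Article 5(3) exempts from the consent requirement.
const EXEMPT_PURPOSES = new Set(["transmission", "strictly-necessary"]);
const CONSENT_COOKIE = "cookie_consent";
const CONSENT_MAX_AGE = 180 * 24 * 60 * 60; // consent is time-limited (assumed: 180 days)

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const jar = {};
  if (!header) return jar;
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) jar[name] = decodeURIComponent(value);
  }
  return jar;
}

// Purposes the visitor has explicitly consented to. Assumed record format:
// a comma-separated list such as "analytics,advertising". A missing or
// empty record means "no consent", never "consent by default".
function consentedPurposes(jar) {
  const raw = jar[CONSENT_COOKIE];
  if (typeof raw !== "string" || raw.length === 0) return new Set();
  return new Set(raw.split(",").map((p) => p.trim()).filter(Boolean));
}

// Decide which candidate cookies may go out on this response.
//   request:    { cookieHeader }  (the incoming Cookie header, if any)
//   candidates: [{ name, value, purpose, attributes }]
// Returns the Set-Cookie header values to emit and the names withheld.
// Browser-side settings (third-party cookies allowed, no DNT header) play
// no role here: only an explicit consent record unlocks a purpose.
function planSetCookies(request, candidates) {
  const consented = consentedPurposes(parseCookieHeader(request.cookieHeader));
  const setCookie = [];
  const withheld = [];
  for (const c of candidates) {
    if (EXEMPT_PURPOSES.has(c.purpose) || consented.has(c.purpose)) {
      setCookie.push(`${c.name}=${encodeURIComponent(c.value)}; ${c.attributes}`);
    } else {
      withheld.push(c.name);
    }
  }
  return { setCookie, withheld };
}

// Build the Set-Cookie value that records the visitor's choice once it has
// been made. Storing the choice is assumed here to fall under the
// strictly-necessary exemption; confirm that against local guidance.
function recordConsent(purposes) {
  const value = encodeURIComponent(purposes.join(","));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${CONSENT_MAX_AGE}; Secure; SameSite=Lax`;
}

// Constructed sample of what a page might want to set.
const SAMPLE_CANDIDATES = [
  { name: "sid", value: "3f9a", purpose: "strictly-necessary",
    attributes: "Path=/; HttpOnly; Secure; SameSite=Lax" },
  { name: "_ga", value: "GA1.2.1", purpose: "analytics",
    attributes: "Path=/; Max-Age=63072000" },
  { name: "ad_id", value: "x71", purpose: "advertising",
    attributes: "Path=/; Max-Age=31536000" },
];

// First visit: no consent record, so only the session cookie is set.
const firstVisit = planSetCookies({ cookieHeader: "" }, SAMPLE_CANDIDATES);
// Later visit after the visitor accepted analytics only.
const laterVisit = planSetCookies(
  { cookieHeader: "sid=3f9a; " + recordConsent(["analytics"]).split(";")[0] },
  SAMPLE_CANDIDATES
);
console.log("withheld on first visit:", firstVisit.withheld);
console.log("withheld after consenting to analytics:", laterVisit.withheld);
```

The gate deliberately reads consent from the request rather than from any browser signal, which is the point WP171 makes about browser settings. The Max-Age on the consent record reflects the Working Party's first proposed course of action, limiting the scope of consent in time; the 180-day figure is an assumption, not a number taken from the opinion.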
Potentially, one may no longer be able to create campaigns that influence children to say no to drugs, no to smoking and no to drinking and driving.

PARTIES

According to the Working Party, there are several possible actors: Ad Networks, Publishers and Advertisers. WP 171 is directed solely at Ad Networks and Publishers. The Working Party states the following:

"• Ad network providers are bound by the obligations of Article 5(3) of the ePrivacy Directive insofar as they place cookies and/or retrieve information from cookies already stored in the data subjects' terminal equipment. They are also data controllers insofar as they determine the purposes and the essential means of the processing of data.
• Publishers have certain data controller related responsibilities regarding the processing that takes place in the first phase of the processing, i.e., when by virtue of the way they set up their web sites they trigger the transfer of the IP address to ad network providers (which enable the further processing). Such responsibility entails"[19]

TORTS AND CONSUMER PROTECTION: ADDITIONAL OBLIGATIONS

The Working Party has also expressed that the failure to provide adequate notice and obtain permission may create liabilities. These liabilities lie in the tort, contract and consumer protection areas.
The Working Party specifically mentions "Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (‘Unfair Commercial Practices Directive’)."[20]

WHAT THE FUTURE HOLDS

The Working Party has advised that "[a]t the end of a certain "discussion" period, the Article 29 Working Party will evaluate the situation and take the necessary and appropriate measures."[21] The appropriate measures are difficult to imagine, since the Working Party does not have any judicial, prosecutorial or legislative powers. For the time being, the Working Party proposes the following courses of action: I) limit the scope of the consent in terms of time; II) mitigate by providing additional information; III) freely given consent can always be revoked. Let us hope that all the issues may be resolved.

[1] Directive 2009/136/EC of the European Parliament and of the Council (of 25 November 2009) amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.
[2] Supra, Footnote 90.
[3] Opinion 4/2007 on the concept of personal data, page 7: "On the other hand, the rules on protection of personal data go beyond the protection of the broad concept of the right to respect for private and family life."
[4] Id.
[5] Opinion 2/2010 on online behavioural advertising, adopted on 22 June 2010, WP171.
[6] Recommendation 1/99 "on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware."
[7] Id.
[8] Id.
[9] Id.
[10] Id.
[11] Id.
[12] Supra, Footnote 5, at 48.
[13] Supra, Footnote 5, at 14.
[14] Supra, Footnote 5, at 48.
[15] Supra, Footnote 5.
[16] Supra, Footnote 5.
[17] Supra, Footnote 5, at page 15.
[18] Supra, Footnote 5, at page 17.
[19] Supra, Footnote 5, at 22.
[20] Supra, Footnote 5, at Footnote 29.
[21] Supra, Footnote 5, at 22.

If you would like to contact Raul please use either 206-264-0849 or raulmendez1@earthlink.net.

Privacy implications of Bavarian Lager 06/30/2010
By Raul Mendez, LLM Information Technology Law, Digital Privacy Professional.

Background

On the 29th of this month, the European Court of Justice delivered its judgment in Case C-28/08 P Commission v Bavarian Lager. The Court upheld the Commission's decision to blank out the names of five participants in a meeting that settled matters regarding the import restrictions set by the Guest Beer Provision (GBP). When I first read the case, I failed to see the relevance regarding the protection of personal data. I actually doubted whether any significant decision had taken place. Upon reading it again, I realized that the judgement allows the identities of public employees to be blanked out from any public document if the employee declines to give consent. The requirement of consent may not be ignored, "Unless the recipient establishes that the data are necessary for the performance of a task carried out in the public interest or subject to the exercise of public authority."

Particulars of the Case

In Commission v Bavarian Lager, Bavarian Lager was created for the sole purpose of selling German bottled beers to public houses in the United Kingdom. The sales were difficult because public houses were subject to exclusive purchasing of bottled beers from United Kingdom breweries. The sale of imported beers could take place, but the beers were subject to a cask-conditioned limitation. This was known as the Guest Beer Provision (GBP). Bavarian Lager filed a complaint with the Commission, and the Commission started an action against the United Kingdom. Representatives of the Community and British administrations, and of the Confédération des Brasseurs du Marché Commun (‘CBMC’), took part in a meeting held on 11 October 1996. Bavarian Lager sought to participate, but the Commission denied the request. At the October 1996 meeting the British authorities represented to the Commission that they were going to amend the GBP to allow the sale of bottled beers.
The Commission then dismissed the proceedings against the United Kingdom. Bavarian Lager then requested the minutes of that meeting. The minutes were provided, but five names were deleted, since three of the participants refused to give consent and two others could not be found. Bavarian Lager sought a judgment, but the Court found in favor of the Commission. The decision does not make sense to me, but the Commission was held to be right. According to the Court, the identity of a participant is protected by the Privacy Directives. It sounds wrong, but this decision is actually consistent with the Working Party's interpretation of what should be considered personal data: WP 136, Opinion 4/2007 on the concept of personal data, adopted June 20th, 2007. On page 12 of WP 136, the Working Party included "Example No. 9: information contained in the minutes of a meeting." I recall that when I read this example for the first time, I thought it could never be an issue. Well, it turns out that it was. As a practicing attorney in the USA, I feel extremely dissatisfied with this outcome, but now the precedent has been set. The legal systems in the USA and the EU are, at times, so opposite to each other that, from a US perspective, it is hard to predict what kind of decision will be next. Perhaps the Cookie Directive will be an inevitable action by the Commission?

If you would like to contact Raul please use either 206-264-0849 or raulmendez1@earthlink.net.

Marcus Morissette, Managing Director, Concise Consulting

HB 1149, oddly titled "Protecting Consumers from Breaches of Security", is intended to encourage financial institutions to reissue credit and debit cards to consumers when appropriate, and to permit financial institutions to recoup the data breach costs associated with the reissuance from large businesses and card processors who are negligent in maintaining or transmitting card data.
HB 1149 amends Washington State's current Data Breach Notification Law (19.255 RCW) [emphasis added]. According to some published commentaries, it purportedly incorporates the Payment Card Industry Data Security Standard (PCI DSS) into Washington State law. Several aspects of the law and certain definitions contained in it, however, lead this author (an experienced and trained PCI DSS security assessor) to question the drafting process and the research that went into (or did not go into) HB 1149. Instead of leveraging accepted definitions and concepts from the payment card industry, HB 1149 creates new definitions and new or additional liabilities for those merchants and service providers (PCI DSS definitions) already subject to the compliance requirements of the PCI DSS imposed by the card brands. I have so many concerns with this new law that I will have to address them in a series of blog posts. The first of these will be posted tomorrow.

UPDATE 6/30: As it turns out, I did not have nearly as much time today as I thought I would to complete the second part of this post. I am now aiming for the end of this week. I plan on following with future installments in the weeks to come. The more I pull the string on this new law, the more potential issues I uncover with it. So stand by…

A little bit off topic, but having just got back from RSA, and with a bunch of other conferences coming up, I thought I would share this checklist that I pulled together a while ago. Conferences are usually expensive, and you can miss out on many opportunities if you just attend the sessions and then go home. This checklist gives you some tips on how you can maximize the time that you spend at a conference and make sure that you walk away with more than just another folder for your shelf.
Before the Conference
Accessibility and Privacy. A Zero Sum Game? 03/06/2010
While many organizations have a strong desire to make their websites usable and accessible for as many people as possible, most likely do not realize that this can result in some loss of privacy for users. Accessibility can work in a number of ways, either through active involvement by a user choosing certain options on the site, or passively, without direct user interaction, through good site design, color palette selection and the like. Where active involvement by a user is required, this may be achieved either by making a conscious choice at the time of using a site, or through a selection already made (e.g. choice of browser, screen resolution, use of a screen reader) which is communicated to the site at the time of use. For users with disabilities, the availability of appropriate and usable accessibility options may mean the difference between being able to use a site and looking elsewhere. How this overlaps with privacy may not be immediately obvious. Privacy refers to the amount of control that we have over our personal information, and how it is shared and used. On the Internet, privacy can be taken to mean that you are aware of the information that you are sharing, and that this information is used in a way that you are comfortable with until it is destroyed.

Browser Information Leakage

So how can accessibility compromise privacy? By knowing that a user is visually impaired, and combining that information with other information, for example that they are located in a certain area (from their IP address, GPS or another location source), you could compromise an individual's privacy. Each such attribute narrows the set of people the visitor could be, and enough of them together single out one person. Research has already indicated that between 63% and 87% of Americans can be uniquely identified by birth date, gender and 5-digit ZIP code (see here and here for the research and here for some analysis by the Electronic Frontier Foundation (EFF)). If you're not convinced, check out the Panopticlick "browser fingerprinter", also from the EFF.
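To make the mechanism concrete, here is an added example written for this page, not code from the original post or from the EFF's Panopticlick. It replays, over a small population constructed for the purpose, the disclosures a site might accumulate about a visitor (ZIP code, gender, year of birth, and then an accessibility signal such as a screen reader in use) and reports how the set of people the visitor could be shrinks after each one, measured the way Panopticlick reports it, in bits of identifying information. The attribute names and the population are assumptions; the method is the general one.

```javascript
// Added example, not code from the original post. Shows how each disclosed
// attribute, accessibility signals included, shrinks the anonymity set of a
// visitor. The population is constructed for this illustration.

const POPULATION = [
  { id: 1, zip: "98101", gender: "F", birthYear: 1975, screenReader: false, highContrast: false },
  { id: 2, zip: "98101", gender: "F", birthYear: 1975, screenReader: true,  highContrast: true  },
  { id: 3, zip: "98101", gender: "F", birthYear: 1980, screenReader: false, highContrast: false },
  { id: 4, zip: "98101", gender: "M", birthYear: 1975, screenReader: false, highContrast: false },
  { id: 5, zip: "98104", gender: "F", birthYear: 1975, screenReader: false, highContrast: false },
  { id: 6, zip: "98104", gender: "F", birthYear: 1975, screenReader: true,  highContrast: false },
  { id: 7, zip: "98104", gender: "M", birthYear: 1990, screenReader: false, highContrast: false },
  { id: 8, zip: "98104", gender: "M", birthYear: 1990, screenReader: false, highContrast: true  },
];

// Everyone in the population consistent with what the site knows so far.
function anonymitySet(population, known) {
  return population.filter((p) =>
    Object.entries(known).every(([k, v]) => p[k] === v)
  );
}

// Bits of identifying information carried by `known`: log2(N / |set|).
// Reaching log2(N) bits (3 here) means the visitor is singled out completely.
function identifyingBits(population, known) {
  const size = anonymitySet(population, known).length;
  if (size === 0) return Infinity; // nobody matches: inconsistent data, not identification
  return Math.log2(population.length / size);
}

// A visitor is re-identified once the set collapses to exactly one person.
function reidentified(population, known) {
  return anonymitySet(population, known).length === 1;
}

// Replay attributes in the order a site would learn them and report how the
// candidate set shrinks after each disclosure.
function shrinkTrace(population, disclosures) {
  const known = {};
  return disclosures.map(([attr, value]) => {
    known[attr] = value;
    return {
      attr,
      remaining: anonymitySet(population, known).length,
      bits: identifyingBits(population, known),
    };
  });
}

const trace = shrinkTrace(POPULATION, [
  ["zip", "98101"],
  ["gender", "F"],
  ["birthYear", 1975],
  ["screenReader", true], // the accessibility signal is the last bit needed
]);
for (const step of trace) {
  console.log(`${step.attr}: ${step.remaining} candidates left, ${step.bits.toFixed(2)} bits`);
}
```

With this population, ZIP code plus gender plus birth year still leaves two candidates, and it is the screen-reader flag that collapses the set to one. That is the point of the paragraph above: an accessibility preference that looks harmless on its own is one more attribute for an adversary who already holds the others.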
When I just tested my browser, its fingerprint was unique amongst nearly 800,000 configurations tested so far.

Logon Information Leakage

Other accessibility options, such as reading text aloud, may be appropriate for an application being used at home, but may impact privacy if they are used in a location such as a library or a bank lobby, or may not even work if the appropriate hardware is not in place. Developers must give thought to where a website may be used when developing accessibility options, particularly when the website grants access to sensitive information.

How Privacy can impact Accessibility

Restrictions on sharing information about people's health and health conditions may impact the ability to plan appropriately accessible services for them. As a result, companies may not have the information they need to know how to adapt their sites to their user base, reducing their ability to provide accessible information for all. While none of these issues are insurmountable, the fast-evolving fields of Accessibility and Privacy mean that practitioners must be conscious of these areas when designing new applications, as in many places there is no standard for managing the overlap of these two fields.

Safe Harbor...or Disaster? 02/19/2010
Marcus Morissette, Managing Director and Privacy Practice Lead, Concise Consulting Group

I have become increasingly concerned lately with some common misconceptions around the practicality and effectiveness of the Safe Harbor Framework, in particular its Self-Certification approach to compliance. Technically, there are two Safe Harbor frameworks, US/EU and US/Switzerland, but for the purposes of this argument I will focus on the US/EU variation, which is what people typically mean when talking about Safe Harbor. As a data privacy professional and attorney, I am often faced with advising clients on the scope and benefits of seeking self-certification under the Safe Harbor framework. Lately it has become apparent to me that there is some serious misunderstanding about the benefits of self-certifying under the Safe Harbor framework. I have encountered a widely held belief among companies (and unfortunately some "privacy" attorneys) that self-certifying and "complying" with the Seven Safe Harbor Requirements is somehow a direct replacement for complying with the EU Data Protection Directive (EU Directive).

Safe Harbor Self-Certification is insufficient for Direct Collection of Personal Data from an EU Data Subject.

US/EU Safe Harbor Self-Certification allows a US company to receive transfers of personal data from an EU data collector if it meets the Seven Safe Harbor Requirements with regard to the collection, processing and storage of personal data. Safe Harbor was created to facilitate the continuation of cross-Atlantic data transfers across the very different data protection regimes of the European Union and the United States. It is assumed that the personal data will be collected by a registered data collector in the EU in a manner compliant with the EU Directive and any applicable national/sub-national implementation of that directive. Safe Harbor does not allow a self-certified US company to directly collect personal data (i.e. act as a data collector) from an EU data subject. In other words, self-certification with the Safe Harbor framework is not a substitute for compliance with the EU Directive and the national/sub-national implementations of the EU Directive where a US company directly collects data from EU data subjects (e.g. over the Internet). If a US company will be directly collecting personal data from EU data subjects, it will be responsible for direct compliance with the EU Directive, each applicable member state's national implementation of that directive, and potentially each sub-state's implementation of the national member state data protection law (where these are more restrictive than the EU Directive). While this interpretation seems clear from reviewing the materials posted at the Safe Harbor website (http://www.export.gov/safeharbor/), it is apparent that considerable confusion exists. This could be detrimental to a company that relies on incorrect advice and proceeds to collect personal data from the EU under the guise of its Safe Harbor program. It could lead to legal sanctions from the U.S. government (FTC action for deceptive trade practices), and/or legal action from the European Union and EU member states. So, my advice to those professionals responsible for their organization's privacy and Safe Harbor programs: make sure your privacy ship is truly anchored in a Safe Harbor, and not heading for the rocks.