
Archive for the 'Cross Border Data Flow' Category

U.S. Cross Border Ediscovery vs. EU Data Protection: Clash of the Titans

I recently gave a CLE presentation at the LegalTech West Coast Conference in Los Angeles on the legal problems and tensions of conducting U.S. civil litigation ediscovery in the European Economic Area (EEA), which consists of the 27 EU member states plus Iceland, Liechtenstein and Norway.
The subtitle “Clash of the Titans” derives from the fact that on the one hand the U.S. has the broadest pre-trial civil litigation discovery procedure on earth, while on the other hand the EU has the most stringent data protection framework on the planet. Trying to collect and transfer terabytes of data, most of which contain personal components, in the EU, where data protection is a fundamental right and very heavily regulated, is indeed quite a challenge.

In this presentation, I analyzed the U.S. jurisprudence on the extra-territorial application of U.S. ediscovery obligations as well as the EU guidelines concerning personal data collected while conducting U.S. civil ediscovery in the EEA. I introduced the mostly American audience to the principles of EU data protection.

Here is the slide deck I used for this presentation.

Legaltech West Coast: Cross Border Ediscovery vs. EU Data Protection

Earlier this year, I organized and moderated three panels on Ediscovery at the CPDP Conference in Brussels, where I introduced the unique U.S. civil ediscovery framework to the mostly European audience.
Here is the video of the cross-border ediscovery panel I moderated.

Thanks to my dual qualification as an attorney in the U.S. as well as in the EU, I am in a unique position to act as a bridge between the exclusively common law tradition of pre-trial ediscovery in civil litigation in the U.S. and the EU tradition of data protection of personal data.

U.S. – EU Safe Harbor Framework News and Views

In 2000, the EU and the U.S. agreed on the Safe Harbor Framework as a means to ensure adequate protection for personal data, transferred from the EU to be processed by U.S. companies.

At the recent EU Conference on Privacy and Protection of Personal Data, held in Washington DC, the last panel took the opportunity to take stock and discuss the way forward for this agreement. In this session, businesses and regulators presented their views and experiences with the U.S.-EU Safe Harbor Framework.

Françoise Le Bail, Director-General for Justice, European Commission, started by reassuring all stakeholders that the current reform of EU Data Protection Law would not put the Safe Harbor Framework at risk as one of the accepted ways of ensuring adequate transfer of personal data between the EU and the US, as was mentioned in the Joint Statement issued by EC Vice-President Viviane Reding and U.S. Secretary of Commerce John Bryson:
“In line with the objectives of increasing trade and regulatory cooperation outlined by our leaders at the U.S.-EU Summit, the United States and the European Union reaffirm their respective commitments to the U.S.-EU Safe Harbor Framework”.

The panelists considered the framework to be mostly a success story, with 3,000 US companies currently enrolled in the program, 50% of which are small and medium enterprises, but most agreed that the system could use some improvement.

David Smith of the British Data Protection Authority, the ICO, recounted the “absolutely awful” birth of the framework, the difficult young years and the current maturing into a working instrument for data protection interoperability between the US and the EU. “The mistrust is gone, as we believe the US is acting in good faith.” He did concede though, that a larger amount of audits would ensure better effective compliance by all companies.

Michelle O’Neill, of the Department of Commerce, added that in order to ensure better compliance, the supervising departments needed more resources.

She announced that her department is currently discussing the expansion of the Safe Harbor Framework to non-profit organizations.

Hugh Stevenson, of the Federal Trade Commission, stressed the importance of enforcement and awareness raising in order to make compliance the norm, but deplored the lack of resources to achieve that goal. He appealed for more international enforcement cooperation as well.

Jan Philipp Albrecht, Member of the European Parliament, concurred that Safe Harbor was performing well but was in need of improvement on the compliance front. He suggested the granting of individual rights of action for consumers in order to ensure better compliance by the Safe Harbor certified companies. Currently, enforcement of Safe Harbor rests with the FTC, under section 5 of the FTC Act, which prohibits “unfair and deceptive trade practices”.

Nuala Kelly O’Connor, Senior Counsel – Information Governance & Privacy at General Electric, advocated for more global privacy interoperability, in addition to Safe Harbor, which is limited to the EU – US transfer of personal data.

For a complete overview of this panel, please watch this 4 Gigabyte HD video, which I taped and uploaded on my YouTube Channel EdiscoveryMap.

Moderator: Armgard von Reden, Lecturer at SRH and Quadriga University, Berlin
Participants, from left to right:
• Françoise Le Bail, Director-General for Justice, European Commission
• Michelle O’Neill, Deputy Under Secretary for International Trade, US Department of Commerce
• Jan Philipp Albrecht, Member of the European Parliament
• David Smith, Deputy Information Commissioner, United Kingdom
• Hugh Stevenson, Deputy Director for International Consumer Protection, Federal Trade Commission
• Nuala O’Connor-Kelly, Senior Counsel – Information Governance & Privacy, General Electric

EU – US Privacy and Protection of Personal Data: Americans Are from Mars, Europeans Are from Venus

The High Level EU Conference on Privacy and Protection of Personal Data, held on March 19, was organized by the European Commission and hosted by the US Institute of Peace in Washington D.C. The conference was held simultaneously in Brussels as well, via a video conference link.

This conference was meant to deepen the transatlantic dialogue on commercial data privacy issues in order to achieve further interoperability between the two systems at a time when both the EU and the US have taken significant steps towards new data protection legislation.

On January 25, the European Commission had published a draft proposal for a new Data Protection Regulation, and on February 23, the White House had released its privacy blueprint, including the Consumer Privacy Bill of Rights.

On the occasion of this conference, Commerce Secretary John Bryson and European Union Commissioner Viviane Reding announced in a joint statement a new commitment to collaborate on privacy issues and laws.

While almost all panelists on the EU side insisted on the necessity of a binding set of laws, accompanied by individual rights of action, in order to get significant privacy compliance from data controllers, most panelists on the U.S. side affirmed that voluntary codes of conduct, combined with enforcement by the FTC, would achieve the same result, while allowing for more flexibility in adapting to the constantly changing technological landscape.

Even though the panelists went to great efforts to stress the common values and goals of the EU and U.S. policy makers, there is no denying that the European and American “privacy DNAs” remain vastly different. One major difference is the fact that, even in the commercial realm, privacy and data protection is a human and constitutional right in the EU, while in the U.S. it is at best considered a consumer right, if a right at all.

Did the conference achieve its goal of bringing the two sides a little bit closer together?

In order to enable those who could not attend the conference, either live or through video transmission, to judge for themselves, I wrote a “play” in three acts, based on the actual discussions that took place during three panels.


Americans Are from Mars, Europeans Are from Venus

Act 1: A Law or not a Law?

Françoise Le Bail (EC): I realize I am in the Lion’s Den (giggle), but I shall be brave. It is critical to have a privacy LAW, so that people will TRUST the internet!

 Daniel Weitzner (White House): We will call on Congress to legislate in order to provide people with the necessary TRUST in the new information economy. But, meanwhile, we hope that the stakeholders will create their own little codes of conduct.

 David Vladeck (FTC): We all agree! Yay! By the way, did you know that in the U.S. Voluntary Codes of Conduct are just like Laws? We are so good, we even obey the law, when there is no law! And they are so flexible, to boot!

Douwe Korff (EDRi): Waddya all talking about?? Did you know that in the EU, privacy is a human right? You need a CONSTITUTION to guarantee a human right! Voluntary codes of conduct, humph.

Marc Rotenberg (EPIC): I see a window of opportunity. I see legislation on the horizon.

Viviane Reding (EC): One-Stop-Shop!

John Bryson (White House): This will be a landmark year for data protection!

Ed Markey (D-MA): The Europeans are coming! I love them. We must legislate, especially my own very excellent proposal. Do it for the children, folks! It’s immoral not to.

APPLAUSE FROM THE EUROPEANS. END OF ACT 1.

Act 2: The Interoperability Dream

Lawrence Strickling (DoC): Yes, we can!

Jennifer Stoddart (Privacy Commissioner Canada): If the Europeans can do it with the Canadians, they can do it with the Americans too!

Peter Hustinx (EDPS): Now wait, little children: first eat your voluntary codes, and make them binding, and then we shall see. I might have a surprise for you!

Daniel Pradelles (HP): Self Regulation Rocks! Plus, we at HP are the only ones to have BCRs approved by all DPAs of all the EU Member States.

Claus-Dieter Ulmer (Deutsche Telekom): Will you make up your minds already? The faster and the easier the solution, the better for us. Either way, we need to know.

Marie-Helene Boulanger (EC): First, second, third and finally, fourth. And if you Americans will get off your a..es and legislate already, well then, we might just become interoperable with you guys.

Axel Voss (MEP): What we really need is global data traffic regulation.

Joe Alhadeff (Oracle): HOW on earth are you going to do all this?

END OF ACT 2. LUNCH.

Act 3: Let Me Count the Ways I Enforce Thee

Julie Brill (FTC): We at the FTC protect the Global Community with our fierce enforcement actions!

Cameron Kerry (DoC): The FTC is the Global Leader in enforcing privacy protection!

Paul Nemitz (EC): Global Leader?? Global Leader in P.R., ha!

Maneesha Mithal (FTC): Paul Nemitz, we make sure to publicize our daring dawn raids, so the bad guys will tremble in their board rooms, ha!

Jacob Kohnstamm (Dutch DPA) (with an inexplicable tired look on his face): We need to enforce to get compliance. And FYI, opt-out in OBA is NOT adequate. You give me explicit consent, I give you adequate, capice?

Kostas Rossoglou (BEUC): I wish we had class actions for data protection law suits.

Jeff Chester (CDD): The FTC enforces, and Google and Facebook are expanding their data collection like never before. Please listen to me, the entire world is analyzing the entire world!

Law Student Max Schrems (Europe v. Facebook) (fresh faced): I took Facebook to task, so why can’t you, old geezers?

Maneesha Mithal and Jacob Kohnstamm (in unison): If I were a rich man, lala lala lala la, all day long I’d do nothing but enforce, la la la la la!

THE END


PANEL 3, moderated by Cedric Laurant, or where what was really said can be heard:


Safe Harbor, discussed during the fourth panel, will be the subject of a separate post.


Attention EU Readers of EDiscoveryMap: We are bringing EDiscovery to Brussels on January 26

EDiscoveryMap is pleased to announce that Monique Altheim will moderate E-Discovery Sessions at the Computers, Privacy & Data Protection Conference (CPDP) in Brussels on January 26, 2012.

The panels will feature an international roster of thought leaders and practitioners in the field of Cross-Border E-Discovery and EU Data Protection:

Willem DEBEUCKELAERE, Privacy Commission (BE), Master Steven WHITAKER, Royal Court of Justice (UK), Chris DALE, e-Disclosure Information Project (UK), Amor ESTEBAN, Shook, Hardy & Bacon, LLP (USA), James DALEY, Daley & Fey LLP (USA), Nigel MURRAY, Huron Legal (UK), George RUDOY, Integrated Legal Technology LLC (USA), Monika KUSCHEWSKY, Van Bael & Bellis (BE), Natascha GERLACH, Cleary Gottlieb Steen & Hamilton (BE), Dr. David EVANS, Evans LLC (USA), Dominic JAAR, KPMG (CA), and Erik LUYSTERBORG, Deloitte (BE)

With the increased globalization of the economy, companies in the EU are often subject to litigation holds and requests for production of relevant data by US litigants. If those data contain personal information, there is a serious conflict with the EU Data Protection Laws, which deem preservation and production of such data in principle illegal.

Since the concept of pre-trial discovery is practically non-existent in the European Union member states with a Civil Code tradition, the session will start with a discussion of the general principles of the U.S. procedure of discovery of electronically stored information (ESI) in civil litigation, for the benefit of EU attendees.

What triggers the duty to preserve data relevant to litigation? What are litigation holds? What is spoliation? What are the sanctions for non-compliant parties? These are some of the topics that will be addressed.

What happens when the data, relevant to U.S. litigation, contain personal information and are located in an EEA member state?

The second panel will explore these complicated conflicts between U.S. Ediscovery obligations and EEA Data Protection obligations and propose some practical solutions.

The just published Sedona Conference International Principles on Disclosure and Data Protection, as well as the draft EC Proposal for a Data Protection Regulation, and their impact on the future of Cross-Border Ediscovery will be discussed.

What technological innovations can be applied to minimize the personal data preserved and collected in EEA member states?

What happens when relevant data are located in the cloud, on social media sites or on mobile devices? Which national law applies to determine the applicable data protection regime?

These and other emerging topics in cross-border Ediscovery will be tackled by the last panel.

The CPDP Conference, titled “European Data Protection: Coming of Age” will run from Wednesday, January 25 until Friday, January 27. It will coincide with the official publication of the EC’s Proposal for EU Data Protection Regulation and with the European Privacy Day on January 28.

To take advantage of the early bird registration fee, register here before December 30.


Privacy and Data Protection Week in Mexico City


This past week was “Privacy Week” in Mexico City, where three separate conferences were held back-to-back.

The Public Voice conference, chaired by Lillie Coney of EPIC, had as its theme: “Privacy is Freedom”.

One of the highlights was a discussion between David Banisar, Senior Legal Counsel, Article 19, and Marc Rotenberg, President of EPIC, titled: Frame the Issues Related to Freedom of Expression. Here are some of the ideas that were expressed:

About the Right to Freedom of Expression claimed by business and Right to Privacy:

The Right to Privacy is essentially a pre-requisite for Freedom of Expression: the right of anonymity, for example, is the right to withhold our identity so we can express our views. Think, for example, of the Arab Spring or the protests in London and Vancouver. On the other hand, to call the actions of businesses to do away with our privacy for the purpose of conducting business “a right to freedom of expression” is like putting a Halloween costume on something and calling it “the Right to Freedom of Expression.” (In other words, it is a travesty.)

About the Right to Freedom of Expression claimed by journalists and Right of Privacy:

There is in media law a tension between freedom of expression and the privacy rights of public officials and private individuals. It is important to be able to talk publicly and critically, particularly about public officials. But on the other hand, newspapers which publish gossip in order to sell (as in the recent UK phone hacking scandals) have a less defensible case for breaching people’s privacy. Yes, the news may be “news”, but it is meaningless news. This should not be defensible as a “freedom of expression” excuse to breach privacy.

Another very interesting panel was “Cultures and Privacy around the World“, moderated by Alberto Cerda, ONG Derechos Digitales.

This panel considered whether privacy and data protection are culture dependent. From left to right: Jacob Kohnstamm, Chair Article 29 Working Party (EU), Moez Chakchouk, CEO, Tunisian Internet Agency (TUN), David Vladeck, FTC (USA), Alberto Cerda, moderator, Lara Ballard, Department of State (USA), Zhou Hanhua (CHN).
(Note: this video is edited; the moderator’s recap comments have been edited for lack of space.)

Interesting note: At around 11:00, David Vladeck declares that clicking through an opt-in consent without even reading the dozen or so pages of “gobbledygook” or “word barf”, (as most of us do), is not a meaningful “consent”.


The OECD Conference, held on November 1, had as its theme: “Current Developments in Privacy Frameworks: Towards Global Interoperability”

The international character of personal data flows has accentuated the cross-border dimension of privacy issues and the corresponding need for a truly global dialogue.

As the OECD Secretary-General Angel Gurría noted in a videotaped message:

“We describe our activities on social networks. We disclose our interests through our Internet browsing habits and online purchases with credit cards. We are located in time and space through the mobile devices we use. Detailed digital profiles of each of us can be assembled, and they can affect our opportunities positively or negatively.

Secondly, today’s data flows are continuous and global. The hype around terms like “cloud computing” and “big data” remind us that we are facing dramatic transformations in the delivery of online services. These shifts challenge the governance mechanisms we created in the pre-Internet era.”

Three of the primary frameworks with an international dimension (OECD, European Union, and Council of Europe) are as a consequence currently under review, and a fourth (APEC) is developing new cross-border implementation arrangements.

The Terms of Reference of the review of the OECD Privacy Guidelines were released on November 1.

One of its primary objectives is to ensure the global interoperability of privacy frameworks. Although each national culture has its own vision of and approach to privacy, a level global playing-field is needed. Widespread agreement on core privacy principles is not sufficient. We also need to strengthen mutual recognition and co-operation in their implementation.

Finally, the 33rd International Conference of Data Protection and Privacy Commissioners (ICDPPC 2011) was held on November 1 and 2 and was titled “PRIVACY: The Global Age”.

Diego Rivera Mural; picture by Monique Altheim


Peter Schaar, Federal Commissioner for Data Protection in Germany, explained the need for global standards well:

He said that the EU Data Protection framework was based on a model in which data are collected by a data controller into a database in the EU and then sent cross-border. Today, however, most data are collected directly from the end-user by data collectors outside of the EU, which creates enforcement issues for the EU authorities.

The buzz words at the conference were: accountability, privacy by design, privacy by re-design, education, information governance, the obsolescence of “consent” in the age of “big data”. The term “global interoperability by design” was coined.

One of the livelier discussions occurred during the panel titled “How does the growth of data, its mining and application challenge the way privacy enforcement agencies protect individuals”.

Peter Schaar, Federal Commissioner for Data Protection in Germany, pointed to the need to protect consumers from automatic and algorithmic decision making based on big data. For example, should credit institutions be allowed to predict the likelihood of someone paying back a loan based on who his/her Facebook friends are?

There were a few points of agreement during the conference: There was unanimous consensus that the user/consumer/customer/citizen should have control over the use of his/her data. The discussions turned more on how to achieve that goal. Most data protection authorities seemed to agree that, in the age of big data and re-purposed uses of big data, the consent-model of control has become obsolete, because it has become impossible to give a truly informed consent concerning the uses of one’s data: it is today impossible to predict what use our data will be put to. For example, when one uses Google’s search engine, does one consent that, if one searches for a certain chronic disease, one’s insurance premium might go up because of those search terms? Or that no employer will hire someone, based on the presumption of chronic disease created by the use of that search term? This has led some to push for more regulation of the use of data, as opposed to regulation of the collection of data.

Another point of agreement was the need for data protection authorities to avail themselves more of IT and forensic expertise, as well as the need to educate the ignorant masses.

A very interesting term was coined by José Clastornik from the DPA of Uruguay: Global interoperability by design. Global privacy interoperability by design means the incorporation of international privacy standards into national privacy legislation. This will guarantee that nation a booming service industry, since it will become the go-to place because of its interoperable, international standards of privacy protection. This seems to be a trend in most Latin American countries, as well as China and other Asian countries.


The Meaning of “Consent” in the EU Data Protection Framework: A New Article 29 Working Party Opinion


On July 13, 2011, the Article 29 Data Protection Working Party (hereafter Article 29 WP) adopted Opinion 15/2011 on the Definition of Consent.


This opinion looks into the legal framework regarding the use of consent under Directive 95/46/EC and Directive 2002/58/EC in the context of the ongoing review of the Data Protection Directive.


A. GOAL of the ARTICLE 29 WP OPINION


This opinion aims to clarify the existing legal requirements and illustrate how they work in practice. At the same time, in doing so, it provides a reflection on whether the existing framework remains suitable in the light of the many new ways of processing personal data or whether changes to it may be necessary. Consent is also one of the subjects about which the Commission has asked for input in the context of the review of Directive 95/46/EC.


B. “VALID CONSENT” DIRECTIVES

The Opinion provides a thorough analysis of the concept of consent as currently used in the Data Protection Directive (Directive 95/46/EC) and in the e-Privacy Directive (Directive 2002/58/EC).

Concerning the overlap between the two directives, the Article 29 WP states: “The general conditions for consent to be valid, as foreseen in Directive 95/46/EC, apply both in the off-line and in the on-line world. Directive 2002/58/EC specifies these conditions for some explicitly identified on-line services, always in the light of the general conditions of the Data Protection Directive.”


C. CONSENT AS LEGAL BASIS TO PROCESS PERSONAL DATA


According to the Directive, personal data cannot be processed at all, except on one of the very limited list of legal grounds mentioned in Articles 7 and 8 of the Directive.

One legal basis that gives a data controller the right to “process” personal data is unambiguous consent by the data subject (Article 7(a) Directive 95/46/EC).

There are 5 other legal grounds for processing personal data.

The processing of sensitive personal data requires explicit consent (Article 8.2(a) Directive 95/46/EC).

There are 4 other legal grounds for processing sensitive personal data.


D. GENERAL PRINCIPLES OF VALID CONSENT


Article 29 WP:

• Valid consent presupposes individuals’ capacity to consent. Rules regarding the capacity to consent are not harmonized and may therefore vary from Member State to Member State.
• Individuals who have consented should be able to withdraw their consent, preventing further processing of their data. This is confirmed also under the ePrivacy Directive for specific data processing operations based on consent, such as the processing of location data other than traffic data.
• Consent must be provided before the processing of personal data starts, but it can also be required in the course of a processing, where there is a new purpose. This is stressed in various provisions of Directive 2002/58/EC, either through the requirement “prior” (e.g. Article 6.3) or through the wording of the provisions (e.g. Article 5.3).


E. DEFINITIONS OF CONSENT IN THE DATA PROTECTION DIRECTIVE (Directive 95/46/EC).


SUMMARY


Article 2 (h) of Directive 95/46/EC defines consent as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.

Article 7 of the Directive, which sets forth the legal basis for processing personal data, sets out unambiguous consent as one of the legal grounds.

Article 8 requires explicit consent as a legal ground to process sensitive data.

Article 26.1 of Directive 95/46/EC and various provisions of the ePrivacy Directive require consent to carry out specific data processing activities within their scope of application.


1. GENERAL

Article 2 (h) of Directive 95/46/EC defines consent as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.


a. Consent may be “any…indication of his wishes”


Article 29 WP: “The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject’s wishes, and to be understandable by the data controller. The words “indication” and “signifying” point in the direction of an action indeed being needed (as opposed to a situation where consent could be inferred from a lack of action).”

Example: Bluetooth advertising boards

There is a developing advertising tool consisting of boards sending messages asking for the establishment of a Bluetooth connection to send ads to people passing nearby. The messages are sent to people that have activated their Bluetooth devices on their mobiles. The sole activation of the Bluetooth function does not constitute a valid consent (i.e. the Bluetooth function could be activated for other purposes). On the other hand, when someone is informed about the service and approaches a few centimeters from the board with his or her mobile, there is, normally speaking, an indication of a wish: this shows which people are really interested in getting the ads. Only those people should be considered as having consented, and only they should receive the messages on their phones.


b. Consent must be FREELY given:

Article 29 WP: “This means that there must be no risk of deception, intimidation or significant negative consequences for the data subject if he/she does not consent. Data processing operations in the employment environment where there is an element of subordination, as well as in the context of government services such as health may require careful assessment of whether individuals are free to consent.”

Example – Electronic health records

In many Member States there is a move to create an electronic summary of patients’ health records. This will allow healthcare providers to access key information wherever the patient needs treatment.

- In the first scenario, the creation of the summary record is absolutely voluntary, and the patient will still receive treatment whether or not he or she has consented to the creation of a summary record. In this case consent for the creation of the summary record is freely given because the patient will suffer no disadvantage if consent is not given or is withheld.

- In the second scenario, there is a moderate financial incentive to choose the e-health record. Patients refusing the e-health record do not suffer disadvantage in the sense that the costs do not change for them. It could be considered here as well that they are free to consent or not to the new system.

- In the third scenario, patients refusing the e-health system have to pay a substantial extra cost compared to the previous tariff system and the processing of their file is considerably delayed. This signifies a clear disadvantage for those not consenting, with the purpose of bringing all citizens within the e-health system by a scheduled deadline. Consent is therefore not sufficiently free. One should therefore also examine the existence of other legitimate grounds to process the personal data, or examine the application of Article 8.3 of Directive 95/46/EC.

Free consent in the context of employment:

Article 29 WP: “where consent is required from a worker, and there is a real or potential relevant prejudice that arises from not consenting, the consent is not valid in terms of satisfying either Article 7 or Article 8 as it is not freely given. If it is not possible for the worker to refuse it is not consent…. An area of difficulty is where the giving of consent is a condition of employment. The worker is in theory able to refuse consent but the consequence may be the loss of a job opportunity. In such circumstances consent is not freely given and is therefore not valid. The situation is even clearer cut where, as is often the case, all employers impose the same or a similar condition of employment.”

When the public authority is the data controller:

Article 29 WP:

“...when a public authority is the data controller, the legal ground for legitimising the processing will be the compliance with a legal obligation ex Article 7(c), or the performance of a task of public interest ex Article 7(e), rather than consent.”

Example: PNR data

The question of whether the consent of passengers can be validly used to legitimise the transfer of booking details (“PNR data”) by European airlines to the US authorities has been discussed. The Working Party considers that passengers’ consent cannot be given freely as the airlines are obliged to send the data before the flight departure, and passengers therefore have no real choice if they wish to fly. The legal basis here is not the consent of the passenger but rather, in accordance with Article 7(c), the obligations foreseen in the international agreement between the EU and the US on the processing and transfer of Passenger Name Record (PNR) data.


c. Consent must be SPECIFIC:


Article 29 WP: “Blanket consent without determination of the exact purposes does not meet the threshold. Rather than inserting the information in the general conditions of the contract, this calls for the use of specific consent clauses, separated from the general terms and conditions.”

Also: “specific consent may be needed for processing beyond what is necessary for the performance of the contract.”

Example: social networks

The social network service offers the possibility to use external applications. The user is, in practice, often prevented from using an application if he does not consent to the transmission of his data to the developer of the application for a variety of purposes, including behavioural advertising and reselling to third parties. Considering that the application can run without it being necessary that any data is transferred to the developer of the application, the WP encourages granularity while obtaining the consent of the user, i.e. obtaining separate consent from the user for the transmission of his data to the developer for these various purposes. Different mechanisms, such as pop-up boxes, could be used to offer the user the possibility to select the use of data to which he agrees (transfer to the developer; added value services; behavioural advertising; transfer to third parties; etc).

d. Consent must be INFORMED:

Article 29 WP: “Articles 10 and 11 of the Directive list the type of information that must necessarily be provided to individuals. In any event, the information provided must be sufficient to guarantee that individuals can make well informed decisions about the processing of their personal data. The need for consent to be “informed” translates into two additional requirements. First, the way in which the information is given must ensure the use of appropriate language so that data subjects understand what they are consenting to and for what purposes. This is contextual. The use of overly complicated legal or technical jargon would not meet the requirements of the law. Second, the information provided to users should be clear and sufficiently conspicuous so that users cannot overlook it. The information must be provided directly to individuals. It is not enough for it to be merely available somewhere.”

Example: crime mapping

Some police forces are considering publishing maps, or releasing other data, showing where particular types of crime took place. Usually safeguards built into the process mean that no personal data about the victims of crime is published, because crime is only linked to relatively broad geographical regions. However, some police forces want to pin-point crime more exactly, where the victim of a crime consents to this. In such a case it becomes possible to link more precisely the data subject with the place where a crime has been committed. However, the victim is not specifically told that identifiable information about him/her will be published openly on the internet and how this information can be used. Consent is therefore not valid in this case because victims may not fully understand the extent to which information about them is being published.

2. UNAMBIGUOUS:

Under the Directive, personal data may not be processed at all except on one of the limited legal grounds listed in Articles 7 and 8 of the Directive, as mentioned above.

One legal basis that gives a data controller the right to “process” personal data is “unambiguous consent by the data subject” (Article 7(a) of Directive 95/46/EC).

Article 29 WP: “‘Unambiguous’ calls for the use of mechanisms to obtain consent that leave no doubt as to the individual’s intention to provide consent. In practical terms, this requirement enables data controllers to use different types of mechanisms to seek consent, ranging from statements to indicate agreement (express consent), to mechanisms that rely on actions that aim at indicating agreement.”

Example: on-line game

An on-line game provider requires players to provide age, name and address for the purposes of participating in the on-line game (distribution of players among ages and addresses). The website features a notice, accessible through a link (although access to such notice is not necessary to participate in the game), which indicates that by using the website (and thus providing information) players are consenting to their data being processed to deliver them marketing information, by the on-line game provider and by third parties.

Accessing and participating in the game is not tantamount to giving unambiguous consent to the further processing of their personal information for purposes other than the participation in the game. Participation in the game does not imply the individuals’ intent to consent to processing other than what is necessary to play. This type of behaviour does not constitute an unambiguous indication of the individual’s wish to have his/her data used for marketing purposes.

Example: default privacy settings

The default settings of a social network, which users do not necessarily need to access to use it, enable the entire “friends of friends” category making all the personal information of each user viewable to all “friends of friends”. Users who do not wish to have their information viewed by “friends of friends” are required to click a button. If they remain passive, or fail to engage in the action consisting in clicking a button, they are deemed by the controller to have consented to having their data viewable. However, it is very questionable whether not clicking on the button means that individuals at large are consenting to have their information viewable by all the friends of friends. Because of the uncertainty as to whether the lack of action is meant to signify consent, not clicking may not be considered unambiguous consent.

3. SENSITIVE PERSONAL DATA:

Sensitive personal data are personal data that reveal “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life”. Processing of such data is in principle prohibited (Article 8(1) of Directive 95/46/EC), subject to a very limited list of exceptions (Article 8(2)).

The first of those exceptions, Article 8(2)(a) of Directive 95/46/EC, requires the explicit consent of the data subject.

EXPLICIT consent:

In legal terms, “explicit consent” has the same meaning as express consent. The difference is this: for ordinary personal data, consent must be unambiguous, and explicit/express consent is only one of several ways of showing unambiguous consent; for sensitive personal data, explicit/express consent is the ONLY valid form of consent.

Article 29 WP:  “meaning an active response, oral or in writing, whereby the individual expresses his/her wish to have his/her data processed for certain purposes. Therefore, express consent cannot be obtained by the presence of a pre-ticked box. The data subject must take some positive action to signify consent and must be free not to consent.”

Example: medical data for research

A patient who is informed by a clinic that his medical file will be transferred to a researcher unless he objects (by calling a number), will not meet the requirement of explicit consent.

Also: “Consent does not have to be recordable to be valid. However, it is in the interest of the data controller to retain evidence.”

F. UNAMBIGUOUS CONSENT AS LEGAL BASIS FOR TRANSFER OF PERSONAL DATA TO NON-ADEQUATE THIRD COUNTRIES (Article 26(1)(a) of Directive 95/46/EC)

The Article 29 WP repeats the opinion it expressed in WP 114 that “consent is unlikely to provide an adequate long-term framework for data controllers in cases of repeated or even structural transfers for the processing in question”. If “just one data subject subsequently decided to withdraw his consent”, further transfers on the basis of consent become invalid.

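The consent tests discussed above (freely given, specific, informed, unambiguous, explicit for Article 8 data, given before the processing, and withdrawable) can be encoded as a check that a system runs before it processes or transfers a record. The Python below is an added example written for this page; it is not Working Party text and not code from any of the services the examples describe, and the category labels, purpose strings, subject identifiers and timestamps are constructed for illustration. One `Consent` record per purpose keeps consent specific (the granular pop-up boxes of the social-network example); `problems()` returns every test a record fails; `ConsentLedger` keeps the evidence the Working Party says it is in the controller's interest to retain, and its `may_transfer()` shows the Article 26(1)(a) point of section F: one withdrawal invalidates a consent-based batch transfer while leaving the other subjects' consent intact. `page_examples()` runs the social-network, default-settings, clinic and PNR scenarios from this page through those checks.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from enum import Enum

# Article 8 special categories, as short labels chosen here (not terms from the page).
SENSITIVE = frozenset({"racial_or_ethnic_origin", "political_opinions",
                       "religious_or_philosophical_beliefs", "trade_union_membership",
                       "health", "sex_life"})
BLANKET_PURPOSES = {"", "*", "any", "all"}


class Signal(Enum):
    """How the subject's agreement was captured."""
    EXPRESS = "express"  # active statement: ticking an empty box, signing, saying yes
    ACTION = "action"    # conduct leaving no doubt about intent; never enough for sensitive data
    DEFAULT = "default"  # pre-ticked box or default setting the subject would have to change
    SILENCE = "silence"  # "we will do X unless you object", and the subject did nothing


@dataclass(frozen=True)
class Consent:
    subject_id: str
    purpose: str                # one purpose per record, so consent stays specific
    categories: frozenset[str]  # data categories the subject agreed to
    signal: Signal
    informed: bool              # notice given directly and in plain language
    refusable: bool             # saying no carries no real or potential prejudice
    given_at: datetime
    withdrawn_at: datetime | None = None


def problems(c: Consent, at: datetime) -> list[str]:
    """Reasons why `c` cannot legitimise processing at time `at`; an empty list means valid."""
    checks = [
        (not c.refusable, "not freely given"),
        (c.purpose.strip().lower() in BLANKET_PURPOSES, "not specific"),
        (not c.informed, "not informed"),
        (c.signal in (Signal.DEFAULT, Signal.SILENCE), "not unambiguous"),
        (bool(c.categories & SENSITIVE) and c.signal is not Signal.EXPRESS,
         "sensitive data require explicit consent"),
        (c.given_at > at, "consent must precede the processing"),
        (c.withdrawn_at is not None and c.withdrawn_at <= at, "withdrawn"),
    ]
    return [msg for failed, msg in checks if failed]


class ConsentLedger:
    """Append-only evidence of every consent and withdrawal, kept in the controller's interest."""

    def __init__(self) -> None:
        self._records: list[Consent] = []

    def record(self, c: Consent) -> None:
        self._records.append(c)

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> None:
        self._records = [replace(c, withdrawn_at=at)
                         if (c.subject_id, c.purpose, c.withdrawn_at) == (subject_id, purpose, None)
                         else c for c in self._records]

    def may_process(self, subject_id: str, purpose: str, categories: frozenset[str], at: datetime) -> bool:
        return any(c.subject_id == subject_id and c.purpose == purpose
                   and categories <= c.categories and not problems(c, at)
                   for c in self._records)

    def may_transfer(self, subject_ids: list[str], purpose: str, categories: frozenset[str], at: datetime) -> bool:
        """Article 26(1)(a) transfer of a batch: one missing or withdrawn consent blocks the whole batch."""
        return all(self.may_process(s, purpose, categories, at) for s in subject_ids)


def page_examples() -> dict[str, bool]:
    """Run the page's own scenarios through the checks; identifiers and timestamps are constructed."""
    t0, day = datetime(2011, 7, 14, tzinfo=timezone.utc), timedelta(days=1)
    profile, health, booking = frozenset({"profile"}), frozenset({"health"}), frozenset({"booking"})
    led = ConsentLedger()
    # Social network: one clause per purpose; the user ticked the first, the second box came pre-ticked.
    led.record(Consent("alice", "app:transfer_to_developer", profile, Signal.EXPRESS, True, True, t0))
    led.record(Consent("alice", "app:behavioural_advertising", profile, Signal.DEFAULT, True, True, t0))
    # Default "friends of friends" visibility the user never looked at.
    led.record(Consent("bob", "visibility:friends_of_friends", profile, Signal.SILENCE, False, True, t0))
    # Clinic: file goes to the researcher unless the patient phones (silence) versus a signed form.
    led.record(Consent("carol", "research:transfer", health, Signal.SILENCE, True, True, t0))
    led.record(Consent("dave", "research:transfer", health, Signal.EXPRESS, True, True, t0))
    led.record(Consent("erin", "research:transfer", health, Signal.EXPRESS, True, True, t0))
    # PNR: the passenger "agreed", but could not have flown otherwise.
    led.record(Consent("frank", "pnr:transfer_to_us", booking, Signal.EXPRESS, True, False, t0))
    out = {
        "app_transfer": led.may_process("alice", "app:transfer_to_developer", profile, t0 + day),
        "app_advertising": led.may_process("alice", "app:behavioural_advertising", profile, t0 + day),
        "friends_of_friends": led.may_process("bob", "visibility:friends_of_friends", profile, t0 + day),
        "clinic_opt_out": led.may_process("carol", "research:transfer", health, t0 + day),
        "clinic_signed": led.may_process("dave", "research:transfer", health, t0 + day),
        "pnr": led.may_process("frank", "pnr:transfer_to_us", booking, t0 + day),
        "batch_before_withdrawal": led.may_transfer(["dave", "erin"], "research:transfer", health, t0 + day),
    }
    led.withdraw("erin", "research:transfer", t0 + 2 * day)  # one subject changes his mind
    out["batch_after_withdrawal"] = led.may_transfer(["dave", "erin"], "research:transfer", health, t0 + 3 * day)
    out["dave_still_valid"] = led.may_process("dave", "research:transfer", health, t0 + 3 * day)
    return out
```

Two design points follow the page's distinctions. `Signal.ACTION` passes the unambiguous test but not the explicit one, so the same signal that legitimises profile data is rejected for health data; `Signal.DEFAULT` and `Signal.SILENCE` never pass, which is the pre-ticked box and the “unless you phone” letter. And because `withdraw()` stamps a time rather than deleting the record, the ledger still proves that the earlier transfers were lawful when they happened.
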
G. THE E-PRIVACY DIRECTIVE (Directive 2002/58/EC)

The recently amended e-Privacy Directive (Directive 2002/58/EC) applies only to providers of publicly available electronic communications services (e.g. telephony providers, Internet service providers, etc.).

1. CONSENT AND ITS RELATION TO DIRECTIVE 95/46/EC (Article 2(f)): Article 2 of the e-Privacy Directive explicitly states that the definitions of Directive 95/46/EC, including that of consent, apply to Directive 2002/58/EC.

2. INTERCEPTION/SURVEILLANCE OF COMMUNICATIONS (Article 5(1)): requires the consent of “all users concerned”, in other words of both parties to the communication.

3. TIMING OF CONSENT (Articles 6(3), 9, 13 and 5(3)): consent must be given before the processing starts. This is in line with Directive 95/46/EC.

4. THE RIGHT TO OBJECT AND ITS DISTINCTION FROM CONSENT (Article 13(2)-(3)): if the addressee of the commercial communication is an existing client and the communication aims at promoting the provider’s own or similar products or services, the requirement is not consent but ensuring that individuals “are given the opportunity to object” (Article 13(2)). Recital 41 explains why the legislator did not require consent in this case: “Within the context of an existing customer relationship, it is reasonable to allow the use of electronic contact details for the offering of similar products or services”. Thus, in principle, the contractual relationship between the individual and the service provider is the legal ground that allows the first contact by e-mail.

5. POSSIBILITY TO WITHDRAW CONSENT (Articles 6(3) and 9(3)-(4)).

H. THE ARTICLE 29 WORKING PARTY’S ASSESSMENT OF THE CURRENT DATA PROTECTION FRAMEWORK AND RECOMMENDED CHANGES

The Article 29 WP deplores the lack of uniformity in implementation of the requirements for valid consent by the EU member states at the national level.

It suggests the following changes as part of the revision of the general data protection framework.

  • Further clarification of the wording “unambiguous”. “Clarification should aim at emphasizing that unambiguous consent requires the use of mechanisms that leave no doubt of the data subject’s intention to consent. At the same time it should be made clear that the use of default options which the data subject is required to modify in order to reject the processing (consent based on silence) does not in itself constitute unambiguous consent. This is especially true in the on-line environment.”
  • Include the word “unambiguous” in the general definition of consent of Article 2(h), in order to avoid confusion.
  • “Unambiguous consent” which encompasses explicit consent but also consent resulting from unambiguous actions should remain the required standard. This choice gives more flexibility to data controllers to collect consent and the overall procedure may be quicker and more user friendly.
  • Include wording reflecting interpretations of consent by case law and Article 29 WP Opinions.
  • Include enhanced protection rules for individuals lacking legal capacity, such as children.

IAPP Global Privacy Summit 2010 – Hot Topics : Robert Rothman on the New EU Controller-to-Processor Model Clauses

At the recent IAPP Global Privacy Summit in Washington, D.C., many hot topics were addressed:

Privacy by Design, Behavioral Advertising, the new EU Cookie Consent Law, the Smart Power Grid, the Cloud, Web 2.0, the new EU Model Clause Agreements, Controllers, Processors and Sub-Processors, the recent Google convictions, to name just a few.

I interviewed a few prominent privacy professionals, who were attending and/or presenting at the summit, on some of the important issues of the day.

Robert Rothman, President of Privacy Associates International (PAI), is an expert in Cross Border Data Transfers.

The EU Commission Decision of February 5, 2010 contains new standard contractual clauses for the transfer of personal data from EU countries to processors established in third (non-EU and non-“adequate”) countries. The decision takes effect on May 15, 2010.

I asked Robert Rothman to explain the changes in the model clauses.

See also my previous post for a comprehensive coverage of the subject matter.

EU Cross Border Ediscovery, Standard Contractual Clauses, and Sub Processors: What Will Change on May 15, 2010?

How the New EU Rules on Data Export Affect Companies in and outside the EU

by Dr. Thomas Helbing

On 5 February 2010 the European Commission updated the set of standard contractual clauses for the transfer of personal data to processors in non-EU countries. The old clauses are repealed with effect from 15 May 2010.

Standard contractual clauses are an important instrument for companies in the EU to comply with national data protection laws when information on individuals is transferred to, or accessed by, organizations outside the EU.

The Commission decision is relevant for every organization receiving personal data, for example customer or employee data, from subsidiaries, customers or vendors in the EU.

In addition, the new standard contractual clauses will also affect companies that indirectly receive personal data originating in the EU, e.g. by providing services to companies which process EU data. This is because the new standard contractual clauses require companies importing personal data from the EU to impose the terms of the clauses contractually on any subcontractor to which they transfer personal data or grant access.

In particular, agreements on outsourcing, cloud computing, software as a service (SaaS) or application service providing (ASP), and software such as Human Resources Information Systems (HRIS), Customer Relationship Management (CRM) tools and Enterprise Resource Planning (ERP) software are affected.

Example “CRM”: CRM-Ready Inc. is a US-based company providing a Customer Relationship Management software that clients use remotely via a web browser (Software as a Service – SaaS). Best-Resell GmbH in the EU intends to use CRM-Ready’s system to store and manage its customer data. CRM-Ready Inc. and Best-Resell GmbH agree to conclude a contract with the EU standard contractual clauses to ensure Best-Resell’s compliance with local privacy laws.

Example “HR-Data”: Global Workers Ltd. is a multi-national company headquartered in Japan with subsidiaries in various EU countries. Names, functions and phone numbers of all employees are stored centrally in a firmwide database at Global Workers Ltd. in Tokyo. The EU subsidiaries and Global Workers Ltd. agree on the EU standard contractual clauses to ensure the lawfulness of the intra-group data transfers under EU laws.

In this article we answer the following questions:
• What is the Concept behind Standard Contractual Clauses?
• What are the Changes to the Standard Contractual Clauses?
• How Does the New Subcontracting Scheme of the Clauses Work in Practice?
• When Do the New Clauses Take Effect and Which Existing Agreements Need to be Updated?
• How Do the Clauses Affect Companies Outside the EU?

Cross Border EDiscovery

New French Case Removes Automatic Privacy Shield From Employee E-Mails, Making Them More Amenable to US Discovery

by Trevor Jefferies and Alvin F. Lindsay:

A new decision released on 8 January 2010 from the French high labor court (the Cour de Cassation Chambre Sociale) may provide some grounds for arguing that a party in France can review a French employee’s e-mails and electronically stored information to determine whether the data is relevant to a U.S. litigation, without the employee’s knowledge or presence. This is a significant development in the perennial tension between EU privacy law and U.S. discovery principles.

To continue reading, click on this link:

http://www.hhdataprotection.com/2010/02/articles/litigation/new-french-case-removes-automatic-privacy-shield-from-employee-emails-making-them-more-amenable-to-us-discovery/