A colleague of mine, Cédric Laurant, recently posted an interesting question on a LinkedIn group that I manage, the European Data Protection Forum :

“Do some iPhone and Android smartphone application makers… violate the consent requirement of the e-Privacy Directive (2009/136)?”

Apple, Inc. got sued on Dec. 23 in federal court in San Jose, California. The suit claims the California-based Apple’s iPhones and iPads are encoded with identifying devices that allow advertising networks to track what applications users download, how frequently they’re used and for how long. Apple iPhones and iPads are set with a Unique Device Identifier, or UDID, which can’t be blocked by users, according to the complaint.

“Some apps are also selling additional information to ad networks, including users’ location, age, gender, income, ethnicity, sexual orientation and political views,” according to the suit.

The suit was filed shortly after the publication of the WSJ’s Dec. 18 article Your Apps Are Watching You .

Some excerpts of above mentioned article:

“Among all apps tested, the most widely shared detail was the unique ID number assigned to every phone. It is effectively a “supercookie,” says Vishal Gurbuxani, co-founder of Mobclix Inc., an exchange for mobile advertisers.

On iPhones, this number is the “UDID,” or Unique Device Identifier. Android IDs go by other names. These IDs are set by phone makers, carriers or makers of the operating system, and typically can’t be blocked or deleted.

“The great thing about mobile is you can’t clear a UDID like you can a cookie,” says Meghan O’Holleran of Traffic Marketplace, an Internet ad network that is expanding into mobile apps. “That’s how we track everything.”

To my knowledge, no lawsuits have been filed yet in the EU against Apple, Google-Android or against the application makers/third party advertisers.

Since Apple’s and Google’s headquarters are located in the USA, and most app makers are also located outside the EU/EEA, the question arises whether the European Data Protection Laws even apply to data processed by Apple or by Google/Android in a EU/EEA member state. The same applies for app makers: most of hem are located outside the EU.

In other words: Can Apple, Google and app makers be sued on the basis of EU Data Protection Laws?

The EU Data Protection framework is “controller centric”. The defining criterion is the location of the data “controller”: is it/he/she located within the EU/EEA, either physically or symbolically? If yes, the controller is subject to the EU Data Protection framework.

Contrast this to the US model, which is “consumer centric”: The defining criterion for most US privacy laws, like e.g. COPPA, is the targeted market. Is the company targeting children in the US market? If yes, the US laws, in this case COPPA, are applicable, regardless of where the data controller is located.

The key provision on applicable law under the EU data protection framework is Article 4 of EU Directive 95/46/EC, which determines which national data protection law(s) adopted pursuant to the Directive may be applicable to the processing of personal data.

The present case would be governed by the EU Directive 2002/58/EC, the so called e-privacy directive on privacy and electronic communications, as amended by the EU Directive 2009/EC , the so called cookie directive. The EU Directive 2009/EC has not been implemented in all members states’ national laws yet, and the deadline is June 2011.

A controversial provision in this directive is the amendment that says that member states shall ensure that “the storing or access to information already stored in the terminal equipment of a subscriber or user is only allowed on the condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information …  about the purposes of the processing.”

This has been understood by many as a requirement for websites to provide opt-in consent before installing cookies on a user’s device.

It needs reminding though, that according to the EU Directive 95/46/EC, processing of sensitive data requires explicit consent from the user!

Sensitive Data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships or data concerning health or sex life. I dare say that in light of this definition, most data posted on social networking sites (SNS) are to be considered of a sensitive nature. So are some of the data transmitted by smartphone apps to third parties.

However, the EU Directive 2002/58/EC,  as amended by the EU Directive 2009/EC , does not contain an applicable law and jurisdiction provision, but instead refers to Article 4 of the Directive 95/46/EC.

Article 4 (1) EU Directive 95/46/EC stipulates that the national law shall apply where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the (EU) Member State.

…

(c) the controller is not established on the Member State’s territory, and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State…

For the sake of simplifying an extremely complex set of laws, I have left out provisions that do not directly apply to the situation discussed in this article.

But even so, the above mentioned rules have created many difficulties in application and interpretation by member states.

” The legal rules for determining whether EU law applies to business activities, if so which national law, and where jurisdiction lies, are extraorinarily complex, and involve  a number of difficult questions for which there are no definite answers.” Christopher Kuner, European Data Protection Law, Corporate Regulation and Compliance, (2nd edition, Oxford University Press) 109.

Also, “No provision of Article 4 (or indeed, of the entire General Directive) has caused more controversy than Article 4(1)(c)”. ibid 118.

So, finally, on Dec. 16, 2010, the Article 29 Working Party released an Opinion 8/2010 on applicable law regarding the applicability of the EU Directive 95/46/EC.

The WP explains why it thought its opinion had become so necessary:

“The complexity of applicable law issues is also growing due to increased globalisation and the development of new technologies: companies are increasingly operating in different jurisdictions, providing services and assistance around-the-clock; the internet makes it much easier to provide services from a distance and to collect and share personal data in a virtual environment; cloud computing makes it difficult to determine the location of personal data and of the equipment being used at any given time.

Clarifying the concept of applicable law is of great importance, independently of possible amendments to the current provisions of the Directive in the future. Current provisions will remain valid until amended, and to the extent that they are not amended. Therefore clarification of the applicable law provisions will help to ensure better compliance with the Directive pending any amendment of the legislation. In addition, in preparing this opinion the Working Party has been able to draw on the experience of applying the current provisions with a view to providing guidance to the legislator to assist in any future revision of the Directive.

But the clear connection between the applicable law and the controller can be a guarantee of effectiveness and enforceability, especially in a context in which it can be difficult, or sometimes impossible, to locate a file (as may be the case for cloud computing).

Clear guidelines as to applicable law rules should help address new developments: technological (internet; network based files/cloud computing) and commercial (multinational companies).”

Indeed, to make a complicated situation even worse, the entire European Data Protection framework is up for review this year. ( See this previous blog post ).

But, as the WP mentioned, the current law still remains in effect as of now, until and if it is amended.

According to article 4, the main criteria in determining the applicable law are the location of the establishment of the controller, and the location of the means or equipment being used when the controller is established outside the EEA.

Article 4 (1) EU Directive 95/46/EC

1.

a) “…an establishment of the controller on the territory of the Member State …”

Article 29 WP: “It is … important to emphasise that an establishment need not have a legal personality, and also that the notion of establishment has flexible connections with the notion of control. A controller can have several establishments, joint controllers can concentrate activities within one establishment or different establishments. The decisive element to qualify an establishment under the Directive is the effective and real exercise of activities in the context of which personal data are processed.

The notion of establishment is not defined in the Directive. The preamble of the Directive indicates however that “establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements (and that) the legal form of (..) an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor in this respect” (recital 19).

Concerning the freedom of establishment under Article 50 TFEU (former Article 43 TEC) the European Court of Justice (ECJ) has considered that a stable establishment requires that “both human and technical resources necessary for the provision of particular services are permanently available”.

The strong emphasis put in the preamble of the Directive on “effective and real exercise of activity through stable arrangements” clearly echoes the “stable establishment” referred to by the Court of Justice at the time of the adoption of the Directive. Although it is not clear whether this and subsequent interpretations by the ECJ as regards the freedom of establishment under Article 50 TFEU could be fully applied to the situations covered by Article 4 of the Data Protection Directive, the interpretation of the Court in those cases can provide useful guidance when analysing the wording of the Directive.

This interpretation is used in the following examples:

– Where “effective and real exercise of activity” takes place, for example in an attorney’s office, through “stable arrangements”, the office would qualify as an establishment. This induces a broad scope of application, with legal implications extending beyond the EEA territory: the Directive – and national laws of implementation – apply to the processing of personal data outside the EEA (where carried out in the context of activities of an establishment of the controller in the EEA), as well as to controllers established outside the EEA (when they use equipment in the EEA). As a consequence, the provisions of the Directive can be applicable to services with an international dimension such as search engines, social networks and cloud computing.

C) “…for purposes of processing personal data makes use of equipment…situated on the territory of the said Member State.“

This provision becomes relevant when the controller has no presence in EU/EEA territory which may be considered as an establishment for the purposes of Article 4(1)(a) of the Directive, as analyzed above.

This provision is especially relevant in the light of the development of new technologies and in particular of the internet, which facilitate the collection and processing of personal data at a distance and irrespective of any physical presence of the controller in EU/EEA territory.

Article 4(1)(c) will also apply where the controller has an “irrelevant” establishment in the EU. That is to say, the controller has establishments in the EU but their activities are unrelated to the processing of personal data. Such establishments would not trigger the application of Article 4(1)a.

The crucial element which determines the applicability of this Article and thus of a Member State’s data protection law is the use of equipment situated on the territory of the Member State.

The Working Party has already clarified that the concept of “making use” presupposes two elements: some kind of activity of the controller and the clear intention of the controller to process personal data. Therefore, whilst not any use of equipment within the EU/EEA leads to the application of the Directive, it is not necessary for the controller to exercise ownership or full control over such equipment for the processing to fall within the scope of the Directive.

Working Party recognized the possibility that personal data collection through the computers of users, as for example in the case of cookies or Javascript banners, trigger the application of Article 4(1)c and thus of EU data protection law to service providers established in third countries.

The WP brings the following example:

Geo-location services:

A company located in New-Zealand uses cars globally, including in EU Member States, to collect information on Wi-Fi access points (including information about private terminal equipment of individuals) in order to provide a geo-location service to its clients. Such activity involves in many cases the processing of personal data.

The application of the Data Protection Directive will be triggered in two ways:

– First, the cars collecting Wi-Fi information while circulating on the streets can be considered as equipment, in the sense of Article 4(1)c;

– Second, while providing the geo-location service to individuals, the controller will also use the mobile device of the individual (through dedicated software installed in the device) as equipment to provide actual information on the location of the device and of its user.

Both the collection of information with a view to provide the service, and the provision of the geo-location service itself, will have to comply with the provisions of the Directive.

Notes: I wonder if the Article 29 WP might have been alluding to the Google Street View cases? And would the WP have included an app example, if it had waited two more days to publish its opinion? (The opinion was published on Dec. 16, and the WSJ article came out on Dec.18).

Conclusion:

To get back to our original question:

“Do some iPhone and Android smartphone application makers violate the consent requirement of the e-Privacy Directive (2009/136)?”

The answer, of course, depends first on whether the European Data Protection Laws apply on the personal data processed by Apple or Google/Android and by third parties located outside the EU/EEA through smartphones.

In light of the above analysis of Article 4 (1) EU Directive 95/46/EC, it would seem that the EU Data Protection laws are indeed applicable to IPhone and Android and their application makers, whose apps  send personal data like age, gender, location and phone identifiers to various ad networks.

In this case, either the EU users smartphone’s unique ID or the apps downloaded on the smartphone  would be the “equipment” situated on the territory of a member state, that the app makers would use in order to process personal information.

Even though most of the companies creating these apps are startups, located outside the EEA, without any establishment within the EEA, they could be sued based on article 4(1)(c) of the Directive.

Article 4(1)(c) will also apply where the controller has an “irrelevant” establishment in the EU. That is to say, the controller has establishments in the EU but their activities are unrelated to the processing of personal data. Such establishments would not trigger the application of Article 4(1)a.

Apple’s headquarters are located in California, USA, and it has many “establishments” all over the EU, but the “establishments” may not be related to the processing of personal data on the iPhones. The same applies to Google. So, even for Apple and Google, article 4(1)(c) will provide the legal basis for applicability of EU law.

Once, the applicability of the EU Data Protection framework has been established, the answer to the question whether these apps violate the EU Data Protection laws is pretty clear.

The unique smartphone ID is like a “supercookie,” (see above), and the downloaded app itself can act like a cookie.

Under the EU Directive 2002/58/EC, it is acceptable to use cookies for legitimate purposes if the users are provided “with clear and precise information” about the purposes of such use, “so as to ensure that users are made aware of information being placed on the terminal equipment they are using.

Smartphone apps that  transmit the phone’s unique device ID, and/or other personal data to other companies without giving the user proper notice would be violating the directive, and the national EU member state laws.

When the data that are transferred consist of sensitive data, there has to be, in addition, opt-in consent from the user.

Under the EU Directive 2009/EC, in addition to notice, “consent” is required as well.

Even though there is controversy concerning the interpretation of the type of consent required under this directive (opt-in v. opt-out consent), the total absence of any type of consent in relation to apps on smatphones would indicate a violation of this directive and its current and future implementation by the member states national laws. The many apps that don’t even offer an opt-out option to users would certainly be violating the directive and its national implementations.

The Article 29 Working Party in its Opinion 8/2010 on applicable law ends with some recommendations for the overhaul of the EU data Protection framework:

“Additional criteria should apply when the controller is established outside the EU, with a view to ensuring that a sufficient connection exists with EU territory, and to avoid EU territory being used to conduct illegal data processing activities by controllers established in third countries. The two following criteria may be developed in this view:

− The targeting of individuals, or “service oriented approach”: this would involve the introduction of a criterion for the application of EU data protection law, that the activity involving the processing of personal data is targeted at individuals in the EU. This would need to consist of substantial targeting based on or taking into account the effective link between the individual and a specific EU country. The following examples illustrate what targeting could consist of: the fact that a data controller collects personal data in the context of services explicitly accessible or directed to EU residents, via the display of information in EU languages, the delivery of services or products in EU countries, the accessibility of the service depending on the use of an EU credit card, the sending of advertising in the language of the user or for products and services available in the EU. The Working Party notes that this criterion is already used in the field of consumer protection: applying it in a data protection context would bring additional legal certainty to controllers as they would have to apply the same criterion for activities which often trigger the application of both consumer and data protection rules.

− The criterion of the equipment/means: this criterion has shown to have undesirable consequences, such as a possible universal application of EU law. Nonetheless, there is a need to prevent situations where a legal gap would allow the EU being used as a data haven, for instance when a processing activity entails inadmissible ethical issues. The equipment/means criterion could therefore be kept, in a fundamental rights perspective, and in a residual form. It would then only apply as a third possibility, where the other two do not: it would address borderline cases (data about non EU data subjects, controllers having no link with EU) where there is a relevant infrastructure in the EU, connected with the processing of information. In this latter case, it might be an option to foresee that only certain data protection principles – such as legitimacy or security measures – would apply. This approach, which obviously would be subject to further development and refinement, would probably solve most of the problems in the current Article 4(1)(c).”