Cookie-Cutter: UK Announces New Rules for Website Cookies

The United Kingdom Information Commissioner’s Office (ICO), which oversees compliance with privacy laws, announced this week new rules governing the use of website “cookies” that will come into effect on May 26, 2011, possibly following an as-yet unidentified grace period. The new rules will effectively require opt-in consent to use most kinds of cookies, and they will be particularly difficult to manage in the context of third-party cookies such as those employed by advertisers and advertising networks.

Since the new British rules are meant to implement amendments to the European Union’s ePrivacy Directive, this is an issue that will have to be addressed across Europe and is likely to impact any website aimed at a European market.

Cookies Everywhere

“Cookies,” small text files that a website automatically places on a visitor’s computer when the website is loaded, are ubiquitous on the Web. Session cookies track a user’s activity from page to page during a session, so that the user does not have to re-enter information or selections. Authentication cookies store logon credentials so that the user does not have to log on again after navigating to another website. Persistent cookies store user preferences for each successive visit to the website.

Tracking cookies may be used to collect analytic data on how an individual website is used, and some kinds of tracking cookies record the user’s activity across websites – which is more controversial from a privacy perspective. For example, “conversion tracking cookies” allow an advertiser to determine whether a user who clicks on a third-party advertising link ends up making an online purchase from the advertiser. Some behavioral marketing programs use cookies to collect information about the pages and sites visited by a consumer so that a profile can be constructed for targeted marketing purposes. Google Analytics uses cookies to create statistical reports for advertisers and website operators, without identifying the individual users other than by IP address.

The ePrivacy Directive

The European Union’s Privacy and Electronic Communications Directive (the “ePrivacy Directive”) essentially required transparency concerning cookies. Website visitors were to be informed about the website operator’s practices and available options to refuse or delete cookies. This has been the standard for website operators and advertisers since 2002.

In November 2009, the ePrivacy Directive was modified by amendments that included a revised Article 5(3) emphasizing the need for informed consent:

Member States shall ensure that the storing of or access to information already stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC [the EU Data Protection Directive], inter alia about the purposes of the processing.

There is an exception for storage or access that is “strictly necessary” to provide an explicitly requested service.

The UK Response

Member States were required to transpose the amendments into national law in 18 months. This explains the timing for the revision of Regulation 6 of the UK Privacy and Electronic Communications Regulations 2003 (“PERC”), which will require after May 25 that the user “has given his or her consent” to storing or accessing information on the user’s equipment.

ICO’s announcement this week concerning the rule change raises as many questions as it answers, and the announcement itself states that ICO will issue separate guidance on how it intends to enforce PERC with respect to cookies.

Key Issues

  • ICO expects that the more intrusive cookies (such as those that create profiles of users, especially across multiple websites) will require more explanation and well-documented consent. Conversion tracking and behavioral marketing uses of cookies are clearly in the crosshairs.
  • The recitals to the amended ePrivacy Directive discuss the possibility of relying on the user’s browser settings to accept or reject cookies. ICO rejects this as a current solution, however, given the variety of browsers and settings in use, their unfamiliarity to many users, and the increasing use of mobile devices to access websites.
  • ICO mentions several other possible ways of informing users about cookies and obtaining consent, such as highlighted or scrolling headers, footers, or splash screens; disclosures on pages requesting personal information or offering particular downloads such as videos; website terms and conditions or pop-ups that require a user to click “I agree” before proceeding; website “settings” that could be selected by a user once and then remembered (presumably using a cookie) for subsequent visits.
  • ICO frankly acknowledges that third-party cookies may present the most challenging compliance issues and simply concludes that “everyone has a part to play in making sure that the user is aware of what is being collected and by whom.” An ICO spokesperson mentioned the possibility of establishing advertising network policies and procedures that could be viewed (and consented to?) by clicking on an icon displayed with banner ads and other advertising links.
  • ICO says the exception for “strictly necessary” cookies will be interpreted narrowly. It gives one potential example: cookies used to keep track of a user’s purchases in a “shopping basket” until the user is ready to “check out” and pay for the purchases. ICO advises that it would not be acceptable to use cookies without consent simply to make the presentation of the website more attractive or collect statistics about the use of the website.
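The opt-in model these points describe, as an added example that is not part of the original post: a small JavaScript gate that sets only strictly necessary cookies (ICO's shopping-basket case) before consent, releases analytics or advertising cookies only after a recorded opt-in, and stores that record itself as a necessary preference so the choice is remembered on later visits. The cookie names, purpose labels and the `cookie_consent` record format are assumptions chosen for the illustration, and the in-memory jar stands in for document.cookie so it runs outside a browser.

```javascript
// Added example, not from the original post: a minimal opt-in gate for
// first-party cookies that follows the ICO reading of Article 5(3).
// Every cookie is declared with a purpose; only "strictly necessary" cookies
// may be set before consent, and the consent record itself is stored as a
// strictly necessary preference so the choice is remembered on later visits.
// The jar is an in-memory stand-in for document.cookie so this runs in Node.

const PURPOSE = Object.freeze({
  NECESSARY: 'necessary',     // e.g. session id, shopping basket (ICO's own example)
  ANALYTICS: 'analytics',     // usage statistics: not exempt according to ICO
  ADVERTISING: 'advertising', // conversion tracking, behavioural profiles
});

const CONSENT_COOKIE = 'cookie_consent'; // assumed name, not prescribed by ICO

function createConsentGate(jar = new Map()) {
  // name -> purpose, so cookies can be purged if consent is later withdrawn
  const registry = new Map();

  function readConsent() {
    const raw = jar.get(CONSENT_COOKIE);
    if (!raw) return null;
    try {
      return JSON.parse(raw);
    } catch (e) {
      return null; // a corrupt record is treated as "no consent given"
    }
  }

  // choices: { analytics?: boolean, advertising?: boolean }; omitted = refused.
  // The stored record carries a version and timestamp so the site keeps
  // evidence of what was agreed to and when.
  function recordConsent(choices, now = new Date()) {
    const record = {
      version: 1,
      recordedAt: now.toISOString(),
      [PURPOSE.ANALYTICS]: choices.analytics === true,
      [PURPOSE.ADVERTISING]: choices.advertising === true,
    };
    jar.set(CONSENT_COOKIE, JSON.stringify(record));
    registry.set(CONSENT_COOKIE, PURPOSE.NECESSARY);
    // Withdrawal: drop every cookie whose purpose is no longer consented to.
    for (const [name, purpose] of registry) {
      if (purpose !== PURPOSE.NECESSARY && !record[purpose]) {
        jar.delete(name);
        registry.delete(name);
      }
    }
    return record;
  }

  function isAllowed(purpose) {
    if (purpose === PURPOSE.NECESSARY) return true;
    const consent = readConsent();
    return consent !== null && consent[purpose] === true;
  }

  // Returns true if the cookie was set, false if blocked for lack of consent.
  function setCookie(name, value, purpose) {
    if (!Object.values(PURPOSE).includes(purpose)) {
      throw new Error(`undeclared cookie purpose: ${purpose}`);
    }
    if (!isAllowed(purpose)) return false;
    jar.set(name, value);
    registry.set(name, purpose);
    return true;
  }

  function getCookie(name) {
    return jar.has(name) ? jar.get(name) : undefined;
  }

  return { setCookie, getCookie, isAllowed, recordConsent, readConsent };
}

// Walk-through of one visit: the basket works at once, analytics waits for opt-in.
function demo() {
  const gate = createConsentGate();
  const before = gate.setCookie('basket', 'sku-1001', PURPOSE.NECESSARY);   // true
  const blocked = gate.setCookie('site_stats', 'u=abc', PURPOSE.ANALYTICS); // false
  gate.recordConsent({ analytics: true });
  const after = gate.setCookie('site_stats', 'u=abc', PURPOSE.ANALYTICS);   // true
  return { before, blocked, after };
}
```

A real deployment would also have to gate third-party scripts (they set their own cookies once loaded), which is the case ICO calls the hardest.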

Implications for Website Operators

  • Websites hosted in Europe are clearly subject to the new rules as they are implemented in each country this year. Data protection authorities and courts in some European countries may also assert that websites hosted elsewhere but targeting European residents should conform to the new cookie rules. When a company offers a UK or EU version of a website, for example, it may be required (or at least expected by users) to follow the EU rules.
  • The trend toward requiring fuller disclosure and explicit consent, especially for behavioral tracking, is likely to be seen in the US as well, as suggested by the Federal Trade Commission’s December 2010 report on consumer privacy.
  • Website operators should stay abreast of official interpretations and enforcement policies, such as those promised by ICO, that may offer more detailed guidance on cookie notices and consent mechanisms.
  • It’s a good time to inventory your organization’s cookie practices, make sure they are fully disclosed in website privacy policies, and consider how to operationalize express consent requirements in Europe. Watch how popular commercial websites in the UK adapt to the new rules. (Right now, even the privacy policy on ICO's website would be inadequate!)
  • Contracts with third-party advertisers, advertising networks, providers of website and browsing statistics, and business partners involved in co-branded websites should clearly delineate who is responsible for providing cookie notices and obtaining (and preserving evidence of) consent where required.

European Commission Announces Strategy for Revising EU Data Protection Rules

Earlier today, the European Commission released documents setting out the road map for revision of the European data protection rules, including the EU Data Protection Directive 95/46/EC. The strategy is based on the Commission’s position that an individual’s ability to control his or her information, have access to the information, and modify or delete the information are “essential rights that have to be guaranteed in today’s digital world.” The Commission set out a strategy on how to protect personal data while reducing barriers for businesses and ensuring free flow of personal data within the European Union.

The goal in revising EU data protection rules (which also apply to members of the European Economic Area) is to facilitate the establishment of clear and consistent data protection requirements as well as to modernize Europe’s data protection laws to meet the challenges raised by new technologies (e.g., behavioral tracking) and globalization. Europe's data protection laws are currently based in large part on the 1995 EU Data Protection Directive.

The Commission’s announcement comes on the heels of the Data Protection Commissioners Conference in Jerusalem, during which many participants highlighted the need to bring data protection legislation up to date, and raised concerns about inconsistent and complex data protection requirements in various countries (including among EU member states).

The Commission’s strategy to revise data protection rules is based on the goals of:

  • Limiting the collection and use of personal data to the minimum necessary;
  • Transparency as to how, why, by whom and for how long personal data is collected and used;
  • Informed consent;
  • Right to be forgotten;
  • Reducing administrative compliance burdens on businesses;
  • Uniform implementation of data protection rules in EU member states;
  • Improving and streamlining procedures for data transfers outside the EU;
  • Cooperation with countries outside the EU and promotion of high standards of data protection at a global level;
  • Strengthening enforcement of data protection rules by harmonizing the role and power of national data protection authorities;
  • Facilitating consistent enforcement of data protection laws across the EU; and
  • Implementing coherent rules for the protection of personal data in the fields of police and criminal justice.

Notably, many of these goals were announced at the Jerusalem conference.

The Commission’s review will serve as the basis for further discussions of data protection rules and, ultimately, new legislation, which the Commission expects to propose in 2011.

Please see the Commission’s press release, FAQs, and the strategy document for more details. The Commission is encouraging organizations and individuals to submit comments.

Stay tuned for more about the proposed revisions.

European Reservations?

German state data protection authorities have recently criticized both cloud computing and the EU-US Safe Harbor Framework. From some of the reactions, you would think that both are in imminent danger of a European crackdown. That’s not likely, but the comments reflect some concerns with recent trends in outsourcing and transborder data flows that multinationals would be well advised to address in their planning and operations.

In April, the Düsseldorfer Kreis, an informal group of state data protection officials that attempts to coordinate approaches to international data transfers under Germany’s federal system, called on the US Federal Trade Commission to increase its monitoring and enforcement of Safe Harbor commitments by US companies handling European personal data. On July 23, Dr. Thilo Weichert, head of the data protection commission in the northernmost German state of Schleswig-Holstein (capital: Kiel), issued a press release provocatively titled “10th Anniversary of Safe Harbor – many reasons to act but none to celebrate.” Dr. Weichert cites an upcoming report by an Australian consultancy (Galexia) asserting that hundreds of American companies claiming to be part of the Safe Harbor program are not currently certified, and that many Safe Harbor companies fail to provide information to individuals on how to enforce their rights or refer them to costly self-regulatory dispute resolution programs. Dr. Weichert urges a radical solution: “From a privacy perspective there is only one conclusion to be drawn from the lessons learned – to terminate safe harbor immediately.”

Dr. Weichert also attracted international attention with another press release issued this summer, entitled (translating loosely) “Data protection in cloud computing? So far, nil!” The press release refers to his recently published opinion on “Cloud Computing und Datenschutz,” which is deeply skeptical about the ability of cloud customers to assure compliance with European data protection laws.

European Context

The European Union’s venerable Data Protection Directive, adopted 15 years ago, has had a huge impact on data privacy and security practices in the European Union and in the countries outside the EU, ranging from Russia to Canada to Japan, that have adopted national data privacy laws strongly influenced by the Directive. The Directive’s comprehensive approach to personal information privacy, based on widely accepted principles of fair information practices, contrasts with the US approach of legislating conditions on the collection and use of personal information only in specific contexts such as Social Security Numbers, credit reporting, financial accounts, and electronic health records. While the two systems sometimes produce similar results, the mismatch between Euro-style comprehensive data privacy laws and the detailed but sectoral regulation in the United States creates some challenges for organizations that conduct business across borders.

The EU Directive (Articles 25 and 26) directs member states to prohibit the transfer of personally identifiable data to countries whose laws are not deemed sufficiently similar, unless some other approved means of assuring adequate protection is employed. One response to the problem of assuring privacy protection overseas was the adoption of EU-approved standard contract clauses or “model contracts,” which were recently updated to better address the trend toward outsourced subprocessing (including cloud computing). Another was the EU-US “Safe Harbor” framework developed jointly by the European Commission and the US Department of Commerce, under which American companies can publicly certify compliance with a standard set of Safe Harbor Privacy Principles approved by the European Commission and enforced by American regulators, predominantly the Federal Trade Commission.

Some data protection officials in Europe have questioned whether these legal alternatives have been wholly effective in assuring the confidentiality and security of personal information from Europe that is stored or processed in the United States or other countries. Social networking and the popularity of cloud computing models for outsourcing data storage and processing have heightened these concerns, since there is often less clarity about where personal data are stored and by whom. Such concerns underlie the recent pronouncements by the German data protection authorities.

Behind the Drama

Dr. Weichert shows a flair for drama in calling for the immediate end of Safe Harbor and characterizing cloud computing users as scofflaws. His press release on Safe Harbor acknowledges that his radical proposal is unlikely to be adopted because “nobody in the EU seems to have the courage” to disrupt the close economic relations with the US. He complains that Google, Facebook, and other American companies encourage millions of Europeans to share personal information, without effective supervision or recourse. Dr. Weichert wants to reopen negotiations on the Safe Harbor principles and at least strengthen the enforcement mechanisms. An upcoming EU consulting report on Safe Harbor is likely to provide some ammunition for that argument, as it reportedly criticizes the FTC for taking action against only seven companies in the ten-year history of Safe Harbor, despite thousands of complaints.

On cloud computing, Dr. Weichert points out that customers do not always know where their data resides and who is handling it, making it impossible to assure compliance with the notice, security, and transborder obligations of data controllers under the national laws transposing the EU Data Protection Directive. Individual data subjects are supposed to be informed of material facts concerning the processing of their data, and this is usually interpreted to mean, among other things, that they must be told if the data are being processed outside the EU in countries with dissimilar legal protections for personal information. In such cases, the data controller is also responsible for assuring an adequate level of protection through model contracts, Safe Harbor, binding corporate rules, informed consent, or other approved methods. Where a cloud services provider is acting as a “processor” of the data on behalf of the European customer or data “controller,” which is typical in cloud computing arrangements, the data controller has an obligation under the national version of Article 16 of the EU Directive to conduct due diligence in selecting a provider and engage the provider with a written agreement that (a) forbids the processor from acting on the data other than according to the controller’s instructions and (b) requires the processor to maintain appropriate technical and organizational security measures. Dr. Weichert questions whether this routinely happens when a customer signs up for cloud services that are, in fact, provided in a variety of changing locations and sometimes by layers of different companies providing hosting facilities or software as a service (SaaS) applications.

Putting the Criticism in Perspective

State and national data protection authorities in Europe remain legally obliged to allow data transfers to Safe Harbor companies in the US, as the Safe Harbor decision was adopted through a legislative procedure requiring approval by the European Commission, consultation with the European Parliament, and a weighted majority vote by the member state governments. Any revision of the Safe Harbor decision must follow a similar process, even assuming the US were willing to reopen discussions on the jointly administered program. Thus, modifying or terminating the program would require extensive debate and negotiation. Meanwhile, state or national authorities can legitimately confirm that a company is currently certified under Safe Harbor, but they cannot prohibit data transfers simply because the parties rely on Safe Harbor rather than model contracts or another legal basis for transborder data flows from Europe.

Moreover, the Safe Harbor program has successfully attracted nearly 2000 American companies, including those that represent some of the largest trans-Atlantic data flows, and it is now paralleled by a virtually identical US-Switzerland Safe Harbor Framework. US and European authorities meet periodically to discuss the program and coordinate efforts to promote and enforce it. The Department of Commerce and the FTC are both engaged with European data protection authorities in this process, and any perceived gaps in enforcement are likely to be addressed in this dialogue rather than in an overhaul of the Safe Harbor Privacy Principles themselves. In a public conference on Safe Harbor held in Washington last November, European data protection authorities expressed satisfaction that the program had raised the awareness of American companies handling European personal information and helped ensure compliance on the part of the European entities collecting and using the data.

Similarly, although several data protection authorities have highlighted potential compliance problems with cloud computing solutions, none have taken legal or administrative action to prevent European companies from using them (not even in Schleswig-Holstein). Dr. Weichert participates in the Düsseldorfer Kreis, where his office takes the lead on examining insurance industry issues, but the group has not issued an opinion on the application of transborder data protection mechanisms to cloud computing. His comments, which have not been officially endorsed by other regulators, should be viewed as a caution to European cloud customers rather than as a legal or enforcement opinion.

Lessons for Global Companies

The German state authorities' comments come at a time when national data protection authorities in Europe are debating precisely how the EU Data Protection Directive should be updated to reflect developments in technology and information practices since the Directive was adopted 15 years ago. The European Commission had announced its intention to review scores of written comments submitted in a recent consultative process and then propose legislative revisions later this year. But the national DPAs, meeting with the Commission last month, prevailed on the Commission to postpone any proposals until mid-2011, according to an August 2 announcement by CNIL, the French data protection commission, which was later confirmed by EU Commissioner Viviane Reding. The Commission and the national authorities are reportedly concerned about divergences in national approaches in implementing the Directive and want to examine how best to apply the general principles of the Directive in an increasingly global, networked, and distributed computing environment.

Global companies must continue to assure compliance (and market acceptance) as they collect consumer data from users in Europe and handle European employee data in centralized enterprise resource management systems or outsourced applications. Safe Harbor is an efficient and widely accepted option for the companies themselves and for many of their vendors, and cloud services are often practical and cost-effective. However, given the concerns of European authorities (and possibly of European consumers and legislators), companies should carefully consider how to implement these solutions in a compliant manner:

• Keep Safe Harbor certifications up to date (they must be renewed annually) and make sure they accurately disclose the range of data transfers to be covered

• Conduct the required annual assessment of Safe Harbor compliance

• Publish a Safe Harbor privacy policy with conspicuous provisions for resolving individual questions and complaints

• Verify that US vendors (including cloud service providers) are Safe Harbor certified, or alternatively use EU-approved standard contract clauses

• Keep European personal information, especially sensitive data, out of any cloud or outsourcing arrangements with vendors that cannot or will not confirm compliance, recognizing that some vendors refuse to divulge their locations or sub-contractors

• Follow Dr. Weichert’s advice (and ours) to include a Security Service Level Agreement, Information Security Schedule, or other specific security requirements in any outsourcing or cloud agreement that involves European personal data.

Do the New EU Processing Clauses Apply to You?

A new set of EU standard contract clauses (“SCCs” or “model contracts”) for processing European personal data abroad came into effect on May 15, 2010. Taken together with a recent opinion by the official EU “Article 29” working group on the concepts of “controller” and “processor” under the EU Data Protection Directive, this development suggests that it is time to review arrangements for business process outsourcing, software as a service (SaaS), cloud computing, and even interaffiliate support services, when they involve storing or processing personal data from Europe in the United States, India, and other common outsourcing locations.

I reported in February about the European Union adopting a new set of SCCs to legitimize the transfer of European personal data to foreign processors. From May 15 onward, the new SCCs must be used unless there is another legal basis for the transfers, such as the EU-US “Safe Harbor” program.

Here is a summary of the impact of this EU decision, in the form of FAQs:

Why Use Standard Contract Clauses?

The EU Data Protection Directive requires national authorities to forbid the transfer of personal information to countries outside the European Economic Area (EEA) unless the data will be adequately protected by law or a specific derogation, such as approved SCCs or the individual’s informed consent, applies.

The United States, India, China, the Philippines, Jamaica, South Africa, and other common destinations for outsourced data services do not have similar data protection laws and are not deemed to provide an “adequate level of protection.” US companies that participate in the “Safe Harbor” framework for handling European personal data in the US, or sending it onward for processing in a third country, are treated as offering adequate protection. So are multinationals that implement Binding Corporate Rules (“BCRs”) approved by each of the relevant European countries for data transfers within a corporate group. But apart from transfers to Safe Harbor companies or in certain narrow contexts such as express consent or BCRs, offshoring arrangements involving personal data typically do not comply with European national data protection laws unless the company in Europe enters into a contract with the foreign vendor that includes EU-approved SCCs.

(It is also possible to seek approval from each relevant country for a unique set of contractual clauses, but this is an uncertain and time-consuming alternative that few organizations pursue.)

There are good reasons for a US company to consider Safe Harbor or BCRs, although these are beyond the scope of this article. But in any event, there will almost certainly be contexts in which neither Safe Harbor nor BCRs will cover all the data transfers that the company requires, such as data transfers outside the corporate group or directly from Europe to vendors outside the United States. In those cases, SCCs will typically be required.

What Countries Accept the EU SCCs?

EU-approved SCCs are ostensibly a passport for personal data from all 27 EU member states plus the other three EEA countries – Iceland, Liechtenstein, and Norway. However, one EU member state, Hungary, has not yet conformed its national law to routinely allow data transfers based on SCCs (or on Safe Harbor or BCRs, for that matter); individual consent is still required in most cases in Hungary.

Outside the EEA, Switzerland and Israel, which have similar data protection regimes, allow the transfer of personal data abroad if the companies use EU-approved SCCs. There are also instances where other non-EEA countries, such as Russia, have approved data transfers under contracts employing the EU SCCs, on a case-by-case basis.

This does not mean that a company can sign an agreement including, or annexing, SCCs and just start transferring personal data to an affiliate or vendor in the US or India. Unlike transfers to “adequate” countries such as Canada or to US Safe Harbor companies, data transfers under SCCs require notification to the data protection authorities (DPAs) in many European countries, and in some countries the transaction must await prior approval by the local DPA. In the UK, notice is effected simply by checking a box on an online registration form. In France, Spain, or The Netherlands, on the other hand, the European company must submit details and await an official response. In Germany, the internal data protection officer must approve the transfers, and approval may also be required from a works council or labor union if the outsourcing involves employee data.

If a company does not vary from the text of the EU SCCs and attaches a satisfactorily detailed annex describing the data transfers, including any special provisions for protecting sensitive categories of personal information, authorization should be forthcoming. But authorization often takes as long as three or four months in some countries. This should be factored into project and contract timing.

What Do the SCCs Provide?

One of two different versions of EU-approved “controller-controller” SCCs must be used if the data controller in Europe is transferring personal data to a foreign data controller, such as a parent, affiliate, or business partner that will make its own use of the data. For transfers to a processor that is merely handling the data on behalf of a European data controller, the newly adopted version of “controller-processor” SCCs must be employed.

The SCCs, which must be made available to the authorities and affected individuals on request, identify the “data exporter” in Europe and the “data importer” overseas. In contracts with processors, the processor must agree to follow the instructions of the data controller and maintain the confidentiality and security of the data. In the case of contracts between data controllers, each of which can use the data for its own purposes, the relevant SCCs allow the parties to select the governing European data protection law or a minimum set of data privacy principles.

SCCs provide for third-party beneficiary liability to the affected individuals and allow the data exporter to terminate the entire data transfer agreement if the data importer fails to comply with the SCCs. The SCCs also require the parties to annex a description of the covered data transfers in a prescribed format.

What’s Different about the New Processing SCCs?

The chief difference between the new controller-processor SCCs and the prior version published in 2001 is that the new SCCs take account of the trends to subcontract storage, technical support, or specific processing functions to third parties. When such “subprocessing” is contemplated, the new SCCs require the vendor to obtain the customer’s consent to subprocessing and execute written agreements with the subprocessors placing them under the same obligations to protect the personal data. The customer is also required to maintain a list of such subprocessing agreements and make it available on request to the data protection authorities, who may audit any subprocessing.

Here are some examples where these changes will typically involve more investigation and documentation than previously:

• An outsourcing vendor in the US plans to have some contracted functions performed by its affiliates in India or China.

• A cloud computing vendor aggregates services and hosting provided by a network of third parties.

• A parent company in the US, which has been providing technical support to European affiliates under SCCs, plans to outsource some support functions to vendors.

Are Existing Vendor Contracts Grandfathered?

Yes. Contracts in place before May 15, using the older version of EU-approved processing SCCs, may continue without revision until they expire, or until the nature of the data transfers changes materially or the vendor seeks to add a subprocessor.

Should We Use the Controller or Processor SCCs?

Sometimes it’s hard to tell which SCCs to use, because it is a factual question whether the data importer is in some respects acting as a controller of the data as opposed to acting as a mere processor. Simply saying in the contract that the data importer is only a processor may not preclude a different opinion by the authorities or the courts.

A parent company in the US, for example, may support global communications and ERM functions on behalf of its European subsidiaries, similar to what an unrelated outsourcing vendor might provide. But if the US parent also has access to the European data for its own purposes – such as corporate planning, career development and succession planning, and perhaps global insurance, audit, or legal functions – the US parent looks more like a data controller with respect to those purposes. Thus, a US parent company might be viewed as both a controller and a processor of European data.

Similarly, a global company may retain a benefits provider, perhaps to manage an employee stock option program or administer a pension fund. To the extent that the benefits provider simply performs functions at the employer’s behest, it appears to be a processor. But if the benefits provider also markets and provides additional services directly to the employees, it seems to be taking on the role of a controller.

In most European countries, the parties could safely rely on the controller-controller SCCs in such cases of mixed use. However, DPAs (especially in Greece) sometimes insist on separating the functions and require the data importer to sign two SCCs, one as a controller and the other as a processor. European Commission staff reports have occasionally noted the potential ambiguities in this and other applications of the controller and processor concepts, but as yet there is not a uniform and predictable approach to the problem.

The EU Data Protection Directive primarily regulates data controllers. A controller is defined in Article 2 of the Directive as the natural or legal person or public agency that “alone or jointly with others” determines “the purposes and means of processing” personal data. A processor is a natural or legal person or agency that processes data on behalf of a controller. “Processing” is defined very broadly in the Directive to include collection, use, storage, manipulation, disclosure, disposal, and virtually any other action with personal data. A controller can decide either to process personal data itself or delegate some or all processing activities to a processor. International data transfer agreements using SCCs always involve a data controller in Europe transferring personal data to either a controller or processor abroad.

In February, the Article 29 Data Protection Working Party, comprised of data protection officials from the European Commission and each of the member states, issued Opinion 1/2010 on the concepts of “controller” and “processor.” The concepts are important, of course, not only in choosing which SCCs to use in international transfers, but more importantly in deciding who has ultimate responsibility for protecting and properly using personal data, and which country’s law applies.

The Article 29 Working Party Opinion identifies controllers as the entities that decide to have some personal data processed for their own purposes. It recognizes that multiple parties (such as a parent company and its affiliates or business partners) may collectively decide which data elements are needed and how they will be handled. They need not have equal voices in those decisions, and their respective responsibility and liability may be limited to their own decisions. The Working Party also concluded that a processor may have some discretion in determining “the most suitable technical and organizational means” to accomplish delegated processing, without becoming a controller.

The Opinion, in my view, supports the conclusions that many global companies have reached, that parent and affiliate companies in a group usually should be considered joint controllers of employee and customer data used for a variety of purposes within the group, and that third-party outsourcing vendors remain merely processors even if they propose and implement decisions about the means of processing, based on their expertise. When struggling with the controller/processor distinction, organizations should ask the basic questions, “who wants this personal data, and why?” as a guide to recognizing who is ultimately responsible for the data and who is merely crunching it on their behalf. Among other things, the answers to those questions will determine which set of SCCs to use for international data transfers.
 

Social Networking: Setting Boundaries in a Borderless Brave New World

The explosive growth and morphing applications of social media such as Facebook and Twitter create new opportunities and challenges for individual users, parents, employers, organizations, governments, and marketers. Where a social phenomenon has such a wide and unpredictable impact, it almost inevitably attracts a retinue of lawmakers and regulators, as well as lawyers and HR managers struggling to craft appropriate policies for employees. And given the globalization of social media, those policies have to take account of the evolving rules in multiple jurisdictions.

When I was a kid in Las Vegas, I had a “pen pal” in France. We exchanged the occasional letter, painfully translating into each other’s languages and then trying to figure out how much postage to stick on the envelope. It seems quaint now.

Thanks to Facebook, LinkedIn, and Twitter, I’ve enjoyed meeting people with similar interests and reconnecting with people I knew socially or professionally in years past, in several countries. It’s usually pretty easy to look up people as you think of them, and there’s no postage and little delay.

Those services, and an array of other social media, have become truly international. Some 15% of the world’s Internet users are American, so even successful social media operators in the US naturally look abroad to expand their increasingly monetized networks. Competing with national and regional social networks throughout the world, leading social networking providers in the US, Europe, China, and India have turned social media into a global phenomenon. To take one prominent example, US-based Facebook now translates into more than 100 languages and reported this month at InsideFacebook.com that nearly 70% of its hundreds of millions of users reside outside the United States.

Facebook aggregates users’ self-reported demographic data and sells the information to advertisers, who are understandably eager to tap the advertising possibilities of social media. In several developed countries, a third or more of the population uses Facebook, many on a daily basis.

Facebookers and other social networkers often end up sharing a large amount of personal and professional information over time with friends . . . and friends of friends, and friends of friends of friends, and ultimately with a lot of people they wouldn’t recognize across a restaurant. By some estimates, roughly a third of Facebook users ultimately divulge their home address and current employment to an unknown number of people who are perhaps not all really their friends. New York Senator Charles Schumer recently called on the Federal Trade Commission to develop guidelines for social networking sites, and the FTC has already had occasion to investigate the extent to which identity theft and fraud are attributable to bad hygiene, or bad policies, in social media.

Most of the social networking groups I belong to are professional ones, linking lawyers, business people, inventors, IT managers, academics, and government officials who share certain interests and follow developments in particular fields. Those who participate often share ideas and some personal and career information, and they sometimes comment about their own companies or organizations or the offerings of their competitors.

So, as a lawyer, it strikes me that some social networkers may be exposing themselves not only to embarrassment and unwanted solicitations but also to fraud or identity theft. They also may be setting themselves up for trouble with prospective employers, or with their current employers or business partners who feel the talkative social networker has violated confidentiality policies or nondisclosure agreements (in surveys, many large US employers acknowledge that they have fired or disciplined employees for the contents of their posts or blogs). Advertising thinly disguised as a Tweet or post may not conform to advertising rules in all the relevant states, provinces, or countries. An intemperate rant or sly aside, broadcast to a few hundred of the user’s “closest friends,” raises the potential of liability for defamation or commercial disparagement. Comments about associates or coworkers, especially in the context of social media that blur the lines between personal and professional life, may trigger sanctions under privacy and data protection laws. And thanks to the global nature of social media, the hapless social networker could conceivably run afoul of laws in multiple jurisdictions.

It’s not only the FTC that has started worrying about the dark side of social media. The Article 29 Data Protection Working Party (comprised of EU authorities and European national data protection commissioners) issued a statement this month declaring that Facebook’s new default privacy settings are dangerous. The group has also warned social media applications developers (such as FarmVille) to be careful in their handling of user data. Regulators on both sides of the Atlantic have expressed concern as well about behavioral marketing applications based on gathering information about an individual’s participation in social media.

It’s easy to over-react to the hazards of social media, of course. Some parents forbid their children from joining in (and some teens have created a “safe” MySpace page that their parents can see, while secretly maintaining a more dubious version to share with their peers). Some users decide to drop out entirely, finding the risks, or just the implied obligation to post and respond frequently, unmanageable; there is even a “Quitting Facebook” Community Page on Facebook itself. Reasonably careful social networkers simply look at the privacy policies and options and adjust their settings appropriately to their intended use – and then watch what they say about employers, competitors, and other sensitive types. Some corporations have blocked access to social networking sites from company computers and adopted policies against their employees saying, well, pretty much anything about the company or its competitors or regulators. But other companies have already designated a “director of social media” to help the organization make effective use of social networking, internally and externally.

It seems that the trend is for employers to expand their “acceptable use” policies on email and web browsing to encompass blogging and social media as well. This is a necessary step, but it is also fraught with concerns arising from labor law, privacy law, and rights of association and free expression, and the rules differ across the many jurisdictions that may be at issue.

It is possible to set some boundaries that will pass muster just about anywhere and articulate policies that guide employees toward safe and sensible use of social media. There is much to be learned in the way of evolving best practices, especially among large multinational employers. Just don’t forget to check with a knowledgeable lawyer when crafting such policies and determining how to enforce them.
 

European Court Hands Google a Keyword Victory but Warns Online Advertisers

The European Court of Justice ruled this week in cases brought against Google France by Louis Vuitton Malletier and Viaticum that Google is not liable for selling advertising keywords (Google AdWords) based on brand names to the competitors of the brand owners. However, the court noted that advertisers themselves may violate trademark and unfair competition laws if they create confusion as to the source of advertised products, and a search provider may be liable if it does not act promptly to remove abusive advertising once it becomes aware of it.

Google and other search engine providers allow advertisers to purchase advertising keywords corresponding to trademarks – potentially including those owned by their competitors. Thus, a user typing in a brand name may be presented with “sponsored links” above or to the side of the search engine results, directing the user to websites operated by companies offering directly competing products.

National courts in Europe have reached differing conclusions about the fairness of this practice. Trademark and fair trading practices laws are national, but the EU Electronic Commerce Directive (Directive 2000/31/EC) limits the liability of “intermediary service providers.” (US laws such as the Communications Decency Act and the Digital Millennium Copyright Act include some similar provisions.) The French Cour de Cassation (the highest judicial court in France) referred the question of Google’s potential liability to the Court of Justice of the European Union (commonly known as the European Court of Justice or “ECJ”), which issued an opinion this week holding that reference search providers are generally not liable for infringement because of automated keyword advertising. The court observes that the advertiser itself may violate a competitor’s trademark rights, however, if the nature of the advertising does not clearly distinguish the source of the goods or services.

The key to immunity under Article 14 of the Electronic Commerce Directive is whether the service provider’s role is “merely technical, automatic and passive.” The ECJ directed the French court to examine Google’s service in that light to determine if Google has “played an active role of such a kind as to give it knowledge of, or control over, the data stored.”

If it has not played such a role, that service provider cannot be held liable for the data which it has stored at the request of an advertiser, unless, having obtained knowledge of the unlawful nature of those data or of that advertiser’s activities, it failed to act expeditiously to remove or to disable access to the data concerned. (para. 120)

Google claims this ruling as a victory, because its AdWords program is automated and user-controlled, and Google has procedures in place to handle complaints concerning trademark violations and advertisements for counterfeit goods. Without such conditions, an online service provider selling advertising could still be exposed to liability for direct or contributory trademark infringement.

As for the advertisers who buy and use keywords based on brand names, this practice, in the ECJ’s view, does not necessarily impair the advertising value of a trademark:

[W]hen internet users enter the name of a trade mark as a search term, the home and advertising page of the proprietor of that mark will appear in the list of the natural results, usually in one of the highest positions on that list. That display, which is, moreover, free of charge, means that the visibility to internet users of the goods or services of the proprietor of the trade mark is guaranteed, irrespective of whether or not that proprietor is successful in also securing the display, in one of the highest positions, of an ad under the heading ‘sponsored links’. (para. 97)

However, the content of the ad and the website linked from the ad may violate trademark or fair trading laws if it creates confusion as to the source of goods or affiliation with the brand owner, even if this is not expressly misstated:

In the case where the ad, while not suggesting the existence of an economic link, is vague to such an extent on the origin of the goods or services at issue that normally informed and reasonably attentive internet users are unable to determine, on the basis of the advertising link and the commercial message attached thereto, whether the advertiser is a third party . . . the conclusion must also be that there is an adverse effect on that function of the trade mark. (para. 90)

Thus, the Google opinion, while helpful for search providers with automated keyword bidding programs, does not change the legal landscape for companies that advertise online. An advertiser – whether it is a reseller or a competitor – must refer to a third-party brand in a way that avoids confusion as to who the advertiser is and what it is selling. Otherwise, a court may conclude that the advertiser is unfairly trading on the reputation of another party and misleading consumers.

Similar issues arise, of course, in the use of competitors’ brand names in website metatags and in domain names. Under trademark law in the United States and other major trading nations, domain name owners and website operators must be careful not to give a false impression that they are affiliated with the brand owner or acting under its authority. It is perilous to use a third party’s brand in a domain name or metatag, where there is little opportunity to differentiate the source and avoid “initial interest confusion.” But it should be easier to avoid such confusion in the context of keyword advertising, with a little legal attention to the content of the advertising headers and text and the linked website.