The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



Toward a Mandatory Requirement for EU Business Organizations to Notify of Data Security Breaches

Viviane Reding, Vice-President of the European Commission, spoke on Monday at the Data Protection and Privacy Conference of the British Bankers’ Association in London.

Ms. Reding acknowledged that the current EU legal framework protecting personal data may no longer be appropriate to a world which has changed much since 1995 (when Directive 95/46/EC, the data protection Directive, was first published), as individuals “leave digital traces with every move [they] make.” The European Union now “needs a more comprehensive and more coherent approach in its policy for the fundamental right to personal data protection.”

Businesses must also play their part. The way they collect, process, store, and use personal data must become more transparent than it is right now. Ms. Reding alluded to the recent Sony PlayStation Network data breach, which affected some 70 million users worldwide, whose personal information (name, address, email, and birth date) was compromised. According to Ms. Reding, “this incident highlights why companies need to reinforce the security of the information they hold. Frequent incidents of data security breaches risk undermining consumers’ trust in the online economy.”

Companies must better protect personal data against security breaches and identity theft. Ms. Reding stated that “they should immediately notify breaches of data security and confidentiality” and that she intends to introduce a mandatory requirement for business organizations to notify data security breaches.

As of today, Directive 2009/136/EC, which introduced mandatory data breach notification into the EU legal framework, imposes the requirement to report data breaches only on providers of publicly available electronic communications services. Other business organizations, however, do not have to report them.

This is likely to change soon, as Ms. Reding wants to introduce this requirement for all sectors, including banking and financial services. She expressed hope that “[i]t would … create a stronger incentive for business to conduct serious risk assessments to protect personal data and to implement the appropriate security measures protecting the confidentiality, the integrity and the availability of personal data.”

Changes are ahead, as new EU data protection legislation proposals should be finalized in the upcoming months.



Article 29 Working Party Adopts Opinion on Geolocation Services on Smart Mobile Devices

The Article 29 Working Party (Article 29 WP), an independent European advisory body on data protection and privacy, adopted on May 16 its “opinion 13/2011 on Geolocation services on smart mobile devices” to clarify the legal framework applicable to the three main geolocation infrastructures: GPS, GSM base stations (antennas), and WiFi. The opinion provides short but clear explanations of these three technologies.

How personal data stored on smart mobile devices can be collected

The explanation of what WiFi is makes particularly interesting reading, as it explains why WiFi access points can be used as a source of geolocation, and how their location can be calculated. That technology is not without privacy risks, as the MAC address (unique identifier) of a WiFi access point can be collected by broadly recording all WiFi frames transmitted by access points, “which can lead to the collection of data exchanged between access points and the devices connected to them” (p. 6).

Behavioral patterns

Geolocation service providers may be able “to gain an intimate overview of habits and patterns” of the owner of a smart mobile device, such as sleep patterns (when the user does not use the device), where the user works (he drives every day around 9:00AM to the Acme Inc. building), health issues (all these visits to the hospital!), religious affiliation (regular visits to a place of worship), or even sex life (regular visitor of a certain pink store at the edge of town). Such patterns can then be turned into profiles, which are of great interest to companies. Indeed, the Article 29 WP points out in the introduction of the document that, “[i]n general, the value of information increases when it is connected to a location,” and that all kinds of information may be connected to a location, including health or financial data (p.3).

European Legal Framework

The relevant legal framework is Directive 95/46/EC, the data protection directive, because of its broad scope: it applies to every case where personal data is processed. Its article 2(a) defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”

The Article 29 WP points out that there are many available means to identify an individual, as people disclose more and more personal location data, whether voluntarily or not, and thus it is now easier to “link a location or behavioural pattern to a specific individual” (p.10).

However, even if identifying an individual by combining the MAC address of a WiFi access point with its calculated location would require “unreasonable effort,” this does not preclude concluding that such data is personal. Therefore, “the data controller should treat all data about WiFi routers as personal data” (p.11). Looking beyond geolocation issues for a moment, could that mean that the WP29 would consider anonymized data as personal, even if de-anonymizing it would require “unreasonable effort”?

Directive 2002/58/EC, the e-privacy Directive, only applies to processing of base station data by telecom operators (p. 8). Indeed, its article 2(c) provides a definition of “location data” as “any data processed in an electronic communications network or by an electronic communications service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service.”

If a company provides “location services and applications based on a combination of base station, GPS and WiFi data,” it is an information society service company. Such a company is explicitly excluded from the scope of the e-privacy directive, and “[t]he e-Privacy directive does not apply to the processing of location data by information society services, even when such processing is performed via a public electronic communication network” (p. 9).

Even though this opinion does not assess web 2.0 geotagging technology (p.4), networking sites “enabling the (further) processing of location data” have the “important responsibility” to decide which default settings they offer to their users.

User consent

Telecom operators need to obtain the prior consent of the user before using base station data, and the user must be informed about the terms of data processing (p.14). Also, because of the sensitivity of location data, information society services companies must likewise obtain prior consent from their customers before processing such data, and that consent must be given “freely” pursuant to article 2(h) of the data protection Directive. However, a default setting allowing such processing “should not be mistaken for freely given consent” (p.14).

Data subject rights

Data subjects have the right not only to access their location data, but also the profile based on this data:

Data subjects have a right to obtain from the different controllers access to the location data they have collected from their smart mobile devices, as well as information on the purposes of the processing and the recipients or categories of recipients to whom the data are disclosed. The information must be provided in a human readable format, that is, in geographical locations, instead of abstract numbers of for example base stations.

Data subjects also have a right to access possible profiles based on these location data. If location information is stored, users should be allowed to update, rectify or erase this information. (p.18)



The European Data Protection Supervisor on data breaches, data portability, and the right to be forgotten

The European Data Protection Supervisor (EDPS) published last month an opinion on the European Commission’s Communication reviewing the EU legal framework for data protection. It discusses, among other topics, the introduction of personal data breach notification into EU law. The EDPS also declares itself in favor of introducing the right to data portability and the right to be forgotten into the EU legal framework.

The new legal framework must support an obligation to report security breaches

The EDPS supports the extension of the security breach reporting obligation currently included in the revised ePrivacy Directive, as proposed in the Commission’s Communication.

As of now, the revised ePrivacy Directive only requires providers of electronic communication services to report security breaches; no other data controllers are covered by the obligation. The EDPS notes that “[t]he reasons that justify the obligation fully apply to data controllers other than providers of electronic communication services.” (§75)

Indeed, “[s]ecurity breach notification serves different purposes and aims. The most obvious one, highlighted by the Communication, is to serve as an information tool to make individuals aware of the risks they face when their personal data are compromised. This may help them to take the necessary measures to mitigate such risks,” such as changing passwords or canceling their accounts. (§76) Also, these notifications “contribute (…) to the effective application of other principles and obligations in the Directive. For example, security breach notification requirements incentivize data controllers to implement stronger security measures to prevent breaches,” and thus enhance data controllers’ accountability. Such notifications also serve as a tool for enforcement by Data Protection Authorities (DPAs), as a notification may lead a DPA to investigate the overall practices of a data controller. (§76)

The new legal framework must support data portability and the right to be forgotten

The Communication vowed that the Commission would examine ways of complementing the rights of data subjects “by ensuring ’data portability’, i.e., providing the explicit right for an individual to withdraw his/her own data (e.g., his/her photos or a list of friends) from an application or service so that the withdrawn data can be transferred into another application or service, as far as technically feasible, without hindrance from the data controllers.” (Communication, p.8)

According to the EDPS, “Data portability and the right to be forgotten are two connected concepts put forward by the Communication to strengthen data subjects’ rights.” (§83) As “more and more data are automatically stored and kept for indefinite periods of time,” the data subject has very limited control over his personal data. The Internet has a “gigantic memory.” (§84) Also, “from an economic perspective, it is more costly for a data controller to delete data than to keep them stored,” and thus “[t]he exercise of the rights of the individual therefore goes against the natural economic trend.” (§84)

“Both data portability and the right to be forgotten could contribute to shift the balance in favour of the data subject” by giving him more control over his information. The right to be forgotten “would ensure that the information automatically disappears after a certain period of time, even if the data subject does not take action or is not even aware that the data was ever stored.” (§85) This “right to be forgotten” would ensure that personal data are deleted and at the same time it would be prohibited to “further use them, without a necessary action of the data subject, but at the condition that this data has been already stored for a certain amount of time. The data would in other words be attributed some sort of expiration date.” (§88)

This new “right to be forgotten” should be connected to data portability. (§89) Data portability is “the users’ ability to change preference about the processing of their data, in connection in particular with new technology services.” (§86) “Individuals must easily and freely be able to change the provider and transfer their personal data to another service provider.” (§87)

The EDPS considers that existing rights “could be reinforced by including a portability right in particular in the context of information society services, to assist individuals in ensuring that providers and other relevant controllers give them access to their personal information while at the same time ensuring that the old providers or other controllers delete that information even if they would like to keep it for their own legitimate purposes.” (§87)

Whether the right to be forgotten online will become part of the EU data protection framework remains to be seen. However, several EU countries recognize, or plan to recognize soon, such a right. Google argued last month in a Spanish court that deleting search results in order to respect the country’s right to be forgotten “would be a form of censorship.” France is considering recognizing such a right as the French Congress is in the process of implementing the revised ePrivacy Directive. As the deadline for implementing the directive, May 25, 2011, approaches, it will be interesting to see how many Member States actually add the right to be forgotten to their legal systems.



The UK Information Commissioner’s Office Issues First Fines Under the Data Protection Act.

The UK Information Commissioner’s Office (“ICO”) used its new power to issue monetary penalty notices for the first time last week in response to two serious breaches of the UK Data Protection Act (“DPA”), one involving misdirected faxes and the second the theft of a laptop.
 
Since April 6, 2010, the ICO has had the power to issue a fine of up to £500,000 if a data controller commits a serious violation of the DPA which (1) is likely to cause substantial damage or distress, and (2) was either deliberate, or the data controller knew or should have known there was a risk that a violation could occur and failed to take reasonable steps to prevent it. The first prong can be met merely by showing that substantial damage or substantial distress is likely, and the ICO has taken the position that “distress” means “any injury to feelings, harm or anxiety suffered by an individual.” Thus, as these two cases demonstrate, careless mistakes coupled with a lack of reasonable procedures or reasonable technological protections can lead to significant fines, even if actual harm does not occur.
 
In the first case, the Hertfordshire County Council was fined £100,000 for two violations of the DPA where council employees in its Childcare Litigation Unit accidentally faxed highly sensitive information to the wrong recipients. The first fax was sent without a cover sheet containing instructions on what the recipient should do if the fax was misdirected. It contained confidential and sensitive personal data of seven individuals related to a child sexual abuse case and was sent to a member of the public, who reported the fax to the Council and the ICO. In response, the Council obtained a court injunction to prevent disclosure of the details in the fax. The second fax, sent by a different employee within two weeks of the first, was sent to a barrister’s chambers instead of a court, and contained confidential and sensitive personal data of 18 individuals related to care proceedings of three children, including names and birthdates, records of domestic violence, and the opinions of care professionals regarding matters such as the adults’ personal relationships and ability to care for children. This time the fax was sent with a cover sheet, and a clerk in the barrister’s chambers which received the fax contacted the Council and confirmed that the fax had been destroyed without being read.
 
The Hertfordshire County Council voluntarily reported both incidents to the ICO and worked with it to improve its processes for sending faxes containing highly sensitive information. Despite this, and despite the fact that there is no indication that the misdirected faxes led to actual damage or distress, the ICO ruled that the £100,000 fine was appropriate because (1) the Council’s procedures failed to stop two serious breaches where access to the data could have caused substantial damage and distress, and (2) after the first breach occurred, it failed to take sufficient steps to reduce the likelihood of another breach.
 
The second case involved the theft of an unencrypted laptop from the home of an employee of A4e Limited, and resulted in a fine of £60,000. A4e operates community legal advice centers in two UK cities and provides laptops to employees to work at home or remotely. The stolen laptop contained sensitive information on approximately 24,000 individuals who had used the advice centers, including full names, dates of birth, postcodes, employment status, disability status, ethnicity, income level, information about alleged criminal activity and whether an individual had been a victim of violence. Although A4e was aware of the risk of issuing unencrypted laptops to its employees for use outside of the office and had started a program to roll out encryption, the stolen laptop was unencrypted and protected only by a password. A4e reported the breach to the ICO and notified the individuals whose data may have been accessed. The ICO ruled that the £60,000 fine was appropriate because (1) access to the data could have caused substantial distress and substantial damage; and (2) issuing the employee an unencrypted laptop was unreasonable given the type and amount of data that would be processed on it.
 
Links to PDFs of the ICO’s monetary penalty notices for both cases are on its website.



European Commission Announces Overhaul of Privacy Laws

On November 4, 2010, the European Commission (“Commission”) released proposed revisions to the European Union’s (“EU”) Data Protection Directive.  The purpose of the Commission’s proposed revisions is to “set out a strategy on how to protect individuals’ data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU.”  Key recommendations include:

  • Requiring entities that collect consumers’ personal information to inform consumers “in a clear and transparent way” about how their data will be used;
  • Providing consumers the “right to be forgotten” by allowing consumers to fully delete digital information, such as social networking profiles, upon request or after there is no longer a legitimate purpose to retain the data;
  • Ensuring consumers are guaranteed data portability, which would allow a consumer to transfer his or her personal data (e.g., e-mail lists, photos, documents) from one application or service to another application or service without hindrance from the data controllers;
  • Requiring entities that experience a data breach affecting personal information to notify individuals whose information is compromised;
  • Strengthening penalties for violations of the EU’s privacy rules, such as imposing criminal penalties for serious law breaches and allowing data protection authorities and civil society associations to bring an action for violations of data protection provisions before the national courts; and
  • Expanding the role of the EU’s Article 29 Working Party—a committee comprised of data protection authorities from the EU’s 27 member states—to help ensure that EU privacy laws are applied consistently across member countries.

Businesses, privacy advocates, and other interested parties can submit comments regarding the Commission’s proposed privacy law changes until January 15, 2011.  More information regarding the Commission’s proposed revisions can be found in the Commission’s press release announcing its changes.



Online Behavioral Marketing, Interception of Communications, and the European Union e-Privacy Law

The European Union Commission has decided to refer the United Kingdom to the European Union Court of Justice for not fully implementing rules laid down in both Directive 2002/58/EC (the “ePrivacy Directive”) and Directive 95/46/EC (the “Data Protection Directive”). Under European Union law, a Directive is not directly enforceable, but must be implemented by each Member State in its national legislation. A directive is binding, however, as to the result to be achieved.

British Telecom admitted in 2008 that it had carried out in 2006 and 2007 secret testing of Webwise, a behavioral advertising technology developed by Phorm. Webwise tracked and constantly analyzed users’ Internet activity to determine their interests in order to provide them with targeted advertising.

Users complained about what they thought were unlawful interceptions of communications. They complained to the Information Commissioner’s Office (ICO), which is the UK’s independent authority on personal data protection, and to the police.

The EU Commission inquired into the UK government’s action in response to these complaints. It grew concerned that the EU data protection laws protecting the confidentiality of communications, by prohibiting interception and surveillance without users’ consent, had not been adequately implemented by the UK.

Recital 24 of the ePrivacy Directive states that the use of devices which can be used to gain access and store information located on terminal equipment of users of electronic communications networks is allowed only “for legitimate purposes, with the knowledge of the users concerned.”

Article 5(1) of the ePrivacy Directive requires Member States to ensure, through national legislation, the confidentiality of electronic communications. They must prohibit listening, tapping, storage or other kinds of interception or surveillance of communications, unless the users consent to it.

Under the UK Regulation of Investigatory Powers Act of 2000 (RIPA), it is a crime to intercept communications intentionally. It is legal, however, to intercept a communication if the interceptor has “reasonable grounds for believing” that consent to intercepting has been given.

RIPA thus does not comply, in the Commission’s view, with the definition of “data subject’s consent” set out by article 2(h) of the Data Protection Directive as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” Article 7(a) of the Data Protection Directive states that the data subject must have given his consent “unambiguously.”

The Commission also considered that UK law does not comply with EU rules on enforcement by supervisory authorities, as the UK does not have an independent national supervisory authority supervising the interception of communications.

The Commission has the power to commence an infringement proceeding against a Member State which it believes infringes EU law. The Commission opened an infringement proceeding against the UK in April 2009 by sending a letter of formal notice, which is the first stage of an infringement proceeding. The Commission, not satisfied by the UK’s response to the letter of formal notice, moved to the second stage of the infringement proceeding in October 2009 by announcing it would send the UK a reasoned opinion on the matter.

The Commission found the reply to the reasoned opinion unsatisfactory, and referred the case to the Court of Justice this last September. If the Court of Justice establishes an infringement, the UK will be required to take the necessary measures to comply with the judgment.

It will be interesting to follow how the EU Court of Justice will decide this case. Could it be possible that online behavioral advertising programs would be considered unlawful interception of communication, if users do not consent to it?

The issue of Internet users’ consent is hotly debated right now in the UK. Should users consent to cookies being stored on their computers? Directive 2009/136/EC, nicknamed the “cookie directive,” entered into force on December 19, 2009, and must be transposed by Member States by May 25, 2011. Recital 66 of the Directive states that “users must be provided with clear and comprehensive information when engaging in any activity which could result in storing or gaining of access [to their equipment].” The new article 5(3) of the ePrivacy Directive, as amended by the “cookie directive,” requires a user’s consent before storing cookies, after the user has been provided “with clear and comprehensive information.” How Member States will implement this requirement, and how the European Court of Justice will rule in the Phorm case, will be watched closely in the coming months by online behavioral marketers.



Global Privacy Enforcement Authorities Launch Cooperative Network and Website

The United States Federal Trade Commission ("FTC") recently joined forces with privacy authorities from eleven other countries to launch the Global Privacy Enforcement Network ("GPEN"), which aims to promote cross-border information sharing and enforcement of privacy laws. On September 21, 2010, GPEN unveiled its new website, https://www.privacyenforcement.net/, designed to educate the public about the network. The GPEN website, which is supported by the Organization for Economic Co-Operation and Development ("OECD"), provides guidelines and application instructions for government agencies interested in participating in GPEN. It also sets forth GPEN’s action plan and mission of “sharing information about privacy enforcement issues, trends and experiences; participating in relevant training; cooperating on outreach activities; engaging in dialogue with relevant private sector organizations on privacy enforcement and outreach issues; and facilitating effective cross-border privacy enforcement in specific matters by creating a contact list of privacy enforcement authorities interested in bilateral cooperation in cross-border investigations and enforcement matters.”

In his remarks about the network, which was officially launched in March, FTC Chairman Jon Leibowitz stated that “to protect consumers’ privacy in today’s global economy, all of us who work in law enforcement around the world need to cooperate with each other. We at the FTC are looking forward to working closely with our colleagues overseas to make this happen.”



Fallout for Google from the Street View Data Collection

The number of Google searches about Google must have dramatically increased in the past few weeks as a result of Google’s announcement that its Street View cars had collected “payload data.” Google’s aptly-named Street View cars take photographs to create a street map with eye-level photographs. While driving the streets of numerous countries, the cars were also collecting the names and locations of wireless networks to improve applications that provide location information, such as GPS functionality on smartphones.

This new information revealed that Google had collected not just the names and locations of wireless networks, but also information sent over unsecured wireless networks, which is called payload data. Google has said that the collection of payload data was unintentional and the result of software code mistakenly included in the Street View cars’ program. Google also noted that, because the cars are on the move and the software that the cars use rapidly changes channels, it is unlikely that Google captured anything more than fragments of data.

UK Regulator Approves Hyatt Hotels BCR – First Approval under the Mutual Recognition Procedure

On September 23, 2009, the Information Commissioner’s Office (the "ICO"), the UK’s data protection regulator, issued a press release announcing the approval of the Hyatt Hotels Corporation’s binding corporate rules ("BCR") under the new mutual recognition procedure. Hyatt is the first UK applicant to receive approval under the mutual recognition procedure.

Mutual recognition was devised to speed up the process of BCR approval by EU Data Protection Authorities ("DPAs"). Under "mutual recognition," one EU Member State’s DPA acts as the lead authority on a company’s BCR application. Once approved by the lead authority, the other participating members of the procedure automatically approve the BCR application.

To review the ICO’s approval, click here.  To read more about BCRs and the mutual recognition procedure, click here and here.