
Technology's Legal Edge

A Technology, Privacy, and Sourcing Blog

European Data Protection Supervisor Issues Big Data Opinion

Posted in EU Data Protection

Written by: Robert Clark, DLA Piper UK LLP

The European Data Protection Supervisor (EDPS) has issued a preliminary opinion that addresses some of the issues and convergences in EU data protection, consumer protection and competition laws that are not up to date with the current development of big data. The EDPS aims to open the floor towards international regulators and experts in these fields to promote growth and innovation as well as consumers’ welfare, including a workshop in Brussels on 2 June 2014.

Recently there has been a huge growth in the marketing of “free” online services that require the provision of personal data in exchange, which calls for enhanced consumer protection. Also, in markets where powerful players may refuse access to personal information and apply inconsistent privacy policies, there is a need to define the standard of consumer harm and market dominance within the competition rules. The EDPS believes that these issues must be explored together with regulators and experts in this field to support consumer choice and privacy, and to stimulate the market for privacy-enhancing services in Europe.

The preliminary opinion sets out the background to the digital economy, the legal framework for data protection, competition and consumer protection and the interfaces between these areas. For more information, see the link to the preliminary opinion.


Net Neutrality in the EU – latest status

Posted in Telecoms

The European Parliament has (on 3rd April) voted (at first reading) on a legislative proposal which includes new rules on “net neutrality”[1]. The text of this is not yet available in English but this note is based on our own informal English translation.

The heart of these new rules is contained in paragraph 5 of the proposed Article 23. This says as follows (emphasis added):

Providers of internet access services and end-users may agree to limit data volumes or speeds for internet access services. Providers of internet access services shall not restrict the freedoms provided for in paragraph 1 [which provides for access to information and services across the European Union] by blocking, slowing down, altering, degrading or discriminating against specific content, applications or services, or specific classes thereof, except in cases where it is necessary to apply traffic management measures.

According to this text, then, ISPs, MVNOs and other network operators (whether fixed or mobile) would seem to be prevented from deliberately slowing or blocking specific content and preferring competing content services, unless this could be justified as “traffic management” (which is only permitted on the basis of protecting the network in a proportionate way, or where required by a court order). This would prima facie prevent what is currently the fairly common practice of some operators (especially mobile operators) of, for example, blocking some OTT (Over The Top) services like Skype or WhatsApp on their networks.

However note also the proposed text for paragraph 2 of Article 23 (emphasis added):

2. Providers of internet access, providers of electronic communications to the public and providers of content, applications and services shall be free to offer specialised services to end-users. Such services shall only be offered if the network capacity is sufficient to provide them in addition to internet access services and if they do not interfere with the availability or quality of internet access services. Providers of internet access to users shall not discriminate between functionally equivalent services and applications.

This creates an exception allowing operators to offer “specialised services” so long as they do not impact the network quality for other services. Examples might perhaps include network infrastructure investments in a parallel Content Delivery Network (CDN) in partnership with providers like Netflix. However, it is not clear what the impact of the emphasised text about “functionally equivalent” services would be – this could be read, for example, to mean that operators can’t offer a “specialised service” for Netflix content unless they also offer the same service in respect of “functionally equivalent services” like, in this case, Lovefilm (Amazon Prime Instant Video).

The result, if the text remains unchanged in its final version, is certainly very confusing. On the one hand it seems clear that operators would be permitted to set up separate classes of “specialised service”, but on the other they would not be able to do this if it amounted to discrimination between functionally equivalent services (Article 23 para 2) or if they discriminated against certain types of content (para 5). Facebook has, for example, suggested that it might like to do deals with mobile operators allowing Facebook content to be downloaded free of charge (i.e. without using up any of the data allowance of a user’s plan). Such a service might in future fall foul of the rules against “discrimination”. If so, then the scope to rely on paragraph 2 to establish a “specialised service” would seem to be very limited, other than in respect of pure quality of service measures (such as bandwidth or latency).

It is to be hoped that these issues will be clarified before the regulation reaches its final form in the coming weeks.

We have a full English translation of the whole of Article 23 – contact me for details.


[1] http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&mode=XML&reference=A7-2014-0190&language=EN (Committee report tabled for plenary, 1st reading/single reading dated 20 March 2014)

http://www.europarl.europa.eu/sides/getDoc.do?type=TA&language=EN&reference=P7-TA-2014-0281 (Decision by Parliament, 1st reading/single reading dated 3 April 2014 – not yet available in English)

EU – International data transfers from processors to processors made easier, good news for cloud providers and outsourcers

Posted in Cross-Border Transfers

By Patrick Van Eecke and Elisabeth Verbrugge

Working Party 29 issued a working document on model clauses for personal data transfers from EU data processors to non-EU sub-processors. This is an important step towards creating a more comprehensive framework for contract-based personal data transfers outside the EEA.

European data protection laws in principle prohibit the transfer of personal data to countries outside the EEA which are not deemed to offer an adequate level of protection. As only a very limited number of countries are deemed to offer such an adequate level of protection, the processing of personal data in global companies, or in a cross-border context in general, often proves to be a challenge. Indeed, transfers to such third countries are only permitted where an exception applies, or where the data controller adduces additional safeguards, e.g. by concluding a data transfer agreement. The European Commission has approved three sets of model clauses which can be used as a basis for such data transfer agreements. Subject to local notification and approval requirements, transfer agreements based on those model clauses will typically provide a sufficient legal basis for data transfers. To date, the European Commission has only approved model clauses governing “controller-to-controller” and “controller-to-processor” transfers.

However, practice demonstrates that companies are often confronted with an EU controller – EU processor – non-EU sub-processor set-up. The transfer of personal data outside the EEA only occurs in the processor – sub-processor relationship, and not in the controller – processor relationship. In such case, companies are often forced to rely on one of the exceptions permitting data transfers (which is often a challenge as the exceptions can rarely be invoked in relation to large-scale data transfers), or to create a customised data transfer agreement (which offers less legal security and/or is subject to burdensome approval processes).

We therefore welcome Working Party 29's initiative to take the first steps towards creating model clauses for processor-to-processor data transfers. Indeed, such model clauses will complement the existing model clauses framework and facilitate compliance with European data protection laws. It should, however, be noted that these draft new model clauses have not yet been adopted by the European Commission and therefore do not constitute a new official set of model clauses. Use of these new model clauses will not yet guarantee compliance with data transfer requirements. It can, however, be expected that using these draft new model clauses could facilitate approval from the local data protection authority in countries where customised transfer agreements are subject to such data protection authority approval.

For more information, contact Patrick Van Eecke (Patrick.VanEecke@dlapiper.com) or Elisabeth Verbrugge (Elisabeth.Verbrugge@dlapiper.com).

Bill of law on Internet-related matters is voted in Brazil

Posted in Cross-Border Transfers, New Privacy Laws, Privacy and Data Security

Written by Adriano Chaves and Maria Paula Souza, Campos Mello Advogados law firm (Brazil)*

The so-called “Marco Civil da Internet” (i.e. the Bill of Law 2,126/2011, which establishes a civil rights framework for the Internet) was voted and approved by the Brazilian House of Representatives (Câmara dos Deputados) this week. Now it will be submitted to the Senate (Senado). The rumor is that the Government will press the senators to vote the bill with urgency, preferably before the Global Multistakeholder Conference on the Future of Internet Governance, which will be held in Brazil on April 23 and 24, 2014.

In order to have the Bill of Law voted this week, the Executive Branch agreed to exclude the provision that would oblige Internet application providers to store data of Brazilian users on servers in Brazil. In response to alleged surveillance of Brazilians’ data, at the end of last year the Executive Branch had requested the inclusion of a “storage localization” provision; however, the proposal faced strong opposition from many industry associations, Internet players and congressmen.

Instead of a forced “storage localization” provision, the final version of the Bill of Law contains several other provisions aimed at increasing and ensuring the protection of personal data and privacy. For instance, article 11 establishes that the collection, processing or storage of records, personal data or communications by Internet connection providers and Internet application providers in Brazil will be subject to Brazilian law, even if performed by a foreign entity. The Bill also establishes specific penalties in case of violation of such provisions.

Briefly, the Bill of Law (i) establishes and confirms individual rights in the Internet environment (e.g. protection of privacy, freedom of speech and expression, protection of personal data, etc.) and principles like preservation and assurance of neutrality and participatory nature of the Internet; (ii) establishes rules regarding civil liability of intermediary parties (e.g. Internet connection providers and Internet application providers); and (iii) establishes some principles for the action of public authorities in connection with Internet issues.

The final version of the Bill of Law establishes, for instance, that the Internet connection providers are (i) obliged to keep records of the connection access logs in a safe place for one year and (ii) forbidden to keep records of application access logs or to disclose access records to third parties without the person’s consent or a judicial order. There is also a provision obliging Internet application providers that carry out their activity in an organized, professional manner, with economic purposes to keep records of application access logs in a safe place for six months.

One of the most controversial points discussed before the voting was the regulation of the principle of Internet neutrality. Despite the pressure from telecom companies, the principle was maintained. According to article 9, the person or entity responsible for transmission, switching or routing of Internet traffic is obliged to treat all data packets equally – i.e. Internet connection providers are not allowed to provide different services or data packages based on the content, origin or destination of data. Any exception to this principle will need to be regulated by the President through a Decree, after consulting with the Brazilian Internet Steering Committee and the National Telecommunications Agency (ANATEL), and may only result from (i) technical requirements essential to the adequate provision of services and applications; and (ii) prioritization of emergency services.

We cannot anticipate when Marco Civil da Internet will be finally enacted as law, but the expectation is that this will occur soon. We will follow up this voting closely.

* Adriano Chaves and Maria Paula Souza are, respectively, partner and associate with Campos Mello Advogados, an independent law firm in Brazil.

Belgium: Beware of the barking Privacy Watchdog, she’s biting

Posted in EU Data Protection, International Privacy, New Privacy Laws, Privacy and Data Security, Security Breaches

MORE ENFORCEMENT POWERS FOR BELGIAN PRIVACY COMMISSION

By Patrick Van Eecke and Julie De Bruyn (DLA Piper – Brussels)

The quiet in the Belgian privacy landscape is about to change drastically. The reason for the change of pace is the recent major data breaches that were reported by the media. The Privacy Commission announced it will establish a dedicated task force to carry out proactive audits focusing on different sectors, such as financial and insurance institutions, hospitals and other health providers, and telecom operators.

Draft Belgian legislation will grant the Privacy Commission the power to independently impose monetary fines and other sanctions, such as the blocking of access to certain databases by non-compliant companies, or the withdrawal of the permits to make use of such (public) databases. The expansion of powers would transform the Privacy Commission from passive bystander to an actual ‘Privacy Police’.


European Parliament passes the Data Protection Regulation

Posted in EU Data Protection

Written by: Emma Thomas

In a vote today, the European Parliament has given its formal approval to its version of the new European Data Protection Regulation. With 621 votes for, 10 against and 22 abstentions, the path is now set for the next phase of negotiation and agreement concerning the proposals.

Although many groups will be pleased with the outcome, there remains concern in the business community on the practical implications of implementing the text in its current draft form. The process of determining the final framework of the reform is now dependent upon agreement being reached at Council level, with Member States still seemingly far away from a consolidated approach. Outstanding issues include the approach to third country data transfers, the use of automated profiling, the obligations of the controller and processor and the concept of the ‘one-stop-shop’, amongst others.

The objective which has now been set in the European Union is to seek agreement at Council level before the Ministerial meeting scheduled in June 2014, with a view to establishing a common position at this point. By keeping to this timetable, the process of the trilogue negotiation between the three EU institutions can commence to find an agreed approach to the new legal framework after the summer recess period this year.

Review related prior entries:

EU Member State Leaders Vote to Delay Adoption of New Data Protection Framework  (Oct. 25, 2013)

EU Data Protection Regulation: Do you move data across borders? New EU Amendments (Oct. 23, 2013)


DLA Releases Global Prize Promotions Across the World Handbook

Posted in Uncategorized

Our global Advertising Group is pleased to present the 2014 edition of our Prize Promotions Across the World Handbook, covering 20 jurisdictions.

The Handbook introduces some of the key requirements surrounding prize promotions, from the management of the early stages to issues which are potentially problematic.

To access the Handbook, please click here.

For more information please contact Siân Croxon, Claire Bailey, Scott Pink or Richard van Schaik.

Contract Drafting Tip

Posted in Technology and Commercial

The next time you review a contract that refers to a “breaching party” and a “non-breaching party” in the ‘Termination for Breach’ section, keep in mind a recent California case, Power Technology v. Tessera. In that case, Tessera had breached the parties’ contract. Powertech was also in breach of the contract as it had stopped paying royalties. When Powertech tried to terminate, the court decided Powertech was not itself a “non-breaching party” and therefore couldn’t terminate the agreement.

The clause at issue read: “Either party may terminate this Agreement due to the other party’s breach of this Agreement…however, the non-breaching party may terminate this Agreement if such breach is not cured or sufficiently mitigated (to the non-breaching party’s satisfaction) within sixty (60) days of notice thereof.”

If you already have this formulation in your contracts, the obvious take-away is to make sure that you are not in breach of the agreement before you try to terminate it. If you are drafting a new contract or amending an existing one, an easy fix would be to change the words “the non-breaching party” to “the other party.”


FRANCE: The CNIL adopts new rules on whistleblowing, simplifying significantly hotline implementation in France

Posted in EU Data Protection, International Privacy

In a decision published on February 11, 2014, the French Data Protection Authority (CNIL) has for the first time adopted truly sweeping changes to its Single Authorization No. 004 on Whistleblowing.

The CNIL has vastly simplified formalities for most employers by allowing companies that are not subject to Sarbanes-Oxley Section 301(4) to be eligible to self-certify their hotline compliance under the Single Authorization. The CNIL has enlarged considerably the scope of permissible whistleblowing subjects to include workplace discrimination, harassment and safety, as well as environmental protection. The CNIL has also modified its requirements for anonymous hotline reports.

Historically, the CNIL has been exceptionally circumspect about whistleblowing. The enactment of Sarbanes-Oxley (SOX) in 2002, a consequence of the Enron scandal that unfolded in the U.S. in 2001, required publicly-listed U.S. companies and their French subsidiaries to set up anonymous whistleblowing hotlines. The CNIL took the position that anonymous whistleblowing hotlines were not proportionate to their purported purpose and created risks that employees would be slandered. These opposing viewpoints put publicly-owned U.S. groups with French subsidiaries between the proverbial “rock and a hard place”, essentially ensuring those groups would have to choose between violating SOX or violating French data protection law.

In 2005, the CNIL found a solution by adopting Single Authorization No. 004, providing a blanket authorization for whistleblowing systems that adhere to a strict set of conditions set forth by the CNIL. Among those conditions: Being subject to SOX Section 301(4), and limiting the scope of permissible reportable subjects to SOX requirements, e.g., accounting irregularities, as well as finance, banking and anti-bribery violations. Single Authorization No. 004, like all CNIL Single Authorizations, also had the critical advantage of allowing employers to self-certify, in a short and simple form, their compliance with the conditions set forth by the CNIL. Hotlines not meeting those conditions require a specific authorization from the CNIL (a much more complicated and lengthy process).

In 2010, partially as a response to increasing specific authorization requests, the CNIL expanded Single Authorization No. 004 to include companies governed by Japanese SOX, and subjects related to competition (anti-trust) violations.

With whistleblowing hotlines gaining credibility as a necessary element of an effective compliance program, there has been an explosion in the number of specific authorization requests for whistleblowing hotlines: almost 100 hotlines were authorized by the CNIL in 2012 and 2013. This number should decrease in 2014 because the revised Single Authorization No. 004 will apply far more broadly than its predecessors. The CNIL has also clarified requirements for anonymous reports, providing that persons filing reports must identify themselves, but that a report from a person who wishes to remain anonymous can be accepted if the seriousness of the alleged facts is demonstrated, if those facts are sufficiently detailed, and if the report is processed with additional precautions such as a preliminary examination by a sole reviewer.

EUROPE: EU Commissioner Reding introduces her Eight Principles of Data Protection

Posted in EU Data Protection

By Patrick Van Eecke

On Data Protection Day, EU Commissioner Viviane Reding introduced the so-called “Data Protection Compact”, her 8 principles of Data Protection that should govern the way personal data is processed by the public and the private sector.

Principle 1: Europe must establish a robust Data Protection legal framework that can be the gold standard for the world. Otherwise others will move first and impose their standards on Europe.

Principle 2: The Data Protection legal framework should not distinguish between the private and the public sector. Citizens would simply not understand a split in times when the public sector collects, collates and sometimes even wants to sell private data.

Principle 3: Drafting data protection rules requires public debate because they relate to civil liberties online. Data protection should be the subject of a public information campaign leading to joint discussions between citizens, civil liberties groups, companies and governments.

Principle 4: Blanket surveillance of electronic communications data is not acceptable. Data collection for surveillance purposes should be targeted and be limited to what is proportionate to the objectives that have been set.

Principle 5: Laws need to be clear and laws need to be kept up to date. It cannot be that States rely on outdated rules, drafted in a different technological age, to frame modern surveillance programmes. Such laws give citizens little or no idea about what is actually going on.

Principle 6: National security should be invoked sparingly. It should be the exception, rather than the rule. The need to protect national security can justify special rules. But not everything that relates to foreign relations is a matter of national security. It undermines the legitimacy of laws that are vital for our security.

Principle 7: Judicial oversight is necessary to ensure that the pendulum does not swing too far. Executive oversight is good. Parliamentary oversight is necessary. Judicial oversight is key.

Principle 8: Data Protection rules should apply irrespective of the nationality of the person concerned. Applying different standards to nationals and non-nationals makes no sense in view of the open nature of the internet.

Should you have any further questions regarding the above, please contact Patrick Van Eecke (patrick.van.eecke@dlapiper.com).
