Posted in: Cybersecurity, Privacy and Data Security

Presidential Commission Issues Recommendations for Improving Public and Private Sector Cybersecurity

Written by James Duchesne

The President’s Commission on Enhancing National Cybersecurity (the “Commission”) recently issued a thoughtful report on improving the United States’ cybersecurity posture. (The full report can be read here.) The majority of the Commission’s recommendations would require action by the Trump Administration but may nonetheless prove influential. The Commission was charged under President Obama’s February 2016 Executive Order 13718 with “mak[ing] detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions” and enhancing partnerships between the private sector and all levels of government.

As part of its cybersecurity study, the Commission conducted several open meetings and issued a request for information. The Commission also analyzed previous federal agency and legislative cybersecurity reports and initiatives, although it found that many of these previous reports’ recommendations were unrealistic. The Commission focused its study on ten topics: federal governance; critical infrastructure; cybersecurity research and development; cybersecurity workforce; identity management and authentication; Internet of Things (IoT); public awareness and education; state and local government cybersecurity; insurance; and international issues.

In preparing its recommendations, the Commission analyzed cybersecurity issues through a set of principles that are useful for any organization when considering cybersecurity issues. Some principles include:

  • Responsibility, authority, capability and accountability for cybersecurity and cyber risk management should be explicit and aligned within an enterprise’s risk management and governance strategy.
  • Effective cybersecurity depends on consumer and workforce awareness, education, and engagement in protecting their digital experience.
  • Technologies and products should make the secure action the easy option, since users continue to rely on defaults and human behavior tends to follow the “easy” option.
  • Security, privacy, and trust must be primary considerations at the outset when new cyber-related technologies and policies are conceived.

The Commission identified a number of hurdles that create challenges—in both the public and private sectors—to implementing effective cybersecurity measures.

  • First-to-market pressures. The drive to bring products to market quickly often leads to cybersecurity being an afterthought. While security features may be added later through product updates, the result is a lower level of security than in products for which security was integrated into product development.
  • Flexible and mobile work environments introduce cyber risk. The myriad devices that now connect to an organization’s network, from employees’ personal mobile devices to vendors’ devices, hamper an enterprise’s ability to protect its networks. As the Commission stated, “[T]he classic concept of the security perimeter is largely obsolete.”
  • Many organizations and individuals fail to implement basic security measures.
  • Complexity creates vulnerabilities. As the size and complexity of software and devices and their supply chains grow, so too does the number of vulnerabilities. Systems and software must be managed and updated, which becomes difficult as the environment expands, especially with legacy systems and even with new systems, such as IoT devices.

The Commission organized its findings and recommendations into six issue areas. The areas and some of the key recommendations under each follow.

1.  Protect, defend, and secure today’s information infrastructure and digital networks:

  • The public and private sectors must collaborate to protect networks and infrastructure. The Commission recommends the creation of a National Cybersecurity Private-Public Program to define the cybersecurity roles of the respective sectors, share classified information, and conduct and improve training. The federal government should build on and improve its information sharing programs and should work with industry to identify statutes, rules, and policies that discourage the private sector from sharing cyber information (e.g., FOIA, use in civil discovery or regulatory enforcement action, waiver of attorney-client privilege). The new administration should build on the NIST Cybersecurity Framework, and regulatory agencies should harmonize their regulations with the Cybersecurity Framework (which would both simplify and enhance cybersecurity compliance).

2.  Innovate and accelerate investment for the security and growth of digital networks and the digital economy:

  • The federal government and private sector partners should work together to improve security in IoT devices, such as through the creation of voluntary standards, which agencies should consider when undertaking rulemakings. Federal agencies should initiate an interagency study to evaluate “the current state of the law with regard to liability for harm caused by faulty IoT devices and provide recommendations” to incentivize companies to design secure products.

3.  Prepare consumers to thrive in the digital age:

  • The private sector should work with the FTC to identify ways to provide consumers, through a public awareness campaign, with better information so consumers can make informed decisions when purchasing and using connected products and services. This campaign should be coupled with security improvements in devices and systems. The Commission recommends an independent organization develop a “cybersecurity nutrition label” for technology products and services. The FTC, working with industry and consumer advocates, should develop a Consumer’s Bill of Rights and Responsibilities for the Digital Age that would improve consumer education, clarify privacy protections and how information is used, and identify products’ security attributes.

4.  Build cybersecurity workforce capabilities:

  • The federal government should launch a national cybersecurity workforce program to train new cybersecurity practitioners.

5.  Better equip government to function effectively and securely in the digital age:

  • Federal civilian agencies should be allowed to consolidate and share network connections while moving to an enterprise risk management approach for handling cybersecurity. Government at all levels must clarify cybersecurity mission responsibilities across departments and agencies to protect, defend against, respond, and recover from cyber incidents; to accomplish this, the next administration should issue a National Cybersecurity Strategy while Congress should consider consolidating cybersecurity and infrastructure protection functions under a single federal agency.

6.  Ensure an open, fair, competitive, and secure global digital economy:

  • The Administration should work with the international community to harmonize cybersecurity policies and practices. The next administration should appoint an Ambassador for Cybersecurity to engage the international community on cybersecurity issues. NIST and the Department of State should work with international partners to develop cybersecurity standards and to promote the NIST Cybersecurity Framework’s risk management approach.

Most of these recommendations are both thoughtful and non-ideological. It remains to be seen whether the Trump Administration will embrace them, although they sketch out many areas for potential progress. The recommendations also make interesting reading for private sector businesses with regard to strategies to improve cybersecurity at the federal level as well as on private sector networks, products and services.

Posted in: Data Transfers, EU Data Protection, Privacy and Data Security

EU – First GDPR Guidance published by Article 29 WP

The Article 29 Working Party (‘WP29’) has issued its first guidance on GDPR topics. This guidance (including FAQs) relates to:

  • the right to Data Portability;
  • Data Protection Officers (DPO); and
  • the Lead Supervisory Authority.

While WP29 announced that more opinions and guidance will follow – for example, guidelines on Data Protection Impact Assessments and Certification will be ready in 2017 – the first three guidelines already provide a first glimpse of WP29’s view on GDPR topics.

Guidelines on the right to Data Portability

Article 20 GDPR creates a new right to data portability. This right aims at empowering data subjects regarding their own personal data, as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another. The WP29 opinion provides guidance on the way to interpret and implement the right to data portability. It clarifies the conditions under which this new right applies and also provides concrete examples and criteria to explain the circumstances in which this right applies.

From this opinion it appears for example that:

  • this right is only applicable if the legal basis of the data processing is the data subject’s consent or the necessity to perform a contract;
  • this right is limited to personal data provided by the data subject (including personal data that relate to the data subject activity or result from the observation of an individual’s behaviour but not subsequent analysis of that behaviour);
  • data controllers must inform the data subjects regarding the availability of the new right to portability (e.g., WP29 recommends that data controllers always include information about the right to data portability before any account closure);
  • data controllers are encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.

The WP29 Guidelines on Data Portability can be found here.

Guidelines on Data Protection Officers

Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. From the WP29 guidelines it becomes clear that DPOs are not personally responsible in case of non-compliance with the GDPR.

WP29 also provides some further details and concrete examples on when a DPO must be appointed. For example, it states that ‘core activities of the controller or processor’ (which trigger the appointment of a DPO as set out in Article 37 GDPR) refers to the key operations necessary to achieve the controller’s or processor’s goals, which can also be part of other activities (e.g., a hospital processing patient data).

Article 37 GDPR does not require that the DPO be someone working within the controller or processor; the DPO can also be a third party. However, WP29 does state that the ‘personal availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential’ in order to ensure that data subjects will be able to contact the DPO.

WP29 states that the DPO should be involved in all issues relating to the protection of personal data, from the earliest stage possible.

In its guidelines, WP29 further defines the (independent) position and tasks of the DPO.

The WP29 guidelines on the DPO can be found here.

Guidelines on the Lead Supervisory Authority

In its third opinion, WP29 provides guidelines for identifying a controller or processor’s lead supervisory authority. This topic is relevant where a controller or processor is carrying out the cross-border processing of personal data.

In accordance with Article 56 GDPR, WP29 states that identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU. In principle, for the controller this will be the place of its central administration. However, WP29 makes it very clear that there can be situations where more than one lead authority can be identified, for example where a controller has separate decision-making centres, in different countries, for different processing activities. The example given by WP29 relates to a bank whose banking decisions are made in one jurisdiction, where its HQ is also based, but whose insurance division is based in another jurisdiction. In that case, there are two lead supervisory authorities.

In its guidelines, WP29 provides further criteria on how to identify the main establishment in cases where it is not the place of central administration in the EU.

Controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.

The WP29 Guidelines on the Lead Supervisory Authority can be found here.

Posted in: Cybersecurity

U.S. Financial Regulators Propose Sweeping New Cybersecurity Regulations

Written by Sydney White

The U.S. Board of Governors of the Federal Reserve System, the U.S. Office of the Comptroller of the Currency (OCC) and the U.S. Federal Deposit Insurance Corporation (the “Agencies”) released an Advance Notice of Proposed Rulemaking (“ANPR”) on October 20, requesting comments by January 17, 2017, on enhanced cybersecurity risk management rules for the financial sector, particularly companies that are interconnected with other industries.

The ANPR proposes to apply new and enhanced cybersecurity standards to a giant swath of financial services companies and service providers. The proposal is targeted at U.S. financial sector companies with $50 billion or more in assets, or the U.S. operations of a foreign banking organization where the total U.S. assets are $50 billion or more. The ANPR is also targeted at companies whose interconnectedness could result in systemic risk to the financial sector or risk of cybersecurity exposure to external stakeholders. These larger companies would be subject to stringent “sector-critical standards.” In addition, the ANPR would apply not only to large banks but also to regional banks, credit card companies offering checking or savings accounts, large insurers, transaction clearinghouses and non-bank financial companies (referred to as “covered entities”), and indirectly to third party vendors and other service providers.

The ANPR deviates from the voluntary and flexible nature of the National Institute of Standards & Technology U.S. Cybersecurity Framework (“Cybersecurity Framework”) as required under Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” issued in February 2013 (“Cybersecurity EO”) and the bipartisan Cybersecurity Enhancement Act of 2014, P.L. 113-274. It ignores the Cybersecurity Framework’s explicit policy of allowing companies to adopt security practices appropriate to their own circumstances.

The ANPR seems to ignore another fundamental goal of the Cybersecurity EO and the Cybersecurity Framework: eliminating conflicting and duplicative cybersecurity regulations rather than creating more of them. The ANPR proposes to make several financial agency guidelines, including the U.S. Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool, into mandatory standards. U.S. financial regulators have already come under fire for increasing the cybersecurity regulatory burden on the sector beyond what is required under the Cybersecurity Framework, and the ANPR goes even further. The ANPR also mandates many practices already followed by the financial sector (e.g., adoption of a cyber resilience and incident response program).

The Agencies plan to issue a formalized proposal in the Spring, which stakeholders will have another opportunity to comment on before a final rule is adopted. One wild card in the process is the election of Donald J. Trump as President, which may create an interesting dynamic as this proposal moves forward.

Posted in: Asia Privacy, Privacy and Data Security

CHINA: Significant changes to data and cybersecurity practices under PRC Cybersecurity Law

Written by Carolyn Bigg

After a third deliberation, the Chinese government passed the new PRC Cybersecurity Law on 7 November 2016. The new law will come into force on 1 June 2017 and has significant implications for the data privacy and cybersecurity practices of both Chinese companies and international organisations doing business in China.

The new PRC Cybersecurity Law intends to combat online fraud and protect China against Internet security risks. In short, it imposes new security and data protection obligations on “network operators”; puts restrictions on transfers of data outside China by “key information infrastructure operators”; and introduces new restrictions on critical network and cybersecurity products.

The new law has been widely reported in both the local and international press. While Chinese officials maintain that China is not closing the door on foreign companies with the introduction of this new law, there has been widespread international unease since the first reading. Commentators have expressed concern that competition will be stifled; about the handover of intellectual property, source code and security keys to the Chinese government; about perceived increased surveillance and controls over the Internet in China; and about the data localisation requirements. Other new obligations, including increased personal data protections, have been less controversial, but are a clear indicator of the increased focus within the Chinese authorities on data protection, and could signal a change to the data protection enforcement environment in China.

Some of the key provisions of the final law (which contains some changes to earlier drafts of the law) include (inter alia):

  • Chinese citizens’ personal information and “important data” gathered and produced by “key information infrastructure operators” (“KIIO”) during operations in China must be kept within the borders of the PRC. If it is “necessary” for the KIIO to transfer such data outside of China, a security assessment must be conducted pursuant to the measures jointly formulated by the National Cyberspace Administration and State Council, unless other PRC laws permit the overseas transfer. While the final version of the law provides some guidance as to the industry fields that will be ascribed greater protection, such as public communications and information service, energy, transportation, water conservancy, finance, public service and e-government, the definition of KIIO remains vague and could potentially be interpreted to cover a broader range of companies and industry sectors. “Personal information” is defined as including all kinds of information, recorded electronically or through other means, that taken alone or together with other information is sufficient to identify a natural person’s identity, including, but not limited to, natural persons’ full names, birth dates, identification numbers, personal biometric information, addresses, telephone numbers, and so forth. However, the types of information that might constitute “important data” are currently unclear. In any case, these data localisation rules are likely to create practical issues for international businesses operating in China.
  • A range of new obligations apply to organisations that are “network operators” (i.e., network owners, network administrators and network service providers). A “network” means any system comprising computers or other information terminals and related equipment for collection, storage, transmission, exchange and processing of information. Some commentators are suggesting that these broad definitions could catch any business that owns and operates IT networks/infrastructure or even just websites in China.
    • In terms of data protection, network operators must make publicly available data privacy notices (explicitly stating purposes, means and scope of personal information to be collected and used); and obtain individuals’ consent when collecting, using and disclosing their personal information. Network operators must adopt technical measures to ensure the security of personal information against loss, destruction or leaks, and in the event of a data security breach must take immediate remedial action and promptly notify users and the relevant authorities. They must also comply with principles of legality, propriety and necessity in their data handling, and not be excessive; not provide an individual’s personal information to others without the individual’s consent; nor illegally sell an individual’s personal data to others. The rules do not apply to truly anonymised data. There are also general obligations to keep user information confidential and to establish and maintain data protection systems. Data subject rights to correction of their data, as well as a right to request deletion of data in the event of a data breach, are also provided. While an earlier draft specifically provided protection to personal information of “citizens”, the final law does not make this distinction, and so seemingly offers a broader protection to all personal information. These requirements formalise as binding legal obligations some data protection safeguards that were previously only perceived as best practice guidance in China.
    • As regards network security, network operators must fulfil certain tiered security obligations according to the requirements of the classified protection system for cybersecurity, which includes (amongst other things): formulating internal security management systems and operating instructions; appointing dedicated cybersecurity personnel; taking technological measures to prevent computer viruses and other similar threats and attacks, and formulating plans to monitor and respond to network security incidents; retaining network logs for at least six months; undertaking prescribed data classification, backup, encryption and similar activities; complying with national and mandatory security standards; reporting incidents to users and the authorities; and establishing complaints systems.
    • Network operators must also provide technical support and assistance to state security bodies safeguarding national security and investigating crimes, and will be subject to government and public supervision. The form and extent of such co-operation is not currently clear, and international businesses have expressed concerns over the extent to which this may require them to disclose their IP, proprietary and confidential information to the Chinese authorities.
    • More general conditions on network operators carrying out business and service activities include: obeying all laws and regulations, mandatory and industry national standards, social mores and commercial ethics; being honest and credible; and bearing social responsibility. There are also requirements on network operators to block, delete and report to the authorities prohibited information and malicious programmes published or installed by users.
    • Network operators handling “network access and domain registration services” for users, including mobile phone and instant message service providers, are required to comply with “real identity” rules when signing up or providing service confirmation to users, or else may not provide the service.
  • Additional security safeguards apply to KIIOs, including: security background checks on key managers; staff training obligations; disaster recovery backups; emergency response planning; and annual inspections and assessments. Further, strict procurement procedures will apply to KIIOs buying network products and services.
  • Providers of “network products and services” must comply with national and mandatory standards; their products and services must not contain malicious programs; must take remedial action against security issues and report them to users and relevant authorities; and must provide security maintenance for their products and services which cannot be terminated within the contract term agreed with customers. These new conditions will require providers of technology products and services to review and update their product and related maintenance offerings and, in particular, the contractual terms on which they are offered to customers.
  • Critical network equipment and specialised cybersecurity products must obtain government certification or meet prescribed safety inspection requirements before being sold or provided. This potentially catches a wide range of software, hardware and other technologies being sold – or proposed to be sold – by international companies in China, since the definitions used in the law are drafted very broadly. Further guidance by way of a catalogue of key network products is expected in due course. There are concerns that this may create barriers to international businesses looking to enter the Chinese market.
  • Each individual and organisation shall be responsible for its own use of websites, and may not set up websites or communication groups for the purpose of committing fraud, imparting criminal methods, producing or selling prohibited items, or engaging in other unlawful activities. Again, there is scope for this to be interpreted and applied broadly.
  • Institutions, organisations and individuals outside China that cause serious consequences by attacking, interfering with or destroying key information infrastructure of China shall be responsible for any damage, and the relevant public security department of the State Council may freeze assets and impose other sanctions against them. While these provisions would appear to have an extra-territorial effect, and could be interpreted very broadly, it is unclear what sanctions could in practice be enforced against organisations without a presence in China.
  • Other new rules relate to: network/online protections for minors; the establishment of schemes for network security monitoring, early warning and breach notification to relevant authorities and the public, as well as rights for individuals and organisations to report conduct endangering network security; opening of public data resources; and prohibitions on hacking and supporting activities.

While criminal sanctions, administrative penalties and civil liabilities potentially await those (both organisations and, in some circumstances, individual employees and officers) who violate the new law, unfortunately great uncertainties remain as to how the new legislation will be enforced, who exactly is caught by the various new rules, and the precise steps that organisations must take to comply with them. It is hoped that the Chinese authorities will publish more detailed, practical guidance in the coming months. In the meantime, organisations are strongly advised to review their data privacy and cybersecurity practices in China to ensure compliance with the new law before it comes into force on 1 June 2017, and to keep these under review as further guidance becomes available.

Posted in: EU Data Protection

FRENCH LAW FOR A DIGITAL REPUBLIC ADOPTED – Part III: Significant Changes are in Store for Online Platforms, Telecom Operators and Online Communication Providers

Written by Carol A.F. Umhoefer and Caroline Chancé

As reported earlier here and here, France’s Law for a Digital Republic (“Law”) introduces important amendments to French data protection law. But once implementing decrees are adopted (expected later this year and in March 2017), the Law will also bring significant changes to online platform operators, telecom operators and online communication providers, as described below.

New consent requirement to ensure confidentiality of electronic correspondence

The Law amends the Postal and Electronic Communications Code by requiring telecom operators and online public communication service providers to maintain the confidentiality of user correspondence, which includes: the content of the message, the correspondents’ identity and, where applicable, the subject line and attachments. The automatic analysis of such correspondence for advertising, statistical or service improvement purposes is prohibited, except with the user’s express, specific and time-limited consent. The period of validity of such consent (which cannot be longer than one year) will be specified by an implementing decree expected by the end of 2016.

However, electronic correspondence can still be automatically analyzed without users’ express, specific and time-limited consent whenever the analysis is for purposes of displaying, sorting or dispatching messages, or detecting unsolicited content or computer malware.

Telecom operators and online public communication service providers will be required to inform their employees of the new confidentiality obligations.

New definition of “online platform operators”

The Law introduces in the French Consumer Code a new definition of online platform operators: Any individual or legal entity offering, on a professional basis, whether for free or for consideration, an online public communication service consisting of either (i) ranking or referencing content, goods or services offered or uploaded by third parties, by using computerized algorithms (e.g., online price comparison tools); or (ii) bringing together several parties (intermediation) for the sale of a good, the provision of a service or the exchange or sharing of content, a good or a service (i.e., marketplaces).

Enhanced transparency and fairness obligations vis-à-vis consumers

Under the Law, online platform operators are required to provide fair, clear and transparent information regarding (i) the general terms of use of any intermediation service, (ii) the referencing, ranking and dereferencing criteria for content, goods and services offered or uploaded, (iii) the existence of any contractual relationship, capitalistic relation or direct remuneration for the operator’s benefit that influences the classification or referencing of the content, goods or services offered or uploaded, (iv) any person acting as an advertiser and (v) when consumers are put in contact with professionals or non-professionals, the rights and obligations of each party under civil and tax laws. Implementing decrees are expected by March 2017 to specify these obligations.

In addition, online platform operators whose activity generates connections above a certain threshold (to be defined by implementing decree by March 2017) must establish and make available to consumers good practices guidelines aimed at strengthening the obligations of clarity, transparency and fairness mentioned above.

Marketplaces will be required to provide professionals with a space that allows them to comply with their own information obligations vis-à-vis consumers. The implementing decree specifying requirements for this space is expected in March 2017.

The regulator is empowered to conduct audits of platform operators’ business practices. The regulator will publish the results of these evaluations and a list of platform operators that do not comply with the information obligations.

Finally, websites that collect, moderate or disseminate consumer reviews or opinions will be required to provide a host of new information in a fair, clear and transparent manner regarding the conditions for publishing and processing these reviews or opinions. Here again, an implementing decree will specify the requirements for providing this information.

Posted in: EU Data Protection, International Privacy, New Privacy Laws

France’s Law for a Digital Republic expands transparency rules – significant changes for platforms, telecoms, online providers

Written By Caroline Chancé and Carol A. F. Umhoefer

France’s newly published Law for a Digital Republic includes key provisions that aim to foster more consumer and user trust in the digital ecosystem by requiring enhanced transparency and fairness obligations for online platforms and heightened confidentiality of private electronic correspondence. These provisions will be fully effective upon the adoption of implementing decrees, which are expected within the coming months.

New definition of “online platform operators”; enhanced transparency and fairness obligations vis-à-vis consumers

The Law for a Digital Republic introduces in the French Consumer Code a new definition of online platform operators: any individual or legal entity offering, on a professional basis, whether for free or for consideration, an online public communication service consisting of either (i) ranking or referencing content, goods or services offered or uploaded by third parties, by using computerized algorithms (e.g., online price comparison tools); or (ii) bringing together several parties (intermediation) for the sale of a good, the provision of a service or the exchange or sharing of content, a good or a service (i.e., marketplaces).

Under the Law, online platform operators are required to provide fair, clear and transparent information regarding (i) the general terms of use of any intermediation service; (ii) the referencing, ranking and dereferencing criteria for content, goods and services offered or uploaded; (iii) the existence of any contractual relationship, capitalistic relation or direct remuneration for the operator’s benefit that influences the classification or referencing of the content, goods or services offered or uploaded; (iv) any person acting as an advertiser; and (v) the rights and obligations of each party under civil and tax laws when consumers are put in contact with professionals or non-professionals. Implementing decrees are expected by March 2017 to specify these obligations.

In addition, online platform operators whose activity generates connections above a certain threshold (to be defined by implementing decree by March 2017) must establish and make available to consumers good practices guidelines aimed at strengthening the obligations of clarity, transparency and fairness mentioned above.

Marketplaces will be required to provide professionals with a space that allows them to comply with their own information obligations vis-à-vis consumers. The implementing decree specifying requirements for this space is expected in March 2017.

The regulator is empowered to conduct audits of platform operators’ business practices. The regulator will publish the results of these evaluations and a list of platform operators that do not comply with the information obligations.

Finally, websites that collect, moderate or disseminate consumer reviews or opinions will be required to provide a host of new information in a fair, clear and transparent manner regarding the conditions for publishing and processing these reviews or opinions. Here again, an implementing decree will specify the requirements for providing this information.

New consent requirement to ensure confidentiality of electronic correspondence

The Law introduces into the Postal and Electronic Communications Code a definition of online public communication service providers: any person making available content, services or applications that constitute online communication to the public.

Telecom operators and online public communication service providers are required to maintain the confidentiality of user correspondence, including the content of the message, the correspondents’ identity and, where applicable, the subject line and attachments. The automatic analysis of such correspondence for advertising, statistical or service improvement purposes is prohibited, except with the user’s express, specific and time-limited consent. The period of validity of such consent (which cannot be longer than one year) will be specified by an implementing decree expected by the end of 2016.

However, electronic correspondence can still be automatically analyzed without users’ express, specific and time-limited consent whenever the analysis is for purposes of displaying, sorting or dispatching messages, or detecting unsolicited content or computer malware.

Telecom operators and online public communication service providers will be required to inform their employees of the new confidentiality obligations.