Privacy & Data Security Blog

Coverage and commentary on the latest developments in data protection and data security

Big Data (at risk of becoming “little data” in Europe?)

Posted in New Data Protection Regulation

What is Big Data?

Big Data is about using mathematical models to spot patterns or “footprints” in large datasets.  The area is gaining prominence.  Kenneth Cukier recently appeared on BBC Radio 4’s “Start the Week” to discuss it.  He has also teamed up with Viktor Mayer-Schönberger to publish a new book: “Big Data: A Revolution That Will Transform How We Live, Work and Think”.  The book discusses risks and benefits of Big Data and privacy concerns.  Interestingly, the authors also say that anonymisation is not possible when it comes to Big Data! 

Where can it be used?

There is no doubt that Big Data is big news.  You just have to think about data on the digital services you use or the TV and movies that you stream.  Twitter recently released a 20 page booklet for advertisers on trends in television viewing.  The data shows how people use Twitter when watching TV programmes and what they say about them.  Research from the University of Cambridge says that a person’s political leanings, age, gender and sexual orientation can be deciphered by studying their Facebook “likes”!  

Anonymisation is not the answer?

So Big Data is big news.  Let’s circle back to that new book.  It’s interesting that the authors say that anonymisation is not possible when it comes to Big Data. If that’s correct, then we have a problem.  Assume Big Data cannot escape compliance risk by de-identification / anonymisation. Then look at the draft General Data Protection Regulation. The new Regulation (currently about to collapse under the weight of its own amendments) includes proposed amendments about “profiling” (Article 20) proposed by the Albrecht Committee.

Albrecht proposal on “profiling”

Profiling is defined by Albrecht as: “any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person or analyse or predict in particular that natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour”.  This is pretty much any kind of profiling required for Big Data!  The Albrecht proposal is that you may only “profile” people where (1) necessary to enter into or carry out a contract; (2) expressly authorised by EU law; or (3) based on the data subject’s consent.  This is a much broader prohibition than was in the original draft or than is in the current Data Protection Directive.

Other solutions?

Other amendments proposed by the other Committees take a different approach.  They prohibit profiling which results in decisions which are “unfair or discriminatory” (borrowing equivalent concepts from consumer law).  However it isn’t clear how the consumer law concepts would map across to the data protection world.  Other amendments specifically encourage the use of pseudonymised data.  But surely the use of pseudonyms would be good practice in any event (in line with the new principle of data minimisation)?

A technical point

Well, I have another thought: the new Regulation requires compliance with gateway conditions as per the current Directive.  The new consent gateway will require consents to be “explicit”. It will also be much harder to rely on “legitimate interests” as an alternative as you will have to specify the “legitimate interests” in privacy policies up front.  This pushes us firmly towards a “permission-based” model of which Big Data will have to form part. So we may be in a consent solution already.

What next?

Over prescription of Big Data could kill it off before it has begun.  Big Data becomes little data?  Isn’t it better to create a legal regime in which it can be implemented “safely” (by using pseudonyms and proper transparency) rather than making it subject to a prior consent or equivalent condition?

Google called before European privacy authorities

Posted in Article 29 Working Party, Data Protection Authorities, New Data Protection Regulation

In October 2012, the Article 29 Working Party highlighted its concerns about Google’s new consolidated privacy policy.  This converted a series of 60 legacy privacy policies into a single document.  The European review was led by the CNIL (the French data protection authority).  This week, the Article 29 Working Party has announced that it will call Google to appear before it.  The search engine has said that its privacy policy is compliant and allows simpler and more effective services.  Clearly, the data protection authorities are keen to pursue this issue and say they plan “significant progress” before the summer.  Expect to hear more about this soon.  And by the way, it is not clear that the Article 29 Working Party has any power to require a data controller to appear before it.  One presumes that any legal powers will be those exercisable by the CNIL in the fragmented world of DP regulation.

The other interesting aspect of this story is that it reflects a greater desire for the European data protection authorities to coordinate their activities.  Under the draft Data Protection Regulation there will be a new “consistency” mechanism under which decisions taken by individual regulators which could have a pan-European impact will be subject to consultation and review by a European Data Protection Board (EDPB).  The EDPB will, effectively, be a replacement for the Article 29 Working Party.  In addition, the new Regulation will introduce supra-national regulation.  So a controller or processor will be regulated by the data protection authority of the Member State in which that controller or processor has its “main establishment”.  Sound familiar?  The European data protection authorities currently seem to be on a “test drive” of the new “consistency” mechanism well in advance of implementation of the new Regulation.  2013 will show us how effectively the authorities can work together.

The EU Data Protection Regulation: timing

Posted in New Data Protection Regulation

As we’re all aware the new Data Protection Regulation (the Regulation) was announced to much bombast a little over a year ago.  Of particular note was the aggressive timeframe for agreement and adoption that Viviane Reding was pressing.

Following on from our post below, and with today’s deadline for MEPs to propose further amendments to the draft report of the Committee on Civil Liberties, Justice and Home Affairs (LIBE), the lead review committee, it seemed an appropriate opportunity to check where we are in the process and briefly review the factors that will determine the Regulation’s passage into law, including the chances of its adoption ahead of the European Parliament’s re-election in June 2014. 

Recent Developments

In June last year, the rapporteur for LIBE, Jan Philipp Albrecht, issued a timetable that listed the key events in the process of enacting the Regulation.  The following points should be noted:

  • in his timeline, the LIBE draft report’s publication was November 2012.  This was delayed until 17 December;
  • as a result, the deadline for tabling amendments to this report was pushed back from December 2012 to 27 February 2013;
  • given these delays, the Regulation’s readiness for “Trilogue” (i.e. the meetings of the European Commission, Council and Parliament, where final agreement on the wording is reached), originally pencilled in for Summer 2013, would seem likely to be delayed until Autumn 2013 at the earliest. 

This would seem to make any vote in plenary (i.e. vote to adopt the Regulation following the trilogue discussions) before the start of 2014 unlikely.

Even these timelines will only remain on track if the remaining stages in the committee review process aren’t delayed any further.  There is a discussion of the amendments to the report in the LIBE Committee; a discussion with the four other committees reviewing the Regulation; and then the orientation vote of the LIBE Committee.

If these stages are subject to further delay, there may be a limited window in which to schedule adoption before MEPs focus on their re-election campaigns from spring 2014. 

If a vote in plenary is achieved in time (and assuming the two-year implementation period is retained) it may be that the Regulation could be in force by early 2016.   However, if this shrinking window is missed, and adoption of the Regulation is pushed back until after re-election, implementation may not be finalised until around 2018. 

Ireland to the rescue?

At this point, it is difficult to assess whether the draft Regulation’s progress will be subject to further delays. 

However, a glimmer of hope for the Regulation’s swift progress is Ireland’s position as President of the European Council until 30 June 2013 which may give momentum to the process. 

With its cool climate, technological infrastructure and government initiatives, Ireland is fast becoming a key hub in Europe for data centres.  Over 25 leading technology multinationals (including Microsoft, IBM, Google, Intel, Twitter, Amazon, Yahoo!, EMC, BT, HP and Vodafone) have databases and operations in Ireland.  This puts it in a unique position to lead negotiations on the Regulation, much of which will be undertaken by the European Council over the next few months. 

If they prioritise the Regulation, and keep the process on schedule, a final vote before June next year may well be achievable.

European Data Protection Regulation: inflexible 2% turnover fines criticised

Posted in Fines, New Data Protection Regulation

On 20 February 2013, one of the Committees of the European Parliament charged with reviewing the new draft Data Protection Regulation (“the Regulation”) voted against the current proposal of fines for breaches of up to 2% of the global annual turnover of data controllers.  The ITRE Committee’s vote is part of its opinion on the Regulation, and is a welcome contrast to the strongly pro-consumer report from one of the other Committees, the LIBE Committee.

The ITRE Committee agreed that the Regulation was needed to update data protection law in the EU, and also agreed that a “one-stop shop” for companies operating in more than one member state was necessary.  These have to be good developments.  It also favoured allowing more flexibility for small and medium sized enterprises, as these form a substantial part of the European economy and should face less red tape, not more.  This point also included allowing national regulators to determine the size of fines, so that they were more appropriate to the circumstances of the breach of the Regulation, rather than setting inflexible rules.

If this proposal is accepted by the European Parliament in its full vote later this year, then it is likely to result in regulators setting their own fines, as is currently the case, rather than there being mandatory fines of up to 2% in all cases, a proposal which had led to considerable lobbying in Brussels. 
 
The next stage of the draft Regulation’s progression through Parliament is the vote on the opinion of the Employment (EMPL) Committee, followed by the LIBE Committee (which is the lead committee of the four considering the draft Regulation) voting on its own report.  This is expected to take place by the end of April 2013.  Trilogue negotiations between the Parliament, Council and European Commission are expected to commence from May 2013 onwards.

New EU rules on security

Posted in Cloud Computing, Data Protection Compliance, Data Security

If you Google “EU law on security”, you’ll find the EU Data Protection Directive near the top of the search results. But search a little harder and you’ll find more.

This week saw the EU publish a new draft Directive on network and information security. However this isn’t about personal data or rules for particular sectors like telecoms. The proposed rules apply to all manner of digital platforms like e-commerce and payment platforms. They will also apply to a very broad range of critical infrastructure operators.

Who is covered by the new rules?

All “market operators” are caught. A “market operator” is defined as a provider of information society services (ISS) which enables the provision of other ISS. ISS, in this context, means an e-commerce service and this may include e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services and application stores. So, the rules will apply to those who provide any such services which underpin e-commerce services provided by others. But it’s still an incredibly broad list.

Market operators also include operators of critical infrastructure including providers of:

  • electricity, gas and oil
  • airlines, maritime transport, railways (even associated warehousing, cargo handling and support services)
  • banking
  • financial market infrastructure; and
  • healthcare

So what do the new rules say?

Market operators (i.e. all of the above) have to ensure that appropriate technical and organisational measures (yes, that phrase from the Data Protection Directive) are in place to ensure network and information system security, in particular to ensure business continuity for the services underpinned by their networks and services. So a cloud computing service has to comply where it has customers using its services to deliver services to end-users.  An electricity company will have to comply as its services will almost certainly fall into this category. Have a look at Article 14 of the draft Directive for more detail.

Duty to Notify

Article 14 also requires market operators to notify the “competent authority” (to be set up or appointed by each EU member state) of any incidents having a “significant impact on the security of the core services they provide”. So if you’re hit by a cyber attack and this results in unscheduled downtime or a power outage, you would have to notify.

The Directive also deals with a range of other information security requirements, but it is the new duties to ensure security and to notify a regulator that spell a broadening of the EU rules in this area.

Privacy in the Middle East: new Cybercrime Law

Posted in Data Security, Enforcement, Uncategorized

Privacy law is growing across the globe. The Middle East has seen its fair share too. Let’s take stock of some of the latest developments.

In the last 12 months the UAE Government enacted two new security laws: (i) Law No. 5 of 2012 Concerning Combating Information Technology Crimes (Cybercrimes Law) and (ii) Law No. 3 of 2012 on Establishing the National Electronic Security Authority (E-Security Authority Law).

The new laws complement other UAE e-security initiatives such as the establishment of the UAE Computer Emergency Response Team (aeCERT) and various awareness campaigns such as Salim.   The UAE’s achievements in e-security were recently recognised by an International Institute for Management Development (IMD) report, where it was ranked first regionally and fourth internationally in cyber security. 

Cybercrimes Law

The reasons for the new law are well known: an increase in the use of social media and online transactions, and the associated rise in cybercrime, prompted the previous UAE federal cybercrimes law (Law No. 2 of 2006 Concerning Combating Information Technology Crimes) to be repealed within just six years of its enactment.  

The new Cybercrimes Law covers a wider range of offences than those included in the previous law.  Examples include using IT systems for hacking and phishing, forging electronic documents, amending or damaging electronic information and disabling access to an information network. Additionally the Cybercrimes Law criminalises disclosure of electronically stored information without permission, including medical information; credit card and bank account theft and fraud; blackmailing an individual through electronic means; preparing, distributing, publishing and republishing pornographic material, gambling material or anything that prejudices public morals; and defamation through electronic means.  The Cybercrimes Law also has various offences related to affecting or threatening state security and promoting terrorism.  Many of these offences are already included in the existing UAE Media Law (Law No. 15 of 1980 on Printed Matter and Publications) but have now been specifically updated for online activities. 

New Penalties

The new Cybercrimes Law has also increased the monetary penalties of some offences up to AED 3 million (GBP 520,000) and some offences can lead to imprisonment of up to 10 years. 

In addition, the courts have the power to confiscate devices, deprive access to IT systems, shut down illegal websites and deport any foreigners convicted of any offences.

National E-Security Authority

In conjunction with the new Cybercrimes Law a National E-Security Authority (the Authority) was established by Law No. 3 of 2012.  The stated goals and responsibilities of the Authority are “to organise protection for the Communication Network and Information Systems in the State and develop, amend and use the necessary methods in Electronic Security domain”.  The Authority has specific responsibilities for supporting federal and Emirate level government entities but its e-security ambit also extends to the private sector.  The Authority will co-ordinate with the relevant bodies such as the Telecommunications Authority (TRA) and the aeCERT to pursue its goals.  

Cookies: the UK ICO perspective

Posted in Cookies, Uncategorized

We’re now well past the UK grace period for cookie compliance. But what are companies actually doing about this? Are their “houses in order” as required by the UK Information Commissioner’s Office (ICO)? The ICO’s introduction of a new cookies banner on its own website is a good time to take stock.

The best source of information is the ICO Activity Report published on 18 December 2012. The majority of sites that the ICO looked at rely on implied consent and the inclusion of clear information on the cookies used. In other words: the classic banner or pop-up plus a cookies policy.

What about user perceptions? Well, it seems that cookie compliance was relatively low on consumers’ radars, with 550 reported concerns. Consumers were much more concerned about unwanted marketing (the ICO received 100 times more complaints about unwanted marketing communications in the same period).  Paradoxically (but perhaps not surprisingly), some users actually complained about the detrimental effect the rules were having on the usability of websites.

Otherwise complaints fell into two categories, with consumers being unhappy with:

  • implied consent mechanisms (84% of respondents thought the mechanisms were inadequate); and
  • the level of information given about cookies generally (54% of respondents considered that no information about cookies had been given).

Between October and December 2012 the ICO also conducted visual audits of some 207 websites about which complaints had been received finding that:

  • 43% had taken steps to comply (in our view a “nod” from the ICO that it looks “ok”);
  • 33%  had taken limited steps to comply (in our view, an implicit ICO criticism);
  • 23% appeared to have taken no steps to comply! (in our view, an explicit ICO criticism).

The ICO then gave four examples of websites that it considered had taken significant steps to comply (implicit in this is that they had done a decent job).

So we’re increasingly clear on what the (not so new) rules require in practice. The new ICO banner now reflects this pragmatic market practice. Enforcement risk remains of course.

Leveson: Proposals for New Data Privacy rules in the UK

Posted in Data Protection Compliance, Information Commissioner's Office, New Data Protection Regulation

The Leveson Inquiry recently published its findings into UK press regulation. However Leveson also commented on the UK data privacy rules and the role of the ICO. The data privacy part of the report has been received with almost uniform disinterest (!) but for privacy geeks the detail is worth a read. The Inquiry’s recommendations include:

  • ensuring that the data subject’s right to compensation for distress under section 13 DPA is not limited to actual monetary loss but includes compensation for pure distress;
  • bringing in a (long called for) custodial penalty for the data theft offence under section 55 DPA (unlawful obtaining of personal data), a penalty already on the statute book but not yet brought into force;
  • broadening the powers of the ICO by allowing it to prosecute for any breach of the data protection principles;
  • reconstituting the ICO as an Information Commission, led by a Board of Commissioners;
  • tightening up the journalistic exemption under s 32 DPA and limiting the scope of the exemption so that most of the Data Protection Principles will apply; and
  • the ICO to publish guidance for the press.

What is interesting about this is that a lot of what Leveson recommends is already proposed in the new EU Data Protection Regulation. The direction of travel towards stricter data privacy laws is being strengthened!
 
We expect the formal ICO response in January.

FTC Settles “History Sniffing” Charges Against Advertising Network

Posted in Enforcement, Marketing, Online Behavioural Advertising

The FTC has announced a settlement with Epic Marketplace, a global digital marketing company, that bars Epic from engaging in a practice known as “history sniffing” and requires it to destroy all data collected through use of the technique.  History sniffing involves using code embedded in web site advertisements to detect whether a consumer had previously visited particular web pages, based on how the web browser displays links to those web pages.  For example, most web browsers change the colour of links that have been previously visited.  That colour change is applied by the browser’s styling of visited links (the CSS “:visited” state), and script included in Epic’s history-sniffing ads read the colour the browser had applied to links to the pages of interest, inferring from it whether the consumer’s browser history contained those pages.
 
History sniffing is disfavored by the FTC because it bypasses most measures consumers can use to limit or prevent online tracking, such as deleting cookies.  The technique also allows advertisers to detect consumers’ visits to websites outside their own advertising network, data not normally available through use of standard cookie-based technologies. 
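The following is an added illustration of the technique described above, not Epic’s code or anything taken from the FTC complaint. The browser is modelled by a `probe` callback so the logic runs outside a browser: `legacyProbe` stands for a browser of the period that reported the real `:visited` colour to script, and `hardenedProbe` for modern browsers (since roughly 2011) that always report the unvisited style to script. The colour values, target URLs and victim history are all constructed for the example.

```javascript
// Default link colours in most browsers (constructed constants for the model).
const UNVISITED = 'rgb(0, 0, 238)';
const VISITED = 'rgb(85, 26, 139)';

// The sniffer itself: for each candidate URL, ask the "browser" what colour it
// paints a link to that URL and keep those that differ from the unvisited baseline.
// In a real page the probe would be roughly:
//   const a = document.createElement('a'); a.href = url; document.body.appendChild(a);
//   return getComputedStyle(a).color;
function sniffHistory(candidates, probe) {
  return candidates.filter((url) => probe(url) !== UNVISITED);
}

// Constructed model of a browser whose computed style leaked :visited state.
// `historySet` plays the role of the victim's browsing history.
function legacyProbe(historySet) {
  return (url) => (historySet.has(url) ? VISITED : UNVISITED);
}

// Constructed model of a hardened browser: script always sees the unvisited
// style regardless of history, so the comparison above learns nothing.
function hardenedProbe() {
  return () => UNVISITED;
}

// Constructed sample data: the victim has visited two of the three target pages.
const VICTIM_HISTORY = new Set([
  'https://example-bank.test/login',
  'https://example-clinic.test/appointments',
]);
const TARGETS = [
  'https://example-bank.test/login',
  'https://example-clinic.test/appointments',
  'https://example-shop.test/cart',
];

// Run both models over the same targets. Nothing here touches cookies, which is
// why clearing them does not defeat the technique.
function demo() {
  return {
    leakedByLegacyBrowser: sniffHistory(TARGETS, legacyProbe(VICTIM_HISTORY)),
    leakedByHardenedBrowser: sniffHistory(TARGETS, hardenedProbe()),
  };
}

console.log(demo());
```

The point of the two probes is that the attack needs nothing from the advertiser’s own domain: the only signal is the colour the browser applies to a link, which is why it sidesteps cookie controls and why the browser-side fix was to stop exposing the visited style to script.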
 
The FTC’s complaint alleged that Epic misled consumers because the privacy policy on Epic’s website detailed tracking techniques that Epic used in its ad network but failed to disclose the use of history sniffing.  This failure to disclose was, according to the FTC, a deceptive practice under § 5 of the FTC Act.
 
Notably, the FTC did not allege that the practice of history sniffing was unfair under § 5, which may imply that the FTC does not consider history sniffing to be per se unfair to consumers.  However, the Epic settlement reiterates that the FTC does consider failure to adequately disclose tracking practices to violate § 5 through misrepresentation by omission.  The FTC’s agreement with Epic serves as one more reminder that advertisers and other web sites should take care to clearly explain privacy practices, especially how data is collected from consumers.

Senate Kills Lieberman-Collins Bill, Last Chance For Cybersecurity Legislation in 2012

Posted in Data Security

The US Senate has rejected a procedural motion to move forward the Cybersecurity Act of 2012, co-sponsored by Senators Joe Lieberman (I-Conn.) and Susan Collins (R-Maine), by a vote of 51-47.  In a crowded field of cybersecurity proposals in 2012, the Lieberman-Collins bill was widely seen as the last chance for the Senate to pass cybersecurity legislation this year.

Avoiding objections among civil liberty groups to proposals for a military-led federal cybersecurity effort, headed by the NSA, the Cybersecurity Act taps the civilian Department of Homeland Security as the lead federal cybersecurity agency.  The most comprehensive bill put before Congress, the Cybersecurity Act embraces a dual approach to cybersecurity, facilitating information sharing between private actors and the government and granting DHS authority to issue security standards for industry sectors designated as “critical infrastructure.”  Also included in the bill are grants and other support for research, education and cybersecurity awareness programs.

Republican senators blocked the Cybersecurity Act in August over concerns that the minimum security standards would create unnecessary and burdensome new regulations, which were strongly opposed by the powerful U.S. Chamber of Commerce pro-business lobby, as well as by interest groups representing nearly every sector of the economy.   Republicans also questioned the ability of the DHS to develop an effective regulatory regime with enough flexibility not to stifle innovation. Republicans and the Chamber favored the Secure IT Act, introduced by Sen. John McCain (R-Arizona), which focused on an information sharing regime that offered incentives and liability protections for the private sector to share cyber threat information amongst themselves and with the federal government.

President Obama expressed support for the Lieberman-Collins bill.  Rumors of an executive order implementing much of the Cybersecurity Act through existing agency authority have persisted since the Cybersecurity Act’s August stumble.  After this final blow to cybersecurity legislation in 2012, it is unclear whether the President will act now or wait for the 113th Congress to convene in January.  Stay tuned for further developments.

Todd Bertoson contributed to this post.