Sunday, January 27, 2013

"In the absence of the gold standard, there is no way to protect savings from confiscation through inflation. There is no safe store of value." - Alan Greenspan

Twitter Weekly Updates for EUdiscovery

Article 29 Working Party Opinion 8/2010 on Applicable Law, Article 4 (1) EU Data Protection Directive 95/46/EC and Smartphone Apps

A colleague of mine, Cédric Laurant, recently posted an interesting question on a LinkedIn group that I manage, the European Data Protection Forum :

“Do some iPhone and Android smartphone application makers… violate the consent requirement of the e-Privacy Directive (2009/136)?”
Apple, Inc. got sued on Dec. 23 in federal court in San Jose, California. The suit claims the California-based Apple’s iPhones and iPads are encoded with identifying devices that allow advertising networks to track what applications users download, how frequently they’re used and for how long. Apple iPhones and iPads are set with a Unique Device Identifier, or UDID, which can’t be blocked by users, according to the complaint.
“Some apps are also selling additional information to ad networks, including users’ location, age, gender, income, ethnicity, sexual orientation and political views,” according to the suit.
The suit was filed shortly after the publication of the WSJ’s Dec. 18 article Your Apps Are Watching You .
Some excerpts of above mentioned article:
“Among all apps tested, the most widely shared detail was the unique ID number assigned to every phone. It is effectively a “supercookie,” says Vishal Gurbuxani, co-founder of Mobclix Inc., an exchange for mobile advertisers.
On iPhones, this number is the “UDID,” or Unique Device Identifier. Android IDs go by other names. These IDs are set by phone makers, carriers or makers of the operating system, and typically can’t be blocked or deleted.
“The great thing about mobile is you can’t clear a UDID like you can a cookie,” says Meghan O’Holleran of Traffic Marketplace, an Internet ad network that is expanding into mobile apps. “That’s how we track everything.”

To my knowledge, no lawsuits have been filed yet in the EU against Apple, Google-Android or against the application makers/third party advertisers.
Since Apple’s and Google’s headquarters are located in the USA, and most app makers are also located outside the EU/EEA, the question arises whether the European Data Protection Laws even apply to data processed by Apple or by Google/Android in a EU/EEA member state. The same applies for app makers: most of hem are located outside the EU.
In other words: Can Apple, Google and app makers be sued on the basis of EU Data Protection Laws?

The EU Data Protection framework is “controller centric”. The defining criterion is the location of the data “controller”: is it/he/she located within the EU/EEA, either physically or symbolically? If yes, the controller is subject to the EU Data Protection framework.
Contrast this to the US model, which is “consumer centric”: The defining criterion for most US privacy laws, like e.g. COPPA, is the targeted market. Is the company targeting children in the US market? If yes, the US laws, in this case COPPA, are applicable, regardless of where the data controller is located.
The key provision on applicable law under the EU data protection framework is Article 4 of EU Directive 95/46/EC, which determines which national data protection law(s) adopted pursuant to the Directive may be applicable to the processing of personal data.
The present case would be governed by the EU Directive 2002/58/EC, the so called e-privacy directive on privacy and electronic communications, as amended by the EU Directive 2009/EC , the so called cookie directive. The EU Directive 2009/EC has not been implemented in all members states’ national laws yet, and the deadline is June 2011.
A controversial provision in this directive is the amendment that says that member states shall ensure that “the storing or access to information already stored in the terminal equipment of a subscriber or user is only allowed on the condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information …  about the purposes of the processing.”
This has been understood by many as a requirement for websites to provide opt-in consent before installing cookies on a user’s device.
It needs reminding though, that according to the EU Directive 95/46/EC, processing of sensitive data requires explicit consent from the user!
Sensitive Data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union memberships or data concerning health or sex life. I dare say that in light of this definition, most data posted on social networking sites (SNS) are to be considered of a sensitive nature. So are some of the data transmitted by smartphone apps to third parties.
However, the EU Directive 2002/58/EC,  as amended by the EU Directive 2009/EC , does not contain an applicable law and jurisdiction provision, but instead refers to Article 4 of the Directive 95/46/EC.
Article 4 (1) EU Directive 95/46/EC stipulates that the national law shall apply where:
(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the (EU) Member State.

(c) the controller is not established on the Member State’s territory, and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State…
For the sake of simplifying an extremely complex set of laws, I have left out provisions that do not directly apply to the situation discussed in this article.
But even so, the above mentioned rules have created many difficulties in application and interpretation by member states.
” The legal rules for determining whether EU law applies to business activities, if so which national law, and where jurisdiction lies, are extraorinarily complex, and involve  a number of difficult questions for which there are no definite answers.” Christopher Kuner, European Data Protection Law, Corporate Regulation and Compliance, (2nd edition, Oxford University Press) 109.
Also, “No provision of Article 4 (or indeed, of the entire General Directive) has caused more controversy than Article 4(1)(c)”. ibid 118.
So, finally, on Dec. 16, 2010, the Article 29 Working Party released an Opinion 8/2010 on applicable law regarding the applicability of the EU Directive 95/46/EC.
The WP explains why it thought its opinion had become so necessary:
“The complexity of applicable law issues is also growing due to increased globalisation and the development of new technologies: companies are increasingly operating in different jurisdictions, providing services and assistance around-the-clock; the internet makes it much easier to provide services from a distance and to collect and share personal data in a virtual environment; cloud computing makes it difficult to determine the location of personal data and of the equipment being used at any given time.
Clarifying the concept of applicable law is of great importance, independently of possible amendments to the current provisions of the Directive in the future. Current provisions will remain valid until amended, and to the extent that they are not amended. Therefore clarification of the applicable law provisions will help to ensure better compliance with the Directive pending any amendment of the legislation. In addition, in preparing this opinion the Working Party has been able to draw on the experience of applying the current provisions with a view to providing guidance to the legislator to assist in any future revision of the Directive.
But the clear connection between the applicable law and the controller can be a guarantee of effectiveness and enforceability, especially in a context in which it can be difficult, or sometimes impossible, to locate a file (as may be the case for cloud computing).
Clear guidelines as to applicable law rules should help address new developments: technological (internet; network based files/cloud computing) and commercial (multinational companies).”
Indeed, to make a complicated situation even worse, the entire European Data Protection framework is up for review this year. ( See this previous blog post ).
But, as the WP mentioned, the current law still remains in effect as of now, until and if it is amended.
According to article 4, the main criteria in determining the applicable law are the location of the establishment of the controller, and the location of the means or equipment being used when the controller is established outside the EEA.
Article 4 (1) EU Directive 95/46/EC
a) “…an establishment of the controller on the territory of the Member State …”
Article 29 WP: “It is … important to emphasise that an establishment need not have a legal personality, and also that the notion of establishment has flexible connections with the notion of control. A controller can have several establishments, joint controllers can concentrate activities within one establishment or different establishments. The decisive element to qualify an establishment under the Directive is the effective and real exercise of activities in the context of which personal data are processed.
The notion of establishment is not defined in the Directive. The preamble of the Directive indicates however that “establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements (and that) the legal form of (..) an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor in this respect” (recital 19).
Concerning the freedom of establishment under Article 50 TFEU (former Article 43 TEC) the European Court of Justice (ECJ) has considered that a stable establishment requires that “both human and technical resources necessary for the provision of particular services are permanently available”.
The strong emphasis put in the preamble of the Directive on “effective and real exercise of activity through stable arrangements” clearly echoes the “stable establishment” referred to by the Court of Justice at the time of the adoption of the Directive. Although it is not clear whether this and subsequent interpretations by the ECJ as regards the freedom of establishment under Article 50 TFEU could be fully applied to the situations covered by Article 4 of the Data Protection Directive, the interpretation of the Court in those cases can provide useful guidance when analysing the wording of the Directive.
This interpretation is used in the following examples:
- Where “effective and real exercise of activity” takes place, for example in an attorney’s office, through “stable arrangements”, the office would qualify as an establishment. This induces a broad scope of application, with legal implications extending beyond the EEA territory: the Directive – and national laws of implementation – apply to the processing of personal data outside the EEA (where carried out in the context of activities of an establishment of the controller in the EEA), as well as to controllers established outside the EEA (when they use equipment in the EEA). As a consequence, the provisions of the Directive can be applicable to services with an international dimension such as search engines, social networks and cloud computing.
C) “…for purposes of processing personal data makes use of equipmentsituated on the territory of the said Member State.
This provision becomes relevant when the controller has no presence in EU/EEA territory which may be considered as an establishment for the purposes of Article 4(1)(a) of the Directive, as analyzed above.
This provision is especially relevant in the light of the development of new technologies and in particular of the internet, which facilitate the collection and processing of personal data at a distance and irrespective of any physical presence of the controller in EU/EEA territory.
Article 4(1)(c) will also apply where the controller has an “irrelevant” establishment in the EU. That is to say, the controller has establishments in the EU but their activities are unrelated to the processing of personal data. Such establishments would not trigger the application of Article 4(1)a.
The crucial element which determines the applicability of this Article and thus of a Member State’s data protection law is the use of equipment situated on the territory of the Member State.
The Working Party has already clarified that the concept of “making use” presupposes two elements: some kind of activity of the controller and the clear intention of the controller to process personal data. Therefore, whilst not any use of equipment within the EU/EEA leads to the application of the Directive, it is not necessary for the controller to exercise ownership or full control over such equipment for the processing to fall within the scope of the Directive.
Working Party recognized the possibility that personal data collection through the computers of users, as for example in the case of cookies or Javascript banners, trigger the application of Article 4(1)c and thus of EU data protection law to service providers established in third countries.
The WP brings the following example:
Geo-location services:
A company located in New-Zealand uses cars globally, including in EU Member States, to collect information on Wi-Fi access points (including information about private terminal equipment of individuals) in order to provide a geo-location service to its clients. Such activity involves in many cases the processing of personal data.
The application of the Data Protection Directive will be triggered in two ways:
- First, the cars collecting Wi-Fi information while circulating on the streets can be considered as equipment, in the sense of Article 4(1)c;
- Second, while providing the geo-location service to individuals, the controller will also use the mobile device of the individual (through dedicated software installed in the device) as equipment to provide actual information on the location of the device and of its user.
Both the collection of information with a view to provide the service, and the provision of the geo-location service itself, will have to comply with the provisions of the Directive.
Notes: I wonder if the Article 29 WP might have been alluding to the Google Street View cases? And would the WP have included an app example, if it had waited two more days to publish its opinion? (The opinion was published on Dec. 16, and the WSJ article came out on Dec.18).
To get back to our original question:
“Do some iPhone and Android smartphone application makers violate the consent requirement of the e-Privacy Directive (2009/136)?”
The answer, of course, depends first on whether the European Data Protection Laws apply on the personal data processed by Apple or Google/Android and by third parties located outside the EU/EEA through smartphones.
In light of the above analysis of Article 4 (1) EU Directive 95/46/EC, it would seem that the EU Data Protection laws are indeed applicable to IPhone and Android and their application makers, whose apps  send personal data like age, gender, location and phone identifiers to various ad networks.
In this case, either the EU users smartphone’s unique ID or the apps downloaded on the smartphone  would be the “equipment” situated on the territory of a member state, that the app makers would use in order to process personal information.
Even though most of the companies creating these apps are startups, located outside the EEA, without any establishment within the EEA, they could be sued based on article 4(1)(c) of the Directive.
Article 4(1)(c) will also apply where the controller has an “irrelevant” establishment in the EU. That is to say, the controller has establishments in the EU but their activities are unrelated to the processing of personal data. Such establishments would not trigger the application of Article 4(1)a.
Apple’s headquarters are located in California, USA, and it has many “establishments” all over the EU, but the “establishments” may not be related to the processing of personal data on the iPhones. The same applies to Google. So, even for Apple and Google, article 4(1)(c) will provide the legal basis for applicability of EU law.
Once, the applicability of the EU Data Protection framework has been established, the answer to the question whether these apps violate the EU Data Protection laws is pretty clear.
The unique smartphone ID is like a “supercookie,” (see above), and the downloaded app itself can act like a cookie.
Under the EU Directive 2002/58/EC, it is acceptable to use cookies for legitimate purposes if the users are provided “with clear and precise information” about the purposes of such use, “so as to ensure that users are made aware of information being placed on the terminal equipment they are using.
Smartphone apps that  transmit the phone’s unique device ID, and/or other personal data to other companies without giving the user proper notice would be violating the directive, and the national EU member state laws.
When the data that are transferred consist of sensitive data, there has to be, in addition, opt-in consent from the user.
Under the EU Directive 2009/EC, in addition to notice, “consent” is required as well.
Even though there is controversy concerning the interpretation of the type of consent required under this directive (opt-in v. opt-out consent), the total absence of any type of consent in relation to apps on smatphones would indicate a violation of this directive and its current and future implementation by the member states national laws. The many apps that don’t even offer an opt-out option to users would certainly be violating the directive and its national implementations.
The Article 29 Working Party in its Opinion 8/2010 on applicable law ends with some recommendations for the overhaul of the EU data Protection framework:
“Additional criteria should apply when the controller is established outside the EU, with a view to ensuring that a sufficient connection exists with EU territory, and to avoid EU territory being used to conduct illegal data processing activities by controllers established in third countries. The two following criteria may be developed in this view:
− The targeting of individuals, or “service oriented approach”: this would involve the introduction of a criterion for the application of EU data protection law, that the activity involving the processing of personal data is targeted at individuals in the EU. This would need to consist of substantial targeting based on or taking into account the effective link between the individual and a specific EU country. The following examples illustrate what targeting could consist of: the fact that a data controller collects personal data in the context of services explicitly accessible or directed to EU residents, via the display of information in EU languages, the delivery of services or products in EU countries, the accessibility of the service depending on the use of an EU credit card, the sending of advertising in the language of the user or for products and services available in the EU. The Working Party notes that this criterion is already used in the field of consumer protection: applying it in a data protection context would bring additional legal certainty to controllers as they would have to apply the same criterion for activities which often trigger the application of both consumer and data protection rules.
− The criterion of the equipment/means: this criterion has shown to have undesirable consequences, such as a possible universal application of EU law. Nonetheless, there is a need to prevent situations where a legal gap would allow the EU being used as a data haven, for instance when a processing activity entails inadmissible ethical issues. The equipment/means criterion could therefore be kept, in a fundamental rights perspective, and in a residual form. It would then only apply as a third possibility, where the other two do not: it would address borderline cases (data about non EU data subjects, controllers having no link with EU) where there is a relevant infrastructure in the EU, connected with the processing of information. In this latter case, it might be an option to foresee that only certain data protection principles – such as legitimacy or security measures – would apply. This approach, which obviously would be subject to further development and refinement, would probably solve most of the problems in the current Article 4(1)(c).”

Data Retention in the EU Five Years after the Directive

The European Commission is planning a review of the Data Retention Directive of 2006, which could include a harmonization and reduction of the periods when public authorities can access citizens’ private data held by telecommunication companies for security matters.
The directive allows for retention periods between 6 months and 24 months. Most member states have implementd the directive into their national law with retention periods varying from 6 months to 24 months.
Peter Hustinx, the European Data Protection Supervisor, declared recently that this directive is ” the most privacy invasive instrument ever adopted by the EU in terms of scale and the number of people it affects.”
Today was the last day of the sold out 27th Chaos Communication Congress (27C3), the annual four day conference organized by the Chaos Computer Club (CCC) in Berlin, Germany.
One of the many interesting lectures, titled: “Data Retention in the EU five years after the Directive: Why the time is now to get active” dealt with the many flaws inherent in the Data Retention Directive.
The panel consisted of Ralf Bendrath, Patrick Breyer, Katarzyna Szymielewicz, and axel.
The entire presentation was recorded and posted on YouTube, and I posted it below. It is certainly worth watching.
Ralf Bendrath explained how the directive turns the idea of a free society on its head.
In a free society, people may expect not to be constantly monitored and identified. With the directive, monitoring becomes the norm for everyone, and suddenly you have 500,000 million suspects in Europe. A study in Denmark calculated that every EU citizen is recorded in some manner 225 times a day, or on average every 6 minutes. Each time one makes or receives a phone call, each time one sends or receives an email, one is on record.
This constant monitoring affects several basic rights, like freedom of information, freedom of expression, freedom of assembly and freedom of organization. Some people may be hesitant to exercise those rights out of fear of being blacklisted by the government. This kills the idea of a free society.
Germany’s Federal Constitutional Court (Bundesverfassungsgericht) has recently overturned the German implementation of the Data Retention Directive and has declared it to be unconstitutional.
Romania’s Constitutional Court has declared the directive in breach of article 8 of the European Convention of Human Rights (ECHR).
There are constitutional cases regarding the directive pending in Hungary and Ireland.
The directive has also become a source of abuse:
In Germany, a TMobile employee sold a list of 17 million subscribers’ addresses on the black market. In Poland, four jounalists were being tracked in order to trace back their sources.
The panel ended with a call for a anti-data retention campaign in all 27 EU member states, before the announced review by the Commission. This will be the last opportunity to attack the core principles of the directive.
More than a hundred NGOs are petitioning against the directive. One of them is EDRI, the organization for European Digital Rights.

A Week’s Worth of Ediscovery, Privacy, Cloud and Social Media Tweets by @EUdiscovery

A Week’s Worth of Ediscovery, Privacy and Social Media Tweets by @EUdiscovery

The Social Media User’s Holiday Wish for Privacy (In Plain English)

“May 2011 see the universal inception of PbDs, PETs and SSL/TLS to refudiate the global sniffing and scraping of UDIDs, DPIs, URLs and all digital footprints by grizzlie cookies and other such monsters.
May we see lots of double rainbows in the cloud!”

P.S. Quick poll (this will help us enhance your online user experience):

1. Are you

A. a sofalizer
B. a cofficer?
C. none of the above
D. all of the above

2. In order to understand this wish in plain English, did you need the help of

A. This recent New York Times article
B. PbD = Privacy by Design
C. PET = Privacy Enhancing Technologies
D. UDID = Unique Device Identifier
E. DPI = Deep Packet Inspection
F. All of the above
G. None of the above
H. Some of the above?

3. Do you like

A. Cup cakes
B. Peanut butter sandwiches
C. Soft bristled tooth brushes
D. Sarah Palin
E. All of the above
F. None of the above
G. Some of the above
Thank you and HAPPY HOLIDAYS!

Twitter Weekly Updates for EUdiscovery

Tunisia: International Conference on the Protection of Personal Data in a World without Borders

Yesterday, an international conference on data protection of personal data took place in Tunis, as reported in this article .
The theme of the conference was: Data Protection of Personal Information in a world without borders and the challenges of new technologies.
Tunisian Minister of Justice and Human Rights, Mr. Lazher Bououini, reaffirmed Tunisian’s President Zine El Abidine Ben Ali’s special interest in the protection of personal data and the fact that in Tunisia, it has the status of a constitutional right.
In Tunisia, the protection of personal data is covered by a comprehensive law of July 27, 2004.
On November 27, 2007, Tunisia created a Data Protection Supervisory Office.
The minister identified as a major challenge in coming years the protection of the security and privacy of personal information on the internet, especially concerning vulnerable categories of people like children.

How to recover your data from the cloud

Where is my data? #@$%&*!
Follow Super Mario to find out!

RT @EFF Breaking News on EFF V…

RT @EFF Breaking News on EFF Victory: Appeals Court Holds that Email Privacy Protected by Fourth Amendment


  1. Did you know you can shorten your long links with Shortest and earn cash for every visitor to your shortened urls.

  2. Bluehost is ultimately the best website hosting company for any hosting services you need.


Related Posts Plugin for WordPress, Blogger...