January 5th, 2011 by Monique Altheim
A colleague of mine, Cédric Laurant, recently posted an interesting question on a LinkedIn group that I manage, the European Data Protection Forum:
“Do some iPhone and Android smartphone application makers… violate the consent requirement of the e-Privacy Directive (2009/136)?”
Apple Inc. was sued on Dec. 23 in federal court in San Jose, California. The suit claims that
the California-based Apple’s iPhones and iPads are encoded with identifying
devices that allow advertising networks to track which applications users
download, how frequently they are used and for how long. Apple iPhones
and iPads are set with a Unique Device Identifier, or UDID, which can’t
be blocked by users, according to the complaint.
“Some apps are also selling additional information to ad networks,
including users’ location, age, gender, income, ethnicity, sexual
orientation and political views,” according to the suit.
The suit was filed shortly after the publication of the WSJ’s Dec. 18 article Your Apps Are Watching You.
Some excerpts from the above-mentioned article:
“Among all apps tested, the most widely shared detail was the unique
ID number assigned to every phone. It is effectively a “supercookie,”
says Vishal Gurbuxani, co-founder of Mobclix Inc., an exchange for
mobile advertisers.
On iPhones, this number is the “UDID,” or Unique Device Identifier.
Android IDs go by other names. These IDs are set by phone makers,
carriers or makers of the operating system, and typically can’t be
blocked or deleted.
“The great thing about mobile is you can’t clear a UDID like you can a
cookie,” says Meghan O’Holleran of Traffic Marketplace, an Internet ad
network that is expanding into mobile apps. “That’s how we track
everything.”

To my knowledge, no lawsuits have been filed yet in the EU against
Apple, Google-Android or against the application makers/third party
advertisers.
Since Apple’s and Google’s headquarters are located in the USA, and
most app makers are also located outside the EU/EEA, the question arises
whether the European Data Protection Laws even apply to data processed
by Apple or by Google/Android in an EU/EEA member state. The same applies
to app makers: most of them are located outside the EU.
In other words: Can Apple, Google and app makers be sued on the basis of EU Data Protection Laws?

The EU Data Protection framework is “controller centric”. The
defining criterion is the location of the data “controller”: is
it/he/she located within the EU/EEA, either physically or symbolically?
If yes, the controller is subject to the EU Data Protection framework.
Contrast this with the US model, which is “consumer centric”: the
defining criterion for most US privacy laws, such as COPPA, is the
targeted market. Is the company targeting children in the US market? If
yes, the US laws, in this case COPPA, are applicable, regardless of
where the data controller is located.
The key provision on applicable law under the EU data protection framework is Article 4 of
EU Directive 95/46/EC,
which determines which national data protection law(s) adopted pursuant
to the Directive may be applicable to the processing of personal data.
The present case would be governed by the EU Directive 2002/58/EC, the so-called
e-privacy directive on privacy and electronic communications, as amended by the
EU Directive 2009/EC, the so-called cookie directive. The
EU Directive 2009/EC has not been implemented in all member states’ national laws yet; the deadline is June 2011.
A controversial provision in this directive is the amendment
that says that member states shall ensure that “the storing or access to
information already stored in the terminal equipment of a subscriber or
user is only allowed on the condition that the subscriber or user
concerned has given his or her consent, having been provided with clear
and comprehensive information … about the purposes of the processing.”
This has been understood by many as a requirement for websites to
provide opt-in consent before installing cookies on a user’s device.
It should be remembered, though, that according to the
EU Directive 95/46/EC, the processing of
sensitive data requires explicit consent from the user!
Sensitive Data are data revealing racial or ethnic
origin, political opinions, religious or philosophical beliefs,
trade-union memberships or data concerning health or sex life. I dare
say that in light of this definition, most data posted on social
networking sites (SNS) are to be considered of a sensitive nature. So
are some of the data transmitted by smartphone apps to third parties.
However, the EU Directive 2002/58/EC, as amended by the
EU Directive 2009/EC, does not contain an applicable law and jurisdiction provision, but instead refers to Article 4 of the Directive 95/46/EC.
Article 4 (1) EU Directive 95/46/EC stipulates that the national law shall apply where:
(a) the processing is carried out in the context of the
activities of an establishment of the controller on the territory of the
(EU) Member State.
…
(c) the controller is not established on the Member State’s
territory, and, for purposes of processing personal data makes use of
equipment, automated or otherwise, situated on the territory of the said
Member State…
For the sake of simplifying an extremely complex set of laws, I have
left out provisions that do not directly apply to the situation
discussed in this article.
But even so, the above mentioned rules have created many difficulties in application and interpretation by member states.
“The legal rules for determining whether EU law applies to business
activities, if so which national law, and where jurisdiction lies, are
extraordinarily complex, and involve a number of difficult questions for
which there are no definite answers.” Christopher Kuner,
European Data Protection Law, Corporate Regulation and Compliance (2nd edition, Oxford University Press) 109.
Also, “No provision of Article 4 (or indeed, of the entire General
Directive) has caused more controversy than Article 4(1)(c)”. ibid 118.
So, finally, on Dec. 16, 2010, the Article 29 Working Party released its
Opinion 8/2010 on applicable law, regarding the applicability of the EU Directive 95/46/EC.
The WP explains why it thought its opinion had become so necessary:
“The complexity of applicable law issues is also growing due to
increased globalisation and the development of new technologies:
companies are increasingly operating in different jurisdictions,
providing services and assistance around-the-clock; the internet makes
it much easier to provide services from a distance and to collect and
share personal data in a virtual environment; cloud computing makes it
difficult to determine the location of personal data and of the
equipment being used at any given time.
Clarifying the concept of applicable law is of great importance,
independently of possible amendments to the current provisions of the
Directive in the future. Current provisions will remain valid until
amended, and to the extent that they are not amended. Therefore
clarification of the applicable law provisions will help to ensure
better compliance with the Directive pending any amendment of the
legislation. In addition, in preparing this opinion the Working Party
has been able to draw on the experience of applying the current
provisions with a view to providing guidance to the legislator to assist
in any future revision of the Directive.
But the clear connection between the applicable law and the
controller can be a guarantee of effectiveness and enforceability,
especially in a context in which it can be difficult, or sometimes
impossible, to locate a file (as may be the case for cloud computing).
Clear guidelines as to applicable law rules should help address new
developments: technological (internet; network based files/cloud
computing) and commercial (multinational companies).”
Indeed, to make a complicated situation even worse, the entire
European Data Protection framework is up for review this year (see
this previous blog post).
But, as the WP mentioned, the current law still remains in effect as of now, until and if it is amended.
According to Article 4, the main criteria in determining the applicable law are the location of
the establishment of the controller, and the location of the means or
equipment being used when the controller is established outside the EEA.
Article 4 (1) EU Directive 95/46/EC
1. a) “…an establishment of the controller on the territory of the Member State …”
Article 29 WP: “It is … important to emphasise that an establishment
need not have a legal personality, and also that the notion of
establishment has flexible connections with the notion of control. A
controller can have several establishments, joint controllers can
concentrate activities within one establishment or different
establishments. The decisive element to qualify an establishment under
the Directive is the effective and real exercise of activities in the
context of which personal data are processed.
The notion of establishment is not defined in the Directive. The preamble of the Directive indicates however that
“establishment
on the territory of a Member State implies the effective and real
exercise of activity through stable arrangements (and that) the legal
form of (..) an establishment, whether simply branch or a subsidiary
with a legal personality, is not the determining factor in this respect”
(recital 19).
Concerning the freedom of establishment under Article 50 TFEU (former
Article 43 TEC) the European Court of Justice (ECJ) has considered that
a stable establishment requires that “both human and technical
resources necessary for the provision of particular services are
permanently available”.
The strong emphasis put in the preamble of the Directive on
“effective and real exercise of activity through stable arrangements”
clearly echoes the “stable establishment” referred to by the Court of
Justice at the time of the adoption of the Directive. Although it is not
clear whether this and subsequent interpretations by the ECJ as regards
the freedom of establishment under Article 50 TFEU could be fully
applied to the situations covered by Article 4 of the Data Protection
Directive, the interpretation of the Court in those cases can provide
useful guidance when analysing the wording of the Directive.
This interpretation is used in the following examples:
- Where “effective and real exercise of activity” takes place, for
example in an attorney’s office, through “stable arrangements”, the
office would qualify as an establishment. This induces a broad scope of
application, with legal implications extending beyond the EEA territory:
the Directive – and national laws of implementation – apply to the
processing of personal data outside the EEA (where carried out in the
context of activities of an establishment of the controller in the EEA),
as well as to controllers established outside the EEA (when they use
equipment in the EEA). As a consequence, the provisions of the Directive
can be applicable to services with an international dimension such as
search engines, social networks and cloud computing.
c) “…for purposes of processing personal data makes use of equipment…
situated on the territory of the said Member State.”
This provision becomes relevant when the controller has no presence
in EU/EEA territory which may be considered as an establishment for the
purposes of Article 4(1)(a) of the Directive, as analyzed above.
This provision is especially relevant in the light of the development
of new technologies and in particular of the internet, which facilitate
the collection and processing of personal data at a distance and
irrespective of any physical presence of the controller in EU/EEA
territory.
Article 4(1)(c) will also apply where the controller has an
“irrelevant” establishment in the EU. That is to say, the controller has
establishments in the EU but their activities are
unrelated to the processing of personal data. Such establishments would not trigger the application of Article 4(1)a.
The crucial element which determines the applicability of this
Article and thus of a Member State’s data protection law is the use of
equipment situated on the territory of the Member State.
The Working Party has already clarified that the concept of “making
use” presupposes two elements: some kind of activity of the controller
and the clear intention of the controller to process personal data.
Therefore, whilst not any use of equipment within the EU/EEA leads to
the application of the Directive, it is not necessary for the controller
to exercise ownership or full control over such equipment for the
processing to fall within the scope of the Directive.
The Working Party has recognised the possibility that personal data
collection through the computers of users, as for example in the case of
cookies or Javascript banners, triggers the application of Article 4(1)c and
thus of EU data protection law to service providers established in third
countries.
The WP gives the following example:
Geo-location services:
A company located in New-Zealand uses cars globally, including in EU
Member States, to collect information on Wi-Fi access points (including
information about private terminal equipment of individuals) in order to
provide a geo-location service to its clients. Such activity involves
in many cases the processing of personal data.
The application of the Data Protection Directive will be triggered in two ways:
- First, the cars collecting Wi-Fi information while circulating on
the streets can be considered as equipment, in the sense of Article
4(1)c;
- Second, while providing the geo-location service to individuals,
the controller will also use the mobile device of the individual
(through dedicated software installed in the device) as equipment to
provide actual information on the location of the device and of its
user.
Both the collection of information with a view to provide the
service, and the provision of the geo-location service itself, will have
to comply with the provisions of the Directive.
Notes: I wonder whether the Article 29 WP might have been alluding to the
Google Street View cases? And would the WP have included an app example
if it had waited two more days to publish its opinion? (The opinion was
published on Dec. 16, and the WSJ article came out on Dec. 18.)
Conclusion:
To get back to our original question:
“Do some iPhone and Android smartphone application makers violate the
consent requirement of the e-Privacy Directive (2009/136)?”
The answer, of course, depends first on whether the European Data
Protection Laws apply to the personal data processed through smartphones by Apple or
Google/Android and by third parties located outside the EU/EEA.
In light of the above analysis of
Article 4 (1) EU Directive 95/46/EC, it
would seem that the EU Data Protection laws are indeed applicable to
iPhone and Android and their application makers, whose apps send
personal data like age, gender, location and phone identifiers to
various ad networks.
In this case, either the EU user’s smartphone unique ID or the apps downloaded on the smartphone
would be the “equipment” situated on the territory of a member state
that the app makers use in order to process personal information.
Even though most of the
companies creating these apps are startups, located outside the EEA,
without any establishment within the EEA, they could be sued based on
article 4(1)(c) of the Directive.
Article 4(1)(c) will also
apply where the controller has an “irrelevant” establishment in the EU.
That is to say, the controller has establishments in the EU but their
activities are unrelated to the processing of personal data. Such establishments would not trigger the application of Article 4(1)a.
Apple’s headquarters are located in California, USA, and it has many
“establishments” all over the EU, but these “establishments” may not be
related to the processing of personal data on the iPhones. The same
applies to Google. So, even for Apple and Google, Article 4(1)(c) will provide the legal basis for the applicability of EU law.
Once the applicability of
the EU Data Protection framework has been established, the answer to
the question whether these apps violate the EU Data Protection laws is
fairly clear.
The unique smartphone ID is like a “supercookie,” (see above), and the downloaded app itself can act like a cookie.
Under the EU Directive 2002/58/EC, it is acceptable to use cookies for legitimate purposes if the users are provided “with clear and precise information” about the purposes of such use,
“so as to ensure that users are made aware of information being placed on the terminal equipment they are using.”
Smartphone apps that
transmit the phone’s unique device ID, and/or other personal data to
other companies without giving the user proper notice would be violating
the directive, and the national EU member state laws.
When the data that are transferred consist of sensitive data, there has to be, in addition, opt-in consent from the user.
Under the EU Directive 2009/EC, in addition to notice, “consent” is required as well.
Even though there is
controversy concerning the interpretation of the type of consent
required under this directive (opt-in v. opt-out consent), the total
absence of any type of consent in relation to apps on smartphones would
indicate a violation of this directive and its current and future
implementation by the member states’ national laws. The many apps that
don’t even offer an opt-out option to users would certainly be violating
the directive and its national implementations.
The Article 29 Working Party, in its Opinion 8/2010 on applicable law, ends with some recommendations for the overhaul of the EU Data Protection framework:
“Additional criteria should apply when the controller is established
outside the EU, with a view to ensuring that a sufficient connection
exists with EU territory, and to avoid EU territory being used to
conduct illegal data processing activities by controllers established in
third countries. The two following criteria may be developed in this
view:
− The targeting of individuals, or “service oriented approach”: this
would involve the introduction of a criterion for the application of EU
data protection law, that the activity involving the processing of
personal data is targeted at individuals in the EU. This would need to
consist of substantial targeting based on or taking into account the
effective link between the individual and a specific EU country. The
following examples illustrate what targeting could consist of: the fact
that a data controller collects personal data in the context of services
explicitly accessible or directed to EU residents, via the display of
information in EU languages, the delivery of services or products in EU
countries, the accessibility of the service depending on the use of an
EU credit card, the sending of advertising in the language of the user
or for products and services available in the EU. The Working Party
notes that this criterion is already used in the field of consumer
protection: applying it in a data protection context would bring
additional legal certainty to controllers as they would have to apply
the same criterion for activities which often trigger the application of
both consumer and data protection rules.
− The criterion of the equipment/means: this criterion has shown to
have undesirable consequences, such as a possible universal application
of EU law. Nonetheless, there is a need to prevent situations where a
legal gap would allow the EU being used as a data haven, for instance
when a processing activity entails inadmissible ethical issues. The
equipment/means criterion could therefore be kept, in a fundamental
rights perspective, and in a residual form. It would then only apply as a
third possibility, where the other two do not: it would address
borderline cases (data about non EU data subjects, controllers having no
link with EU) where there is a relevant infrastructure in the EU,
connected with the processing of information. In this latter case, it
might be an option to foresee that only certain data protection
principles – such as legitimacy or security measures – would apply. This
approach, which obviously would be subject to further development and
refinement, would probably solve most of the problems in the current
Article 4(1)(c).”
December 30th, 2010 by Monique Altheim
The European Commission is planning a review of the
Data Retention Directive of 2006,
which could include a harmonization and reduction of the periods when
public authorities can access citizens’ private data held by
telecommunication companies for security matters.
The directive allows for retention periods between 6 months and 24
months. Most member states have implemented the directive into their
national law with retention periods varying from 6 months to 24 months.
Peter Hustinx, the European Data Protection Supervisor, declared
recently that this directive is “the most privacy invasive instrument
ever adopted by the EU in terms of scale and the number of people it
affects.”
Today was the last day of the sold-out
27th Chaos Communication Congress (27C3), the annual four-day conference organized by the
Chaos Computer Club (CCC) in Berlin, Germany.
One of the many interesting lectures, titled
“Data Retention in the EU five years after the Directive: Why the time is now to get active”, dealt with the many flaws inherent in the Data Retention Directive.
The panel consisted of Ralf Bendrath, Patrick Breyer, Katarzyna Szymielewicz, and axel.
The entire presentation was recorded and posted on YouTube, and I posted it below. It is certainly worth watching.
Ralf Bendrath explained how the directive turns the idea of a free society on its head.
In a free society, people may expect not to be constantly monitored
and identified. With the directive, monitoring becomes the norm for
everyone, and suddenly you have 500,000 million suspects in Europe. A
study in Denmark calculated that every EU citizen is recorded in some
manner 225 times a day, or on average every 6 minutes. Each time one
makes or receives a phone call, each time one sends or receives an
email, one is on record.
This constant monitoring affects several basic rights, like freedom
of information, freedom of expression, freedom of assembly and freedom
of organization. Some people may be hesitant to exercise those rights
out of fear of being blacklisted by the government. This kills the idea
of a free society.
Germany’s Federal Constitutional Court (Bundesverfassungsgericht) has recently overturned the German implementation of the Data Retention Directive and has declared it to be unconstitutional.
Romania’s Constitutional Court has declared the directive in breach
of article 8 of the European Convention of Human Rights (ECHR).
There are constitutional cases regarding the directive pending in Hungary and Ireland.
The directive has also become a source of abuse:
In Germany, a T-Mobile employee sold a list of 17 million subscribers’
addresses on the black market. In Poland, four journalists were being
tracked in order to trace back their sources.
The panel ended with a call for an anti-data-retention campaign in all
27 EU member states, before the announced review by the Commission.
This will be the last opportunity to attack the core principles of the
directive.
More than a hundred NGOs are petitioning against the directive. One of them is EDRI, the organization for European Digital Rights.
December 17th, 2010 by Monique Altheim
Yesterday, an international conference on the protection of personal data took place in Tunis, as reported in this article.
The theme of the conference was: Data Protection of Personal
Information in a world without borders and the challenges of new
technologies.
The Tunisian Minister of Justice and Human Rights, Mr. Lazher Bououini,
reaffirmed Tunisia’s President Zine El Abidine Ben Ali’s special
interest in the protection of personal data and the fact that in
Tunisia, it has the status of a constitutional right.
In Tunisia, the protection of personal data is covered by a comprehensive law of July 27, 2004.
On November 27, 2007, Tunisia created a Data Protection Supervisory Office.
The minister identified as a major challenge in coming years the
protection of the security and privacy of personal information on the
internet, especially concerning vulnerable categories of people like
children.
Breaking News on EFF Victory: Appeals Court Holds that Email Privacy Protected by Fourth Amendment