Sunday, January 27, 2013

Best Website About People Privacy: http://ediscoverymap.com

“Embedded Devices: How Electronic Conveniences Affect Privacy and Discovery” at the Masters Series for Legal Professionals in NYC

August 11th, 2011 by Monique Altheim

This panel was presented at the Masters Series for Legal Professionals, recently held in NYC on July 19, 2011.
The panel was moderated by Steve Akers, CTO and Founder of Digital Reef, Inc. Panelists included Daniel Garrie, ESQ, Special Master and Mediator in eDiscovery and Daniel K. Gelb, Gelb & Gelb LLP.
The panel discussed issues arising when discoverable data are stored in the “cloud”, mobile apps, mobile phones, iPads, GPS tracking devices and more.


Tags: , , , , , , , . Cloud,Conferences,EDiscovery,Internet of Things,Online Privacy Closed

Twitter Weekly Updates for EUdiscovery

August 5th, 2011 by Monique Altheim

Tags: , , , , , , , , . Weekly Twitter Updates Closed

Twitter Weekly Updates for EUdiscovery

July 29th, 2011 by Monique Altheim

Tags: , , , , , , , , . Weekly Twitter Updates Closed

Online Directories and Privacy: The Story of Jo Average Jr., Part 1

July 28th, 2011 by Monique Altheim
Jo Average Jr. has just been laid off because of the recession and has started sending his resume to hundreds of potential employers. He has many years of experience in his field, but was careful not to go too much back in time on his resume, so as not to reveal his real age. Even though he looks ten years younger than his age, is fit and healthy, he is only too painfully aware of the prevalent “ageism” prejudice in the workplace.
When employer John Justlucky Sr. reads Jo’s resume, he is impressed by Jo’s qualifications and decides to quickly google his name and city. There is no one else with Jo’s name in his city, so it is easy to find him on google. On top of the first google results pages are two ads screaming for John’s attention: One says: Info on Jo Average Jr. It is by http://www.ussearch.com
The other one says: We found Jo Average Jr!!!!! It is by http://www.intelius.com.
How can John resist? After all, he is doing his due diligence. So he clicks on one of the links, types in Jo’s name, and up pops a profile page with Jo’s age in big letters: 57. John Justlucky Sr. quietly deletes Jo’s resume and proceeds to look at the next one.
After a few weeks of no responses Jo starts to wonder whether he is doing the right thing and decides to take a resume building class. The teacher advises the class to check their online search pages in order to make sure there are no embarrassing pictures from Facebook when potential employers google their name.
Jo is not on Facebook, so he knows he has nothing to worry about. He has an old LinkedIn page, that he created five years ago when he was unemployed for a couple of months. He found another job very quickly though, and never bothered to update his profile while he was so busy at his new work. But now he has the time and decides to spruce up his online image with a detailed report on his LinkedIn profile about his extensive experience accumulated over the past five years. Jo knows that potential employers and recruiters might look him up online and find his LinkedIn profile.
Jo finally gets around to check his Google search results, anticipating to see his updated LinkedIn profile on top of the list. But instead he sees the two ads, mentioned above, followed by an ad by http://www.spokeo.com/ promising to find Jo Average Jr.’s address, email, phone, family, friends, hobbies, age, you name it.
Jo nervously clicks on Spokeo.com, fills in his name, and one click away he is staring at a streetview picture of his home, his street, his entire neighborhood.
His wife’s and three children’s names and ages are also neatly displayed for all to see. For a couple of dollars he, or any complete stranger, can even find out how much money he makes, how many assets he has and how much money he owes.
Jo wonders how come he was never notified by Spokeo, Intelius, or Ussearch that he was going to be included in such directories, and why he was never given a choice whether to be included or not.
He now starts to think: If there are three online directories on the first Google search page, for sure there must be more on the following pages? He googles “online directories” and in a split second the results come up: 121 million search results…
Now he’s cursing out Google, and decides to check out Microsoft’s search engine, Bing. Maybe many employers use Bing.
When he searches his name, the same Intelius and Ussearch ads appear on top of the page.
Right below those two, there is a new link: Jo Average, Jr. http://www.yatedo.com
He clicks on the link, and to his utter consternation sees his old profile on LinkedIn, that he created five years ago, when he was unemployed, glaring at him. It makes him look as if he has been unemployed for the last five years. It also looks like Yatedo just copied and pasted his old profile on their site a few years ago and never looked at it again. On the right hand corner, a huge call-to-action window shouts: “This is ME!” , prompting him to claim his profile.
Jo is dumbfounded. He knows he must take action, but has no clue as where he should start. He heard about a company called Reputation.com and checks out the price list: it’s too expensive for someone like Jo Average Jr., especially now that he has lost his job.
Do you have any advice for Jo Average Jr.? Please don’t hesitate to comment.
In the next installment, some legal issues will be highlighted and some practical solutions will be proposed.


Tags: , , , , , , , , , , . FCRA,Online Privacy 4 Comments

Twitter Weekly Updates for EUdiscovery

July 22nd, 2011 by Monique Altheim

Tags: , , , , , , , , , , . Weekly Twitter Updates Closed

The Meaning of “Consent” in the EU Data Protection Framework: A New Article 29 Working Party Opinion

July 15th, 2011 by Monique Altheim

The Meaning of “Consent” in the EU Data Protection Framework: A New Article 29 Working Party Opinion

On July 13, 2011, the Article 29 Data Protection Working Party (hereafter Article 29 WP ) adopted Opinion 15/2011 on the Definition of Consent.

This opinion looks into the legal framework regarding the use of consent under Directive 95/46/EC and Directive 2002/58/EC in the context of the ongoing review of the Data Protection Directive.

A. GOAL of the ARTICLE 29 WP OPINION

This opinion aims to clarify the existing legal requirements and illustrate how they work in practice. At the same time, in doing so, it provides a reflection on whether the existing framework remains suitable in the light of the many new ways of processing personal data or whether changes to it may be necessary. Consent is also one of the subjects about which the Commission has asked for input in the context of the review of Directive 95/46/EC.

B.“VALID CONSENT” DIRECTIVES
The Opinion provides a thorough analysis of the concept of consent as currently used in the Data Protection Directive (Directive 95/46/EC) and in the e-Privacy Directive (Directive 2002/58/EC.)
Concerning the overlap between the two directives, the Article 29 WO states: “The general conditions for consent to be valid, as foreseen in Directive 95/46/EC, apply both in the off-line and in the on-line world. Directive 2002/58/EC specifies these conditions for some explicitly identified on-line services, always in the light of the general conditions of the Data Protection Directive.”

C. CONSENT AS LEGAL BASIS TO PROCESS PERSONAL DATA

According to the Directive, personal data cannot be handled at all, except on the basis of a very limited list mentioned in articles 7 and 8 of the Directive.
One legal basis that gives a data controller the right to “process” personal data is unambiguous consent by the data subject.” (Article 7. (a) Directive 95/46/EC).
There are 5 other legal grounds for processing personal data.
The processing of sensitive personal data requires explicit consent. (Article 8.2(a) Directive 95/46/EC).
There are 4 other legal grounds for processing sensitive personal data.

D. GENERAL PRINCIPLES OF VALID CONSENT

Article 29 WP:
  • • Valid consent presupposes individuals’ capacity to consent. Rules regarding the capacity to consent are not harmonized and may therefore vary from Member State to Member State.
  • • Individuals who have consented should be able to withdraw their consent, preventing further processing of their data. This is confirmed also under the ePrivacy Directive for specific data processing operations based on consent, such as the processing of location data other than traffic data.
  • • Consent must be provided before the processing of personal data starts, but it can also be required in the course of a processing, where there is a new purpose. This is stressed in various provisions of Directive 2002/58/EC, either through the requirement “prior” (e.g. Article 6.3) or through the wording of the provisions (e.g. Article 5.3).


E. DEFINITIONS OF CONSENT IN THE DATA PROTECTION DIRECTIVE (Directive 95/46/EC).

SUMMARY

Article 2 (h) of Directive 95/46/EC defines consent as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.
Article 7 of the Directive, which sets forth the legal basis for processing personal data, sets out unambiguous consent as one of the legal grounds.
Article 8 requires explicit consent as a legal ground to process sensitive data.
Article 26.1 of Directive 95/46/EC and various provisions of the ePrivacy Directive require consent to carry out specific data processing activities within their scope of application.


1. GENERAL
Article 2 (h) of Directive 95/46/EC
defines consent as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.

a. Consent may be “any…indication of his wishes”

Article 29 WP: “The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject’s wishes, and to be understandable by the data controller. The words “indication” and “signifying” point in the direction of an action indeed being needed (as opposed to a situation where consent could be inferred from a lack of action).”
Example: Bluetooth advertising boards
There is a developing advertising tool consisting of boards sending messages asking for the establishment of a Bluetooth connection to send ads to people passing nearby. The messages are sent to people that have activated their Bluetooth devices on their mobiles. The sole activation of the Bluetooth function does not constitute a valid consent (i.e. the Bluetooth function could be activated for other purposes). On the other hand, when someone is informed about the service and approaches a few centimeters from the board with his or her mobile, there is, normally speaking, an indication of a wish: this shows which people are really interested in getting the ads. Only those people should be considered as having consented, and only they should receive the messages on their phones.

b. Consent must be FREELY given:
Article 29 WP: “This means that there must be no risk of deception, intimidation or significant negative consequences for the data subject if he/she does not consent. Data processing operations in the employment environment where there is an element of subordination, as well as in the context of government services such as health may require careful assessment of whether individuals are free to consent.”
Example – Electronic health records
In many Member States there is a move to create an electronic summary of patients’ health records. This will allow healthcare providers to access key information wherever the patient needs treatment. – In the first scenario, the creation of the summary record is absolutely voluntary, and the patient will still receive treatment whether or not he or she has consented to the creation of a summary record. In this case consent for the creation of the summary record is freely given because the patient will suffer no disadvantage if consent is not given or is withheld.
- In the second scenario, there is a moderate financial incentive to choose the e-health record. Patients refusing the e-health record do not suffer disadvantage in the sense that the costs do not change for them. It could be considered here as well that they are free to consent or not to the new system.
- In the third scenario, patients refusing the e-health system have to pay a substantial extra cost compared to the previous tariff system and the processing of their file is considerably delayed. This signifies a clear disadvantage for those not consenting, with the purpose to bring all citizens within the e-health system in a scheduled deadline. Consent is therefore not sufficiently free. One should therefore also examine the existence of other legitimate grounds to process the personal data or examine the application of Article 8.3 of Directive 95/46/EC.
Free consent in the context of employment:
Article 29 WP: “where consent is required from a worker, and there is a real or potential relevant prejudice that arises from not consenting, the consent is not valid in terms of satisfying either Article 7 or Article 8 as it is not freely given. If it is not possible for the worker to refuse it is not consent…. An area of difficulty is where the giving of consent is a condition of employment. The worker is in theory able to refuse consent but the consequence may be the loss of a job opportunity. In such circumstances consent is not freely given and is therefore not valid. The situation is even clearer cut where, as is often the case, all employers impose the same or a similar condition of employment.”
When the public authority is the data controller:
Article 29 WP:
“..when a public authority is the data controller, the legal ground for legitimising the processing will be the compliance with a legal obligation ex Article 7(c), or the performance of a task of public interest ex Article 7(e), rather than consent.”
Example: PNR data
The question of whether the consent of passengers can be validly used to legitimise the transfer of booking details (“PNR data”) by European airlines to the US authorities has been discussed. The Working Party considers that passengers’ consent cannot be given freely as the airlines are obliged to send the data before the flight departure, and passengers therefore have no real choice if they wish to fly.21 The legal basis here is not the consent of the passenger but, rather in accordance with Article 7(c), the obligations foreseen in the international agreement between the EU and the US on the processing and transfer of Passenger Name Record (PNR) data.



c. Consent must be SPECIFIC :

Article 29 WP:  “Blanket consent without determination of the exact purposes does not meet the threshold. Rather than inserting the information in the general conditions of the contract, this calls for the use of specific consent clauses, separated from the general terms and conditions.”
Also: “specific consent may be needed for processing beyond what is necessary for the performance of the contract.”
Example: social networks
The social network service offers the possibility to use external applications. The user is, in practice, often prevented from using an application if he does not consent to the transmission of his data to the developer of the application for a variety of purposes, including behavioural advertising and reselling to third parties. Considering that the application can run without it being necessary that any data is transferred to the developer of the application, the WP encourages granularity while obtaining the consent of the user, i.e. obtaining separate consent from the user for the transmission of his data to the developer for these various purposes. Different mechanisms, such as pop-up boxes, could be used to offer the user the possibility to select the use of data to which he agrees (transfer to the developer; added value services; behavioural advertising; transfer to third parties; etc).

d. Consent must be INFORMED:

Article 29 WP: Articles 10 and 11 of the Directive lists the type of information that must necessarily be provided to individuals. In any event, the information provided must be sufficient to guarantee that individuals can make well informed decisions about the processing of their personal data. The need for consent to be “informed” translates into two additional requirements. First, the way in which the information is given must ensure the use of appropriate language so that data subjects understand what they are consenting to and for what purposes. This is contextual. The use of overly complicated legal or technical jargon would not meet the requirements of the law. Second, the information provided to users should be clear and sufficiently conspicuous so that users cannot overlook it. The information must be provided directly to individuals. It is not enough for it to be merely available somewhere.”
Example: crime mapping
Some police forces are considering publishing maps, or releasing other data, showing where particular types of crime took place. Usually safeguards built into the process mean that no personal data about the victims of crime is published, because crime is only linked to relatively broad geographical regions. However, some police forces want to pin-point crime more exactly, where the victim of a crime consents to this. In such a case it becomes possible to link more precisely the data subject with the place where a crime has been committed. However, the victim is not specifically told that identifiable information about him/her will be published openly on the internet and how this information can be used. Consent is therefore not valid in this case because victims may not fully understand the extent to which information about them is being published.




2. UNAMBIGUOUS:

According to the Directive, personal data cannot be handled at all, except on the basis of a very limited list mentioned in articles 7 and 8 of the Directive, as mentioned above.
One legal basis that gives a data controller the right to “process” personal data is “unambiguous consent by the data subject.” (Article 7.(a) Directive 95/46/EC).

Article 29 WP: “Unambiguous” calls for the use of mechanisms to obtain consent that leave no doubt as to the individual’s intention to provide consent. In practical terms, this requirement enables data controllers to use different types of mechanisms to seek consent, ranging from statements to indicate agreement (express consent), to mechanisms that rely on actions that aim at indicating agreement.
Example: on-line game
An on-line game provider requires players to provide age, name and address for the purposes of participating in the on-line game (distribution of players among ages and addresses). The website features a notice, accessible through a link (although access to such notice is not necessary to participate in the game), which indicates that by using the website (and thus providing information) players are consenting to their data being processed to deliver them marketing information, by the on-line game provider and by third parties.
Accessing and participating in the game is not tantamount to giving unambiguous consent to the further processing of their personal information for purposes other than the participation in the game. Participation in the game does not imply the individuals’ intent to consent to processing other than what is necessary to play. This type of behaviour does not constitute an unambiguous indication of the individual’s wish to have his/her data used for marketing purposes.
Example: default privacy settings
The default settings of a social network, which users do not necessarily need to access to use it, enable the entire “friends of friends” category making all the personal information of each user viewable to all “friends of friends”. Users who do not wish to have their information viewed by “friends of friends” are required to click a button. If they remain passive, or fail to engage in the action consisting in clicking a button, they are deemed by the controller to have consented to having their data viewable. However, it is very questionable whether not clicking on the button means that individuals at large are consenting to have their information viewable by all the friends of friends. Because of the uncertainty as to whether the lack of action is meant to signify consent, not clicking may not be considered unambiguous consent.

3. SENSITIVE PERSONAL DATA:

Sensitive personal data are personal data that reveal “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life” and processing of such data is in principle prohibited, with a very limited list of exceptions (Article 8.2(a) of Directive 95/46/EC).
Article 8.2(a) Directive 95/46/EC requires explicit consent to process sensitive data.

EXPLICIT consent:
In legal terms “explicit consent” is understood as having the same meaning as express consent. The difference here is that, whereas with regular personal data, for consent to be valid it must be unambiguous, and explicit/express consent is but one of the many ways to show unambiguous consent, in case of sensitive personal data, explicit/express consent is the ONLY valid way to show valid consent.
Article 29 WP:  “meaning an active response, oral or in writing, whereby the individual expresses his/her wish to have his/her data processed for certain purposes. Therefore, express consent cannot be obtained by the presence of a pre-ticked box. The data subject must take some positive action to signify consent and must be free not to consent.”
Example: medical data for research
A patient who is informed by a clinic that his medical file will be transferred to a researcher unless he objects (by calling a number), will not meet the requirement of explicit consent.
Also: “Consent does not have to be recordable to be valid. However, it is in the interest of the data controller to retain evidence.”

F. UNAMBIGUOUS CONSENT AS LEGAL BASIS FOR TRANSFER OF PERSONAL DATA TO NON_ADEQUATE THIRD COUNTRIES (Article 26.1(a) of Directive 95/46/EC).

The article 29 WP repeats its opinion expressed in WP 114 that “Consent is unlikely to provide an adequate long-term framework for data controllers in cases of repeated or even structural transfers for the processing in question” In case “ just one data subject subsequently decided to withdraw his consent…”, further transfers become invalid.


G. THE E-PRIVACY DIRECTIVE (Directive 2002/58/EC)
The recently amended e-Privacy Directive (Directive 2002/58/EC) applies to providers of publicly available electronic communication services only (e.g. providers of telephony, Internet service providers, etc).

1. CONSENT AND RELATION WITH DIRECTIVE 95/46 EC (Article 2(f)) Article 2 of the e-Privacy Directive explicitly states that the definitions of Directive 95/46/EC shall apply regarding Directive 2002/58/EC.
2. INTERCEPTION/SURVEILLANCE OF COMMUNICATIONS (Article 5(1)) Requires the consent of “all users concerned“, in other words, the two parties to a communication.
3. TIMING WHEN CONSENT IS REQUIRED (Articles 6(3), 9, 13 and 5(3)) Consent is to be provided prior to the processing. This is in line with Directive 95/46/EC.
4. THE RIGHT TO OBJECT AND ITS DISTINCTION FROM CONSENT (Article13(2-3)) If the addressee of the commercial communication is an existing client and the communication aims at promoting the provider’s own or similar products or services, the requirement is not consent, but ensuring that individuals “are given the opportunity to object” ex Article 13(2). Recital 41 explains the reasoning why the legislator, in this case, did not require consent: “Within the context of an existing customer relationship, it is reasonable to allow the use of electronic contact details for the offering of similar products or services”. Thus, in principle, the contractual relationship between the individual and the service provider is the legal ground that allows the first contact by email.
5. POSSIBILITY TO WITHDRAW CONSENT (Articles6.3,9.3-4.)



H.  ARTICLE 29 WORKING PARTYS ASSESSMENT CONCERNING THE CURRENT DATA PROTECTION FRAMEWORK and RECOMMENDED CHANGES

The Article 29 WP deplores the lack of uniformity in implementation of the requirements for valid consent by the EU member states at the national level.
It suggests the following changes as part or the revision of the general data protection framework.
  • Further clarification of the wording “unambiguous”. “Clarification should aim at emphasizing that unambiguous consent requires the use of mechanisms that leave no doubt of the data subject’s intention to consent. At the same time it should be made clear that the use of default options which the data subject is required to modify in order to reject the processing (consent based on silence) does not in itself constitute unambiguous consent. This is especially true in the on-line environment.”
  • Include the word “unambiguous” in the general definition of consent of Article 2(h), in order to avoid confusion.
  • “Unambiguous consent” which encompasses explicit consent but also consent resulting from unambiguous actions should remain the required standard. This choice gives more flexibility to data controllers to collect consent and the overall procedure may be quicker and more user friendly.
  • Include wording reflecting interpretations of consent by case law and Article 29 WP Opinions.
  • Include enhanced protection rules for individuals lacking legal capacity, such as children.

Tags: , , , , , , , , , , , , , . Cross Border Data Flow,European Union Data Protection,Online Privacy Closed

Twitter Weekly Updates for EUdiscovery

July 15th, 2011 by Monique Altheim

Tags: , , , , , , , , , , . Weekly Twitter Updates Closed

Twitter Weekly Updates for EUdiscovery

July 8th, 2011 by Monique Altheim

Tags: , , , , , . Weekly Twitter Updates Closed

Twitter Weekly Updates for EUdiscovery

July 1st, 2011 by Monique Altheim

Tags: . Weekly Twitter Updates Closed

Twitter Weekly Updates for EUdiscovery

June 24th, 2011 by Monique Altheim
Posted by at
Labels: , , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)
Related Posts Plugin for WordPress, Blogger...