Page 1: Data Protection Compliance

Professor Ian Walden
Institute of Computer and Communications Law, Centre for Commercial Law Studies, Queen Mary, University of London

Page 2: Introductory Remarks

Personal data
– ‘processing’: collecting, using, disclosing & transferring personal data

Compliance
– data controller
• ‘determines purpose and means’
• e.g. SWIFT case
– data processor
• e.g. web host
• “shall be in writing or in another equivalent form” (art. 17(4))

Page 3: Transparency

Obligation
– fair processing (art. 6(1))
– when using networks to store information or gain access to information stored on users’ terminal equipment (02/58/EC, art. 5(3))
• e.g. ‘cookies’
• user must be ‘provided with clear and comprehensive information’

Timing
– when collected from the data subject (art. 10)
– when not obtained from the data subject (art. 11)
• unless the data subject already has it

Page 4: Transparency

Content of notification

– identity, purposes, recipients, consequences, right of access

Right of access (art. 12)
– personal data
– meta-data
• purposes, disclosures, source
– right of rectification, erasure, blocking
• notification of third parties

Notification to national authority (art. 18)

Page 5: Transparency

Related legislation
– Distance-selling Directive 97/7/EC: art. 4 (prior information), art. 5 (written confirmation)
• Distance-selling of financial services Directive 02/65/EC: art. 3 (prior information), art. 4 (additional requirements), art. 5 (communication of terms & information)
– eCommerce Directive 00/31/EC: art. 5 (general), art. 6 (commercial communications), art. 10 (contract process)

Form
– ‘durable medium’
• “which enables the consumer to store information addressed personally to him in a way accessible for future reference” (02/65/EC, art. 2(f))
– ‘easily, directly and permanently accessible to the recipients of the service’

Page 6: Processing Personal Data

Consent
– “freely given, specific and informed”

Ex ante
– as one ground for legitimising processing
– as sole ground for legitimising processing
• use of traffic data for ‘marketing’ or ‘provision of value added services’ (02/58/EC, art. 6(3))

Ex post
– right to object to processing for the purposes of ‘direct marketing’ (art. 14(b))

Page 7: Processing Personal Data

– nature
• implied (opt-out) & explicit (opt-in)
– ‘unambiguously’
• ‘special categories of data’ (art. 8)
• Directive 99/93/EC, art. 8(2) re: certification service providers
– timing
• prior
– Directive 02/58/EC, art. 13(1): unsolicited communications

Alternative grounds
– performance of a contract (transactional)
– compliance with a legal obligation (regulatory)

Page 8: Problem of Children

From marketing to social networking sites, e.g. Bebo, Facebook

When is a child independent?
– OIC: 12 yrs; FEDMA: 14 yrs

Children’s Online Privacy Protection Act of 1998
– applies to sites directed at children under 13, or that knowingly collect data from children under 13
– otherwise, not under a duty to investigate the age of visitors
– ‘verifiable parental consent’
• e.g. email with digital signature
– enforcement
• UMG Recordings $400,000 and Bonzi Software $75,000

Page 9: Transferring Data

Question of applicable law (art. 4)
– “..for purposes of processing personal data makes use of equipment..”
• transit exception
• web-based forms
– Lindqvist (2003)
• uploading to web does not mean ‘transfer’ (para. 68)

‘Adequate level of protection’ (art. 25)
– ‘in the light of all the circumstances’
– Community findings of adequacy (art. 25(6))
• Switzerland, Hungary, Canada, Argentina, US ‘Safe Harbor’

Page 10: Transferring Data

Derogations (art. 26)
– consent
– specified need, e.g. “on important public interest grounds, or for the establishment, exercise or defence of legal claims”
• But SWIFT case: “only important public interests identified as such by the national legislation applicable to data controllers established in the EU are valid in this connection.” (WP 128)
– authorised by national authority
• e.g. contractual provisions, binding corporate rules