WSGR EU Data Protection Briefing, March 20, 2013 (final)

Page 1

Wilson Sonsini Goodrich & Rosati, LLP

European Data Protection Briefing

Cédric Burton

www.wsgr.com

Meeting at Google Russia

Moscow, March 20, 2013

Page 2

Outline

I. Overview of EU privacy and data protection legal framework

II. EU privacy regulatory approach

III. The future of data protection in the EU – draft data protection regulation

IV. EU privacy & data protection compliance in practice

V. Focus on a few selected issues

– Secrecy of electronic communications

– Approach to user protection and user identification

– Security requirements

Page 3

Overview of EU Privacy & Data Protection Legal Framework

• Article 8 European Convention of Human Rights

• Article 16 Treaty on the Functioning of the European Union

• EU Data Protection Directive (95/46/EC)

– General principles

– Applies to all sectors

• E-Privacy Directive (2002/58/EC as amended by 2009/136/EC)

– Rules for telecoms

– Cookies and spamming regulation

• Data Retention Directive (2006/24/EC)

• Various national privacy and data protection laws implementing these Directives

• Additional national law requirements such as secrecy of electronic communications

• The EU Data Protection Directive is currently being reviewed (draft Data Protection Regulation)

Page 4

EU Privacy Regulatory Approach

• Privacy & Data Protection is a Fundamental Human Right

• Omnibus legislation (transversal approach)

– Applies to all entities in all sectors

– Technological neutrality

• Informational self-determination

– Individuals at the center of the regulation. Put individuals in control!

• Very broad scope of application

• Different roles and responsibilities for various players

• 10 general principles with some flexibility:

1. Legal basis

2. Proportionality

3. Sensitive data

4. Notice

5. Individuals’ rights

6. Data transfers

7. Data processing

8. Security

9. Data retention

10. Registration with DPAs

Page 5

EU Privacy Regulatory Approach

• Authorities' oversight

– Independent supervisory data protection authorities

   – Independent from government (German case, Belgium)

   – Legislative branch

– Roles

– Subject to fair trial rules

• Regulation / co-regulation / self-regulation

– Incentives for codes of conduct in the EU legal framework

– A few selected success stories:

   – Marketing & OBA (FEDMA, IAB Europe)

   – ICO has been very active (consultation & codes of conduct)

   – Privacy seals

– Incentives for codes of conduct and certification in the new draft legal framework

• Power of investigation and fines

• Right to refer cases to the public prosecutors

• Consultative role

• Ex-post control & little prior checking

Page 6

EU Privacy Regulatory Approach: Learning from EU Privacy Rules

Advantages

• Omnibus legislation

• Users at the center of the legislation

• Some level of harmonization

• Some flexibility regarding main data protection principles including legal basis, data transfer mechanisms and security measures

• Technological neutrality

Disadvantages

• Lack of full harmonization – differences under national laws

• Too prescriptive and not very effective

• Too bureaucratic (e.g., registration)

• Lack of real incentives for self-regulation

• Focus is sometimes more on documentation than on actual compliance

Page 7

The Future of Data Protection in the EU – Draft Data Protection Regulation

• Complex and raises many political issues

• Impacts all sectors, in particular the online business worldwide

• Large impact on non-EU companies

– Potential to affect core businesses of non-EU companies

– Applies to non-EU companies offering goods/services to, or monitoring the behavior of, EU citizens

• Intended to replace national data protection laws, but will likely include numerous exemptions for national law (e.g., employee data)

• Imposes new obligations on companies

– Extensive documentation

– Data minimization

– Accountability

– Privacy by design and by default

– Breach notification

– DPO requirements

• Amends the rules on international data transfers

• Enhances cooperation among regulators and enforcement

• Fines can be levied up to 2% of a company’s worldwide turnover

Page 8

The Future of Data Protection in the EU – Draft Data Protection Regulation

Pros

• No registration with DPAs & one lead authority

• More legal certainty (more harmonization)

• Promotes self-regulation and industry initiatives

• Introduction of the data minimization principle, pseudonyms and anonymous data

• Focus is more on internal compliance than on completing forms

Cons

• Still too prescriptive

• Role of consent is too central

• Issues related to procedural rules and competence of DPAs

• More was expected regarding the data transfers issue

• Very broad and sometimes unclear scope of application

Page 9

The Future of Data Protection in the EU – Draft Data Protection Regulation

• Latest trends:

– Increasing focus on data minimization: the less data the better!

– Pseudonymous data (personal data, pseudonyms, anonymous data): incentives (less strict rules) to avoid identification of individuals!

– More self-regulation and co-regulation

– Risk-based approach

– Fewer documentation requirements

• Status and next steps:

– Discussions in the EU Parliament and the Council of the EU

– May/June 2013: Final vote in the EU Parliament plenary

– Mid 2013: Start of negotiations between the EU Parliament and the Council of the EU

– Timing: Political agreement by end of 2013? Second reading?

– Entry into force two years after adoption (2016 at the earliest)

Page 10

EU Privacy & Data Protection Compliance in Practice

• Difficult to comply with all requirements from the various data protection laws

– Risk assessment is central

– The applicable law issue is crucial – comply with the strictest requirements as a rule?

• Some flexibility on how to apply the main data protection principles

– Legal basis, proportionality, data transfers, security measures

– Necessary since there are many grey areas

• A good privacy notice is key

– Difficult to provide clear information about complex data processing activities

– Layered approach

– Best practices come from industry (regulators even call on the industry to work together and find practical solutions – see the Article 29 WP Opinion on mobile apps):

   – Facebook: http://www.google.co.uk/intl/en/policies/

   – Google: http://www.google.co.uk/intl/en/policies/

   – Microsoft: http://www.microsoft.com/privacystatement/en-gb/core/default.aspx

   – Yahoo!: http://info.yahoo.com/privacy/uk/yahoo/

Page 13

EU Privacy & Data Protection Compliance in Practice

• Consent as a legal basis has some limits:

– Difficult to implement in practice

   – Specific requirements for consent to be valid (freely given, specific, informed)

   – Many different types of consent (e.g., implied, explicit, opt-in, opt-out, prior consent)

   – Multiple consents may be required

   – Consent is not very effective

– In practice, general consent to the terms of use and privacy policy, except in certain limited situations (e.g., location data, cookies)

• Focus on Internet companies:

– From a trade-off between innovation and data protection to data protection as an asset

– Improved cooperation between regulators and Internet companies

– Education and awareness raising: individuals & regulators

– Exemption from liability for Internet intermediaries (e.g., hosting provider, cache provider, mere conduit) unless they have actual knowledge

Page 14

Focus on a few selected issues

• Secrecy of electronic communications

– Differences depending on the applicable national data protection law and context (e.g., HR context, Internet companies)

– General trends:

   – Rationale: protecting against wiretapping

   – Old legislation not aimed at applying to the electronic world

   – Scope (in most EU countries):

      – Only during the transmission of a communication

      – Once an e-mail is on a company server the protection stops

   – Consent as a basis for allowing access to the content of e-mails:

      – There is no violation of secrecy of electronic communications if users consent to the access

      – In the commercial context, consent is usually obtained through terms of service

      – In the HR context, specific consent is often required because of labor law requirements

– Difficult to apply in practice

Page 15

Focus on a few selected issues

• Approach to user protection and user identification

– Individuals' informational self-determination – put users in control!

– Companies are free to require identification or not, but usually there is no identification for IT services. On the contrary, there is a clear trend towards less or no identification!

   – Data minimization principle

   – Individuals have the right to request deletion of personal data

   – Use of pseudonyms

   – Freedom of expression

– Facebook German case

– Massive case law related to IPR enforcement and its conflict with privacy/data protection – little success of graduated response schemes

– Example of industry best practices: Google Incognito mode

Page 16

Focus on a few selected issues

• Security

– Broad and general obligations

– Data controllers are responsible for protecting the data with appropriate security measures and are accountable in case of breach

– Level of protection is determined by the state of the art and the specific risks

– Industry is best placed to assess the level of protection and adapt to new and fast-moving technologies (little DPA guidance on this issue)

– As a result, best practices come from the industry:

Facebook: Family Safety Center – http://www.facebook.com/safety

Google: Good to know – http://www.google.co.uk/intl/en/goodtoknow/

Microsoft: Safety & Security Center – http://www.microsoft.com/security/default.aspx

Yahoo!: Security at Yahoo! – http://info.yahoo.com/privacy/uk/yahoo/security/

Page 18

Conclusions

1. Detailed prescriptive requirements are not workable and not efficient at protecting individuals' privacy & security

2. Focus should be more on practical internal compliance

3. A few core principles with flexibility in implementation works best

4. Industry is better placed to protect individuals' privacy & security, and companies have a strong interest in doing so

5. Clear trends in Europe towards data minimization, online anonymity, the right to deletion and pseudonymous data

6. Less or no identification protects individuals' privacy & limits the security risks

Page 19

Questions?

Thank you!

Cédric Burton

Associate


WSGR EU Data Protection Regulation Observatory, http://www.wsgr.com/eudataregulation