Tag: Data Protection Directive (page 1 of 2)

The ‘Safe Harbor’ Decision ruled invalid by the CJEU

Safe harbor?!? Not anymore.

Safe harbor?!? Not anymore.

Unfortunately, I hadn’t had the time to address the ruling of the CJEU issue last October, by which the ‘Safe Harbour’ scheme, enabling transatlantic transfers of data from the EU to the US, was deemed invalid.

However, due to its importance, and because this blog is primarily intended to be about privacy and data protection, it would be shameful to finish the year without addressing the issue.

As you may be well aware, article 25(1) of Directive 95/46 establishes that the transfer of personal data from an EU Member State to a third country may occur provided that the latter ensures an adequate level of protection. According to article 25(6) of the abovementioned Directive, the EU Commission may find that a third country ensures an adequate level of protection (i.e., a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU under the directive read in the light of the Charter of Fundamental Rights) by reason of its domestic law or of its international commitments.

Thus said, the EU Commission adopted its Decision 2000/520, by which it concluded that the “Safe Harbour Principles” issued by the US Department of Commerce ensure an adequate level of protection for personal data transferred from the EU to companies established in the US.

Accordingly, under this framework, Facebook has been transferring the data provided by its users residing in the EU from its subsidiary in Ireland to its servers located in the US, for further processing.

These transfers and, unavoidably, the Decision had been challenged by the reference to the CJEU (judgment in Case C-362/14) following the complaint filed by Max Schrems, a Facebook user, before the Irish DPA and subsequently before the Irish High Court. The main argument was that, considering the access electronic communications conducted by its public authorities, the US did not ensure adequate protection of the thus transferred personal data.

According to the AG’s opinion, “the access enjoyed by the United States intelligence services to the transferred data constitutes an interference with the right to respect for private life and the right to protection of personal data”.

Despite considering that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU, the CJEU considered that the decision fails to comply with the requirements established in Article 25(6) of Directive and that the Commission did not make a proper finding of adequacy but merely examined the safe harbour scheme.

The facts that the scheme’s ambit is restricted to adhering US companies, thus excluding public authorities, and that national security, public interest and law enforcement requirements, to which US companies are also bound, prevail over the safe harbour principles, were deemed particularly decisive in the assessment of the scheme’s validity.

In practice, this would amount to enable the US authorities to access the personal data transferred from the EU to the US and process it in a way incompatible with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security.

As a result, the Court concluded that enabling public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life.

The Court stated that the decision disregards the existence of such negative interference on fundamental rights, and that the lack of provision of limitations and effective legal protections violates the fundamental right to effective judicial protection.

Upon issuance of this ruling, the Art29WP met and concluded that data transfers from the EU to the US could no longer be legitimized by the ‘Safe Harbor’ decision and, if occurring, would be unlawful.
While its practical implications remain unclear, the ruling undoubtedly means that companies relying on the ‘Safe Harbor’ framework for the transfer of personal data from the EU to the US need to rely, instead, on another basis.

In this regard, considering that not all Member States accept the consent of the data subject or an adequacy self-assessment as a legitimizing legal ground for such cross-border transfers, Model Contractual Clauses incorporated into contracts and Binding Corporate Rules (BCR) for intragroup transfers seem to be the most reliable alternatives in certain cases.

Restrictions on data transfers are obviously also foreseen in the GDPR, which, besides BCRs, Standard Contracts and adequacy decisions, includes new data transfer mechanisms such as certification schemes.

You can find the complete version of the ruling here.

Monitoring of employees in the workplace: the very private parts of a job in the EU private sector

Let us all see what you are doing.

Let us all see what you are doing.1)Copyright by MrChrome under the CC-BY-3.0

Whilst not all employers in the U.S.A. monitor their employees’ communications and activities, the majority do so, namely to evaluate their professional performance, to protect trade secrets, to prevent information security breaches or to avoid or reduce their liability in lawsuits.

So, incoming and outgoing email correspondence, telephone calls, websites visited and documents saved on the computer may be only some of the data accessed in this context.

This surveillance of employees’ electronic communications and activities over employer-provided facilities are generally deemed unlawful under the European Union law. Member States legal systems usually include constitutional laws, telecommunications laws, labour laws and criminal laws which are intended to be dissuasive.

Currently, there is no specific EU legislation regarding the privacy and protection of workers’ personal data at work.

Nevertheless, Article 31(1) of the Charter of Fundamental Rights of the European Union, whose application is mandatory whenever Member States apply EU law, states: “Every worker has the right to working conditions which respect his or her (…) dignity”.

In parallel, there are two EU Directives which can be applicable in these professional contexts. Although they do not specifically deal with any aspect of employment relationships nor address employee monitoring, they establish some privacy principles which are applicable regarding surveillance at workplace. These provisions are then furthered by Member States through their national legislation.

Firstly, we have the 95/46/EC Directive which relates to the protection of individuals with regard to the processing of personal data. Under this framework, data subjects are provided control over the collection, transmission, and use of their personal information. In fact, this instrument foresees that data subjects have the right to be notified of collection of personal information.

In this context, employers have to ensure that their surveillance is legitimate and restricted and must be transparent regarding any surveillance conducted. Any monitoring of the employees communications and activities, namely regarding the use of e-mail, the internet or phones, without their employee’s knowledge or consent, is unlawful.

Secondly, the 2002/58/EC Directive relates to the processing of personal data and the protection of privacy in the electronic communications sector. The interception of  communications over private networks, including e-mails, instant messengers, and phone calls, and generally private communications, are not covered as the instrument only refers to publicly available electronic communications services in public communication networks.

The European Convention for the Protection of Human Rights and Fundamental Freedoms (hereafter ‘ECHR’), in its article 8, reads as follows: “Everyone has the right to respect for his private and family life, his home, and his correspondence”.

Whilst the right to privacy at work has not yet be considered by the Court of Justice of the European Union, the European Court of Human Rights (hereafter ‘ECtHR’) has already ruled that the right to privacy right is not restricted to the household and extends to the workplace environment.

In fact, in Köpke v Germany, the Court stated as follows: “(…) that the concept of private life…may include activities of a professional or business nature and may be concerned in measures effected outside a person’s home or private premises(…)”.

In the Niemietz v. Germany case, the ECtHR included business relations, e-mails, and any other form of electronic communication in the concept of ‘private life and correspondence’, no distinction being made between private or professional correspondence.

In Halford v. UK Gov., the ECtHR held that the employer’s surveillance of the employee’s calls at work unjustifiably interfered with the employee’s right to privacy and correspondence. Communications via e-mail, fax, wireless, and any technological means is covered by the concept of correspondence.

Moreover, in the ruling Copland v United Kingdom, the ECtHR concluded that the fact that the calls or the e-mail usage occur in the office and, at least in theory, are business related, was irrelevant. Business correspondence and telephone calls may contain personal information, which is protected by human rights and by data protection law.

It also found that, even if the telephone monitoring was limited to “the date and length of telephone conversations” and “the numbers dialled,” and do not involve the content of the communications, it still violates article 8 of the ECHR.

The Court stated as well that article 8 is infringed where the monitoring is not previously communicated to the employees, as they have, in consequence, a “reasonable expectation” that they will not be.

However, a worker’s right to privacy at work is not absolute.

In Benediktsdóttir v. Iceland, the ECtHR concluded that the right to privacy and to correspondence has to be balanced with the other rights, namely those of the employer.

In this context, although not legally binding, the Article 29 Working Party (hereafter WP29) opinions provide important guidance. In fact, national data protection authorities take them into account when applying and enforcing national laws.

The WP29 issued an opinion on the processing of personal data in the employment context in 2001, concluding that “[t]here should no longer be any doubt that data protection requirements apply to the monitoring and surveillance of workers whether in terms of email use, internet access, video cameras or location data.” Therefore, monitoring must be proportionate, not excessive for the intended purposes, and carried out in the least intrusive way possible. Furthermore, it stated that, under the Data Protection Directive, employers may process data concerning their employees only with “unambiguous consent” or if the processing is “necessary.”

In 2002, the WP29 issue a Working Document on the surveillance of electronic communications in the workplace, in which was argued that the employee’s right to privacy should be balanced with the legitimate rights and interests of the employer, such specific and important business need, as efficiency or the right to protect the employer from harm caused by employees’ actions. Therefore, the monitoring activities should be necessary, proportionate and transparent.

In the WP29’s viewpoint, any monitoring of electronic communications should be exceptional, namely when necessary to obtain to obtain proof of certain actions of the worker; detect unlawful activity; detect viruses; or guarantee the security of its systems. Therefore, concealed or intrusive monitoring is generally unlawful.

In 2005, in its annual report, the WP29 has affirmed that “[i]t is not disputed that an e-mail address assigned by a company to its employees constitutes personal data if it enables an individual to be identified.

The WP29 stressed, in another Opinion, in 2006, that all online communications in the workplace are subjected to confidentiality protection, including those sent from workplace equipment for private as well as professional purposes. It suggested seven principles to ensure a proper monitoring: necessity regarding a specified purpose; a specified, explicit and legitimate purpose; prior notice to employees about the monitoring; the monitoring should be aimed to safeguard employer’s legitimate interests; personal data processed in connection with any monitoring must be adequate, relevant, and not excessive with regard to the purpose for which they are processed; data must be accurate and not retained for longer than necessary; and appropriate technical and organisational measures shall be implement regarding security.

The requirements at stake may vary according to the monitoring technologies used as some will require stricter standards according to the extent of interference with private life. For instance, in Uzun v. Germany, the ECtHR concluded that the monitoring via GPS is not as intrusive telephone tapping.

Considering that the data collected by the employer may constitute sensitive data, it can only be processed in the cases foreseen in Article 7 of the Directive 95/46. In this context, considering the disparity in the contractual positions at stake the employee’s consent may not deemed to legitimize the processing.

In this context, it is quite advisable for private employers established in the EU to set up clear and acknowledged internal policies or guidelines regarding the use of Internet and electronic equipment in the workplace, for instance as part of the work contract.

This legal and jurisdictional context highlights the challenge that companies and other organizations face when doing business in the European Union, especially those which also operate under U.S.A. law.

References   [ + ]

1. Copyright by MrChrome under the CC-BY-3.0

Microsoft or the rider on a white horse of modern times

My hero!

My hero!

Microsoft has been challenging a USA search warrant, issued within an ongoing narcotics trafficking related investigation, seeking to access the content information of the electronic communications of one of its customers, which are stored exclusively outside the jurisdiction of the USA authorities, more specifically hosted in a data centre in Dublin, Ireland.

The abovementioned warrant would require an extraterritorial search and seizure of data stored in Microsoft’s Dublin datacenter. The very particular question at stake is if and to what extent a USA warrant compels a USA communications service provider to provide data stored abroad. What is to determine territoriality for a USA based provider with data stored abroad: the location where the data is stored or where the company is headquartered?

As any other service provider company, Microsoft stores the e-mail messages sent and received by its users and related information in datacenters, both in the USA and abroad, according to the users own location and proximity, given at registration, in order to increase the quality of the communications and decrease the network latency1)The concept refers to the time it takes for data to get from one designated point to another..

In this specific case, considering that the content is hosted outside the EUA, it is quite possible that the customer at stake is a non-US citizen. And this makes this issue all the worse in the post-Snowden age.

In fact, this situation is not so vaguely reminiscent of the statements of Robert Hannigan, the head of the GCHQ, which qualified tech companies as ‘the command and control networks of choice’, precisely because they do not agree to cooperate on some very dubious terms. Or those of James Comey, the FBI director, a strong opponent of the growing market for secure private telecommunications, namely through data encryption technologies that companies such as Apple and Google have inserted to their Smartphone operating systems.

Needless to say that a “trapdoor” access to the tech companies networks by intelligence agencies and law enforcement authorities, in order to collect information about its users, is not a good idea. With such a free access door, there is no guarantee about who else would be able to gain access to these networks.

And it is quite hard to accept the need of such doubtful mechanisms when existing legal mechanisms do exist and allow achieving the same result. They are called warrants.

But it seems that when even when using the proper legal mechanisms, some governments fail to understand its territorial limitations in regards of competence and jurisdiction. That is certainly why a USA court assumes to have the authority to issue warrants for the search and seizure of property outside the territorial limits of the United States.

According to the Court which issued the warrant, the specific nature of an SCA2)The Stored Communications Act, which authorizes the Government to seek the contents of information stored through a warrant, a subpoena or a court order. warrant differs from a normal warrant, compelling the service provider to gather and produce the data itself, rather than authorizing the entrance into the physical premises in order to conduct a search and seizure. In this context, it is not bound by the geographical restrictions of a search warrant and therefore no elements of extraterritoriality are at stake as Microsoft is merely required to produce information in its possession or control, regardless the location of that information.

The Court further considered that otherwise it would be sufficient for an individual intending to engage in criminal activities to give false residence information or to establish its residence abroad in order to have his account assigned to a server outside the USA and, thus, evade an SCA warrant.

There are, for what I managed to gather, substantial theoretical ambiguities regarding the interpretation and the historical drafting of the SCA. Nevertheless, there are others which are quite straightforward.

For instance, at an international level, such a unilateral initiative risks of negatively interfering with the sovereignty and jurisdiction of another country and may even damage diplomatic relations and foreign policies. The German Government has already stated that it will cease the storage of data in USA cloud providers.

There are indeed proper specific procedures established in bilateral agreements aimed at obtaining criminal evidence located in another country. Take for instance the Mutual Legal Assistance Treaty (MLAT), which is an international instrument designed to facilitate cross-border criminal investigations, concluded between Ireland and the USA. This is precisely because a USA Court Order is no more binding in Ireland as an Irish Court Order would be in the US. For this very reason, the data shouldn’t be transferred from Ireland to the USA other than through such a formal and official channel of co-operation.

However, this mechanism was deemed “slow and laborious” by the USA Court, which also outlined the possibility for one of the parties to decline the request for assistance as a negative feature. Apparently, the main issue is that the requested party may oppose “the exercise of jurisdiction which is in its view extraterritorial and objectionable”. The same Court considered that the fact that some MLAT require the execution of a search warrant to be operated in accordance with the laws of the requested party to be an issue.

Humm, quite self-explanatory, isn’t it? The intention is to access private emails of any customer of a USA based service provider disregarding where the data is located, and without the knowledge or consent of the subscriber or the relevant foreign government where the data is stored.

The interpretation according to which the search of digital data occurs where the data is remotely accessed is just a not so smart and very unfortunate attempt of bypassing the proper existing mechanisms. And it opens the door for legal uncertainty.

The search of digital data undoubtedly occurs where the data is stored when the company at stake is required to copy the data from the server. The location should dictate the competent jurisdiction. If the court has no competence to obtain through a court warrant some evidence, it cannot circumvent that limitation by compelling Microsoft to do what it has no authority to do itself.

Considering that USA-based companies can be constricted to produce documents stored anywhere worldwide – just because they are based in the USA – fails to acknowledge that different laws apply depending on the jurisdictions where the user is located. For instance, Microsoft would be compelled to breach EU data protection laws, namely the Data Protection Directive3)Directive 95/46/EC and the Framework Decision which regulates data transfers to non-EU Member States4)The Council Framework Decision 2008/977/JHA.

In this context, in a statement issued last November, the Article 29 WP stated as follows:

a public authority in a non-EU country should not have unrestricted direct access to the data of individuals processed under EU jurisdiction, whatever the conditions of this access and the location of the data. Conflicts of jurisdiction shall be resolved only under certain conditions–e.g. through prior authorisation by a public authority in the EU or through a mutual legal assistance treaty, respectively covering access by foreign law enforcement authorities to data transferred from the EU or to data stored in the EU. Foreign requests must not be served directly to companies under EU jurisdiction.

Moreover, allowing for the USA government such an access would create a dangerous precedent, potentially leading other countries to disregard the existing legal mechanisms to seek data stored abroad. Such an anarchy is certainly not a desirable outcome to be achieved!

Anyway, considering the company’s previous relation with the National Security Agency (NSA), I must admit this came as a surprise. After all, among the several very inconvenient and ugly truths, namely regarding the PRISM program, the documents provided by Edward Snowden revealed that Microsoft has collaborated closely with USA intelligence services in order to allow users’ communications to be intercepted, including enabling the NSA to circumvent the company’s own encryption.

This can really be the first time that a company challenges the USA government over a domestic warrant for data held overseas. In the meantime, the Irish government has already manifested its support, along with several other tech companies and consumer privacy advocates.

While this situation outlines the increasing role of private companies as the ultimate defendants our rights, it brings to the spotlight that the right of protection against illegal access, search and seizure of physical property needs to clearly apply also to the digital world. I mean, if governments are not entitled to freely conduct searches in a building located in another country, I cannot fathom any reason for considering that this power of search would be bestowed to them in regard of the content of an email stored overseas. The information located in the cloud should be covered by an equally high standard of protection and any exchange should be covered by a strict framework. Otherwise, it is the very cloud model that is put at risk and we all know that the trust of customers has been quite challenged already.

References   [ + ]

1. The concept refers to the time it takes for data to get from one designated point to another.
2. The Stored Communications Act, which authorizes the Government to seek the contents of information stored through a warrant, a subpoena or a court order.
3. Directive 95/46/EC
4. The Council Framework Decision 2008/977/JHA

Game of drones or the not so playful side of the use of RPAS for recreational purposes

I am watching you.

I am watching you.1)Copyright by Don McCullough under the Creative Commons Attribution 2.0 Generic

If one of the gifts you have found underneath the Christmas tree was a drone 2)The term drone is used to describe any type of aircraft that is automated and operates without a pilot on board, commonly described as unmanned aerial vehicles (UAV). There are two types of drones: those which can autonomously follow pre-programmed flight routes and those which have remotely piloted aircrafts systems (RPAS). Only the latter are currently authorised for use in EU airspace., and it happens to have some camera installed on it, you should prepare yourself to embrace your new status of a data controller and face a new set of obligations regarding privacy and safety.

Indeed, whilst drones can be a lot of fun, there are serious considerations at stake which should not be ignored. In fact, the extensive range of their potential applications3)Despite drones were firstly used for military activities, they are increasingly used across the EU for civilian purposes. The civil use usually refers to those commercial, non-commercial and government non-military activities which are more effectively or safely performed by a machine, such as such as the monitoring of rail tracks, dams, dykes or power grids., the proliferation of UAVs with a camera, the collection of data and the subsequent use of such data, namely by private individuals for personal and recreational purposes raise concerns about the impact of these technologies on the safety, security, privacy and the protection of personal data.

As a matter of fact, a drone in itself does not imply the collecting and the processing of any personal data until you attach a camera to it. However, drones are increasingly equipped with high definition optical cameras and therefore are able to capture and record images of the public space. And while there are no apparent privacy concerns regarding the recording of landscapes, having a drone filming through the sky over your neighbourhood might lead to a very different conclusion. Drones have a high potential for collateral or direct intrusion regarding privacy, considering the height at which they operate, allowing to monitor a vast area and to capture large numbers of people or specific individuals. Despite individuals may not always be directly identifiable, their identification may still be possible through the context in which the image is captured or the footage is recorded.

It must be noted that people might not even be aware that they are being filmed or by whom and, as a result, cannot take any steps to avoid being captured if such activity is not made public. People ought not to know that the device is equipped with optical imaging and has recording capabilities. Moreover, because the amateur usage of a drone may not be visible, there is a high risk of being directed to covert and voyeuristic recording of their neighbours’ lives, homes and back gardens. How would you feel if a drone was constantly looming near your windows or in your backyard? Indeed, there is no guarantee regarding the legitimacy of the end to be achieved with the use of drones. None withstanding the fact that a drone may actually pose a threat to people’s personal safety, belongings and property, considering that it may fall, its increasing popularity as a hobby outlines the issue of discriminatory targeting, as certain individuals, such as children, young people and women, are particularly vulnerable to an insidious use of RPAS. This is particularly relevant considering that the images or footage is usually intended to be made publicly available, usually on platforms such as Youtube.

Furthermore, the recording may interfere with the privacy of individuals as their whereabouts, home or workplace addresses, doings and relationships are registered. In this context, the use of drones for hobbying purposes may have a chilling effect on the use of the public space, leading individuals to adjust their behaviour as they fear their activities are being monitored.

Thus considering, the use of this type of aerial technologies is covered by Article 7 and Article 8 of the EU Charter of Fundamental Rights which respectively establish the respect for private life and protection of personal data. Taking into account the abstract nature of the concept of privacy, the main difficulty will be to define when there is a violation at stake.

In addition, there are obviously data protection implications at stake where the drone is capturing personal data. EU data protection rules generally govern the collection, processing and retention of personal data. The EU Directive 95/46/CE and the proposed General Data Protection Regulation are applicable to the collection, processing and retention of personal data, except where personal data is collected in the course of a purely personal or household activity. Hence, the recreational use of drones is a ‘grey area’ and stands almost unregulated due to this household exemption.

Nevertheless, due to the risks at stake, both to privacy and to data protection, the extent to which the ‘household‘ exemption applies in the context of a personal and private use must be questioned.

In a recent ruling, the CJEU concluded that the partial monitoring of the public space carried out by CCTV is subjected to the EU Directive 95/46, even if the camera capturing the images is “directed outwards from the private setting of the person processing the data”. As already analysed here, the CJEU considered that the processing of personal data involved did not fall within the ‘household exemption’ to data protection laws because the camera was capable of identifying individuals walking on a public footpath.

As the RPAS operations may be quite similar to CCTV, but more intrusive, because they are mobile, cover a larger territory, collect a vaster amount of information, it is not a surprise that they may and should be subjected to the same legal obligations. Subsequent to this ruling, these technologies should be considered as potentially privacy-invasive. Consequently, private operators of drones in public spaces should be ready to comply with data protection rules.

Of course, the footage needs to contain images of natural persons that are clear enough to lead to identification. Moreover, and in my opinion, it is not workable to consider, in order for the household exemption to be applied, the images collateral and incidentally captured. Otherwise, selfies unwillingly or unknowingly including someone in the background could not be freely displayed on Facebook without complying with data protection rules. The footage must constitute a serious and systematic surveillance on individuals and their activities.

Therefore, information about the activities being undertaken and about the data processing (such as the identity of the data controller, the purposes of processing, the type of data, the duration of processing and the rights of data subjects), where it does not involve disproportionate efforts, shall be given to individuals (principle of transparency). Moreover, efforts should be made in order to minimize the amount of data obtained (data minimization). Moreover, the controller might need to ensure that the personal data collected by the drone camera is anonymised, is only used for the original purpose for which it was collected (purpose limitation), will be stored adequate and securely and will not be retained for longer than what is necessarily required.

In this context, individuals having their image captured and their activities recorded by the camera of a drone should be given guarantees regarding consent, proportionality and the exercise of their rights to access, correction and erasure.

Thus said, depending on where you are geographically located in the EU, there are obviously different rules regarding the legal aspects related to the use of drones. It is therefore important for individuals intending to operate a drone to get informed and educated about the appropriate use of these devices and the safety, privacy and data protection issues at stake in order to avoid unexpected liability.

References   [ + ]

1. Copyright by Don McCullough under the Creative Commons Attribution 2.0 Generic
2. The term drone is used to describe any type of aircraft that is automated and operates without a pilot on board, commonly described as unmanned aerial vehicles (UAV). There are two types of drones: those which can autonomously follow pre-programmed flight routes and those which have remotely piloted aircrafts systems (RPAS). Only the latter are currently authorised for use in EU airspace.
3. Despite drones were firstly used for military activities, they are increasingly used across the EU for civilian purposes. The civil use usually refers to those commercial, non-commercial and government non-military activities which are more effectively or safely performed by a machine, such as such as the monitoring of rail tracks, dams, dykes or power grids.

CCTV: household security or how to be a data controller at home

CCTV, walking the thin line of protecting yourself or becoming a data processor.

CCTV, walking the thin line of protecting yourself or becoming a data processor.1)Copyright by Nïall Green under the Creative Commons Attribution-Share Alike 1.0 Generic

Having suffered several attacks, in which the windows of the family home had been broken on several occasions, by persons unknown, Mr Ryneš, a Czech citizen, installed a CCTV camera under the eaves of his home. In a fixed position, the camera recorded the entrance to his home, the public footpath and the entrance to the house opposite. The system allowed only a visual recording, which was stored on a hard disk drive. Reaching its full capacity, the device would record over the existing recording, erasing the old material. Although the images would not be monitored in real time, this video surveillance system made it possible to identify two suspects, who were subsequently prosecuted.

However, despite the happy outcome, the operation of this camera system, installed by an individual on his household, for the purposes of protecting the property, health and life of the owner and his family, raised some questions due to the continuous recording of a public space.

One of the suspects challenged the legality of Mr Ryneš recording of the images. The Czech Data Protection Authority (hereafter DPA) considered that this operation infringed data-protection rules because the data collection of persons moving along the street or entering the house opposite occurred lacked their consent; individuals were not informed of the processing of that personal data, the extent and purpose of that processing, by whom and by what means the personal data would be processed, or who would have access to the personal data; and this processing was reported to the Office as mandatory.

Mr Ryneš brought an action challenging that decision in court, which was dismissed. The case was appealed to the Czech Supreme Administrative Court which referred to the Court of Justice of the European Union (hereafter CJEU) for a preliminary ruling.

In this context, in its judgment in Case C-212/13, the CJEU addressed the application of the ‘household exception’, for the purposes of Article 3(2) of Directive 95/46/EC, which refers to the data processing carried out by a natural person in the course of a purely personal or household activity.

The CJEU considered that the image of a person recorded by a camera constitutes personal data within the meaning of the Directive 95/46 inasmuch as it makes it possible to identify the person concerned.

Moreover, the Court considered that video surveillance falls within the scope of the above mentioned directive in so far as it constitutes automatic processing, i.e., an operation which is performed upon personal data, such as collection, recording, storage.

Considering that the main goal of the this Directive is to guarantee a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, as foreseen in article 7 of the EU Charter of Fundamental Rights, the CJEU recalled that derogations and limitations must be strictly necessary.

Therefore, the Court deemed that the ‘household exception’ must be narrowly construed and applicable when the data processing activity is carried out ‘purely’ private and household context, even if it incidentally concerns the private life of other persons, such as correspondence and the keeping of address books.

In this context, the CJEU concluded as follows:

(…)the second indent of Article 3(2) of Directive 95/46 must be interpreted as meaning that the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision.

However, Mr Ryneš’s concerns, which motivated the installation of the camera, were not overlooked by the CJEU. Indeed, the Court outlined that the Directive itself allows, where appropriate, to consider the legitimate interests pursued by the controller, such as the protection of the property, health and life of his family and himself. This reflection is in line with the Opinion of the Article 29 Working Party in this regard as security was mentioned as an example of a legitimate interest of the data controller.

This implies that, even if the household exception is not applicable in this very particular case, a CCTV camera recording activity such as the one in the proceedings is lawful in the light of article 7(f) of the Directive. Thus said, the referring Court will now have to take this interpretative guidance into consideration and decide if the recording and processing at stake were legitimate, for instance, in regards of article 10 of the instrument. It is possible that the Czech Court may still consider that because no information regarding the recording was provided to the public (individuals were not informed of the processing of that personal data, the extent and purpose of that processing, by whom and by what means the personal data would be processed, or who would have access to the personal data) and considering that this processing was not reported to the Office constitute a breach of the data protection rules.

This is particularly relevant considering that, precisely for security purposes, individuals are equipping their households with CCTV systems which capture public space. Only time will tell how this decision will be applied to individuals in practice. Most certainly, DPAs across the EU will update their recommendations regarding the weighing between the necessity of the recording and storing of the data to pursue an interest deemed legitimate and the interests for fundamental rights and freedoms of the data subject.

At this point, it is expectable that householders who have surveillance cameras that capture public space will need to ensure that their collection and further use of any footage which contains images of identifiable individuals complies with the data protection requirements. Thus, they will have, for instance, to at least inform people of this monitoring and ensure that no footage is illegally retained.

References   [ + ]

1. Copyright by Nïall Green under the Creative Commons Attribution-Share Alike 1.0 Generic

(Un)Safe Harbour

Safe harbour for who?

Safe harbour for who?

As a general rule, the EU Data Protection Directive (Directive 95/46/EC) prevents businesses from transferring personal data from the EU to third-countries. Therefore, EU citizens’ personal data cannot be processed or hosted outside the EU, except if those countries do provide an adequate level of data protection. This adequacy requirement is met only when the European Commission recognize the data recipient country as providing an adequate level of protection. These decisions are commonly referred to as ‘adequacy decisions’.

It is deemed that the USA do not meet the above mentioned EU adequacy requirement, i.e., do not provide an adequate level of protection for data transfers to be accepted. Nevertheless, data can still be transferred from companies located in the EU on the basis of the Safe Harbour mechanism. In fact, by reason of the EU Data Protection Directive, the European Commission adopted a Decision (the “Safe Harbour decision”) recognising that the Safe Harbour Privacy Principles and the ‘Frequently Asked Questions’ provide an adequate protection for the purposes of personal data transfers from the EU to the USA.

The EU-USA Safe Harbour is an agreement concluded in 2000 which enables European data controllers to transfer personal data for commercial purposes, from companies located in the EU to companies in the USA that have signed up to the Principles. The framework aims to ensure that such transfers dully comply with the EU data protection law. To that end, USA companies pretending to lawfully receive personal data from the EU are required to self certificate the compliance of their personal data policies and practices to the Safe Harbour. Companies which voluntarily adhere to a set of principles issued by the Federal Trade Commission (FTC) are therefore presumed to qualify for the Safe Harbour ‘adequacy’.

This Framework has been greatly criticized since its implementation. Indeed, the Safe Harbour scheme has been used for the transfer of the personal data of EU citizens from the EU to the USA by companies required to give in data to USA intelligence agencies under the USA intelligence collection programmes. Moreover, some EU Data Protection Authorities manifested strong reservations about the rigour of the Safe Harbour framework, namely regarding the self-certification requirement. These concerns were echoed in the opinion of the Article 29 Working Party on Cloud Computing issued in July 2012, where it was suggested that EU data exporters could not rely on cloud provider’s self-certification regarding compliance.

As a result, it is no surprise that the framework has been reviewed twice, back in 2002 and 2004. Nevertheless, the Safe Harbour framework was endorsed by the European Commission, in January 2012, regarding the draft Data Protection Regulation, where adequacy decisions taken under the current Directive 95/46/CE would remain in effect unless amended, repealed or replaced by the Commission.

By contrast, the European Parliament’s LIBE (Civil Liberties, Justice and Home Affairs) Committee has proposed amending the proposal so that such adequacy decisions would only remain in force for five years after the Regulation comes into effect.

In the wake of the Snowden revelations regarding the USA covert surveillance programme, PRISM, for the interception and access to the electronic communications of EU citizens on a large scale, namely personal data that was transferred to online service providers in the USA under the Safe Harbour, the European Data Protection Authorities (DPAs) and the European Commission have been increasingly manifesting serious concerns regarding the safety of this agreement.

This led Viviane Reding, former Justice Commissioner, to argue that “the Safe Harbor agreement may not be so safe after all” and that it “could be a loophole for data transfers because it allows data transfers from EU to U.S. companies – although US data protection standards are lower than our European ones.” Vivian Reding further announced that the Commission would conduct an assessment of the EU-USA Safe Harbour agreement.

In July 2013 the European Parliament considered that the PRISM program constituted a “serious violation” of the Safe Harbour agreement and called on the European Commission to review the framework. Last March, following its report on mass surveillance activities, the European Parliament approved a resolution calling for the reversion or suspension of the EU-USA Safe Harbour scheme, considering that it fails to provide adequate protection for EU citizens.

Instead, in November 2013, the European Commission put forward a series of 13 recommendations for the USA to put into practice, which would make the Safe Harbour safer, if implemented. Nevertheless, the most controversial features of the framework, such as the voluntary adherence, were not adequately addressed. The expected conclusion of the discussions on the 13 recommendations proposed by the European Commission was set for the end of last summer. The deadline passed without any further developments.

Last June, following a complaint brought by the Austrian campaign group Europe v Facebook regarding the company’s part on NSA’s mass electronic surveillance programme, a Irish court (the Facebook’s international headquarters are in Ireland) referred to the Court of Justice of the EU on the compliance of the Safe Harbour with the EU Charter of Fundamental Rights.

There has been extensive debate regarding the future of the Safe Harbour, considering that some DPAs no longer recognize it as a valid data transfer mechanism. DPAs can exceptionally suspend data transfers based on the Safe Harbour, namely when it is likely that the Safe Harbour Principles are being violated. To date, no DPA has done so. Considering the serious economic implications, I think that it is very unlikely that the Safe Harbour will be suspended or reversed. In the meantime, the decision of the European Commission on the adequacy of Safe Harbour remains in force, until specifically repealed or changed.

Věra Jourová, the new Justice Commissioner, already expressed strong doubts on the security of the Safe Harbour mechanism. However, she did not favour a suspension or a cancellation of the programme. Andrus Ansip, the new Commissioner for the Digital Internal Market, for its turn, did not exclude that possibility.

 

Are you ready for the Internet of Things?

Everything is connected.

Everything is connected. 1)Copyright by Wilgengebroed under the Creative Commons Licence – Attribution 2.0 Generic

Imagine a world where people would receive information on their smart phone about the contents of their fridge; cars involved in an accident would call emergency services, allowing for quicker location and deployment of help; cars would suggest alternative routes in order to avoid traffic jam; personal devices would allow to monitor the health developments of patients or to control the regular medication of elderly persons; washing machines would turn on when energy demand on the grid would be lowest and where alarm clocks and coffee machines could automatically be reset when a morning appointment would be cancelled; a smart oven could be remotely triggered to heat up the dinner inside by the time you would reach home…

If it is true that these scenarios once belonged to the sci-fi world, it is not so hard to picture any of these technologies nowadays. The momentum we are living in and all the progress which is already involved in our lives brings the certitude that it is only a matter of time for us to reach such a future. Technological advancements are allowing achievements that once may have seemed impractical and are turning the sci-fi scenarios into reality.

We are smoothly entering in a new age… The age of the Internet of Things (hereafter IoT). The IoT might be indeed already start happening around us. It suffices to think about all the quite recent changes that we already accept as ordinary.

But what is the IoT all about?

The IoT is a concept which refers to a reality where everyday physical objects will be wirelessly connected to the Internet and be able, without human intervention, to sense and identify themselves to other surrounding devices and create a network of communication and interaction, collecting and sharing data. It  is therefore associated to products with machine-to-machine communication capabilities, which are called ‘smart’.

The high-tech evolution has made ‘smart’ more convenient and accessible and made the vast majority of us technologically dependent on several areas of our daily living. Connected devices have proliferated around us. Consider, for instance, the number of smart phones and other smart devices that most of us cannot conceive a life without anymore as it allows us to connect with the world as it was never possible before.

Similarly, our domestic convenience and comfort have been expanded in ways that once belonged to the imaginary. Homes, housework and household activity can be fully automatized in order to enable us to remotely control lighting, alarm systems, heating or ventilation. The domestic devices that can be connected to the Internet are usually referred to as “home automation” or “domotics”.

In parallel, we are currently able of the ‘quantified self’, which is commonly defined as the self knowledge acquired through self tracking with technology (for instance, pedometers, sleep trackers). One can now track, for example, biometrics as insulin and cortisol, or record more random information about our own habits and lifestyles, as physical activity and caloric intake. This monitoring can be done increasingly by wearables, i.e., computer-powered devices or equipment that can be worn by an individual, including watches, clothing, glasses and items alike. The Google glasses, Google Wear and the Apple Watch are the most famous recent examples.

Scarily enough, the number of objects connected to the Internet already exceeds the number of people on earth. The European Commission claims that an average person currently has at least two objects connected to the Internet and states that this is expected to grow to 7 by 2015 with 25 billion wirelessly connected devices globally. By 2020 that number could double to 50 billion.

However, every time we add another device to our lives, we give away a little more piece of ourselves.

Consequently, along with its conveniences, and due to the easy and cheaply obtained amount of data collection it allows, the idea of a hyper-connected world raises important concerns regarding privacy, security and data protection. To be true, while it is a relatively well-known fact that our mobile devices are frequently sending off data to the Internet, many of us do not understand the far-reaching implications of carrying around an always-on connection, let alone to have almost all your life connected to the Internet.

In fact, such objects will make it possible to access a humongous amount of personal data and to spread it around without any awareness nor control of the users concerned. From preferences, habits and lifestyle, to sensitive data as health or religion information, from geo-location and movements to other behaviour patterns, we will put out there a huge amount of information. In this context, the crossing of data collected by means of different IoT devices will allow the building of a very detailed user profile.

It is essential that users are given control over the data which directly refers to them and are properly informed of what purposes its processing might serve. In fact, currently, it is very common that the data generated is  processed without consent or with a poorly given consent. Quite often further processing of the original data is not subjected to any purpose limitation.

Moreover, as each device will be attributed an IP address in order to connect to internet, each one will be inherently insecure by its very own nature. Indeed, with almost everything connected to the Internet, every device will be at risk of being compromised and hackable. Imagine that your car or home could be subjected to a hacking attack through which it could take control of the vehicle or install a spying application in your TV. Imagine that your fridge could get spam and send phishing e-mails. The data collected through medical devices could be exposed. After all, it is already easier to hack routers and modems than computers.

Last but not the least, as IoT devices will be able to communicate with other devices, the security concerns would multiply exponentially. Indeed, a single compromised device could lead to vulnerability of all the other devices on the network.

Now imagine that all your life is embedded in internet connected devices… Think, for instance, fridges, ovens, washing machines, air conditioners, thermostats, light systems, music players, baby monitors, TVs, webcams, door locks, home alarms, garage door openers, just to name a few. The diversity of connected devices is just astonishing! So we may reach the point where you will have to install firewall for your toaster and a password to secure your fridge.

From a business point of view, questions regarding the security setup and software and operating systems vulnerabilities of devices that will be connected to the internet also have to be answered. Indeed, companies are increasingly using smart industrial equipment and IoT devices and systems, from cars to cameras and elevators, from building management systems to supply chain management system, from financial system to alarm system.

On another level, the security of nations’ critical infrastructures could also be at stake. Imagine, for instance, that the the traffic system, the electric city grid or the water supply can be easily accessed by a third party with ill intentions.

Of course, the EU could not be indifferent to this emerging new reality and to the challenges it presents.

In 2012, the European Commission launched a public consultation, seeking inputs regarding a future policy approach to smart electronic devices and the framework required in order to ensure an adequate level of control of the data gathering, processing and storing, without impairing the economic and societal potential of the IoT. As a result, the European Commission published, in 2013, its conclusions.

Last month, the European data protection authorities, assembled in the Article 29 Working Party, adopted an opinion regarding the IoT, according to which the expected benefits for businesses and citizens cannot come at the detriment privacy security. Therefore, the EU Data Protection Directive 95/46/EC and the e-Privacy Directive 2002/58/EC are deemed to be fully applicable to the processing of personal data through different types of devices, applications and services in the context of the IoT. The opinion addresses some recommendations to several stakeholders participating in the development of the IoT, namely, device manufacturers, application developers and social platforms.

More recently, at the 36th International Conference of Data Protection, Data Protection Officials and Privacy Commissioners adopted a declaration on the Internet of things and a resolution on big data analytics.

The aforementioned initiatives demonstrate the existing concerns regarding Big Data and IoT and the intention to subject them to data protection laws. In this context, it is assumed that data collected through IoT devices should be regarded and treated as personal data, as it implies the processing of data which relate to identified or identifiable natural persons.

This obviously requires a valid consent from data subjects for its use. Parties collecting IoT devices information therefore have to ensure that the consent is fully informed, freely given and specific. The cookie consent requirement is also applicable in this context.

In parallel, data protection principles are deemed to be applicable in the IoT context. Therefore, according to the principle of transparency, parties using IoT devices information have to inform data subjects about what data is collected, how it is processed, for which purposes it will be used and whether it will be shared with third parties. Similarly, the principle of purpose limitation, according to which personal data must be collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes, is also applicable. Furthermore, considering the data minimization principle, the data collected should not be excessive in relation to the purpose and not be retained longer than necessary.

Considering the vast number of stakeholders involved (device manufacturers, social platforms, third-party applications, device lenders or renters, data brokers or data platforms), a well-defined allocation of legal responsibilities is required. Therefore, a clear accountability of data controllers shall be established.

In this context, the Directive 2002/58/EC is deemed applicable when an IoT stakeholder stores or gains access to information already stored on an IoT device, in as much as IoT devices qualify as “terminal equipment” (smartphones and tablets), on which software or apps were previously installed to both monitor the user’s environment through embedded sensors or network interfaces, and to then send the data collected by these devices to the various data controllers involved…

Thus said, one can only rejoice that the enchantment about the possibilities of IoT does not surpass the awareness regarding the existent vulnerabilities. But it remains to be found how can these and the other data protection and privacy requirements be effectively implemented in practice.

We certainly are in the good way to dodge any black swan event. However, it won’t be that easy to find the appropriate answers for the massive security issues that come along. And one should not forget that technology seems to always be one step ahead of legislation.

So, the big question to ask is:

Are we really ready for the Internet of Things?

References   [ + ]

1. Copyright by Wilgengebroed under the Creative Commons Licence – Attribution 2.0 Generic

The Google Affair – Crossing the Border

You will cross the border. Just saying.

You will cross the border. Just saying.

Today I am referring again to the famous Google Spain judgement, better known for ruling on what press has been popularly calling the ‘right to be forgotten’. The amount and the complexity of the questions raised in that decision enabled me to address all of them in the previous posts (here, here, here, and here)… And as I like to honour my promises, I will not  promise that this will be the last post regarding that matter.

So, although the worldwide attention has been focusing on the fact that individuals may directly address, to search engines, requests for deletion of links from search results, the ruling also dealt with a key topic that seemed to have been undervalued, even if as equally important for businesses.

I am specifically referring to the territorial scope of the Directive 95/46 1)Directive 95/46/EC of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, i.e., whether it applies to Google Spain, a subsidiary of Google Inc. or not, given that the parent company is based in Silicon Valley.

In order to fall within the territorial scope of the national provisions implementing the above mentioned Directive, the data processing shall be namely carried out in the context of the activities of an establishment of the data controller on the territory of the Member State, as stated in its article 4(1)(a).

As foreseen in its recitals, “establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements” and “the legal form of such an establishment, whether simply branch or a subsidiary with a legal personality, is not the determining factor.2)Recital 19 of the Directive

In this regard, the main relevant facts that the ECJ took into consideration were that Google search engine is operated by Google Inc. outside of the EU and that it has a subsidiary on Spanish territory which sells advertising connected to the Internet-related activities of Google Inc.

In parallel, the ECJ rejected the argument according to which Google does not carry out its processing of personal data activities in Spain and that Google Spain is a mere commercial representative for its advertising actions. Instead, the ECJ noted that, pursuant to recital 19 of the Directive, an establishment on the territory of a Member State implies the effective and real exercise of activity through stable arrangements. 3)Paragraph 48 of the ruling

Moreover, it held that Google Spain engages in such activity and, as a subsidiary of Google Inc., with its own legal personality, constitutes an establishment.4)Paragraph 49 of the ruling

According to the ECJ, Article 4(1)(a) of the directive does not require the processing of personal data to be conducted by the subsidiary itself, but only that it be carried out ‘in the context of the activities’ of the subsidiary.5)Paragraph 52 of the ruling That would be the case, for instance, if the subsidiary promotes and sells advertising space offered by the parent company which serves to make the service offered by that engine profitable.6)Paragraph 55 of the ruling Since the advertisements are displayed next to search results and finance the website, both activities are inextricably linked.7)Paragraph 56 of the ruling

Furthermore, the court considered that the very display of personal data on search results page constitutes processing of such data. As results are displayed, on the same page, with advertising linked to the search terms, the Court concluded that the processing of personal data is carried out in the context of the commercial and advertising activities of the controller’s establishment on the territory of a Member State.8)Paragraph 57 of the ruling

For all these reasons, the ECJ concluded that the processing of personal data in the context of the activities of a subsidiary of the controller established in a EU Member State, which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State, does fall within the territorial scope of application of the Directive.9)Paragraph 60 of the ruling

Last but not the least, the Court noted that, in light of the objectives of the Directive, the rules on its scope ‘cannot be interpreted restrictively’, and that it had ‘a particularly broad territorial scope’.

I must confess that I wasn’t particularly surprised by the conclusion that the Directive is applicable to companies based outside the EU, as long as it conducts a noteworthy local activity that has some link to the Internet activities of the parent body.

In fact, none withstanding the divergence of viewpoints regarding ‘right to be forgotten’ issue, the ECJ broadly confirmed the Advocate General opinion regarding jurisdiction.

The Advocate General had previously established the scope of application of the Directive, pointing out the very nature of the business model of search engines, and the inextricable link between Google Inc. and its subsidiary. Thus, the consideration according to which a controller should be treated as a single economic unit would lead to conclude that a controller is established in a Member State if the subsidiary which generates its revenues is established in that Member State. In this context, it was also disregarded that the technical data processing operations were conducted outside the EU. 10)Paragraphs 64, 65, 66 and 67 of the opinion

As a result, the ruling has broadened the territorial scope of the Directive. Not referring specifically to search engines, it applies to every data processing “in the context of the activities of an establishment”. Hence, it means that businesses with operations in the EU might generally be subjected to EU Data Protection rules.

The concept of establishment may therefore include non-EU businesses which have branches set up in a Member State. This is particularly relevant as it might affect foreign companies simply by virtue of having local sales subsidiaries in the EU. Moreover, it might potentially extend to every business that has a stable presence in the EU market, even if no European representation.

This is in line with the wider reach of the territorial scope of the forthcoming General Data Protection Regulation, which is intended to be applicable not only to businesses established in the EU. The Regulation will, in fact, introduce some key changes to the existing legal framework.

Firstly, while the current Directive applies to the data processing conducted by an establishment of a data controller in the EU, the new legislation will cover as well the personal data processing in the context of the activities of an establishment of a controller or a processor established in the Union.

In addition, the Regulation will also be applicable to the processing of personal data of individuals residing in the EU, by data controllers who are not established in the EU, when the processing activities are related to the offering of goods and services to data subjects in the EU or the monitoring of their behaviour (profiling), as far as their behaviour takes place within the EU.

If implemented, the proposed changes will bring all foreign companies who process EU citizens’ data, many of which have kept their data processing abroad to avoid being subjected to the current Data Protection Directive, within the scope of EU law.

As a consequence, non-EU based businesses will have to reconsider their arrangements for subsidiaries to ensure full compliance with EU Data Protection requirements.

References   [ + ]

1. Directive 95/46/EC of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
2. Recital 19 of the Directive
3. Paragraph 48 of the ruling
4. Paragraph 49 of the ruling
5. Paragraph 52 of the ruling
6. Paragraph 55 of the ruling
7. Paragraph 56 of the ruling
8. Paragraph 57 of the ruling
9. Paragraph 60 of the ruling
10. Paragraphs 64, 65, 66 and 67 of the opinion
Older posts

© 2017 The Public Privacy

Theme by Anders NorenUp ↑