Greetings,

With much fanfare, the Obama administration released its proposed blueprint for consumer

privacy last week. It was a profound moment; I was in the Eisenhower Room to witness it.

Since then, reaction has rung far and wide, with some lauding it and others predicting its

failure.

Now begins the work to put the blueprint in play. More people—“stakeholders”—will be involved—industry,

advocacy, academia, technologists. There will be debate, lobbying, conciliation.

It was the second major policy paper to have been released so far this year. The European Commission in January

proposed a new data protection framework and has embarked on the lengthy process of getting it before the

European Parliament for a vote.

The U.S. Federal Trade Commission is expected to release its final staff privacy report in the coming weeks—

another big paper at a big time for privacy and data protection.

Much of this work, in the U.S., the EU and in many other locales around the world, is being conducted on behalf of

consumers, yet consumers are largely unaware of the issues over which those working on their behalf split hairs.

Outside of the bubble of our profession, most people are much less informed.

However, there are signs that this is changing. The Pew Internet & American Life Project just released a report

showing that more Americans are employing the privacy settings on social networks, and data privacy makes the

headlines of mainstream newspapers across the globe on a near-daily basis now, which will inevitably lead to

greater awareness among the general population.

The IAPP is about to pass the 10,000-member mark. It is remarkable that the profession has grown to this extent

given low citizen involvement in the issues. What will happen when civil society takes note?

I believe there will be great truth in that moment.

Sincerely,

J. Trevor Hughes, CIPP

President & CEO, IAPP

Five considerations before publicizing privacy policy updates

By Mehmet Munur, CIPP/US, Sarah Branam and Matt Mrkobrad, CIPP/US/G

Changes in the law, in practices of your industry or to your business’s or vendor’s data collection or use practices

may trigger a need to update your privacy policy. We recommend that you think about the following five

considerations when making changes to your privacy policy. These considerations should help you educate your

users; be transparent and accurate in disclosing your practices, and steer clear of regulatory scrutiny.

Abide by your own privacy policy terms

It is crucial that any entity revising its privacy policy abide by the provisions in its own privacy policy for revisions.

For example, if the current privacy policy states that users will be e-mailed about the revisions to the privacy

policy, then users should be e-mailed about the revisions to the privacy policy.

Some courts have concluded that privacy policies are, in fact, contracts and must, therefore, be revised according

to their terms. If your privacy policy is incorporated into your website’s terms of use, there may be an even greater

likelihood that it will be considered a contract. However, other courts have disagreed with this conclusion.

Nevertheless, this distinction may be irrelevant, as the Federal Trade Commission (FTC) believes that privacy

policies represent “privacy promises,” and you must abide by them or face enforcement actions from the FTC for

deceptive or unfair trade practices under Section 5 of the FTC Act. Therefore, failure to abide by the terms of the

privacy policy in revising the policy could result in arguments for breach of contract or enforcement actions for

deceptive or unfair trade practices. In particular, the FTC has focused extensively on retroactive applicability of

privacy policy changes, as will be discussed in greater detail below.

Note that you can significantly mitigate the challenges presented by revising a privacy policy through proper and

thoughtful initial drafting of a privacy policy. For example, if you currently do not share data with affiliates for

marketing purposes, but anticipate that you may in the future, it would be shortsighted to state in the initial

policy that you will not share with affiliates for marketing purposes. It is best to consider all potential data uses

and transfers and accommodate for those rather than continuously revise your policy.

Privacy policy effective date

All privacy policies should have an “effective date” or “last revised date” legend that is easily identifiable. Users

may easily identify revisions to a privacy policy if the effective date of the privacy policy has been changed. So, be

sure to revise the effective date to reflect the effective date of the new policy.

Moreover, providing advance notice of upcoming revisions to the privacy policy before they become effective for

already existing users may increase the enforceability of those revisions. During this period, users who are

dissatisfied with the revisions will have the opportunity to cease the use of the website or service without being

bound by the new revisions. If users continue using the website or service at the end of such a grace period, that

use may increase the likelihood that the revisions will be upheld in a court of law.

Notice of changes to users

If there are material changes to the policy, there may be additional considerations with respect to notice. As

discussed below, based on FTC investigations and orders, you should not use data previously collected for new

purposes unless you obtain express consent to do so. With respect to ways companies have provided notice of

revised privacy policies, some companies have used the privacy policy link on their website to draw the user’s

attention to the revised privacy policy. For example, Yahoo and Google websites often indicate that the privacy

policy has been updated by using a “Privacy Policy (Updated)” label instead of the “Privacy Policy” link to draw

attention to the updates. While the use of this technique is rather new, it is a very effective method of alerting

users that the privacy policy has been updated. Such a method uses only a small amount of resources, but the

impact on users is significant.

Further, sending e-mails to registered users alerting them to the revisions is also an option. Doing so should

increase the perceived adequacy of notice. However, this method may not be applicable to services that do not

require user registration. In those circumstances, posting on a blog regarding the revisions may prove more

helpful.This may also allow notice to be provided to individuals that have not received an e-mail update. For

example, Dropbox, Google, LinkedIn and Yahoo often include these updates on their blogs.

If feasible, you could also publish previous versions of your privacy policy. Doing so may increase transparency to

consumers by providing an easily identifiable method for an individual to ascertain what was previously covered in

a privacy policy and what is currently covered. Google, IBM and eBay provide the previous versions of their privacy

policies on their websites. This provides the user another opportunity to review and understand the differences

between the policies. Even if you are unable to publish previous versions of the policy, you should always keep the

previous versions archived as business records for consumer, business, regulatory or governmental inquiries.

A final possibility for notice is publishing a summary of the revisions to the privacy policy. This allows users to

identify the revisions to the privacy policy without doing a line-by-line comparison of the previous version with the

new version. For example, Google, Dell and LinkedIn provide a summary or a comparison version of their privacy

policies to enable users to understand the differences between the previous and the new privacy policy. However,

you should ensure that any summary is accurate. Otherwise, deceptive and unfair trade practices may result. In

fact, in its recent enforcement action of Facebook, the FTC cited Facebook’s Privacy Wizard for misrepresenting

the summary of revisions to its privacy policy.

Express consent for retroactive applicability

If you would like the privacy policy to apply retroactively to data previously collected, you must obtain express

consent from users. The FTC’s guidance on the issue of retroactive revisions to privacy policies is clear that

“companies may not unilaterally alter their policies and use previously collected data in a manner that materially

differs from the terms under which the data was originally collected.” Therefore, material revisions to a privacy

policy that are also retroactive in application require that you obtain the explicit consent of the user in order to

avoid enforcement actions by the FTC. You may do this through click-through boxes with provisions stating, “I

have read and agree to the revisions to the Privacy Policy” at login screens.

Consider implications of controversial changes to your privacy policy.

Finally, you should reconsider any controversial revisions to the privacy policy. GM’s reversal on the revisions to its

privacy policy regarding the tracking of users for its OnStar service is one example of the kind of revisions that

may require reconsideration. GM revised its privacy policy so that it would continue to track users who no longer

used its service and possibly sell anonymized data relating to those users. However, the public uproar and the

congressional attention resulted in a course change regarding these privacy policy revisions. Therefore, you

should reconsider any revisions that may be too controversial or result in negative publicity before making the

revisions to how you collect and use personal information. You should also be prepared to justify your revisions

where necessary.

In conclusion, taking these five considerations into account when updating your privacy policy should ease the

concerns that users may have when you publish the updates to your privacy policy and allow your organization to

transition smoothly. The time and resources spent will be well worth it.

Mehmet Munur is an attorney at Tsibouris & Associates, LLC; Sarah Branam is the privacy manager for Epsilon, and

Matt Mrkobrad, CIPP/US/G, is an associate at Vorys, Sater, Seymour and Pease LLP.

Data privacy in the cloud—A dozen myths and facts

By Lothar Determann

Corporate and consumer users are increasingly embracing hosted information technology

solutions. Business models and terminologies vary and include service, rental and advertising-

financed offerings, described as Software as a Service (SaaS), hosted solution, cloud computing

and with other labels. In line with current nomenclature, this article will use “cloud computing”

collectively for all hosted solutions that allow users to obtain additional functionality, storage or

processing capacity without having to buy additional devices or software copies. Instead, users access enhanced

software, computing power and data storage space on remote servers via existing computers and Internet

browsers. This typically means less upfront investment to users and opportunities for leverage, specialization and

economies of scale for providers.

While users increasingly embrace cloud computing, data privacy advocates, regulators and lawyers not so much.

Critics increasingly raise concerns due to perceived risks for privacy and security of personal data. To them, cloud

computing means primarily that users transfer data to faraway systems they do not understand, own or control.

As is often the case with respect to legally and technologically complex topics, oversimplifications,

overgeneralizations, buzz words and slogans are quickly established and (ab)used to pursue various policy and

competitive agendas, including keeping jobs in-country, protecting local industries and shielding established

business models from disruptive alternatives.

In this article, I am taking aim at a dozen myths that tend to cloud the decision-making process regarding data

privacy compliance challenges related to hosted solutions. In conclusion, it is a myth that cloud computing is

somehow bad or risky for privacy or that it raises insurmountable compliance hurdles. It is a fact that data is far

more secure and protected in some clouds than on traditional systems and devices and that compliance

requirements are often very manageable—if approached reasonably from the vendor and customer side. For

illustration purposes, a global human resources system (HRIS) shall serve as an example of a common application

that a multinational enterprise can patch together from decentralized legacy systems, host centrally itself or hire

a cloud computing vendor to host; e.g., Workday.

Myth 1: Cloud computing presents fundamentally new and unique challenges for data privacy and security

compliance

Fact is that consumers and companies have been entrusting specialized service providers with personal data for a

long time, including telecommunications companies, payment processors, accountants and various outsourcing

service providers; e.g., payroll, call centers and IT support. For nearly two decades, we have made the Internet an

integral part of our information society and economy—and the Internet is founded on the principle of

decentralized transfer of data across geographies, devices and connections. Even the very services and models

that are currently hyped as “cloud computing” have been promoted for 15 years or so by an up-and-coming

industry that initially referred to itself as “application service providers.” Transferring data to service providers and

remotely hosted solutions certainly creates challenges—but they are neither new nor unique.

Myth 2: Cloud computing involves more data sharing, and that is inherently bad for privacy

Fact is that transferring data to data processing agents—who process data only on behalf and in the interest of

the customer—is very different from transferring data to data controllers, who use data in their own interest and

possibly impair the data subject’s privacy. In fact, transferring data to processing agents is so different from

transferring to data controllers that German data protection laws define “transfer of personal data” specifically to

exclude sharing with data processing agents.

Data sharing with data processing agents is not inherently bad or good for privacy—it is neutral. Companies

always need people and data sharing. Companies are a legal fiction. When companies use and process personal

data, they have to act through human people, and such human people can be statutory employees, individual

independent contractors or employees or contractors of corporate contractors. In either one of these scenarios, it

is important that the individual person who processes the data acts on behalf and in the interest of the data

controller. And it is important that the data controller in turn complies with applicable data protection laws. It is

less relevant for privacy compliance purposes how the data controller company engages and compensates the

person who conducts the processing—as employee or independent contractor. It is important that the person

follows the law and applicable instructions.

For most companies, the switch from internally maintained human resources databases to an external cloud-

based HRIS solution does not result in more sharing or transmission to additional geographies. Most data these

days is transferred across geographical borders because it is needed in various locations. Traditionally, data has

been shared over the Internet, via myriad devices, connections and persons with access. Switching from paper

files, spreadsheets and e-mailing across legacy systems with varying degrees of data protection to a centralized

cloud computing solution with access controls will not add to the prevalence of data sharing. Usually, it just

means more orderly, organized and secure sharing.

Myth 3: Cloud computing is bad for data security

Fact is that employee malice and negligence; e.g., lost laptop, smart phone, etc., causes many data security

breaches, and hacks by cybercriminals are also on the rise. Whether personal data is safer on a system secured by

the data controller in house or an external vendor depends on security measures deployed by each particular

organization. Moving data to the cloud can be a bad thing for data security if the vendor is weak on security and

careless. It can be a good thing if the vendor brings better technologies to the table and helps the data controller

manage access, data retention and data integrity. And it can be neutral if the vendor’s cloud system is more

secure but the way the customer uses the system keeps exposing the data; e.g., because the customer does not

configure security to properly restrict data to the appropriate users, the customer uses unsecured connections or

the customer downloads data from the cloud to unsecured local devices.

Returning to the example of a global HRIS, each multinational employer needs to ask itself whether its own IT

capabilities and security policies are superior to the measures deployed by a specialized vendor that can leverage

economies of scale and is motivated by the risk of reputational harm to keep data of its customers secure. If the

vendor has better security measures, systems and processes, then cloud computing should be good for data

security. If the employer instructs its worldwide employees to stop using spreadsheets on local devices and paper

printouts, and instead limits access to data in the HRIS on a need-to-know basis and subject to differentiated

controls, then ultimately the risk of unauthorized access, inadvertent disclosures and outdated or inaccurate data

should diminish.

Myth 4: Cloud computing causes additional issues under privacy law because data is transmitted

internationally

Fact is that most companies are already transmitting data internationally because they use the Internet—for

example, to e-mail spreadsheets to various office locations— or because they have subsidiaries, customers,

suppliers or channel partners in other jurisdictions. In most cases, data transfers occur because data is needed in

different jurisdictions not because of where the data is stored. With respect to employee data in a global HRIS,

companies need to cause personal data to be transferred across borders to populate the system—whether they

host it themselves or engage a cloud computing service provider.

Myth 5: Data in the U.S. is endangered by the USA PATRIOT Act

Fact is that the United States enacted the Uniting and Strengthening America by Providing Appropriate Tools

Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) in October 2001, following the September

11 terrorist attacks, to help fight terrorism and money laundering activities and to provide certain additional

investigative powers to U.S. law enforcement officials. But:

These powers are not relevant for most types of data in cloud computing arrangements;

The government is much more likely to obtain the data directly from the data controllers; i.e., users of

cloud computing services;

If the data controller is not based in the United States and has no strong nexus to the United States,

chances are the U.S. government is not interested in the data regardless of whether the data is hosted in

the United States;

If the U.S. government is interested, it can usually obtain access to the data through foreign

governments through judicial assistance and cooperation treaties, regardless of where the data is

hosted;

Similar powers exist in most other countries and data is typically much more at risk of being accessed by

governments at the place where the data controller is based, and

The USA PATRIOT Act issue is raised to support unrelated agendas, such as protecting local companies

or unionized jobs from global competition.

The information that the U.S. government seeks to fight terrorism and money laundering is not what most

companies store or process in the cloud. Returning to our global HRIS example, it seems quite unlikely that the

U.S. government would be interested in the kind of data that resides in a HRIS system. Even if the U.S.

government were interested, it would more likely turn to the employer first to obtain the data, because the

employer is more closely connected to the data subjects and may have additional information, and the

government would not know initially what cloud services the employer uses. If the employer is located in another

country, the U.S. government can typically exercise pressure through some kind of nexus—even Swiss and other

foreign banks, for example, had to turn over banking details to the U.S. government due to pressure on their

market presence and activities in the United States.

Also, the U.S. government can obtain information through cooperation with foreign governments. The U.S. has

entered into mutual legal assistance treaties with over 50 countries, including Canada, Mexico, Australia, Hong

Kong and a majority of the EU Member States, as well as a mutual legal assistance agreement with the EU. The

cooperation under mutual legal assistance arrangements can include substantial sharing of electronic information

between law enforcement authorities in the two countries. Similarly, the G8 nations (Germany, France, the

United Kingdom, Italy, Japan, the U.S., Canada and Russia) recently reaffirmed their commitment to enhance the

exchange of information and judicial cooperation with respect to individuals involved in acts of terrorism.

Accordingly, in most cases, even if information is stored outside of the U.S., it is still possible for U.S. law

enforcement authorities to obtain such information through existing treaties or agreements with the jurisdiction

in which the information is stored.

In some cases, the additional hurdles established by jurisdictional complications will make a difference, but this

difference works both ways. For example, a U.S. bankruptcy court recently refused to hand over e-mails to and

from a German resident to the German government. In this case, the German resident’s privacy was better

protected due to the fact that his e-mails were stored in the United States. The German government would have

easily gotten access to his e-mail if he had used a German Internet service provider. Most countries around the

world allow law enforcement access to private information to a similar extent as in the United States, and many

countries have updated their privacy laws to provide for minimum data retention requirements—European

telecommunications laws go beyond what the U.S. requires—and otherwise lowered privacy protection

standards.

In one of the first cases that raised concerns regarding the USA PATRIOT Act in the context of international

outsourcing, a trade union in Canada, the British Columbia Government Service and Employee’s Union, sued the

British Columbia Ministry of Health Services. The union tried to prevent the British Columbia government from

contracting out the administration of the province’s public health insurance program to a U.S.-based service

provider. The union argued that the proposed outsourcing would contravene British Columbia’s public-sector

privacy law (FOIPPA) by making the personal health information of British Columbians accessible to U.S.

authorities pursuant to the provisions of the USA PATRIOT Act. The court dismissed the case, and the trade union

initiative has since been cited as an example of privacy concerns being raised as an excuse for other agendas, such

as local job or industry protectionism.

Myth 6: Record keeping laws require data to stay local

Fact is that some tax, bookkeeping and corporate laws in some jurisdictions historically required certain records to

stay in country, but such requirements apply only to certain kinds of records and they do not prohibit the transfer

of data into the cloud so long as originals or backup copies are also kept local. If and to the extent such laws were

to apply to employment records, which is not typically the case in most major jurisdictions, the global employer

and HRIS user could still upload copies of the records in to the global HRIS—whether self-hosted or hosted by a

cloud computing service provider.

Myth 7: U.S.-EU Safe Harbor doesn’t apply to service provider arrangements

Fact is that the Safe Harbor Principles expressly state that data processors may participate and achieve adequacy

through certification, and that the EU Commission ordered European Economic Area (EEA) Member States to

consider companies ‘adequate’ if they certify under the U.S.-EU Safe Harbor program, whether they act as data

controllers or processors. The U.S.-EU Safe Harbor program has been heavily criticized over the years, and the

head of a data protection authority in one German state has even called for a rescission of the program. However,

attention-grabbing calls by local politicians do not seem much more relevant and noteworthy as the occasional

buzz around plans by Bavaria to cede from Germany or Texas to cede from the United States. Until the European

Union or the United States cancels the Safe Harbor arrangement, all data protection authorities in the 30 EEA

Member States are legally obligated to accept that Safe Harbor-certified cloud computing service providers in the

United States are as “adequate” as EEA-based service providers.

Of course, data controllers need to verify that each particular service provider can be trusted with personal data,

but this requirement applies equally if such provider is based in the United States and Safe Harbor-certified or not

certified and based in a Member State of the EEA. When comparing the relative strengths and weaknesses of data

protection technologies and laws across geographies, it is worth recalling that the EEA does not only consist of

France and Germany, which historically pride themselves of relatively high data protection law and technology

standards, but also 28 other countries, some of which have joined the EEA only recently and do not have much of

an information technology industry or history of data protection laws.

As a data protection law practitioner and scholar in both Germany and California, I am troubled by calls for an end

to cloud computing and data transfers to the United States by German politicians, singling out highly respected

global technology leaders headquartered in California with unsubstantiated attacks, while accepting, without any

additional scrutiny, the free flow of data in the EEA. Why should a multinational employer assume that its global

HRIS is more secure in Bulgaria and Romania—the youngest EEA Member States—compared to California?

Nothing from a data protection law, industry and policy perspective supports such double standards.

Unsubstantiated attacks do not help advance the discussion but risk provoking concerns regarding local

protectionism and national arrogance.

Myth 8: Contractual clauses are unnecessary if the service provider is Safe Harbor-certified

Fact is that the Safe Harbor certification only qualifies a service provider outside the EEA as adequate as a service

provider within the EEA is presumed to be. But, European laws require particular contractual clauses for data

transfers to any service provider—whether the provider is in the EEA or outside.

A company has to take on three hurdles before it may transfer European personal data internationally—into the

cloud or otherwise. First, the collection and use has to be permitted, based on consent, contractual duties,

statute, etc. Second, the transfer has to be justified, and third, the recipient has to achieve adequacy if it is not

based in the EEA or a country that has been declared adequate by the EU Commission. By certifying under the

U.S.-EU Safe Harbor, a U.S.-based service provider helps its customers over the third hurdle—adequacy—but the

Safe Harbor certification does not justify the transfer as such. Whether a recipient is in the U.S. or in the EEA, the

customer has to justify any transfer. In the context of data transfers to other data controllers; i.e., recipients that

want to use the data in their own interest, data controllers typically have to obtain consent from the data subject

or rely on statutory data transfer obligations. But, when a company transmits data to a service provider, it does

not have to obtain consent so long as it retains control over the data via an adequate contractual arrangement.

This is where the need for certain particular contractual clauses comes into play.

One option is to sign the Standard Contractual Clauses promulgated by the EU Commission for data transfers to

data processors. These are not absolutely required if the service provider is certified under the U.S.-EU Safe

Harbor program, because the Safe Harbor certification already provides adequacy. But, the alternative would be

to implement agreements that satisfy the national law requirements for agreements with service providers. The

templates promulgated, blessed or prescribed by the various data protection authorities in the 30 EEA Member

States vary quite a bit, and it is less clear how binding such clauses are and whether they will be accepted without

questions and scrutiny in data protection authority approval processes. Consequently, any customer or service

provider opting for “self-made” or “national government templates” should be prepared for time- and cost-

consuming legal analysis, lengthy negotiations and ultimately a multitude of agreements. By comparison, the

European Commission’s SCC may appear more attractive, because all EEA Member States are supposed to accept

this form as assuring “adequacy,” it is in both parties’ best interest not to negotiate or modify the SCC—to

preserve the preemptive blessing of the commission regarding adequacy—and one form agreement can be used

for the entire EEA.

Myth 9: Data privacy and security law compliance is the provider’s responsibility

Fact is that data privacy and security laws primarily hold the data controller responsible for compliance; i.e., the

customer in a service provider relationship. The customer has to ensure that the data made available to the

service provider has been legally collected, data subjects have consented or received notice, filings have been

made, etc. The service provider has typically only two duties under data privacy laws: The processor has to follow

its customer’s instructions and keep the data secure against unauthorized access. The second duty—data

security—is also and foremost on the data controller. Therefore, it is important for customer and vendor to reach

a reasonable agreement about what level of security is appropriate for particular types of data and who should be

doing what. For example, if a customer hires a service provider to store archival statistical data, music files or

strongly encrypted information in the cloud, it may not be necessary for the vendor to invest heavily in security

features because unauthorized disclosure of such data would not typically harm the data subjects. On the other

hand, backup copies of credit card transaction information should be very carefully guarded because such

information is actively pursued by hackers to steal identities and commit fraud. Data in an HRIS can also include

highly sensitive information; e.g., U.S. Social Security numbers—a primary target for identity thieves and hackers,

even though most of the data typically stored in HRIS is of little or no interest to hackers.

If the service provider offers a specialized application for certain types of data that are typically sensitive and

worth protecting, the service provider should take the initiative and either implement certain security measures

itself, for example, encryption, or recommend that its customers do. Customers should also take the initiative to

identify the various compliance obligations that apply to a particular type of data processing activity and then

consider which of these obligations can or should efficiently be handled by service providers and which are better

discharged by the data controller itself. In the end, the various compliance obligations on the data controller

depend on where the data controller is located, and if the data processor is based in another jurisdiction, the data

controller will need to educate and instruct the data processor about the compliance requirements that need to

be satisfied.

Myth 10: Cloud service providers cannot cede control to their customers

Fact is that many organizations find it difficult to stay in control over modern IT systems, whether they hire

service providers to provide IT infrastructure or whether they host, operate and maintain systems themselves.

Even with respect to self-operated systems, most companies usually have to work with support service providers

who have to be granted access to the systems and data to analyze performance problems, troubleshoot errors

and provide support and maintenance. Most companies find it prohibitively expensive to customize systems—

whether self-hosted or hosted by a service provider—beyond the configuration options provided by the vendor as

part of the standard offering. Consequently, there are significant limits to the degree of control that users can and

want to exercise over their systems, whether self-hosted or hosted by a provider.

Yet, from a legal perspective, it is imperative that the service provider remains in the role of a data processor and

the customer in the role of the data controller. If the service provider obtains or retains too much discretion about

aspects or details of the processing, the service provider could become a co-controller, which is not acceptable for

either party. The service provider would suddenly assume all kinds of compliance obligations, including to issue

notices to data subjects, assure data integrity, grant access and correction requests, submit filings to data

protection authorities, ensure compliance with data retention and deletion requirements, etc. A cloud computing

service provider cannot discharge these data controller obligations because it does not know the data subjects or

what data is uploaded into its systems. And, if the service provider did in fact qualify as data controller, then the

customer would typically violate statutory prohibitions and privacy policy promises regarding data sharing.

Therefore, both provider and customer have to work toward an arrangement that keeps the provider limited to

the role of a data processor.

In the context of self-hosted systems, it tends to be easier to prove that the provider retains little or no control

over the system after delivery. In the cloud computing scenario, on the other hand, the data resides on servers on

location that the provider controls. But, it is important to note that “control” from a data protection law

perspective refers to “control” of the data—not “control” of the premises where data resides. Landlords, for

example, are not viewed as data controllers merely because they own a building where data is stored and have

access and repossession rights under contract and statutory law regarding the building and tenant property.

The focus of control regarding cloud computing is to ensure that the customer decides what data to upload,

download, access, transfer, delete and otherwise process. This is the case with respect to most cloud computing

offerings because the service providers tend to offer a platform or software functionality as a service, without any

interest, knowledge or influence regarding data types and processing purposes. For example, with respect to a

hosted HRIS, the service provider does not have any interest to view or use the data that the customer uploads

and processes, but the customer may need to provide to access data in order to provide support for technical

issues. If the parties contractually and technologically assure that the vendor’s personnel only access data on the

system to provide the service and prevent support issues, then the customer is nearly as much in control as the

customer can be with respect to self-hosted systems.

Nearly, because with respect to self-hosted systems, the customer can monitor and safeguard physical safety and

access limits—albeit that in practice, many companies outsource premises security in any event to security service

providers. To keep the customer in control, the cloud computing service provider has to provide key information

about storage locations, processing practices and subcontractors. Some service providers withhold such

information based on trade secret protection objectives and this can create friction with respect to the objective

to keep the customer in control for purposes of data protection law compliance.

To resolve such conflicts and keep the service provider in the “processor” role, vendors could disclose to their

customers key aspects of their data processing practices, equipment locations and significant subcontractors with

access to the customer’s personal data. Also, any contractual clauses to safeguard control and data protection

need to be passed on to the subcontractors. In connection with cost-efficiently designed, standardized cloud

computing solutions, it can be very difficult and expensive for providers to accommodate customization requests

by individual customers. But, a customer can also remain in control over data processing if the customer retains a

right to receive prior notice regarding all relevant details of the data processing and changes thereto, so that the

customer can withdraw data or change the use of a cloud solution in case changes are not acceptable for certain

kinds of data. Or, the customer could agree or instruct the provider to update service and technology from time to

time, as the provider deems appropriate, on the condition that the provider will not lessen the security and

privacy measures set forth in the agreement. Whether customers and providers also agree on contract

termination rights and early termination fees is a commercial point and not prescribed from a data protection

compliance perspective.

Myth 11: Vendor has and should accept unlimited liability for data security breaches

Fact is that service providers may not always be able to limit their liability vis-à-vis the data subjects in scenarios

where they contract with corporate customers and not the data subjects themselves. If hackers gain unlawful

access to employee information residing in a global HRIS, the service provider may be liable directly vis-à-vis the

employees under negligence theories—if and to the extent economic harm resulting from data access is covered

by tort liability under a particular jurisdiction’s laws.

But, data protection laws do not prescribe the allocation of commercial liabilities between the parties.

Sophisticated companies usually slice and dice exposure in various ways in indemnification, limitation of liability

and warranty clauses. It is quite common to differentiate in risk allocation clauses based on whether customer

and/or service provider contributed primarily to a breach or resulting harm; whether the service provider was in

compliance with its contractual obligations, its information security policies and applicable law, and whether a risk

materialized that could have affected any other company, including the customer.

Also, cloud service providers are increasingly mindful that they can be held liable for violations of laws by their

customers or their customers’ customers, for example in the context of uploaded viruses, illegally copied files and

pornographic materials. Such risks are then shifted contractually from the provider to the customer.

Myth 12: Customer needs to have the right to access the provider’s data centers and systems for audit

purposes

Fact is that customers need to reserve a right to audit the cloud service provider’s compliance measures. But, it is

also a fact that the service provider may not let customers into its data centers or systems because that would

impair the security of other customers’ data. Also, individual audits would be unnecessarily disruptive and costly.

As a compromise, cloud service providers can arrange for routine, comprehensive audits of their systems by a

generally accepted audit firm and make the results available to all customers. If customers demand additional

topics on the audit list, providers can expand the scope of the next scheduled audit, if the customers are willing to

pay for the additional effort and the controls are within the scope of the service.

Beyond generally applicable compliance and audit requirements, there can occasionally be additional needs with

respect to particular types of data processing arrangements or industries. For example, European laws

implementing the Markets in Financial Instruments Directive (2004/39/EC, MiFID) require that regulated entities

perform due diligence on their vendors "when relying on a third party for the performance of operational

functions which are critical for the performance of regulated activities, listed activities or ancillary services." But,

in the context of such special regulatory requirements, it is important to differentiate what types of data and

processing services are within and outside scope. If a regulated financial services firm chooses to use a hosted

solution for human resources data relating to its own employees, this can hardly be considered a “critical

operational function” under financial services regulations. If the same firm were to outsource core functions such

as calculations of its funds values, the additional audit requirements may come into play.

Prof. Lothar Determann practices data privacy and technology law as a partner in Baker & McKenzie’s Palo Alto

office and teaches data privacy, e-commerce and computer law at the University of California, Berkeley School of Law

(Boalt Hall), Hastings College of Law, Stanford Law School and Freie Universität Berlin.

Obama administration and Congress step up efforts to protect against cyber threats

By Heidi Salow, CIPP/US

After years of discussion and several false starts, 2012 is shaping up to be the year that national

cybersecurity legislation may become a reality in the U.S. Several recent proposals from the

White House and both houses of Congress have revealed a sense of urgency and strong

bipartisan support for strengthening the nation’s private and public infrastructure from cyber

attack. The parameters of any final legislation, however, remain very much in debate. Proposals

have ranged from bills designed simply to facilitate the sharing of cyber-threat information between the private

and public sectors to comprehensive schemes granting the executive branch broad powers to declare a national

cyber emergency and to compel private companies to implement a response plan. To further complicate matters,

in both the Senate and House, numerous committees and subcommittees claim some jurisdiction over

cybersecurity.

When the president released his Cyberspace Policy Review almost two years ago, he declared that the “cyber

threat is one of the most serious economic and national security challenges we face as a nation.” Members of both

parties have also recognized this challenge—approximately 50 cyber-related bills were introduced in the last

session of Congress.

Given the rapid pace of recent developments and the potential impact of federal legislation in this area, it is

important for companies in critical sectors—such as telecommunications, defense, energy, transportation and

information technology—to monitor these developments closely and consider getting involved in the policy

discussions.

Bipartisan momentum for cybersecurity legislation is building

In the White House, President Barack Obama has identified cybersecurity as one of the most serious economic

and security challenges facing the nation today. In his recent State of the Union Address, the president

highlighted the growing dangers of cyber threats and called on Congress to act on proposed legislation submitted

by the White House last May. On February 1, the administration held a classified briefing with Senate leaders to

stress the urgent need for legislative action.

In the Senate, several cybersecurity bills have been introduced. Senate Majority Leader Harry Reid (D-NV) has

said that he considers cybersecurity a top priority. Last year, Reid and Minority Leader Mitch McConnell (R-KY)

took the unusual step of exchanging public letters on the subject and formed a bipartisan cybersecurity working

group in an attempt to overcome the committee turf battles that have plagued earlier efforts.

Meanwhile, the Cybersecurity and Internet Freedom Act (CIFA-S 413), sponsored by Sens. Joe Lieberman (I-CT),

Susan Collins (R-ME) and Thomas Carper (D-DE), gained a good deal of attention in 2011. It has been replaced by

a new bill, S 2105, resulting from the joint efforts of several committees—Homeland Security and Government

Affairs, Commerce and the Select Committee on Intelligence.

Just this month, a group of bipartisan senators introduced a pre-publication version of S 2105, the Cybersecurity

Act of 2012. This bill is an attempt to bring together CIFA (S 413) and other Senate bills, such as one introduced by

Chairman Jay Rockefeller (D-WV). S 2105 calls for the Department of Homeland Security (DHS) to assess risks and

vulnerabilities of computer systems running at critical infrastructure sites and to work with the operators of such

systems to develop security standards.

Under S 2105, the DHS would determine which systems fit the definition of “critical infrastructure,” namely those

“whose disruption from a cyber attack would cause mass death, evacuation or major damage to the economy,

national security or daily life.” Companies would have the right to appeal the designation. Owners or operators of

critical infrastructure systems would be able to determine how to best meet performance requirements and

would either "self-certify" compliance or use a third-party assessor for certification.

The bill also contains provisions for information sharing between the government and the private sector, and it

would reform the Federal Information Security Management Act (FISMA). FISMA would “focus on continuous

monitoring of agency information systems and streamlined reporting requirements rather than overly

prescriptive manual reporting.” The DHS would consolidate its cybersecurity programs into a National Center for

Cybersecurity and Communications office.

Sen. Dianne Feinstein (D-CA) introduced separate legislation this month. The Cybersecurity Information Sharing

Act of 2012 (S 2102) would have required the federal government to designate a single focal point for

cybersecurity information sharing. This bill was later incorporated into S 2105 as Title VII of that bill, so S 2102 is

unlikely to be acted upon separately unless S 2105 is defeated or substantially amended.

S 2102—and now Title VII—would create “cyber exchanges” (CEs). CEs are organizations established “to

efficiently receive and distribute cybersecurity threat indicators.” The DHS Secretary would be required to

establish, by regulation, at least one governmental CE as the lead CE. It would act as “the focal point within the

federal government for cybersecurity information sharing among federal entities and with non-federal entities.”

Title VII also affirmatively provides private-sector companies the authority to monitor and protect the information

on their own computer networks and encourages information sharing about cyber threats within the private

sector by providing a good faith defense against lawsuits. It establishes procedures for the government to share

classified cybersecurity threat information with companies that can effectively use and protect that information.

The DHS secretary, in consultation with privacy and civil liberties experts, would have to develop policies for the

receipt, retention, use and disclosure of cybersecurity threat information by federal entities to minimize the

impact on privacy and civil liberties and to safeguard personal information.

In the House of Representatives, Republican leadership formed a Cybersecurity Taskforce in June of 2011. The

taskforce was asked to make recommendations to House Republican leadership on four issues: critical

infrastructure and incentives; information sharing and public-private partnerships; updating existing cybersecurity

laws, and legal authorities. In October, the taskforce unveiled its recommendations in a report to House

leadership.

Meanwhile, two cybersecurity bills are rapidly making their way through the House of Representatives. The Cyber

Intelligence Sharing and Protection Act (CISPA-HR 3523) was introduced on November 30 and garnered over 50

cosponsors and 20 letters of support from industry leaders. CISPA was marked up and approved by the House

Intelligence Committee by a commanding vote of 17-1. The next step for the bill is the House floor.

On December 15, Rep. Dan Lungren (R-CA) introduced the Promoting and Enhancing Cybersecurity and

Information Sharing Effectiveness Act (PrECISE-HR 3674). It was marked up and unanimously passed on February

1 by the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security

Technologies. The bill, discussed in more detail below, will now be sent to the full committee.

The shape of final legislation is uncertain

Although there is broad consensus that cybersecurity legislation is needed, there are obviously many emerging

proposals, and much has yet to be decided.

The House Intelligence Committee’s CISPA bill and Sen. Feinstein’s Cybersecurity Information Sharing Act appear

to be the least controversial and least ambitious of the legislative proposals. The primary purpose of these bills is

to facilitate the confidential sharing of cyber-threat information between the federal government and the private

sector by various means. They authorize and expedite security clearances for qualified private-sector entities,

protect private disclosures from Freedom of Information Act requests, restrict the government’s use of

information received from the private sector and limit liability for entities’ sharing and use of cyber-threat

information.

Like the CISPA, the House Homeland Security Committee’s PrECISE Act would facilitate the confidential sharing

of cyber-threat information between the public and private sectors. It calls for the creation of a nonprofit

organization called the National Information Sharing Organization (NISO)—with a majority private-sector

board—to serve as a secure, confidential clearinghouse for the exchange of cyber-threat information between

public and private entities. The PrECISE Act goes further than the CISPA, however, by empowering the DHS to

conduct risk assessments and collect existing security standards to evaluate the best methods to mitigate risks.

Notably, it is intended to create as little new regulation as possible, instead requiring regulators to assess current

critical infrastructure protection regulations against DHS-identified risks. Gaps would be identified and

redundancies eliminated.

In the Senate, last year’s CIFA legislation weighed in at more than 200 pages. Its successor, S 2105, is equally

comprehensive. Much like the PrECISE Act, it would give the DHS power to conduct risk assessments and

determine cybersecurity performance requirements but only for critical systems that are not already

appropriately secured. Owners of “covered critical infrastructure” would have flexibility in meeting performance

requirements as they deem fit.

Although Majority Leader Reid wants quick floor action on S 2105, a group of top Republicans, including Minority

Leader Mitch McConnell and Sen. John McCain (R-AZ), have expressed concern that the measure is being rushed.

They have stated that the bill “does not satisfy our substantive concerns, nor does it satisfy our process concerns.”

Given the numerous legislative proposals under consideration—with more on the way—and the continuing

jurisdictional debates, it is unlikely that any cybersecurity legislation will make headway in the near future.

Nevertheless, there is clear bipartisan recognition that something needs to be done quickly to protect this

country’s critical infrastructure.

Heidi Salow, CIPP/US, is an expert in privacy and data security,intellectual property, e-commerce and global data

protection laws, having focused on these areas for well over a decade. Her experience as a negotiator includes

legislative advocacy, negotiating complex transactions and compliance counseling. She has represented numerous

clients on regulatory and public policy matters before Congress, the administration and federal and state agencies.

Facial recognition technology: Should faceprints be considered personally identifiable

information?

By Jedidiah Bracy, CIPP/US

A little more than two decades ago, the idea that technology could be capable of

recognizing an individual’s face was merely the stuff of science fiction. Yet, at the dawn of a

new decade, facial recognition technology has not only become a reality, it is becoming

commonplace—from security surveillance to social media photo tagging.

Like the tips of our fingers, our face, when coupled with the appropriate algorithm and database, becomes a

unique biometric identifier. Yet, unlike fingerprints and other biometric identifiers, a faceprint can be captured

from a distance without an individual’s knowledge.

Experts discussed the implications of this technology last December at a roundtable hosted by the Federal Trade

Commission (FTC). The forum made it clear that the new technology creates a vast array of opportunities for

business and law enforcement but also raises concerns about privacy and anonymity.

One expert suggests faceprints be considered personally identifiable information.

This seemingly simple assertion to what has been considered a complex problem was posed by one of the

inventors of facial recognition technology. As vice chairman of the International Biometric & Identification

Association (IBIA)—a biometrics trade association—Joseph Atick has spent the last 20-plus years leading several

companies in the identity management industry.

Atick says it’s critical for individuals to have control over their faceprints. A complex system of assigning fair

information practices to varying facial recognition applications “can be resolved and addressed if you give the

consumer the control over the faceprint and say no application can exploit the faceprint without (the consumer’s)

explicit consent.”

In other words, our faces should be copyrighted.

Atick says despite the vast deployment of the technology, a generic approach such as legislating that a faceprint

is PII gives weight to responsible use and makes companies liable if they do not appropriately protect faceprints—

similar to the practices for health or financial records.

“If we limit regulations to a faceprint equals PII, then industry self-regulates to police that. It creates liability and

allows the legal system to do the enforcement,” says Atick.

“Privacy advocates on the (FTC) panel talked about a careful tiered approach to privacy,” says Pam Dixon, but

Atick pointed out that it is difficult to police facial recognition. Dixon is an author, researcher, and founder of the

World Privacy Forum. She wrote a report on digital signage and facial recognition technology, The One-Way

Mirror Society, and has led an effort to create the first set of collaborative consumer privacy principles for digital

signage.

Where is the technology being used? Is it collecting and storing faceprints? This can be solved by making faceprint

processing a liability when misused.

“What Dr. Atick was saying was a wake-up call.”

“He’s not a privacy advocate,” she says. “He was there to advocate for companies using it. So for him to say that

was stunning.”

In its comments to the FTC, the World Privacy Forum wrote, “Dr. Atick’s approach provides an important avenue

of thinking that we urge the FTC to explore further. We believe it holds significant promise and has the most

potential for a positive and fair outcome. The policy dialogue around facial recognition and detection

technologies has been overlaid by approaches with roots in past technologies from past eras. Much of the policy

discussions to date have not been informed by Dr. Atick’s level of knowledge and, as such, have not taken into

sufficient account the uniqueness of the faceprint, the nature of the technology and the manner in which it is

being deployed.”

Dan Solove agrees that faceprints should be considered PII. “Faceprints are specifically designed to be identifiable

to a person and to be a means of identifying a person, and thus I believe they should be considered PII.”

As John Marshall Harlan Research Professor of Law at George Washington University Law School, Solove is

considered to be one of the world’s leading experts in privacy law. He says a “combination of self-regulation as

well as legislation and agency supervision” will be the best solution. “Self-regulation alone lacks the teeth and

uniformity to be effective, but when combined with reasonable and flexible legislation, self-regulation can be

effective in many ways.”

The Software & Information Industry Association (SIIA) has a different take on privacy legislation. In its comments

to the FTC, the SIIA asserts that “there is no need to develop specialized privacy principles for facial recognition or

facial detection technologies.”

“Privacy is context-dependent, not technology-specific,” the SIIA contends.

SIIA Public Policy Vice President Mark MacCarthy says facial recognition and detection technologies “raise

different privacy issues depending on the context in which they are used.” Digital signage that does not collect

faceprints “might call for notice,” while “more advanced use of facial recognition technology such as tagging

pictures on a social network might call for some kind of consent. There doesn’t need to be legislation specific to

faceprints,” he contends, “because the technology can be used in so many different contexts it would be

impossible to write meaningful privacy protections.”

MacCarthy also says, “In the contexts where the technology is being used now, such as digital signage or tagging

photos on social networks, the industry has struck a pretty good balance.”

Speaking at the FTC roundtable, Facebook Director of Privacy Erin Egan raised the notion of context as well. The

social networking site came under fire from privacy advocates when it introduced facial recognition software to

streamline photo tagging.

“We’re not automatically identifying you,” Egan said. “We’re just suggesting people who might be in your photos

so we can make tagging easier for you. I mean, that’s the context…even in that context, there are important

principles around notice, around control, around security…I still think these framework principles apply, but again,

I think that when we look at how they should be applied, it should depend on the context and users expectations.”

Last October, Atick published Face Recognition in the Era of the Cloud and Social Media: Is it Time to Hit the Panic

Button? In it, Atick describes the “perfect storm” that gives him reason for concern. The combination of

“enthusiastic participation in social media,” increased use of digital cameras and improved facial recognition

algorithms “opens the door for potentially achieving the unthinkable: the linking of online and offline identities.”

Dixon questions whether Pandora is already out of the box regarding facial recognition technology. “We

proceeded down a path unconsciously because the market is already capitalizing.” Dixon has spent time in India

for the government’s biometric identification system and in Japan during the implementation of its smart grid.

“One thing I’ve learned about biometrics: once it’s out there, the game is up. You can’t take it back.”

She points out that the Fair Credit Reporting Act and the Equal Credit Opportunity Act were both pieces of U.S.

legislation that rolled back discriminatory market practices to protect consumer rights. Dixon thinks something

similar could help roll back current market practices to help protect individual identities.

Dixon thinks these new technologies call for a new way of thinking about our privacy rights. When in public, our

expectation of privacy is naturally diminished, but in the past, we’ve often had some form of anonymity. As facial

recognition becomes more ubiquitous in the public space, our expectation of privacy and anonymity could be

eradicated, she warns.

The recent U.S. Supreme Court ruling on GPS tracking, the United States v. Jones, sheds light on the new privacy

paradigm for Dixon. In particular, Dixon cites Justice Sonia Sotomayor’s concurring opinion. “More

fundamentally,” wrote Sotomayor, “it may be necessary to reconsider the premise that an individual has no

reasonable expectation of privacy in information voluntarily disclosed to third parties…This approach is ill-suited

to the digital age, in which people reveal a great deal of information about themselves to third parties in the

course of carrying out mundane tasks.”

Dixon says Sotomayor’s concurring opinion “forms the threshold of what we need to be looking at.”

In comments to the FTC, the Electronic Privacy Information Center (EPIC) recently called for a moratorium on

commercial deployment of facial recognition technology. “While the use of facial recognition technology has

increased over the past several years, few legal safeguards currently protect consumer privacy and security.”

EPIC cites two existing state laws--in Illinois and Texas--that have biometric statutes in effect, but adds that the

U.S. Constitution “only protects individuals from privacy intrusion by the state, not private companies or other

individuals.” Internationally, the new EU data protection framework mandates any organization processing

biometric data needs to conduct a “data protection impact assessment” as well as meet personal data obligations.

As such, EPIC is asking the FTC to require companies “collecting, handling, storing and transmitting” biometric

data “to adhere to a framework of Fair Information Practices.”

When asked if current EU and UK legislation appropriately protects individuals from facial recognition’s misuse, a

spokesman from the UK Information Commissioner’s Office said, “Images of individuals are likely to be regarded

as personal data and therefore UK laws require organisations to have a legitimate purpose for processing this

information. In some cases this may be in the legitimate business interest of the organisation but in others this

will require the consent of the individual. UK and EU law is clear that consent must be both freely given and

informed. Other aspects of the Data Protection Act such as subject access and the right to object to processing

will also apply to facial recognition technologies.”

For Atick, the solution resides in legislation requiring faceprints to be considered PII. Once this is done, and

liability becomes a driving factor for companies to ensure it is protected, then industry can self-regulate. He says

facial recognition technology is helpful for fighting crime and terrorism and for other security needs. It has proven

helpful in Ontario, Canada, for problem gamblers who opt in to the Ontario Lottery Gaming Corporation’s

voluntary self-exclusion program.

Atick says the industry has been “fully behind” the IBIA, but adds, it is concerned about “rogue applications” that

use the technology “to make a name for themselves.” He says many of the newer social media sites and Internet-

based companies are exploiting facial recognition technology. “We’ve reached out and asked them to use the

technology responsibly.”

The biggest concern, according to Atick, is the construction of large databases of faceprints. “We need to address

the root cause of this threat to privacy by focusing on the ease with which identification databases can be built

through automated harvesting of identity-tagged images over the web,” he writes. Changing the attitudes of data

handlers—like social media and image sharing sites—and elevating faceprints to the level of PII can help.

Legal analysis of the new proposed EU regulation on data protection

By Fabio Di Resta and Nicola Fabiano

In the new proposed regulation on EU data protection law, there are many important provisions. Most of them are

necessary to address the future challenges of data protection in the Internet environment. The principles of

effectiveness; i.e., stronger powers to DPAs, PIAs, mandatory appointment of DPOs, the principles of privacy by

design and by default; accountability, and transparency are the founding stones on which the new proposed

regulation was built.

The main objective of the regulation draft is to fulfill the ambitious harmonisation of the data protection laws of

EU Member States and enhance consumers’ trust on the Internet through stronger data protection rules at the EU

level.

In this article, different legal aspects of the proposed framework will be analysed.

Extra-territorial criterion: More specific exemptions

With respect to external scope, it should be considered that the main reason of the broad scope of the existing

95/46/EC Directive is to ensure that individuals are not deprived of EU data protection law and to prevent actions

to circumvent the EU law.

The choice of the European Commission to enhance the threshold—as recently amended in the published draft—

to trigger the application of EU law outside the EU/EEA seems appropriate to address the future challenges of the

Internet but still could use some amendment, such as more structured exemptions to prevent discriminating

against complex organisations. In respect of this point, different situations are exempted from the EU law

application—Article 3 par. 2 and Article 25: Any controller established in third countries which ensures an

adequate level of data protection; any public body; any controller only occasionally offering goods and services to

data subjects residing in the EU, and all enterprises employing fewer than 250 persons.

This last exemption—which refers particularly to SMEs— also could use some amending. The complexity of

organisations that operate through the Internet, where single departments or business units sometimes

operate—with limited staff and an independent budget—as a controller, offering specific products or services,

should be considered. Thus, the quantitative or dimension criterion of 250 persons with regard to the overall

activity of big organisations should probably be rethought and the relevance—ancillary or otherwise—in the

specific organisation of the products or services offered in EU (recitals 20, 63 and 64 of the EC regulation draft)

should be taken into account.

The mandatory appointment of a representative established in the EU/EEA could have a negative impact on the

activity of these departments and business units if they are considered data processors rather than controllers,

and this provision could be considered too dissuasive by big organisations, which have only ancillary activity in

Europe, especially owing to the fact that these rules already apply to SMEs.

Consequently, without an enlargement of the exemption, there could be several negative effects; for example,

the representative appointment could be an economic barrier that restricts the choice of EU/EEA consumers who

will not be able to purchase online products and services coming from organisations located outside of the EU.

Cloud computing scenario: Comparative analysis under the existing 46/95/CE Directive and under the

regulation draft—one-stop shop and the main establishment criteria

In the following paragraphs, one scenario will be analysed—both under the existing EU/EEA directive and the new

regulation draft.

In this IT model, personal data are usually processed and stored on servers in several places around the world. The

exact place where the data are stored is not always known, and it can change over the time. In order to trigger the

applicability of EU law, the relevant information is the context of activity of the establishment within the EU

(principle of establishment) and the location of the equipment.

In order to deeply understand the applicable legal issues, the first step is to identify the data controller and its

activities. For example, the buyer of a cloud service could be a data controller. Say a company uses an online

agenda service, if the company uses the agenda service in the context of the activity of its establishment in the

EU, the EU law will be applicable. However, the cloud provider could also be, under some circumstances, a data

controller. Such is the case when it provides for an online agenda and document sharing, where private parties

can upload all of their personal appointments and contacts, synchronize them and upload documents to store or

share with selected persons. In this context, different key factors should be taken into account: the context of the

activity of the establishment, its degree of involvement and the nature of its activity. Let’s say the cloud provider

is a data collector located in the UK, Germany and Italy—and all of them are establishments—but server and

technical staff for the online agenda are located in the UK, while the servers, software and technical staff for the

document sharing activities are located in Germany. The establishment in Italy is not involved in this activity.

According to Article 4 of the existing directive, English law is applicable to the establishment located in UK and,

likewise, German law applies to the establishment located in Germany, with the further to obligation to deal with

German and English DPAs. Italian law is not applied as this data processing not being the Italian establishment

involved.

One of the implications of the approach mentioned above is the risk of overlapping national laws applicable to the

same data processing with the further consequence to deal with several jurisdictions and data protection

authorities. In order to overcome this problem and to give more legal certainty, in the EU regulation draft the

main establishment principle—also called one-stop shop criterion—was worded in such a way that it will apply

when a data controller or processor is established in more Member States (Recitals 13 and 98 – Article 51,

Paragraph 2).

This is a good principle because it gives legal certainty to companies that do business in Europe with the

possibility to comply with one law for the whole of the EU territory and to deal with a single data protection

authority (lead authority). Analysing the above-mentioned cloud computing scenario in light of the EU regulation

draft, once the context of establishments’ activity has been identified, the purpose, means and conditions should

be taken into account. Thus, it could be considered that all the services offered by the cloud provider to users—

who upload data for the agenda and documents for storing and/or sharing—has the same purpose, so it should be

regarded that only one process is operated. Furthermore, considering that the English establishment manages

the main activity—being the place of central administration, which decides in order of the processing of the

users—then only the English law will be applicable and the English information commissioner will be the lead

authority to address all complaints from data subjects residing in the EU territory.

The principles of privacy by design and default and the commission’s controls

The new data protection legal framework proposed by the European Commission introduces, with respect to the

Directive 95/46/EC, the reference to “data protection by design and by default” (Article 23 of the Proposal for a

Regulation and Article 19 of the Proposal for a Directive). Also, even though these articles do not describe the

data protection by design and by default, they compel the controller to “implement appropriate technical and

organisational measures and procedures” and to “implement mechanisms for ensuring that, by default, only

those personal data are processed which are necessary for each specific purpose of the processing…” The

commission preferred to describe the controller duties instead of setting legal status of data protection by design

and by default. It is very important to clarify the meaning of “data protection by design and by default,” focusing

on the true sense of these terms. On the other hand, it is as interesting to distinguish the expression “data

protection by design” from “data protection by default” and to find the actual meaning of each term, because the

phrase used by the commission seems to highlight a difference between the two terms. According to the text of

the article, it is clear that the commission shall consider “by design” and “by default” as different concepts, even if

they are used in the same sentence.

This approach seems quite different from the one officially used by the International Conference of Data

Protection and Privacy Commissioners, which last year adopted a resolution on Privacy by Design proposed by

Ontario, Canada, Information and Privacy Commissioner Ann Cavoukian.

In this context, the expression “Privacy by Design” is used to describe a method to deal with privacy issues in this

new era, where a correct approach to privacy is most valuable. In this respect, it should be said that in the EU legal

framework approach “by design” or “by default” the term “data protection” is used instead of “privacy.”

Furthermore, the commission’s proposal seems to pay a lot of attention to the technical and security aspects

instead of the legal concerns. The specific reference to “measures and procedures” seems oriented towards the

PETs (privacy-enhancing technologies), which are certainly important, but the future of privacy is Privacy by

Design. In conclusion, the hope is that the expression “by design and by default” will not represent a cutting-edge

movement or a system founded on technological and security support but a real, methodological approach to the

future handling of our privacy, according to the international commissioners’ statement, and to becoming a

worldwide privacy standard in the near future.

The right to judicial remedy against data controller

Article 75, Paragraph 2 provides that in case of infringements of data protection rights, “proceedings may be

brought before the courts of the Member States where the data subject has its habitual residence.”This article

also entails that jurisdictional and international issues will be also brought before the national courts, which will

decide on the compensation of damages of data subjects—requiring judges highly specialised both in EU data

protection law and in international issues, and even to decide in the event of an appeal of the decision of other

countries’ DPAs.

On the other hand, the new consistency mechanism increases the power of the European Commission a lot. It

becomes the ultimate supervisory authority on the protection of data subjects, with the power to suspend the

draft measures adopted by national DPAs through both the presence of serious doubts on their consistency with

the EU regulation and a reasoned decision. Furthermore, with regard to the cloud computing scenario analysed

above, more and more EU-based data subjects will be able both to access one national lead authority and to take

action against national courts of that country in which the main establishment is located. Lastly, as stated in

Paragraph 4 of Article 75, “all the Member States shall enforce final decisions by the courts.” This paragraph

underlines further consequences of the regulation draft adoption, both stronger free movements of judgements

on data protection and the need to assure the recognition of the judgments on data protection from other

countries’ courts.

Data protection officer requirement and its impact on the national laws

The EU legal framework introduces the data protection officer and, according to the article 35 of the proposal for

a regulation, this rule is mandatory if

processing is carried out by a public authority or body;

processing is carried out by an enterprise employing 250 persons or more;

core activities of the controller or the processor consist of processing operations which, by virtue of their

nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.

There is no doubt about the relevance of the choice to set up the data protection officer. This solution, strongly

hoped for by some Italian privacy professionals, shows how the European Commission has taken the data

protection officer into account, demonstrating that there is a great need to pay attention to privacy matters. It is

necessary for people dealing with privacy to have specific expertise and proficiency. This will obviously have

consequences on the national law that will need to be implemented to set up the data protection officer.

According to the EU legal framework, public bodies and enterprises will have a specific department for the

competence on privacy matters. Although not mandatory, the data protection officer rule should be regarded as

very important for organisations with less than 250 employees, too, because privacy is a fundamental right that is

not related to the size of a company. Furthermore, this measure would go in the direction of making the EU data

protection law more user-centred.

Data protection impact assessment requirement

A valuable concept introduced by the EU proposal is the assessment of the data protection impact. The main

reference is Article 33 of the proposal for a regulation, “where processing operations present specific risks to the

rights and freedoms of data subjects” the controller “shall carry out an assessment of the impact of the envisaged

processing operations on the protection of personal data.” Certainly the PIA (privacy impact assessment) is well-

known in the international context. Recently, EU public bodies began talking about impact assessments,

particularly about the PIA. The privacy legal framework in force (Directive 95/46/EC) does not contain reference to

the impact assessment, and there are only a few recent official European documents on this topic. Therefore, the

choice of the European Commission to include the data protection impact assessment in the proposal for a

regulation and directive is key. The aforementioned Article 33 describes when and how it is necessary to set up a

data protection impact assessment (DPIA).

Explicit consent requirement and navigation over the Internet

According to the aforementioned EU legal framework, Article 7, the controller shall acquire the data subject’s

consent for specified purposes and the “data subject shall have the right to withdraw his or her consent at any

time.” In this respect, Article 4 states that consent “means any freely given specific, informed and explicit

indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action,

signifies agreement to personal data relating to them being processed.” In case of minors, a “child below the age

of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child's parent or

custodian.” Last but not least, the provision about a right to be forgotten is very relevant in the Internet

environment, and this also guarantees users the right to withdraw their consent when “there are no other

legitimate grounds for retaining the data.”

The European Data Protection Board

The EU regulation shall establish a European Data Protection Board that, according to Article 66 of the proposal

for a regulation, “shall ensure the consistent application of this regulation...on its own initiative or at the request

of the commission.” This article describes different actions that the DPB can realise, and that it shall frequently

inform the commission about the outcome of its activities. Finally, it should be pointed out that this supervisory

authority will supersede the current Article 29 Working Party and it will play a relevant role in the consistency

mechanism to guarantee the unity of EU law application.

Conclusion

The European Commission’s proposal deserves to be appreciated especially because it addresses the main crucial

challenges for data protection law in a globalised world. However, a detailed analysis shows that this proposal

could use some amendments. Particularly, more attention should be paid to widespread involvement of all

stakeholders, especially multinationals and overseeing authorities, such as the U.S. Federal Trade Commission.

Furthermore, with respect to the extra-territorial jurisdiction of EU law, there is concern that all the provisions will

be considered mere theoretical principles by extra EU/EAA countries, without further international legal

agreements and worldwide cooperation, which will probably require an amended text in favor of the

enforceability of EU law.

Additionally, the implications of the DPA jurisdiction among the member states where the processor has the

registered office in one country while the data subject lives in another should be also considered; Likewise, the

rule of the EDPB (European Data Protection Board) should be deepened in order to avoid a European privacy body

depending only on the choices of “ivory tower” politicians who are far from the real privacy issues. Lastly, the

recent updating of the privacy policy by Google, Inc., seems to underline a relevant weakness in the worldwide

context of the new proposed regulation.

Fabio Di Resta is an attorney at Di Resta law firm where he specialises in data protection and ICT law. Nicola

Fabiano is an attorney at Studio Legale Fabiano; counsel at Panetta & Associati, and a Privacy by Design

Ambassador, and specialises in privacy and ICT.

Read more by Fabio Di Resta:

The European Commission’s new proposed regulation: From “equipment/means” to “directed to” criterion

Getting to know a privacy pro The Assistant General Counsel and Director of Data Privacy at Xcel Energy talks privacy, smart meters and New Year’s resolutions.

By Angelique Carson, CIPP/US

Megan Hertzler’s path to privacy was sort of an accident. Starting off at the Minnesota Attorney

General’s Office as counsel to the Minnesota Public Utilities Commission (PUC), she advised the

commission on matters relating to PUC regulation in the state, but, she says, there wasn’t a

great emphasis on customer privacy back in 1997. After working in private practice for a time,

Hertzler went to work for Xcel Energy in 2009 and, in response to significant data breaches being reported in the

media, got down to work on privacy pretty quickly.

“My chief information officer at the time was walking the hallways of the law department at about 7 p.m., and I

was the only attorney still working,” Hertzler remembers. “He came into my office and sat down and said, ‘We will

not be the next TJX,’ (a retailer whose 2007 data breach resulted in the theft of 45.6 million credit and debit card

numbers), and I had no idea what he meant. I thought, ‘I’ll Google it later.’ He told me that he was becoming more

and more concerned about what we needed to do to be proactive around data security and privacy, and he

wanted someone else to be up at night worrying about it, as he put it.”

When Hertzler focused in on the matter, she found that there was more to do than she originally imagined when it

came to data protection.

“It wasn’t that we were noncompliant, but we certainly were not being proactive in identifying

emerging privacy issues,”’ she said.

In 2010, Hertzler pitched to management that it create a position dedicated exclusively to

privacy, one Hertzler has held ever since. Writing her own job description was somewhat

difficult, she recalls, because there really wasn’t a model.

“It’s not usual for this type of stand-alone position to be a part of utilities’ standard operations,” she said. “I think

that will change because, more and more, utilities have to be thinking about privacy and data security proactively

in order to stay ahead of emerging data risks. And also, with the growing awareness of privacy issues for customer

energy use information, utilities will have to respond to a growing number of questions from regulators and

customers on their privacy practices. It is best if you have someone that is accountable for all of these issues.”

The Privacy Advisor caught up with Hertzler to ask about the key privacy challenges utilities are facing today—

namely as they increasingly deploy smart meters capable of capturing granular data on consumer energy usage—

to get her predictions on what 2012 will bring and to learn a bit more about the life of a privacy professional.

The Privacy Advisor: When it comes to privacy issues involving customer data, how should utilities get

proactive?

Hertzler: Privacy discussions need to occur at all levels of the organization so that business need and customer

expectations are both considered when developing internal policy. A good example of this for Xcel Energy was the

effort we made in 2010 around customer information, including their energy usage information. We formed an

internal task force made up of representatives from all the areas of the company where customer information was

collected, maintained or used. It was a very broad and diverse group of individuals.

The task force was charged with developing Xcel Energy’s privacy principles for customer information. We spent

10 months identifying the privacy issues Xcel Energy was facing, including, for example, how the company was

using customer information in providing service, how we would handle a request for the customer’s data and

whether our response would be different if the request was directly from a customer or from an unrelated third

party. By identifying these privacy issues and looking to the existing body of work around privacy, we developed

principles that accommodated Xcel Energy’s use of the information to provide service, allowed us to process the

data in a fair and transparent way, and maintain the trust our customers placed in us when they gave us the

information. We then translated these privacy principles into our company policies and procedures. For example,

we developed a data classification standard specific to customer information and a process for authorizing release

of customer information to third parties, including identifying necessary informed consent requirements.

Our task force also considered the big picture issues, such as the role Xcel Energy should play within the utility

industry in the area of customer privacy. When, prompted by the development of the Smart Grid, the Colorado

PUC later issued proposed customer information privacy rules in December of 2010, our internal privacy work

ensured that we were ready to provide the PUC with thoughtful, practical feedback, using our privacy principles as

the basis for our comments in that rulemaking.

The Privacy Advisor: Should we really be concerned with the privacy implications of smart meter data? Or is it

all hype?

Hertzler: It’s not hype. More granular energy data can reveal information on how energy is used in the home,

which in turn could identify routines or practices by the individual user.

Historically, utilities have typically afforded some level of privacy to the customer’s energy usage information.

What the implementation of smart meters and other advanced meter technology has changed is that the data has

more uses and is perceived to be more valuable to a broader group of interests. Once upon a time, no one would

have asked for energy usage information except to understand their own energy bill. Now, because the data is

much more granular, it has many more potential uses. We get quite a few requests from a variety of non-

customers for both individual and aggregated usage data to understand things like carbon footprints, the success

of energy efficiency programs or even possible criminal activity. Before releasing the data, we have to consider

who is making the request, what their relationship is to the customer, whether they have a legal authority to

compel the data and whether the possibility of that request is even transparent to our customers. Five years ago,

we weren’t even thinking about these issues because we were not getting these types of requests.

We have seen a lot of interest from our customers in our privacy practices based on the ongoing dialog around

these issues. YouTube has hundreds of videos on privacy and health issues for smart meters, including discussions

on whether these meters act as illegal surveillance devices on what people do in their home. What a scary idea. I

respond to many of these customer inquiries by providing assurances that we will only use the data to service, and

that we will not release this information to others except in limited circumstances, such as when we are legally

required or with the customer’s knowledge and consent.

One thing to keep in mind is that utilities “get” the importance of maintaining trust with their customers.

Electricity is an essential service. It is also a highly regulated service, with considerable oversight by state and

federal agencies. This puts us in a very different posture from some other industries. We collect and use customer

information to provide electric service. We are not collecting data so that we can sell it to others for their business

purposes. Instead, our focus is to implement privacy controls (such as transparency and consent) that we believe

provide appropriate privacy protections and make the release of data for non-utility purposes subject to law or the

customer’s choice.

The Privacy Advisor: Will 2012 be the year that utilities really get it right when it comes to smart meter

privacy?

Hertzler: We are going to hear a lot more about this issue in 2012. For example, the National Association of

Regulatory Utility Commissioners (NARUC) issued a statement last summer recommending that all state

regulatory commissions consider privacy in the context of information collected from smart meters and advanced

metering technology. I believe that this recommendation has started a domino effect that we will start to realize

in 2012. Prior to NARUC’s announcement, a handful of states, such as California and Colorado, were already

proactively looking at the privacy implication of smart meter deployment. But the NARUC announcement really

put this topic on the map. I would expect that in 2012 you will see even more dialogue around smart meter

deployment and privacy among federal agencies, state regulatory commissions, regulated utilities and other

stakeholders. In fact, the recent IAPP web conference on smart grid privacy in which I participated was part of the

dialogue. Each state will make a determination as to what the outcome of this dialogue will be, but the hope is for

a fairly uniform approach to privacy and smart meter deployment issues across state lines.

The Privacy Advisor: Okay, enough about smart meters. If you weren’t working in privacy, what would you do

for work?

Hertzler: I would try and talk myself onto Anthony Bourdain’s “The Layover” so I could go around the world, eat,

drink and talk about how great—or not—the particular local cuisine was. I think his honest, unfiltered assessment

of the food he tries on the show is refreshing. I also like his wicked sense of humor.

The Privacy Advisor: Are you big on privacy in real life?

Hertzler: While I deal with social media issues at work, in my personal life I am not on Facebook or Twitter, and I

still mail my bills. My family and friends have offered to set up a Facebook or a LinkedIn account for me, thinking

that my absence from social media is a time issue rather than a deliberate avoidance in my personal life. Their

conclusion that I don’t have time probably has a lot of merit. My life is full. In other words, this choice of mine may

not be so much a principle as a survival mechanism.

The Privacy Advisor: Have you had good mentors within your career?

Hertzler: I’ve had fantastic mentors in my career, including with my present employer. I don’t think you can

advance in a career without the benefit of having people invest in you and share with you their wisdom, and so I’ve

been really fortunate. I would say early on in my career, when I was a law student, I had a woman attorney who

mentored me at a time when I really needed someone to provide me with perspective on my career, and that

experience was incredibly valuable to me. Once I graduated, we moved on to a less formal mentor relationship, to

more of a friendship role. She said, “You need to mentor others. That is all I am asking you to do in recognition of

what I’ve done for you.” I’ve mentored law students and non-lawyers throughout my career to give back, and

found the process extremely rewarding.

The Privacy Advisor: Any New Year’s resolutions?

Hertzler: It’s sort of a developmental goal for me this year: I am signed up for CIPP certification, even though I had

promised myself after taking the bar exam that I would never take another test again. My goal is to pass the exam

with a solid score. Wish me luck!

Elevating data privacy within governments

The Privacy Advisor asks the OECD’s Andrew Wyckoff to expound

During remarks at an event in Mexico City in November, the Organisation for Economic Co-operation and

Development’s (OECD) director of science, technology and industry, Andrew Wyckoff, said the matter of data

privacy needs to be elevated within governments.

The OECD event, “Current Developments in Privacy Frameworks: Towards Global Interoperability,” was held in

conjunction with the 33rd International Conference of Data Protection and Privacy Commissioners.

The Privacy Advisor caught up with Mr. Wyckoff to ask some follow-up questions.

The Privacy Advisor: Has data privacy moved into the upper tier of any governments? In which jurisdictions

does it seem to have the most elevated status?

Wyckoff: With the growing prominence of the Internet economy, social networking and data breaches that affect

millions, the importance of data privacy has grown and has begun to extend beyond privacy specialists to leaders.

As Secretary-General of the OECD Angel Gurría said at the ministerial meeting on the Future of the Internet

Economy, “The currency of the Internet economy is personal information.”

The growing visibility of this issue is reflected in an OECD report released in 2011 that documents the dramatic

change of scale in terms of the role of personal data in our economies, societies and, of course, our lives over the

last 30 years. This report notes that OECD members agree on the need to elevate the importance of privacy to

the highest levels in governments through national privacy strategies. The OECD signaled a high-level

commitment to this idea when the OECD secretary-general delivered remarks for a conference on Privacy

Frameworks in November 2011.

Privacy frameworks, however, are in flux around the world. A number of governments are conducting reviews of

existing legislation, others are agreeing to new legislation and still others are working on whole-of-government

national strategies. The reviews at the international level, at the EU and Council of Europe as well as OECD, signal

a greater sense of urgency to better adapt privacy to the realities of modern data protection.

The Privacy Advisor: Whose job is it to bring data privacy matters up on governmental agendas?

Wyckoff: Governments face a wide and difficult array of policy challenges today. Pushing privacy up the priority

list is not easy—in part because its cross-cutting nature implicates so many aspects of government and the private

sector. All stakeholders must raise awareness about the pressing need for greater attention to this issue. The

OECD’s recent Recommendation on Internet Policy Making contains a principle on the importance of engaging all

stakeholders in the policy-making process. This engagement is key to ensuring effective policies. Each

stakeholder group can raise the visibility and attention within its own community, the combined effect of which

will raise visibility of privacy on governmental agendas.

The Privacy Advisor: In a separate session in Mexico City, New Zealand Privacy Commissioner Marie Shroff

suggested that in the age of big data, data protection authorities (DPAs) should move into more of a leadership

role and be “motivators of governments and businesses.” Do you agree with this? If so, how can DPAs motivate

their governments to focus on privacy and data protection when so many seemingly more important concerns

persist?

Wyckoff: Data protection authorities—we call them privacy law enforcement authorities —play a vital role in

making privacy regimes effective. In 2007, the OECD produced a Council Recommendation to address the role of

these authorities and, more particularly, to improve cross-border co-operation in the enforcement of privacy laws.

But, as Commissioner Shroff suggests, these authorities can also play an important role in raising the visibility of

privacy among governments and businesses. One method for enhancing their visibility is to work together to

share best practices and collectively call attention to pressing issues. In terms of their international role, we have

sought to involve these authorities directly in the policy making work at the OECD by inviting the International

Conference of Data Protection and Privacy Commissioners as an observer to our Working Party on Information

Security and Privacy. This gives privacy authorities an independent voice at the OECD table alongside

government authorities—as well as business, civil society and the technical community—and an opportunity to

impress on policy makers their perspective on the issues.

—IAPP Staff

CANADA—Bill would require TSPs to facilitate lawful interception

By John Jager, CIPP/US, CIPP/C

On February 14, the government of Canada introduced a bill in the House of Commons that, if

passed, will require telecommunications service providers (TSPs) to implement capabilities to

facilitate lawful interception of information transmitted by telecommunications and to provide

basic information about their subscribers. As stated in Section 3, Bill C-30, entitled The

Protecting Children from Internet Predators Act, has as its purpose to “ensure that telecommunications service

providers have the capability to enable national security and law enforcement agencies to exercise their authority

to intercept communications and to require telecommunications service providers to provide subscriber and other

information, without unreasonably impairing the privacy of individuals…” The bill requires TSPs to “provide

intercepted communications to authorized persons” and “provide authorized persons with the prescribed

information that is in the possession or control of the service provider respecting the location of equipment used

in the transmission of communications.” This requirement extends to communication where the intercepted

communication is “encoded, compressed, encrypted or otherwise treated by the telecommunications service

provider.” In such a case, the TSP must provide the communications in the form it was before it was treated, but

the bill provides an exemption if the TSP would be required to develop or acquire decryption techniques or tools.

All current and future software for any transmission apparatus must have the capability to meet the requirements

of the bill. The minister, at the request of the Royal Canadian Mounted Police (RCMP) or the Canadian Security

Intelligence Service (CSIS), may order a TSP to comply with a number of obligations under the bill, including to

meet an operational requirement in respect of transmission apparatus operated by the service provider that it

would not otherwise be required to meet. In such a case, the bill provides that the RCMP or CSIS must pay the TSP

an amount—that the minister considers reasonable—towards the expenses considered necessary—by the

minister—that the TSP will incur to comply.

On written request by a designated person, which includes the RCMP, CSIS and police departments, the TSP must

provide the identifying information in respect of the name, address, telephone number and electronic mail

address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol

address and local service provider identifier that are associated with the subscriber’s service and equipment. In

certain circumstances, such request may be made orally. No warrant or court order is required for a designated

person to make such a request to the TSP.

Wilful violations of the obligation to implement the capability to intercept communications may result in fines up

to a maximum of $500,000.

The bill has created, not surprisingly, a fair amount of negative reaction. The opposition parties strongly

expressed their concern about this bill, and media coverage has generally focused on the warrantless intrusion

into the online private lives of individuals. As the Conservative government of Prime Minister Stephen Harper has

a majority in both Houses, it is likely the bill will pass in much the same way it was tabled.

John Jager, CIPP/US, CIPP/C, is vice president of research services at Nymity, Inc., which offers Web-based privacy

support to help organizations control their privacy risk. He can be reached at john.jager@nymity.com.

FRANCE—CCTV systems diverted by employers

By Pascale Gelly, CIPP/E, and Caroline Doulcet

In two recent decisions, employers have been reminded of the limits of the use of CCTV systems in the workplace.

Following a complaint made by employees, the CNIL made an onsite investigation of a rather small company of

eight employees specializing in the supply of IT equipment for healthcare professionals. This company had

implemented no less than eight cameras with microphones and speakers on its premises; seven of them were

placed in rooms not available to the public—the workshop; the employees’ offices, where the cameras focused on

the computer screens and the employees themselves; the meeting room; the kitchen, and the corridor leading to

the offices.

These devices had actually been notified to the CNIL, as required by French data protection law. However, the

CNIL found in the course of its investigation that, contrary to what had been specified in the notification form, the

company did not use the CCTV to ensure the security of people and goods but to constantly monitor the activity

of employees by watching and listening to them all day long.

The CNIL, in its findings, pointed not only to this diversion of purpose of the CCTV devices but also to their

particularly disproportionate and intrusive use. It also noted, among others, the lack of retention policy for the

recordings and the lack of notice to employees. This resulted in a formal notice from the CNIL to the employer to

modify its devices within a given timeframe—here, six weeks. The CNIL decided to use its new power to publicize

its decision because of the seriousness of the breach, although no sanction has been decided yet, since the so-

called “litigation phase” before the CNIL will begin only if the company fails to comply within the allocated

timeframe.

The Supreme Court also had to deal with the issue of diversion of purpose of a CCTV device. In order to control

the working hours of its employees—cleaning staff working at a client’s site—a company had obtained from that

client the recordings of its CCTV cameras and used them to verify at which time the employees came in and out

and to make consistency checks with the entry logbook kept by the team manager.

On January 10, the Supreme Court (Social Chamber) considered such recordings as unlawful evidence. Indeed, the

purpose of the clients’ CCTV system was to ensure the security of people and goods, not to monitor employees.

Moreover, the concerned employees had not been informed of this CCTV system for monitoring purposes.

These two decisions show that, in France, the use of CCTV in the workplace is under stringent restrictions and

must be handled with care to remain within acceptable limits.

Pascale Gelly, CIPP/E, of the French law firm Cabinet Gelly, can be reached at pg@pascalegelly.com.

Caroline Doulcet, of the French law firm Cabinet Gelly, can be reached at cd@pascalegelly.com.

FRANCE—European regulation proposal under review at Parliament

By Pascale Gelly, CIPP/E, and Caroline Doulcet

On February 7, the Commission of European Affairs of the National Assembly—House of the Parliament elected

by the French people—has adopted a draft resolution in reaction to the proposal for European regulation on the

protection of personal data. It welcomes the objectives of modernization, harmonization and simplification of the

draft European regulation and the stress put on greater accountability of data controllers.

It acknowledges also a certain number of measures such as the right to be forgotten; the right to data portability;

consent based on positive action as opposed to silence or inaction, and mandatory appointment of DPO in public

sector and for companies above 250 employees.

However, the resolution points to provisions raising economical, political and legal concerns.

Some concerns are actually shared with the CNIL, the French Data Protection Authority—such resolution is in line

with the concerns previously raised by the CNIL—in particular regarding the competence given to the supervisory

authority (DPA) of the country of the main establishment of the data controller in the EU. The Commission of

European Affairs considers that DPAs must remain close to citizens, who must be provided with easy and rapid

means to defend their rights in their own country. It supports the alternative that a member state’s DPA must be

competent over any processing targeting specifically the population of that member state, wherever the data

controller is established.

The process of cooperation between DPAs, as described in the draft European regulation, is not sufficient to

provide effective and rapid solutions to data protection issues. For example, it is noted that in case of a security

breach, impacting several member states but notified only to the DPA having jurisdiction, it is not required that

such DPA informs the others. Concerns are also expressed with respect to sensitive data processing which would

require a “strengthened” cooperation for a more rigorous control.

It is also noted that with the centralization of powers in the hands of the European Commission, exclusively

competent for specifying the guidelines and implementation rules of the draft European regulation, the powers of

the DPAs will be necessarily limited. According to the Commission of European Affairs, a better balance should be

struck because of DPAs’ technical expertise on such matters.

The resolution is also in favor of stronger controls around international data transfers by preserving the possibility

for DPAs to provide prior authorizations.

Members of Parliament finally wish for the adoption of international instruments for the protection of personal

data beyond the geographic sphere of the European Union and call upon the French government to make sure

that the future, European framework better protects French citizens.

Similar review work is now ongoing at the Senate, the other house of the French Parliament, where a resolution

will be drafted and discussed on March 6.

Pascale Gelly, CIPP/E, of the French law firm Cabinet Gelly, can be reached at pg@pascalegelly.com.

Caroline Doulcet, of the French law firm Cabinet Gelly, can be reached at cd@pascalegelly.com.

FRANCE—Unlawful e-marketing campaign

By Pascale Gelly, CIPP/E, and Caroline Doulcet

The real-estate sector has once again caught the attention of the CNIL for questionable privacy practices. A

company had been sending text messages to numerous private property owners, without their consent, in order

to offer its real-estate analysis services. Several owners filed a complaint with the CNIL after having been unable

to unsubscribe several times.

After an onsite investigation, the CNIL found that the property owners’ contact details had been purchased from

providers of online real estate services who had merely captured advertisements. These were not opt-in lists of

contact details.

The CNIL pointed out that the company concerned, as a data controller, had to verify whether the contacts details

lists were opt-in. The real estate company could not hide behind the seller of the lists.

Moreover, the privacy notice provided to individuals was not compliant. The company unsuccessfully argued that

the elements of information legally required were too long to be included in text messages. The CNIL could refer

to other companies that managed to make the notice fit in one or two messages.

The CNIL noted also that the only means provided to data subjects to unsubscribe were not free of charge—need

to send a text message or to call a number—and not effective. Indeed, the requests for unsubscribing were not

taken into account by the company.

The CNIL sentenced the company to a pecuniary sanction of €20,000 and published its decision on the Internet.

Pascale Gelly, CIPP/E, of the French law firm Cabinet Gelly, can be reached at pg@pascalegelly.com.

Caroline Doulcet, of the French law firm Cabinet Gelly, can be reached at cd@pascalegelly.com.

GERMANY—Model consent and release from professional secrecy for the insurance

industry

By Flemming Moos

The Duesseldorfer Kreis, an informal association of the German data protection supervisory

authorities, and the German Insurance Association (GDV) have published an official model

consent and release from professional secrecy declaration for insurance companies. Such a

declaration is required whenever personal health data relating to an insured person or an

applicant shall be collected from third parties like hospitals and physicians, which is normally done for purposes of

risk assessment or verification of liability. The Duesseldorfer Kreis requests all insurance companies to replace

their currently used templates by declarations based on the model declaration.

A consent and release from professional secrecy is necessary because, under German law, the collection,

processing and use of personal health data relating to an insured person is subject to the conditions enshrined in

Sec. 213 Insurance Contract Act (Versicherungsvertragsgesetz), which requires opt-in consent.

The model declaration by the Duesseldorfer Kreis and the GDV provides for a certain extent of legal certainty in

this respect—especially as the German data protection supervisory authorities have agreed to them. This is

positive because, in practice, many of the consent wordings used by insurance companies in the past have not

been sufficient. Therefore, it is recommended to replace the currently used declarations. Yet, the model

declaration—even though it is eight pages long—still needs to be adapted to the particular case. Adaptions are

necessary in order to correctly reflect the data processing steps that actually take place at the individual insurance

company using the declaration; e.g., data collections from certain sources, data transfers to other group

companies and service providers, etc. Also, it must be indicated which health data are collected, processed and

used for which purpose. If the model declaration is not adapted carefully, considering all requirements under Sec.

213 Insurance Contract Act and the additional data protection law provisions, the consent and release from

professional secrecy declaration might be invalid and the processing of the health data would be unlawful.

Flemming Moos is a partner at Norton Rose in Germany and a certified specialist for information technology law. He

chairs the IAPP KnowledgeNet in Hamburg and can be reached at flemming.moos@nortonrose.com.

ITALY—Simplification interim law decree impact on DPS

By Rocco Panetta

On January 27, the interim law decree on urgent measures on simplification and development,

known as the “Simplification package,” was adopted by the Italian government. It provides for

further amendments toward the Legislative Decree of June 30, 2003, n. 196—the Personal Data

Protection Code. This is the third change in the data protection legislation passed in the last 12

months in Italy. The Simplification package, due to its nature of interim rule, should be confirmed by the

Parliament within 60 days; otherwise, it will expire with no further effect. At the time of this writing, it is also still

pending the publication of the Simplification package on the Italian Official Gazette. As a consequence, the

interim rule is formally not yet in force, and we have been provided with a provisional draft only.

However, if confirmed by the Parliament, the Simplification package would introduce into the system significant

changes with respect to one important data protection obligation and requirement: the security policy document

(DPS). In fact, according to the draft version of Section 47 of the Simplification package, “Paragraph 1, Letter G

and even Paragraph 1-bis of Section 34 are deleted,” and “within the technical specifications concerning minimum

security measures, referred to in Annex B, Paragraphs from 19 to 19.8 and 26 are cancelled.” In turn, Section 34 of

the code in force set forth that the personal data processing carried out throughout electronic means is only

allowed if all required minimum security measures are adopted, including the “keeping an up-to-date security

policy document.”

According to the Simplification package’s amendments, the data controller will no longer have to comply with the

duty of keeping and updating the DPS, since such a document would not represent any more a minimum security

measure that the data controller is required to comply with and adopt “in order to ensure a minimum level of

personal data protection.”

What such amendments imply

Under a practical point of view, the immediate effect of such a change—we recall again that the law decree will

come into force only after its publication on the Italian Official Gazette and for an interim period of 60 days until

the confirmation of the Parliament by means of the approval of an ad-hoc law—would imply the cancellation of

the mandatory obligation to draw up, keep and update the DPS on an annual basis every March 31.

Does such a change represent a substantial simplification in terms of security measures?

Under a general point of view, yes. Unfortunately, the DPS is just one of the various material activities required,

and its deletion does not imply any decreasing of the level and number of all mandatory requirements, obligations

and suggestions provided for by the code with respect to personal data processing and relevant security measures

to be adopted. In other words, each of us is aware about the function of the DPS; it has been and it is still a sort of

summon or picture of privacy policy adopted within and by a company.

Once prepared and rolled out, the DPS is a helpful tool aimed at providing to data protection officers, data

processors and persons in charge of data processing useful guidance that lists and collects all mandatory policies

and measures to be adopted.

In case of confirmation of the Simplification package, the DPS will be no longer required, but the relevant policies,

measures, requirement and obligations underneath and duly described in and attached to it will still be. More in

detail, we want to point out that, even though the DPS and related reference section of Annex B of the code

would be definitively cancelled, the further legal requirements that the data controller must comply with are still

all mandatory for all companies.

Can the company set definitively aside the DPS and its content?

The answer is yes in principle but no in concrete. In fact, our suggestion is not to definitely set aside a useful and

virtuous document like the DPS, especially for those companies that have invested time and money in it for years.

For sure, we will take benefits from the abolition of the annual updating, so that in the future we will be free from

being required to update the DPS by March 31—and running to meet the deadline. But, we want to recall once

again the purpose of such a document.

The DPS describes the organizational and management structure of the company as well as providing a clear

description of all kinds of personal data processed—common, sensitive or judicial data, and describes accurately

all kind of security measures—organization, physical, logical and informatics, which must be adopted by each

company. Therefore, even though the DPS could no longer represent a mandatory requirement for the data

controllers in the near future, its drafting and updating represent always the optimal vehicle in order to

summarize and consider all the existing security measures within each company, which otherwise would be

illogically allocated within the different functions of the company, and in absence of the DPS, their reviewing and

natural/necessary updating would become time- and cost-consuming activities.

At the same time, it is also the optimal vehicle in order to allow the specialized corps of the financial and fiscal

police—which are in charge of checking compliance with the provisions of Data Protection Code—to carry out

easily the due inspections with a strong reduction of risks of noncompliance for the company.

In conclusion, our opinion is that Section 47, Letters B and C of the Simplification package, if confirmed, would

likely generate a visible dyscrasia and confusion in the system rather than simplifying the personal data protection

requirements. In other words, the Italian legislature could have simplified the DPS’s drafting rather than excluding

it from the minimum security measures.

Our suggestion is, however, to always save and keep best practices in use within the company in order to avoid

the risk of severe sanctions—administrative and criminal—and/or request of compensations for data breaches and

relevant noncompliance with legislation in force at a national and EU level.

Rocco Panetta is an Italian lawyer and partner of Panetta & Associati Studio Legale in Rome. He is the former head

of legal at the Italian Data Protection Authority and a member of the IAPP Europe Advisory Board.

POLAND—Reform of Polish data protection law

By Joanna Tomaszewska

The amended provisions of the Polish Data Protection Act of 29th August 1997 entered into

force on 1 January. These reforms were necessitated by the enactment of new rules governing

the exchange of information between the law enforcement authorities of EU member states.

Transfers of personal data to third countries

The most significant changes to the act concern the provisions governing the transfer of personal data to third

countries; i.e., outside European Economic Area. Pursuant to the newly worded provisions, transfers of personal

data to a third country may only occur if the country of destination ensures an adequate level of personal data

protection in its territory. The amendment removes previous references to guarantees of the protection of

personal data at least the same as that in force in the territory of Poland. The criterion of an “adequate level of

protection” has been clearly defined—implementing the wording of Article 25 Paragraph 2 of the directive

95/46/EC.

Accordingly, the act clearly states that the adequacy of the level of personal data protection should be evaluated

taking into account all the circumstances concerning a data transfer operation, in particular the nature of the

data, the purpose and duration of the proposed data processing operations, the country of origin and the country

of final destination of the data as well as the legal provisions being in force in a given third country and the

security measures and professional rules applicable in that country. Despite this amendment, it seems that these

changes will not have a considerable impact on the practice of the Polish Data Protection Authority (DPA) when

evaluating an application seeking permission to transfer personal data to a third country which does not ensure an

adequate level of protection—a so-called DPA permit. This is due to the fact that the legislative provisions

governing DPA permits still refer to the transfer of personal data to a third country which fails to ensure at least

the same level of personal data protection as that in force in the territory of Poland.

Exception from the duty to register with the DPA

Other changes to the act include the introduction of an exception from the duty to register a data filing system

with the DPA where such data is processed by relevant organs on the basis of provisions governing the exchange

of information between the law enforcement authorities of EU member states.

Personal data of persons conducting economic activity

1 January also witnessed the repeal of earlier legal provisions of the Law on Economic Activity stating that

personal data; i.e., personal data of entrepreneurs being physical persons, contained in the business activity

register—now replaced by the central record on economic activity—fell outside the scope of protection of the act.

Therefore, currently, information identifying persons conducting economic activity, if in factual circumstances,

they constitute personal data within the meaning of the act, are subject to the provisions of the act.

Consequently, controllers of personal data of persons conducting economic activity will need to ensure that such

processing is done in compliance with the act. These would appear to be the most important practical changes

having entered into force in 2012.

Joanna Tomaszewska is an associate in the Intellectual Property, New Technologies and Protection of Information

Department of Spaczyński, Szczepaniak&Wspólnicy, Warsaw Office. She has experience in data protection and

privacy law, information technology law, media and advertising and intellectual property matters. She can be

reached at joanna.tomaszewska@ssw.pl.

Government agencies given tools for assessing third-party websites

By Jedidiah Bracy, CIPP/US

With the increased use of mobile devices, parts of both the healthcare and marketing sectors are

offering ways to increase user awareness of the privacy and security of personal information by

offering best practice guidance and recommendations for user-friendly language in policy

statements.

As part of its Privacy and Security Mobile Device project, the National Coordinator for Health Information

Technology’s Office of the Chief Privacy Officer, together with the U.S. Department of Health and Human

Services’ (HHS) Office for Civil Rights, is developing “good practices” to increase health information security on

mobile devices.

The project builds on the existing HIPAA Security Rule-Remote Use Guidance. “There have been a number of

security incidents,” states the security rule, “related to the use of laptops, other portable and/or mobile devices

and external hardware that store, contain or are used to access Electronic Protected Health Information under the

responsibility of a HIPAA-covered entity.”

In addition to providing privacy and security “good practices,” the project aims to communicate its findings to

healthcare professionals in streamlined and readable text.

HHS officials are also looking for input and will be hosting a roundtable on the subject in the coming months.

Similarly, after receiving industry input during a public comment period that ended last November, the Mobile

Marketing Association (MMA), a mobile industry trade association, has released finalized guidelines that provide

developers with a framework to promote more secure user experiences.

The MMA states that more than 58 percent of U.S. mobile device users are concerned about unauthorized access

to their personal information.

MMA Global CEO Greg Stuart said, “Mobile app developers asked for clear, transparent policy language that

consumers can quickly and fully understand.” The release, he says, is “the first in a series of privacy policy

guidelines that the MMA is creating with input from industry leaders” to give “the app development community

the meaningful support they need.”

The MMA Mobile Application Privacy Policy guidelines offer streamlined recommendations revolving around

“core privacy principles” and easy-to-read language for consumers. Among their suggestions, the guidelines offer

ways to educate consumers on how their data is collected and used as well as ways to appropriately secure the

collected data.

In a statement, MMA Privacy & Advocacy Committee Co-Chair Alan Chapell, CIPP/US, said, “Our guidelines offer

developers the foundation from which to craft a document that reflects the privacy practices of each of their apps

and helps them stay in compliance with applicable law and industry standards,” adding, “We urge app developers

to consult with their legal counsel when adapting these guidelines for their purposes.”

Grant helps professors create data-masking technology to ease tension between research

needs and privacy laws

By Angelique Carson, CIPP/US

Medical researchers often contend with a competing requirement when it comes to progress:

protecting privacy. Under the Health Insurance Portability and Accountability Act (HIPAA),

healthcare providers, health insurers and healthcare clearinghouses often have to obtain

additional documentation before disclosing health information to outside parties, making

researchers’ data collection practices cumbersome.

Thanks to a National Institutes of Health (NIH) grant and two researchers at the University of Massachusetts

Lowell’s Manning School of Business, some of that difficulty may soon be resolved.

The $700,000 NIH grant will help Profs. Xiaobai Li and Lutvai Motiwalla and two assistants create technology that

will resolve the tensions between adequate healthcare privacy provisions and research needs.

Called data-masking technology, it will allow researchers to access more meaningful data without having to

comply with rigid consent requirements under HIPAA. Healthcare providers must remove 18 points of sensitive

data—such as names, Social Security numbers and dates of birth before releasing information, unless an

established legal agreement precludes such requirements. But with data-masking technology, only five or six data

points must be removed.

“So it improves data quality, because more variables are released,” said Motiwalla. “It’s a win-win for both the

people sharing (the data) as well as people who are using the data for analysis, because the people releasing it

don’t have to be afraid of data compliance, and identity cannot be revealed.”

While data that’s been de-identified according to HIPAA’s standards can lawfully be shared without specific

authorizations, such data often proves less useful in conducting meaningful, comprehensive research, the

professors said.

“To analyze the data, you need to provide information,” said Li. “But at the same time, you want to protect the

individuals—like patients or even doctors. That’s the kind of tension that we try to address.”

The entire process starts with the data controller.

“So if a researcher wants data from a hospital, the hospital will run through the query and remove data from the

database,” Motiwalla explains. “Then, our software would be applied to the data, which would then mask it, and

the masked data would be released to the third party.”

Data masking is different from encryption, however, and addresses a problem thus far unresolved.

“If you encrypt the data, you cannot do any statistical analysis,” said Li.

Data masking can work in a couple of different ways. One is called statistical protobation. By either applying

statistical methods to the data or, for example, adding the same number to each data subject’s age, the data is no

longer a true value, but statistical. Alternatively, data swapping can be used, in which one person’s age, for

example, would be swapped with another in the database.

“So what is released of the data, in terms of age or date of birth, will not be a true value but in terms of a statistical

property data, it’s still the same,” Motiwalla said. Data can also be generalized so that instead of a street address,

a zip code with the first four digits truncated is used.

Motiwalla and Li are now in the process of collecting patient data available under HIPAA laws in order to identify

vulnerabilities. They hope to collect data from organizations in sectors other than healthcare as well, as data

masking could potentially be employed for myriad applications in a number of sectors, including for non-research

purposes, such as simply to keep databases safe from hackers or data loss.

Motiwalla and Li encourage organizations interested in getting involved to contact them.

In the end, say Motiwalla and Li, their purpose is to find a way for research to thrive while still maintaining

appropriate privacy protections for individuals.

“With data masking, that balance is possible,” said Li.

Marketing and healthcare sectors developing mobile device guidance

By Jedidiah Bracy, CIPP/US

With the increased use of mobile devices, parts of both the healthcare and marketing sectors are

offering ways to increase user awareness of the privacy and security of personal information by

offering best practice guidance and recommendations for user-friendly language in policy

statements.

As part of its Privacy and Security Mobile Device project, the National Coordinator for Health Information

Technology’s Office of the Chief Privacy Officer, together with the U.S. Department of Health and Human

Services’ (HHS) Office for Civil Rights, is developing “good practices” to increase health information security on

mobile devices.

The project builds on the existing HIPAA Security Rule-Remote Use Guidance. “There have been a number of

security incidents,” states the Security Rule, “related to the use of laptops, other portable and/or mobile devices

and external hardware that store, contain or are used to access Electronic Protected Health Information under the

responsibility of a HIPAA-covered entity.”

In addition to providing privacy and security “good practices,” the project aims to communicate its findings to

healthcare professionals in streamlined and readable text.

HHS officials are also looking for input and will be hosting a roundtable on the subject in the coming months.

Similarly, after receiving industry input during a public comment period that ended last November, the Mobile

Marketing Association (MMA), a mobile industry trade association, has released finalized guidelines that provide

developers with a framework to promote more secure user experiences.

The MMA states that more than 58 percent of U.S. mobile device users are concerned about unauthorized access

to their personal information.

MMA Global CEO Greg Stuart said, “Mobile app developers asked for clear, transparent policy language that

consumers can quickly and fully understand.” The release, he says, is “the first in a series of privacy policy

guidelines that the MMA is creating with input from industry leaders” to give “the app development community

the meaningful support they need.”

The MMA Mobile Application Privacy Policy guidelines offer streamlined recommendations revolving around

“core privacy principles” and easy-to-read language for consumers. Among their suggestions, the guidelines offer

ways to educate consumers on how their data is collected and used as well as ways to appropriately secure the

collected data.

In a statement, MMA Privacy & Advocacy Committee Co-Chair Alan Chapell, CIPP/US, said, “Our guidelines offer

developers the foundation from which to craft a document that reflects the privacy practices of each of their apps

and helps them stay in compliance with applicable law and industry standards,” adding, “We urge app developers

to consult with their legal counsel when adapting these guidelines for their purposes.”