Privacy and social networks

This article discusses the complex relationship between social networks and the EU Data Protection Directive (95/46/EC). After a concise introduction to the general privacy impact of social networks, it discusses how the Directive applies to users and operators of social networks and social network applications. Particular attention is drawn to the scope of the Directive (including the “household” exception), the obligations imposed on data controllers, the interpretation of the Directive by Working Party 29, as well as the difficulties that are encountered when applying the aging Directive to the technological reality of today’s social networks.     

Allocating responsibility among controllers,processors, and “everything in between”: the definition of actors and roles in Directive 95/46/EC

In Opinion 1/2010, the Article 29 Data Protection Working Party has provided additional guidance concerning the concepts of ‘controller’ and ‘processor’ contained in Directive 95/46/EC. This guidance aims to assist practitioners in their determination of whether an entity is acting as a controller or as a processor towards a particular data processing operation. Despite the fact that this opinion is informative, the existing framework still appears to leave room for a considerable amount of legal uncertainty. This uncertainty is attributable in part to the nature of the existing concepts, but also (and perhaps to a larger extent) to their apparent misalignment with current processing realities. In this paper, the author seeks to articulate why the existing concepts often remain difficult to apply in practice, in order to enable a constructive reflection on how these issues might be addressed in the future.     

The proposed data protection Regulation replacing Directive 95/46/EC: A sound system for the protection of individuals

The recent release by the European Commission of the first drafts for the amendment of the EU data protection regulatory framework is the culmination of a consulting and preparation process that lasted more than two years. At the same time, it opens up a law-making process that is intended to take at least as much time. The Commission has undertaken the herculean task to amend the whole EU data protection edifice, through the introduction of a General Data Protection Regulation, intended to replace the EU Data Protection Directive 95/46/EC, and a Police and Criminal Justice Data Protection Directive, intended to replace the Framework Decision 2008/977/JHA. This paper shall focus at the replacement of the EU Data Protection Directive by the draft General Data Protection Regulation. Due to the fact that the draft Regulation is a long (and ambitious) text, a selection has been made, with the aim of highlighting its treatment of basic data protection principles and elements, in order to identify merits and shortcomings for the general data protection purposes.     

The data protection framework decision of 27 November 2008 regarding police and judicial cooperation in criminal matters – A modest achievement however not the improvement some have hoped for

After more than three years in the making, that have witnessed much controversy, several working texts and at least two altogether different versions, the Data Protection Framework Decision “on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters” (hereafter, the DPFD) was finally adopted on 27 November 2008. The DPFD was supposed to be celebrated as the Data Protection Directive equivalent in European law enforcement (Third Pillar) processing. However, since its formal adoption, and even before that, data protection proponents (the European Data Protection Supervisor, the Article 29 Working Party, national Data Protection Commissioners, NGOs) lamented its adoption as the result of changes that ultimately compromised data protection. Is the DPFD a disappointment to the great expectations that accompanied its first draft, back in 2006? An attempt to address this question shall be undertaken in this paper.     

The Future of Consumer Web Data: A European/US Perspective

The article considers the subject of clickstream data from aEuropean/US perspective, taking into account the Data ProtectionFramework (Data Protection Directive 95/46/EC; Directive onPrivacy and Electronic Communications 2002/58/EC) and the USlegal framework and in particular, the Wiretap Act U.S.C. 2701(2004) and related statutes. It examines the extent to whichclickstream data is considered "personal data" within the DataProtection Directive and the implications to consumers and businesses.     

Spanish Supreme Court provides limited relief for data controllers

Earlier this year the Spanish Supreme Court gave judgment on an application to annul the data protection regulations set out in Royal Decree 1720/2007 and to refer the Spanish implementation of the Data Protection Directive to the European Court of Justice. The application was partially successful. Some sections of the Royal Decree have been annulled but much of it was upheld. The Supreme Court also referred the Spanish implementation of the legitimate interests processing condition (art. 7(f) of the Data Protection Directive) to the European Court of Justice. The European Court of Justice’s decision could have a material impact on data controllers in Spain. If the legitimate interest condition is finally recognised it should make data protection compliance significantly easier.     

“In the public interest”: The privacy implications of international business-to-business sharing of cyber-threat intelligence

This article reports on preliminary findings and recommendations of a cross-discipline project to accelerate international business-to-business automated sharing of cyber-threat intelligence, particularly IP addresses. The article outlines the project and its objectives and the importance of determining whether IP addresses can be lawfully shared as cyber threat intelligence.The goal of the project is to enhance cyber-threat intelligence sharing throughout the cyber ecosystem. The findings and recommendations from this project enable businesses to navigate the international legal environment and develop their policy and procedures to enable timely, effective and legal sharing of cyber-threat information. The project is the first of its kind in the world. It is unique in both focus and scope. Unlike the cyber-threat information sharing reviews and initiatives being developed at country and regional levels, the focus of this project and this article is on business-to-business sharing. The scope of this project in terms of the 34 jurisdictions reviewed as to their data protection requirements is more comprehensive than any similar study to date.This article focuses on the sharing of IP addresses as cyber threat intelligence in the context of the new European Union (EU) data protection initiatives agreed in December 2015 and formally adopted by the European Council and Parliament in April 2016. The new EU General Data Protection Regulation (GDPR) applies to EU member countries, a major focus of the international cyber threat sharing project. The research also reveals that EU data protection requirements, particularly the currently applicable law of the Data Protection Directive 95/46/EC (1995 Directive) (the rules of which the GDPR will replace in practice in 2018), generally form the basis of current data protection requirements in countries outside Europe. It is expected that this influence will continue and that the GDPR will shape the development of data protection internationally.In this article, the authors examine whether static and dynamic IP addresses are “personal data” as defined in the GDPR and its predecessor the 1995 Directive that is currently the model for data protection in many jurisdictions outside Europe. The authors then consider whether sharing of that data by a business without the consent of the data subject, can be justified in the public interest so as to override individual rights under Articles 7 and 8(1) of the Charter of Fundamental Rights of the European Union, which underpin EU data protection. The analysis shows that the sharing of cyber threat intelligence is in the public interest so as to override the rights of a data subject, as long as it is carried out in ways that are strictly necessary in order to achieve security objectives. The article concludes by summarizing the project findings to date, and how they inform international sharing of cyber-threat intelligence within the private sector.     

Camera/video phones in schools: law and practice

The emergence of mobile phones with built-in digital cameras is creating legal and ethical concerns for school systems throughout the world. Users of such phones can instantly email, print or post pictures to other MMS1 1. MMS stands for Multimedia Messaging Services. MMS is frequently used to send photos from camera phones to other MMS phones or email addresses. View all notes phones or websites. Local authorities and schools in Britain, Europe, USA, Canada, Australia and elsewhere have introduced outright bans on their use because of the problems or risks they pose if misused. Risks concerned with pupils surreptitiously photographing other pupils in changing rooms or photographing examination papers are obvious examples. The article examines some worldwide examples of the misuse of camera phones in schools and the issues and problems that emerged. A landmark decision concerning the European Data Privacy Directive (Directive 95/46/EC) in the case of Bodil Lindqvist by the European Court of Justice is explored and the implications for camera phones considered. The article concludes by stating that because of their ubiquity and social potency, it is probably a mistake and an overreaction for education authorities or schools to introduce blanket bans on the possession of camera phones. Rather they need to devise sensible agreements and policies on camera phone usage.     

Privacy,Data Retention and Domination: Digital Rights Ireland Ltd v Minister for Communications

In Digital Rights Ireland Ltd v Minister for Communications, the European Court of Justice found the EU Data Retention Directive, which required the retention of communications data for up to two years, to be incompatible with Articles 7 and 8 of the EU Charter of Fundamental Rights – the rights to privacy and to the protection of personal data. It is argued in this note that the decision ought to be taken as one that is concerned with the exercise of arbitrary power, a concern that is captured by the concept of domination.     

When is personal data not “personal data” – The impact of Durant v. FSA

The Data Protection Act 1998 (the “Act”), which implements the EU Data Protection Directive (95/46/EC), applies to personal data and governs the activities of data controllers and data processors in relation to such data. In Michael John Durant v. Financial Services Authority (2003), the scope of the Act was restricted. In particular, key provisions, including “personal data” and “relevant filing system”, became the subject of narrow judicial interpretation when the Court of Appeal sought to limit the “unjustifiable burden and expense” imposed on data controllers in complying with the Act. Although questioned by commentators and subject to investigation by the European Commission, the significant shift in approach initiated by Durant has been endorsed in two subsequent cases: (1) David Paul Johnson v. The Medical Defence Union (2004) and (2) Terence William Smith v. Lloyds TSB Bank Plc (2005). This article considers the main principles of the Act, how the Information Commissioner, the courts and the European Commission have responded to Durant and what happens next.     

The Data Subject's Right of Access and to be Informed in Finland: An Experimental Study

The EC Data Protection Directive 95/46/EC emphasises the roleof transparency in fair and lawful processing of personal data.This study describes the results from sending forty requestsfor access to data held and information on processing to controllersof personal data in Finland. The results show that there arestill difficulties in gaining access, in verifying the correctnessof information provided and in the procedures controllers employto provide information. These factors are discussed in lightof Finnish and EC regulation, as well as information systems.Proposals are put forward as to how the difficulties might beaddressed.     

Are works communicated through television sets in hotel rooms a 'communication to the public'?

The European Court of Justice makes it clear that, while themere provision of physical facilities does not as such amountto a communication within the meaning of the Copyright Directive(2001/29/EC), the distribution of a signal by means of televisionsets by a hotel to customers staying in its rooms, whatevertechnique is used to transmit the signal, constitutes communicationto the public within the meaning of Article 3(1) of the Directive.     

The Patients’ Rights Directive (2011/24/EU) – Providing (some) rights to EU residents seeking healthcare in other Member States

This article presents the main elements of Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare, commonly known as the Patient’s Rights Directive. It is the latest EU initiative with regard to European Health Care and the Single Market. The main elements of the Directive contain provisions related to the prior authorisation of health care in another Member State, the reimbursement of such health care and the removal of unjustified obstacles to achieving these aims.These provisions largely reflect the recent case law of the European Court of the Justice (ECJ). Amongst these are provisions involving the use of personal data. Such provisions will engage data protection issues and will have to be carried out according to the data protection directives. Alongside this primary aim of codifying ECJ case law the Patient’s Rights Directive also introduces novel initiatives aimed at fostering cross border cooperation between various elements of national healthcare systems.Part 1 of this contribution will describe the legal basis and the aims of the PRD, Part 2 will describe the principle obligations placed on the Member States with regard to reimbursement, Parts 3 and 4 will describe other informational and procedural requirements placed upon the Member States of Treatment and Affiliation. Finally Part 5 will outline some of the novel initiatives that have been included in the PRD.The increases in the frequency of cross border-treatment that this directive attempts to facilitate are likely to see a concurrent increase in cross-border patient information flows. Such data flows will be subject to the Union’s provisions on Data Protection. It remains uncertain whether the EU’s Data Protection regime will act as inhibitor to cross-border medical treatment or rather represent a gold standard that allows patients to engage in such activities with peace of mind. The Patient’s Rights Directive will form part of the EU’s future e-Health strategy which envisages a large increase in the fluidity of patient data. A discussion of this directive is therefore merited in this journal.     

Telecommunications terminal equipment: EEC commission opens the market

The 12 Member States of the European Economic Community (EEC) are legally obliged by the Treaty of Rome, as amended by the Single European Act, to abolish all of the remaining physical, technical and fiscal barriers between them by 31 December 1992. The Single European Act, which sets the 1992 deadline, defines the envisaged internal market as “an area without internal frontiers”.The creation of a common European market for telecommunications services and equipment is both an essential prerequisite and an important part of the “internal market”.In its Green Paper on the Development of the Common Market for Telecommunications Services and Equipment — “the Green Paper”¹⁾) — and a follow-up Communication²⁾, the Commission of the European Communities (“the Commission”) has set forth its main policy proposals in the telecommunications field. Implementation of these policy proposals by means of Community law directives is progressing rapidly, in particular with respect to terminal equipment. On 16 May 1988, the Commission issued a“Commission Directive on Competition in the Markets in Telecommunications Terminal Equipment” — “Terminal Equipment Directive” —³⁾ based on its regulatory powers under Art. 90(3) of the Treaty of Rome (“EEC Treaty”).This article explores the regulatory scope of the Terminal Equipment Directive which has recently been challenged by the French government before the European Court of Justice.     

Legal grounds to process personal data under Spanish legislation after the ECJ Judgment of 24 November 2011 (the ASNEF and FECEMD case)

Spanish law on personal data protection regulates (among other issues) the legal bases that permit the processing of data in a way that is similar to that set out in Directive 95/46/EC. Consent constitutes the general rule although data may be processed without it if necessary for administration functions, within the framework of a contractual relationship, in order to safeguard the vital interests of the data subject or if they are included in sources accessible to the public. However, unlike the Directive, legitimate interest is not recognised as an independent reason for processing data, whereas a legal ground that is not set out in community law is included, i.e., sources accessible to the public. This paper analyses these two cases, taking as its starting point consent, along with the consequences that the ECJ Judgment of 24 November 2011 regarding the interpretation of Article 7 of Directive 95/46/EC may have and giving attention to the revision of this Directive itself.     

Cursing the Cloud (or) Controlling the Cloud?

Inspired by the cloud computing hypes, this paper responds to some of the hypes, but not to all. The hype in this paper refers to the level of the adequacy of data protection and privacy in a cloud computing (the Cloud) environment. Paradoxically, this paper proffers observational insights that surround the Cloud from the perspectives of data protection and privacy. It examines briefly the efforts of January 2010 led by Microsoft and anticipating “liability” scenarios. The liability rhetorically refers to the illegal access in the Cloud. This paper does not focus entirely on the technology sophistication; however, it analyses two scenarios of illegal access. To mitigate the liability, it suggests a “Cloud Compliant Strategy (CCS)” being a proposed model to control the Cloud. The observational insights of this paper have also intertwined with the adequacy of data protection from the lenses of the European Union (EU) Data Protection Directive 95/46/EC (DPD) and Safe Harbor provisions (SH).     

EU General Data Protection Regulation: Changes and implications for personal data collecting companies

The General Data Protection Regulation (GDPR) will come into force in the European Union (EU) in May 2018 to meet current challenges related to personal data protection and to harmonise data protection across the EU. Although the GDPR is anticipated to benefit companies by offering consistency in data protection activities and liabilities across the EU countries and by enabling more integrated EU-wide data protection policies, it poses new challenges to companies. They are not necessarily prepared for the changes and may lack awareness of the upcoming requirements and the GDPR's coercive measures. The implementation of the GDPR requirements demands substantial financial and human resources, as well as training of employees; hence, companies need guidance to support them in this transition. The purposes of this study were to compare the current Data Protection Directive 95/46/EC with the GDPR by systematically analysing their differences and to identify the GDPR's practical implications, specifically for companies that provide services based on personal data. This study aimed to identify and discuss the changes introduced by the GDPR that would have the most practical relevance to these companies and possibly affect their data management and usage practices. Therefore, a review and a thematic analysis and synthesis of the article-level changes were carried out. Through the analysis, the key practical implications of the changes were identified and classified. As a synthesis of the results, a framework was developed, presenting 12 aspects of these implications and the corresponding guidance on how to prepare for the new requirements. These aspects cover business strategies and practices, as well as organisational and technical measures.     

Trade mark use in transit: EU-phony or cacophony?

Legal context The present article discusses the opinion of Advocate-GeneralJacobs in Case C-405/05 Class International BV v Unilever NVand others, according to which trade mark owners cannot opposethe entry into the European Union of grey market non-Communitygoods placed in external transit, on the grounds of Article5(1) of the Trade Mark Directive, or any equivalent provision,as such entry does not constitute trade mark use. Key points We examine the consistency of this approach withprior case law of the European Court of Justice, namely in theCommission v France, Rioglass, The Polo/Lauren and Rolex casesand draw a parallelism with Council Regulation (EC) 1383/2003. Practical significance We conclude that trade mark owners shouldbe allowed to prohibit the placing in transit of goods whichwould infringe an intellectual property right under the lawof the transit country, unless the owner or consignor of thelitigious goods can undeniably prove that the goods are notdestined for the internal market. Stop press. At the end of the article the authors provide abrief analysis of the European Court of Justice's decision of18th October 2005 in this case.     

Restriction of Hazardous Substances: On the Need for and the Limits of Comitology

This article demonstrates the need for and the limits of the so-called comitology procedure in the area of European waste legislation, using the example of Directive 2002/95/ EC on the restriction of the use of certain hazardous substances in electrical and electronic equipment (the RoHS Directive). The RoHS Directive prohibits the use of six hazardous substances in certain electrical and electronic equipment. The Annex to the RoHS Directive, which contains the exemptions from this prohibition, can be amended through the comitology procedure. This procedure is a widely used method in European Community law for the delegation of legislative power from the Council and the European Parliament to the executive branch, i.e. the European Commission. The authors conclude that the use of comitology is indispensable for highly technical issues for which the co-legislators are lacking the time, as well as the resources, to carry out the adaptation of the legislative acts. However, the Commission needs to handle comitology with care; otherwise it runs the risk that its decisions lack legitimacy.     

Mandatory implementation for in-vehicle eCall: Privacy compatible?

This article examines whether there are any objections to implementing a mandatory eCall system in the Community and how these could be dealt with. It starts with a short introduction to the motives why the European Commission considers a mandatory in-vehicle eCall. The art. 29 Working Party has issued a working document on eCall identifying several issues regarding personal data protection. The issues in this document will serve as a reference to determine whether there are any objections regarding data protection to implementing a mandatory eCall system. Additionally we will look at a possible eCall implementation in the Community.