International E-news - January 2011
- Online Behavioural Advertising: Compliance seal to be introduced
- France: Companies to be publicly named and shamed
- Binding Global Codes suggested as a solution to data transfers outside the European Economic Area
- Spain: Google to go to court over Internet content
- Consultation on DP Directive closes this Saturday
- Data Retention Directive: shorter retention periods on the cards
- Poland amends its DP Act
Industry is putting forward proposals on how to implement the new requirements for online behavioural advertising (OBA). The self-regulatory approach now under discussion with the European Commission was developed by publishers, advertisers, agencies, and online advertising and media companies through the European Advertising Standards Alliance (EASA). The proposal incorporates and complements the principles in the Online Behavioural Advertising Framework of the Interactive Advertising Bureau (IAB) Europe. It will introduce a “visible enhanced notice” for use on OBA advertisements, and compliance seals.
EASA invites comments by 25 February.
The EU Commission has asked that organisations with plans to improve education on, and awareness of, OBA send suggestions to firstname.lastname@example.org by the end of February, with a view to it raising the issues with national administrations and the EU Article 29 Data Protection Working Party. The EU Commission says that it may be possible for individuals to consent to cookies through browser settings.
Read more about this topic in the next issue of PL&B International, to be published in the second half of February.
France’s National Assembly is proposing changes to the Data Protection Act that would authorise the DP Authority, the CNIL, to publish its enforcement actions. A Bill was preliminarily adopted by France’s National Assembly on 13 January, reports law firm, Hunton & Williams. The CNIL would notify the organisations beforehand.
The Bill proposes that the CNIL should obtain a court order to conduct an on-site inspection if the organisation in question objects to the inspection. In certain circumstances, an unannounced inspection may be carried out.
Changes are also proposed to the role and powers of the President of the CNIL.
To learn more about these proposed amendments, and other changes that affect companies’ data protection law compliance in France, register now to attend PL&B’s Privacy Officers’ Roundtable in Paris 5-6 April 2011. The programme includes an in-depth briefing by leading privacy lawyers and a separate meeting with representatives of the CNIL.
3. Binding Global Codes suggested as a solution to data transfers outside the European Economic Area
The Centre for Information Policy Leadership has made concrete proposals on how to review the rules on transborder data flows. The group, which includes the former UK Information Commissioner, Richard Thomas, proposes replacing Binding Corporate Rules with a more flexible system, namely a Binding Global Code. The legally binding Code would be drawn up by companies themselves and, rather than going through the time-consuming approval process with a DPA, companies could self-certify or use a third-party accountability agent. The DPAs would be able to investigate and impose meaningful sanctions if companies fail to meet the requirements of their own code.
The group proposes that the European Commission looks into this option in its current revision of the EU DP Directive.
Read more about this topic in the next issue of PL&B’s International Newsletter.
Following an order by Spain’s DP Authority to remove almost 100 online articles from its search listings, Google has decided to take the matter to the courts. According to The Guardian, the case will be heard this week, and Google will challenge the order to remove links that the subjects have complained breach their privacy.
Google has said that the request has a "profound, chilling effect" on freedom of expression. Google says it acts only as an intermediary, and therefore it cannot be held responsible for all content on the internet. Google found itself in a similar position last year in Italy, where it was held accountable for sensitive content.
Spain is also debating "the right to be forgotten" – a concept introduced in France and on the cards to be included in the revision of the EU Data Protection Directive.
The EU’s consultation on how to review the current Data Protection Directive runs until 15 January 2011. The Commission plans to propose legislation later this year. Organisations are invited to comment on a wide range of issues including proposals to introduce mandatory internal data protection officers, an obligation to carry out privacy impact assessments and a mandatory personal data breach notification.
The European Commission is to publish its evaluation report on the EU Data Retention Directive early this year, and will propose amendments to the Directive in due course.
EU’s Home Affairs Commissioner Cecilia Malmström said in December last year that she will consider the following:
1. The purpose of data retention, including the types of crime that the Directive covers
2. More harmonised, and possibly shorter, retention periods
3. Who may access the data and according to which procedures? Should there be a central contact point in each Member State? Should judicial authorisation be compulsory? What about cases of urgent need for access?
She said that she was not in favour of widening the scope of the Directive, but would look into possible compensation by the State for the costs incurred.
Currently, the Directive obliges Member States to ensure that data is retained for a minimum of 6 months and a maximum of 24 months. The Commission is now considering whether there should be different retention periods for mobile telephony, fixed telephony, and Internet data (including email).
Commissioner Malmström said that the Commission’s evaluation shows that data retention is useful for law enforcement. Evidence from Member States shows that many criminal investigations would not have been successful, had it not been for data retention.
Twenty Member States have now implemented the Directive and others are expected to do so soon. However, implementation varies across Member States on, for example: how long data is retained for, the purposes for which data can be accessed, and the procedures which govern access to the data. For example, six EU Member States retain data for just six months, and others have a retention period of 2 years.
Although serious privacy concerns have been raised by many stakeholders, the Commissioner says that there is no evidence of any cases where law enforcement agencies would have violated privacy.
The DP Act in Poland has been amended to give the Data Protection Authority a fining power up to PLN 10,000 (€2,500) on a natural person and up to PLN 50,000 (€12,500) on a legal person. The amendments will enter into force in February.
More information about this and other amendments to the Polish DP Act, as well as changes to Russian DP law can be found in the next issue of PL&B International, to be published at the end of February.
Wojciech Wiewiórowski, Poland’s General Inspector (Commissioner) will speak at PL&B’s 24th Annual International Conference in Cambridge UK, 11-13 July 2011.
Copyright Privacy Laws & Business 2011