Privacy and Electronic Communications - PowerPoint PPT Presentation

1
Privacy and Electronic Communications
  • Corporate Counsel Symposium, Antwerp
  • Tanguy Van Overstraeten
  • 5 March 2009

2
  • Introduction
  • Technological developments
  • e-Privacy Directive 2002/58/EC
  • Selected issues
    • e-Monitoring
    • Spyware and cookies
    • Unsolicited communications
    • IP addresses
    • RFID
    • Security
  • The road ahead

3
Privacy - Old threats and new attacks
  • Main e-privacy threats
    • Identity disclosure
    • User profile disclosure
    • Linking data traffic with identity
    • Location disclosure
    • Other data disclosure
  • Explosion of new technologies and products
    having privacy implications
    • RFID
    • Social networks and profiling

4
Examples of new services

5
Examples of new services

6
Examples of new services

7
Legal context (1)
  • General Privacy Directive (95/46/EC)
    • Main data protection principles
  • Specific e-Privacy Directive (2002/58/EC)
    • Currently under review:
    • Initial proposal from the EU Commission
      (13/11/07)
    • 1st reading by EU Parliament (24/09/08)
    • Revised proposal from the EU Commission
      (6/11/08)
    • Political agreement from the Council (20/11/08)
    • Common Position from the Council (9/02/09)
    • 2nd reading and vote by EU Parliament expected
      end April 2009

8
Legal context (2)
  • WP 29's review
    • Opinion 8/2006 of 26/09/06
    • Opinion 2/2008 of 15/05/08
    • Opinion 1/2009 of 10/02/09
  • EDPS review
    • Opinion of 10/04/08
    • Opinion of 9/01/09

9
Selected e-privacy issues

10
e-Monitoring (Art. 5)
  • Principle
    • Prohibition of listening, tapping, storing or
      otherwise intercepting electronic
      communications (voice telephony, emails, etc.) by
      persons other than the users
  • Exceptions
    • Consent of all users concerned
    • Legal authorisation (e.g. criminal
      investigations)
    • Evidence of a commercial transaction or of any
      other business communication (e.g. call centres)

11
Spyware and cookies (Rec. 24-25, Art. 5.3)
  • No use of cookies or spyware unless
    • Clear and comprehensive information is provided
      as to such use
    • Right to refuse (opt-out)
  • Exceptions
    • Technical storage and access for the sole purpose
      of facilitating transmission of a communication
      (browsing experience)
    • If strictly necessary in order to provide an
      information society service at the
      subscriber's/user's request
  • Review of e-Privacy Directive
    • End-users should be informed of available
      precautions and be encouraged to protect their
      terminal equipment against viruses and spyware

12
Unsolicited communications (Art. 13)
  • Direct marketing (automated calling system, fax
    or email)
    • Prior consent required (opt-in)
    • Exception: existing customers, similar products
      and services
    • Identity of sender not to be concealed; opt-out
      to be provided
  • Opt-out or opt-in for use of telephone depending
    on Member State
  • Review of e-Privacy Directive
    • Individuals and legal entities to be granted legal
      action against spammers (civil proceedings)

13
IP addresses
  • Personal data?
    • Yes, unless the service provider is in a position
      to distinguish with absolute certainty that the
      data correspond to users that cannot be identified
      (WP 29 Opinions 4/2007 of 20/06/07 and 1/2009
      of 10/02/09)
    • Yes, but only if the data can be related to an
      individual, alone or in conjunction with other
      data (LIBE Opinion 2007/0248(COD) of 14/04/08)
  • Google case and IP version 6 (IPv6)
  • Review of e-Privacy Directive
    • IP addresses are essential to the working of the
      Internet
    • To be followed closely (with consultation of WP
      29 and EDPS)

14
RFID (1)
  • Technology combining a tag to store data and a
    reader to collect them via radio waves (via an
    antenna)
  • Can be embedded in any product (for storage,
    transport, retail, etc.)
  • Issues
    • Privacy impact assessment
    • Need to inform data subjects
    • User control (possibility to disable the device)
    • Security measures (privacy by design)

15
RFID (2)
  • Various initiatives at EU level
    • WP 29 opinion No. 105 (19/01/05)
    • EU Commission Communication "RFID in Europe:
      steps towards a policy framework" (15/03/07)
    • EU Commission Recommendation (still under review
      by the legal team of the EU Commission)
    • Review of e-Privacy Directive (public network
      limitation)
    • Standardisation mandate to CEN, CENELEC and ETSI
      (8/12/08)
  • International initiative
    • OECD Policy Guidance on Radio Frequency
      Identification

16
Security (Rec. 20, Art. 4)
  • Principles
    • Technical and organisational measures to be
      adopted
    • In case of a risk of security breach, service
      providers must inform subscribers of the risk,
      including the potential related costs
  • Review of e-Privacy Directive
    • Personal data only accessible by authorised
      personnel
    • Security policy
    • Regular monitoring

17
Security breach notification (1)
  • New in e-Privacy Directive
  • Definition of personal data breach
  • Who should notify?
    • EU Commission and Council: providers of publicly
      available electronic communications
    • EU Parliament: based on the EDPS and WP 29's
      opinions, proposal to extend to ISSPs (e.g.
      online businesses, online banks) and private
      networks
  • To whom?
    • EU Parliament: first the NRA (and, as the case
      may be, subscribers)
    • EU Commission and Council: NRA and subscribers

18
Security breach notification (2)
  • When?
    • Without undue delay, with diverging positions re.
      criteria for notification
    • EU Commission: when there is a reasonable risk of
      harming subscribers and no appropriate
      technological measures are in place (assessment
      by NRA)
    • EU Parliament: when likely to adversely affect
      subscribers' privacy (initial assessment by
      provider, possibly followed by NRA's assessment);
      providers to keep records of security breaches
    • EU Council: only when there is a serious risk for
      subscribers' privacy (providers' own assessment)

19
The road ahead
  • Privacy enhancing technologies / Privacy by
    design
    • E.g. automatic anonymisation of data,
      cookie-cutters, encryption tools, anonymous web
      browsers
    • EU Commission Communication on promoting DP by
      PETs (COM(2007)228) of 2/05/07
    • Integration of privacy requirements as early as
      possible in the product development lifecycle
  • Commission staff working document on early
    challenges re. the Internet of Things
    (COM/2008)
  • Privacy standards? Self-regulation?
    • Safer Social Networking Principles for the EU

20
Conclusion
  • Questions to be raised when developing new
    e-products/services
    • Do we need to collect any personal data at all?
    • Can we work with anonymised data?
    • If personal data are collected, what is the
      minimum needed?
    • Who needs to access personal data?
    • How can we limit and control access?
    • How can individuals exercise their rights
      securely?
  • DP compliance could serve as a competitive
    advantage

21
Questions?
Tanguy Van Overstraeten, Partner, Head of
Technology, Media and Telecommunications,
Belgium, Global Head of Privacy
tvanover_at_linklaters.com, 32 2 501 9405