
March 2010 Roundup

1) Commissioner Reding outlines key issues for the Data Protection Directive Review

Commissioner Reding reaffirmed in a speech on 18th March that the review of the general Data Protection Directive (95/46/EC) is a priority. Her services are currently analysing the contributions to the public consultation and will present a legislative proposal to review the directive before the end of the year. Commissioner Reding announced that the new legal framework should address “new challenges of the information age, such as globalization, development of information technologies, the internet, online social networking, e-commerce, cloud computing, behavioral advertising, data security breach, etc”. Commissioner Reding is also strongly considering establishing the principle of Privacy by Design in the revised framework.

2) EDPS publishes its opinion on fostering Data Protection and Privacy on the internet

The European Data Protection Supervisor (EDPS) published its opinion on “Promoting Trust in the Information Society by Fostering Data Protection and Privacy”. The EDPS suggests that the European Commission introduce a new, mandatory legal provision, Privacy by Design. This shall serve as the legal basis to mandate restrictions on Online Behavioural Advertising (default browser settings that block third-party cookies) and Social Networking. On self-regulation in the area of RFID, the EDPS states that it is conceivable that self-regulation will not deliver the expected results. The opinion of the EDPS carries special weight, as the EDPS is leading the drafting of the Art. 29 WP opinion on OBA (expected to be published in June) and the Commission is currently reviewing the general Data Protection Directive (95/46/EC).

EDPS Opinion: http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2010/10-03-19_Trust_Information_Society_EN.pdf

3) Digital to play a key role in Europe 2020 Strategy for economic growth

On 3rd March, the European Commission unveiled its proposal for a Europe 2020 Strategy to exit the crisis and prepare the EU economy for the next decade. One of the three key drivers for growth identified is the so-called “smart growth” based on knowledge and innovation, in which the digital sector is cited as playing an essential role. Consequently, the Digital Agenda for Europe will be one of the flagship initiatives that the Commission proposes to meet the targets. The Directorate General for Information Society is currently working on it. It will aim “to deliver sustainable economic and social benefits from a Digital Single Market based on fast and ultra fast internet and interoperable applications” as well as greatly increased internet access for European households. In order to create a true single market for online content and services, the EU will work on content markets, privacy, security, copyright and digitisation. An efficient spectrum policy should also be put into place.

Proposal for a Europe 2020 Strategy: http://ec.europa.eu/europe2020/pdf/complet_en_barroso_-_europe_2020_en.pdf

4) IP address: personal data or not personal data?

On 24th March, the privacy platform met in the European Parliament to discuss the theme “Freedom on the internet”. The three-strikes approach to fighting piracy was particularly debated. It is in this context that concerns were raised about privacy, as IP addresses would be used to identify the household under suspicion of piracy. Mr. Buttarelli from the European Data Protection Supervisor (EDPS) declared that “IP-address should be in all cases without a doubt considered as personal data” and that, as a result, the collection and monitoring of IP addresses should comply with the Data Protection Directive (95/46/EC). He also affirmed that on commercial scales this kind of monitoring should be checked by national Data Protection Authorities and that alternative business models should be tested. After IAB’s intervention arguing that the question of whether an IP address constitutes personal data should be approached with more nuance, Mr. Buttarelli stated that IP addresses would indeed not always be personal data, but that in this context (intellectual property enforcement) they were.

5) Consumer rights directive: maximum harmonization for distance contracts

On 16th March, Commissioner Reding exchanged views on the Consumer Rights Directive with the Internal Market and Consumers Committee of the European Parliament. The discussions focused on the need to differentiate between distance and direct selling, and in particular between online and offline transactions. Commissioner Reding said she was considering the option of more targeted harmonization where it is practical. In particular, she suggested adopting fully harmonized rules on distance contracts. Commissioner Reding pointed out that fully harmonized legislation for the online world would give e-commerce the boost it currently needs, and stated that Member States were willing to move forward in this area, especially as regards rules of delivery, remedies and guarantees and the question of who assumes the risk in online transactions. The rapporteur, MEP Schwab (Germany/EPP), agreed on the possibility of differentiating between distance selling and face-to-face transactions. He aims to put forward a document covering Chapters I (Definitions) and II (Consumer Information) by April and to have most of the report in a reasonable shape by summer.


6) WP 169 – Opinion 1/2010 on the concepts of “controller” and “processor”, by White and Case

Never a group to be accused of having their finger on the pulse of commerce, the Article 29 Working Party has recently issued its Opinion 1/2010 on the concepts of “controller” and “processor” which seeks to clarify the designations of “data processor” and “data controller” under European data protection law. This comes in response to its (somewhat belated) recognition that “there is a growing emphasis on the development of delivery chains or service delivery across organisations and on the use of subcontracting or outsourcing of services in order to benefit from specialisation and possible economies of scale”. As a result, they say, there is a growth in various services, offered by service providers, who do not always consider themselves responsible or accountable. Essentially, the proper designation of the parties involved is one of pragmatic application of fact, despite what the parties may otherwise agree between themselves.

In its opinion, the Working Party recognises the difficulties in applying the definitions of the EU data protection directive (the “Directive”) in a complex environment where a formal interpretation of controller and processor does not easily lend itself to factual application where the parties, alone or jointly, have different degrees of autonomy and responsibility.  As such, a factual rather than formal analysis is recommended when determining where responsibility for data processing activities occurs.

Concept of Controller

Although it may not be easy to distinguish which party is a data controller and which a data processor, the distinction is nevertheless extremely important:  The first and foremost role of the concept of controller, states the opinion, is to allocate responsibility by determining who will be responsible for compliance with data protection rules and how data subjects can exercise their rights in practice.

The concept of controller is also an essential element in determining which national law is applicable to data processing activities since national provisions of Member States are applied to “the processing of personal data, where... carried out in the context of the activities of an establishment of the controller...”.[1]  Therefore, if we know who the controller is, we can determine:

·  Who has responsibility for compliance with data protection rules;

·  Which Member States’ data protection rules apply; and

·  The means by which data subjects can exercise their rights (i.e. who is “controlling” their data).

Determination and rules of thumb

The overriding element that should be considered in the context of controller designation is a party’s capacity to “determine”.  In order to do this, it is helpful to ask, “why is this processing taking place?  Who initiated it?”.  Thus it is an analysis of the factual elements which is paramount to making the correct determination.

This concept of “determination” is key:  Determination of the “purpose” of processing is reserved to the “controller”.  Whoever makes this decision is therefore de facto the controller. The determination of the “means” of processing can be delegated by the controller, as far as technical or organisational questions are concerned.  Substantial questions which are essential to the core of lawfulness of processing are reserved to the controller.  A person or entity who decides, for example, on how long data shall be stored or who shall have access to the data processed is acting as a “controller” concerning this part of the use of data, and therefore has to comply with all obligations imposed on controllers.

Despite the Working Party’s emphasis on looking at the factual rather than formal classification of controller, the opinion recognises that rules of thumb and practical presumptions are needed to guide and simplify the application of data protection law.  The opinion identifies three such situations:

1.      Control stemming from explicit legal competence such as an obligation in law on a company or public authority to retain or provide certain data.

2.      Control stemming from implicit competence where the capacity to determine is not explicitly laid down by law but stems from common legal provisions or established legal practice.  Examples include the employer (as controller) in relation to data on employees; the publisher in relation to data on subscribers and the association in relation to data on members or contributors.

3.      Control stemming from factual influence – essentially an exercise in common sense involving an assessment of the factual circumstances.  For example, a contract may be silent on who is the controller but there may be sufficient elements to assign the responsibility of controller to a party that apparently exercises a dominant role in that respect.

Even if the contrary is agreed between parties to a contract, it is the fact itself that somebody determines how personal data are processed that gives rise to the qualification of data controller.  Other elements of the contract may be useful to determine the controller in case of doubt such as the degree of actual control exercised by a party, the image given to data subjects and reasonable expectations of data subjects on the basis of this visibility.

Joint controllers

The opinion also recognises there may be situations where there is more than one data controller in a single data processing operation. In such a situation, the assessment of joint control should mirror the assessment of “single” control, although the opinion goes to some length in demonstrating that this may not always be straightforward. The overriding aim where there are joint controllers is to eliminate uncertainty as to who has responsibility. Joint and several liability for all parties involved is proposed as a means of achieving this. Moreover, this should be assumed only in so far as an alternative, clear and equally effective allocation of obligations and responsibilities has not been established by the parties or does not clearly stem from factual circumstances.

Concept of Processor

On the other hand, the concept of “processor” plays an important role in the context of confidentiality and security of processing as it serves to identify the responsibilities of those who are more closely involved in the processing of personal data, either under direct authority of the controller or elsewhere on his behalf.

There is also another important consequence of determining who the processor is, both for the processor and the controller: the applicable law for security of processing is the national law of the Member State where the processor is established.[2]

Qualification as a “processor” is determined by two basic conditions:

·  Being a separate legal entity with respect to the controller; and

·  Processing personal data on his behalf.

Other factors may be helpful in making such an assessment such as the level of prior instruction given by the data controller, the monitoring by the data controller of the level of the service, the visibility towards data subjects, the expertise of the parties and the autonomous decision-making power left to the various parties.

Conclusion

In its analysis, the Working Party emphasised the need to allocate responsibility in such a way that compliance with data protection rules will be sufficiently ensured in practice. The opinion goes into some detail on how this may be done, with particular emphasis on looking at the factual scenario as opposed to formally designating roles. However, the Working Party did not find any reason to think that the current distinction between controllers and processors is no longer relevant and workable.


[1] Article 4(1)(a) of Directive 95/46/EC

[2] Article 17 of Directive 95/46/EC