BEHAVIOURAL ADVERTISING: EU DEMANDS OPT IN: HOW TO COMPLY
Webinar: Thursday 15th July 2010 at 4pm BST / 11am ET / 8am PT / 5pm CEST
Behavioural advertising, which drives more than 23 billion dollars in revenue on the Web, must change its approach to collecting data on web users and must stop delivering advertising to children, according to a 22 June report from European data privacy regulators.
"Technology companies and web advertisers will have to take this seriously", said Lindsey Greig, Managing Editor of DataGuidance, the global data privacy compliance database. "Regulators and politicians in Europe and internationally are picking up on growing public concern about online data privacy".
Leading data transfer expert Eduardo Ustaran, Partner at Field Fisher Waterhouse, DataGuidance Expert Panelist and Editor of Data Protection Law & Policy, will examine how companies need to respond to the Article 29 Working Party's latest policy statement on Behavioural Advertising.
Key topics addressed include:
- What does the Article 29 Working Party actually require?
- What counts as informed consent?
- What changes need to be made in the data collection process?
- What are the opportunities to engage in dialogue with the Committee?
EU: Art. 29 WP: 'opt-out is not sufficient' to comply with 'lethal' cookie consent clause
The Article 29 Data Protection Working Party (Art. 29 WP) stated in a 22 June 2010 Opinion on online behavioural advertising that 'opt-out is not sufficient' to comply with article 5(3) of the revised e-Privacy Directive (2002/58/EC).
"The Art. 29 WP's interpretation of article 5(3) is clear cut", Eduardo Ustaran, Head of the Privacy and Information Law Group at Field Fisher Waterhouse LLP, told DataGuidance. "Prior informed consent is required before a cookie is placed and/or information stored in the user's terminal equipment is collected. Ultimately, ad network providers should swiftly move away from opt-out mechanisms and create opt-in mechanisms."
Under article 5(3) of the ePrivacy Directive - as amended by the Council of the EU in October 2009 - 'the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his/her consent'. Industry representatives defined the new provision as 'potentially lethal' for online business.
"In practice, today's commercial websites rely on cookie technology as a matter of routine to distinguish between computers", said Ustaran. "Cookies are vital to internet traffic and fundamental to the online advertising industry which funds much of the content we see on the web. If the obligation under the new article 5(3) were to be interpreted as an absolute opt-in-type consent obligation, it would simply collapse the normal downloading process of every major website on the internet."
The 22 June Opinion also recommends a total ban on behavioural advertising directed at children.
'While the [Art. 29 WP] does not question the economic benefits that behavioural advertising may bring for stakeholders', reads the Executive Summary to the Opinion, 'it firmly believes that such practice must not be carried out at the expense of individuals' rights to privacy and data protection. The EU data protection regulatory framework...must be respected.'
According to the Opinion, 'data subjects cannot be deemed to have consented simply because they acquired/used a web browser...which by default enables the collection and processing of their information...In general users lack the basic understanding of the collection of any data...As a result, in practice very few people exercise the opt-out option, not because they have made an informed decision to accept behavioural advertising, but rather because they do not realise that by not using the opt out, they are in fact accepting'.
The Art. 29 WP's Opinion clarified that Recital 66 of the e-Privacy Directive - which indicates that a user's consent may be expressed through the appropriate setting of a web browser when technically possible and effective - 'is not an exception to article 5(3) but rather a reminder that, in this technological environment, consent can be given in different ways'.
The European privacy watchdog however said it is 'conscious of the current practical problems related to obtaining consent, particularly if consent is necessary every time a cookie is read for the purpose of delivering targeted advertising. To avoid this problem...users' acceptance of cookies could be understood to be valid not only for the sending of the cookie, but also for subsequent collection of data arising from such a cookie. In other words, the consent obtained to place the cookie and use the information to send targeted advertising would cover subsequent "readings" of the cookie that take place every time the user visits a website partner of the ad network provider which initially placed the cookie'.
Fri, 25 June 2010 12:16:11 GMT
PRESS RELEASE: ARTICLE 29 DATA PROTECTION WORKING PARTY Brussels, 24 June 2010
Opt-out is not sufficient
European Data Protection Authorities clarify EU rules on online behavioural advertising
Behavioural advertising is defined as the continuous tracking of individuals across multiple websites. Commonly, tracking cookies are being used to collect information about individual surfing behaviour and to send users targeted advertisements.
Monitoring of individuals while they surf the Internet can give third parties a very detailed picture of a person’s online life. The Opinion states that although online behavioural advertising may bring advantages to online business and users alike, its implications for personal data protection and privacy are significant. In particular, the Opinion stresses that online behavioural advertising providers, when they use cookies, are bound by the new EU rules on electronic privacy. The revised ePrivacy Directive introduces the obligation for informed consent of users before tracking devices such as cookies are installed on users’ computers.
Addressing online behavioural advertising networks and browser vendors, the European Data Protection Authorities call for simple and effective mechanisms for users to affirmatively give their consent for online behavioural advertising. Equally simple and effective mechanisms should be established for users to withdraw their consent. Currently, three out of the four most widely used browsers have as default setting to accept all cookies. Not changing a default setting cannot be considered, in most cases, as meaningful consent. Advertising networks and publishers should provide information about the purposes of tracking in a clear and understandable manner to enable users to make informed choices about whether they want their browsing behaviour to be monitored.
Taking into account the vulnerability of children, the Opinion takes the view that online behavioural advertising networks should not serve behavioural advertising to children.
Background information
The European Data Protection Authorities (the Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data) is an independent advisory body on data protection and privacy, set up under Article 29 of the Data Protection Directive 95/46/EC. It is composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor and the European Commission. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC. The Article 29 Working Party is competent to examine any question covering the application of the data protection directives in order to contribute to the uniform application of the directives. It carries out this task by issuing recommendations, opinions and working documents. http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm
Fri, 3 June 2010 10:41:11 GMT
Ireland: All breaches involving more than 100 individuals 'must be reported'
The Irish Data Protection Commissioner published a Draft Data Security Breach Code of Practice, on 31 May 2010, requiring data controllers to notify his Office of 'all incidents of loss or control of personal data' affecting more than 100 individuals within two working days of becoming aware of the breach.
The draft code of practice - which will be subject to public consultation until 18 June 2010 - follows a consultation paper on data breach notification issued in 2009 by the Data Protection Review Group - a reform group appointed by the Irish Ministry for Justice, Equality and Law Reform.
'The reporting obligations of data controllers in relation to data breaches should be set out in a statutory Code of Practice', read the Data Protection Review Group's consultation paper.
Under the Data Protection Commissioner's draft code of practice, all breaches involving more than 100 data subjects 'must be reported to the Office of the Data Protection Commissioner...within two working days of becoming aware of the incident', unless the data leaked can be considered to be 'inaccessible in practice' due to strong security measures such as encryption or remote memory wipe features.
'The Office of the Data Protection Commissioner will investigate the issues surrounding the data breach', reads the draft code. 'Investigations...could lead to...a recommendation or requirement to inform data subjects.'
Breaches affecting less than 100 individuals which do not involve sensitive personal data or financial data that could be used for identity theft purposes must not be notified 'where the full extent and consequences of the incident has been reported without delay directly to the affected data subject(s)'.
"Once the consultation process is concluded we'll review the submissions and adjust the code if it's necessary or constructive to do so once we've taken all the comments on board", a spokesperson for the Data Protection Commissioner told DataGuidance. "At that point it is for the Minister for Justice and Law Reform to decide to lay the code before each House of the Oireachtas (the National Parliament). If each House passes a resolution approving the code, it will have the force of law."
EU: EU report highlights lack of independence of data protection authorities
The EU Agency for Fundamental Rights published a report, on 7 May 2010, revealing that European Data Protection Authorities (DPAs) are not sufficiently independent, with many 'data protection officers...directly appointed by the Government with no involvement of the opposition in Parliament'. The report specifically calls for a more comprehensive definition of 'independence' in the Data Protection Directive (95/46/EC), which already states that DPAs have to act with complete independence in exercising their functions.
'At the functional level, understaffing and a lack of adequate financial resources among several Data Protection Authorities constitutes a major problem', reads the report. 'At the operative level, a major problem is represented by the limited powers of several Data Protection Authorities. In certain Member States, they are not endowed with full powers to investigate, intervene in processing operations, offer legal advice and engage in legal proceedings'. The Article 29 Working Party raised similar issues in its Work Programme 2010/2011, pledging to develop and improve the methodology for investigations, as well as to harmonise the powers of DPAs.
"The report is an analysis of [the DPAs'] crucial role with respect to the fundamental right of data protection, and encompasses an assessment of their effectiveness, functioning and independence", said Morten Kjaerum, Director of the EU Agency for Fundamental Rights. "This report is timely because data protection has acquired the status of a separate fundamental right in the EU, in the text of the Charter of Fundamental Rights (Article 8), and is now related to, but distinct from, the right to respect for private and family life."
The independence of DPAs was also the subject of a European Court of Justice (ECJ) ruling on 9 March 2010. The ECJ stated that DPAs must 'enjoy an independence allowing them to perform their duties free from external influence'. Germany was ruled to have narrowly interpreted Directive 95/46/EC by allowing its regional DPAs to be scrutinised by the government. Germany argued that state scrutiny did not constitute an external influence, but rather an 'internal monitoring mechanism'.
USA: FTC delays enforcement of Red Flags Rule to 31 December 2010
The Federal Trade Commission (FTC) delayed enforcement of the Red Flags Rule to 31 December 2010, while Congress considers legislation that would affect the scope of entities which are covered by the Rule.
'Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule - and to fix this problem quickly', read an FTC statement of 28 May 2010. 'We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift.' The original deadline for the FTC to start enforcing the Rule was set at 1 June 2010.
The American Medical Association (AMA) welcomed the delay, stating that 'for two years, the AMA has made the case that physicians are not creditors like banks and lenders, and the misguided Red Flags Rule should not apply to them'. On 21 May 2010, the AMA, the Osteopathic Society and the Medical Society of the District of Columbia filed a lawsuit against the FTC requesting that they be exempted from complying with the Rule. According to the lawsuit, the Rule requires them to set up identity theft prevention and detection programs which 'aren't necessary', and the FTC was 'arbitrary and capricious' in extending the application of the law to them.
The AMA lawsuit also makes reference to a 2009 Order of the District Court of the District of Columbia, which states that the Rule does not apply to attorneys and that the FTC exceeded its statutory authority in interpreting that law practices are 'covered entities' under the Rule. "If lawyers are exempted, why are other professionals such as those in healthcare included?" said Robert Mills, an AMA spokesperson.
The Red Flags Rule requires all financial institutions and creditors having 'consumer-type' accounts to create and implement identity theft prevention programs.
Fri, 27 May 2010 08:56:14 GMT
Canada: Federal breach notification bill tabled in Parliament
Canadian Industry Minister, Tony Clement, tabled in Parliament on 25 May 2010 new legislation which would introduce a federal data breach notification requirement for businesses. Banks, retailers and 'other companies' would be required to notify the Privacy Commissioner if they experience a 'material data breach', reads a statement from . If the breach poses a significant risk of harm, such as identity theft, they would also have to notify affected customers.
The bill - which would amend the Personal Information Protection and Electronic Documents Act (PIPEDA) - would 'complement the government's recently enacted identity theft legislation and encourage better information security practices on the part of organisations', read a statement from Industry Canada.
Other amendments brought by the proposed legislation are intended to protect the privacy of minors and other vulnerable individuals online, clarify and streamline rules for businesses, and support effective investigations by law enforcement and security agencies. "[W]e are working toward a safer and more secure online environment for both consumers and businesses - essential in positioning Canada as a leader in the digital economy", said Minister Clement in a statement.
UK: OFT report on behavioural advertising promotes industry self-regulation
The Office of Fair Trading (OFT) said 'it is proportionate to focus on improving and supporting self-regulation' in its report on behavioural advertising, published on 25 May 2010. The report however warns that 'should industry action prove ineffective, the OFT and the Information Commissioner's Office (ICO) are strengthening the effectiveness of regulation by seeking to agree a memorandum of understanding to establish in which circumstances the ICO or the OFT would take enforcement action'.
Focusing on the Internet Advertising Bureau (IAB)'s Good Practice Principles on behavioural advertising, the report states that self-regulation has 'benefits for consumer protection and adds real value to the functioning of efficient markets'. The OFT, however, recommends improvements in the area of transparency, and requests the IAB to 'provide clearer guidelines around sensitive information and the use of that data for behavioural advertising'. It also recommends that the IAB consider whether its Good Practice Principles should include a commitment to the maximum length of data storage. The IAB is the trade association for online advertising.
"The OFT report suggests that, by and large, most consumers are either in favour of or unconcerned by online targeted advertising", Phil Lee, Associate with Osborne Clarke, told DataGuidance. "This mirrors the findings of a global Online Behavioural Advertising Report recently published by Osborne Clarke. However, while the OFT supports the IAB's welcome efforts to educate consumers and promote effective self-regulation, it has said that more needs to be done to enhance consumer transparency and to hold non-compliant advertisers to account. In effect, it has drawn a line in the sand and warned that advertisers who cross this line can expect to feel the OFT's enforcement wrath."
The Article 29 Working Party is expected to issue an Opinion on behavioural advertising in early June. The Opinion would analyse opt-in in the context of online behavioural advertising, and the means and ways in which this could be delivered.
EU - Viviane Reding, the EU Commissioner for Justice, Fundamental Rights and Citizenship, said she wants to achieve "an ambitious agreement" with the US, after the European Commission adopted a draft negotiating mandate on 26 May 2010. The draft - which must be approved by the Council of the EU before any negotiations begin - would 'give the Commission the power to negotiate a new data protection agreement for personal data transferred to and processed by enforcement authorities in the EU and the US', read a statement from the European Commission. The proposal would also 'commit the Commission to keeping the European Parliament fully informed at all stages of the negotiations'. In a resolution adopted on 6 May, Members of the European Parliament (MEPs) said that bulk transfers of data to the US 'infringe EU legislation'. MEPs also claimed that the rights guaranteed to US citizens under the US Privacy Act 1974 should be extended to EU citizens whose data is transferred to the US enforcement authorities. The US Privacy Act 1974 allows US citizens to access and amend information relating to them collected by the US Government. Citizens can also sue the government over violations of the Act. 'The rights guaranteed under the...Act can be invoked only by citizens and permanent residents of the United States', read a statement from the European Parliament. The 26 May draft mandate put forward by the Commission would ensure 'an individual right of administrative and judicial redress regardless of nationality or place of residence'.
FINLAND - Doctors are expected to start using a national e-prescription system this spring. Under the new system, doctors will issue and sign prescriptions electronically to patients, and store their records in a centralised system. A database which will archive the health records of all Finnish citizens is also expected to be launched in 2012. This database will allow medical professionals to access patients' data anywhere in Finland. Patients must consent to having their details stored on the database, and will be able to decide which information to disclose and to which organisations. They will also be able to view their health records through the eAccess Portal, as well as monitor which organisations are accessing and processing their data.
UK - The Information Commissioner's Office (ICO) has approved a new Binding Corporate Rule (BCR) application, submitted by IMS Health, under the mutual recognition procedure. The ICO also recently approved the BCR applications of JP Morgan Chase & Co and BP. The total number of authorisations made so far by the UK regulator is seven, with some 20 more applications still under consideration.
GERMANY - The German Government is currently working on new regulations clarifying the conditions under which employee monitoring is allowed. The regulations will address the recruitment and selection process, the use of biometric data in the workplace, video surveillance, and the validity of consent. The new provisions - intended to consolidate the existing case law into one single piece of legislation - follow the recent introduction into the German Data Protection Act of a new Section 32, which specifically regulates the protection of employee data.
NETHERLANDS - A bill on the use of electronic health records is currently under discussion in the Upper House of the Dutch Parliament, after the House struck out a bill which would have deployed the nationwide use of smart meters for gas and electricity in 2009 due to privacy concerns.
For more information and other news on DataGuidance please contact Claire Singleton at
DID YOU KNOW THAT..?
Google Analytics is now offering website owners the option of allowing visitors to their sites to anonymise IP address information sent to Google. Google Analytics uses the IP addresses of website visitors to provide general geographic reporting to websites. 'Website owners can now choose to have Analytics store and use only a portion of this IP address...keeping in mind that this may reduce the accuracy of geographic data', read a Google statement. Website visitors are now also given the opportunity to opt out of Google Analytics. 'The opt-out provides users with a choice of whether information about website visits is collected by Google Analytics', continued the statement. '[It] stops data being sent from your computer when you visit websites that use Google Analytics to track usage.'
EVENTS:
DATA PROTECTION ON THE FINANCIAL SERVICES SECTOR 18 November 2010 | London | Sidley Austin LLP
This unique, incisive event will focus on data protection issues specific to the financial services sector. Data Protection in the Financial Services (DPFS) brings together industry pioneers to share the knowledge gained through their hard-won experience, as well as regulators and lawyers, to ensure your organisation is compliant with current regulatory requirements and prepared for future developments.
Topics to be discussed include:
- Current and Future DP Challenges for the Financial Services Sector
- Outsourcing: Managing the Data Protection Risks and Challenges
- Information Security: Data Breaches & Security
- Data Security and Data Breach Notification Requirements
- Regulator's Perspective on Challenges for the Industry
- ICO Enforcement: Current and Future Plans
- Data Protection and the FSA
For more information please contact Karl Behrouz on +44 (0)20 7012 1384 or at karl.behrouz@e-comlaw.com.
DATA TRANSFER & DATA BREACH NOTIFICATION BRIEFING 20 September 2010 | London | Field Fisher Waterhouse LLP
DataGuidance is organising a special two-part seminar, providing expert advice on these essential areas of data privacy. The seminars may be booked either individually or as a full day conference.
Morning: International Data Transfers
Led by Eduardo Ustaran, Partner, Field Fisher Waterhouse LLP Expert Industry Speakers tbc
Interactive Presentations and Informed Discussion on:
- Binding Corporate Rules
- Model Contracts
- Safe Harbor: Transfers to the USA
- Current EU Policy
Afternoon: Data Breach Notification
Led by Stewart Room, Partner, Field Fisher Waterhouse LLP Expert Industry Speakers tbc
Interactive Presentations and Informed Discussion on:
- Recent Developments in Breach Notification
- Pros and Cons of Notification
- Developing a Data Breach Program
- Accountability
- Auditing & Data Security
- ICO Expectations in Data Breach Response
For more information please contact Karl Behrouz on +44 (0)20 7012 1384 or at karl.behrouz@e-comlaw.com.
Mon, 24 May 2010 17:36:14 GMT
4th ANNUAL DATAGUIDANCE EUROPEAN DATA PROTECTION INTENSIVE SPECIAL
EU: EDPS: not the time to reinvent privacy principles
The European Data Protection Supervisor (EDPS), Peter Hustinx, said in a keynote speech at the DataGuidance Annual Data Protection Intensive today that "this is not the time to reinvent the privacy principles". Hustinx said that the current review of the European data protection legal framework should instead focus on "fine-tuning and implementing" the existing data protection principles. "The emphasis [of the review] should be on data accountability and data governance", said Hustinx.
The European Commission is expected to issue a set of proposals to reform the EU’s data protection legal framework by the end of 2010.
The EDPS said that he "would like to see ‘privacy by default’, as well as ‘privacy by design’, implemented" into the new EU privacy framework. The default settings of RFID systems, online advertising and cloud computing offered to private customers "should be opt-in as opposed to opt-out", he said.
Hustinx also called for the elaboration of data protection rules in specific areas such as e-health and e-transport. "We are living in a society becoming increasingly dependent on pervasive technology", he said. "We are becoming more vulnerable - more effectiveness in data protection is what we need." The EDPS said decisive steps in the right direction can be made by taking advantage of opportunities such as the recent enactment of the Lisbon Treaty, which incorporated the European Charter of Fundamental Rights, therefore making the right to privacy - encapsulated in Art. 8 - binding on EU institutions and Member States. "We are working on the basis of a binding direct right to privacy", said the EDPS.
EU: Member States may go for cookie opt-in
"Some EU Member States are considering implementing the cookie opt-in clause contained in Article 5(3) of the Directive on Privacy and Electronic Communications", said James Mullock, Partner at Osborne Clarke, while speaking at the DataGuidance Annual Data Protection Intensive today. Mullock also announced the release of an Osborne Clarke report which details consumer and regulatory concerns of privacy specialists from 40 countries on online behavioural advertising.
‘[W]hile regulators in several countries (including the UK) have indicated that they do not see the amended language [in the Directive] changing the current opt-out regime for cookies, uncertainty remains as to how this Directive will be transposed into national law’, reads the report. ‘Only time will tell.’ The new cookie consent clause - amended in 2009 - now requires Member States to ensure that the ‘storing of information, or the gaining access to information already stored, in the terminal equipment of a user’ is only allowed on condition that the user gives his or her consent, having been provided with clear and comprehensive information.
The report also reveals that the number of privacy specialists indicating that their local regulators are ‘very concerned’ about behavioural advertising has fallen by 10%, compared with a similar report published in 2009. The report also shows that the level of concern amongst consumers has fallen by 14%. ‘[This] may be indicative of a wider phenomenon: that as consumers and regulators become more exposed to - and better educated about - behavioural advertising technology, they begin to get more comfortable with it’, continues the report. ‘Notwithstanding this...the overall level of regulatory concern remains quite high. Over three-quarters of the survey respondents reported that their [national data protection authority] is either "very concerned" or a "bit concerned"’.
Nick Stringer, Director of Regulatory Affairs at the Interactive Advertising Bureau (IAB), who also took part in the discussion, said: "Advertising plays a significant role in online technology. If we are going to have advertising to pay for content, it might as well be relevant to consumers".
IN BRIEF:
UK - The ICO is no "toothless bulldog", said David Smith, Deputy Information Commissioner at the Information Commissioner’s Office (ICO), speaking at the DataGuidance Annual European Data Protection Intensive. Responding to criticism on the ICO’s lack of enforcement teeth - and despite the ability for the ICO to impose higher enforcement fines since 6 April 2010 - Smith said the "ICO’s primary focus is still encouraging education, awareness and good practice".
EU - The Article 29 Working Party is expected to issue an Opinion on behavioural advertising in early June. The Opinion would analyse opt-in in the context of online behavioural advertising, and the means and ways in which this could be delivered. "We are closer than ever to a common view on opt-in with regards to behavioural advertising", said Eduardo Ustaran, Partner at Field Fisher Waterhouse, speaking at the DataGuidance Annual European Data Protection Intensive. "The impact of such an opinion would be similar to that on the definition of personal data."
Wed, 24 Feb 2010 17:31:31 GMT
Google: Italian sentence 'attacks very principles of freedom' on which the Internet is built
Google has vigorously defended three executives, after Milan Judge, Oscar Mali, handed down six-month suspended prison sentences for breach of the Italian Data Protection Code. Google said in a statement: 'we are deeply troubled. [This conviction] attacks the very principles of freedom on which the Internet is built'.
The Google executives - Global Privacy Counsel Peter Fleischer, Chief Legal Officer David Drummond, and George de Los Reyes, a former Google Italy Board member - were initially charged with criminal defamation, under art. 40 of the Italian Penal Code, as well as with breaching the Italian Data Protection Code, in particular, article 3, on the general obligation for fair and lawful processing of personal data, article 17, on 'processing operations carrying specific risks [to the data subject]', and article 26, on the 'safeguards applying to sensitive data'. The judge found them not guilty of the criminal defamation charges. Arvind Desikan, former head of Google Video Europe, was acquitted
Bridget Treacy, Partner at Hunton & Williams' London office, said the Italian case "risks ridiculing privacy issues, particularly to a non-EU audience. Many already consider our EU privacy laws to be unworkable. To suggest that Internet service providers should vet content or seek prior consent to uploading third party content is simply silly. The Internet would come crashing down. It is perhaps notable here that the Italian data protection authority was not involved in the case".
The Italian data protection authority, Garante per la Protezione dei Dati Personali, declined to comment on the decision before the official publication of the judgment.
'In essence, today's ruling means that employees of hosting platforms like Google Video are criminally responsible for content that users upload', read Google's statement. 'These are important principles, which is why we and our employees will vigorously appeal this decision.'
The case goes back to November 2006, when Italian association Vivi Down, a charity that supports people affected by Down's syndrome, was notified of a 'humiliating' video featuring a child with Down's syndrome being bullied by his classmates at school. The charity immediately requested that the Milan Prosecuting Attorney remove the video, featured in the top 30 of Google Italia's 'Funny Videos', and assess the criminal responsibilities of those involved.
'The video was totally reprehensible and we took it down within hours of being notified by the Italian police', read Google's statement. 'We also worked with the local police to help identify the person responsible for uploading it...that's where our involvement would normally end.'
Italian Attorney Guido Camera, who represented Vivi Down in the case, told DataGuidance that today's ruling "has nothing to do with freedom of expression or censorship".
"The judge's decision does nothing but implement the Italian Data Protection Code", he said. "The full text of the judgment will be released in three months - until then, any comment or interpretation of the decision is speculation. Nevertheless, it must be clarified that the main point of today's ruling is not whether or not to limit freedom of expression on the internet - it is striking a balance between the freedom of expression and the protection of another fundamental right, the right to privacy, as laid down in the Italian Data Protection Code."
He continued: "The judge found that the Google executives are personally responsible for ignoring some of the provisions of the Data Protection Code 'for the sake of advertising profit'. In particular, there was no privacy policy on the Google Video website detailing the conditions to upload a video. Secondly, the video in question revealed very sensitive data - data on the health conditions of the bullied child. Under the Data Protection Code, this would have required his consent."
Wed, 24 Feb 2010 15:31:31 GMT
DATA GUIDANCE EMERGENCY WEBINAR: Google Case Italy: Could it happen to you?
Thursday March 4, 2010
UK: 5pm GMT, USA: 9am PST, 12pm EST, EU: 6pm CET
£115+VAT / €132 +VAT / $179. DataGuidance subscribers free.
DataGuidance is organising an Emergency Webinar on the implications of the Google case for both corporations and privacy professionals who have responsibility for data privacy in Europe.
The Webinar will hear from:
Italian Attorney Guido Camera, who represented Vivi Down, the Down's syndrome charity, in the Google case.
Italian Attorney Rocco Panetta, partner at Panetta & Associati, who spent seven years with the Italian data protection authority, Garante per la Protezione dei Dati Personali, will give an Italian privacy professional perspective on the Google decision.
Bridget Treacy, a partner from Hunton & Williams, London, will give a pan-European take on the implications, including whether corporations and privacy professionals could face similar penalties in other European jurisdictions.
Lisa Sotto, a partner from Hunton & Williams, Washington, will give a US take on the issue and a perspective on what US corporations should be doing to minimise risk both to them and their employees.
To reserve your place: contact Claire Singleton at claire.singleton@dataguidance.com or +44 (0) 207 012 1397.