Proposals for the Modernisation of European Public Procurement: Progress or Hindrance?

This post was written by Edward S. Miller, Marjorie C. Holmes, Katherine Holmes and Angela Gregson.

Background

The current European public procurement rules, intended to ensure open EU-wide competition for public contracts, are contained in two directives:

  • The Public Sector Directive (Directive 2004/18) sets out the rules that apply to contracts awarded by public sector bodies (e.g. government, schools, and health authorities).
  • The Utilities Directive (Directive 2004/17) sets out a parallel set of rules that apply to contracts awarded by public utilities (or private utilities that have the benefit of special or exclusive rights) operating in the water, energy, transport and postal sectors.

The current rules have been criticised for their lack of clarity and efficiency, and case law has substantially developed our understanding of the rules as set out in the directives. These factors, in combination with the developing public policy objectives of the European Commission (the "Commission") relating to the promotion of electronic communication, the development of small and medium-sized enterprises (SMEs), and social, environmental and employment considerations, have prompted the Commission to embark on simplifying, codifying and modernising procurement regulation. As a result, the Commission launched a review of the procurement rules in April 2010 and a consultation followed.

Click here to read our recent client alert.

EU Commission sends draft EU General Data Protection Regulation and Directive on Criminal Investigations and Judicial Proceedings to the European Parliament

This post was written by Cynthia O'Donoghue and Nick Tyler

The European Commission today completed its task of reforming the EU Data Protection Directive by sending a draft Regulation to the European Parliament. The draft Regulation contains comprehensive reforms and seeks to harmonise data protection laws across the 27 EU Member States, and to enhance EU citizens' privacy protections in the age of the Internet.

There will be two tiers of compliance obligations and sanctions, with one aimed at small- to medium-sized enterprises and the other at large, multinational organizations. SMEs are entitled to certain exemptions to ease administrative burdens, such as no requirement to appoint a data protection officer and a sanctions cap of up to €1 million. Multinationals with more than 250 employees in the EU will have to appoint a data protection officer and may face sanctions of up to 2 percent of worldwide annual turnover for serious breaches. Multinationals outside the EU will also have to comply with the data protection rules if they seek to market products and services to EU citizens.

Key provisions include:

A single notification to the data protection authority in the country where an organization has its principal establishment. There remains an obligation to notify and seek prior authorization for a range of processing activity considered to present specific risks, such as systematic and extensive profiling and large-scale video surveillance.

Accountability principle for those processing personal data, including impact assessments for SMEs and top-down accountability for all organisations.

Data breach notification to the national data protection authority if feasible within 24 hours, and to individuals if there is a risk of harm.

Increased individual control over their data includes seeking their explicit consent before data may be processed rather than it being assumed, and their ability to refer matters to the data protection authority in their country even if data is processed by a company based outside the EU.

Data Portability will mean that individuals will have easier access to their own data and be able to transfer it from one service provider to another more easily.

A right to be forgotten allows individuals, including children, the ability to delete their data if an organization does not have any legitimate grounds for retaining it. The right provides exemptions for legitimate historic data such as newspaper archives, and seeks to balance the right to privacy with the right to free speech.

The sanction regime has at least been watered down from the draft Regulation circulated in November 2011, which had proposed sanctions of up to 5 percent of worldwide annual turnover.

There have been some ‘business-friendly’ changes to the draft Regulation as compared with the earlier November draft. The proposal for an opt-in for commercial marketing has been substituted with an opt-out, and the provisions relating to children’s privacy now require parental consent for those under the age of 13, rather than 18.
In addition, while there is an emphasis on binding corporate rules for international data transfers outside of the EU, contractual clauses, EU standard contracts, and findings of adequacy, as well as international commitments by countries or international organizations such as U.S. Safe Harbor, will still apply. Given the changes contemplated under the draft Regulation, existing international data transfer mechanisms may need to be reviewed and amended if the draft Regulation is adopted.
The new European Data Protection Board will no longer act as a supernational regulator in relation to approving enforcement actions and sanctions as proposed in the November version of the draft Regulation. Instead, its powers will be limited to ensuring consistent application of the Regulation without the power to overrule decisions in individual cases.
The Commission's proposed draft Regulation and accompanying Directive now go to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. The Regulation will only take effect two years after adoption by the European Parliament, and we would expect further changes as it makes its way through the legislative process. That means any changes are probably close to three years down the road.

Federal Trade Commission Announces Adjusted HSR Thresholds for 2012

This post was written by Debra H. Dermody, Gavin P. Eastgate and Michelle Mantine.

On January 24, 2012, the Federal Trade Commission announced the annual threshold adjustments for premerger filings under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (15 U.S.C. § 18a) (“HSR”). The new thresholds have increased the dollar amount required to trigger HSR notification with respect to both the size-of-transaction and size-of-person tests.

The revised HSR thresholds will apply to all transactions that close on or after the effective date, which is 30 calendar days following publication of the adjusted thresholds in the Federal Register. Publication will occur shortly, and the effective date will be in late February.  Click here to learn more about the Adjusted HSR Thresholds for 2012.

Another Bankruptcy Asset Sale Put On Hold Due to Privacy Concerns

This post was written by Kurt Gwynne, Mark Melodia and Frederick Lah.

Last year, we wrote a post about how a New York bankruptcy judge delayed the approval of Barnes and Noble's acquisition of Borders' database of customer information amid privacy concerns. The court later approved the transaction, requiring that Barnes and Noble give customers 15 days to opt out of the transfer by responding to an email that was sent when the deal closed. A copy of that email can be found here.

Those same privacy concerns are re-surfacing in another bankruptcy asset sale. Real Mex Restaurants Inc. ("Real Mex"), the operator of Chevys Fresh Mex and other Mexican restaurants, filed for Chapter 11 bankruptcy protection back in October 2011. In November, Real Mex received tentative court approval to auction off its assets. Last week, though, the U.S. Trustee, the administrative agency charged with enforcing the country's bankruptcy laws, asked the Delaware bankruptcy court to block the proposed sale of Real Mex's assets until privacy concerns were addressed.

The U.S. Trustee objected to the sale based on its opinion that it violated section 363(b)(1) of the Bankruptcy Code because no consumer privacy ombudsman had been appointed to protect individuals' personally identifiable information ("PII"). Section 363 permits the sale or lease of PII only when either (1) such a sale or lease is made consistent with the debtor's policy prohibiting the transfer of PII to persons that are not affiliated with the debtor or (2) the court appoints a consumer privacy ombudsman and, thereafter, approves the sale or lease after giving due consideration to the facts, circumstances, and conditions of such sale or such lease; and finding that no showing was made that such sale or such lease would violate applicable nonbankruptcy law.

As we reported in our last post, this is not the first time that would-be buyers of databases have faced judicial or regulatory scrutiny about privacy concerns. See, e.g., In re: Peter Ian Cummings and FTC v. Toysmart.com, LLC and Toysmart.com, Inc. Still, though, the Real Mex case serves as an important reminder: Companies looking to acquire or transfer assets containing customer information need to address the associated privacy risks with those transactions, ideally before the government raises the issue first.

ZIP Code Privacy Litigation Update: Massachusetts

As part of a growing national trend, a Federal Court in Massachusetts recently held that ZIP codes are protected personally identifiable information, and therefore, retailers may not request a customer's ZIP code at the point of sale.

For more information, please read the issued Client Alert here.

Equality for Women: Amending the Women-Owned Small Business Program to Ensure Consistency with the Other Small Business Administration Program

This post was written by Leslie A. Monahan.

On January 12, 2012, the Small Business Administration (“SBA”) issued an interim final rule amending certain regulations governing the Women-Owned Small Business (“WOSB”) Program. These amendments to threshold amounts and protest procedures make the WOSB Program more consistent with other SBA government contracting programs. Given the public benefit of consistency in small business programs, SBA found good cause to publish the changes in an interim final rule, as opposed to a proposed rule, and made the rule effective from the date of publication.

The WOSB Program, which was established by a final rule issued on October 7, 2010, authorizes contracting officers to set aside contracts for WOSBs and economically disadvantaged women-owned small businesses (“EDWOSBs”) in certain industries where such concerns are shown to be underrepresented. To qualify as a WOSB, a business concern must be at least 51 percent unconditionally and directly owned by at least one woman who is a U.S. citizen. WOSB qualifications also require one or more women to control the management and daily business operations of the business concern. To qualify as an EDWOSB, a business concern must meet the same requirements as a WOSB and demonstrate that the owner’s or owners’ ability to compete in business has been impaired due to diminished capital and credit opportunities. Further, an EDWOSB owner’s personal net worth, adjusted gross yearly income averaged over the three years, and asset fair market value cannot exceed $750,000, $350,000, and $6 million, respectively.

Originally, under the WOSB Program, contracting officers could restrict competition for federal contracts not exceeding $5 million for manufacturing contracts and $3 million for all other contracts. The interim final rule changed those amounts to $6.5 million and $4 million, respectively, to be consistent with other SBA regulations. In addition, the interim final rule acknowledges the Federal Acquisition Regulation Council’s authority to adjust competitive thresholds for inflationary adjustments. These changes allow WOSBs and EDWOSBs to obtain larger contracts to grow their businesses.

In addition, under the interim final rule, contracting officers may now proceed with a contract award during the course of a protest, if necessary to protect the public interest, without having to make such a determination in writing. It also allows contracting officers to move forward with contract awards if the SBA does not respond concerning the status determination of the WOSB or EDWOSB filing the protest within 15 days from receipt of the protest. These changes allow contracting officers to award contracts more easily in protest situations.

Comments on the interim final rule are due by February 13, 2012.

US wades into debate on revision to EU Data Protection Directive

This post was written by Cynthia O'Donoghue and Nick Tyler

The U.S. Federal Trade Commission (FTC) has waded into the political debate with an Informal Note on the draft EU Data Protection Regulation as reported by Statewatch. In addition, Digital Civil Rights in Europe has reported that the U.S. Department of Commerce engaged in significant lobbying of the European Commission in response to the leaked draft Regulation.

The FTC’s Informal Note, provided to the EC in December 2011, focused on “two overarching concerns”:

  • “potential adverse effect on the global interoperability of privacy frameworks” – resulting in divergence rather than convergence of data privacy standards globally; and
  • “serious implications for regulatory enforcement activities involving third countries” such as the U.S. – resulting in EU data protection laws presenting a significant obstacle to international enforcement cooperation.

In both respects, the Informal Note portrays the draft Regulation as a backward step that would have an adverse effect on the global interoperability of privacy regimes by increasing differences rather than promoting convergence. The FTC also raised concerns about the draft Regulation’s potential to adversely impact international investigations, hinder information sharing between regulatory agencies and undercut enforcement cooperation between the EU data protection authorities and similar privacy enforcement agencies around the world.

In doing so, the FTC’s Informal Note emphasises many of the issues highlighted in our two blogs and Client Alert following the leak of the draft Regulation. In particular, the following themes are highlighted:

  • Data breach notification – criticising the Regulation’s “focus on process, instead of on improving security practices”, the note concludes that this “may…dilute the effectiveness and credibility of all such notices.” This echoes a concern first raised by the UK Information Commissioner’s Office during the IAPP Summit in November 2011, relating to notification of all data breaches regardless of seriousness or number of persons affected.
  • The “right to be forgotten” – the FTC’s concern relates to a chilling effect on rights to free speech and intimates that a right to be forgotten is little more than a pipe-dream fraught with legal and practical obstacles that render it unfeasible. Basically, the ubiquity of the Internet means that the cat’s out of the bag and any attempt to put it back is doomed to fail.
  • The definition of “child” – the EU’s definition of child being anyone under the age of 18 runs counter to the U.S.’s longstanding regulation of children’s privacy (defined as under-13 in the Children’s Online Privacy Protection Act (COPPA)). The FTC refers the EC to its recent review of the COPPA Rule [1], suggesting it take a more modern and less paternalistic view by recognising:

“…it would be difficult to require parental permission for teenagers because they’re independent, more sophisticated with new technologies than their parents are, and have access to computers outside the home, particularly with the increasing proliferation of mobile devices.”

  • Transfers to third countries – criticising the increased complexity in determining adequacy for transferring data outside the EU, the FTC believes that the draft Regulation only makes the process more burdensome, opaque and indeterminate, rather than achieving the EC’s stated objective of clarifying it. There is undoubtedly a degree of self-interest in the FTC’s alarm at the possibility that a U.S. Safe Harbor certification may no longer be recognised (at least in its current form) as a lawful basis for transfers of personal information from the EU to the U.S., as we previously highlighted. The prospect that present lawful trans-border dataflow mechanisms will need to be replaced by new or re-vamped versions, including through the use of binding corporate rules, will alarm every U.S. organisation that has invested significantly in putting legal mechanisms in place to transfer data from the EU to the U.S.
  • International Investigations – the FTC raises concerns about the effect on international regulatory enforcement, effectively calling the draft Regulation a ‘blocking statute’, because data controllers will have to notify and receive prior authorisation from a data protection authority before disclosing personal data to any non-EU governmental or regulatory authorities or private litigants outside the EU. The FTC highlights the conflicts as well as perils such provisions will create for U.S. companies with a presence in the EU, especially if an investigation relates to anti-competitive activities, financial or consumer fraud. The FTC suggests that the draft Regulation incentivises “offshoring” evidence, resulting in untimely delays and potentially damaging the interests of consumers, including in the EU.

The FTC’s Informal Note, along with other voices loudly debating the draft Regulation, advocates a more balanced and proportional approach to privacy and data protection. 

Whether this US intervention will contribute to a delay in the EC publishing the draft Regulation, or whether, as recently restated by Ms. Reding’s office, publication will still take place on Data Protection Day on 28 January, we don’t have long to find out.



[1] COPPA Rule Review Request for Comment, Fed. Reg. Vol. 76, No. 187, Sept 27 2011 at 5905, available at: http://www.ftc.gov/os/2011/09/110915coppa.pdf.

In an Olympic year the draft EU data protection regulation lacks "2020 vision" and stumbles at the first hurdle - publication postponed until the Spring (at least!)

This post was written by Cynthia O'Donoghue and Nick Tyler.

As reported yesterday by DataGuidance, it’s back to the drawing board for the Directorate-General for Justice (Justice) responsible for EU data protection law after they received strong “unfavourable” opinions from two key Directorates-General in response to the European Commission’s mandatory inter-service consultation process.

Publication of the draft EU Data Protection Regulation had been expected at the end of this month but has now been delayed until late February/March. The nature of the concerns raised by the Information Society and Media Directorate General (INFSO) and Directorate General for Trade (D-G Trade) mirror many of those highlighted in our earlier blog post and Client Alert following the leak of the draft Regulation last month.

INFSO’s concerns run to 22 pages and invoke some harsh criticism of the proposals and a perceived lack of openness and flexibility on the part of Justice. INFSO’s concerns include:

  • The broad scope of personal data, including geo-location data and online identifiers, without qualification;
  • The onerous requirements of proposed new data breach notification obligations;
  • The definition of “child” (under-18 threshold proposed) – unworkable in the online world;
  • The burdensome nature of the proposed new “right to be forgotten”;
  • A failure by Justice to take account of concerns about the continued burdens relating to data transfers, in particular those transfers described as “massive, frequent or structural”;
  • An increased risk of interference, contradiction and confusion within the draft regulation as a result of its addressing areas already covered by the ePrivacy Directive;
  • The proposed new sanctions regime.

The comments by INFSO represent a significant setback in the EU Commission’s attempts to re-shape European data protection law for the next generation. With the long-term future of enterprise and society in mind, INFSO rejects the draft regulation as:

“…an overly cumbersome legal framework which places new burdens and costs upon data controllers and processors, thereby acting as a deterrent for the development of new business models. INFSO is concerned that the proposal does not sufficiently take account of the economic climate and is at odds with the vision of Europe 2020.”

It’s not the first time (and won’t be the last) that data protection regulation has been blamed for standing in the way of progress but this opinion presents a significant challenge to the EU Commission’s efforts to complete the race to revise the EU Data Protection Directive.

'Sunshine Act' à la française adopted on 29 December 2011. Healthcare and cosmetics companies will be subject to a tough transparency regulation in France

This post was written by Daniel Kadar.

A new rule, adopted on 29 December 2011 and published on 30 December 2011 after an unusually expedited procedure due to strong government pressure, will heavily modify the regulatory framework in which healthcare companies, but also to some extent cosmetics companies, operate in France.

Besides replacing (next August, although the law is already in force) the current government healthcare agency (AFSSAPS) with a new ‘National Agency for the Security of Drugs’ / ‘Agence Nationale de Sécurité des Médicaments’ (ANSM), which will have more control powers and will be able to fine non-compliant actors, the new law sets out transparency requirements for healthcare and cosmetics companies that are comparable to those provided by the US ‘Sunshine Act’.

The new article L 1453-1 of the French Public Health Code imposes a general disclosure obligation on any company manufacturing or commercializing products with a medical or cosmetic purpose. The obligation concerns all agreements such companies may have with healthcare professionals, students of medicine and other healthcare-related studies, clinics and hospitals, foundations, press and communication agencies/companies, publishers of drug-prescription software, as well as educational companies in the healthcare area.

The obligation will require disclosure of any advantages in kind or in payment provided by the companies to such persons mentioned above (the threshold amount triggering this disclosure obligation is to be fixed by decree).

The law provides for fines for infringing the obligation of up to 45,000 Euros in respect of physical persons and up to 225,000 Euros in respect of legal persons.

In addition, the law requires the disclosure by those holding regulatory powers devolved to them by the French Ministry of Health, cabinet members and members of the new ANSM of any conflicts of interests when taking on their functions.

The new law also sets forth new pharmacovigilance requirements and provides more stringent rules concerning the advertisement of drugs as well as – this is new – medical and diagnostics devices.

More details will be provided in follow-up decrees to be made in the coming weeks. In many cases, this new regulation sets very stringent standards which will require all healthcare companies, but also to some extent (in particular in terms of the transparency requirements) all cosmetics companies, to restructure their businesses in France.

For more information, please read the issued Client Alert here.

ICO Information Rights Strategy 2012 - UK regulator identifies information security as continuing priority while targeting Financial Services, Health and Telecoms/New Media for close attention

This post was written by Cynthia O'Donoghue and Nick Tyler.

The Information Commissioner’s Office (ICO), the UK’s data protection and freedom of information regulator, has launched a high level “Information Rights Strategy”.

In it, the ICO identifies the following priority areas: Internet and mobile services; health; credit and finance; criminal justice; and information security.

The ICO will focus on outcomes in the above areas that reduce risks to information rights (both data protection and freedom of information). The outcomes are aimed at raising the awareness and understanding of information rights and risks. The ICO seeks to raise awareness among individuals as well as those organisations responsible for meeting obligations under information rights law.

The ICO’s strategy applies internationally and recognises the pervasive risks arising from “global data flows and universal deployment of new technologies”. The ICO seeks to work with and influence fellow regulators at EU and global level in an effort to achieve a consistent and harmonised approach.

The ultimate objective of “good information rights practice” will depend in part on the ICO’s use of its enforcement powers. In identifying the five priority areas, the ICO clearly signals which industry sectors and compliance issues will receive “particular regulatory attention”.

While the area of information security will continue to be a priority compliance risk for all, organisations in the telecommunications/new media, health and financial services sectors will fall under the regulator’s microscope.

In a stark warning to any who may be complacent about compliance, the ICO states: “We will actively seek out situations where organisations significantly fail to live up to their information rights responsibilities and use the full range of our powers to address these”.

When might a private email account become 'public property'? Freedom of information guidance may lead to erosion of privacy for employees

This post was written by Cynthia O'Donoghue and Nick Tyler.

There will always be a tension implicit in the relationship between freedom of information and data protection laws. In the United Kingdom this is usually alleviated by the fact that both are regulated by the same person/body, the Information Commissioner’s Office (ICO). However, recently published ICO guidance, aimed at public authorities under the Freedom of Information Act 2000 (FOIA), could provide an arguable basis for allowing private sector organisations to search their employees’ private email accounts for work-related communications or company business to respond to subject access requests made under the Data Protection Act 1998 (DPA) or other legitimate requests, such as e-discovery/disclosure.

The ICO guidance [1] was prompted by reports of government ministers, elected representatives and/or public sector officials using their non-work personal email accounts (e.g. Hotmail, Yahoo and Gmail) for work-related communications and official business. Concerns that this may have been done in a deliberate attempt to circumvent the FOIA regime prompted the regulator to act. The ICO guidance makes it clear that information held in such accounts and relating to official business of a public authority is “held by the authority” and/or “held by another person on behalf of the authority” and is therefore in scope of a request made under FOIA.

We wonder whether by ensuring no stone is left unturned to identify all information within the scope of FOIA requests this guidance might have some unintended consequences, by analogy, in the context of subject access requests made under the DPA.

The guidance requires public authorities that have established the existence of such information to ask the individual “to search their account for any relevant information”. A record of such action needs to be kept “to demonstrate, if required, that appropriate searches have been made in relation to a particular request”. This may arise in the course of the ICO’s investigation of a complaint under FOIA.

The guidance recommends clear policies for email/acceptable use of IT systems, and records management, in an effort to address the acknowledged “complications” arising from the onerous requirement to request “searches of private email accounts, and other private media”.

Addressing similar “complications” could lead to employers exerting their authority over their employees in attempting to either identify all personal data within the scope of a data subject access request or within the scope of a company’s legitimate business interest, such as would be required to respond to disclosure/discovery. The rationale behind the guidance could just as easily be applied, by analogy, to those occasions when the ICO deems it appropriate that such searches should extend to personal email accounts and home computers, where these have been used to process personal data for which the employer is the data controller.

Such unintended consequences inevitably raise genuine concerns about the erosion of privacy in the workplace. At this point such concerns are likely to surface in the public sector workplace, unless accepted as the inevitable price of greater openness in the public sector. 


[1] “Official information held in private email accounts”, ICO, dated 15 December 2011

The European Court of Justice rules twice in one day on data protection issues: Emerging clarity and consistency is in everyone's interests.

This post was written by Cynthia O'Donoghue and Nick Tyler.

“You wait for ages for one and then two turn up at the same time!” The European Court of Justice issued two significant rulings this past November.

The first addressed the manner in which Spain enacted the Data Protection Directive. In Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) v Administración del Estado (C-468/10) and Federación de Comercio Electrónico y Marketing Directo (FECEMD) v Administración del Estado (C-469/10), the claimants challenged Spain’s national data protection law (Organic Law 15/1999) which imposed the extra condition that personal data must be in the public domain when processed, based upon a data controller’s legitimate interests. The ECJ ruled that Article 7(f) of the Data Protection Directive 95/46/EC was sufficiently precise to have direct effect in member states’ national laws because it sets out an exhaustive list of conditions to the processing of personal data and as such member states may not impose additional conditions.

The surprising aspect of this case, in our view, is that it has taken until now to gain a degree of consistency of interpretation for what is a relatively straightforward provision of EU data protection law. In our experience the misinterpretation of this provision in Spanish law has presented real practical difficulties to clients implementing run-of-the-mill applications involving non-sensitive personal data. The resulting emphasis in Spain on the need to gather consent has inevitably introduced increased bureaucracy and associated costs.

The other case, Scarlet Extended SA (Scarlet) v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM) (Case C-70/10), stemmed from a referral to the ECJ by the Belgian court and has important implications for the practical enforcement of copyright infringement cases. SABAM, a management company representing owners of copyright-protected works, took legal action against Scarlet, an Internet Service Provider (ISP), because Scarlet’s users were downloading works in SABAM’s catalogue through peer-to-peer networks/file sharing and so infringing copyright.

In the legal proceedings SABAM asked the Belgian courts to make an order requiring the ISP to stop such infringements “by blocking, or making it impossible for its customers to send or receive in any way files containing a musical work using peer-to-peer software without permission”. The technical solution would involve a systematic analysis of all content and the collection and identification of users’ IP addresses from which unlawful content was sent, which may also result in the blocking of lawful content. The local Belgian court granted SABAM’s request for an injunction.

Scarlet appealed, arguing that the injunction would be unlawful on several grounds, most notably on data protection and privacy grounds: it would breach the Belgian law implementing Directive 2000/31, which prohibits imposing a general obligation to monitor all communications passing through the ISP’s network, and Directive 95/46/EC, because the filtering system would involve the processing of IP addresses, which are personal data.

The ECJ ruled that the technical solution did not strike a fair or proportionate balance between the protection of intellectual property right holders and the freedom of ISPs to conduct a business, nor was a fair balance struck between the protection of copyright and the fundamental rights of individuals, in this case the ISP’s customers.

Crucially, the ECJ noted the impact on the ISP’s customers and the infringement of their fundamental right to protection of their personal data (Article 8 of the Charter of Fundamental Rights of the EU) and their freedom to receive or impart information (Article 11 of the Charter).

This ruling essentially validates the Art. 29 Working Party’s opinion that in the hands of ISPs, IP addresses are personal data because “they allow those users to be precisely identified.” What is unclear from the ruling is whether IP addresses are also considered to be personal data when processed by organizations that would not have access to names and account information that would enable such precise identification.

U.S. Federal Government Reverses its Stance on Online Gaming

Joseph Rosenbaum, Ramsey Hanna and Joshua Marker posted an update on our sister blog, Legal Bytes, regarding how the Department of Justice reversed its position on the U.S. Wire Act's applicability to online gambling that does not involve sports betting. Our interdisciplinary team of privacy specialists, technologists and marketing-focused attorneys has its eye on this development. The DOJ's statement has the potential to rev the data-intensive, multi-billion dollar online gambling industry back up in the U.S. market.

For more information, please visit our Legal Bytes blog or read the issued Client Alert here:  U.S. Federal Government Reverses its Stance on Online Gaming.

New EU Data Protection Framework

This post was written by Cynthia O'Donoghue, Nick Tyler and Katalina Chin.

The new proposed EU Data Protection Framework looks set to implement dramatic changes to the landscape and to affect any organisation that does business in the EU or that handles the data of its citizens. It has the potential to create even more regulatory burdens on business despite promoting a more self-regulatory regime. Although the new Framework is in draft and is making its way through the legislative process, it makes for sobering reading because failure to comply could result in sanctions of up to 5 percent of an organisation's annual worldwide turnover.

To view the entire alert, please click here.


UK High Court challenges ICO's view on the scope of "domestic purposes" exemption - UK data protection regulator may now be expected to intervene and stop unlawful publication of offensive material on the Internet

This post was written by Cynthia O’Donoghue and Nick Tyler.

In a decision with potentially far-reaching consequences for the UK data protection regulator, a High Court Judge, Tugendhat J., questioned the legal basis upon which the Information Commissioner’s Office (ICO) declined to take action to stop the publication of defamatory and offensive material on the website solicitorsfromhell.co.uk. See, The Law Society and Others v Rick Kordowski [2011] EWHC 3185 (QB) (Judgment dated 7 December 2011).

The website was a forum for individuals to post comments about lawyers, most of which were libelous or defamatory, and could be posted anonymously without any moderation by the site’s publisher. The judge ordered that the site be taken down permanently and banned the web address from being transferred to anyone else.

Mr Kordowski failed to mount any credible defence to the raft of claims brought in the proceedings – the judge labelling him a “public nuisance”. The judge also highlighted the challenge faced by the administrative justice system by what he identified as a new breed of “vexatious litigant” – “defendants who mischievously provoke claims which they know they cannot defend”.

Tugendhat J. commented that he found it impossible to reconcile the legal views of the ICO expressed in a letter to the Law Society with authoritative statements of the law, and found that the UK Data Protection Act 1998 (“DPA”) indeed envisages that the ICO should consider what is acceptable for one individual to say about another under the First Data Protection Principle, since data must be processed lawfully.

The ICO based its position on the scope of the “domestic purposes” exemption in relation to individuals posting their views on third party websites. Section 36 of the DPA exempts all processing of personal data by an individual “only for the purposes of that individual’s personal, family or household affairs (including recreational purposes)”. Even though the ICO had recognized “a growing social problem in individuals posting offensive material about each other”, the view expressed to the Law Society was that the DPA was both “out of step with technology” and “simply not designed to deal with [this] sort of problem”.

While the court did not review the ICO’s decision, the clear implication was that the ICO could, and perhaps should, have taken a more active role in exercising its regulatory powers. The court acknowledged that the ICO may often find itself in the difficult position of being asked to referee legal disputes which might better be resolved in the courts. In a clear-cut case, however, “where there is no room for argument that processing is unlawful [in this case defamatory and amounting to harassment]”, it is difficult to argue that the processing was not within the ICO’s enforcement powers.

The challenges faced by those charged with regulating the Internet are significant, and the court’s judgment aligns with the limited scope of the “domestic purposes exemption” set out in the draft EC Data Protection Regulation, which specifically carves out of the domestic purposes exemption instances when an individual posts personal data on the Internet that is “accessible to an indefinite number of individuals”.

Following this judgment, it will be interesting to see if the ICO follows the court’s interpretation of its ability to take a more robust view of its powers in relation to “lawful processing”. The ICO will certainly have to think twice about what qualifies for the “domestic” exemption, and there is a message in here for web site operators as well: they can no longer rely on the “domestic” use exception and will have to increase web site moderation and take down obviously unlawful postings.