Category

Online Privacy

20 February 2014

Broker-Dealers Need to Respond to Recent Focus on Cybersecurity Threats

Recent data breaches at retailers like Target have increased awareness about growing cybersecurity threats. Broker-dealers in particular need to reevaluate their own cybersecurity preparedness in light of several recent events:

  1. FINRA’s launch of a cybersecurity sweep, publicly announced on the FINRA website on February 6, 2014;
  2. The inclusion of cybersecurity as a priority in the SEC’s National Examination Program for 2014 and FINRA’s 2014 Annual Regulatory and Examination Priorities Letter;
  3. The White House’s February 12, 2014 release of the much-anticipated Framework for Improving Critical Infrastructure Cybersecurity; and
  4. An upcoming SEC public roundtable on cybersecurity issues, to be held in Washington, DC on March 26, 2014.

15 January 2013

Business Concern over Amendments to Proposed EU Data Protection Regulation

The European Parliament’s Civil Liberties Committee has published its draft report on the proposed EU Data Protection Regulation that is causing concern for many corporations. http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf.

The report sets out amendments to the draft EU data protection regulation published by the European Commission last January (the “Regulation”): http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf.

Although the proposed Regulation has been one of the most lobbied pieces of European legislation, many will be disappointed that, as amended, the draft still imposes very significant burdens on businesses that are in the EU, or which are outside the EU but offer goods or services to EU customers, with fines of up to 2% of annual worldwide turnover.

Although there has been considerable debate on the proposed Regulation, there is still time for those concerned to make their views known to the European legislature. A summary of the main elements of the proposed Regulation as amended by the Committee is set out below.

Scope of Regulation and Enforcement

  • The Regulation will apply expansively to all global businesses, including any Internet company with more than 500 European customers. To be specific, it would apply to “data controllers” established in the EU or operating from outside the EU where the processing activities are aimed at the offering of goods or services to individuals in the EU irrespective of whether payment is required. A data controller outside the EU will need to appoint a representative in the EU if it processes personal data of 500 or more individuals a year, irrespective of whether payment is required for the goods or services.
  • For the first time, the regime will directly affect software and hardware development. So called “producers” (i.e. hardware and software developers) that produce systems to process personal data must take measures to ensure data protection compliance when designing systems.
  • Provisions for fines of up to 2% of annual worldwide turnover for violations of the Regulation remain, although additional criteria are proposed that would be taken into account by Data Protection Authorities (DPA) when determining the administrative sanction.
  • There are a number of amendments to strengthen the position on collective redress: bodies or associations acting in the public interest would be able to go to court on behalf of data subjects to seek damages, and damages will now also be permitted for non-pecuniary loss such as distress.

International Data Transfers

  • Transfers of personal data from the EU to countries that are not deemed to provide an adequate level of protection (such as the United States) should be on the basis of binding legal instruments (such as Binding Corporate Rules and the EU’s standard contractual clauses). The ability of the European Commission to decide that a particular industry sector provides an adequate level of protection (such as the U.S. healthcare industry) has also been rejected.
  • The U.S.-EU Safe Harbor and other previous adequacy decisions as well as decisions relating to standard contractual clauses will remain in force for only two years after the Regulation takes effect. This may lead to companies needing to assess whether their prior compliance efforts remain valid.
  • International investigations will become significantly more complicated. An important new provision will require that a controller’s representative must notify the DPA and obtain an authorization for transfer pursuant to the requests or orders of a court, tribunal or authority of any country outside the EU.

Consent, Legitimate Interest and Data Protection Notices

  • Compliance will also become more complex given that consent may not be available in the employment context. Although the report emphasizes the importance of consent, the condition that consent is not valid where there is a significant imbalance between the position of the data controller and the data subject (i.e. the individual) remains in the Regulation. However, incentives are also included for data controllers to use pseudonymous data (e.g. key coded), for which lighter consent obligations will apply.
  • More detail is also provided on when it is possible for a data controller to rely on the legitimate interest ground to process personal data with the controller required to publish why it believes its interests override those of the data subject. The legitimate interests of the data controller include enforcement of legal claims.
  • Data protection policies are to be communicated using multi-layered formats and icons with full information available on request. Data subjects also have a right to be informed about the disclosure of their personal data to a public authority.

Right to be Forgotten, Data Portability and Profiling

  • The Right to be Forgotten (i.e. to have personal data erased) remains in the Regulation but has been amended so data controllers would no longer have to take reasonable steps to contact third parties to request them to erase copies of the data if the personal data has been transferred or made public based on legal grounds (such as legitimate interest).
  • The Right to Data Portability (i.e. to obtain a copy of the data being processed and to move the data to another platform) has been merged with the Right of Subject Access (i.e. the right for confirmation whether personal data is being processed). The Right of Subject Access has also been amended so data subjects now have a right to be informed if their personal data has been disclosed to public authorities.
  • Targeted Internet advertising could also face significant impacts. Profiling will only be permitted with the data subject’s consent or based on an express statutory provision.

Documentation, Impact Assessments, Security and DPOs

  • The requirement in the proposed Regulation for data controllers and processors to retain detailed documentation on the processing has been merged with the requirement to provide information to individuals about how their personal data are processed. The exemption for small businesses employing fewer than 250 persons from having to retain such documentation has been removed.
  • In the case of a security breach the period to notify the DPA is extended from 24 to 72 hours while the obligation to notify data subjects has also been extended to require that information be included regarding the rights of the data subject including redress.
  • The obligation to appoint a Data Protection Officer (DPO) has been amended so a DPO is required where a legal entity processes personal data on more than 500 persons. The DPO must be a direct report to the head of management, such as the CEO, and the minimum appointment of the DPO is also extended from 2 years to 4 years. The DPO will also have an obligation to report suspected breaches to the DPA.
  • The requirement to carry out data protection impact assessments where data involves specific risks (such as health data and data on children) remains as does the obligation to seek the views of data subjects. However, instead of having to consult with a DPA it is now proposed that a data controller can consult with their DPO.

Life Sciences and Scientific Research

  • Importantly, the report provides a comment that processing of sensitive data (e.g. health data) for the purposes of historical, statistical and scientific research is “not considered as urgent or compelling as public health or social protection.” This is of particular concern for the life sciences industry and other industries carrying out research, including academic research.
  • The provisions in the Regulation on processing of sensitive data (including health data) for the purposes of historical, statistical and scientific research are also amended to provide that such processing shall only be permitted with the consent of the data subject, but Member States may legislate for exceptions to the requirement of consent for research that serves an exceptionally high public interest, if that research cannot possibly be carried out otherwise. The amendments go on to provide that “The data in question shall be anonymized, or if that is not possible for the research purposes, pseudonymized under the highest technical standards, and all necessary measures shall be taken to prevent re-identification of the data subjects.” The possibility of EU Member States determining when scientific research is permitted, where consent has not been obtained, will also be of concern to the life sciences industry.

New One Stop Shop, Codes of Conduct and Certification Schemes

  • A modified ‘one stop shop’ approach to regulation is proposed under which a DPA is competent to supervise processing operations within its territory or affecting data subjects resident in its territory. Where the processing activities of a controller or processor are established in more than one EU Member State or affecting data subjects in several Member States, the authority of the Member State of the main establishment of the data controller will be the lead authority acting as a single contact point for the controller or processor.
  • Some of the powers of the European Commission to adopt delegated acts (i.e. to provide more detailed requirements) for certain provisions have been removed.
  • Industry Codes of Conduct and data protection certification schemes are encouraged with a formal procedure required to be set down for the issue and withdrawal of a data protection seal or mark and to ensure the independence of the issuing organization.

The next steps in the EU legislative timetable include: (i) February 27, 2013: deadline for tabling amendments by MEPs on the Civil Liberties Committee; (ii) end of April 2013: vote by the Civil Liberties Committee; and (iii) from May 2013 on: (depending on progress in the EU’s Council of Ministers) negotiations between European Parliament, the Council and the Commission (the so called “Trilogue”).

For further details on the proposed EU Data Protection Regulation, please contact William Long (wlong@sidley.com) or John Casanova (jcasanova@sidley.com). Edward McNicholas (emcnicholas@sidley.com) in Washington, D.C. is also available to assist U.S. companies in addressing the potential conflicts between U.S. and EU requirements.

This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000.

Prior results do not guarantee a similar outcome.

29 May 2012

EU Website Cookie Consent Requirements Now Being Enforced

The deadline of 26 May 2012 for businesses to comply with new EU website cookie consent requirements in the UK has now passed. Under the EU’s amended e-Privacy Directive 2002/58/EC new rules were introduced last year for businesses to obtain the consent of website users to place cookies on a user’s computer. Although EU Member States were required to implement the consent requirements by 25 May 2011, the UK’s Information Commissioner’s Office (“ICO”) gave businesses a 12 month grace period to become compliant with the new law which ended on 26 May 2012. Many other EU Member States have still to implement the cookie consent requirements with only 20 of the 27 Member States having so far implemented the requirements into their national laws.1

The new EU cookie consent requirements contain an exception where the website is using a cookie “that is strictly necessary” to provide the service explicitly requested by the user. The ICO considers this exception should be narrowly interpreted and cannot, for example, be used to exclude cookies used for analytical purposes, such as counting the number of visits to a website, from the new consent requirements. Failure to comply with the EU cookie consent requirements can lead to enforcement action including fines from national data protection authorities.

UK Guidance

The cookie consent requirements under the amended ePrivacy Directive were implemented in the UK through “The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011” (the “UK Regulations”). The ICO has published helpful guidance on implementing the UK Regulations entitled “Guidance on the rules on use of cookies and similar technologies” (the “UK Guidance”).

Regarding the scope of the UK Regulations, the UK Guidance states that websites based outside of the EU, designed for the European market or providing products or services to customers in the EU, should consider that their users in the UK and the EU will clearly expect that information about cookies will be provided to them and their consent to set cookies obtained.

Providing clear and comprehensive information to the user

In addition to obtaining consent, the requirements under the ePrivacy Directive include that the user is provided with “clear and comprehensive information” about the purposes for which the information, such as that collected through cookies, is used.

The ICO suggests that wherever possible, the placing of cookies on a user’s terminal equipment should be delayed until the user has had the opportunity to understand what the cookies are being used for and so they can make their choice to accept the cookies or not. However, the ICO acknowledges that obtaining prior consent might be difficult as many websites set cookies as soon as a user accesses a website. The ICO therefore states that at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with the option to accept the use of cookies.

Responsibility for compliance

Although the UK Regulations do not define who should be responsible for complying with the new requirements, the ICO clearly states in the UK Guidance that “where a person operates an online service and any use of cookies will be for their purposes, it is clear that that person will be responsible for complying with this Regulation”. The ICO also makes it clear that where third party cookies are used through a website, the person operating the website and the third party should be responsible for complying with the UK Regulations. However, the ICO acknowledges that it could be challenging in practice for third parties to comply, and therefore proposes that a third party using cookies on a website should consider putting a contractual obligation into agreements with the website provider “to satisfy themselves that appropriate steps will be taken to provide information about the third party cookies and obtain consent.”

Potential solutions to gain the consent of the user:

The UK Guidance refers to a number of potential solutions to obtain consent for use of cookies including:

Use of pop ups and similar techniques, such as a header or footer bar on the home page – while using a pop up to directly ask a user if they agree to the use of cookies will amount to consent if they click yes, the ICO acknowledges that this could spoil the user experience if the website uses several cookies. Moreover, the ICO comments that some users might not click on the options available and go straight to another part of the website. In these circumstances it may be possible to infer consent from the fact that the user has seen a clear notice and actively indicated that they are comfortable with cookies by clicking through and using the site.

Terms and conditions – when users open an online account or sign in to use the services, they could consent through terms and conditions to the use of cookies. The ICO specifies that changing the terms of use alone to include consent for cookies is not sufficient even if the user had previously consented to the global terms. To satisfy the new rules on cookies, the website operator must make users aware of the changes and specifically that the changes refer to the use of cookies. The website operators will then need to gain a positive indication that users understand and agree to the changes. The positive indication is commonly obtained by asking users to tick a box.

Settings-led consent – some cookies are set up when a user confirms what he/she wants to do or how he/she wants the site to work, for example, when selecting a feature such as the language of the website. The website should, during that process, explain to the user that by allowing the website to remember the user and the way he/she wants to use the website, the user gives the website consent to use cookies.

Feature-led consent – some information is stored on the user’s computer when the user decides to use a particular feature of a website, such as watching a video, or when the website remembers what the user did on a previous visit in order to personalise the content of the website. In these cases the website can ask for consent to set a cookie at this point.

Browser settings – the view of the ICO is that most browser settings are not currently sophisticated enough to allow a website provider to assume that the user has given his consent. The UK Guidance confirms that the ICO and the UK Government are currently working with the major browser manufacturers to establish a new browser solution.

Steps to take now

Many businesses have been considering the best ways to obtain consent to the use of cookies for some time. For those businesses that have not yet implemented a cookie consent solution for their websites it is important that they do so now, particularly as the UK deadline has now passed. According to the UK Guidance the first steps should be:

Cookie Audit – businesses should check what cookies they are using on their websites, confirm the purposes, what data each cookie holds and the type of cookie (i.e. session or persistent and first or third party cookie). This could involve carrying out a comprehensive audit of the websites. The cookies used should also be analysed to determine which, if any, are “strictly necessary” and therefore might not need consent.

Cookie Assessment of Intrusiveness – the more intrusive a cookie the more priority should be given to getting meaningful consent. Some analytical cookies may have a limited privacy impact while cookies involved in creating detailed profiles of an individual’s browsing activity can have a significant privacy impact. An assessment of the intrusiveness of the cookies used should also be undertaken.

Cookie Consent Solution – in addition to deciding on the most appropriate of the cookie consent options, which are referred to above, it is also necessary to consider the information on cookies that should be provided to users. According to the ICO, for most users it may be helpful to provide a broad explanation of the way cookies operate and the categories of cookies that are used on the website.

If you have any questions regarding this update, please contact:

John Casanova, Partner
jcasanova@sidley.com
+44 20 7360 3739

William Long, Counsel
wlong@sidley.com
+44 20 7360 2061


1 Austria, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Greece, Hungary, Ireland, Latvia, Lithuania, Luxembourg, Malta, Slovakia, Spain, Sweden, the Netherlands and the UK.

09 December 2011

First Look: Leaked Draft of New EU Data Protection Regulation Suggests Significant Impacts for Global Businesses

A draft of a new EU Regulation on Data Protection to replace the existing EU Data Protection Directive was released unofficially earlier this week. The draft Regulation, once adopted, will have a significant impact on virtually all businesses established in the EU, or that carry on business with the EU, introducing significant internal compliance requirements and fines that range up to 5% of worldwide turnover.

In an article published by the Bureau of National Affairs, John Casanova and William Long of the London office of Sidley Austin and Alan Raul and Ed McNicholas of the Sidley Washington office provide their initial analysis of this significant new EU development. For further information on this development and other EU data protection requirements please contact John Casanova or William Long and for counseling in relation to US privacy issues please contact Alan Raul or Ed McNicholas.

Reproduced with permission from Privacy & Security Law Report, Vol. 10 PVLR No. 48, 12/12/2011. Copyright 2011 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

View Article

16 August 2011

Business Concern Over New EU Consent Requirement to Use Website Cookies

New EU cookie consent requirement

Amendments to the EU’s ePrivacy Directive have meant that since 25 May 2011 the EU has required website operators to obtain the consent of users to the use of cookies. This is a significant development and it is causing considerable concern among businesses. The new consent requirements for the use of cookies, which are small text files used by virtually every website to recognise a user’s computer and collect information on a user’s activities and preferences, have caused a storm of debate as regulators and businesses struggle to find a practical way of obtaining consent.

There is also particular concern regarding compliance with the new requirements in relation to so called “third party” or “tracking” cookies used in behavioural advertising, where information from cookies is shared with third parties. In these circumstances obtaining consent may be more complex and care needs to be taken to make sure users are made aware of what data are being collected and by whom.

There is only one exception to the new EU consent requirement: where the website is using a cookie “that is strictly necessary” to provide the service explicitly requested by the user. However, this is a narrow exception covering, for example, use of a cookie to allow the website to remember items placed in a virtual shopping basket, and it would not apply to the use of cookies to collect website analytics data.

Confused transposition process in the EU

Another particular concern is the lack of a harmonised approach to implementation of the new consent requirements in different EU Member States. Despite the 25 May 2011 implementation deadline, only ten EU Member States have so far implemented the requirements into their national laws: Estonia, Finland, Ireland, Latvia, Lithuania, Malta, Sweden, Hungary, Luxembourg and the UK. The table on page 3 summarises the current position.

There is also a lack of clarity on how in practice consent may be obtained and, in particular, whether browser settings can be used to obtain consent. It is understood that in Ireland, Luxembourg, Sweden and the UK the implementing legislation or guidance expressly provides that consent may result from the browser settings. Of these early adopting Member States, national guidance has so far been published only in Ireland, Sweden and the UK, although further national guidance may be published in due course.

In the UK, the Information Commissioner’s Office (the “ICO”) has issued guidance on what may constitute a sufficient opt-in consent:

  • Pop ups and similar techniques – using pop ups on the website screen for users to click that they consent to use of cookies, although the ICO acknowledges that this could spoil the user experience.
  • Terms and conditions – when users open an online account, or sign in to use the services, they could consent through terms and conditions to operation of the account and to use of cookies but a positive indication of consent is required such as through the user ticking a box.
  • Settings-led consent – obtaining consent as part of the process by which the user confirms what they want to do, or how they want the site to work, for example, when selecting a feature as to the size of text they want displayed.
  • Feature-led consent – placing text in the footer or header of the web page which is highlighted or which turns into a scrolling piece of text when wanting to set a cookie on the user’s device.
  • Browser settings – using browser settings to obtain consent, although the view of the ICO is that most browser settings are not sophisticated enough to allow a website provider to assume that the user has given their consent to the website using a cookie.

To allow businesses to achieve compliance the UK has a grace period of 12 months until May 2012 during which time the ICO will refrain from using its enforcement powers although businesses are expected to take steps to comply with the new requirements. It is also understood that in Sweden a grace period, expected to be around 6 months, will also be applied.

Another question that is still not clear is whether national Member State laws implementing the new cookie consent requirement will apply to website operators not established in a Member State, for example a US website accessed by French consumers.

Practical steps to be considered by businesses now

While there are still some unanswered questions concerning the implementation and scope of the new EU cookie consent requirement it is important that website operators start to consider the new requirements now and how they may apply to their business. Some practical steps that can be taken now include:

  • monitoring the implementation of the cookie consent requirement in different Member States over the next few months;
  • carrying out an audit of the business use of cookies, including the type of cookies used (e.g. first party or third party cookies, session only cookies or persistent cookies);
  • updating privacy policies to include more explicit disclosures on the use and ability to opt-out of use of cookies;
  • evaluating consent options, taking into account customer impact, costs and applicable laws; and
  • reviewing existing arrangements with service providers concerning the collection of data and use of cookies.
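The cookie audit bullet above, and the Cookie Audit step in the 29 May 2012 update, both ask the same questions of every cookie a site sets: session or persistent, first or third party, and whether it can rely on the “strictly necessary” exception. The helper below, added here as an illustration and not part of either Sidley update, applies that classification to Set-Cookie headers; the site host, cookie names, header values and the list of cookies documented as strictly necessary are all constructed examples.

```python
"""Cookie audit helper: classify the cookies a site sets.

The site host, cookie names and Set-Cookie headers below are constructed
for illustration; nothing here is taken from the ICO guidance itself.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie

# Assumed first-party host of the audited website (hypothetical).
SITE_HOST = "shop.example"

# Cookie names the operator has documented as "strictly necessary" for a
# service the user explicitly requested (e.g. a shopping basket).
# Hypothetical; every other cookie is treated as needing consent.
STRICTLY_NECESSARY = frozenset({"sessionid", "basket"})

# Constructed sample data: (host that sent the response, Set-Cookie value).
SAMPLE_RESPONSES = [
    ("shop.example", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("shop.example", "basket=item42; Path=/; Max-Age=3600"),
    ("shop.example", "lang=en; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT"),
    # Analytics cookie: first party, but not strictly necessary on the ICO view.
    ("shop.example", "_ga=GA1.2.1; Domain=.shop.example; Max-Age=63072000"),
    # Cookie set by an advertising host: third party and persistent.
    ("ads.tracker.example", "uid=xyz; Domain=.tracker.example; Max-Age=31536000"),
]


@dataclass
class CookieFinding:
    name: str
    set_by: str          # host whose response carried the Set-Cookie header
    persistent: bool     # True when Expires or Max-Age is present
    third_party: bool    # True when the cookie domain is not the site's own
    needs_consent: bool  # third party, or outside the strictly necessary set


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Good enough for the constructed sample; a real audit should use the
    public suffix list, since suffixes like co.uk break this rule.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str, set_cookie: str, site_host: str = SITE_HOST,
             necessary=STRICTLY_NECESSARY) -> list:
    """Parse one Set-Cookie header and classify every cookie it carries."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    findings = []
    for name, morsel in jar.items():
        # Morsel attributes default to "" when absent from the header.
        persistent = bool(morsel["expires"] or morsel["max-age"])
        cookie_domain = morsel["domain"] or host
        third_party = registrable_domain(cookie_domain) != registrable_domain(site_host)
        needs_consent = third_party or name not in necessary
        findings.append(CookieFinding(name, host, persistent, third_party, needs_consent))
    return findings


def audit(responses, site_host: str = SITE_HOST, necessary=STRICTLY_NECESSARY) -> list:
    """Classify every cookie observed across a set of captured responses."""
    findings = []
    for host, header in responses:
        findings.extend(classify(host, header, site_host, necessary))
    return findings


def consent_required(findings) -> list:
    """Names of cookies that cannot rely on the strictly necessary exception."""
    return sorted(f.name for f in findings if f.needs_consent)


if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES):
        kind = "persistent" if f.persistent else "session"
        party = "third-party" if f.third_party else "first-party"
        print(f"{f.name:10} {kind:10} {party:12} consent needed: {f.needs_consent}")
```

Feeding the helper the Set-Cookie headers captured from a crawl of the real site, rather than the constructed sample, gives the inventory the audit step calls for.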

For further details on the current implementation of the EU cookie consent requirements please contact:

John Casanova at jcasanova@sidley.com or on +44 (0)20 7360 3739, Jens Rinze at jrinze@sidley.com or on +49 69 22 22 1 4020, William Long at wlong@sidley.com or on +44 (0)20 7360 2061, or the Sidley lawyer with whom you usually work.


1 Based on adopted or draft legislation or based on views of Government authorities or national Data Protection Authorities. Some of the information in this update is based on views of local counsel which is likely to change and where Sidley Austin LLP is not admitted.

12 December 2003

New Legal Requirements in Online Marketing

The online environment has led to an increased level of sophistication in marketing activities carried out by businesses. The technology exists for businesses to develop very accurate profiles of the interests and preferences of their users. This information can be exploited to identify potential customers of their products and services. Businesses can then target large numbers of consumers efficiently and cost-effectively in their marketing campaigns.

06 July 2003

EU Regulation of E-Commerce under the E-Commerce Directive

The EU Commission has stated it believes that between 2001 and 2003 the number of people engaged in business online will have trebled and the number of transactions to buy and sell goods and/or services over the Internet will have multiplied by twenty. The UK’s Department of Trade and Industry estimates that the e-commerce industry is worth in excess of £57 billion in the UK alone. One of the difficulties experienced by businesses that wish to conduct e-commerce is the increasing need to know not just about the legal requirements of their own jurisdiction, but also the legal requirements of those jurisdictions where their customers are located. For consumers, one of the biggest hurdles is the continued lack of trust and confidence in the Internet as a means of purchasing goods and services.

13 April 2003

UK Regulation of Online Financial Promotion

This paper will deal with the application of:

  • section 21 of the Financial Services and Markets Act 2000 (the “FSMA”);
  • the Financial Services and Markets Act 2000 (Financial Promotion) Order 2001 (the “Financial Promotion Order”) and amendments thereto; and
  • the financial promotion rules in the Conduct of Business Sourcebook (“COBS”).

This paper is intended to give an overview of the main aspects of the above rules and how they apply to online financial promotions.

View Paper

11 April 2003

Privacy Policies

Most organisations that conduct their business online will collect data relating to individuals at some stage during their operations, whether in relation to customers, target clients, or even their own employees. Personal data can be collected on websites by a variety of means: registration pages, requests for details when goods or services are ordered, competitions and surveys, or by the use of various tracking devices such as cookies. Whenever personal data is collected, the organisation responsible for the use of such data (known as the ‘data controller’) will need to comply with various legal requirements, and may be advised to follow certain good practice guidelines, all of which are designed to protect the privacy of the individual whose data is being collected.
