Roger Tym's comments on the data breach notification rules elicited a number of comments. Would data breach notifications lose their effectiveness if customers receive too many of them? How can a company notify a data protection authority within 24 hours when it may take several weeks to fully understand the nature of a data breach and its potential consequences? Quentin Archer stressed that the new obligations on data controllers will create significant costs for businesses and that it is not clear that the Commission has fully taken into account these additional costs in its impact assessment. A number of large corporations will already have data protection officers and "accountability" procedures in place, but for many businesses, this would be an entirely new concept. Winston Maxwell pointed out that the proposed Regulation would apply to some businesses outside the EU, but the criterion of "offering goods and services" to EU residents seems to be different from "targeting EU users," the standard developed by the European Court of Justice for IP infringement.

If you would like to receive a copy of the February 29 presentation, please contact Quentin Archer, Roger Tym or Winston Maxwell.

•  the Commission's choice of a Regulation as opposed to a Directive,
•  the new obligations that would be imposed on companies including
  • the accountability principle;
  • Privacy by Design; and
  • the obligation to conduct privacy impact assessments (PIA) for certain kinds of processing. 

The article describes:

•  the proposed changes to the rules on applicable law, which are designed to bring certain non-European websites within the scope of European privacy rules;
•  the proposed "right to be forgotten";
• and the right to data portability. 

The original French version of the article, published in Edition Multimedi@, is available here.

A draft bill circulated by Rep. Ed Markey (D-Mass) would require the

One particularly noteworthy element of the Markey bill is the definition of monitoring software that spurs a host of new regulations.

The term monitoring software means software that has the capability automatically to monitor the usage of a mobile telephone or the location of the user and to transmit the information collected to another device or system, whether or not such capability is the primary function of the software or the purpose for which the software is marketed.

This broad definition would encompass a wide array of mobile apps and services available today.

Under the draft Mobile Device Privacy Act, the FTC would have one year to issue regulations requiring carriers and device retailers to disclose at the point of sale in a clear and conspicuous manner the fact that monitoring software is installed, the type of information the software is capable of collecting and transmitting, the identity of parties with which the information will be shared, and how the information will be used.  If the monitoring software is installed after the consumer purchases the device or service, the entity installing the software or providing the software download (e.g., carrier, equipment manufacturer, operating system provider, website operator, or other online service provider) would have to make the disclosure. 

The bill would also require parties to obtain express consent from consumers before the monitoring software begins collecting and transmitting data.

In addition, the bill would impose new information security requirements.  The FTC would have one year to adopt regulations requiring recipients of the monitoring data to establish information security policies and procedures to protect the data.  Parties that enter into agreements to share the monitoring data would have to file those agreements with the FTC and the Federal Communications Commission (FCC).

The Markey bill would also establish joint FTC and FCC enforcement, with the FCC having enforcement authority over commercial mobile service providers, mobile broadband service providers, and mobile telephone manufacturers and the FTC having authority over other parties.  The bill also provides for state attorney general suits and a private right of action.

France's Data Protection Authority, the Commission Nationale de l’Informatique et des Libertés (CNIL) announced on September 23, 2011 that it had found the French provider of universal telephone directory services, “Pages Jaunes,” guilty of violating several provisions of the French data protection law. The CNIL did not fine Pages Jaunes, but published a detailed warning, listing each privacy violation that the CNIL had identified during its investigation of Pages Jaunes’s activities. 

At issue was Pages Jaunes’s web crawler function, which Pages Jaunes has discontinued. The crawler captured information contained in Facebook, Twitter and LinkedIn profiles of persons having the same name as the person being looked up in the directory service. For example, if someone were to look up the telephone number of Pierre Dupont. Pages Jaunes would show Mr. Dupont’s phone number, and would also show information on social media sites relating to persons named Pierre Dupont. The information may include photos, the name of Dupont’s employer, the schools he attended, his geographic location, his profession, etc.

Pages Jaunes argued that the persons whose profiles were copied had been duly informed and consented, because the general terms and conditions of the social media sites indicate that information posted on public profiles may be accessible to search engines. 

The CNIL dismissed this argument. First, a number of the profiles that were being accessed were profiles of minors, and the informed consent of minors for this type of activity cannot be deemed to exist in these circumstances. Second, the reference to “search engines” in the social media sites’ general terms and conditions cannot be deemed to extend to companies whose principal activities are not that of a search engine. The CNIL pointed out that Pages Jaunes is a telephone directory and not a search engine. According to the CNIL, if the terms of use of the social media sites expressly mentioned that data in public profiles could be re-used by Pages Jaunes, that might constitute sufficient information and consent to allow Pages Jaunes to extract data from those sites. The CNIL pointed out that Pages Jaunes had entered into an agreement with one social media site called Trombi pursuant to which Trombi expressly mentioned on its site that data could be accessed and used by Pages Jaunes. For the major social media sites, however, no such agreement with Pages Jaunes existed. 

The CNIL also found that Pages Jaunes had breached its obligation to ensure that only accurate and updated data are processed. According to the CNIL, the profile data that was presented by Pages Jaunes was in many cases outdated by 4 to 12 months.

Pages Jaunes argued that it provided data subjects with the ability, on the Pages Jaunes website, to ask that their profile data not be accessed by Pages Jaunes, but the CNIL found that the procedures put in place by Pages Jaunes were too burdensome. A person must fill out a form and submit to Pages Jaunes proof of his or her identity for each social media site that the person wants to block. The CNIL also criticized Pages Jaunes for keeping logs of IP addresses and the time and date of queries made on the Pages Jaunes site. According to the CNIL, the retention of these data is excessive and not required under French law because Pages Jaunes is neither a telecommunications operator nor a hosting provider. Finally, the CNIL found that Pages Jaunes had violated its obligations with respect to the telephone directory data that it processes, because Pages Jaunes used that data to help refine the results of the social media profile searches. Under French law, universal directory providers are prohibited from using telephone directory data for any purpose other than providing a universal directory service. Pages Jaunes’s use of these data exceeded the scope permitted under French law.

The CNIL’s decision is a useful analysis of issues that are arising when collecting data publicly available on social media sites.

On August 26th,  France published a Presidential Order (Ordonnance) that implements the November 25, 2009 package of EU telecoms directives. The Ordonnance contains measures on data breach notifications, data security audits and cookies. These measures are  limited to providers of electronic communications services and therefore are not, for the time being, applicable to all data controllers.

Data Security Breaches.    All providers of public electronic communications services are required immediately to inform the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL) of any data security breach.  A data security breach is defined as "any security breach that results accidentally or in an illicit manner in the destruction, loss, alteration, disclosure or unauthorized access to personal data which is processed in the context of the supply to the public of electronic communications services." The Ordonnance does not contain any materiality threshold. Consequently each and every breach, no matter how small, must be reported to the CNIL. Every provider of public electronic communications services must also keep a journal of data breaches, indicating the details of the breach, its effect and the remedial measures taken. The journal must be shown to the CNIL on request. 

Notification to data subjects: if the data breach "can adversely affect the personal data or privacy of a subscriber or other individual, the operator must also immediately inform the interested party." However, this notification requirement can be waived if the CNIL finds that "appropriate protection measures were taken by the provider to ensure that the data are incomprehensible to any unauthorized person and such measures were applied to the data concerned by the breach." The Ordonnance contains no materiality threshold here either. Yet the Ordonnance states that the CNIL can, "after examining the seriousness of the breach, order the provider also to inform the interested party." This provision suggests that there may in fact be a "seriousness" threshold after all in connection with notifications to data subjects, but that the decision would be the CNIL's and will certainly depend on the reactivity and containment measures demonstrated by the service provider.

Sanctions: The criminal sanction for failing to notify data breaches is up to 5 years in prison and three hundred thousand euro (300,000 €) fine. The sanction is in line with other criminal sanctions for failure to comply with French data protection legislation. With regards to the fine, it should be noted that the maximum sanction for companies is multiplied by five (5), thus bringing the maximum sanction to up to one and a half million euro (1,500,000 €).  

Security Audits. The Ordonnance empowers the French government to order security audits of any operator's networks, systems and services. The operator must bear the cost of the audit, and must give the government approved auditors access to all relevant equipment and to the operator's "documents relating to its security policy." A future decree will be adopted to provide details on these requirements. However, one takeaway from this new provision is that operators should probably conduct preventive data and network security audits and make sure their security policies are up to date and applied.

Cookies. Implementing the revised ePrivacy Directive, the Ordonnance provides that users of electronic communications services must not only receive clear information about the use of cookies and tools available to block them (this was already a requirement under French law), but also that users give their consent before the cookies or similar measures are implemented. The Ordonnance states that "the consent can result from appropriate parameters in [the user's or subscriber's] connection system or any other system under [the user's or subscriber's] control." This suggests that browser settings might constitute sufficient prior consent, although the recent Article 29 Working Party opinion on consent (Opinion 15/2011) appears to take a different view.

As before, an exception exists for cookies that are designed to facilitate the communication, or that are strictly necessary for the provision of the Internet application or service requested by the user.

• By a financial institution to communicate with or service the financial institution's customers
• By the financial institution's employees in their personal or professional capacities
• By the financial institution's employees or contractors outside the office

The guidance thus addresses sector-specific regulatory requirements, such as Gramm-Leach-Bliley Act compliance and FINRA rules applicable to securities firms.  It also addresses concerns that are relevant to financial institutions as employers, such as bank employees' personal use of social media.

The BITS report is particularly significant because it responds to a need for guidance in an industry that is increasingly using social media, but still lacks clear rules from regulators regarding such activities.  While FINRA has issued guidance on use of social media by firms subject to FINRA's oversight, the federal banking agencies have not , to date, issued detailed guidance to the banking industry on banking compliance issues raised by use of social media.  

Also, while targeted at the financial services sector, the report also has relevance to many other types of users of social media.  It gives guidance, for instance, on coordinating a company's social media policies with its other policies, and performing a risk assessment to determine the risks a company's social media activities could pose.

The European Union's Article 29 Working Party published on April 11, 2011 an opinion on smart metering, recommending Privacy by Design, data minimization, and consumer interface options that give customers increased control over their data and privacy settings.

The opinion indicates that most data collected by smart meters will be considered "personal data" under the Data Protection Directive because the data will be associated with a unique identifier such as a meter identification number, which in turn can be linked to a living individual. The opinion states that the "data controller" will in most cases be the energy supplier, but that the grid operator may also be controller, as may be the third party service provider (so-called Energy Service Companies, or ESCOs). As mentioned in the Art 29 WP's opinion 1/2010 on data controllers and processors, it is not infrequent for there to be more than one controller.

Data collected by smart meters may be processed based on consent, but the opinion warns that consent must be made on a "fully-informed" basis. The Art 29 WP recommends that the household control panel for smart meters include a push button consent option to help consumers exercise their consent options, and change the options over time. 

The opinion goes into considerable detail on some issues, commenting for example that a smart meter with a small, text only, user interface would provide consumers with insufficient access to their own data, in particular to load graphs.  The opinion also describes how the collection of data from the smart meter should be minimized, for example by keeping load graph data within the smart meter until the data actually needed by the energy supplier.  Many of the recommendations resemble existing practices in the telecoms industry for the handling of traffic data and location data.  For example, smart meter data should be deleted as soon as they are no longer needed. Controllers should develop written policies on data retention and evaluate each purpose for which smart data are needed and ensure that only the minimum data necessary for that purpose are retained, while other data are deleted. For example, some customers may request historic year-to-year consumption comparisons. For those customers, and those customers only, the controller may retain historic consumption data.

The opinion strongly recommends the implementation of Privacy by Design, including privacy impact assessments, security and privacy audits.

See the authors' previous blog entry on smart meters and privacy on design.

On 18 October 2010 the Constitutional and Mainland Affairs Bureau (the "CMAB") published a consultation paper which summarises the responses to the consultation of the review of the Ordinance undertaken last year and puts forward the current proposals for reform. The CMAB has proposed 37 amendments to the Ordinance and the public are invited to comment on the proposals until 31 December 2010.

The Octopus case

As outlined previously in this blog, Octopus Holdings Ltd. and its related companies including Octopus Rewards Limited (collectively referred to as "Octopus") operate the Octopus card, which is an electronic stored-value payment card used by Hong Kong residents for public transport, fast-food restaurants, parking, convenience stores and supermarkets.

The Privacy Commissioner's investigation was focussed on the use and collection of personal data in relation to a rewards program that is linked to the Octopus card, whereby card holders may earn reward cash every time they make purchases with their Octopus cards at selected business partners ("Rewards Program"). Card holders must register with Octopus in order to take advantage of the Rewards Program and were requested to supply a broad range of personal information on the registration form (some of which was required for the application to proceed).

Octopus provided the personal information of almost 2 million card holders to six business partners for direct-marketing over nearly eight years, earning the company HK$44 million in revenue.

Findings of the Privacy Commissioner

On 18 October 2010, the Privacy Commissioner issued his final determination on the matter. In his report, the Privacy Commissioner found that as the personal data was collected in connection with a rewards program whereby customers benefit from redemption of goods and services in addition to direct marketing offers, the purposes of collection of personal data under the Rewards Program was lawful. However, the Privacy Commissioner found that Octopus had breached two of the six Data Protection Principles set out in the Ordinance.

Data Protection Principle 1 ("DPP1") relates to the purpose and manner of collection of personal data and clearly states that data should only be collected if it is necessary and not excessive for a lawful purpose directly related to the activity of the data user. DPP1 also requires that where personal data is collected from the data subject, he or she should be informed of: (i) the purpose of collection; (ii) the classes of persons to whom the data may be transferred; (iii) the right to, and practicalities of, access to the data; (iv) whether it is obligatory to supply the data; and (v) if so, the consequences of not doing so.

The Privacy Commissioner found that while the data was collected by Octopus for a lawful purpose, the collection of data such as Hong Kong identity card number, passport number, birth certificate number as well as month and year or birth was excessive for the purpose of customer identification. It was found that Octopus could have conducted customer authentication using less intrusive data (e.g. name, telephone numbers and home address) and accordingly Octopus was held to have contravened DPP1.

Further, the Privacy Commissioner found that Octopus did not take all reasonable steps to inform its customers of the classes of persons to whom the personal data may be transferred (thereby contravening DPP1). This was partly attributable to the fact that classes of transferees were referred to in vague terms such as "any person who is under a duty of confidentiality to us", and partly because the Personal Information Collection Statement ("PICS") was printed in unreasonably small font.

The Privacy Commissioner also held that Octopus contravened Data Protection Principle 3 ("DPP3"). DPP3 relates to the use of personal data and requires that personal data should only be used for a purpose directly related to the purpose for which it was collected, unless the data subject expressly consents to another use. DPP3 was breached because customers' personal data was shared with business partners for monetary gain without the consent of Octopus's customers, as the sale of personal data was not stated as a purpose of data collection in the PICS published by Octopus in relation to the Rewards Program. The sale of personal data is not prohibited by the Ordinance as such and can be a legitimate purpose for which data is collected but this has to be made clear at the time the data is collected. In the present case the Privacy Commissioner held that the "sale of data" may not be considered to be the purpose of the data collection (or a directly related purpose). Therefore Octopus was found to be in breach of DPP3.

A further interesting finding as a result of the investigation was that Octopus Holding was held liable for the acts of its subsidiary Octopus Rewards which is the Octopus entity that operated the Rewards Program.

Under the Ordinance as it currently stands, a breach of a data protection principle is not an offence and the only action the Privacy Commissioner may take is to serve an enforcement notice on a party that is found to be contravening the Ordinance. Only in the event that a party contravenes an enforcement notice will they be penalised. The Privacy Commissioner however found that it could not issue an enforcement notice as Octopus had ceased or suspended all arrangements with business partners to sell customers' personal data and had undertaken to implement various changes to its practices in relation to the collection and use of personal data, in order to comply with the requirements of the Ordinance.

Proposals for reform

As we reported previously in this blog, the CMAB published the Consultation Document on the Review of the Personal Data (Privacy) Ordinance (the "Consultation Document") on 28 August 2009, and received public comments on the proposed amendments until 30 November 2009. 

The CMAB published the Report on Public Consultation on Review of the Personal Data (Privacy) Ordinance (the "Report on Public Consultation") on 18 October 2010 and the public are invited to provide comments on the proposed amendments until 31 December 2010. The Report revealed that the Government has adopted 37 of the 55 amendments proposed in the initial Consultation Document, including amendments relating to direct marketing, data security, statutory powers and functions of the Privacy Commissioner, offences and sanctions and rights of data subjects.

As a result of the Octopus case, a number of further amendments have been proposed specifically dealing with the transfer of personal data for direct marketing purposes, requiring a data user to communicate a clear Personal information Collection Statement outlining its intent to use the personal information for direct marketing and clearly identifying the class of transferees and the kinds of data to be transferred, as well as requiring the data user to provide an opt-out function for people who do not wish their personal information to be used for direct marketing. A further amendment is proposed which would make it an offence if a data user failed to comply with the requirements of the Ordinance in relation to direct marketing and subsequently used the personal information for direct marketing.

Guidance Note

On the same day the final report came out, the Privacy Commissioner issued a guidance note entitled "Guidance on the Collection and Use of Personal Data in Direct Marketing ("Guidance Note"). The Guidance Note is designed to provide practical guidance on direct marketing.

The Guidance note replaces the Fact Sheet on "Guidelines on Cold-Calling" and the Guidance Note on "Cross-Marketing Activities" previously published by the Privacy Commissioner. The Guidance Note covers a number of issues which have been included in the latest round of proposed amendments to the Ordinance but also provides guidance on compliance with the Ordinance as it currently stands. It is expected that the Privacy Commissioner will either revise the Guidance Note or replace it with a new Code of Practice, if and when the proposed amendments are adopted.

The Guidance Note sets out, among other things, the following requirements:

• Collection of personal data for direct marketing should be related to the original purpose of data collection
• Personal data should not be excessively collected (name and contact details should generally be sufficient for the purposes of direct marketing)
• Collection of additional personal data for direct marketing should be voluntary (and the data subject should be informed of the voluntary nature of collection)
• Personal data should not be collected using deceptive/misleading means (e.g. bundled consent)
• The PICS should be effectively communicated to the data subject (taking into account layout, presentation, language etc.)
• The purpose of use of personal data and the classes of transferees should be clearly defined using specific terms. Terms such as "such other purposes as the Company may from time to time prescribe" should not be relied upon to cover direct marketing as a purpose of collection. Similarly, terms such as "such other agents as the Company may from time to time appoint" or "all business partners" should not be used when defining the classes of transferees.

The Guidance Note also contains recommendations relating to the use of personal data from public registers; managing and maintaining opt-out requests; direct marketing activities conducted by agents, contractors and business partners; and the sale of personal data to third parties for direct marketing purposes.

The Octopus case has exposed dubious and lax practices in relation to data protection adopted by many companies in Hong Kong. In response to a request from the Privacy Commissioner, the financial regulator, the Hong Kong Monetary Authority, has issued three circulars between 12 August 2010 and 25 October 2010. The circulars restate recommendations made by the Privacy Commissioner in relation to the collection and use of personal data, in the wake of the Octopus case. HKMA has requested that all approved financial institutions in Hong Kong undertake reviews of their privacy policies and that they suspend all transfer of data to unconnected third parties for marketing purposes, until legal advice on this is sought and discussed with and approved by the authorities.

So where to now? The Ordinance is set for a review, and for now all data users in Hong Kong are advised to revamp their personal data polices and take heed of the advice provided in the Guidance Note if they use such data for direct marketing.

Gabriela Kennedy (Partner) (gabriela.kennedy@hoganlovells.com) and Heidi Gleeson (Registered Foreign Lawyer), Hogan Lovells, Hong Kong.