Privacy & cookies
The Reference CRM inspiration day 2013
Bart Van den Brande
Attorney – partner, Sirius Legal advocaten
www.siriuslegal.be
@BartVdBrande
Short update on privacy
Current Situation
Current privacy directive (including Belgian privacy law of 1992 based on that directive) is no longer effective
No unified rules between member states
Lack of control over big players (among others, Ireland has very liberal rules)
Basic principle of server location or company location is no longer relevant in cloud computing era
Potential loss of business due to ineffective legal system: 2,3 billion euro/year according to EU
Short update on privacy
Basic principles of Belgian privacy law of 8 December 1992
There is no general “right to privacy”
Definition of personal data is very broad
Prior opt-in required for all data collecting and processing
“Free and informed” opt-in
Separate opt-in for data transfer to third party
Opt-in must be requested by the “data controller” (as opposed to the “data processor”)
Declaration at privacy commission required in most cases
(online at www.privacycommission.be, cost is 25 euro)
Limited exceptions (if processing is unavoidably needed)
Short update on privacy
Basic principles of Belgian privacy law of 8 December 1992
Individual’s rights
Right to refuse
Right to access and correct
Right to oppose to future processing
Right to be informed (through privacy policy)
Short update on privacy
Proposal of new EU regulation
Regulation ≠ directive: uniform rules throughout the entire EU
Work in progress since 2012
First draft text released in May 2013
Currently being amended and voted by committees
LIBE Committee voted on 21 October 2013 (civil liberties, justice and home affairs)
Next steps: agreement of the Council of Ministers and the Commission is sought
If no agreement, Plenary vote in EU Parliament in April 2014 (?)
Short update on privacy
Main objectives
One stop shop throughout EU
Greater harmonization
Strengthening individual rights
Less administrative burden
More effective enforcement of rules
Short update on privacy
Main principles
Applicable to anyone offering services on the EU territory (LIBE: “even free services”)
Personal data = any data allowing identification, including online identifiers, “pseudonymous data”
Consent has to be given explicitly (LIBE: “purpose limited”)
Extended information obligation (LIBE: use of standard icons)
Short update on privacy
Main principles
Obligation to notify data subjects and authorities of data breach (LIBE: “without undue delay”)
“Data protection by design” and “data protection impact assessment”
“Data protection officer” if more than 250 employees, with obligation to document processes (LIBE: “or more than 5000 data subjects processed over the last 12 months”)
Cross border data transfer: current system to remain in force for 5 more years
Sanctions: LIBE: up to 5% of annual sales or 100 million
Short update on privacy
Main principles
Right of erasure
Right of data portability
Prohibition against profiling
Article 29 Working party (advisory body) replaced by European Data Protection Board (official body)
Short update on privacy
Practical tips (if nothing changes)
Stay up to date with regulation drafts
Review notice forms, consent forms, privacy policies, data controller/data processor contracts
Implement data breach notification readiness
Implement data processing documentation system
Data protection by design and data protection by default
Conduct data processing impact assessment
Pseudonymize/anonymize/encrypt data where possible to escape the stringent rules
Secure personal data adequately
One last time: the truth about cookies
Again with the cookies?
Tools like Kméléo:
Remarketing/OBA tools
Do not use cookies
Read out the user's browser history just before page landing
Display advertisements based on that browser history
Claim not to use personal data
Claim to escape cookie regulations
One last time: the truth about cookies
So yes, one last time, again with the cookies
A bit of background
What are cookies?
A cookie is a small amount of data generated by a website and saved on your computer by your web browser.
Its purpose is to remember information about you, similar to a preference file created by a software application.
Why all the fuss about cookies?
In one word: privacy…
A bit of background
What are cookies?
First-party cookies (placed by the website) vs. third-party cookies (placed by Google Analytics or ad brokers)
Functional cookies (log-in, registration, language) vs. non-functional cookies (statistics, remarketing, OBA)
Permanent cookies (remain present) vs. session cookies (erased after the surfing session)
A bit of background
The legal small print
EU e-privacy directive 2002/58/EC
Obligation for member states to adapt national law before end 2012
Belgium: new article 129 in Telecom law since October 2012
A bit of background
The legal small print
“The storage of information, or the gaining of access to information already stored in the terminal equipment of a subscriber or user, is only permitted on condition that:
1° the subscriber or user concerned, in accordance with the conditions laid down in the law of 8 December 1992 on the protection of privacy in relation to the processing of personal data, receives clear and precise information about the purposes of the processing and about his rights under the law of 8 December 1992;
2° the subscriber or end user has given his consent after having been informed in accordance with the provisions of 1°.
The first paragraph does not apply to the technical storage of information, or access to information stored in the terminal equipment of a subscriber or end user, for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or of providing a service explicitly requested by the subscriber or end user, where this is strictly necessary for that purpose. Consent within the meaning of the first paragraph, or the application of the second paragraph, does not exempt the controller from those obligations of the law of 8 December 1992 on the protection of privacy in relation to the processing of personal data that are not imposed in this article.
The controller offers subscribers or end users, free of charge, a simple way to withdraw the consent given.”
A bit of background
The legal small print
Belgian law does not contain any further details on
How to warn and inform
How to obtain opt-in
How to enable opt-out
Who is responsible
Law is vague, unclear and leaves room for interpretation
Entire sector is waiting for clear guidelines from Privacy Commission or BIPT/IBPT
A bit of background
The legal small print
Meanwhile
EU standpoint is clear (directive + declarations commissioners Kroes and Reding)
“Working Party 29” standpoint is clear (Belgian Privacy Commission is part of WP29)
Neighbouring countries regulations are clear
What does this mean for you?
By deduction:
Functional first party cookies (language, shopping cart, settings, password, technical):
No need to obtain opt-in, but obligation to inform (e.g. in privacy policy)
Non-functional cookies or third party cookies (remarketing and OBA, Google Analytics, …):
Obligation to inform prior to placing cookies
Obligation to obtain explicit opt-in prior to placing cookies
Possibility to opt-out in future
What does this mean for you?
So, by deduction:
Opt-in has to be
Free of obligation (i.e. the website can be visited even without opt-in)
Explicit (requires active intervention of the visitor)
Informed (requires prior information of visitor)
Given before any cookie is installed
Revocable
What does this mean for you?
So, by deduction:
From a practical point of view
Information on use of cookies, type of cookies used, aim of cookies (in privacy policy)
Clear warning upon first visit + link to information
Clear free choice for visitor to opt-in or not (possibility of layered approach)
Clear information about opt-out possibility (in privacy policy)
What does this mean for you?
So, by deduction:
Pop-up?
Splash screen?
Warning in banner or footer?
“Implicit opt-in”?
All seem acceptable as long as active decision by visitor is required and free choice is guaranteed (this excludes “by visiting this website you accept…”)
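Added example, not from the slides and not Sirius Legal's code: a minimal consent gate in JavaScript that applies the rules above. Functional first-party cookies are placed with information only; every non-functional or third-party cookie is blocked until the visitor actively opts in; consent can be revoked, which also removes the cookies that depended on it; a cookie without Max-Age is a session cookie, one with Max-Age is permanent. The site www.example.be, the cookie names and values, the ad-broker domain and the "third-party" consent key are constructed for this example, and a Map stands in for the browser's cookie store so the code runs in Node without a DOM.

```javascript
// Constructed example: consent gate for the cookie rules in the slides.
// Categories are an assumption of this example; the slides only name the
// functional / non-functional split.
const CATEGORY = Object.freeze({
  FUNCTIONAL: "functional", // language, shopping cart, login session, settings
  ANALYTICS: "analytics",   // statistics cookies
  MARKETING: "marketing",   // remarketing / OBA cookies
});

// A cookie is third party when its Domain attribute is neither the site host
// nor a parent domain of it (".example.be" is still first party on www.example.be).
function isThirdParty(cookieDomain, siteHost) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = siteHost.toLowerCase();
  return h !== d && !h.endsWith("." + d);
}

// null: no opt-in needed (functional, first party), only information.
// Otherwise the consent key the visitor must have granted beforehand.
// Third-party functional cookies get their own key, an assumption made here.
function requiredConsent(cookie, siteHost) {
  const functional = cookie.category === CATEGORY.FUNCTIONAL;
  if (isThirdParty(cookie.domain, siteHost)) return functional ? "third-party" : cookie.category;
  return functional ? null : cookie.category;
}

// Renders a Set-Cookie header line. No Max-Age means a session cookie
// (erased after the surfing session); Max-Age makes it a permanent cookie.
function setCookieHeader(cookie) {
  const parts = [`${cookie.name}=${encodeURIComponent(cookie.value)}`,
                 `Domain=${cookie.domain}`, "Path=/", "Secure", "SameSite=Lax"];
  if (cookie.httpOnly) parts.push("HttpOnly");
  if (cookie.maxAge !== undefined) parts.push(`Max-Age=${cookie.maxAge}`);
  return parts.join("; ");
}

class ConsentGate {
  constructor(siteHost) {
    this.siteHost = siteHost;
    this.granted = new Set(); // consent keys the visitor actively opted in to
    this.jar = new Map();     // name -> cookie, stands in for the browser store
    this.blocked = [];        // audit trail of cookies refused for lack of consent
  }
  // Explicit opt-in: called only after an active choice, never on page load.
  grant(keys) { for (const k of keys) this.granted.add(k); }
  // Revocation drops all consent and deletes every cookie that depended on it.
  revoke() {
    for (const [name, c] of [...this.jar]) {
      if (requiredConsent(c, this.siteHost) !== null) this.jar.delete(name);
    }
    this.granted.clear();
  }
  // Try to place a cookie: returns the header when allowed, null when blocked.
  set(cookie) {
    const key = requiredConsent(cookie, this.siteHost);
    if (key !== null && !this.granted.has(key)) {
      this.blocked.push({ name: cookie.name, needs: key });
      return null;
    }
    this.jar.set(cookie.name, cookie);
    return setCookieHeader(cookie);
  }
  names() { return [...this.jar.keys()].sort(); }
}

// Constructed sample cookies for the fictional site www.example.be.
const SAMPLE = [
  { name: "lang", value: "nl", domain: ".example.be", category: CATEGORY.FUNCTIONAL, maxAge: 31536000 },
  { name: "sid", value: "abc123", domain: "www.example.be", category: CATEGORY.FUNCTIONAL, httpOnly: true },
  { name: "_ga", value: "GA1.2.1", domain: ".example.be", category: CATEGORY.ANALYTICS, maxAge: 63072000 },
  { name: "ads_id", value: "x9", domain: "adbroker.example", category: CATEGORY.MARKETING, maxAge: 2592000 },
];

// First visit without consent, then opt-in to analytics only, then revocation.
function demo() {
  const gate = new ConsentGate("www.example.be");
  const firstVisit = SAMPLE.map((c) => gate.set(c) !== null);
  gate.grant(["analytics"]);
  const afterOptIn = SAMPLE.map((c) => gate.set(c) !== null);
  const namesAfterOptIn = gate.names();
  gate.revoke();
  return { firstVisit, afterOptIn, namesAfterOptIn, afterRevoke: gate.names(), blocked: gate.blocked.length };
}

console.log(demo());
```

On the first visit only `lang` and `sid` are placed, so the site keeps working without opt-in (the free-choice requirement); `_ga` appears only after the analytics opt-in and disappears again on revocation, while the third-party marketing cookie stays blocked throughout. The same gate belongs in front of any script that reads data from the visitor's device, since the slides' reading of article 129 makes that access subject to the same prior consent as placing a cookie.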
What does this mean for you?
Oh, and also:
If a cookie is used to store and/or process personal data, prior opt-in under privacy law is required on top of the cookie warning, and privacy law applies…
This means
Declaration at privacy commission
Right to access, correct and oppose
Obligation of information through privacy policy
No transfer of data outside EU, unless under very strict conditions
Warning: almost all data is personal data, including IP address, browser history, any data that might allow someone to be identified directly or indirectly
What does this mean for you?
Consequences of cookie law
Not very effective
Disturbing for visitor
Loss of traffic and/or data for websites
What does this mean for you?
Consequences of cookie law
Trying to escape cookie law obligations
Alternative solutions sought
Browser fingerprinting (Kméléo and others)
Web beacons
What does this mean for you?
Browser fingerprinting
Does not use cookies
Reads out the user's browser history just before page landing
Displays advertisements based on that browser history
Claims not to use personal data
Claims to escape cookie regulations
What does this mean for you?
Browser fingerprinting
Unfortunately, article 129 Telecom law is quite clear: “The storage of information, or the gaining of access to information already stored in the terminal equipment of a subscriber or user…”
As is Working Party 29’s opinion 1/2008 (doc 00737/NL WP 148), which confirms that browser history data should be considered personal data under privacy law
What does this mean for you?
Browser fingerprinting
Consequently, even if no cookie is placed, as soon as data from a visitor’s computer is in any way collected, accessed or analysed, prior consent is required.
This includes browser fingerprinting, web beacons, plugins, …
What does this mean for you?
And what if I do not comply?
What does this mean for you?
International context
As many laws as there are member states
All differ slightly, definitions vary, opt-in requirements vary, …
Problem: as soon as you target an audience in one member state, the local authorities will claim to be competent (e.g. local extension, local language, local content, …)
The consequence seems to be that you need to comply with the most stringent legal systems
What does this mean for you?
International context
Working Party 29 advice of October 2013:
Basis for pan-European cookie requirements
Careful: this is only advice
Working Party 29 advice of October 2013:
Opt-in should concern only cookies (not combined with privacy or direct marketing)
Opt-in should occur prior to placing or activating the cookie
Opt-in requires an active decision (which may show through a decision to continue visiting the website)
Opt-in should be free and may be layered
Visiting the website has to be possible without opt-in (although this seems to exclude “by visiting you accept…”?)
Explicit warning from WP29 for tracking cookies: if personal data is collected, prior and separate opt-in for data processing is required
Specific questions? Need quick advice? www.campaignchecker.be
Sirius Legal Campaign Checker service
Specific service for (digital) agencies, advertisers, sweepstake organizers, website owners, …
Quick legal check of campaign, campaign site, landing page, …
Pragmatic and usable advice
Online available
First contact within 1 hour
Advice within 24 hours
Fixed price: 300 euro
All questions concerning:
copyright
trademarks
Comparative advertising
Consumer protection rules
Contests, sweepstakes, lotteries
Privacy and cookies
Direct marketing actions and member-get-member actions
Actions via social media, respect for Facebook rules and guidelines, …
Viral actions
Need more elaborate help for your website? www.websitecertifier.be
Sirius Legal Website Certifier service
Extensive legal check of websites and webshops
Full analysis of website set-up, legal documents and disclaimers, legal mentions, communication towards visitor/consumer
Analysis document
Changes to legal texts where needed or draft of general terms, disclaimer, privacy policy and cookie policy
2 languages NL/FR or NL/UK included
Fixed price: 650 euro
First contact within 1 hour
Full report within 5 business days
Check includes
Obligatory mentions for all websites
Privacy law and cookies for all websites
Respect for market practices and consumer protection in e-commerce (pricing, delivery, 14-day cooling-off period, sales) – comparative and misleading advertising and information of consumers
Set up of your sales process in e-commerce
Content of your general terms of sale or use in e-commerce, auction sites, discussion forums