Tag Archive: enforcement

EUROPE: ECJ – Dynamic IP addresses may constitute personal data

By Jan Pohle and Jan Spittka

In its landmark decision in the case Breyer v. Federal Republic of Germany (decision dated 19 October 2016, case number C-582/14), the European Court of Justice (ECJ) not only ended the long and tricky debate as to whether dynamic IP addresses constitute personal data even if the data controller processing the IP addresses does not itself hold the means to link them to the respective data subject. The court also came to the conclusion that the provisions of German law dealing with the processing of personal data in the online environment do not comply with the EU Data Protection Directive (Directive 95/46/EC), as these provisions do not provide for a statutory permission to process personal data based on a balancing of interests between the legitimate interests of the data controller and the interests of the data subjects.


Background

The case was referred to the ECJ by the German Federal Court of Justice (Bundesgerichtshof – “BGH“). The claimant, Mr. Breyer, had sued the German Federal Ministry of Justice and Consumer Protection (Bundesministerium für Justiz und Verbraucherschutz – “BMJV“), seeking an order that it cease and desist from registering and storing his dynamic IP address after he visited the BMJV’s websites. The BMJV argued that IP addresses have to be retained after the end of the visit to the website in order to protect itself against cyberattacks. The BGH asked the ECJ whether dynamic IP addresses constitute personal data with respect to an “online media service provider” (i.e. the operator of a website) if only a third party (here the internet service provider) holds the additional data necessary to identify a visitor to this website. Furthermore, the BGH asked whether the operator of a website may collect and subsequently use visitors’ personal data in order to ensure the general operability of its website.

Ruling of the ECJ

The ECJ decided that a dynamic IP address constitutes personal data not only with respect to the internet service provider (which in any case has the means to link the IP address to the individual behind it), but also with respect to the operator of a website, if this website operator has legal means to identify the visitor with the help of additional information from the visitor’s internet service provider. The ECJ confirmed this with respect to German law. Although the operator of a website does not have any direct claim against an internet service provider to disclose the name of the individual behind an IP address, the court found it sufficient that the website operator can obtain the information required to identify the visitor from the internet service provider via a competent authority which requests the information in order to prepare criminal proceedings, e.g. in the event of cyberattacks. As a consequence, the processing of IP addresses by website operators is subject to, and has to comply with, the applicable member state data protection requirements. Beyond this specific case, the ECJ has provided sufficient tools to determine whether information constitutes personal data where the information cannot be linked directly to an individual, but only by using additional information held by a third party. According to the ECJ, this is not the case if the identification of the data subject is

  •  prohibited by law or
  •  practically impossible on account of the fact that it requires a disproportionate effort in terms of time, cost and man-power, so that the risk of identification appears in reality to be insignificant.

The classification of dynamic IP addresses as personal data required the ECJ to take a closer look at the German data protection rules dealing with the processing of personal data in the online environment. Currently applicable law allows the processing of personal data without the data subject’s consent only in specific, exhaustively listed cases. A general provision which allows for a balancing of interests in the particular case is not included. According to the ECJ, this lack of a statutory permission is not compliant with Article 7 lit. f) of the Data Protection Directive. This finding also has a fundamental impact going beyond the case at hand, as all member state data protection laws now have to be reviewed to determine whether they allow for a balancing of interests, at least in individual cases.

Conclusion

The decision of the ECJ forces all operators of websites, irrespective of whether they are public authorities or private businesses, to review the collection, processing and use of IP addresses in connection with their websites. However, the ECJ has also strengthened IT security, as it pointed out that member state law has to provide for the possibility to process personal data without consent for cybersecurity purposes.

Jan Spittka and Jan Pohle

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/ecj-dynamic-ip-addresses-constitute-personal-data-and-german-law-not-compliant-with-data-protection-directive-by-jan-spittka-and-jan-pohle/

UK – GOVERNMENT REPORT RECOMMENDS STRONGER POWERS FOR THE ICO

Background


On 17 June 2016 the House of Commons Select Committee for Culture, Media and Sport (“The Committee”) published its report on the inquiry into the current state of cyber security and protection of personal data. The inquiry was triggered by a cyber attack on 21 October 2015 which compromised the data of TalkTalk customers. TalkTalk is a UK-based telecommunications provider.


The Committee considered the problem of the increasing size and frequency of cyber-attacks upon personal data. The report recognised the limits of the current powers of the Information Commissioner’s Office (“ICO”), the UK’s personal data regulator, and made a number of recommendations concerning how the ICO could become more proactive in dealing with attacks.


ICO’s Current Powers

Under UK law, the ICO helps companies comply with UK data protection law in a number of ways, including:

  •  by ensuring the proper collection, use and storage of personal information;
  •  by enforcing the Privacy and Electronic Communications Regulations in respect of electronic marketing;
  •  by maintaining a register of companies processing personal data as “data controllers”; and
  •  by helping public bodies to correctly apply various Freedom of Information and Environmental Information laws, regulations and codes.

In order to achieve these aims there is a range of powers available to the ICO, including the ability to bring criminal proceedings, take non-criminal enforcement action, conduct consensual audits, impose fines (up to a maximum of £500,000), and make assessments of good practice. Despite the powers available to the ICO, the current volume of attacks suggests that the body needs reforming to better address cyber security concerns.


Report Recommendations

The Committee recognised the limits to the powers of the ICO and made a number of recommendations for improvement. These focus on early prevention, increasing consumer awareness of privacy protection, and increased capability to provide deterrence through more serious repercussions where a breach occurs.

In order to facilitate prevention of attacks the Committee recommended that the ICO be enabled to undertake non-consensual audits of companies, particularly in the health and local government sectors. It also recommended annual reports on the preventative measures that a company is taking. The combination of these should help to keep the ICO informed as to whether or not there are issues of compliance with data protection regulation and enable a more proactive approach to data protection.

The Committee also proposed that the ICO needs more powers to increase customer awareness of their data protection rights. The report recommended imposing fines where a company does not offer adequate guidance to customers on how to verify the authenticity of communications. Under the Committee’s plans, this would be complemented by the proposed ‘privacy seal’ which would work on a traffic light system, demonstrating to consumers that a company follows high compliance standards, is making progress towards this, or is “yet to have taken the issue seriously.” These recommendations should help the ICO to ensure that consumers are able to make informed decisions on whether or not a company demonstrates “good privacy practice” in handling their personal data.

Finally, where an attack has already taken place, it was recommended that the ICO be able to access a broader range of remedies, such as custodial sentences, by bringing into force sections 77 and 78 of the Criminal Justice and Immigration Act 2008. This would discourage individuals from disregarding the proper handling of data by treating it as “merely” a corporate compliance obligation. The Committee also recommended introducing fines for failure to report breaches which would increase dependent upon the time taken to report an incident, thereby incentivising early reporting.


Implications of the GDPR

The Committee made a number of recommendations which overlap with the changes that will come into force in 2018 through the EU-wide General Data Protection Regulation (“GDPR“).

The GDPR will increase the powers of the ICO in a number of ways. Companies that commit serious infringements will be liable to pay fines of up to 4% of global annual turnover or €20 million, whichever is the greater amount. The regulation will also introduce mandatory reporting of personal data breaches within a 72-hour timeframe of the breach taking place. Finally, the GDPR will empower the ICO to place greater emphasis on ensuring the transparent handling of personal data by companies, and on the importance of having clear, easily digestible but also comprehensive privacy notices, which tell individuals how their personal data is used and what rights they have under the GDPR.

The Committee report acknowledged that the GDPR will “help focus attention on data protection” but sought to make its own recommendations to complement these and increase the ICO’s powers further.


Conclusion

The direction of travel indicated by both the Committee’s report and the changes in EU legislation is clear. We are moving towards a world where personal data handling is treated with the utmost seriousness by regulators. Those regulators will have a mandate to ensure that individuals are provided with clear, upfront information about how their data is looked after, and that strong redress is taken when things go wrong. It is the companies who take a proactive approach – who engage with their customers, their suppliers and their regulators to ensure that they are providing accurate information about data processing, and that they have the right information security systems in place – that will be best placed to survive in this new landscape.


Permanent link to this article: http://blogs.dlapiper.com/privacymatters/uk-government-report-recommends-stronger-powers-for-the-ico/

GERMANY: Government proposes draft law introducing class actions for data protection violations

On 4 February 2015, the German federal government published a draft law on the improvement of enforcement of data protection provisions protecting consumers (Entwurf eines Gesetzes zur Verbesserung der zivilrechtlichen Durchsetzung von verbraucherschützenden Vorschriften des Datenschutzrechts) (“Draft Law”). Provided the Draft Law passes the German parliament, consumer protection associations and industry chambers will be able to file class actions against companies violating data protection provisions protecting consumers.


According to the reasoning accompanying the Draft Law, the new law intends to protect consumers from increased threats arising from recent technical developments. As a result of the continuous development of information technology, it has become simpler and faster to collect and process personal data. Personal data are often used for purposes different from the original purpose for which the data were collected, without sufficient information being given to the data subjects or proper consent being obtained. For example, service providers offering free online services through apps or social networks use the personal data originally collected for the purpose of providing their service for profiling, advertising, data warehousing and market research, with the aim of making their service more profitable.


Under the existing laws, consumer protection associations have very limited means to act in the case of data protection violations: they may only seek cease-and-desist orders against companies whose general terms and conditions violate data protection laws. In particular, class actions are not permissible since, to date, courts have not recognized data protection laws as laws protecting consumers.


According to the Draft Law, the existing Injunctions Act (Unterlassungsklagegesetz, “UKlaG”) applicable to consumer protection laws will be extended to explicitly cover provisions regulating the admissibility of collecting and processing consumers’ personal data in the following areas: advertising, market and opinion research, scoring, creating personality and user profiles, as well as data warehousing (i.e. selling address data and other personal data for commercial purposes). As a result of this change, consumer organizations will be entitled to file for a cease-and-desist order if a company violates data protection laws to the disadvantage of consumers by collecting or using personal data for any of the above commercial purposes. However, it should be noted that the Draft Law protects the collective interests of consumers. Such interests are affected only if the significance and weight of the violation of data protection laws goes beyond the individual case. This applies especially if a large number of consumers are affected.


As a result of the proposed law, companies processing personal data for one or more of the above commercial purposes should be prepared to face severe consequences for inadmissible practices. Consumer protection associations are likely to focus on consumer data protection compliance in the future. This will increase the risk that non-compliance with data protection laws is detected, which may lead not only to financial damages but also to competitive disadvantages and loss of reputation. Companies are well advised to review and adapt their relevant data processing practices in order to be prepared once the new law enters into force.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/germany-government-proposes-draft-law-introducing-class-actions-for-data-protection-violations/

GLOBAL: Sweep Day 2014: Global Coordinated Enforcement

Read here an article by DLA Piper Partner Carol Umhoefer, published in E-Commerce Law & Policy in July 2014 discussing how Internet Sweep Day illustrates trends in the data protection regulatory space.

For further information, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/sweep-day-2014-global-coordinated-enforcement/