You Are Viewing International

New UK Cookie Rule Tough to Swallow

Posted by fgilbert on May 10th, 2011

The United Kingdom’s Information Commissioner’s Office (ICO) has published an “advice” that explains the new rule for the use of cookie technologies for websites and mobile applications that are subject to the UK laws. As of May 26, 2011, companies will no longer be permitted to rely on consent implied from browser settings. They must obtain the user’s prior affirmative consent to the use of most cookies.

The ICO’s Advice invites companies to promptly conduct an audit of their practices, assess the different types of cookies to determine how intrusive they may be, and identify workable solutions to obtain users’ consent. The ICO makes it clear that it expects companies to come up with a plan of action that shows that they have considered their obligations and that they have a realistic plan to respond to the new requirements and achieve compliance.

According to the ICO’s press release, this Advice was published in order to prompt organizations to start thinking about the practical steps that they need to take to respond to this new requirement. The ICO intends to provide additional guidance as innovative ways to acquire users’ consent are developed.

The New Rule, in Brief

The new Cookie Rule requires that UK website and mobile applications obtain their visitors’ affirmative consent to the use of cookies. This rule results from the implementation of the 2009 Amendment to the 2002 EU’s Privacy and Electronic Communications Directive into the UK laws. It will amend Regulation 6 of the Privacy and Electronic Communication Regulations 2003 (PECR).

Businesses and other entities will be permitted to use cookie technologies only if the user of the site or application (a) has received clear and comprehensive information about the purpose for the cookie in question; and (b) has given his or her consent to the use of the cookie. Once a user has consented to the use of a particular cookie, there is no need to ask permission each time the website needs to access that cookie. Cookies that are “strictly necessary” for the service requested by the user are not subject to the prior consent requirement.

The new rule requires that website obtain informed, affirmative consent to the use of almost any cookies that it would wish to install on a user’s machine or mobile device. The restriction applies both to the installation of the cookie and the subsequent access to the information stored on the cookie. Except for a small category of cookies that are “strictly necessary” for the proper operation of a site, or for providing a service requested by the user, such as shopping-cart type feature, all other cookies, including those that are used for analytics purposes require prior specific consent. Of course, flash cookies are also subject to the notice and consent requirement.

Until browser technology has made progress, it will not longer be possible to rely on browser setting as a method to show user’s consent. Even though the rule allows consent to be signified by the users amending or setting controls on their browsers, the ICO’s Advice clearly states that given the current state of technology, using browser settings is NOT a satisfactory method for expressing consent. The ICO’s Advice discusses several methods that might be used to implement the notice and consent requirement.

The ICO envisions a sliding-scale approach, where the cookies that have the potential to be the most intrusive require the most specific and detailed notice. The ICO also suggests a tailored approach as opposed to the “one-size-fits-all” approach, commonly used currently in website privacy policies. The different models for expressing consent proposed by the ICO tend to be specific to a particular type of cookies, and the particular circumstances of its use.

The Basic Requirement

The previous rule on using cookies by UK entities – which was set out in Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR) – required that users be informed about the existence of cookies, and be given the opportunity to refuse the storage of, or access to, the cookie information stored on their computers. Most companies provided the relevant information in their website privacy statement, and informed their users that, by changing their browser settings, they could arrange to block cookies.

Under the new rule, companies must still provide clear and comprehensive information about the use of cookies. However, the cookies may only be placed on a machine or device after the user has given his affirmative consent.

The Exceptions

  • Repeated uses: The consent need not be given each time. Under the new rule, if the same information is stored or accessed by the same entity, regarding the same user, on more than one occasion, the consent need to be obtained only once.
  • Transmission of communications: Notice and consent are not required for a limited number of cookie categories. Cookies that are required for the sole purpose of carrying out the transmission of communications over an electronic networks are exempt from the notice and consent requirement.
  • Cookies that are “strictly necessary” : Cookies that are “strictly necessary” for the provision of a service requested by the user are also exempt from the notice and consent requirement. According to the ICO’s Advice, “strictly necessary” means that the use of the cookie must relate to the service explicitly requested by the user. The exception is narrow. It would apply, for example, to a cookie that is used in ecommerce applications when a user has selected goods to purchase and clicks the ‘add to basket’ or ‘proceed to checkout’ button, to ensure that the site remembers what was chosen, and post the information on the check-out page. On the other hand, as explained by the ICO, the exception would not apply, for example, to cookies used to track users to make the website more attractive because it remembers the users’ preferences, or cookies are used to collect statistical information about the use of the website.

Browser Settings Not An Approved Method

The rule allows consent to be signified by the user amending or setting controls on his or her browser, or by using another application or program to signify consent. However, the ICO does not agree that using browser settings is currently a satisfactory method to express consent.

The ICO recommends that organizations refrain from using browsers as a means for obtained consent because currently most browser settings are not sophisticated enough to allow a website to assume that the user has consented to the use of cookies. In addition, mobile application and other technologies do not rely on browsers.

How to Implement the New Rule

The ICO anticipates a phased approach to the implementation of these changes, and recommends that companies use the following steps:

  • Identify what types of cookies are used and why: Companies should conduct an audit of their website to determine what cookies or data files are used and for which purposes. This would allow identifying which cookies are strictly necessary and might not need consent.
  • Assess how intrusive these cookies are: The most intrusive cookies should be addressed first. For example, cookies that involve creating detailed profiles of an individual’s browsing activity are intrusive – the more privacy intrusive an activity, the more priority should be given to getting meaningful consent.
  • Identify the best solution for obtaining consent: For each category of cookies or uses, the best method for gaining consent should be identified. The most privacy intrusive activities will require that the most information be provided to the user.

Suggested Methods for Obtaining Consent

The ICO’s Advice provides a detailed analysis of the different methods available to obtain the user’s consent. It recommends more specific, targeted approach. Cookies used for analytics purposes and cookies shared with third parties are likely to cause the most significant problems.

1 – Pop ups and similar techniques

Pop-ups may be used to ask for consent. However, this practice may be annoying if numerous cookies are used. Thus, the ICO cautions that the use pop ups or ‘splash pages’ may become frustrating if too frequent.

2 – Terms and conditions

Consent could be obtained when a user first registers or signs up. In this case, the ICO recommends to make users aware of the changes and specifically that the changes refer to the use of cookies, then asking them to tick a box to indicate that they consent to the new terms. Specific information should be provided.

3 – Settings-led consent

Some cookies are deployed when a user chooses how the site works for them each time they visit the site; for example, a particular language, the size of the text displayed on the screen, the color scheme, or a “personalized greeting”.

In these cases, consent could be gained as part of the process by which the user confirms what she wants to do or how she wants the site to work. At that time, the user should be told that by allowing the website to remember her choice, she is also consenting to set the cookie.

4 – Feature-led consent

In the same manner as above where the user conducts a specific activity, there are circumstances were tracking technologies are stored when a user chooses to use a particular feature of the site such as watching a video clip, or when the site remembers what the user did on previous visits, in order to personalize the content that the user is served.

In these cases, the user is often invited to open a link, click a button or agree to the functionality being ‘switched on’. The ICO suggests to ask for the user’s consent to set a cookie at this point.

As for prior example, it should be made clear to the user that by choosing to take a particular action, certain things will happen that will be interpreted as the user’s consent. If the anticipated use of tracking technology is complex or intrusive, it will be important to provide more specific information. In particular, as discussed below, users should be told whether some features are provided by a third party.

5 – Analytics and other functional uses

Many websites collect information about access to, and use of the site, and time spent on a page. While the ICO acknowledges that cookies used for analytics purposes might not appear to be as intrusive as others that might track a user across multiple sites, it nevertheless requires consent.

In this case, the ICO’s Advice suggests that companies should make information about the use of analytics cookies more prominent, particularly in the period immediately following implementation of the new Regulations. In addition, the ICO also suggests that website should give more details about the use of these cookies, such as a list of cookies used with a description of how they work – so that users can make an informed choice about what they will allow.

If the information collected about website use is passed to a third party this information sharing must be made absolutely clear to the user. Any options available should be prominently displayed and not hidden away.

6 – Third party cookies

Finally, the ICO’s Advice addresses the use of third party cookies. When a website displays content from a third party from an advertising network or a streaming video service, this third party may send its own cookies to the user. While the process of obtaining consent for these cookies may be more complex, the ICO opines that nevertheless the user must be made aware of what is being collected and by whom. This is a challenging area for which the ICO expects that more research will be needed to find workable solutions.

How about the Remainder of the European Union?

The remainder of the European Union is also required to implement the new rules on the use of cookies that were outlined in the 2009 Amendment to the 2002 ePrivacy Directive.There is currently a lot of confusion throughout the European Union on how to interpret and implement this 2009 Amendment. The Advice published by the United Kingdom’s Information Commissioner’s Office clarifies the very confusing and controversial amendment.

It is highly likely that the ICO’s Advice will serve as guidance or a model to other data protection authorities who have been facing the same issues and need to implement the 2009 Amendment into their national laws. Thus companies that may not be subject to the UK laws, but otherwise do business in the European Union should read and understand the ICO’s Advice, as a way to prepare for their obligations to comply with the national laws of the countries where they operate.


The amendment to the UK rules comes into force on 26 May 2011. As a result of the implementation of this amendment into the UK laws, companies that operate websites in the UK must obtain informed consent from visitors to their websites and mobile applications in order to store and retrieve information on users’ computers through cookies or similar tracking technologies. Companies must provide clear and comprehensive information about the purpose for each cookie; and obtain the prior explicit consent to the use of the cookie. Until browser technology has made progress, browser settings can no longer be used as a method for expressing consent. While the ICO envisions a “sliding scale” approach, where the cookies that have the potential to be the most intrusive require the most specific and detailed notice, it also expects companies to delve promptly into implementation of the rule.

At a minimum, companies should promptly update their website privacy statements to clearly and conspicuously explain how cookies are used. In a second phase, companies should conduct an audit of their practices, assess the different types of cookies to determine how intrusive they may be, and identify workable solutions to obtain the requested consent.

The ICO has indicated clearly that it intends to enforce the new rule. While it concedes that full implementation will take time, the ICO wants companies to make every effort to start working on their use of cookie, and be prepared to provide tangible proof of their efforts to comply with the new rules.

Comments Off on New UK Cookie Rule Tough to Swallow

Mexico’s New Federal Law on the Protection of Personal Data

Posted by fgilbert on August 17th, 2010


Mexico’s New Federal Law on the Protection of Personal Data

Mexico’s new Ley Federal de Protección de Datos Personales en Posesión de los Particulares (Federal Law on the Protection of Personal Data Possessed by Private Persons) became effective on July 6, 2010. The Law is “of public order,” which means that contract provisions that conflict with it are unenforceable.

The Federal Institute for Access to Information and Data Protection (IFAI) is charged with issuing regulations and enforcing the Law. The regulations are expected to be issued within one year, and the Law will not be enforced until January 2012.

While the Law incorporates many principles found in the major privacy drivers such as the OECD Privacy Guidelines and the 1995 EU Data Protection Directive, it clearly opts to follow the guidance in the APEC Privacy Framework. This choice is especially evident with the provisions that address “accountability,” and the departure from the prohibition from data transfers to countries that do not offer an adequate level of privacy protection, which has been the hallmark of 1995 EU Data Protection Directive. Instead, for crossborder data transfers, the Mexican Law requires notice and consent of the data subjects, and makes the data controller responsible for ensuring that the recipient of the data abide by the same principles as those that are set forth in the sender’s privacy policy.

Scope of the Data Protection Law

The entities that are subject to the Law are individuals or legal persons that process personal data, other than credit information companies. In addition, like most other countries’ data protection laws, Mexico’s Law excludes from its scope individuals who collect, store, and use personal data for personal purposes.

The Law regulates the processing of personal data. The definition of the term “processing” encompasses a broad range of activities that include collection, use, disclosure, storage, access, management, transfer and disposal of personal data.

Protected Information

The Law applies to personal data that are processed, transferred, or disposed by private persons or entities. “Personal data” includes any information pertaining to an identified or identifiable natural person.

More stringent provisions apply to the handling of sensitive data, that is, those data that pertain to the race or ethnicity, health, genetic information, religion, philosophical and moral beliefs, union membership, political opinions and sexual preference of an individual. Further, even though financial and economic data are not included in the definition of “sensitive data,” their processing requires the express consent of the data subject.

Obligations of the Data Controller

The Law identifies restrictions to the collection and use of personal data. Most provisions apply to “data controllers,” the individuals or private corporations that determine how and by whom, personal data are processed.

Data controllers must collect and process personal data in a lawful manner. The data must be relevant, necessary, accurate, and updated for the purposes for which they were collected.

Data controllers may process personal data only for the purposes stated in their privacy notice unless the data subject consents to a new use of the data for a purpose that is not compatible with or analogous to the purpose that is set out in the privacy notice. Data controllers may keep the data only as long as necessary in order to fulfill the purposes for which the data were collected, and must delete any data that are no longer necessary for these purposes.

Conditions to the Collection and Processing

The general rule is that data controllers must obtain the consent of the data subjects in order to process their personal data. The consent may be expressed or implied. In the case of sensitive data, or financial and economic data, the expressed and written consent of the data subject is required.

There are several cases where the data subject’s consent is not required for the processing of personal data to be lawful. For example, consent is not required when the collection and processing of the data is provided by law or is necessary to comply with obligations derived from a legal relationship between the data subject and the data controller. There are other exceptions for data that have been anonymized, are included in publicly available sources, or are needed for medical care, prevention, diagnosis, or medical treatment while the data subject is unable to provide his consent.

Security and Breach of Security

Data controllers must have in place appropriate administrative, technical, and physical safeguards in order to ensure that personal data are protected from loss, damage, alteration, destruction, and unauthorized access or use. The safeguards must be at least as secure as those that the data controller uses to manage its own data. Further, data controllers must keep data in a manner that allows the prompt exercise of the data subjects’ rights.

In the case of a breach of security, the Data Protection Law requires that the data subjects be notified of the breach if the breach significantly affects the concerned data subjects’ economic or moral rights. The Law does not require that other entities or government agencies be notified as well.

Obligation to Inform the Data Subjects

Data controllers are required to give data subjects a privacy notice that identifies among other things, the entity that collects the data, what personal data are collected from them, the purposes of the collection and processing of their personal data and the proposed transfers of personal data. In addition, the notice must indicate the options and means that data subjects may use in order to control the use and disclosure of their personal data and the means by which they can exercise their rights of access, rectification, cancellation, or opposition.

The notice must be provided to the data subject when the data are collected, unless the data were not collected directly from the data subject. The notice can be in printed form, electronic form, or other format. Special provisions apply when personal data are collected through mobile phones or text messages.


In keeping with the APEC Privacy Framework, the Mexican Data Protection Law stresses accountability. Data controllers are held accountable for the personal that data they hold, even if a third party processes the data. They must ensure that the third party complies with all data protection provisions stated in the Law.

Data controllers, subcontractors, and any other parties that have access to personal data must ensure the protection of the confidentiality and security of the personal data, even after their relationship with the data subject is terminated, or in the case of subcontractors and third parties, after the relationship with the data controller is terminated.

Crossborder Transfer of Personal Data

On the issue of crossborder transfers of personal data, the Mexican Law significantly diverges from the principles set forth in the 1995 EU Data Protection Directive. Instead of requiring data controllers to ensure that, when data are transferred to a third country, the receiving country provide an adequate level of protection, the Mexican Law makes the data exporter responsible for ensuring the protection of the data.

Specifically, the transfer of personal data to a third country requires several components:

  • The data controller must inform the data subjects of the proposed transfer, and the data subject must consent to the transfer;
  • A data controller that intends to transfer personal data to a third country, other than to a subcontractor, must identify the purposes for which the data are transferred to the third party, and must inform the third party of the restrictions that are set forth in the data controller’s privacy notice; and
  • The third party that receives the data must assume the same obligations as those that apply to the data controller.

There are several exceptions were consent is not required. These exceptions include where the transfer is made to a subsidiary or affiliate, or to a parent company or an associated company that operates under the same processes and internal policies; and where the transfer is in the interest of the data subject in connection with a contract that has been, or is to be concluded between the data controller and a third party. Another exception allows for the crossborder transfer of personal data when necessary for the maintenance or fulfillment of a legal relationship between the data subject and data controller.

Rights of the Data Subjects

Data subjects have the right to consent to the processing of their personal data (unless an exception applies), and to be informed of how and by whom their personal data will be processed.

In addition, data subjects have the rights of “access, rectification, cancellation, and opposition” or ARCO rights. The right of access and rectification grants them the ability to access their personal data in the hands of data controllers, and have inaccurate or incomplete data pertaining to them rectified.

The right of cancellation allows individuals to require that their data be blocked in the database, which has the same effect as if the data were erased from the data controller’s database. If the data have been transmitted to a third party, the data controller must bring the correction or cancellation request to the third party’s attention.

The right of opposition entitles individuals to object to the processing of their personal data, with a valid reason.

Data Protection Official Required

The Law requires data controllers to designate a data protection official within their organization. The data protection official will be responsible for processing data subject requests for access, and for promoting the personal data protection within the organization.

Self-Regulation Schemes

Organizations are allowed to use binding self-regulation schemes or codes of conduct. These schemes need to measure the effectiveness of the protection that the organization provides to personal data and address the consequences and remedies for violations of the rules. The self-regulation schemes should also contain rules and standards that harmonize the data processing performed by the parties and facilitate the exercise of data subjects’ rights.


If a data controller does not solve a matter after receiving a complaint from an individual, the individual can submit his complaint to the IFAI for the dispute to be resolved. If the IFAI identifies a violation of the Data Protection Law, it will notify the data controller of its findings. The data controller has 15 days to respond and provide evidence proving that it has not breached the Law. The IFAI will make a decision within 50 days after the date on which the process began.

The Law provides for significant fines (up to $1.2 million) for violations such as collecting or transferring personal data without the consent of the data subject where such consent is required, or collecting data in a misleading or fraudulent manner. If sensitive data are involved, the penalties will be doubled. In the case of continued violations, an additional fine will be imposed.

In addition, the Law provides for imprisonment from three months to three years for data controllers who, for profit, cause a security breach of the database in their custody. The processing of personal data by deception or by taking advantage of a data subject’s mistake or the mistake of an authorized person may be sanctioned by six months to five year prison terms if done for profit.

Violators may also be liable for the payment of damages to the affected individual to compensate for harms or damages to the individual’s property or rights that result from the lack of compliance with the obligations of the data controller or its subcontractors.

Action Items

The new Data Protection Law of Mexico finds its roots and inspiration in many of the seminal documents that are the foundation of the global privacy and data protection framework. Thus, companies that have global operations and a global privacy program in place should be able to find numerous common elements with their existing structures. However, idiosyncrasies in the Law will also need to be addressed.

While the Law will not be enforced until January 2012, it is time for companies doing business in Mexico or with Mexico-based entities to begin evaluating their new obligations and start planning accordingly. The first step should be to conduct a survey of the personal data that the company collects or processes in Mexico, and of the purposes for which these data are collected. In addition, companies should start evaluating whether the collection or processing of these data meet the adequacy and relevancy requirements of the new Law, so that unneeded data can be weeded out from existing database. Companies should also start planning how they will respond to their obligation to provide individuals with access to their personal data, and the ability to have their data corrected or blocked.

Further, caution will be needed when trying to make the Mexican Law requirements fit within a global privacy program where they have to coexist with other laws that might be more restrictive. This is in particular the case for cross-border data transfers, where the Mexican law does not clearly and fully meet the restrictions and requirement for “adequate protection” that are set forth in the national laws that follow the principles of the 1995 EU Data Protection Directive. Thus, the processing of personal data that originate from EU and other countries that follow the Directive will continue to meet the hurdles of establishing the existence of the adequate protection.

Posted in International
Comments Off on Mexico’s New Federal Law on the Protection of Personal Data

Remaining in Safe Waters

Posted by fgilbert on June 7th, 2010

How to Ensure Continued Compliance with The Safe Harbor Requirements

The Safe Harbor created by the US Department of Commerce and the European Commission provides a convenient way for US companies with limited global transactions to address the “adequacy” requirement under the national laws of the European Union Member States. Being self-certified under the US Department of Commerce Safe Harbor allows them to reduce the amount of red tape that usually accompanies the transfer of personal data to the United States and from a European Union Member State, and EEA Member State or Switzerland.

However, the initial self-certification filing is only one of many obligations. In order for the self-certification to remain valid, the company must re-certify each year of its compliance with the Safe Harbor Principles and pay the related fee to the Department of Commerce. When a company wishes to renew its self-certification, it must go through the same due diligence as for the initial filing, and… much more.

Initial Self-Certification

Self-certification of a company’s compliance with the Safe Harbor Principles is a multiple step process. In order to prepare for the filing of the required documents with the US Department of Commerce, the company must go through a comprehensive analysis and evaluation that is necessary and appropriate to self-certify that its privacy policies and procedure comply with the Safe Harbor Principles

In its self-certification papers, the company represents that it does have the policies and procedures described in these documents. An “omission” or a misrepresentation exposes the entity to severe penalties for breach of Section 5 of the FTC Act, which prohibits unfair or deceptive practices.

Re-certification Process

Many companies are unaware of the extensive requirements and commitments that attach to the filing of the re-certification documents. These documents must be signed and approved by a corporate officer of the company (typically the CEO or the General Counsel), and must attest and verify that the company is complying with specific requirements. Thus, it is very important to pay attention to the many legal requirements that are associated with the recertification process.

Like for the initial filing, an error in the re-certification documents exposes the entity to enforcement action and severe penalties. The “error” could be found a “misrepresentation” and the company might be sued under Section 5 of the FTC Act for unfair or deceptive practices.

Annual Verification

The documents that are to be filed with the US Department of Commerce as part of the renewal of the certification must verify the following:

  • The published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented, and accessible;
  • The privacy policy conforms to the Safe Harbor Principles;
  • Individuals are informed of how complaints are handled, and the independent mechanisms through which they may pursue complaints;
  • The organization has in place procedures for training employees in its implementation, and disciplining them for failure to follow it;
  • The organization has in place internal procedures for periodically conducting objective reviews of compliance with the above.

Audit or Assessment

In order to be comfortable signing this statement, it is prudent that an “audit” or “privacy assessment” or “compliance review” be conducted. This audit should allow to verify and be satisfied that the statements and commitments made in the privacy policy are accurate, that appropriate training is conducted, and that a dispute resolution procedure in place.

Companies may elect to conduct this audit internally. Law firms and consulting firms that focus on information privacy and security matters also conduct these audits.

Companies should not wait until the last minute to conduct or have conducted this audit. They must plan sufficient time to address any of the deficiencies that the audit might have identified. Otherwise, the representations made in their self-certification renewal papers would be inaccurate, misleading, or fraudulent.

Record Keeping

In addition, to the representations listed above, the Department of Commerce requires companies to retain appropriate records on the implementation of their safe harbor privacy practices. In other words, not only must a company represent that it has in place the required processes, procedures and policy, but it must also have a written record that documents the investigation conducted, the deficiencies identified, and the actions taken.

These records are to be made available upon request in case of an investigation or a complaint about non-compliance, or investigation about unfair and deceptive practices by a law enforcement agency – most likely the Federal Trade Commission.

FTC Enforcement – Twenty-Year Injunction

The FTC has already conducted enforcement actions and has prosecuted businesses for their misrepresentations in connection with Safe Harbor self-certification. These companies were charged for falsely claiming that they held current certification under the Safe Harbor program. See, for example, this consent agreement (pdf):

The consent decrees with each of these businesses include reporting requirements, whereby marketing and advertizing documents claiming compliance with the Safe Harbor principles must be filed with the Commission. In addition, each company is enjoined for 20 years from misrepresenting in any manner that it complies with or adheres to any privacy, security, or other compliance program sponsored by the US government or any other entity.

For more information

For additional information on the Safe Harbor, see Chapter 9 of Francoise Gilbert’s two-volume treatise Global Privacy and Security Law

Comments Off on Remaining in Safe Waters

Coming Soon to the European Union: Security Breach Disclosure Requirements

Posted by fgilbert on May 30th, 2010
Directive 2002/58/EC (or “e-Privacy Directive”), which defines the restrictions that apply to the protection of personal data in the context of wire or Internet communications, was amended in late 2009. This amendment establishes the first mandatory security breach disclosure regime for the European Union and will soon be reflected in the national laws of the EU and EEA Member States.
While this new security breach disclosure regime affects only providers of a publicly available electronic communication services, it is likely that it will be the foundation for defining a security breach disclosure framework that applies to other personal data holders.
For example, when amending their national laws, some of the EU Member States may opt to apply this security breach disclosure regime to the entire spectrum of data controllers and data processors, rather than limiting it to the smaller subset of electronic communication service providers that are subject to the ePrivacy Directive. Further, when the 1995 EU Data Protection Directive is revised, it should be expected, as well, that the security breach provisions of the ePrivacy Directive (as amended), at a minimum, will serve as a starting point.
The amendments must be implemented in each of the national laws of the Member States of the European Union and the European Economic Area by June 2011.

1. 2009/136/EC Directive

Directive 2009/136/EC entered into force on December 19, 2009. This directive amends and supplements the ePrivacy Directive, i.e., Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector.

The ePrivacy Directive provides a framework for responding to unsolicited commercial messages, the use of fax and similar technologies for telemarketing purposes, and defines the rules for the use of cookies, traffic data, location data, and public directories. With the 2009 Directive, existing provisions are amended to provide more protection for personal data. In addition, a new framework for the disclosure of a breach of security of data held by electronic communications networks and services is defined. While these provisions resemble those of the state security breach disclosure laws that have been adopted in the United States since 2003, there are significant nuances and discrepancies with the American model.

2. Security Measures

a.  2002 Draft

The 2002 version of the ePrivacy Directive requires covered entities to ensure adequate security. These provisions have been enhanced by the 2009 Amendment.
Under Article 4(1) of the e-Privacy Directive, Member States’ national laws must require publicly available electronic communications service providers to take appropriate technical and organizational measures to safeguard the security of their services. If necessary, these security measures must be taken in conjunction with the providers of the public communications network with respect to network security.
These security measures must take into account the developments in technologies, the new risks created by new types of attacks, and the cost of implementing the measures in relation to the risks. Security is appraised in light of Article 17 of 1995 Data Protection Directive.
Article 17 of the 1995 Data Protection Directive requires the implementation of “appropriate technical and organizational measures” to protect personal data against accidental or unlawful destruction, accidental loss, alteration, or unauthorized disclosure of, or access to personal data. In addition, when the processing is carried out by a subcontractor, the data controller must:
  • Conduct due diligence before entering into a contract with this third party;
  • Require in a written agreement that the third party act only on instructions from the data controller and use security measures to protect personal data; and
  • Verify compliance with adequate and relevant security measures for so long as the data processor holds personal data on behalf of the data controller.

b. 2009 Additional Requirement

The 2009 Directive supplements Article 4(1) of the ePrivacy Directive with specific and precise instructions. The new Article 4(1a) directs that the security measures must:
  • Ensure that personal data can be accessed only by authorized personnel for legally authorized purposes;
  • Protect personal data stored or transmitted against accidental or unlawful destruction, accidental loss or alteration, and unauthorized or unlawful storage, processing, access or disclosure, and;
  • Ensure the implementation of a security policy with respect to the processing of personal data.
In addition, the 2009 Amendment grants the relevant national authorities the ability to audit the measures taken by providers of publicly available electronic communication services and to issue recommendations about best practices concerning the level of security that these measures should achieve.

3. Notice of Risk of Breach of Security

The concept of disclosure of a breach of security already existed in the 2002 version of the e-Privacy Directive. Covered entities, however, only had to notify their customers of a “risk of breach of security.” This requirement was usually fulfilled by adding a provision in the entities’ terms of service, which stated that wire or electronic communications are not secure or confidential and instructed the customers to use other communications means when transferring sensitive or valuable data. The 2009 Amendment preserves the original version of Article 4(2) of the ePrivacy Directive, but it supplements it with a more specific requirement for the disclosure of the breach of security.
Under Article 4(2) of the ePrivacy Directive, Member States’ national laws must require providers of publicly available electronic communications services to inform subscribers of any special risks of a breach of the security of the network. Such risks may especially occur for electronic communications services over an open network such as the Internet or analog mobile telephony. If the risk lies outside the scope of the measures to be taken by the service provider, the provider must also inform subscribers of any possible remedies, and of the likely costs involved.
The preamble of the 2002 version of the e-Privacy Directive notes that providers of publicly available electronic communications services over the Internet should inform users and subscribers of the measures that they can take to protect the security of their communications, such as by using specific types of software or encryption technologies. This requirement to inform the subscriber, however, does not discharge a service provider from the obligation to take, at its own costs, appropriate and immediate measures to remedy any new, unforeseen security risks and restore the normal security level of the service.

4. Breach of Security

The 2009 Amendment goes beyond the mere notion of warning of a “risk of breach of security.” It defines the framework for a breach disclosure requirement that is similar to – but different from – the provisions that are in effect in the United States.

 a. Personal Data Breach

  The 2009 Amendment introduces the notion of “personal data breach.” The term is defined in the new Article 2(h) of the amended ePrivacy Directive as:
“A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed in connection with the provision of a publicly available communications service.”

b. Notice Requirements

Article 4(3), which is introduced by the 2009 Amendment, requires providers of publicly available electronic communications services to give “without undue delay” a notice of the breach to the competent national authority. In addition, if the breach is “likely to adversely affect” the personal data or the privacy of a subscriber or individual, the service provider must also notify the subscriber or individual of the breach of security “without undue delay.”
Thus, in most instances, two categories of notices must be given:
* One to the competent national authority, and
* The other to the subscriber or individual whose personal data or privacy is likely to be adversely affected.
It is not clear whether the subscriber, once informed, has to provide notice to all individuals affected, and who would bear the cost of making this notification.
There must be a “likely adverse effect.” According to the preamble, a breach should be considered as adversely affecting the data or privacy of a subscriber or an individual if it could result, for example, in identity theft or fraud, physical harm, significant humiliation or damage to reputation.
Thus, service providers would have to conduct a risk assessment, and presumably, would have to keep track of the assessment made and the grounds for their determination that a notice to subscribers or individuals was not warranted.
This assessment must be conducted in an expedited manner. The Preamble of the 2009 Directive stresses that the provider should notify the breach to the competent national authority as soon as it becomes aware that the breach has occurred.
The competent national authority is given an important role. It may force a disclosure. If the service provider has not already notified the subscriber or individual of the breach, the competent national authority may require the service provider to do so, after the competent national authority has evaluated the likely adverse effects of the breach.

c. Exemption

There is an exemption to the obligation to notify subscribers or individuals of a breach. This happens if the provider of publicly available electronic communications services has demonstrated to the satisfaction of the competent national authority that it has implemented appropriate technological protection measures, and that these measures were applied to the data concerned by the security breach.
However, the service provider nevertheless would have to notify the competent national authority. An important aspect of this safe harbor is that the exemption applies only if the service provider has demonstrated to the competent authority that there was no adverse effect.
It should be noted, in addition, that the 2009 Directive grants the national authority the ability to require the service provider to make the notification, even if the service provider determined that it was not necessary, if the national authority has determined that the incident is likely to have an adverse effect.
In order to be able to take advantage of the exemption, the technological protection measures must be such that they render the data unintelligible to any person who is not authorized to access these data. There is no suggestion for the measures to be taken, and no specific requirement for the use of encryption. It is sufficient if the data are “unintelligible.” It is likely that the national law implementing the Directive will interpret this term differently, which in turn might cause significant discrepancies between the applicable regimes in the Member States.

d. Content of the Notice

The Directive specifies the content of the two notices that must be given, i.e., the notice that is to be provided to the competent national authority and the notice that is to be sent to the affected subscribers or individuals. Both notices must include the following information:
  • A description of the nature of the breach;
  • The contact points where information about the breach can be obtained; and
  • Recommended measures to mitigate the possible adverse effects of the breach.
In addition, the notice to the competent national authority must describe:
  • The consequences of the breach, and
  • The measure proposed or already taken by the provider to address the breach.

e. Inventory

  Under new Article 4(4), the national laws implementing the amendment must require service providers to maintain an inventory of breaches that comprise the facts surrounding the breach, the effects of the breach, and the remedial action taken. The information must be sufficient to enable the competent national authorities to verify compliance with the notice requirements.

f. Guidelines and Implementing Measures

Given the novelty of the requirement for most European Union Member States, the 2009 amendment provides several means to facilitate the implementation of these provisions. These include, the use of guidelines and instructions concerning the circumstances in which providers are required to make the notification, the format of such notification and the manner in which the notification is to be made. The 2009 Directive also suggests that implementing measures may be drafted in the future in order to specify the circumstances, format, and procedures applicable to the information and notification requirements.

The comments in the Preamble recommend that the rules concerning the format and procedures applicable to the notification of security breaches, should take into account the circumstances of the breach, including whether or not personal data had been protected by appropriate technical protection measures, effectively limiting the likelihood of identity fraud or other forms of misuse. Moreover, such rules and procedures should take into account the legitimate interests of law enforcement authorities in cases where early disclosure could unnecessarily hamper the investigation of the circumstances of a breach.
While the Directive itself does not provide for sanctions, it suggests that national laws may include appropriate sanctions for those who fail to make the required notification.

5. For More Information

For more information on the ePrivacy Directive and the 2009 Amendments, see Chapter 8 of Francoise Gilbert’s two-volume treatise Global Privacy & Security Law available through
Comments Off on Coming Soon to the European Union: Security Breach Disclosure Requirements