Wednesday, February 24, 2010

Today's astonishing verdict in Milan

Google has already reacted to today's astonishing verdict in Milan. I'd like to add a few personal words.

I will vigorously appeal today's verdict in Milan. The judge has decided I am criminally responsible for the actions of some Italian teenagers who uploaded a reprehensible video to Google Video. I knew nothing about the video until after it was removed by Google in compliance with European and Italian law. I was very saddened by the plight of the boy in the video, not least as I have devoted my professional life to preserving and protecting personal privacy rights. Despite this a public prosecutor in Milan has spent 3 years investigating, indicting and successfully prosecuting me and 2 other Google colleagues.

This ruling also sets a very dangerous precedent. If company employees like me can be held criminally liable for any video on a hosting platform, when they had absolutely nothing to do with the video in question, then our liability is unlimited. The decision today therefore raises broader questions like the continued operation of many Internet platforms that are the essential foundations of freedom of expression in the digital age. I recognize that I am just a pawn in a larger battle of forces, but I remain confident that today’s ruling will be over-turned on appeal.

Monday, February 22, 2010

Austrian insights

I've been thinking about the conundrum of trying to fit all of the words data into two random black-and-white categories: "personal" data or "non-personal" data, or personally-identifiable information and non-PII if you prefer. The reason we're all trying to do this is because most of the world's legal regimes create these two categories, and only these two categories, even if it's obvious that many things sit uncomfortably in the gray zone between them. The big privacy debates generally turn on these gray-zone categories, which identify some things about an individual (e.g., speaks Spanish), but don't identify an actual human being. Think of the privacy debates around IP addresses, cookies, RFIDs etc, and you see that the debates can't be settled using only these two categories.

I think the way forward is the creation of a third-category, something we could call "indirectly identifiable data". Interestingly, Austrian law has already done that. Here are some insights into the Austrian law, the Austrian Federal Act concerning the Protection of Personal Data (Datenschutzgesetz 2000). Under Austrian Law, data is ‘only indirectly personal’ for a controller, a processor or recipient of a transmission when ‘the Data relate to the subject in such a manner that the controller, processor or recipient of a transmission cannot establish the identity of the data subject by legal means." In other words, the identity of the individual can be retraced but not by legal means.

When introducing the concept of indirectly personal data, the Austrian legislators referred on the face of the bill before Parliament to Article 2 (a) of the Directive and, in particular, to the phrase ‘…an identifiable person is one who can be identified, directly or indirectly…’. This suggests that a deliberate decision was made to distinguish between persons who can be identified directly (and for which the full force of the Austrian Law applies) and those persons who can only be identified indirectly – hence the concept of indirectly personal data. In the eyes of the legislators, indirectly personal data did not require the full range of protection that directly personal data required. There may additionally have been commercial and practical reasons considered by the legislators why to require organisations to treat indirectly personal data in the same way as directly personal data made no sense.

This is how I've been told Austrian Law treats indirectly personal data below:



8 (2)

Use of only indirectly personal data shall not constitute an infringement of the fundamental interest in secrecy that deserves protection under s. 1 (1).

9 (1) (2)

Use of sensitive data does not infringe interests in secrecy deserving protection only and exclusively if data are used only in indirectly personal form.

12 (3)

Transborder data exchange shall not require authorisation if data are transferred or committed that are only indirectly personal to the recipient

17 (2)

There is no requirement to notify the Data Protection Commission where the data application only contains indirectly personal data.

24 (4)

There is no duty to provide information to data subjects when collecting data where such data is not subject to notification under s. 17 i.e. this would include the use of indirectly personal data.


The rights granted under s. 26 – 28 cannot be exercised insofar as only indirectly personal data are used.

Section 26: right of access

Section 27: right of rectification/ erasure

Section 28: right to object

46 (1)

For the purpose of scientific or statistical research projects where the goal is not to obtain results in a form relating to specific data subjects, the controller shall have the right to use all data that are only indirectly personal for the controller.

46 (5)

Where the use of data in a form which permits identification of data subjects is legal for purposes of scientific research or statistics, the data shall be coded without delay so that the data subjects are no longer identifiable if specific phases of scientific or statistic work can be performed with indirectly personal data only

All of this is interesting, because I think privacy law will never adapt to the nuances of the real world if the entire real world has to be fit into only two black and white categories. Finding a legal category to deal with the gray zone is essential to getting privacy laws right, and the Austrian model is one of the most promising I've seen.

Friday, February 12, 2010

An American in Paris

A year ago, in the early phases of thinking about how or whether to suggest revisions to the European Data Protection Directive, the European Commission created a little "group of experts" to provide ideas. This unpaid group was formed after a public call for applications, and had no mandate other than to produce some ideas. Expert groups are a common process at the Commission. Since I'm very interested in this topic, and since I represent a technical/global/Internet perspective on things, I was happy to apply and even happier to be accepted to join it. But the group was disbanded after only one meeting, as reported here.

As an American who has lived in Paris for many years, I was more than a little startled to see French politicians launch a campaign to get the European Commission to disband this group because it contained..."Americans". Naturally, I thought it was odd to hear this anti-American rhetoric applied to me. It's hard to find an American more Francophile than me. One of the other guys on the experts' group was an American of German origin who has lived in Brussels for many years and is universally recognized as one of the world's great legal experts on European data protection law.

Of course, it was distasteful for me to hear French government officials engaging in conventional French political rhetoric against "Americans", but this was the first time in my professional life that I was the explicit target of it. I don't like xenophobia in any guise, even if it's just public posturing. But I also remind myself that anti-Americanism has long been one of the common threads of European data protection rhetoric, such as the endless posturing of the EU Parliament on SWIFT.

Privately, things are different. Privately, these same French audiences regularly invite me to discussions or hearings on privacy issues. In recent months, I've had separate meetings with committees focusing on modernizing privacy laws in the French Senate, with French politicians, and with the French Data Protection Agency. Privately, there's a very thoughtful debate underway in many French government circles on these important questions, and I'm privileged to be invited to participate in them. Privately, we all understand that the privacy debate has become global, and only global solutions will work in the long run.

Anyway, here are some excellent ideas from the European Privacy Officers Forum about what needs to be modernized in this window of review of increasingly obsolete European privacy laws. Had our "experts' group" not been disbanded, we might have made similar recommendations...

Monday, February 1, 2010

The new rules for cookies in Europe

Despite some inaccurate press, the revised text of the ePrivacy directive does not require an opt-in for cookies. However, the text of the revised directive may be misunderstood especially if the preamble of the new directive is not transposed into national law. So national governments need to take great care when implementing the new law, in order not to jeopardise the development of the Internet and the information society.

In its Article 5(3), the ePrivacy directive outlines strong safeguards to protect users from unwanted software such as adware, junk, or even viruses and spyware, requiring software vendors to seek their consent.

For cookies, the EU legislation's preamble specifically says that the control settings in a browser are sufficient to comply with the consent requirement. Even for cookies that cannot be controlled by browsers – for example, Silverlight and Flash cookies – the new law also recognises that the settings of specific control panels satisfy the consent requirement.

The directive’s new preamble contributes to legal certainty by clarifying that websites can rely on browser controls and similar applications to define the acceptance of cookies. This was not clear under the current law.

Member States will have 18 months to transpose the new ePrivacy directive into national law (i.e. until April 2011). It's important they take great care so as to avoid misinterpretations that would create new barriers to the EU's internal market, confuse consumers, and ultimately put Europe at a competitive disadvantage.

So now, if a user configures his or her browser to accept only cookies from certain websites, or automatically delete cookies when closing a browser, these settings will be sufficient as expressing the wish of the user. Websites technologically rely on browsers and other applications for cookie management. The current directive had a blind spot in this regard as it did not explicitly recognise cookie control tools as a way to comply with the law. The new directive clarifies this, but it's important that implementation into national laws follows the letter and spirit of this goal.