The proposals retain the general principles of data protection law, but also introduce some significant changes around:

• Fines;
• Consent;
• Notification (including 24-hour notification of breaches);
• New obligations on data processors;
• Compulsory Data Protection Officers;
• Data subject rights;
• Collection of child data; and
• The “one stop shop” approach

Firstly, as Martin noted in his earlier blog on the impact for organisations engaged in outsourcing, the regulation has direct effect. Once passed, it will not be subject to local implementation in each member state. This is intended to ensure that the laws are applied consistently across the EU.

Powers to fine
The official announcement follows last month’s leaked proposals which suggested that companies breaching data protection law might face fines of up to 5% of their annual turnovers. While this level of fine is not advanced by the official proposal, companies will still be subject to a fairly stringent sliding-scale of fines:

• a maximum of 0.5% of annual turnover for failures such as not responding properly to requests by data subjects;
• a maximum of 1% of annual turnover for failures such as leaving inaccurate data uncorrected, or failing to adopt internal policies to comply with the new Regulation; and
• a maximum of 2% of annual turnover for the most serious violations, including “risky processing operations”, or failing to obtain data subject consent.

Consent
Another key change being proposed is that data controllers can no longer rely on implied consent. Instead, controllers will have to prove that they have been provided with “explicit” consent from the data subject, while consent may not be relied upon if there is a “clear imbalance between the data subject and the controller” (which will make it difficult for, for example, employers to rely on consent from employees, as grounds for processing).

As an alternative to obtaining explicit consent, “other legitimate interests” of a controller will provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding.

Whilst this change is consistent with the opinions that have been issued by the Article 29 Working Party, this change will be particularly felt in the UK, where much of the UK Information Commissioner’s guidance has focussed on the concept of “implied consent”. For example, the Information Commissioner’s view on website privacy policies has generally been that the data controller does not need to flag up in flashing lights processing that is obvious. It will be interesting to see how guidance changes in this area.

Notification
Controllers will no longer have to notify data protection authorities that they are processing data -instead they will be asked to make available upon request evidence demonstrating their data protection policies and procedures, including “privacy by design and default” mechanisms, and privacy impact assessments.

Data breach notification
Controllers will also be expected to notify data protection authorities of data breaches within 24 hours. Where notification within 24 hours is not possible – and 24 hours looks like an onerous requirement – an explanation of the reasons for the delay should accompany the notification. Data processors, meanwhile, will be expected to “assist” controllers in cases of data breach or loss, and will be deemed joint controllers if they process personal data other than as instructed by the controller.

Data protection officers
All public sector bodies will be required to appoint a Data Protection Officer, as will private sector bodies with more than 250 staff (or whose core activities consist of processing operations).

The “right to be forgotten” and other new restrictions
Last month’s leaked document suggested that the new proposals would contain a controversial “right to be forgotten”, and many stakeholders were already pondering how such a right could possibly be guaranteed or enforced. The official proposals are less explicit regarding this right, proposing that a controller shall carry out erasure of data “without delay, except to the extent that the retention of the personal data is necessary” for a variety of grounds, including “public interest” and “compliance with a legal obligation”.

Potentially more interesting is a new right for data subjects not to be subject to a “measure based on profiling”, meaning that organisations will be potentially barred from profiling individuals based on automatic processing seeking to predict a person’s creditworthiness, economic situation, location, health, personal preferences, reliability or behaviour. This may well impact upon Amazon’s religious beliefs patent (as blogged about by Martin last month).

It’s also worth noting that under the new proposals the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or custodian. This concept of a “child” and the parental consent requirements will almost certainly conflict with many organisations’ current practices.

The “one stop shop approach”
Finally, the draft proposes that controllers and data subjects will have a one stop shop in terms of regulators. If a data subject wishes to complain about processing by a data controller in another EU country, it will complain to its local regulator who will raise the issue with the regulator in the data controller’s home country.

Given that non-EU data controllers collecting data from EU data subjects will also be subject to the new regulation, this will surely increase the administrative burden on the various national regulators.

These are just some of the changes to the present European data protection regime which are being proposed. It’s worth remembering that these proposals will need to be approved by the European Union’s member states and ratified by the European Parliament before they can come into effect. Given the extent of the proposed changes, that process might take up to 2 years, if not longer.

What do you think? Is transparency and information about behavioural advertising an issue? Did you know how it would work when you accepted the cookie, or do you not care? Add your opinion in the commments.

Amongst the things monitored are the purchasing of gifts and “the gift wrap used by such other users when purchasing gifts for this user, such as when the gift wrap evidences the user’s religion (in the case of Christmas or Hanukkah gift wrap, for example)”.

So if someone orders me a gift from Amazon, has it gift wrapped and sent to me at some point in December, Amazon will apparently assume that I am of Christian belief.

That’s quite a leap of faith (pun intended), given that a substantial proportion of people who give Christmas presents are likely to class themselves as aethiest or ambivalent in their religious beliefs.

The preamble to the patent states that:

A computer-implemented matching service matches users to other users, and/or to user communities, based at least in part on a computer analysis of event data reflective of user behaviors. The event data may, for example, evidence user affinities for particular items represented in an electronic catalog, such as book titles, music titles, movie titles, and/or other types of items that tend to reflect the traits of users. Event data reflective of other types of user actions, such as item-detail-page viewing events, browse node visits, search query submissions, and/or web browsing patterns may additionally or alternatively be considered. By taking such event data into consideration, the matching service reduces the burden on users to explicitly supply personal profile information, and reduces poor results caused by exaggerations and other inaccuracies in such profile information. [emphasis added]

What about data protection rules?
This raises some interesting data protection questions.

In the EU, religious beliefs are one of the categories of personal information that are classified as “sensitive personal data”, and therefore subject to a stronger set of rules. In particular, a data controller may only process sensitive personal data if it can satisfy one of the specific conditions set out in Schedule 3 of the Data Protection Act. The majority of these grounds relate to things like processing that is required by law, processing that is necessary to protect the vital interests of the data subject or processing for the administration of justice.

None of these are applicable to Amazon.

Which means the only condition it could rely upon is the “explicit consent” of the data subject.

It’s difficult to reconcile this need for explicit (not implied) consent with the last sentence of the preamble, which states that the system will “reduce the burden on users to explicitly supply personal profile information” – in other words, it will allow Amazon to guess the things that users don’t tell it.

European data proctection rules make it clear that Amazon cannot activate this system in respect of a user unnless he has expressly given his informed consent. So if a user decided that it would like Amazon to profile him based on his religious beliefs, would that user rather tick a box saying “would you like Amazon to guess which (if any) religious beliefs you hold?” or simply complete the details in his personal profile?

And how does this guessing system equate with the fourth data protection principle, which states that personal data shall be “accurate and, where necessary, kept up to date”? Will Amazon periodically ask you to confirm its assumptions to check that they are up to date?

Organisations such as Amazon often apply to patent new ideas without necessarily ever putting them into practical appplications. In Europe at least, I suspect that this may be one such idea.

The video has provoked a lot of debate and the latest development is that the Big Man has been identified, and charged with assault.  I’m no criminal lawyer and I’ll leave the discussion about whether or not the Big Man’s actions constituted assault to the experts.

I’m more interested in considering what remedies both parties may seek.   Both probably wish the video had never existed, and are maybe wondering if they have any recompense against the person who posted the video and/or YouTube itself. 

Has the poster of the video on YouTube broken any law?
Murray v Big Pictures (the case involving tabloid photographs of JK Rowling’s son in his pram) makes it pretty clear that, in certain circumstances, the taking of photographs of somebody in a public place can infringe their rights to privacy.  It’s not impossible to imagine this precedent being extended to making a video clip of somebody in a public place.

Further, the processing of the parties’ data on YouTube is arguably contrary to the Data Protection Act, because the processing has been carried out without their consent. 

In reality the Information Commissioner is unlikely to respond to any data protection complaint by pursuing the poster for this type of content.

However breach of privacy rights could feasibly entitle both parties to claim damages. 

Has YouTube itself broken any law?
In the event of any claim or claims, YouTube would probably argue that it was a “mere conduit” under the E-Commerce Directive.  (This “mere conduit” defence provides that a web host isn’t liable for content on the basis that the host has no actual knowledge of illegal activity or information (provided that they act expeditiously to remove content if something or someone does alert them to illegality).)   YouTube would probably also say that they might well have removed the video if either of the parties had asked.

The catch is that the “mere conduit” defence doesn’t technically extend to privacy/data protection complaints.  This is at least partly why Italy is pursuing prison sentences for 3 executives of Google in relation to footage posted on Google Video in 2006.  (According to the San Francisco chronicle, an appeal will be heard early in 2012.)

As far as any financial liability is concerned, YouTube’s Terms of Service are drafted to protect the company from liability arising from user-generated content.  The Terms state that the user agrees to comply with all applicable laws. As discussed above, the user has possibly broken some laws.

The Terms also state that users are solely responsible for content and the consequences of submitting and publishing content, and that users indemnify YouTube against any and all “claims, damages, obligations, losses, liabilities, costs or debt, and expenses” arising from violation of the Terms.

What is likely to happen?
It’s impossible to predict how things will develop.

I imagine it’s pretty likely that charges may be quietly dropped, with both parties being encouraged to resume their normal (and private) lives.  

But it’s not impossible that this incident may come to have serious repercussions for “vigilantes”, “citizen journalists” and web hosts of user-generated content.

On 1 March the remit of the Adverting Standards Authority (ASA) was extended to include the claims companies make on non-paid for space online. This covers adverts for a company’s goods and services on its own website and on any social media sites within its control.

Since the ASA’s digital marketing remit was extended earlier this year the independent UK regulator has received a 40% increase in complaints.

The rules and criteria that are applicable to digital and online marketing are the same as those applicable to ‘traditional’ media, such as the obligation that the advert is not misleading, exaggerated or offensive. However, there are some particular things to look out for when advertising online, including via social media channels.

Here’s a quick list of do’s and don’ts to ensure that your company doesn’t have to explain itself to the ASA:

• Don’t exaggerate savings by comparing an offer to the most expensive alternative.
• Don’t say something is free if it isn’t. If the product is free, but postage is not, then say that upfront.
• Don’t include unnecessary price breakdowns for a product or service unless the costs being detailed are optional. If they are not optional then it is pointless explaining what they are.
• Don’t pick and choose customer reviews to appear on your website to make your company look good.
• Do include any surcharges, such as booking fees, upfront.
• Do make sure a discount is actually a discount. If the prices are the same before, during and after the promotion then it’s not really a promotion and is in breach of regulations.
• Do ensure that you have robust evidence of quality and performance if you are going to make claims about your product.
• Do state clearly that an offer may be extended at the company’s discretion if you think you may want to exercise this option.

For further information please contact me or get in touch with your usual Brodies contact.

These comments have been criticised for not being genuine reviews of the product but rather a marketing ploy to try to boost sales and customer opinion. This advertising ‘technique’ of masquerading as a genuine customer and making positive, inflated reviews about your own product (or, indeed, negative comments about a competitor’s product), coined astroturfing, is a risky strategy – not least because in many countries it is unlawful but also because if found out, it could be very damaging to your brand’s reputation.

The Nokia employee was found out because (in a not terribly covert manner) his ‘anonymous’ post was sent from an IP address that was owned by Nokia. This, of course, opens up a whole new can of worms because the Nokia IP address – and the employee’s email address – was released by the company that hosted the review website, presumably in breach of the site’s privacy policy.

The law in the UK
In the UK, advertising is broadly controlled and regulated by the Advertising Standards Agency (ASA). In March of this year the ASA remit was extended to include digital media which meant that restrictions were tightened around what companies could claim on their own website and other online media in their control, such as their Facebook or Twitter accounts.

In relation to product or service reviews, the ASA will address complaints made where websites are picking and choosing which reviews will appear on their website, so as to cast the company in a better light. Similarly, the ASA are currently investigating the transparency of the reviews that appear on the TripAdvisor website. TripAdvisor had stated that the reviews on its website were ‘trustworthy’ but in reality it is unlikely that TripAdvisor really knows whether the reviews are honest or not, so the endorsement has been taken off the site.

While the digital remit is a welcomed extension of the ASA’s powers, astroturfing – such as the Nokia Lumia incident, where one company posts fake review on another’s website – still falls through the cracks.

It won’t fall far though before being caught by the Consumer Protection from Unfair Trading Regulations 2008, which prohibits companies from falsely representing themselves as a consumer. The Regulations are enforced by the Office of Fair Trading (OFT) which can impose unlimited fines for a breach. On the face of it, the OFT has more bite than the ASA. However, the OFT may be less inclined to get involved in smaller, isolated cases – such as a couple of blog posts by employees where there doesn’t appear to be any evidence of a larger astroturfing strategy.

Remember though, that even if astroturfing doesn’t result in any formal fine or sanction it could still cause serious reputational issues for your brand. Nokia and Microsoft have learnt this the hard way.

As regular Techblog readers will remember, the new rules came into force without any clear guidance on how organisations should technically comply with them – even the ICO itself appeared to be unclear as to what was required. In recognition of this, the ICO announced a year long grace period for achieving compliance.

What does the updated guidance say?
The updated guidance builds on previous guidance issued by the ICO by giving a number of examples of how compliance can be achieved. Which of these is appropriate will depend upon what the cookie is used for (and the ICO generally leaves it to the organisation to work this out).

There are a couple of points to highlight:

• Consent needs to be informed – users need to understand the potential consequences of allowing each specific cookie to be used
• There is still no browser based solution to getting consent.
• Implied consent is unlikely to be sufficient – implied consent must be based on a “definite shared understanding of what is going to happen.” The ICO’s view is that consumers do not yet have this level of awareness, but that may change over time as consumter awareness increases.
• Wherever possible cookies should be delayed until users have had a chance to understand how they are used – they should not be set as soon as the user visits the site.
• There are no exceptions for analytical cookies – the ICO’s view is that analytical cookies do not fall into the “strictly necessary” category.
• However, cookies for online shopping baskets and those that are necessary to ensure security (for example, on online banking websites) are likely to fall within the exception.
• If cookies are used on more than one website (for example, for third party behavioural advertising purposes), then in order for consent to be valid it has to be “absolutely clear” which websites the cookies will be used on, what they are used for, and exactly what the user is agreeing to.
• You can copy what the ICO does on its website, but the ICO is giving no guarantees that this approach complies with the law.

This last point is particularly disappointing. The worked examples in the new guidance will be welcomed by organisations grappling with how best to comply with the new rules (in the absence of an acceptable browser-based solution), but the reluctance of the ICO to stand behind its own approach, gives organisations little comfort that the suggested approaches in the guidance will be compliant.

Enforcement
The ICO makes clear that the lack of clarity over how the law is supposed to apply will not be accepted as an excuse for non-compliance, and that it is not acceptable for organisations to simply sit back and wait for a browser-based solution.

We’re now six months in to the 12 month transitional period for compliance, after which the ICO will start investigating complaints. The ICO states that organisations now need to be able to show that they have carried out initial assessments over cookie use, and that “sensible, measured action to move to compliance” is being undertaken.

Jon kindly included some of my comments in his blog, which was published earlier today. Here is the long form version of what I said:

BS 8878 is undoubtedly a useful tool for providing organisations with a framework to follow when commissioning new websites and apps. In turn, this makes it an important tool in assisting organisations with complying with their obligations under the Equality Act 2010.

BS 8878 is unusual in that it is a British standard that has been driven primarily to help promote and improve equality and compliance by service providers, employers and educational institutions with their legal obligations under equality law. Often standards come into existence to codify/bring together good practice, and provide an objective way of comparing organisations or easily referencing a requirement in a contract, but it is less common for them to emerge to assist with complying with law. From a lawyer’s perspective, BS 8878 exists because, unlike the building of physical premises, the law does not mandate specific accessibility requirements when building a website. It is true to say that BS 8878 does not do that either, but it does at least provide website operators with a process to follow, issues to consider, questions to ask, and pointers to external technical guidelines like the W3C’s WCAG.

BS 8878′s current standing
But BS 8878 currently sits in an awkward place.

The development of its predecessor, PAS 78 was funded and led by the Disability Rights Commission (DRC), giving endorsement from the organisation mandated with promoting compliance with the Disability Discrimination Act (and therefore implicitly saying “follow this and you’ll be ok”). However, the successor body to the DRC, the Equalities and Human Rights Commission (EHRC) did not appear to formally particpate in the development of the successor standard. So, whilst BS 8878 is mentioned (here and here) on the EHRC website, it is not formally referenced in any of the codes of practice issued by the EHRC. This is despite the EHRC’s code of practice for service providers being published three months after the launch of BS 8878. I look forward to the EHRC updating its statutory codes of practice to include a reference to BS 8878 and provide organisations with clear guidance on what it expects.

The need for education
It is clear that there is still work to be done on educating people on the use of BS 8878. When referring to it in a recent blog, I was asked why I hadn’t referred to the W3C’s WCAG instead. My answer was that whilst that particular blog may have had a techie slant to it, the majority of people involved in procuring web and app design services (or responsible for internal legislative compliance) will find BS 8878 a far more accessible (no pun intended) document than the W3C’s technical guidelines, and provides a framework that goes beyond a list of technical design requirements. BS 8878 emphasises, and this is important, that simply complying with the WCAG guidelines is unlikely to meet the requirements of the Equality Act. As BS 8878 explains, organisations can’t simply carry out an automated tick box check of the HTML, but instead need to user test the site or app itself to ensure that it actually is accessible.

So happy birthday BS 8878. It’s been a good first year, but there is still much work to do to explain to the world how you fit into the legislative framework and to educate people on your true purpose.

The School of Computing takes quite a holistic view of teaching computing, and one of the modules covers the “real world”. The School asks external experts to come in and talk to the students about things like identity theft and security standards (such as PCI-DSS), and other laws and regulations that may impact upon what they do when they get out into the working world.

The area that I talk to students about each November is disability discrimination laws and accessible design for websites and mobile apps, an area I’ve been involved with for a number of years (my honours dissertation was on this). This particular talk dovetails with the School’s technical expertise in relation to accessible and usable design.

Rather than bore the students with a dry lecture on The Law, I try to show them how it is relevant to the future careers, and why having a good understanding of the relevant laws will make them more employable, and give their future employers a competitive advantage.

There are a number of key messages that I try to get across:

• if a website or app is not designed properly, it may be inaccessible to users with disabilities;
• operators of websites and providers of mobile apps have, in their capacity as service providers educators, and employers, legal obligations not to discriminate on the grounds of disability;
• failure to do this may lead to that organisation being sued and, perhaps more importantly for a big organisation, suffer damage to its reputation;
• web and software designers will be responsible for designing and delivering those websites/apps;
• even if you are working for an independent design company, that company will have contractual liability to the client, and if a site is poorly designed the client may have the right to sue;
• public sector organisations have a legal obligation to ensure that their ITTs set out requirements in relation to accessibility – if the designer doesn’t have the skills, then it may not get the work;
• therefore understanding accessible and usable design and the legal obligations applying to your employer/clients will give you a competitive edge – whether in the job market or in winning business.

If we are doing things right, then hopefully accessible and usable design will become second nature to the web and app designers of tomorrow.

If you are involved in commissioning a new website, or a mobile app, then I recommend that you read BS 8878, a new(ish) British standard on commissioning accessible websites. It’s not a technical document, but instead a process that organisations can follow to assist with appointing a designer with appropriate accessibility expertise, and to help ensure the final output is accessible to users with disabilities.

Brian reflected on his career in business, and offered thoughts on leadership.

During the Q & A following Brian’s fascinating talk, debate amongst attendees inevitably turned  to the decline of the High Street, and how to create a successful online business.

Some great tips emerged:

• Don’t be scared of playing with pricing to attract customers, even if it means offering a loss leader.
• Make available as wide a selection as possible, at as competitive a price as possible.
• Your website has to be transactional, and ideally should support transactions made via mobile devices.
• “Classic” kind of products may yield great sales/higher margins than you think.
• Your website has to be search engine optimised. If your site isn’t on the first page of a Google search result for the name of your business, or one of your principal products – then you’re in trouble.
• If you haven’t yet read The Long Tail by Chris Anderson – then read it.
• Don’t forget your legal obligations, not least the E-Commerce Regulations.

PS a short video about the event is here. It’s worth watching, if only to check out the really hunky guy who appears around 2:27.