Hot topics on IT and data protection laws
| Global network of attorneys specialized in emerging technology law
Barcelona Conference September 28, 2012
#lexingbcn
First international network of lawyers focused on information technology law
Data Protection 30’ Cloud Computing 30’
Social Media 30’ Cookies 30’
New Domain Names 15’
Q & A
General Presentation … 20’
| Argentina | Belgium | Canada | France | Germany | Israel | Italy | Luxembourg | Mexico | Morocco | Norway | South Africa | Spain | Switzerland | Tunisia | United Kingdom | USA
Privacy, Cloud, Social Media & Cookies: Overview of Spanish Law
Marc GALLARDO [email protected]
BARCELONA, FRIDAY, SEPTEMBER 28, 2012
# Data Protection
# Cookies
# Social Media
# Cloud Computing
SDPA (‘99 & ’07 & ‘10) / AEPD
High and Stringent Enforcement! € 20.000.000 / 4000 proceedings
Draft EU Regulation (January 2012)
SDPA applies / AEPD – No specific regulations
AEPD Guidelines (June 2012) / EU Guidelines (July 2012)
SDPA applies / AEPD – No specific regulations
No general Guidelines / EU Guidelines
ePrivacy Rule in LSSI / AEPD
No general Guidelines / EU Guidelines (June 2012)
Data Controller
Data Processor
Data subject
Spanish Data Protection Law (SDPL)
rights / obligations
Notification requirements
Information provision obligations
Legal basis for processing data
Confidentiality & Security
Data Protection Principles
contract
Organic Law 1999
Regulation 2007
Legitimate interest
✓ Consent
✓ Contractual relations
✓ Requirements of the law
✓ Emergencies
✓ Public Interest
✓ Legitimate interest
Ruling Feb. 2012
legitimate interest DC
data subject rights
DP principles
Key Obligation: process personal data lawfully
Consent: not always available or reliable criteria
Legitimate interest criterion not properly incorporated
The data should appear in public sources! Now void ->
Cloud Computing
Amazon AWS
IBM
Microsoft
Salesforce
Oracle
Arsys
Dropbox
Apple
Cloud definition
LACK OF CONTROL
LACK OF INFORMATION
Main risks
Public
Guidelines
June 2012 www.agpd.es
July 2012
No specific law regulating cloud computing but … data protection law is applicable
# User is the Data Controller
# CC Provider is the Data Processor
contract
Guidelines
Tools & Services that facilitate conversation
General View
SNS impact on all branches of law
๏ Privacy
๏ Intellectual Property
๏ Marketing and Consumer Protection
๏ Contests and Promotions
๏ Employment
๏ Free speech
๏ Children protection
๏ E-reputation
Internal: SM used within a company
Hosted: Public SM controlled by a company
Public: Public SM outside the control of a company
SNS Providers
Company as a User
Situation > 1st April
Problems
#1 Audit
#2 Put in Place Policies & Programs
#3 Implement and review
✓ Conduct a comprehensive and thorough risk assessment
✓ Identify risks
✓ Evaluate the risks
✓ Address the risks
✓ Implement + Review on a regular basis
✓ Train employees and monitor compliance
✓ Demonstrate it: a policy must be reflected in concrete practices!
Bottom line is …
Proposed EU General Data Protection Regulation of January 25, 2012:
State of Play
ALAIN BENSOUSSAN [email protected]
BARCELONA, FRIDAY, SEPTEMBER 28, 2012
EU GENERAL DATA PROTECTION REGULATION - FRANCE
| France | Me Alain BENSOUSSAN | [email protected]
What are the stakes?
– harmonize the protection of personal data in the EU
– ensure the effectiveness of such protection
Issue
– a stronger and more coherent data protection framework in the EU
Situation
– uncertain
News
– International mobilization and debate on personal data protection
Introduction
1. Strengthen the rights of individuals
2. Simplify processes for businesses
3. Extend liability
4. Impose stiffer sanctions
Agenda
1. Strengthen the rights of individuals
2. Simplify processes for businesses
3. Extend liability (1)
3. Extend liability (2)
€1,000,000 or 2% of annual worldwide turnover
ALAIN BENSOUSSAN AVOCATS 29 rue du colonel Pierre Avia Paris 15 FRANCE Tel. : 33 1 41 33 35 35 Fax : 33 1 41 33 35 36 [email protected]
Alain Bensoussan D.L : 33 1 41 33 35 09 Mob. : 33 6 19 13 44 46
Contact
Data Protection in the United States: Recent Developments
Françoise GILBERT
Managing Director – IT Law Group
Silicon Valley, California +1 [email protected] | www.globalprivacybook.com | francoisegilbert.com | @francoisegilbrt
BARCELONA, FRIDAY, SEPTEMBER 28, 2012
| Belgium | Me Jean-François HENROTTE | [email protected]
– Background
– Overview of US data protection laws
– Role of the US federal and state agencies
– Recent US Government initiatives
– Recent enforcement actions
– Hot issues
Agenda
– No national data protection law; but dozens of Federal sectoral laws
• 1890: “Right to Privacy” defines the concept
• 1966: Freedom of Information Act (access to information held by government)
• 1968: Wiretap Act (interception of aural communications and disclosure of these communications in court)
• 1970: Fair Credit Reporting Act (credit reporting agency disclosure of credit reports)
• 1974: Privacy Act (disclosure of government records)
• 1974: Family Educational Rights and Privacy Act (disclosure of school records)
• 1978: Right to Financial Privacy Act (banking and financial transactions)
• 1978: Foreign Intelligence Surveillance Act (electronic surveillance; foreign intelligence)
• 1986: Computer Fraud & Abuse Act (to reduce hacking, use of viruses)
• 1986: Electronic Communication Privacy Act (stored or in transit information)
• 1996: Health Insurance Portability and Accountability Act (health information)
• 1998: Children Online Privacy Protection Act (children information)
• 1999: Financial Services Modernization Act (GLBA) (financial information)
• 2003: CAN SPAM Act (commercial messages)
– Hundreds of State sectoral laws (+ some states have constitutional rights)
• Protect individuals residing in a specific state
• Security breach disclosure laws
• Security measure requirements
• Protection of driver’s license information, medical records, etc.
US Data Protection Laws
– No “national data protection agency”
• Numerous federal agencies play role similar to that of the Data Protection Agencies in European Union
– Federal Trade Commission
– Department of Health & Human Services
– Financial Services Agencies
– Securities & Exchange Commission
• Numerous state agencies play similar role at the State Level
– State Attorney General
– Other State Agencies
– Substantial cooperation between State and Federal Agencies
Federal & State Agencies
– Significant penalties in case of violation
• FCRA: up to $500,000 total penalty per violation
– Actual penalties
• Google (breach of FTC consent decree) $22.5 million
• ChoicePoint (breach of security) $15 million
• Massachusetts General Hospital (HIPAA) $4.3 million
• Sony $1 million (COPPA)
• Xanga $1 million (COPPA)
• CVS, Rite Aid pharmacies $1 million (HIPAA + lack of security)
• Spokeo $800,000 (FCRA)
Significant Penalties
– Federal Trade Commission (FTC):
• Top regulator in the US with respect to protection of personal information
• Powers under FTC Act (§5), COPPA, FCRA, HIPAA
– Numerous actions against companies for:
• Failure to comply with privacy promises
• Failure to provide adequate security measures for personal information
• Unclear and deceptive terms, which concealed important disclosure regarding unanticipated use of personal information
• Failure to comply with requirements of Fair Credit Reporting Act
• Failure to comply with COPPA requirements
Federal Trade Commission
– White House Consumer Bill of Rights (Feb. 2012)
• Restates Fair Information Practice Principles
– Federal Trade Commission Report on Consumer Privacy (March 2012)
• Privacy by Design, Privacy by Default, Online Behavioral Tracking and Advertising
– Federal Trade Commission Report on Children and Mobile Apps (February 2012)
• Guidelines on mobile apps for children
– Federal Trade Commission Guidelines on Mobile Apps (August 2012)
• General guidelines on the publication of mobile apps
– Participation in APEC Cross Border Privacy Rules System
Recent US Efforts on Privacy
– FTC v. Google (August 2012)
• $22.5 million fine
• Violation of pre-existing consent decree with FTC
• FTC looked at promises made in Privacy Policy or about privacy measures, including in Google’s representations that it complied with the NAI Code of Conduct
– FTC v. Facebook (August 2012)
• Violation of representations made in Privacy Policy
• Including representation that FB followed the Safe Harbor Principles
• 20-year supervision by Federal Trade Commission
Recent Enforcement Actions
– Mobile
• Mobile apps, mobile payments, mobile privacy
– BYOD
• Bring your own device (to work)
– Social Media
• Potential employer access to social media account
– Behavioral Marketing
• Tracking devices, cookies, tags, zombie cookies
– Big Data
– Cloud Computing
• Reform of Electronic Communications Privacy Act
Other Hot Issues
Françoise Gilbert
IT Law Group
Palo Alto, California, USA
Email: [email protected]: +1 650-804-1235
IT Law Group: itlawgroup.com
Blog: francoisegilbert.com
Book: globalprivacybook.com
Twitter: @francoisegilbrt
CLOUD COMPUTING: LEGAL ISSUES UP IN THE AIR
Raffaele ZALLONE - Sébastien [email protected] - [email protected]
BARCELONA, FRIDAY, SEPTEMBER 28, 2012
CLOUD COMPUTING
WHAT IS CLOUD COMPUTING
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY: A MODEL FOR ENABLING CONVENIENT, ON-DEMAND NETWORK ACCESS TO A SHARED POOL OF COMPUTING RESOURCES
THERE ARE 3 DIFFERENT SERVICE MODELS
SOFTWARE AS A SERVICE (SAAS): OFFERS ACCESS TO A SERVICE (E.G. MAIL, ACCOUNTING, SPREADSHEET)
PLATFORM AS A SERVICE (PAAS): OFFERS ACCESS TO DEVELOPMENT TOOLS
INFRASTRUCTURE AS A SERVICE (IAAS): OFFERS HW+SW ON DEMAND (MEMORY, PROGRAMS, ETC.)
PRIVATE CLOUDS: OFFER SERVICES TO ONE CUSTOMER ONLY; MORE SIMILAR TO DATA CENTERS
PUBLIC CLOUDS: AN INFRASTRUCTURE USED TO SERVE SEVERAL CUSTOMERS (E.G. GMAIL)
HYBRID CLOUDS: SERVICE OFFERING WITH MIXTURE OF PRIVATE / PUBLIC
CLOUD COMPUTING: MAIN ISSUES
SECURITY
CONTRACTUAL ISSUES
PRIVACY ISSUES
CONTRACTUAL ISSUES: MANY ARE THE SAME AS PER OUTSOURCING CONTRACT
SERVICE LEVELS AND RELATED MEASUREMENTS: WHAT TO MEASURE AND HOW; CONSEQUENCES; PENALTIES
PROTECTION OF DATA (AVAILABILITY, RELIABILITY): DATA MUST ALWAYS BE AVAILABLE; IS SUPPLIER RELIABLE?
SUBCONTRACTING: WHO AND FOR WHAT; WIDE USE OF SUBCONTRACTING IS STANDARD; NEED TO HAVE AGREEMENT ON HOW TO MANAGE PROCESS AND CONTROLS
CONTINUITY OF SERVICE: BACKUPS? WARRANTIES?
CHANGES OF PLATFORM / SW UPGRADES: NEED TO IMPLEMENT CHANGE MANAGEMENT CONTROLS
DURATION OF CONTRACT: LONG TERM vs SHORT TERM, PROS AND CONS
TERMINATION OF CONTRACT AND TRANSITION TO NEW SUPPLIER: NEED TO IMPLEMENT APPROPRIATE MANAGEMENT AND PROCESSES
SPECIFIC CLOUD COMPUTING CONTRACTUAL ISSUES
LICENSE vs SERVICE: IF THERE IS NO LICENSE, TERMINATION OR TRANSITION TO NEW SUPPLIER MAY BE A REAL PROBLEM
AUDITABILITY - AVAILABILITY: MUST HAVE DATA ALWAYS AVAILABLE FOR AUDITS; MUST BE POSSIBLE TO AUDIT SUPPLIER ITSELF
LOCATION OF DATA: PRIVACY AND LIABILITY ISSUE
SUBCONTRACTORS: RIGHT TO APPROVE AND AUDIT
INTELLECTUAL PROPERTY: MAKE SURE CRITICAL I.P. IS PROTECTED
OPEN vs PROPRIETARY: SWITCHING TO NEW SUPPLIER MAY BE A PROBLEM
CHANGE MANAGEMENT: SUPPLIER MAY DECIDE TO CHANGE SW, PLATFORM, SUBCONTRACTORS? HOW AND WITH WHAT RIGHTS/NOTICE
STANDARD CONTRACTUAL TERMS: NEED OF CONTROL / FLEXIBILITY / REGULATION OF SPECIFIC ISSUES
DATA PRIVACY ISSUES: ATTITUDE OF SUPPLIERS
DATA PRIVACY ISSUES
WHERE ARE THE DATA? KNOWING THE LOCATION OF DATA IS ESSENTIAL UNDER EU PRIVACY LAWS
CAN SUPPLIER TRANSFER DATA? SAME AS ABOVE
MANAGEMENT OF SUBCONTRACTORS: MUST BE APPOINTED AS DATA PROCESSORS AND MUST BE AUDITABLE, BY CUSTOMER, BY PRIVACY AUTHORITY OR OTHER BODIES
SECURITY MEASURES: AUDITABILITY – LIABILITY
ACCESS DATA: ARE PERSONAL DATA; WHERE ARE THEY, WHO CAN ACCESS THEM, HOW LONG ARE THEY STORED FOR
OBLIGATION NOT TO USE DATA: SUPPLIER AND SUBCONTRACTOR
RETURN OR DESTRUCTION OF DATA: SUPPLIER AND SUBCONTRACTORS
LEGAL ISSUES
LIABILITY OF CLOUD PROVIDER FOR ILLEGAL CONTENT?
NO LIABILITY IF THE PROVIDER HAS NO KNOWLEDGE OR AWARENESS OF ILLEGAL NATURE AND REMOVES OR BLOCKS ILLEGAL DATA WHEN IT DOES GAIN KNOWLEDGE OR BECOME AWARE OF ILLEGAL NATURE (NOTICE AND TAKEDOWN)
JURISDICTIONAL ISSUES AND APPLICABLE LAW
THE CHOICE OF THE COMPETENT COURT AND OF THE APPLICABLE LAW ARE FUNDAMENTAL; IF OUTSIDE OWN COUNTRY, ANY LITIGATION CAN BECOME PROHIBITIVELY EXPENSIVE
DISPUTE RESOLUTION: ARBITRATION MUST BE CONSIDERED AS ONE INTERESTING OPTION, KEEPING CONFIDENTIALITY AND AVOIDING PROBLEMS LIKE CHOICE OF ANOTHER APPLICABLE LAW BY COURT
LEGAL ISSUES
INTRODUCTION OF HARMFUL CODE (VIRUSES AND OTHER MALICIOUS CODE)
NEED TO RELY ON THE PROVIDER APPLYING SUFFICIENT PROTECTION AGAINST THESE DANGERS; NECESSITY OF IMPOSING OBLIGATIONS ON THE PROVIDER
US PATRIOT ACT: In certain circumstances, the US PATRIOT Act allows the US government to obtain data held anywhere in the world by US companies or companies with sufficient connections to the US. This would extend to data centres based in the EU that are operated by US companies and data centres based in the US operated by non-US companies.
IT PROPERTY OWNERSHIP: NECESSARY TO ENSURE THAT THE AGREEMENT DOES NOT TRANSFER IP OWNERSHIP
LEGAL ISSUES
ISSUES PARTICULAR TO REGULATED INDUSTRIES
RULES THAT LIMIT THEIR ABILITY TO OFFSHORE THEIR OPERATIONS; E.G. BANKING OR INSURANCE COMPANIES; TEST THE WATERS WITH THEIR REGULATOR BEFORE PROCEEDING WITH CLOUD COMPUTING SERVICE SOLUTIONS
SUBCONTRACTORS: ALL THE RELEVANT OBLIGATIONS MUST THEREFORE APPLY ALSO TO THE SUB-PROCESSORS THROUGH CONTRACTS BETWEEN THE CLOUD PROVIDER AND SUBCONTRACTOR REFLECTING THE STIPULATIONS OF THE CONTRACT BETWEEN CLOUD CLIENT AND CLOUD PROVIDER
SPECIAL PRECAUTIONS BY THE PUBLIC SECTOR
EUROPEAN GOVERNMENTAL CLOUD AS A SUPRANATIONAL VIRTUAL SPACE WHERE A CONSISTENT AND HARMONIZED SET OF RULES COULD BE APPLIED?
CONCLUSIONS AND RECOMMENDATIONS
CLEARLY IDENTIFY THE DATA AND THE PROCESSING THAT WILL BE ENTRUSTED TO THE CLOUD PROVIDER
EX: HEALTH DATA, WHICH CAN ONLY BE STORED BY A CLOUD PROVIDER LICENSED BY THE FRENCH MINISTRY OF HEALTH
UNDERTAKE A RISK ANALYSIS TO ENSURE THAT THE CUSTOMER IS GETTING THE RIGHT LEVEL OF SECURITY
UPDATE THE RISK ANALYSIS REGULARLY
REFER TO THE GUIDELINES OF ENISA (EUROPEAN NETWORK AND INFORMATION SECURITY AGENCY) WHEN CONDUCTING THE RISK
BE SURE TO IDENTIFY THE RIGHT KIND OF OFFER THAT IS APPROPRIATE FOR A CLOUD CUSTOMER'S BUSINESS
SAAS, PAAS, OR IAAS, PUBLIC, PRIVATE OR HYBRID CLOUD SOLUTIONS
CONCLUSIONS AND RECOMMENDATIONS
Choose a cloud provider with sufficient service and privacy level guarantees
essential elements that should appear in the cloud contracts
Rethink YOUR own IT security policy such as rules on authentication of users, and employees' use of mobile devices to access the employer's network…
Ensure that the customer defines its own requirements on the technical and legal security aspects of the processing
Localization of the data, reversibility and data portability
Some issues on Social Networks
Jean-François [email protected]
BARCELONA, SEPTEMBER 28, 2012
1. How to manage issues on Social Networks
A. First, the easy way
B. Then the hard way
2. How to react if your content is removed
3. Community management, a new business
• Social networks are not a world apart.
• Almost all the annoyances of society can be found there, but some more often:
• Defamation
• Harassment
• Copyright infringement
• Privacy breach
• …
1. How to manage issues on Social Networks
How to react?
A. Soft Law: Use the tools provided by social networks themselves
B. Hard Law: Use letter of formal notice, cease-and-desist order, lawsuit, …
Old fashioned legal tools are good, but…
Internet is a particular area where:
• Nothing is forgotten
• Everything can be reproduced indefinitely from a single copy
• There is always someone on the lookout
1.A How to manage issues on Social Networks
Beware of the Barbra Streisand effect
Lawyers need to be careful when using letters of formal notice or lawsuits
• There is a significant risk of bad publicity
• There is a significant risk of attracting much more attention due to an inadequate or bad reaction than to the first event in itself
• Be quick but do not rush
• Be ready to communicate if things go wrong
• Use the reporting tools implemented by social networks
• It is fast
• It tackles the problem at the roots
• It prevents (partly) the spread of the problem
• Main issue: completely arbitrary
Some guidelines
• First, the abuse must be defined
• Breach of terms and policies
• Copyright (or other IP right) infringement
• Defamation
• Privacy matter
• Harassment
• …
• Then, follow the adequate procedure
Tools to report abuse
• LinkedIn: http://www.linkedin.com/static?key=copyright_policy&trk=hb_ft_copy
• Facebook: http://en-gb.facebook.com/help/?page=178608028874393&ref=hcnav
• Flickr: http://www.flickr.com/abuse/
• Google+: http://support.google.com/plus/bin/answer.py?hl=en&answer=1253377
• YouTube: http://www.youtube.com/t/copyright_notice?gl=BE
• Google.com: https://www.google.com/webmasters/tools/removals?pli=1
If:
• Social network does not comply with your request, or not fast enough
• You feel you need a stronger action
Unholster the usual lawyers
When the easy way is not enough
1.B How to manage issue on Social Networks
• Easy if his real name is disclosed
• May be really hard if he uses a nickname
• In Belgium, it is almost impossible
∟ Due to recent case law, only the criminal judge has the power to compel providers to disclose the identity of a user (unlike in Spain)
∟ But, in Belgium, criminal justice is totally overwhelmed and does not really care about, or is not really efficient at handling, these cases
First issue : Identify the perpetrator
The perpetrator is known
And is in a place where you can reach him…
Then you can sue him using:
∟ Criminal law if defamation or harassment (Art. 443 and following of B. Criminal Code)
∟ Copyright law
∟ Civil law (Art. 1382 – 1383 of B. Civil Code)
∟ Commercial law
Often, the first idea when faced with a problem (such as defamation) on a social network is to use Criminal Law
But (in Belgium at least):
• You are not in control
• Criminal procedure can be really slow
• It may paralyse civil procedure
A word about Criminal Law
The perpetrator is unknown
Or you can’t reach him
Lodge a criminal complaint against X
At the same time, act against the provider (social network company in this case) but:
∟ they may benefit from the exemption from liability
∟ they can oppose the argument of freedom of speech
∟ they can claim that they did not commit any fault
Exemption from civil liability
Introduced by Directive 2000/31/EC on electronic commerce
You have to prove that:
• they do not fit into the category of intermediary service providers (hoster in this case) as provided by the Directive
• they had previous knowledge of the illegality or had not responded adequately when they were made aware of this illegality
Injunctions are still possible
Freedom of speech
This right is crucial to our societies, but not absolute
You have to prove that your case falls within one of the limitations of this right
You need to prove that, once the provider has been made aware of the illegality, he commits a fault if he doesn’t react quickly to remove or to disable access to the information
The lack of fault
Intermediary conclusions
It may be hard and expensive to achieve a result (removal of the content, not to mention compensatory damages) the hard way
Get yourself organised to control the places of discussion
Use the soft way
• Identify the pretext used to justify the removal
• Use the counter-notice pages and tools offered by social networks
• Act at the same time against the person who lodged the complaint (when his identity is known) and try to obtain from him that he withdraws his complaint
What if your content is removed
2. How to react if your content is removed
• A new profession related to the advent of social networks
• This business consists in managing and maintaining a community of “fans” of a brand, a company, a person,… on social networks
Community Management
3. Community management
• Little or no education to become a community manager
• Often a poor understanding of the risks on the part of executives
• Risks are even greater than with a spokesman
• Speed and spontaneity of responses
• Rapid dissemination to the community and beyond
• Fans can focus on the personality of the community manager rather than on the brand
Issues
• In most cases, application of labor law (if the manager is an employee) or standard liability rules
• In Belgium, except for gross negligence, the employee will not be held responsible
• Particular attention should be paid to the contract!
Issues
• Who owns the contents produced by the Community Manager in case of break of contract ?
• In Belgium, transfer of IP rights has to be formally provided for in the contract (unlike in Spain)
• Who owns the community’s members that he has attracted in case of break of contract ?
Upon hiring, it must therefore be decided
• Who has ownership of, and the access codes to, the account?
• When possible, it is better that executives open the account themselves and then give (limited) admin rights to the community manager; executives should keep moderating powers in case of emergency
• It would be a good idea to write down the unique ID of the account in the contract
Upon hiring, it must therefore be decided
• Social networks are powerful tools for communication, advertising and marketing
• Social networks are now part of our everyday life and you should use them, with care, like every other tool
Don’t Panic !
Conclusions
• Picture of Barbara Streisand : By Allan warren (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0) or GFDL (http://www.gnu.org/copyleft/fdl.html)], via Wikimedia Commons
Credits
Regulating Cookies in Canada
Jean-François De Rico
Langlois Kronström Desjardins llp
BARCELONA, FRIDAY, SEPTEMBER 28, 2012
Cookies
web beacons
supercookies
device data
zombie cookies
Online Behavioural Advertising
Cookies
• File created by browser and saved on a user’s computer by website
• The cookie uniquely identifies, or “records” user information/preference
Purposes
Measuring web site usage to
• Improve functionality of the site;
• Fraud prevention; and
• Online behavioral advertising;
Information collected
• IP address;
• pages visited;
• length of time spent on each page;
• advertisements viewed;
• articles read;
• purchases made;
• search terms;
• user preferences;
• operating system;
• geographical location.
Europe
Obligation to provide explanation of the type and function of cookies and obtain a user's explicit consent before installing a cookie
Canada
Based on relaxed “opt-out” framework.
Anti-spam law (CASL)
An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act (S.C. 2010, c. 23)
Anti-spam law (CASL)
Expressly allows cookies to be installed on a user's computer … provided the user's behaviour suggests he or she would consent to the installation…
(?)
General prohibition
Installation of computer program
8. (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless
– (a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5); or
– (b) the person is acting in accordance with a court order.
“computer program” means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function;
Cookie Exception
• 10 (…) (8) A person is considered to expressly consent to the installation of a computer program if
• (a) the program is
– (i) a cookie,
– (ii) HTML code,
– (iii) Java Scripts,
– (iv) an operating system,
– (v) any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to, or
– (vi) any other program specified in the regulations; and
• (b) the person’s conduct is such that it is reasonable to believe that they consent to the program’s installation.
Withdrawal of consent
Policy Position on Online Behavioural Advertising
Application of PIPEDA to the collection/use of data about individuals’ web activities for the purposes of online behavioural advertising (OBA) only.
OPC will generally consider information collected for OBA to be PI, considering that:
the purpose is creating profiles to serve targeted ads;
means available for gathering and analyzing disparate bits of data and serious possibility of identifying individuals;
The conditions under which opt-out consent to OBA can be considered acceptable are:
• Individuals are made aware of the purposes for the practice in a manner that is clear and understandable – the purposes must be made obvious and cannot be buried in a privacy policy, at or before the time of collection and provided with information about the various parties involved in OBA;
• Individuals are able to easily opt-out of the practice - ideally at or before the time the information is collected;
• The opt-out takes effect immediately and is persistent;
• The information collected and used is limited, to the extent practicable, to non-sensitive information; and
• Information collected and used is destroyed as soon as possible or effectively de-identified
Jurisdiction
Canadian businesses, to the extent they process and use data about individuals in the European Union, through websites that offer goods and services to European viewers or use cookies to monitor European viewer behaviour, will need to comply with the more stringent directive.
COOKIES: EU & UK LAW PERSPECTIVE
Daniel PREISKEL
Preiskel & Co LLP
5 Fleet Place London EC4 7RD
United Kingdom
BARCELONA, 28 SEPTEMBER 2012
COOKIES - EU & UK LAW PERSPECTIVE
| United Kingdom| Daniel PREISKEL| [email protected]
Table of Contents
• Essentials of Cookies
• Definition
• EU & UK Legal Framework
• EU & UK Independent Authorities
• Key Issues
• Enforcement & Penalties
• Compliance
What is a cookie?
• According to the Information Commissioner’s Office (ICO), the independent authority in the UK dealing with privacy and data protection, a cookie is “a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies are then sent back to originating website on each subsequent visit. Cookies are useful because they allow a website to recognise a user’s device”
• There are several types of cookies depending on their specific features; for instance, there are session cookies and persistent cookies
Legal Framework
• EU Directives: European Directive 2002/58/EC, which is concerned with the protection of privacy in the electronic communications sector and which has been amended by Directive 2009/136/EC
• UK Regulations: the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208)
Legal Framework
• Both the Directives and Regulations apply to cookies and similar technologies for storing information
• The legal framework states that the use of cookies is only allowed if an end user has been provided with clear and comprehensive information about the purposes for which each cookie is stored on and accessed from his or her computer or mobile device, and the user has given his or her informed consent
Legal Framework
• There is an exception to the requirement to provide information about cookies and obtain consent where the use of the cookie is:
  • for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  • where such storage or access is strictly necessary (i.e. essential) for the provision of an information society service requested by the subscriber or user. For instance, a cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket is likely to fall within the exception
EU & UK Independent Authorities
• The European Data Privacy Supervisor is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies
• The Article 29 Working Party on the Protection of Individuals is an independent European advisory body on data protection and privacy set up under Article 29 of Directive 95/46/EC
• The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals
Key issues
• Cookie audit:
  • Identify which type of cookies are used
  • Confirm the type of cookies and how intrusive they are
  • Confirm the purpose(s) of each cookie and whether each cookie would be necessary to perform the services requested
  • Identify what data each cookie holds, and confirm whether the cookie is linked to other data that the cookie owner holds about a user
  • Confirm the lifespan of each persistent cookie
  • Confirm whether the cookie is a first-party or third-party cookie
  • Double check that the company has an adequate privacy policy posted on its website with accurate and clear information about each type of cookie used by the company
Key issues
• Ensure information about cookies and mechanisms for making choices are as easily accessible as possible for users of devices in which cookies are stored, so as to obtain valid and well informed consent by using:
  • Prominent links
  • Legal footnotes and privacy policy
  • News items and blog posts
  • A clickable image or icon
Key issues
• Cookies as “equipment” and applicable law
• Use of technologies “similar” to cookies, for instance apps that access the user’s location and/or personal information
• Multi-jurisdictional issues in the interpretation, application and enforcement of the law
• Continuing dialogue with authorities
Enforcement & Penalties
• In cases where organisations refuse or fail to comply voluntarily with the Regulations, the ICO and the Courts have a range of options available to them to take formal action where this is necessary
• For instance the ICO may request:
  • Information Notice
  • Undertaking
  • Enforcement Notice
  • Monetary Penalty Notice
Compliance
• The person setting the cookie is primarily responsible for compliance with the requirements of the law
• Where third party cookies are set through a website, both parties (the website owner and the person setting the cookie) will have the responsibility for ensuring users are clearly informed about cookies and for obtaining consent
Compliance
• Providers must obtain users' consent:
  • Before the cookie is set
  • Through an affirmative step
• For instance, providers may use pop-up windows, message bars, header bars or splash pages, browser settings, terms and conditions, setting-led consent and/or feature-led consent, just to name a few
Conclusion
• Data protection is a complex area
• Penalties & Reputational damage
• Compliance is key
Daniel [email protected]
| Germany | Belgium | Canada | Spain | USA | France | Israel | Italy | Morocco | Mexico | Norway | Switzerland
Trademark Rights Protection Mechanisms for New gTLDs
Enrique Ochoa
Langlet, Carpio y Asociados
BARCELONA, 28 SEPTEMBER 2012
New gTLDs
- .love
- .app
- .microsoft
- .barcelona
- .nyc
- .lawyer
- Legal Rights Objections (LRO).
WIPO Arbitration and Mediation Center has been appointed by ICANN as the exclusive provider of dispute resolution services for trademark based “pre-delegation” Legal Rights Objections under ICANN’s New gTLD Program.
ICANN offers three other types of pre-delegation objection-based dispute resolution procedures which are not administered by WIPO:
- “String Confusion Objection,”
- “Limited Public Interest Objection,” and
- “Community Objection.”
ICANN has furthermore established a process for the ICANN Governmental Advisory Committee (GAC) to provide “GAC Advice on New gTLDs” concerning applications identified by governments as problematic.
Trademark protection mechanisms available after new gTLDs are approved. “Rights Protection Mechanisms” (RPMs).
- Trademark Clearinghouse (for use in connection with Sunrise periods and Trademark Claims services)
- Uniform Rapid Suspension system (URS), and
- Post-Delegation Dispute Resolution Procedure (PDDRP).
In addition, the existing Uniform Domain Name Dispute Resolution Policy (UDRP) will be applicable to all new gTLDs.
Enrique [email protected]
| Global network of attorneys specialized in emerging technology law
Germany
Buse Heberer Fromm Rechtsanwälte
Bernd Reinmüller, Tim Caesar & Stephan Menzemer
Neue Mainzer Strasse 28
60311 Frankfurt Am Main
T. 0049 699 71 09 71 00
F. 0049 699 71 09 72 [email protected]

Belgium
Philippe & Partners
Jean-François Henrotte & Alexandre [email protected]
http://lexing.philippelaw.eu
Liège
Boulevard d’Avroy, 280
4020 Liège
T. 0032 4 229 20 10
F. 0032 78 15 56 56
Brussels
Avenue Louise, 240
1050 Bruxelles
T. 0032 2 250 39 80
F. 0032 78 15 56 56

Canada
Langlois, Kronström, Desjardins
Richard Ramsay & Jean-François De Rico
jean-francois.derico@lkd.ca
www.langloiskronstromdesjardins.com
Montreal
1002, rue Sherbrooke Ouest, 28e étage
H3A3L6 Montréal
T. 0015 148 42 95 12
F. 0015 148 45 65 73
Quebec
801, Grande Allée Ouest, Bureau 300
G1S1C1 Québec
T. 0014 186 50 70 00
F. 0014 186 50 70 75

Spain
Alliant Abogados Asociados SLP
Marc Gallardo
Gran Via Corts Catalanes 702
08010 Barcelone
T. 0034 93 265 58 42
F. 0034 93 265 52 [email protected]

USA
IT Law Group
Françoise Gilbert
555 Bryant Street #603
Palo Alto, CA 94301
T. 0016 508 04 12 35
F. 0016 507 35 18 [email protected]

France
Alain Bensoussan, Isabelle Tellier & Frédéric Forster
www.alain-bensoussan.com
Paris
29, rue du Colonel Pierre Avia
F75508 Paris cedex 15
T. 0033 141 33 35 35
F. 0033 141 33 35 [email protected]
Grenoble
7, place Firmin Gautier
F38000 Grenoble
T. 0033 476 70 09 95
F. 0033 476 70 09 [email protected]

Israel
Livnat, Mayer & Co
Russell D. Mayer
Jérusalem Technology Park, Building 9, 4th Floor
P.O. Box 48193 Malcha
91481 Jérusalem
T. 0097 226 79 95 33
F. 0097 226 79 95 [email protected]

Italy
Studio Legale Zallone
Raffaele Zallone
31 Via Dell’Annunciata
20121 Milano
T. 0039 229 01 35 83
F. 0039 229 01 03 [email protected]

Luxembourg
Philippe & Partners
Marc Gouden & Jean-François Henrotte
41 avenue de la Liberté
1931 Luxembourg
T. 00352 266 886
F. 00352 266 887 00 [email protected]://lexing.philippelaw.eu

Morocco
Bassamat & Associée
Fassi-Fihri Bassamat
30 rue Mohamed Ben Brahim Al Mourrakouchi
20000 Casablanca
T. 00212 522 26 68 03
F. 00212 522 26 68 [email protected]

Mexico
Langlet, Carpio y Asociados
Enrique Ochoa
Torre Axis Santa Fe
Prolongación Paseo de la Reforma # 61, PB-B1
Col. Paseo de las Lomas
01330 México, D.F.
T. 0052 55 25 91 10 70
F. 0052 55 25 91 10 [email protected]

Norway
Føyen Advokatfirma DA
Arve Føyen
Postboks 7086 St. Olavs pl.
0130 Oslo
T. 0047 21 93 10 00
F. 0047 21 93 10 [email protected]

United Kingdom
Preiskel & Co LLP
Danny Preiskel
5 Fleet Place
London EC4M 7RD
T. 0044 20 7332 5640
F. 0044 20 7332 [email protected]

Switzerland
Sébastien Fanti Avocat & Notaire
8B rue de Pré-Fleuri, CP 497
1951 Sion
T. 0041 27 322 15 15
F. 0041 27 322 15 [email protected]

South Africa
Michalsons
Lance Michalson and John [email protected]
www.michalsons.co.za
Johannesburg
Ground Floor
Twickenham Building
The Campus, 57 Sloane & Cnr Main Road
2021 Bryanston
T. 0027 11 568 0331
F. 0027 86 529 4276
Cape Town
Boyes Drive
St James
7945 Cape Town
T. 0027 21 300 1070
F. 0027 86 529 4276

Tunisia
Cabinet Younsi & Younsi
Yassine Younsi
4, Rue Petite Malte
1001 Tunis
T. 00 216 71 346 564 [email protected]://younsiandyounsilawfirm.e-monsite.com

Argentina
Estudio Millé
Antonio & Rosario Millé
Suipacha 1111 - piso 11
C1008AAW Buenos Aires
T. 0054 11 5297 7000
F. 0054 11 5297-7009 [email protected]