Lexing Barcelona Conference

| Global network of attorneys specialized in emerging technology law

Barcelona Conference September 28, 2012

#lexingbcn

First international network of lawyers focused on information technology law

Data Protection 30’ Cloud Computing 30’

Social Media 30’ Cookies 30’

New Domain Names 15’

Q & A

General Presentation … 20’

| Argentina | Belgium | Canada | France | Germany | Israel | Italy | Luxembourg | Mexico | Morocco | Norway | South Africa | Spain | Switzerland | Tunisia | United Kingdom | USA

Privacy, Cloud, Social Media & CookiesOverview of Spanish Law

Marc GALLARDO [email protected]

BARCELONA, FRIDAY, SEPTEMBER 28, 2012

mailto:[email protected]

# Data Protection

# Cookies

# Social Media

# Cloud Computing

SDPA (‘99 & ’07 & ‘10) / AEPD High and Stringent Enforcenment !€ 20.000.000 / 4000 proceedingsDraft EU Regulation (January 2012)

SDPA applies / AEPD – No specific regulationsAEPD Guidelines (June 2012) / EU Guidelines (July 2012)

SDPA applies / AEPD – No specific regulationsNo general Guidelines / EU Guidelines

Eprivacy Rule in LSSI / AEPD No general Guidelines / EU Guidelines (June 2012)

Data Controller

Data Processor

Data subjectData subject

Spanish Data Protection Law (SDPL)

rights obligations

Notification requeriments Information provision

obligations Legal basis for processing

data Confidentiality & Security Data Protection Principles

contract

OrganicLaw 1999

Regulation

2007

Legitimate interest

✓ Consent✓ Contractual relations✓ Requirements of the law

✓ Emergencies✓ Public Interest✓ Legitimate interest

Ruling Feb. 2012

legitimate interest DC

data subjectrights

DP principles

Key Obligation: process personal data lawfully

Consent: not always available or reliable criteria Legitimate interest criterion not properly incorporated The data should apeared in public sources ! Now void ->

Consent: not always available or reliable criteria Legitimate interest criterion not properly incorporated The data should apeared in public sources ! Now void ->

Cloud Computing

AmazonAWS

IBM

Microsoft

Salesforce

Google

Oracle

Arsys

Dropbox

Apple

Cloud definition

LACK OF CONTROL

LACK OF INFORMATION

Main risks

Public

Jun

Guidelines

June 2012 www.agpd.es

July 2012

No specific law regulating cloud computing but … data protection law is applicable

No specific law regulating cloud computing but … data protection law is applicable

http://www.agpd.es/

# User is the Data Controller

# CC Provider is the Data Processor

contra

ctGuidelines

Tools & Services that facilitate conversation

General View

SNS impact on all branches of law

๏ Privacy๏ Intellectual Property๏ Marketing and Consumer Protection๏ Contests and Promotions

๏ Employment๏ Free speech๏ Children protection๏ E-reputation

Internal: SM used within a company Hosted: Public SM controlled by a company Public: Public SM outside the control of a company

SNS Providers

Company as a User

Situation > 1st April

Problems

#1 Audit

#2 Put in Place Policies & Programs

#3 Implement and review

✓ Conduct a comprehensive and thorough risk assessment✓ Identify risks

✓ Evaluate the risks✓ Address the risks

✓ Implement + Review on a regular basis✓ Train employees and monitor compliance✓ Demonstrate it: a policy must be reflected in concrete practices !

Bottom line is …

GENERAL PRESENTATION #END

| Spain | Marc Gallardo | [email protected]

Page 23

THANK YOU


Proposed EU General Data Protection Regulationof January 25, 2012:

State of Play

ALAIN BENSOUSSAN [email protected]


Eu GENERAL DATA PROTECTION REGULATION - FRANCE

| France| Me Alain BENSOUSSAN |[email protected]

Page 25

What are the stakes?– harmonize the protection of personal data in the EU– ensure the effectiveness of such protection

Issue– a stronger and more coherent data protection framework in the EU

Situation– uncertain

News – International mobilization and debate on personal data protection

Introduction




Page 26

1. Strengthen the rights of individuals

2. Simplify processes for businesses

3. Extend liability

4. Impose stiffer sanctions

Agenda




Page 27

1. Strengthen the rights of individuals




Page 28

2. Simplify processes for businesses




Page 29

3. Extend liability (1)




Page 30

3. Extend liability (2)




Page 31




Page 32

€1,000,000 or

2% of annual

worldwide turnover


| France | Me Alain Bensoussan | [email protected]

ALAIN BENSOUSSAN AVOCATS 29 rue du colonel Pierre Avia Paris 15 FRANCE Tel. : 33 1 41 33 35 35 Fax : 33 1 41 33 35 36 [email protected]

Alain Bensoussan D.L : 33 1 41 33 35 09 Mob. : 33 6 19 13 44 46

[email protected]

Contact





Data Protection in the United StatesRecent Developments

Françoise GILBERTManaging Director – IT Law Group

Silicon Valley, California +1 [email protected] | www.globalprivacybook.com | francoisegilbert.com | @francoisegilbrt



| Belgium | Me Jean-François HENROTTE | [email protected]

Page 35

– Background– Overview of US data protection laws– Role of the US federal and state agencies– Recent US Government initiatives– Recent enforcement actions– Hot issues

Agenda


Page 36

– No national data protection law; but dozens of Federal sectoral laws• 1890: “Right to Privacy” defines the concept• 1966: Freedom of Information Act (access to information held by government• 1968: Wiretap Act (interception of aural communications and disclosure of these communications in court)• 1970: Fair Credit Reporting Act (credit reporting agency disclosure of credit reports)• 1974: Privacy Act (disclosure of government records)• 1974: Family Educational Rights and Privacy Act (disclosure of school records)• 1978: Right to Financial Privacy Act (banking and financial transactions)• 1978: Foreign Intelligence Surveillance Act (electronic surveillance; foreign intelligence)• 1986: Computer Fraud & Abuse Act (to reduce hacking, use of viruses)• 1986: Electronic Communication Privacy Act (stored or in transit information)• 1996: Health Insurance Portability and Accountability Act (health information)• 1998: Children Online Privacy Protection Act (children information)• 1999: Financial Services Modernization Act (GLBA) (financial information)• 2003: CAN SPAM Act (commercial messages)

– Hundreds of State sectoral laws (+ some states have constitutional rights)• Protect individuals residing in a specific state• Security breach disclosure laws• Security measure requirements• Protection of driver’s license information, medial records, etc.

US Data Protection Laws


Page 37

– No “national data protection agency”• Numerous federal agencies play role similar to that of the Data

Protection Agencies in European Union– Federal Trade Commission– Department of Health & Human Services– Financial Services Agencies– Securities & Exchange Commission

• Numerous state agencies, play similar role at the State Level– State Attorney General– Other State Agencies

– Substantial cooperation between State and Federal Agencies

Federal & State Agencies


Page 38

– Significant penalties in case of violation• FCRA: up to $500,000 total penalty per violation

– Actual penalties• Google (breach of FTC consent decree) $22.5million• ChoicePoint (breach of security) $15million• Massachusetts General Hospital (HIPPA) $4.3million• Sony $1million (COPPA)• Xanga $1million (COPPA)• CVS, Rite Aid pharmacies $1million (HIPAA + lack of security)• Spokeo $800,000 (FCRA)

Significant Penalties


Page 39

– Federal Trade Commission (FTC):• Top regulator in the US with respect to protection of personal

information• Powers under FTC Act (§5), COPPA, FCRA, HIPAA

– Numerous actions against companies for:• Failure to comply with privacy promises• Failure to provide adequate security measures for personal

information• Unclear and deceptive terms, which concealed important disclosure

regarding un-anticipated use of personal information• Failure to comply with requirements of Fair Credit Reporting Act• Failure to comply with COPPA requirements

Federal Trade Commission


Page 40

FTC Enforcement Actions


Page 41

– White House Consumer Bill of Rights (Feb. 2012)• Restates Fair Information Practice Principles

– Federal Trade Commission Report on Consumer Privacy (March 2012)

• Privacy by Design, Privacy by Default, Online Behavioral Tracking and Advertising

– Federal Trade Commission Report on Children and Mobile Apps (February 2012)

• Guidelines on mobile apps for children – Federal Trade Commission Guidelines on Mobile Apps (August 2012)

• General guidelines on the publication of mobile apps– Participation in APEC Cross Border Privacy Rules System

Recent US Efforts on Privacy


Page 42

– FTC v. Google (August 2012)• $22.5 million fine• Violation of pre-existing consent decree with FTC• FTC looked at promises made in Privacy Policy or about privacy

measures, including in Google’s representations that it complied with the NAI Code of Conduct

– FTC v. Facebook (August 2012)• Violation of representations made in Privacy Policy• Including representation that FB followed the Safe Harbor

Principles• 20-year supervision by Federal Trade Commission

Recent Enforcement Actions


Page 43

– Mobile• Mobile apps, mobile payments, mobile privacy

– BYOD• Bring your own device (to work)

– Social Media• Potential employer access to social media account

– Behavioral Marketing• Tracking devices, cookies, tags, zombie cookies

– Big Data– Cloud Computing

• Reform of Electronic Communications Privacy Act

Other Hot Issues


Page 44

Françoise GilbertIT Law Group

Palo Alto, California, USA

Email: [email protected]: +1 650-804-1235

IT Law Group: itlawgroup.comBlog: francoisegilbert.com

Book: globalprivacybook.comTwitter: @francoisegilbrt


CLOUD COMPUTINGLEGAL ISSUES UP IN THE AIR

Raffaele ZALLONE - Sébastien [email protected] - [email protected]



CLOUD COMPUTING

NATIONAL INSTITUTE OF STANDARD AND TECNOLOGY:A MODEL FOR ENABLING CONVENIENT, ON-DEMAND NETWORK ACCESS TO SHARED POOL OF COMPUTING RESOURCE

SOFTWARE AS A SERVICES SAAS OFFERS ACCESS TO A SERVICE (ES: MAIL, ACCOUNTING, SPREADSHEET)

PLATFORM AS A SERVICES PAAS OFFERS ACCESS TO DEVELOPMENT TOOLS

INFRASTRUCTURE AS A SERVICES IAASOFFERS HW+SW ON DEMAND (MEMORY, PROGRAMS, ETC)

WHAT IS CLOUD COMPUTING

THERE ARE 3 DIFFERENT SERVICES MODELS

CLOUD COMPUTING

PRIVATE CLOUDSOFFERS SERVICES TO ONE CUSTOMER ONLY MORE SIMILAR TO DATA CENTERS

PUBLIC CLOUDSAN INFRASTRUCTURE USED TO SERVE SEVERAL CUSTOMERS (ES: GMAIL)

HYBRID CLOUDSSERVICE OFFERING WITH MIXTURE OF PRIVATE / PUBLIC

CLOUD COMPUTING

CLOUD COMPUTING

CLOUD COMPUTINGMAIN ISSUES

SECURITY

CONTRACTUAL ISSUES

PRIVACYISSUES

CLOUD COMPUTING

CONTRACTUAL ISSUES: MANY ARE THE SAME AS PER OUTSOURCING CONTRACT

SERVICE LEVELS AND RELATED MEASUREMENTS

WHAT TO MEASURE AND HOW CONSEQUENCES PENALTIES

PROTECTION OF DATA (AVAILABILITY, RELIABILITY)

DATA MUST ALWAYS BE AVAILABLE, IS SUPPLIER REL IABLE?

SUB CONTRACTING: WHO AND FOR WHAT WIDE USE OF SUBCONTRACTING IS STD NEED TO HAVE AGREEMENT ON HOW TO MANAGE PROCESS AN CONTROLS

CONTINUITY OF SERVICE BACK UPS? WARRANTIES?

CHANGES OF PLATFORM / SW UPGRADES NEED TO IMPLEMENT CHANGE MANAGEMENT CONTROLS

DURATION OF CONTRACT LONG TERM vs SHORT TERM: PRO’S AND CON’S

TERMINATION OF CONTRACT AND TRANSITION TO NEW SUPPLIER

NEED TO IMPLEMENT APPROPRIATE MANAGEMENT AND PROCESSES

CLOUD COMPUTING

SPECIFIC CLOUD COMPUTING CONTRACTUAL ISSUES

LICENSE vs SERVICE IF THERE IS NO LICENSE, TERMINATION OR TRANSITION TO NEW SUPPLIER MAY BE A REAL PROBLEM

AUDITABILITY - AVAILABILITY MUST HAVE DATA ALWAYS AVAILABLE FOR AUDITSMUST BE POSSIBLE TO AUDIT SUPPLIER ITSELF

LOCATION OF DATA PRIVACY AND LIABILITY ISSUE

SUB CONTRACTORS RIGHT TO APPROVE AND AUDIT

CLOUD COMPUTING

SPECIFIC CLOUD COMPUTING CONTRACTUAL ISSUES

INTELLECTUAL PROPERTY MAKE SURE CRITICAL I.P. IS PROTECTED

OPEN vs PROPRIETARY SWITCHING TO NEW SUPPLIER MAY BE A PROBLEM

CHANGE MANAGEMENT SUPPLIER MAY DECIDE TO CHANGE SW, PLATFORM, SUBCONTRACTORS? HOW AND WITH WHAT RIGHTS/NOTICE

STANDARD CONTRACTUAL TERMS NEED OF CONTROL / FLEXIBILITY / REGULATION OF SPECIFIC ISSUES

DATA PRIVACY ISSUES ATTITUDE OF SUPPLIERS

CLOUD COMPUTING

DATA PRIVACY ISSUES

WHERE ARE THE DATA? KNOWING THE LOCATION OF DATA IS ESSENTIAL UNDER UE PRIVACY LAWS

CAN SUPPLIER TRANSFER DATA? SAME AS ABOVE

MANAGEMENT OF SUBCONTRACTORS

MUST BE APPOINTED AS DATA PROCESSORS AND MUST BE AUDITABLE, BY CUSTOMER, BY PRIVACY AUTHORITY OR OTHER BODIES

SECURITY MEASURES AUDITABILITY – LIABILITY

ACCESS DATA ARE PERSONAL DATA WHERE ARE THEY, WHO CAN ACCESS THEM, HOW LONG ARE THEY STORED FOR

OBLIGATION NOT TO USE DATA SUPPLIER AND SUBCONTRACTOR

RETURN OR DESTRUCTION OF DATA SUPPLIER AND SUBCONTRACTORS

CLOUD COMPUTING

LEGAL ISSUESLIABILITY OF CLOUD PROVIDER FOR ILLEGAL CONTENT ?

NO LIABILITY IF THE PROVIDER HAS NO KNOWLEDGE OR AWARENESS OF ILLEGAL NATURE AND REMOVES OR BLOCKS ILLEGAL DATA WHEN IT DOES GAIN KNOWLEDGE OR BECOME AWARE OF ILLEGAL NATURE (NOTICE AND TAKEDOWN)

JURISDICTIONAL ISSUES AND APPLICABLE LAW

THE CHOICE OF THE COMPETENT COURT AND OF THE APPLICABLE LAW ARE FUNDAMENTAL; IF OUTSIDE OWN COUNTRY, ANY LITIGATION CAN BECOME PROHIBITIVELY EXPENSIVE

DISPUTE RESOLUTION ARBITRATION MUST BE CONSIDERED AS ONE INTERESTING OPTION KEEPING CONFIDENTIALITY AND AVOIDING PROBLEMS LIKE CHOICE OF ANOTHER APPLICABLE LAW BY COURT

CLOUD COMPUTING

LEGAL ISSUESINTRODUCTION OF HARMFUL CODE (VIRUSES AND OTHER MALICIOUS CODE)

NEED TO RELY ON THE PROVIDER APPLYING SUFFICIENT PROTECTION AGAINST THESE DANGERS; NECESSITY OF IMPOSING OBLIGATIONS TO THE PROVIDER

US PATRIOT ACT In certain circumstances, the US PATRIOT Act allows the US government to obtain data held anywhere in the world by US companies or companies with sufficient connections to the US. This would extend to data centres based in UE that are operated by US companies and data centres based in the US operated by non-US companies.

IT PROPERTY OWNERSHIP NECESSARY TO ENSURE THAT THE AGREEMENT DOES NOT TRANSFER IP OWNERSHIP

CLOUD COMPUTING

LEGAL ISSUESISSUES PARTICULAR TO REGULATED INDUSTRIES

RULES THAT LIMIT THEIR ABILITY TO OFFSHORE THEIR OPERATIONS; EX: BANKING OR INSURANCE COMPANIES; TEST THE WATERS WITH THEIR REGULATOR BEFORE PROCEEDING WITH CLOUD COMPUTING SERVICE SOLUTIONS

SUBCONTRACTORS ALL THE RELEVANT OBLIGATIONS MUST THEREFORE APPLY ALSO TO THE SUB-PROCESSORS THROUGH CONTRACTS BETWEEN THE CLOUD PROVIDER AND SUBCONTRACTOR REFLECTING THE STIPULATIONS OF THE CONTRACT BETWEEN CLOUD CLIENT AND CLOUD PROVIDER

SPECIAL PRECAUTIONS BY THE PUBLIC SECTOR

EUROPEAN GOVERNMENTAL CLOUD AS A SUPRA NATIONAL VIRTUAL SPACE WHERE A CONSISTENT AND HARMONIZED SET OF RULES COULD BE APPLIED?

CLOUD COMPUTING

CONCLUSIONS AND RECOMMENDATIONS

CLEARLY IDENTIFY THE DATA AND THE PROCESSING THAT WILL BE ENTRUSTED TO THE CLOUD PROVIDER

EX: HEALTH DATA, WHICH CAN ONLY BE STORED BY A CLOUD PROVIDER LICENSED BY THE FRENCH MINISTRY OF HEALTH

UNDERTAKE A RISK ANALYSIS TO ENSURE THAT THE CUSTOMER IS GETTING THE RIGHT LEVEL OF SECURITY

UPDATE THE RISK ANALYSIS REGULARLY

REFER TO THE GUIDELINES OF ENISA (EUROPEAN NETWORK AND INFORMATION SECURITY AGENCY) WHEN CONDUCTING THE RISK

BE SURE TO IDENTIFY THE RIGHT KIND OF OFFER THAT IS APPROPRIATE FOR A CLOUD CUSTOMER'S BUSINESS

SAAS, PAAS, OR IAAS, PUBLIC, PRIVATE OR HYBRID CLOUD SOLUTIONS

CLOUD COMPUTING

CONCLUSIONS AND RECOMMENDATIONS Choose a cloud provider with sufficient service and privacy level guarantees

essential elements that should appear in the cloud contracts

Rethink YOUR own IT security policy such as rules on authentication of users, and employees' use of mobile devices to access the employer's network…

Ensure that the customer defines its own requirements on the technical and legal security aspects of the processing

Localization of the data, reversibility and data portability

Social Media 30’ Cookies 30’ New Domain Names 15’

Q & A


Some issues on Social Networks

Jean-François [email protected]

BARCELONA, SEPTEMBER 28, 2012


Page 60

1. How to manage issues on Social NetworksA. First, the easy wayB. Then the hard way

2. How to react if your content is removed

3. Community management, a new business



Page 61

• Social networks are not an apart world.• Almost all the annoyances of society can be

found there, but some more often :• Defamation• Harassment • Copyright infrigement • Privacy breach• …



Page 62

A. Soft Law

How to react ?

1. How to manage issue on Social Networks

B. Hard Law

Use the tools provided by social networks themselves

Use letter of formal notice, cease-and-

desist order, lawsuit,…


Page 63

Internet is a particular area where :Old fashioned legal tools are good, but…

Nothing is forgotten

Everything can be reproduced indefinitely

from a single copy

There is always someone on the lookout

1. A How to manage issue on Social Networks


Page 64

Beware of the Barbara Streisand’s effect

1.A How to manage issue on Social Networks


Page 65

Lawyers need to be careful when using letters of formal notice or lawsuits•There is a significant risk of bad publicity•There is a significant risk to attract much more attention due to a inadequate or bad reaction than to the first event in itself



Page 66

• Be quick but do not rush• Be ready to communicate if things go

wrong• Use the reporting tools implemented by

social networks• It is fast• It tackles the problem at the roots• It prevent (partly) the spread of the problem• Main issue Completely arbitrary

Some guidelines



Page 67

• First, the abuse must be defined• Break of terms and policies• Copyright (or other IP right) infrigement • Defamation• Privacy matter• Harassment• …

• Then, follow the adequate procedure

Tools to report abuse



Page 68

• Linkedinhttp://www.linkedin.com/static?key=copyright_policy&trk=hb_ft_copy

• Facebookhttp://en-gb.facebook.com/help/?page=178608028874393&ref=hcnav

• FlickRhttp://www.flickr.com/abuse/


http://www.linkedin.com/static?key=copyright_policy&trk=hb_ft_copy

http://en-gb.facebook.com/help/?page=178608028874393&ref=hcnav

http://www.flickr.com/abuse/


Page 69

• Google +http://support.google.com/plus/bin/answer.py?hl=en&answer=1253377

• YouTubehttp://www.youtube.com/t/copyright_notice?gl=BE

• Google.comhttps://www.google.com/webmasters/tools/removals?pli=1


http://support.google.com/plus/bin/answer.py?hl=en&answer=1253377

http://www.youtube.com/t/copyright_notice?gl=BE

https://www.google.com/webmasters/tools/removals?pli=1


Page 70

If :•Social network does not comply with your request, or not fast enough•You feel you need a stronger action

Unholster the usual lawyers

When the easy way is not enough

1.B How to manage issue on Social Networks


Page 71

• Easy if his real name is disclosed• May be really hard if he uses a nickname

• In Belgium, it is almost impossible∟ Due to recent case law, only the criminal judge

have the power to compel providers to disclose the identity of a user (>< Spain)

∟ But, in Belgium, criminal justice is totally overtaken and doesn’t really care about or is not really efficient to handle these cases

First issue : Identify the perpetrator



Page 72

And is in a place where you can reach him…

Then you can sue him using :∟ Criminal law if defamation or harassment

(Art. 443 and following of B. Criminal Code)∟ Copyright law∟ Civil law (Art. 1382 – 1383 of B. Civil Code)∟ Commercial law

The perpetrator is known



Page 73

Often, the first idea when faced with a problem (such as defamation) on a social network is to use Criminal Law

But (in Belgium at least):•You are not in control•Criminal procedure can be really slow•It may paralyse civil procedure

A word about Criminal Law


Page 74

Or you can’t reach him

Lodge a Criminal complaint against X

At the same time, act against the provider (social network company in this case) but :

∟ they may benefit from the exemption from liability∟ they can oppose the argument of freedom of speech∟ they can claim that they did not commit any fault

The perpetrator is unknown



Page 75

Introduced by Directive 2000/31/EC on electronic commerce

You have to prove that:•they do not fit into the category of intermediary service providers (hoster in this case) as provided by the Directive•they had previous knowledge of the illegality or had not responded adequately when they were made aware of this illegalityInjuction are still possible

Exemption from civil liability



Page 76

This right is crucial to our societies, but not absolute

You have to prove that your case stays into one of these right's limitations

Freedom of speech



Page 77

You need to prove that, once the provider has been made aware of the illegality, he commits a fault if he doesn’t react quickly to remove or to disable access to the information

The lack of fault



Page 78

It may be hard and expensive to achieve a result (suppression of the content, not even talking of

compensatory damages) with the hard way


Intermediary conclusions

Get yourself organised to control the places of discussion

Use the soft way


Page 79

• Identify the pretext used to justify the removal

• Use the counter-notice pages and tools offered by social networks

• Act at the same time against the person who lodged the complaint (when his identity is known) and try to obtain from him that he withdraws his complaint

What if your content is removed

2. How to react if your content is removed


Page 80

• A new profession related to the advent of social networks

• This business consists in managing and maintaining a community of “fans” of a brand, a company, a people,… on social networks

Community Management

3. Community management


Page 81

• Little or no education to become a community manager

• Often a poor understanding of the risks from the executives

• Risks are even greater than with spokesman• Speed and spontaneity of responses• Rapid dissemination to the community and beyond• Fans can focus on personality of the Community manager

rather than on the brand

Issues



Page 82

• In most cases, application of labor law (if the manager is an employee) or standards liability rules

• In Belgium, except for gross negligence, the employee will not be held responsible

• Particular attention should be paid to contract !

Issues



Page 83

• Who owns the contents produced by the Community Manager in case of break of contract ?

• In Belgium, transfer of IP rights has to be formally provided in the contract (>< Spain)

• Who owns the community’s members that he has attracted in case of break of contract ?

Upon hiring, it must therefore be decided



Page 84

• Who got the ownership and access codes to the account ?

• When possible, it’s better that executive opens the account themselves and then gives (limited) admin rights to the community manager + Executive should keep moderating powers in case of emergency

• It should be a good idea to write down in the contract the unique ID of the account

Upon hiring, it must therefore be decided



Page 85

• Social networks are powerful tools for communication, advertising and marketing

• Social networks are now part of our everyday life and you should use them, with care, like every other tool

Don’t Panic !

Conclusions


Page 86

Join us on

Conclusions


Page 87

• Picture of Barbara Streisand : By Allan warren (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0) or GFDL (http://www.gnu.org/copyleft/fdl.html)], via Wikimedia Commons

Credits


Regulating Cookies in Canada

Jean-François De RicoLanglois Kronström Desjardins llp


CookiesCookies

web beacons web beacons

supercookies

device datadevice datazombie cookies

Online Online Behavioural Behavioural AdvertisingAdvertising

Cookies

• File created by browser and saved on a user’s computer by website

• The cookie uniquely identifies, or “records” user information/preference

PurposesPurposes

Measuring web site usage to• Improve functionality of the site; • Fraud prevention; and • Online behavioral advertising;

Information collectedInformation collected

• IP address; • pages visited; • length of time spent on each page;• advertisements viewed; • articles read; • purchases made; • search terms; • user preferences; • operating system; • geographical location.

CLOUD COMPUTING

Europe

CanadaPage 93

Europe

Obligation to provide explanation of the type and function of cookies and obtain a user's explicit consent before installing a cookie

Canada

Based on relaxed “opt-out” framework.

Anti-spam law (CASL)An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain

activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the

Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act (S.C. 2010, c. 23)

Anti-spam law (CASL)

Expressly allows cookies to be installed on a user's computer ….provided the user's behaviour suggests he or she would consent to the installation…

(?)

General prohibitionGeneral prohibition

Installation of computer program8. (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless– (a) the person has obtained the express consent of the owner or an

authorized user of the computer system and complies with subsection 11(5); or

– (b) the person is acting in accordance with a court order.

“computer program” means data representing instructions or statements that, when executed in a computer system, causes the computer system to perform a function;

Cookie ExceptionCookie Exception

• 10 (…) (8) A person is considered to expressly consent to the installation of a computer program if

• (a) the program is– (i) a cookie,– (ii) HTML code,– (iii) Java Scripts,– (iv) an operating system,

– (v) any other program that is executable only through the use of another computer program whose installation or use the person has previously expressly consented to, or

– (vi) any other program specified in the regulations; and

• (b) the person’s conduct is such that it is reasonable to believe that they

consent to the program’s installation.

Withdrawal of consent Withdrawal of consent

Policy Position on Online Behavioural Advertising

Application of PIPEDA to the collection/use of data about individuals’ web activities for the purposes of online behavioural advertising (OBA) only.

OPC will generally consider information collected for OBA to be PI, considering that:

the purpose is creating profiles to serve targeted ads;

means available for gathering and analyzing disparate bits of data and serious possibility of identifying individuals;

The conditions under which opt-out consent to OBA can be considered acceptable are:

• Individuals are made aware of the purposes for the practice in a manner that is clear and understandable – the purposes must be made obvious and cannot be buried in a privacy policy, at or before the time of collection and provided with information about the various parties involved in OBA;

• Individuals are able to easily opt-out of the practice - ideally at or before the time the information is collected;

• The opt-out takes effect immediately and is persistent;• The information collected and used is limited, to the extent practicable, to

non-sensitive information ; and• Information collected and used is destroyed as soon as possible or

effectively de-identified

JurisdictionJurisdiction

Canadian businesses, to the extent they process and use data about individuals in the European Union, through websites that offer goods and services to European viewers or use cookies to monitor European viewer behaviour, will need to comply with the more stringent directive.


COOKIESEU & UK LAW PERSPECTIVE

Daniel PREISKELPreiskel & Co LLP

5 Fleet Place London EC4 7RDUnited Kingdom

[email protected]

BARCELONA, 28 SEPTEMBER 2012

COOKIES - EU & UK LAW PERSPECTIVE

| United Kingdom| Daniel PREISKEL| [email protected]

Page 107

• Essentials of Cookies

• Definition• EU & UK Legal Framework• EU & UK Independent Authorities• Key Issues• Enforcement & Penalties• Compliance

Table of Contents



Page 108

What is a cookie?• According to the Information Commissioner’s Office (ICO) - that is

the independent authority in UK dealing with privacy and data protection - a cookie is “a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies are then sent back to originating website on each subsequent visit. Cookies are useful because they allow a website to recognise a user’s device”

• There are several type of cookies depending on their specific features, for instance there are session cookies and persistent cookies

Essentials of Cookies



Page 109

Legal Framework• EU Directives: European Directive - 2002/58/EC - which is concerned

with the protection of privacy in the electronic communications sector, which has been amended by Directive 2009/136/EC

• UK Regulations: the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208)




Page 110

Legal Framework• Both the Directives and Regulations apply to cookies and similar

technologies for storing information

• The legal framework states that the use of cookies is only allowed if an end user has been provided with clear and comprehensive information about the purposes for which each cookie is stored and accessed on to his/her computer or mobile device and the user has given his or her informed consent




Page 111

Legal Framework• There is an exception to the requirement to provide information

about cookies and obtain consent where the use of the cookie is:

• for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

• where such storage or access is strictly necessary (i.e. essential) for the provision of an information society service requested by the subscriber or user. For instance it is likely to fall within the exception a cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket




Page 112

EU & UK Independent Authorities• European Data Privacy Supervisor is an independent supervisory

authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies

• Article 29 Working Party on the Protection of Individuals, that is an independent European advisory body on data protection and privacy set up under Article 29 of Directive 95/46/EC

• The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals




Page 113

Key issues• Cookie audit:

• Identify which type of cookies are used• Confirm the type of cookies and how intrusive they are• Confirm the purpose(s) of each cookie and whether each cookie would be

necessary to perform the services requested• Identify what data each cookie holds, and confirm whether the cookie is linked

to other data that the cookie owner holds about a user• Confirm the lifespan of each persistent cookie• Confirm whether the cookie is a first-party or third-party cookie• Double check that the company has an adequate privacy policy posted on its

website with accurate and clear information about each type of cookie used by the company




Page 114

Key issues• Ensure information about cookies and mechanisms for making

choices, are as easily accessible as possible for users of devices in which cookies are stored, so as to obtain valid and well informed consent by using:

• Prominent links• Legal foot notes and privacy policy• News items and blog posts• A clickable image or icon




Page 115

Key issues• Cookies as “equipment” and applicable law

• Use of technologies “similar” to cookies, for instance the apps to access the user’s location and/or personal information

• Multi-jurisdictional issues in the interpretation, application and enforcement of the law

• Continuing dialogue with authorities




Page 116

Enforcement & Penalties• In cases where organisations refuse or fail to comply voluntarily with

the Regulations the ICO and the Courts have a range of options to available to them to take formal action where this is necessary

• For instance the ICO may request:

• Information Notice• Undertaking• Enforcement Notice• Monetary Penalty Notice




Page 117

Compliance• The person setting the cookie is primarily responsible for compliance

with the requirements of the law

• Where third party cookies are set through a website, both parties (the website owner and the person setting the cookie) will have the responsibility for ensuring users are clearly informed about cookies and for obtaining consent




Page 118

Compliance• Providers must obtain users' consent:

• Before the cookie is set• Through an affirmative step

• For instance, providers may use pop-Up windows, message bars, header bars or splash pages, browser settings, terms and conditions, setting-led consent and/or feature-led consent just to name a few




Page 119

Conclusion

• Data protection is a complex area• Penalties & Reputational damage• Compliance is key




Page 120

Daniel [email protected]


| Germany | Belgium | Canada | Spain | USA | France | Israel | Italy | Morocco | Mexico | Norway | Switzerland

Trademark Rights Protection Mechanisms for New gTLD´s

Enrique OchoaLanglet, Carpio y Asociados

BARCELONA, 28 SEPTEMBER 2012


New GTLD´s- .love- .app- .microsoft- .barcelona- .nyc- .lawyer


- Legal Rights Objections (LRO).


WIPO Arbitration and Mediation Center has been appointed by ICANN as the

exclusive provider of dispute resolution services for trademark based “pre-

delegation” Legal Rights Objections

under ICANN’s New gTLD Program.


ICANN offers three other types of pre-delegation objection-based dispute resolution procedures which are not administered by WIPO:

- “String Confusion Objection,” - “Limited Public Interest Objection,” and - “Community Objection.”

ICANN has furthermore established a process for the ICANN Governmental Advisory Committee (GAC) to provide “GAC Advice on New gTLDs” concerning applications identified by governments as problematic.


Trademark protection mechanisms available after new gTLDs are approved. “Rights Protection Mechanisms” (RPMs).

- Trademark Clearinghouse (for use in connection with Sunrise periods and Trademark Claims services)

- Uniform Rapid Suspension system (URS), and - Post-Delegation Dispute Resolution Procedure (PDDRP).

In addition, the existing Uniform Domain Name Dispute Resolution Policy (UDRP) will be applicable to all new gTLDs.


Enrique [email protected]


| Global network of attorneys specialized in emerging technology law

GermanyBuse Heberer Fromm RechtsanwälteBernd Reinmüller, Tim Caesar & Stephan MenzemerNeue Mainzer Strasse 2860311 Frankfurt Am MainT. 0049 699 71 09 71 00F. 0049 699 71 09 72 [email protected]

BelgiumPhilippe & PartnersJean-François Henrotte & Alexandre [email protected] http://lexing.philippelaw.eu

LiègeBoulevard d’Avroy, 2804020 LiègeT. 0032 4 229 20 10F. 0032 78 15 56 56

BrusselsAvenue Louise, 2401050 BruxellesT. 0032 2 250 39 80F. 0032 78 15 56 56

CanadaLanglois, Kronström, DesjardinsRichard Ramsay & Jean-François De Ricojean-francois.derico@lkd.cawww.langloiskronstromdesjardins.com

Montreal1002, rue Sherbrooke Ouest, 28e étageH3A3L6 MontréalT. 0015 148 42 95 12F. 0015 148 45 65 73

Quebec801, Grande Allée Ouest, Bureau 300G1S1C1 QuébecT. 0014 186 50 70 00F. 0014 186 50 70 75

SpainAlliant Abogados Asociados SLPMarc GallardoGran Via Corts Catalanes 70208010 BarceloneT. 0034 93 265 58 42 F. 0034 93 265 52 [email protected]

USAIT Law GroupFrançoise Gilbert555 Bryant Street #603Palo Alto, CA 94301T. 0016 508 04 12 35F. 0016 507 35 18 [email protected]

FranceAlain Bensoussan, Isabelle Tellier& Frédéric Forsterwww.alain-bensoussan.com

Paris29, rue du Colonel Pierre AviaF75508 Paris cedex 15T. 0033 141 33 35 35F. 0033 141 33 35 [email protected]

Grenoble7, place Firmin GautierF38000 GrenobleT. 0033 476 70 09 95F. 0033 476 70 09 [email protected]

IsraelLivnat, Mayer & CoRussell D. MayerJérusalem Technology Park, Building 9, 4th FloorP.O. Box 48193 Malcha91481 Jérusalem T. 0097 226 79 95 33F. 0097 226 79 95 [email protected]

ItaliyStudio Legale ZalloneRaffaele Zallone31 Via Dell’Annunciata20121 MilanoT. 0039 229 01 35 83F. 0039 229 01 03 [email protected]

LuxembourgPhilippe & PartnersMarc Gouden & Jean-François Henrotte41 avenue de la Liberté1931 LuxembourgT. 00352 266 886F. 00352 266 887 00 [email protected]://lexing.philippelaw.eu

MoroccoBassamat & AssociéeFassi-Fihri Bassamat30 rue Mohamed Ben Brahim Al Mourrakouchi20000 CasablancaT. 00212 522 26 68 03F. 00212 522 26 68 [email protected]

MexicoLanglet, Carpio y AsociadosEnrique OchoaTorre Axis Santa FeProlongación Paseo de la Reforma # 61, PB-B1Col. Paseo de las Lomas01330 Mxico, D.F.T. 0052 55 25 91 10 70F. 0052 55 25 91 10 [email protected]

NorwayFøyen Advøkatfirma DAArve FøyenPostboks 7086 St. Olavs pl.0130 OsloT. 0047 21 93 10 00F. 0047 21 93 10 [email protected]

United KingdomPreiskel & Co LLPDanny Preiskel5 Fleet PlaceLondon EC4M 7RDT. 0044 20 7332 5640 F. 0044 20 7332 [email protected]

SwitzerlandSébastien Fanti Avocat & Notaire8B rue de Pré-Fleuri, CP 4971951 SionT. 0041 27 322 15 15F. 0041 27 322 15 [email protected]

South AfricaMichalsonsLance Michalson and John [email protected] www.michalsons.co.za

JohannesburgGround FloorTwickenham BuildingThe Campus, 57 Sloane & Cnr Main Road2021 BryanstonT. 0027 11 568 0331F. 0027 86 529 4276 Cape TownBoyes DriveSt James7945 Cape TowT. 0027 21 300 1070F. 0027 86 529 4276

TunisieCabinet Younsi & YounsiYassine Younsi4, Rue Petite Malte1001 TunisT. 00 216 71 346 564 [email protected]://younsiandyounsilawfirm.e-monsite.com

ArgentinaEstudio MilléAntonio & Rosario MilléSuipacha 1111 - piso 11C1008AAW Buenos AiresT. 0054 11 5297 7000F. 0054 11 5297-7009 [email protected]