European Commission Publishes New Framework on Data Protection

As anticipated, and just days before Data Protection and Privacy Day, the European Commission has released its proposal to reform the European Union’s data protection framework. The reform—which takes shape via a regulation on data protection and a directive “protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences”—comes after years of public consultations and dialogue with stakeholders. “There is quite a buzz in Brussels today,” said IAPP Europe Managing Director Rita Di Antonio.

European Justice Commissioner Viviane Reding held a press conference at 10:30 CET to announce the changes. She said the proposals will improve the protection of Europeans’ personal data, reduce administrative burdens and save companies money.

The legislation defines personal data as “any information relating to an individual, whether it relates to his or her private, professional or public life,” including posts to social networking websites and computer IP addresses. Eduardo Ustaran, CIPP/E, partner at Field Fisher Waterhouse LLP, said the proposal “is the most radical global attempt ever to regulate the increasing exploitation of personal information.”

The changes create “a single set of European rules—valid everywhere across the EU,” Reding said in the press conference. “So, one rule for the 27 member states and the 500 million people.”

The new regulation sees national data protection authorities as the go-to regulators for organizations, meaning that an organization will only have to work with one DPA rather than many, or, as Reding described it in her press conference, “One DPA for one company—a one-stop shop.” She said this will eliminate unnecessary administrative burdens and costs to companies incurred as a result of the current need to deal with varying rules and authorities among member states. “This will save businesses around 2.3 billion euros per year,” Reding said.
Other facets of the regulation include:

A breach notification mandate: In the event of a serious breach, organizations must notify the national supervisory authority “as soon as possible (if feasible within 24 hours).”

Increased enforcement powers for data protection authorities: DPAs will be able to fine organizations that violate the rules up to €1 million or “up to 2 percent of the global annual turnover of a company.”

A data protection officer requirement: Companies with more than 250 employees and certain other organizations will be required to designate a data protection officer.

A data protection impact assessment requirement: Organizations involved in risky data processing will be required to conduct data protection impact assessments.

Explicit consent requirement: Wherever consent is required for data to be processed, it must be given explicitly, rather than assumed, according to the regulation.

Extra-territorial reach: The regulation applies to “personal data handled abroad by companies that are active in the EU market and offer their services to EU citizens.”

It is obvious, says Field Fisher Waterhouse’s Ustaran, that “the new law is targeted at companies operating on the Internet and aims to shake up the way they tackle privacy issues.” Ustaran adds, “The prospect of substantial monetary fines based on the annual worldwide turnover of a company may contribute to get the attention of some decision makers.”

The Article 29 Working Party (WP)—the advisory body comprised of national data protection authorities from EU member states—issued a press release this morning stating that it welcomes the commission’s proposals, particularly the strengthened authority for DPAs and the data breach notification requirement, but WP Chairman Jacob Kohnstamm “regrets the commission’s level of ambition in the area of police and justice and underlines the need for stronger provisions in this field.” Under the new framework, the Article 29 Working Party would be “upgraded” and renamed the European Data Protection Board.

Next, the proposal will be reviewed in the European Parliament and member states, via the Council of Ministers. “This is by no means the end of the road,” Ustaran says, predicting that “2012 will be a crucial year” in the continued evolution of the law. “Policy makers will be looking for input from all key stakeholders.”

Sources: directive; regulation; background documents and frequently asked questions.


We are deeply saddened by the loss of our very dear student Sadi TİMURTAŞ, enrolled in our Informatics and Technology Law Master's Program, who was distinguished and irreplaceable in his character, his honesty and his humanity. Sadi was not lost by his family alone. I too have lost my child, a gem of a person devoted to informatics and informatics law, who I wholeheartedly believed would one day truly have a say in, and succeed in, the field of digital forensics. All his friends at the university have also lost a very dear friend. I ask God's mercy for Sadi, and patience and strength for his family. My condolences to all his friends in the informatics law master's program and to his family.

Is a ZIP Code Personal Identification Information?

Mass. Court: ZIP Code is personal identification info under credit card statute but plaintiff must still allege harm—Tyler v. Michaels Stores (Tyler v. Michaels Stores, Inc., 2012 WL 32208 (D. Mass. Jan. 6, 2012))

Last year, the California Supreme Court held that a ZIP Code is personal identification information for purposes of a statute that restricted the type of information a retailer could collect. (See “California Supreme Court Rules That a ZIP Code is Personal Identification Information -- Pineda v. Williams-Sonoma.”) A federal court in Massachusetts recently construed a similar Massachusetts statute to reach the same conclusion, albeit for different reasons. But having found that the retailer in this case technically violated the statute, the court dismissed the case on the basis that the plaintiff failed to allege a cognizable injury.

Is a ZIP Code Personal Identification Information?

Section 105(a) of Massachusetts General Laws provides:

“No person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form. Personal identification information shall include, but shall not be limited to, a credit card holder’s address or telephone number.”

The court looked to the legislative history behind the statute and said that the Massachusetts legislature’s intent was different from California’s. While the California legislature was concerned with retailers obtaining personal identification information and using it for marketing purposes, the Massachusetts legislature was more concerned about security and fraud prevention. Thus, while Pineda looked to whether a ZIP code could be used (together with the customer’s name) to locate the individual, the court in this case focused on whether recordation of this information by a retailer poses the risk of identity theft or fraud. The court looked to Massachusetts’ identity theft statute, which defines personal identifying information as “any name or number that may be used…to assume the identity of an individual.” The court said that inputting a ZIP code in the context of a credit card transaction is similar to inputting a PIN in the context of a debit card transaction. Because the ZIP code is information that can be used along with other card holder information to commit identity theft and criminal fraud, the court said that the ZIP code is personal identification information for purposes of the statute.

Did the Retailer Write the Information on a Transaction Form?

Michaels argued that the statute does not cover electronically stored information and that the transaction form has to be a paper document. The court rejected this argument for several reasons. First, the statute applies to all credit card transactions, whether they are processed manually, electronically or through other means. The act does not distinguish between paper and electronic forms, and the court says that the risk of identity theft is present regardless of the type of transaction. The statute also permits the retailer to include information in the transaction form that is required by the credit card issuer. The retailer collects information during the transaction process (as required by the credit card issuer) and then issues the receipt, which may contain information different from the transaction form. (For example, the card number has to be truncated on the receipt under FACTA.) “The receipt is a printout of the permissible information on the transaction form, but it is not the transaction form itself.” (For what it’s worth, FACTA is also a statute aimed at curbing identity theft, but does not cover e-mailed receipts.)

Has Plaintiff Alleged Cognizable Injury?

The statute in question does not provide for statutory damages. It says only that a violation of the statute is “deemed to be an unfair and deceptive trade practice.” A claim for unfair and deceptive trade practice requires a showing of “injury and loss” and a causal connection between defendant’s practices and plaintiff’s injury. Plaintiff had not been subject to identity theft, so she had to prove injury or loss in other ways. She did not argue that she has an increased risk of identity theft. Instead, she argued that Michaels used her name and ZIP code in conjunction with a commercially available database to determine her address and phone number. The court said that her allegations are insufficient because she does not allege that Michaels acted illegally in accessing the database. She also alleged that she was injured because she received “a deluge of unwanted mail.” The court said that this is not an injury cognizable under the statute since the statute was enacted to prevent fraud. [Although not cited in the order, see Cherny v. Emigrant Bank, for the proposition that the receipt of spam is not in itself a compensable harm.]

Unjust Enrichment

Plaintiff also brought a claim for unjust enrichment. This claim is similar to the “PII-as-valuable-property” claim brought by the RockYou plaintiffs. (“Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou.”) Under this theory, her personal information is a valuable piece of property, so plaintiff should receive some compensation when she “exchanges” this information with the retailer. The court said there are two problems with this argument. First, the ZIP code is not itself valuable to Michaels. It derives value only due to “the independent work and cross-referencing necessary to obtain the full address.” Second, the court said that reasonable people would not expect compensation for turning over their ZIP code, and plaintiff did not allege that, had she known all the facts, she would have “charged” Michaels for the ZIP code.

The conclusion that plaintiff did not state a cognizable injury was the most interesting. The court dropped a giant footnote, saying that it’s not deciding this case on the basis of Article III standing, but even if it were, the result would be the same (citing In re iPhone App Litigation; Specific Media; In re Facebook Privacy Litigation). There is a big gray area here—whether a violation of a state law alone is enough to support standing, or whether even when plaintiff makes out a prima facie violation of a state statute, a plaintiff has to separately prove damages as a threshold matter. Can state legislatures circumvent Article III standing requirements? Can Congress? The court said that these issues are not implicated since the unfair trade practice statute only confers standing upon those who show that they have been injured. (My gut feeling is that Congress and state legislatures should have the power to define when a plaintiff can sue; at least they do so routinely. The court says that clarity on the standing question is forthcoming, since the Supreme Court granted cert. in Edwards v. First Am. Corp.)

The court’s conclusion on the unjust enrichment claim is also interesting. While one or two decisions accepted (at the motion to dismiss stage) the theory that personal information must be valuable because the defendant monetized it, later decisions, like this one, require plaintiffs to more clearly articulate their misappropriation theories. Just because information is valuable in someone else’s hands does not mean that their use of that information is a misappropriation of your property. It’s unclear whether the court’s rejection of plaintiff’s injuries is a result of the court’s construction of the credit card statute as aimed to combat identity theft and fraud, or whether it’s because Massachusetts’ unfair trade practices statute (like California’s) requires some out-of-pocket loss.

Overall, this decision, like many privacy lawsuits, reflects reluctance by courts to recognize informational privacy claims where they don’t easily see out-of-pocket losses. The risk of future identity theft is not getting much traction in courts. (See also Reilly v. Ceridian, a recent 3rd Circuit case.) The “personal information as currency” theory is not getting much traction in courts either. When those two theories are taken out of the mix, the plaintiff is left only to allege that the defendant violated the statute and therefore plaintiff is entitled to damages. Courts are requiring privacy plaintiffs to allege more than this.

For more on the California Supreme Court’s decision in Pineda v. Williams-Sonoma:

California Supreme Court rules that ZIP codes are personal identification information (The Privacy Advisor, March 2011)

Address Verification Service and privacy: The effect of the California Supreme Court ruling upon security (The Privacy Advisor, July 2011)

Source: Venkat Balasubramani (