Lawyer at the Brussels Bar Lecturer at the University of Strasbourg Assistant at the University of Brussels Data Protection & Electronic Communications Paul Van den Bulck Brussels 23 March

Introduction & Overview European Framework Data Protection General: Directive 95/46 on protection of personal data Particular: communication: Directive 2002/58 on privacy and electronic communications

General & sector specific regulations General: 95/46 Protection of personal data General data protection principles Scope? Online and offline Public & private networks Specific 2002/58 Privacy & electronic communications Specific obligations (e.g., cookies, spam) Scope? Communication service Public networks

1. General Protection: Directive 95/46 Scope: 9 Principles of Data protection Sensitive data Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life. Case Studies Privacy Policy Collection of information Delivery of information

Scope: Processing of personal data personal data: Information concerning a data subject identifiable natural person Direct or indirect Controller (EIC) or third party Legal entity: SME? IP address? Processing: any operation performed upon personal data In the EU? Quid question on Israël?

Data Protection Principles Data must be: fairly and lawfully processed; processed for specified, detailed and legitimate purposes; adequate, relevant and not excessive; accurate; not kept longer than necessary; processed in accordance with the data subject's rights; Secure and remain confidential; not transferred to countries without adequate protection (outside EU); Processing activities « must » be notified to the supervisory authority.

Case study 1: Privacy Policy Legally required? Contents The name and address of the controller and processor (contract) Purposes of the processing activity The kind of data processed: « sensitive data » The means to collect and process data (cf. cookies) Inform the data subject on his/her rights and the way he/she can exercise them The technical and organizational measures adopted to ensure the secure and confidential character Reference to general information on data protection legislation, e.g., FAQ, or the contact details privacy officer info.org.uk)

Case Study 2: collection of information Processing « shall mean any operation … whether or not by automatic means, such as collection, recording, organization, storage, disclosure by transmission, dissemination or otherwise making available, etc. » Means of collection: Data subject is aware,e.g., webform Data subject is not aware, e.g., spy ware

Case Study 3: disclosure of personal data Broad an open notion of « processing » includes « disclosure by transmission, dissemination or otherwise making available » Must be careful if you disclose personal information in a newsletter or on your website, e.g., personal contact details Lindqvist case (Sweden –European Court of Justice (2003))

2. Sector Specific regulation Directive 2002/58/EC on privacy and electronic communication One of the Directives of the new « Telecom Package » Update of Directive 97/66 on privacy and telecommunications Overview: scope contents Articulation with general framework

Sector Specific regulation Scope: « This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community. » Public networks: no private or corporate networks « Individual » communication: no broadcasting Includes: protection of the legitimate interests of subscribers who are legal persons (SME). Scope is not always very clear & distinction sometimes too academic.

Sector specific regulation Contents: clarification of some principles Cookies, spy ware Security and confidentiality Traffic & location data Directories of subscribers, e.g., yellow pages SPAM

Sector Specific regulation  Pragmatic Approach and articulation:  Directive 95/46 applies to all networks  Obligations imposed by Directive 2002/58/EC, “covered” by Directive 95/46/EC  Example: traffic data: 2002/58 (art 6) Traffic data relating to subscribers… must be erased or made anonymous when it is no longer needed for the purpose of the transmission of a communication 95/46 (art 6 (e)) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.

& Q UESTIONS c OMMENTS

Question I am the manager of a Belgium EIC and to facilitate the navigation on my site, I consider to install a cookies on the PC of the visitors. This way, I can display my site in the official language of their place of establishment (SME) or residence (German, Dutch French).

Answer: « However, such devices, for instance so-called "cookies", can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment (recital 25 of Directive 2002/58/EC) »