Digital Law Conference Barcelona

#lexingbcn
Barcelona Conference
September 28, 2012
| G l o b a l n e t w o r k o f a / o r n e y s s p e c i a l i z e d i n e m e r g i n g t e c h n o l o g y l a w
First internaEonal network of lawyers focused on informaEon technology law
Interna(onal
17 members (worldwide) Same and unique methodology & procedures (cross-border projects) Law & Technologies (IT Law)
Integrated
Specialized

General Presenta(on

20
Data Protec(on Cloud Compu(ng Social Media Cookies
30 30
30
30
New Domain Names 15
Q & A
Privacy, Cloud, Social Media & Cookies Overview of Spanish Law

Marc GALLARDO
marc.gallardo@alliantabogados.com
| Argen(na | Belgium | Canada | France | Germany | Israel | Italy | Luxembourg | Mexico | Morocco | Norway | South Africa | Spain | Switzerland | Tunisia | United Kingdom | USA
BARCELONA, FRIDAY, SEPTEMBER 28, 2012
# Data Protec(on
SDPA (99 & 07 & 10) / AEPD High and Stringent Enforcenment ! 20.000.000 / 4000 proceedings Dra\ EU RegulaEon (January 2012)
# Cloud Compu(ng # Social Media # Cookies
SDPA applies / AEPD No specic regulaEons AEPD Guidelines (June 2012) / EU Guidelines (July 2012)
SDPA applies / AEPD No specic regulaEons No general Guidelines / EU Guidelines
Eprivacy Rule in LSSI / AEPD No general Guidelines / EU Guidelines (June 2012)
Data subject
Data Controller
contract
Data Processor
rights
obligations
Spanish Data Protection Law (SDPL)

" " " " " Notication requeriments Information provision obligations Legal basis for processing data Condentiality & Security Data Protection Principles
Organic Law 1999
Regulation 2007
Self-Employed ac(ng as traders

Professionals & Individual traders
Data rela(ng to contact persons

Secondary purpose for processing (B2B) Name, surname, job, address, tel. & fax number
Proper anonymiza(on
LegiEmate interest
Key ObligaEon: process personal data lawfully
Consent Contractual relations Requirements of the law Emergencies Public Interest Legitimate interest!
Consent: not always available or reliable criteria LegiEmate interest criterion not properly incorporated The data should apeared in public sources ! Now void ->
Ruling Feb. 2012!
data subject! rights!
legitimate ! interest DC! DP principles!
Cloud CompuEng

IBM Dropbox Amazon AWS Apple Google Arsys Salesforce
Oracle
Microsoh
Cloud deniEon
Main risks
LACK OF INFORMATION
LACK OF CONTROL
Guidelines
No specic law regulaEng cloud compuEng but data protecEon law is applicable
June ! 2012!
www.agpd.es
July ! 2012!
Jun
Guidelines
# User is the Data Controller

contract contract
# CC Provider is the Data Processor
General View
Tools & Services that facilitate conversa(on

Internal: Hosted: Public: SM used within a company Public SM controlled by a company Public SM outside the control of a company
SNS impact on all branches of law

Privacy Intellectual Property Marke(ng and Consumer Protec(on Contests and Promo(ons Employment Free speech Children protecEon E-reputa(on
SNS Providers
SNS: Informa(on Society Service

e-Commerce Liability Exemp(on No obliga(on to monitor infringements
SNS Provider is a data controller All obliga(ons rela(ng to privacy protec(ons

Children verica(on age procedures (under 14) = Authors of Apps + Adver(sers [SNS & Mobile]
Company as a User
In some circumstances, also Data Controllers

No household exemp(on
Soh Law to resolve certain disputes Intellectual Property Rights, Privacy, Iden(ty
theh, Defama(on & others
Electronic Commercial Communica(ons

Opt- in rule (B2B + B2C) & soh opt-in (if client)
Transparency (id. sender) Right to object (valid electronic address)
st April SituaEon > 1
Cookie is a small text le delivered by a website server onto the computer of visitor Mul(ple func(ons but typically used to taylor website oerings and facilitate targeted ads Rule: Informa(on + Consent before storing or gaining access to any cookie (not exempted)
Problems
Informa(on ? Consent ?
Browser / opt-out / opt-in
Guidelines on Exempted Cookies

a. Technical cookies & b. Strictly necessary cookies No enforcement over e-privacy consent rule (LSSI) ! Enforcenment possible if PD is collected (SDPA).
Bo/om line is
#1 Audit
Conduct a comprehensive and thorough risk assessment Iden(fy risks

#2 Put in Place Policies & Programs
Evaluate the risks

Address the risks
#3 Implement and review
Implement + Review on a regular basis Train employees and monitor compliance Demonstrate it: a policy must be reected in concrete pracEces !
GENERAL PRESENTATION #END
THANK YOU
Page 23
| Spain | Marc Gallardo | marc.gallardo@alliantabogados.com
Proposed EU General Data ProtecEon RegulaEon of January 25, 2012: State of Play
ALAIN BENSOUSSAN alain-bensoussan@lexing.eu
EU GENERAL DATA PROTECTION REGULATION - FRANCE
Introduc(on
What are the stakes? harmonize the protection of personal data in the EU ensure the effectiveness of such protection Issue a stronger and more coherent data protection framework in the EU Situation uncertain News International mobilization and debate on personal data protection

Page 25
| France| Me Alain BENSOUSSAN |alain-bensoussan@lexing.eu
Agenda
1. Strengthen the rights of individuals 2. Simplify processes for businesses 3. Extend liability 4. Impose s(er sanc(ons

Page 26
1. Strengthen the rights of individuals

Right to be forgouen
Right to data portability
Strengthen the rights of individuals
Clarica(on about consent
Clarica(on about the exercise of data subject rights
Page 27
2. Simplify processes for businesses

Cuvng red tape
Abolish the general obliga(on to no(fy processing
One-stop shop
Joint controllers
Mul(na(onals
Excep(on: data transfers outside the EU to a country without adequate level of protec(on
Main establishment of the processor (i.e. place of its central administra(on in the EU)
-purposes; -condi(ons; -means of processing
Joint deni(on of:
Excep(on: sensi(ve processing
Approval of BCR by one supervisory authority
Page 28
3. Extend liability (1)

Documenta(on (art. 28)
Maintain documenta(on of all processing opera(ons Obliga(on for each controller, processor and, if any, the controller's representa(ve. Content
Data protec(on ocer (art. 35)

Processing carried out by a public authority or body Processing carried out by an enterprise employing 250 persons or more Processing opera(ons which, by virtue of their nature, their scope and/or their purposes require regular and systema(c monitoring of data subjects Designated for a period of at least 2 years
No(ca(on of personal data breach (art. 31)

No later than 24 hours aher having become aware of it Otherwise, reasoned jus(ca(on should be given
Page 29
3. Extend liability (2)

Accountability (art.22)
Designa(on of a data protec(on ocer with variety of rules to ensure his independence Demonstrate by documenta(on compliance with rules on security, processing opera(ons and impact assessment Implement mechanisms to ensure the eec(veness of measures
Privacy by Design (art.23)

Deployed and implemented by default at the (me of the determina(on of the means for processing and at the (me of processing Ensure the implementa(on of data minimiza(on principle
Impact assessments (art. 33)

Specic risks presented by processing opera(ons to the rights and freedoms of data subjects This includes: informa(on on sex life, health, video surveillance, gene(c data, biometric data Content: a general descrip(on of the envisaged processing opera(ons, an assessment of the risks to the rights and freedoms of data subjects, safeguards, security measures, mechanisms to demonstrate compliance with the Regula(on
Page 30
4. Impose s(er sanc(ons (1)

- No mechanisms for requests by data subjects - No prompt response to requests by data subjects - Charging a fee for the informa(on or for responses to the requests of data subjects - Not providing informa(on, or providing incomplete informa(on, or not providing informa(on in a suciently transparent manner - Not providing access for the data subject, not rec(fying personal data, not communica(ng relevant informa(on to a recipient - Not complying with the right to be forgouen or to erasure - Not providing a copy of the personal data in electronic format - Not or not suciently maintaining documenta(on - Not or not suciently determining the respec(ve responsibili(es with co-controllers

250,000 or 0,5% of annual worldwide turnover 500,000 or 1% of annual worldwide turnover
Viola(ons

Page 31
4. Impose s(er sanc(ons(2)

- Processing personal data without any or sucient legal basis - Processing special categories of data in viola(on of the Regula(on - Not complying with an objec(on - Not complying with the condi(ons in rela(on to measures based on proling - Not implemen(ng accountability (Privacy by Design, Privacy Impact Assessment) - Not designa(ng a representa(ve - Processing data in viola(on of the Regula(on - Not aler(ng on or no(fying a personal data breach or not (mely no(fying the data breach - Not carrying out a data protec(on impact assessment - Not designa(ng a Data Protec(on Ocer - Carrying out or instruc(ng a data transfer to a third country without appropriate safeguards - Not complying with an order by the supervisory authority

1,000,000 or 2% of annual worldwide turnover
Page 32
Contact
" ALAIN BENSOUSSAN AVOCATS
Tel. : 33 1 41 33 35 35 Fax : 33 1 41 33 35 36 paris@alain-bensoussan.com
29 rue du colonel Pierre Avia Paris 15 FRANCE
" Alain Bensoussan
Mob. : 33 6 19 13 44 46 ab@alain-bensoussan.com
D.L : 33 1 41 33 35 09

| F r a n c e | M e A l a i n B e n s o u s s a n | alain-bensoussan@lexing.eu
Data ProtecEon in the United States Recent Developments

Franoise GILBERT
Managing Director IT Law Group Silicon Valley, California +1 650-804-1235
fgilbert@itlawgroup.com | www.globalprivacybook.com | francoisegilbert.com | @francoisegilbrt
Agenda
Background Overview of US data protec(on laws Role of the US federal and state agencies Recent US Government ini(a(ves Recent enforcement ac(ons Hot issues
Page 35
| Belgium | Me Jean-Franois HENROTTE | jenroue@philippelaw.eu
US Data Protec(on Laws

No na(onal data protec(on law; but dozens of Federal sectoral laws
1890: Right to Privacy denes the concept 1966: Freedom of Informa(on Act (access to informa(on held by government 1968: Wiretap Act (intercep(on of aural communica(ons and disclosure of these communica(ons in court) 1970: Fair Credit Repor(ng Act (credit repor(ng agency disclosure of credit reports) 1974: Privacy Act (disclosure of government records) 1974: Family Educa(onal Rights and Privacy Act (disclosure of school records) 1978: Right to Financial Privacy Act (banking and nancial transac(ons) 1978: Foreign Intelligence Surveillance Act (electronic surveillance; foreign intelligence) 1986: Computer Fraud & Abuse Act (to reduce hacking, use of viruses) 1986: Electronic Communica(on Privacy Act (stored or in transit informa(on) 1996: Health Insurance Portability and Accountability Act (health informa(on) 1998: Children Online Privacy Protec(on Act (children informa(on) 1999: Financial Services Moderniza(on Act (GLBA) (nancial informa(on) 2003: CAN SPAM Act (commercial messages)
Hundreds of State sectoral laws (+ some states have cons(tu(onal rights)

Protect individuals residing in a specic state Security breach disclosure laws Security measure requirements Protec(on of drivers license informa(on, medial records, etc.
Page 36
Federal & State Agencies

No na(onal data protec(on agency
Numerous federal agencies play role similar to that of the Data Protec(on Agencies in European Union
Federal Trade Commission Department of Health & Human Services Financial Services Agencies Securi(es & Exchange Commission
Numerous state agencies, play similar role at the State Level

State Auorney General Other State Agencies
Substan(al coopera(on between State and Federal Agencies

Page 37
Signicant Penal(es
Signicant penalEes in case of violaEon
FCRA: up to $500,000 total penalty per viola(on
Actual penalEes
Google (breach of FTC consent decree) $22.5million ChoicePoint (breach of security) $15million Massachuseus General Hospital (HIPPA) $4.3million Sony $1million (COPPA) Xanga $1million (COPPA) CVS, Rite Aid pharmacies $1million (HIPAA + lack of security) Spokeo $800,000 (FCRA)
Page 38
Federal Trade Commission

Federal Trade Commission (FTC):
Top regulator in the US with respect to protec(on of personal informa(on Powers under FTC Act (5), COPPA, FCRA, HIPAA
Numerous acEons against companies for:

Failure to comply with privacy promises Failure to provide adequate security measures for personal informa(on Unclear and decep(ve terms, which concealed important disclosure regarding un-an(cipated use of personal informa(on Failure to comply with requirements of Fair Credit Repor(ng Act Failure to comply with COPPA requirements

Page 39
FTC Enforcement Ac(ons

Google (Aug. 2012, Dec. 2011) Spokeo (Jun. 2012) MySpace (May 2012) RockYou (Mar. 2012) Facebook (Mar. 2011) Playdom/Disney (May. 2011) Twi/er (Mar. 2011) RiteAid Pharm (Nov. 2010) Lifelock (Nov. 2010) Sears (Sep. 2009) Sony BMG Music (Dec. 2008; Jan 2011) TJX (Aug. 2008) Reed Elsevier (Aug. 2008) ValueClick (Mar. 2008) ChoicePoint (Jan. 2006) BJ Wholesale (Sep. 2005) Microso\ (Aug. 2002) Geoci(es / Yahoo (1999)
Page 40
Recent US Eorts on Privacy

White House Consumer Bill of Rights (Feb. 2012) Restates Fair Informa(on Prac(ce Principles Federal Trade Commission Report on Consumer Privacy (March 2012)
Privacy by Design, Privacy by Default, Online Behavioral Tracking and Adver(sing
Federal Trade Commission Report on Children and Mobile Apps (February 2012)
Guidelines on mobile apps for children
Federal Trade Commission Guidelines on Mobile Apps (August 2012)

General guidelines on the publica(on of mobile apps
Par(cipa(on in APEC Cross Border Privacy Rules System

Page 41
Recent Enforcement Ac(ons

FTC v. Google (August 2012)
$22.5 million ne Viola(on of pre-exis(ng consent decree with FTC FTC looked at promises made in Privacy Policy or about privacy measures, including in Googles representa(ons that it complied with the NAI Code of Conduct
FTC v. Facebook (August 2012)

Viola(on of representa(ons made in Privacy Policy Including representa(on that FB followed the Safe Harbor Principles 20-year supervision by Federal Trade Commission
Page 42
Other Hot Issues

Mobile
Mobile apps, mobile payments, mobile privacy
BYOD
Bring your own device (to work)
Social Media
Poten(al employer access to social media account
Behavioral MarkeEng
Tracking devices, cookies, tags, zombie cookies
Big Data Cloud CompuEng

Reform of Electronic Communica(ons Privacy Act
Page 43
Franoise Gilbert
IT Law Group Palo Alto, California, USA
Email: fgilbert@itlawgroup.com Phone: +1 650-804-1235 IT Law Group: itlawgroup.com Blog: francoisegilbert.com Book: globalprivacybook.com Twiuer: @francoisegilbrt
Page 44
CLOUD COMPUTING LEGAL ISSUES UP IN THE AIR

Raaele ZALLONE - Sbas(en FANTI r.zallone@studiozallone.it - sebas(en.fan(@sebas(enfan(.ch
CLOUD COMPUTING
WHAT IS CLOUD COMPUTING

NATIONAL INSTITUTE OF STANDARD AND TECNOLOGY: A MODEL FOR ENABLING CONVENIENT, ON-DEMAND NETWORK ACCESS TO SHARED POOL OF COMPUTING RESOURCE
THERE ARE 3 DIFFERENT SERVICES MODELS

SOFTWARE AS A SERVICES SAAS OFFERS ACCESS TO A SERVICE (ES: MAIL, ACCOUNTING, SPREADSHEET) PAAS OFFERS ACCESS TO DEVELOPMENT TOOLS IAASOFFERS HW+SW ON DEMAND (MEMORY, PROGRAMS, ETC)
PLATFORM AS A SERVICES INFRASTRUCTURE AS A SERVICES
CLOUD COMPUTING
CLOUD COMPUTING
PRIVATE CLOUDS PUBLIC CLOUDS OFFERS SERVICES TO ONE CUSTOMER ONLY MORE SIMILAR TO DATA CENTERS AN INFRASTRUCTURE USED TO SERVE SEVERAL CUSTOMERS (ES: GMAIL) SERVICE OFFERING WITH MIXTURE OF PRIVATE / PUBLIC
HYBRID CLOUDS
CLOUD COMPUTING
CLOUD COMPUTING MAIN ISSUES
SECURITY
CONTRACTUAL ISSUES

PRIVACY ISSUES
CLOUD COMPUTING
CONTRACTUAL ISSUES: MANY ARE THE SAME AS PER OUTSOURCING CONTRACT

SERVICE LEVELS AND RELATED MEASUREMENTS PROTECTION OF DATA (AVAILABILITY, RELIABILITY) WHAT TO MEASURE AND HOW CONSEQUENCES PENALTIES DATA MUST ALWAYS BE AVAILABLE, IS SUPPLIER REL IABLE?
SUB CONTRACTING: WHO AND FOR WHAT WIDE USE OF SUBCONTRACTING IS STD NEED TO HAVE AGREEMENT ON HOW TO MANAGE PROCESS AN CONTROLS CONTINUITY OF SERVICE CHANGES OF PLATFORM / SW UPGRADES DURATION OF CONTRACT TERMINATION OF CONTRACT AND TRANSITION TO NEW SUPPLIER

BACK UPS? WARRANTIES? NEED TO IMPLEMENT CHANGE MANAGEMENT CONTROLS LONG TERM vs SHORT TERM: PROS AND CONS NEED TO IMPLEMENT APPROPRIATE MANAGEMENT AND PROCESSES
CLOUD COMPUTING
SPECIFIC CLOUD COMPUTING CONTRACTUAL ISSUES

LICENSE vs SERVICE IF THERE IS NO LICENSE, TERMINATION OR TRANSITION TO NEW SUPPLIER MAY BE A REAL PROBLEM MUST HAVE DATA ALWAYS AVAILABLE FOR AUDITS MUST BE POSSIBLE TO AUDIT SUPPLIER ITSELF PRIVACY AND LIABILITY ISSUE
AUDITABILITY - AVAILABILITY
LOCATION OF DATA
SUB CONTRACTORS
RIGHT TO APPROVE AND AUDIT
CLOUD COMPUTING
SPECIFIC CLOUD COMPUTING CONTRACTUAL ISSUES

INTELLECTUAL PROPERTY OPEN vs PROPRIETARY CHANGE MANAGEMENT MAKE SURE CRITICAL I.P. IS PROTECTED SWITCHING TO NEW SUPPLIER MAY BE A PROBLEM SUPPLIER MAY DECIDE TO CHANGE SW, PLATFORM, SUBCONTRACTORS? HOW AND WITH WHAT RIGHTS/NOTICE NEED OF CONTROL / FLEXIBILITY / REGULATION OF SPECIFIC ISSUES ATTITUDE OF SUPPLIERS
STANDARD CONTRACTUAL TERMS
DATA PRIVACY ISSUES
CLOUD COMPUTING
DATA PRIVACY ISSUES

WHERE ARE THE DATA? CAN SUPPLIER TRANSFER DATA? KNOWING THE LOCATION OF DATA IS ESSENTIAL UNDER UE PRIVACY LAWS SAME AS ABOVE
MANAGEMENT OF SUBCONTRACTORS MUST BE APPOINTED AS DATA PROCESSORS AND MUST BE AUDITABLE, BY CUSTOMER, BY PRIVACY AUTHORITY OR OTHER BODIES SECURITY MEASURES ACCESS DATA ARE PERSONAL DATA OBLIGATION NOT TO USE DATA RETURN OR DESTRUCTION OF DATA

AUDITABILITY LIABILITY WHERE ARE THEY, WHO CAN ACCESS THEM, HOW LONG ARE THEY STORED FOR SUPPLIER AND SUBCONTRACTOR SUPPLIER AND SUBCONTRACTORS
CLOUD COMPUTING
LEGAL ISSUES
LIABILITY OF CLOUD PROVIDER FOR ILLEGAL CONTENT ? NO LIABILITY IF THE PROVIDER HAS NO KNOWLEDGE OR AWARENESS OF ILLEGAL NATURE AND REMOVES OR BLOCKS ILLEGAL DATA WHEN IT DOES GAIN KNOWLEDGE OR BECOME AWARE OF ILLEGAL NATURE (NOTICE AND TAKEDOWN) THE CHOICE OF THE COMPETENT COURT AND OF THE APPLICABLE LAW ARE FUNDAMENTAL; IF OUTSIDE OWN COUNTRY, ANY LITIGATION CAN BECOME PROHIBITIVELY EXPENSIVE ARBITRATION MUST BE CONSIDERED AS ONE INTERESTING OPTION KEEPING CONFIDENTIALITY AND AVOIDING PROBLEMS LIKE CHOICE OF ANOTHER APPLICABLE LAW BY COURT
JURISDICTIONAL ISSUES AND APPLICABLE LAW
DISPUTE RESOLUTION
CLOUD COMPUTING
LEGAL ISSUES
INTRODUCTION OF HARMFUL CODE (VIRUSES AND OTHER MALICIOUS CODE) US PATRIOT ACT NEED TO RELY ON THE PROVIDER APPLYING SUFFICIENT PROTECTION AGAINST THESE D A N G E R S ; N E C E S S I T Y O F I M P O S I N G OBLIGATIONS TO THE PROVIDER In certain circumstances, the US PATRIOT Act allows the US government to obtain data held anywhere in the world by US companies or companies with sucient connec(ons to the US. This would extend to data centres based in UE that are operated by US companies and data centres based in the US operated by non- US companies. NECESSARY TO ENSURE THAT THE AGREEMENT DOES NOT TRANSFER IP OWNERSHIP
IT PROPERTY OWNERSHIP
CLOUD COMPUTING
LEGAL ISSUES
ISSUES PARTICULAR TO REGULATED INDUSTRIES RULES THAT LIMIT THEIR ABILITY TO OFFSHORE THEIR OPERATIONS; EX: BANKING OR INSURANCE COMPANIES; TEST THE WATERS WITH THEIR REGULATOR BEFORE PROCEEDING WITH CLOUD COMPUTING SERVICE SOLUTIONS ALL THE RELEVANT OBLIGATIONS MUST THEREFORE APPLY ALSO TO THE SUB- PROCESSORS THROUGH CONTRACTS BETWEEN THE CLOUD PROVIDER AND SUBCONTRACTOR REFLECTING THE STIPULATIONS OF THE CONTRACT BETWEEN CLOUD CLIENT AND CLOUD PROVIDER
SUBCONTRACTORS
SPECIAL PRECAUTIONS BY THE PUBLIC EUROPEAN GOVERNMENTAL CLOUD AS A SECTOR SUPRA NATIONAL VIRTUAL SPACE WHERE A CONSISTENT AND HARMONIZED SET OF RULES COULD BE APPLIED?

CLOUD COMPUTING
CONCLUSIONS AND RECOMMENDATIONS

CLEARLY IDENTIFY THE DATA AND THE EX: HEALTH DATA, WHICH CAN ONLY BE PROCESSING THAT WILL BE STORED BY A CLOUD PROVIDER LICENSED BY ENTRUSTED TO THE CLOUD PROVIDER THE FRENCH MINISTRY OF HEALTH UNDERTAKE A RISK ANALYSIS TO ENSURE THAT THE CUSTOMER IS GETTING THE RIGHT LEVEL OF SECURITY UPDATE THE RISK ANALYSIS REGULARLY REFER TO THE GUIDELINES OF ENISA (EUROPEAN NETWORK AND INFORMATION SECURITY AGENCY) WHEN CONDUCTING THE RISK
BE SURE TO IDENTIFY THE RIGHT KIND SAAS, PAAS, OR IAAS, PUBLIC, PRIVATE OR OF OFFER THAT IS APPROPRIATE FOR HYBRID CLOUD SOLUTIONS A CLOUD CUSTOMER'S BUSINESS

CLOUD COMPUTING
CONCLUSIONS AND RECOMMENDATIONS

Choose a cloud provider with essen(al elements that should appear in the sucient service and privacy level cloud contracts guarantees Rethink YOUR own IT security policy such as rules on authen(ca(on of users, and employees' use of mobile devices to access the employer's network
Ensure that the customer denes its own requirements on the technical and legal security aspects of the processing
Localiza(on of the data, reversibility and data portability
Social Media Cookies
30
30
New Domain Names
15
Q & A
BARCELONA, SEPTEMBER 28, 2012
Some issues on Social Networks

Jean-Franois HENROTTE jenroue@philippelaw.eu
Some issues on Social Networks 1. How to manage issues on Social Networks

A. First, the easy way B. Then the hard way
2. How to react if your content is removed 3. Community management, a new business

Page 60
Some issues on Social Networks Social networks are not an apart world. Almost all the annoyances of society can be found there, but some more ohen :
Defama(on Harassment Copyright infrigement Privacy breach
Page 61
1. How to manage issue on Social Networks
How to react ? A. Soh Law

Use the tools provided by social networks themselves
B. Hard Law
Use leuer of formal no(ce, cease-and- desist order, lawsuit,

Page 62
1. A How to manage issue on Social Networks
Old fashioned legal tools are good, but
Internet is a par(cular area where :

There is always someone on the lookout Nothing is forgouen Everything can be reproduced indenitely from a single copy
Page 63
1.A How to manage issue on Social Networks
Beware of the Barbara Streisands eect
Page 64
Lawyers need to be careful when using leuers of formal no(ce or lawsuits There is a signicant risk of bad publicity There is a signicant risk to auract much more a/enEon due to a inadequate or bad reac(on than to the rst event in itself
Page 65
Some guidelines Be quick but do not rush Be ready to communicate if things go wrong Use the reporEng tools implemented by social networks
It is fast It tackles the problem at the roots It prevent (partly) the spread of the problem Main issue Completely arbitrary
Page 66
Tools to report abuse First, the abuse must be dened

Break of terms and policies Copyright (or other IP right) infrigement Defama(on Privacy mauer Harassment
Page 67
Then, follow the adequate procedure

Linkedin
hup://www.linkedin.com/sta(c?key=copyright_policy&trk=hb_h_copy
Facebook
hup://en-gb.facebook.com/help/?page=178608028874393&ref=hcnav
FlickR
hup://www.ickr.com/abuse/
Page 68
Google +
hup://support.google.com/plus/bin/answer.py?hl=en&answer=1253377
YouTube
hup://www.youtube.com/t/copyright_no(ce?gl=BE
Google.com
hups://www.google.com/webmasters/tools/removals?pli=1
Page 69
1.B How to manage issue on Social Networks
When the easy way is not enough If : Social network does not comply with your request, or not fast enough You feel you need a stronger ac(on Unholster the usual lawyers
Page 70
First issue : Iden(fy the perpetrator Easy if his real name is disclosed May be really hard if he uses a nickname
In Belgium, it is almost impossible
Due to recent case law, only the criminal judge have the power to compel providers to disclose the iden(ty of a user (>< Spain) But, in Belgium, criminal jus(ce is totally overtaken and doesnt really care about or is not really ecient to handle these cases
Page 71
The perpetrator is known And is in a place where you can reach him Then you can sue him using :
Criminal law if defama(on or harassment (Art. 443 and following of B. Criminal Code) Copyright law Civil law (Art. 1382 1383 of B. Civil Code) Commercial law
Page 72
A word about Criminal Law Ohen, the rst idea when faced with a problem (such as defama(on) on a social network is to use Criminal Law But (in Belgium at least): You are not in control Criminal procedure can be really slow It may paralyse civil procedure
Page 73
The perpetrator is unknown

Or you cant reach him
Lodge a Criminal complaint against X At the same (me, act against the provider (social network company in this case) but :
they may benet from the exemp(on from liability they can oppose the argument of freedom of speech they can claim that they did not commit any fault
Page 74
Exemp(on from civil liability

Introduced by Direc(ve 2000/31/EC on electronic commerce
You have to prove that:

they do not t into the category of intermediary service providers (hoster in this case) as provided by the Direc(ve they had previous knowledge of the illegality or had not responded adequately when they were made aware of this illegality Injuc(on are s(ll possible
Page 75
Freedom of speech
This right is crucial to our socie(es, but not absolute You have to prove that your case stays into one of these right's limita(ons
Page 76
The lack of fault

You need to prove that, once the provider has been made aware of the illegality, he commits a fault if he doesnt react quickly to remove or
to disable access to the informa(on

Page 77
Intermediary conclusions
It may be hard and expensive to achieve a result (suppression of the content, not even talking of compensatory damages) with the hard way Get yourself organised to control the places of discussion Use the soh way
Page 78
2. How to react if your content is removed
What if your content is removed IdenEfy the pretext used to jus(fy the removal Use the counter-noEce pages and tools oered by social networks Act at the same (me against the person who lodged the complaint (when his iden(ty is known) and try to obtain from him that he withdraws his complaint
Page 79
3. Community management
Community Management A new profession related to the advent of social networks This business consists in managing and maintaining a community of fans of a brand, a company, a people, on social networks
Page 80
Issues
Liule or no educa(on to become a community manager Ohen a poor understanding of the risks from the execu(ves Risks are even greater than with spokesman
Speed and spontaneity of responses Rapid dissemina(on to the community and beyond Fans can focus on personality of the Community manager rather than on the brand
Page 81
Issues In most cases, applica(on of labor law (if the manager is an employee) or standards liability rules In Belgium, except for gross negligence, the employee will not be held responsible

Par(cular auen(on should be paid to contract !

Page 82
Upon hiring, it must therefore be decided Who owns the contents produced by the Community Manager in case of break of contract ?
In Belgium, transfer of IP rights has to be formally provided in the contract (>< Spain)
Who owns the communitys members that he has auracted in case of break of contract ?
Page 83
Upon hiring, it must therefore be decided Who got the ownership and access codes to the account ?
When possible, its beuer that execu(ve opens the account themselves and then gives (limited) admin rights to the community manager + Execu(ve should keep modera(ng powers in case of emergency It should be a good idea to write down in the contract the unique ID of the account
Page 84
Conclusions
Dont Panic !
Social networks are powerful tools for communica(on, adver(sing and marke(ng Social networks are now part of our everyday life and you should use them, with care, like every other tool
Page 85
Conclusions
Join us on
Page 86
Credits
Picture of Barbara Streisand : By Allan warren (Own work) [CC-BY-SA-3.0 (hup:// crea(vecommons.org/licenses/by-sa/3.0) or GFDL (hup://www.gnu.org/copyleh/fdl.html)], via Wikimedia Commons
Page 87
RegulaEng Cookies in Canada

Jean-Franois De Rico Langlois Kronstrm Desjardins llp
web beacons device data

supercookies Online Behavioural Advertising
zombie cookies
Cookies
Cookies
File created by browser and saved on a users computer by website The cookie uniquely iden(es, or records user informa(on/preference
Purposes
Measuring web site usage to Improve func(onality of the site; Fraud preven(on; and Online behavioral adver(sing;
InformaEon collected
IP address; pages visited; length of Eme spent on each page; adverEsements viewed; arEcles read; purchases made; search terms; user preferences; operaEng system; geographical locaEon.
CLOUD COMPUTING
Europe
Canada
Page 93
Europe
ObligaEon to provide explanaEon of the type and funcEon of cookies and obtain a user's explicit consent before installing a cookie
Canada
Based on relaxed opt-out framework. AnE-spam law (CASL)
An Act to promote the eciency and adaptability of the Canadian economy by regulaEng certain acEviEes that discourage reliance on electronic means of carrying out commercial acEviEes, and to amend the Canadian Radio-television and TelecommunicaEons Commission Act, the CompeEEon Act, the Personal InformaEon ProtecEon and Electronic Documents Act and the TelecommunicaEons Act (S.C. 2010, c. 23)
AnE-spam law (CASL)

Expressly allows cookies to be installed on a user's computer .provided the user's behaviour suggests he or she would consent to the installaEon (?)
General prohibiEon
InstallaEon of computer program 8. (1) A person must not, in the course of a commercial ac(vity, install or cause to be installed a computer program on any other persons computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless (a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsec(on 11(5); or (b) the person is ac(ng in accordance with a court order.
computer program means data represen(ng instruc(ons or statements that, when executed in a computer system, causes the computer system to perform a func(on;
Cookie ExcepEon
10 () (8) A person is considered to expressly consent to the installaEon of a computer program if (a) the program is (i) a cookie,
(ii) HTML code, (iii) Java Scripts, (iv) an opera(ng system,
(v) any other program that is executable only through the use of another computer program whose installa(on or use the person has previously expressly consented to, or
(vi) any other program specied in the regula(ons; and
(b) the persons conduct is such that it is reasonable to believe that they consent to the programs installaEon
Withdrawal of consent
Policy PosiEon on Online Behavioural AdverEsing
Applica(on of PIPEDA to the collec(on/use of data about individuals web ac(vi(es for the purposes of online behavioural adver(sing (OBA) only.
OPC will generally consider informa(on collected for OBA to be PI, considering that:
the purpose is crea(ng proles to serve targeted ads; means available for gathering and analyzing disparate bits of data and serious possibility of iden(fying individuals;
The condi(ons under which opt-out consent to OBA can be considered acceptable are:
Individuals are made aware of the purposes for the prac(ce in a manner that is clear and understandable the purposes must be made obvious and cannot be buried in a privacy policy, at or before the (me of collec(on and provided with informa(on about the various par(es involved in OBA; Individuals are able to easily opt-out of the prac(ce - ideally at or before the (me the informa(on is collected; The opt-out takes eect immediately and is persistent; The informa(on collected and used is limited, to the extent prac(cable, to non-sensi(ve informa(on ; and Informa(on collected and used is destroyed as soon as possible or eec(vely de-iden(ed
JurisdicEon
Canadian businesses, to the extent they process and use data about individuals in the European Union, through websites that oer goods and services to European viewers or use cookies to monitor European viewer behaviour, will need to comply with the more stringent direc(ve.
BARCELONA, 28 SEPTEMBER 2012
COOKIES EU & UK LAW PERSPECTIVE

Daniel PREISKEL Preiskel & Co LLP
5 Fleet Place London EC4 7RD United Kingdom dpreiskel@preiskel.com
COOKIES - EU & UK LAW PERSPECTIVE
Table of Contents Essen(als of Cookies

Deni(on EU & UK Legal Framework EU & UK Independent Authori(es Key Issues Enforcement & Penal(es Compliance
Page 107

| United Kingdom| Daniel PREISKEL| dpreiskel@preiskel.com
Essen(als of Cookies What is a cookie?

According to the Informa(on Commissioners Oce (ICO) - that is the independent authority in UK dealing with privacy and data protec(on - a cookie is a small le, typically of le?ers and numbers, downloaded on to a device when the user accesses certain websites. Cookies are then sent back to originaFng website on each subsequent visit. Cookies are useful because they allow a website to recognise a users device

There are several type of cookies depending on their specic features, for instance there are session cookies and persistent cookies
Page 108
Essen(als of Cookies Legal Framework

EU DirecEves: European Direc(ve - 2002/58/EC - which is concerned with the protec(on of privacy in the electronic communica(ons sector, which has been amended by Direc(ve 2009/136/EC

UK RegulaEons: the Privacy and Electronic Communica(ons (EC Direc(ve) Regula(ons 2003 (SI 2003/2426) as amended by the Privacy and Electronic Communica(ons (EC Direc(ve) (Amendment) Regula(ons 2011 (SI 2011/1208)
Page 109

Both the Direc(ves and Regula(ons apply to cookies and similar technologies for storing informa(on

The legal framework states that the use of cookies is only allowed if an end user has been provided with clear and comprehensive informa(on about the purposes for which each cookie is stored and accessed on to his/her computer or mobile device and the user has given his or her informed consent
Page 110

There is an excep(on to the requirement to provide informa(on about cookies and obtain consent where the use of the cookie is:

for the sole purpose of carrying out the transmission of a communica(on over an electronic communica(ons network; or

where such storage or access is strictly necessary (i.e. essen(al) for the provision of an informa(on society service requested by the subscriber or user. For instance it is likely to fall within the excep(on a cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket
Page 111
Essen(als of Cookies EU & UK Independent Authori(es

European Data Privacy Supervisor is an independent supervisory authority devoted to protec(ng personal data and privacy and promo(ng good prac(ce in the EU ins(tu(ons and bodies

Ar(cle 29 Working Party on the Protec(on of Individuals, that is an independent European advisory body on data protec(on and privacy set up under Ar(cle 29 of Direc(ve 95/46/EC

The Informa(on Commissioners Oce is the UKs independent authority set up to uphold informa(on rights in the public interest, promo(ng openness by public bodies and data privacy for individuals
Page 112
Essen(als of Cookies Key issues

Cookie audit:

Iden(fy which type of cookies are used Conrm the type of cookies and how intrusive they are Conrm the purpose(s) of each cookie and whether each cookie would be necessary to perform the services requested Iden(fy what data each cookie holds, and conrm whether the cookie is linked to other data that the cookie owner holds about a user Conrm the lifespan of each persistent cookie Conrm whether the cookie is a rst-party or third-party cookie Double check that the company has an adequate privacy policy posted on its website with accurate and clear informa(on about each type of cookie used by the company
Page 113

Ensure informa(on about cookies and mechanisms for making choices, are as easily accessible as possible for users of devices in which cookies are stored, so as to obtain valid and well informed consent by using:

Prominent links Legal foot notes and privacy policy News items and blog posts A clickable image or icon
Page 114

Cookies as equipment and applicable law

Use of technologies similar to cookies, for instance the apps to access the users loca(on and/or personal informa(on

Mul(-jurisdic(onal issues in the interpreta(on, applica(on and enforcement of the law

Con(nuing dialogue with authori(es
Page 115
Essen(als of Cookies Enforcement & Penal(es

In cases where organisa(ons refuse or fail to comply voluntarily with the Regula(ons the ICO and the Courts have a range of op(ons to available to them to take formal ac(on where this is necessary For instance the ICO may request:

Informa(on No(ce Undertaking Enforcement No(ce Monetary Penalty No(ce
Page 116
Essen(als of Cookies Compliance

The person sevng the cookie is primarily responsible for compliance with the requirements of the law

Where third party cookies are set through a website, both par(es (the website owner and the person sevng the cookie) will have the responsibility for ensuring users are clearly informed about cookies and for obtaining consent
Page 117
Essen(als of Cookies Compliance

Providers must obtain users' consent:

Before the cookie is set Through an arma(ve step

For instance, providers may use pop-Up windows, message bars, header bars or splash pages, browser sevngs, terms and condi(ons, sevng-led consent and/or feature-led consent just to name a few
Page 118
Essen(als of Cookies Conclusion

Data protec(on is a complex area Penal(es & Reputa(onal damage Compliance is key
Page 119
Essen(als of Cookies
Daniel PREISKEL dpreiskel@preiskel.com
Page 120
Trademark Rights ProtecEon Mechanisms for New gTLDs

BARCELONA, 28 SEPTEMBER 2012
| G e r m a n y | B e l g i u m | C a n a d a | S p a i n | U S A | F r a n c e | I s r a e l | I t a l y | M o r o c c o | M e x i c o | N o r w a y | S w i t z e r l a n d
Enrique Ochoa Langlet, Carpio y Asociados
New GTLDs - .love - .app - .microsoh - .barcelona - .nyc - .lawyer

- Legal Rights Objec(ons (LRO).
WIPO Arbitra(on and Media(on Center has been appointed by ICANN as the exclusive provider of dispute resolu(on services for trademark based pre- delega(on Legal Rights Objec(ons under ICANNs New gTLD Program.
ICANN oers three other types of pre-delega(on objec(on-based dispute resolu(on procedures which are not administered by WIPO: - String Confusion Objec(on, - Limited Public Interest Objec(on, and - Community Objec(on. ICANN has furthermore established a process for the ICANN Governmental Advisory Commiuee (GAC) to provide GAC Advice on New gTLDs concerning applica(ons iden(ed by governments as problema(c.
Trademark protecEon mechanisms available a\er new gTLDs are approved. Rights ProtecEon Mechanisms (RPMs). - Trademark Clearinghouse (for use in connec(on with Sunrise periods and Trademark Claims services) - Uniform Rapid Suspension system (URS), and - Post-Delega(on Dispute Resolu(on Procedure (PDDRP). In addi(on, the exis(ng Uniform Domain Name Dispute Resolu(on Policy (UDRP) will be applicable to all new gTLDs.
Enrique Ochoa eochoa@lclaw.com.mx

ArgenEna
Estudio Mill Antonio & Rosario Mill Suipacha 1111 - piso 11 C1008AAW Buenos Aires T. 0054 11 5297 7000 F. 0054 11 5297-7009 estudio@mille.com.ar www.mille.com.ar
Belgium
Philippe & Partners Jean-Franois Henroue & Alexandre Cruquenaire jenroue@philippelaw.eu hup:// lexing.philippelaw.eu Lige Boulevard dAvroy, 280 4020 Lige T. 0032 4 229 20 10 F. 0032 78 15 56 56 Brussels Avenue Louise, 240 1050 Bruxelles T. 0032 2 250 39 80 F. 0032 78 15 56 56
Canada
Langlois, Kronstrm, Desjardins Richard Ramsay & Jean-Franois De Rico jean-francois.derico@lkd.ca www.langloiskronstromdesjardins.com Montreal 1002, rue Sherbrooke Ouest, 28e tage H3A3L6 Montral T. 0015 148 42 95 12 F. 0015 148 45 65 73 Quebec 801, Grande Alle Ouest, Bureau 300 G1S1C1 Qubec T. 0014 186 50 70 00 F. 0014 186 50 70 75
France
Alain Bensoussan, Isabelle Tellier & Frdric Forster www.alain-bensoussan.com Paris 29, rue du Colonel Pierre Avia F75508 Paris cedex 15 T. 0033 141 33 35 35 F. 0033 141 33 35 36 paris@alain-bensoussan.com Grenoble 7, place Firmin Gau(er F38000 Grenoble T. 0033 476 70 09 95 F. 0033 476 70 09 96 grenoble@alain-bensoussan.com
Germany
Buse Heberer Fromm Rechtsanwlte Bernd Reinmller, Tim Caesar & Stephan Menzemer Neue Mainzer Strasse 28 60311 Frankfurt Am Main T. 0049 699 71 09 71 00 F. 0049 699 71 09 72 00 reinmueller@buse.de www.buse.de
Israel
Livnat, Mayer & Co Russell D. Mayer Jrusalem Technology Park, Building 9, 4th Floor P.O. Box 48193 Malcha 91481 Jrusalem T. 0097 226 79 95 33 F. 0097 226 79 95 22 mayer@lmf.co.il www.livmaylaw.co.il
Italiy
Studio Legale Zallone Raaele Zallone 31 Via DellAnnunciata 20121 Milano T. 0039 229 01 35 83 F. 0039 229 01 03 04 r.zallone@studiozallone.it www.studiovallone.it
Luxembourg
Philippe & Partners Marc Gouden & Jean-Franois Henroue 41 avenue de la Libert 1931 Luxembourg T. 00352 266 886 F. 00352 266 887 00 luxembourg@philippelaw.eu hup://lexing.philippelaw.eu
Mexico
Langlet, Carpio y Asociados Enrique Ochoa Torre Axis Santa Fe Prolongacin Paseo de la Reforma # 61, PB-B1 Col. Paseo de las Lomas 01330 Mxico, D.F. T. 0052 55 25 91 10 70 F. 0052 55 25 91 10 40 eochoa@lclaw.com.mx www.lclaw.com.mx
Morocco
Bassamat & Associe Fassi-Fihri Bassamat 30 rue Mohamed Ben Brahim Al Mourrakouchi 20000 Casablanca T. 00212 522 26 68 03 F. 00212 522 26 68 07 contact@cabinetbassamat.com www.cabinetbassamat.com
Norway
Fyen Advkairma DA Arve Fyen Postboks 7086 St. Olavs pl. 0130 Oslo T. 0047 21 93 10 00 F. 0047 21 93 10 01 arve.foyen@foyen.no www.foyen.no
South Africa
Michalsons Lance Michalson and John Giles lance@michalsons.co.za www.michalsons.co.za Johannesburg Ground Floor Twickenham Building The Campus, 57 Sloane & Cnr Main Road 2021 Bryanston T. 0027 11 568 0331 F. 0027 86 529 4276 Cape Town Boyes Drive St James 7945 Cape Tow T. 0027 21 300 1070 F. 0027 86 529 4276
Spain
Alliant Abogados Asociados SLP Marc Gallardo Gran Via Corts Catalanes 702 08010 Barcelone T. 0034 93 265 58 42 F. 0034 93 265 52 90 marc.gallardo@alliantabogados.com www.alliantabogados.com
Switzerland
SbasEen FanE Avocat & Notaire 8B rue de Pr-Fleuri, CP 497 1951 Sion T. 0041 27 322 15 15 F. 0041 27 322 15 70 sebas(en.fan(@sebas(enfan(.ch www.sebas(enfan(.ch
Tunisie
Cabinet Younsi & Younsi Yassine Younsi 4, Rue Pe(te Malte 1001 Tunis T. 00 216 71 346 564 cabinetyounsi_younsi@yahoo.fr hup://younsiandyounsilawrm.e- monsite.com
United Kingdom
Preiskel & Co LLP Danny Preiskel 5 Fleet Place London EC4M 7RD T. 0044 20 7332 5640 F. 0044 20 7332 5641 dpreiskel@preiskel.com www.preiskel.com
USA
IT Law Group Franoise Gilbert 555 Bryant Street #603 Palo Alto, CA 94301 T. 0016 508 04 12 35 F. 0016 507 35 18 01 fgilbert@itlawgroup.com www.itlawgroup.com
| G l o b a l n e t w o r k o f a / o r n e y s s p e c i a l i z e d i n e m e r g i n g t e c h n o l o g y l a w

Digital Law Conference Barcelona

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Digital Law Conference Barcelona

Uploaded by

Copyright:

Available Formats

#lexingbcn

First internaEonal network of lawyers focused on informaEon technology law

Data Protec(on Cloud Compu(ng Social Media Cookies

New Domain Names 15

Privacy, Cloud, Social Media & Cookies Overview of Spanish Law

BARCELONA, FRIDAY, SEPTEMBER 28, 2012

# Cloud Compu(ng # Social Media # Cookies

SDPA applies / AEPD No specic regulaEons No general Guidelines / EU Guidelines

Eprivacy Rule in LSSI / AEPD No general Guidelines / EU Guidelines (June 2012)

Spanish Data Protection Law (SDPL)

Organic Law 1999

Self-Employed ac(ng as traders

Data rela(ng to contact persons

data subject! rights!

legitimate ! interest DC! DP principles!

IBM Dropbox Amazon AWS Apple Google Arsys Salesforce

# User is the Data Controller

# CC Provider is the Data Processor

Tools & Services that facilitate conversa(on

SNS impact on all branches of law

SNS: Informa(on Society Service

SNS Provider is a data controller All obliga(ons rela(ng to privacy protec(ons

In some circumstances, also Data Controllers

Electronic Commercial Communica(ons

Transparency (id. sender) Right to object (valid electronic address)

st April SituaEon > 1

Guidelines on Exempted Cookies

Conduct a comprehensive and thorough risk assessment Iden(fy risks

Evaluate the risks

GENERAL PRESENTATION #END

| Spain | Marc Gallardo | marc.gallardo@alliantabogados.com

BARCELONA, FRIDAY, SEPTEMBER 28, 2012

EU GENERAL DATA PROTECTION REGULATION - FRANCE

| France| Me Alain BENSOUSSAN |alain-bensoussan@lexing.eu

EU GENERAL DATA PROTECTION REGULATION - FRANCE

| France| Me Alain BENSOUSSAN |alain-bensoussan@lexing.eu

EU GENERAL DATA PROTECTION REGULATION - FRANCE

1. Strengthen the rights of individuals

Right to data portability

Strengthen the rights of individuals

Clarica(on about consent

Clarica(on about the exercise of data subject rights

| France| Me Alain BENSOUSSAN |alain-bensoussan@lexing.eu

EU GENERAL DATA PROTECTION REGULATION - FRANCE

2. Simplify processes for businesses

-purposes; -condi(ons; -means of processing

Joint deni(on of:

Excep(on: sensi(ve processing

Approval of BCR by one supervisory authority

| France| Me Alain BENSOUSSAN |alain-bensoussan@lexing.eu

EU GENERAL DATA PROTECTION REGULATION - FRANCE

3. Extend liability (1)

Data protec(on ocer (art. 35)

No(ca(on of personal data breach (art. 31)

| France| Me Alain BENSOUSSAN |alain-bensoussan@lexing.eu

EU GENERAL DATA PROTECTION REGULATION - FRANCE

3. Extend liability (2)

Privacy by Design (art.23)

Impact assessments (art. 33)

| France| Me Alain BENSOUSSAN |alain-bensoussan@lexing.eu

EU GENERAL DATA PROTECTION REGULATION - FRANCE

4. Impose s(er sanc(ons (1)

| France| Me Alain BENSOUSSAN |alain-bensoussan@lexing.eu

EU GENERAL DATA PROTECTION REGULATION - FRANCE