
Attorney at the Bars of Paris and Brussels

Database exploitation & Data protection

Thibault Verbiest

Amsterdam, 1 April 2005

WWW.ULYS.NET
thibault.verbiest@ulys.net

Data protection

- General: Directive 95/46
- Particular: Directive 2002/58

Overview: legal aspects of databases

Intellectual property:
- "Traditional" copyright protection for the structure of the database
- "Sui generis" protection for the content:
  - Database: a collection of independent data arranged in a systematic or methodical way and individually accessible by electronic or other means
  - Condition: a substantial investment
  - The maker of the database has an exclusive right to prevent extraction and/or re-utilization of its content

General and sector-specific regulations

General: Directive 95/46
- Protection of personal data
- General data protection principles
- Scope: online and offline; public and private networks

Specific: Directive 2002/58
- Privacy and electronic communications
- Specific obligations (e.g., cookies, spam)
- Scope: communication services; public networks

1. General protection: Directive 95/46

- Scope
- 9 principles of data protection
- Sensitive data (art. 8): "Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life."
- Case studies: privacy policy; collection of information; disclosure of data via a web application

Scope of Directive 95/46: "processing of personal data"

Personal data: information concerning a data subject, i.e., an identified or identifiable natural person
- Identification may be direct or indirect, by the controller or by a third party
- Legal entities (e.g., an SME)?
- An IP address? An e-mail address?

Processing: any operation performed upon personal data
- In the EU? Outsourcing to non-EU countries?

Data protection principles: data must be
1. fairly and lawfully processed;
2. processed for specified, explicit and legitimate purposes;
3. adequate, relevant and not excessive;
4. accurate;
5. not kept longer than necessary;
6. processed in accordance with the data subject's rights;
7. secure and kept confidential;
8. not transferred to countries (outside the EU) without adequate protection;
9. notified: processing activities "must" be notified to the supervisory authority.

Case study 1: privacy policy

Legally required? Contents:
- The name and address of the controller and of the processor (contract)
- The purposes of the processing activity
- The kind of data processed: "sensitive data"?
- The means used to collect and process the data (cf. cookies)
- Information for the data subject on his/her rights and on the way he/she can exercise them
- The technical and organizational measures adopted to ensure the security and confidentiality of the data (cf. disclosure)
- A reference to general information on data protection legislation (e.g., an FAQ) or the contact details of the privacy officer

Case study 2: collection of information

Processing (art. 2(b)) "shall mean any operation … whether or not by automatic means, such as collection, recording, organization, storage, disclosure by transmission, dissemination or otherwise making available, etc."

Means of collection:
- The data subject is aware, e.g., a web form or a trade fair
- The data subject is not aware, e.g., spyware

Case study 3: disclosure of personal data

- Web database or online database: a database query retrieving all persons with certain properties
- Broad and open notion of "processing": it includes "disclosure by transmission, dissemination or otherwise making available"
- Pay attention to unauthorized disclosures:
  - Personal details published on a website: Lindqvist case (ECJ, C-101/01)
  - Unauthorized access to and retrieval of information
  - Transfer to third parties, e.g., business partners or other databases

2. Sector-specific regulation: Directive 2002/58/EC on privacy and electronic communications

- One of the Directives of the new "Telecom Package"
- Update of Directive 97/66 on privacy and telecommunications
- Overview: scope; contents; articulation with the general framework

Scope: sector-specific regulation

Art. 3: "This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community."
- Public networks: no private or corporate networks
- "Individual" communication: no broadcasting
- Online exploitation, ASP?
- Includes the protection of the legitimate interests of subscribers who are legal persons (SMEs)

The scope is not always very clear, and the distinction is sometimes too academic.

Sector-specific regulation: contents

Clarification of some principles:
- Cookies, spyware
- Security and confidentiality
- Traffic and location data
- Directories of subscribers, e.g., yellow pages
- Spam: collection and use of e-mail addresses

Sector-specific regulation: pragmatic approach and articulation

- Directive 95/46 applies to all networks
- The obligations imposed by Directive 2002/58/EC are "covered" by Directive 95/46/EC

Example: security

Directive 2002/58 (art. 4): "The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with …."

Directive 95/46 (art. 17): "The controller must implement appropriate technical and organizational measures to protect personal data against … all other unlawful forms of processing."

Cookies: online identifiers

- Online exploitation of a database requires the identification of customers
- Processing of personal data: Directive 95/46
- Directive 2002/58: legitimate purposes
  - The user must be informed of the installation of a cookie and of its purposes
  - Users should have the opportunity to refuse a cookie
  - The user should receive user-friendly information on how to refuse installation
  - Consequences of refusal: conditional access

Use of electronic contact details (e-mail)

Unsolicited communications (art. 13):
- Principle: opt-in: addressees must give their prior consent
  - How to obtain a valid prior consent?
  - Electronic mail: e-mail, SMS, MMS… pop-ups?
- Exception: opt-out, if:
  - there is an existing commercial relationship;
  - the sender is the same natural or legal person;
  - the message concerns similar products or services;
  - the customer is given the opportunity to refuse reception (opt-out).

Opt-in databases?