Some IT law issues in Spain

| G l o b a l n e t w o r k o f a / o r n e y s s p e c i a l i z e d i n e m e r g i n g t e c h n o l o g y l a w

Barcelona Conference

September 28, 2012

#lexingbcn

Interna(onal •  17 members (worldwide)

Integrated

•  Same and unique methodology & procedures (cross-‐border projects)

Specialized •  Law & Technologies (IT Law)

First internaEonal network of lawyers focused on informaEon technology law

Data Protec(on 30’

Cloud Compu(ng 30’

Social Media 30’

Cookies 30’

New Domain Names 15’

Q & A

General Presenta(on … 20’

| Argen(na | Belgium | Canada | France | Germany | Israel | Italy | Luxembourg | Mexico | Morocco | Norway | South Africa | Spain | Switzerland | Tunisia | United Kingdom | USA

Privacy, Cloud, Social Media & Cookies Overview of Spanish Law

Marc GALLARDO [email protected]

BARCELONA, FRIDAY, SEPTEMBER 28, 2012

# Data Protec(on

# Cookies

# Social Media

# Cloud Compu(ng

SDPA (‘99 & ’07 & ‘10) / AEPD High and Stringent Enforcenment ! € 20.000.000 / 4000 proceedings Dra\ EU RegulaEon (January 2012)

SDPA applies / AEPD – No specific regulaEons AEPD Guidelines (June 2012) / EU Guidelines (July 2012)

SDPA applies / AEPD – No specific regulaEons No general Guidelines / EU Guidelines

Eprivacy Rule in LSSI / AEPD No general Guidelines / EU Guidelines (June 2012)

Data Controller

Data Processor Data subject

Spanish Data Protection Law (SDPL)

rights obligations

"   Notification requeriments "   Information provision obligations "   Legal basis for processing data "   Confidentiality & Security "   Data Protection Principles

contract

Organic Law 1999

Regulation 2007

•  Professionals & Individual traders Self-‐Employed ac(ng as traders

•  Secondary purpose for processing (B2B) •  Name, surname, job, address, tel. & fax number

Data rela(ng to contact persons

Proper anonymiza(on

LegiEmate interest

✓  Consent ✓  Contractual relations ✓  Requirements of the law

✓  Emergencies ✓  Public Interest ✓  Legitimate interest!

Ruling Feb. 2012!

legitimate !interest DC!

data subject!rights!

DP principles!

Key ObligaEon: process personal data lawfully

Consent: not always available or reliable criteria LegiEmate interest criterion not properly incorporated The data should apeared in public sources ! Now void -‐>

Cloud CompuEng

Amazon AWS

IBM

Microsoh

Salesforce

Google

Oracle

Arsys

Dropbox

Apple

Cloud definiEon

LACK OF CONTROL

LACK OF INFORMATION

Main risks

Jun

Guidelines

June !2012! www.agpd.es

July !2012!

No specific law regulaEng cloud compuEng but … data protecEon law is applicable

# User is the Data Controller

# CC Provider is the Data Processor

cont

ract

contract Guidelines

Tools & Services that facilitate conversa(on

General View

SNS impact on all branches of law ๏  Privacy ๏  Intellectual Property ๏  Marke(ng and Consumer Protec(on ๏  Contests and Promo(ons

๏  Employment ๏  Free speech ๏  Children protecEon ๏  E-‐reputa(on

Internal: SM used within a company Hosted: Public SM controlled by a company Public: Public SM outside the control of a company

SNS Providers

•  e-‐Commerce Liability Exemp(on •  No obliga(on to monitor infringements

SNS: Informa(on Society Service

•  All obliga(ons rela(ng to privacy protec(ons •  Children verifica(on age procedures (under 14)

SNS Provider is a data controller

= Authors of Apps + Adver(sers [SNS & Mobile]

Company as a User

•  No household exemp(on In some circumstances, also Data Controllers

•  Intellectual Property Rights, Privacy, Iden(ty theh, Defama(on & others

Soh Law to resolve certain disputes

•  Opt-‐ in rule (B2B + B2C) & soh opt-‐in (if client) •  Transparency (id. sender) •  Right to object (valid electronic address)

Electronic Commercial Communica(ons

SituaEon > 1st April

‘Cookie’ is a small text file delivered by a website server onto the computer of visitor

Mul(ple func(ons but typically used to taylor website offerings and facilitate targeted ads

Rule: Informa(on + Consent before storing or gaining access to any cookie (not exempted)

Problems

Informa(on ? Consent ? Browser / opt-‐out / opt-‐in

Guidelines on Exempted Cookies a. Technical cookies & b. Strictly necessary cookies

No enforcement over e-‐privacy consent rule (LSSI) ! Enforcenment possible if PD is collected (SDPA).

#1 Audit

#2 Put in Place Policies & Programs

#3 Implement and review

✓  Conduct a comprehensive and thorough risk assessment ✓  Iden(fy risks

✓  Evaluate the risks ✓  Address the risks

✓  Implement + Review on a regular basis ✓  Train employees and monitor compliance ✓  Demonstrate it: a policy must be reflected in concrete pracEces !

Bo/om line is …

GENERAL PRESENTATION #END

| Spain | Marc Gallardo | [email protected]

Page 23

THANK YOU


Proposed EU General Data ProtecEon RegulaEon of January 25, 2012:

State of Play

ALAIN BENSOUSSAN alain-‐[email protected]


EU GENERAL DATA PROTECTION REGULATION -‐ FRANCE

| France| Me Alain BENSOUSSAN |alain-‐[email protected]

Page 25

What are the stakes? –  harmonize the protection of personal data in the EU –  ensure the effectiveness of such protection

Issue –  a stronger and more coherent data protection framework in the EU

Situation –  uncertain

News –  International mobilization and debate on personal data protection

Introduc(on



Page 26

1. Strengthen the rights of individuals

2. Simplify processes for businesses

3. Extend liability

4. Impose s(ffer sanc(ons

Agenda



Page 27

1. Strengthen the rights of individuals

Strengthen the rights of individuals

Right to be forgouen

Clarifica(on about consent

Clarifica(on about the exercise of data

subject rights

Right to data portability



Page 28

2. Simplify processes for businesses

Cuvng red tape

Abolish the general obliga(on to no(fy

processing

Excep(on: data transfers outside the EU to a country without adequate

level of protec(on

Excep(on: sensi(ve processing

One-‐stop shop

Mul(na(onals

Main establishment of the processor

(i.e. place of its central administra(on in the EU)

Approval of BCR by one

supervisory authority

Joint controllers

Joint defini(on of:

-‐purposes; -‐condi(ons; -‐means of processing



Page 29

3. Extend liability (1)

• Maintain documenta(on of all processing opera(ons • Obliga(on for each controller, processor and, if any, the controller's representa(ve. • Content

Documenta(on (art. 28)

• Processing carried out by a public authority or body • Processing carried out by an enterprise employing 250 persons or more • Processing opera(ons which, by virtue of their nature, their scope and/or their purposes require regular and systema(c monitoring of data subjects

• Designated for a period of at least 2 years

Data protec(on officer (art. 35)

• No later than 24 hours aher having become aware of it • Otherwise, reasoned jus(fica(on should be given

No(fica(on of personal data breach (art. 31)



Page 30

3. Extend liability (2)

• Designa(on of a data protec(on officer with variety of rules to ensure his independence • Demonstrate by documenta(on compliance with rules on security, processing opera(ons and impact assessment • Implement mechanisms to ensure the effec(veness of measures

Accountability (art.22)

• Deployed and implemented by default at the (me of the determina(on of the means for processing and at the (me of processing

• Ensure the implementa(on of data minimiza(on principle

Privacy by Design (art.23)

• Specific risks presented by processing opera(ons to the rights and freedoms of data subjects • This includes: informa(on on sex life, health, video surveillance, gene(c data, biometric data … • Content: a general descrip(on of the envisaged processing opera(ons, an assessment of the risks to the rights and freedoms of data subjects, safeguards, security measures, mechanisms to demonstrate compliance with the Regula(on

Impact assessments (art. 33)



Page 31

4. Impose s(ffer sanc(ons (1) Viola(

ons

-‐ No mechanisms for requests by data subjects -‐ No prompt response to requests by data subjects -‐ Charging a fee for the informa(on or for responses to the requests of data subjects

-‐ Not providing informa(on, or providing incomplete informa(on, or not providing informa(on in a sufficiently transparent manner

-‐ Not providing access for the data subject, not rec(fying personal data, not communica(ng relevant informa(on to a recipient

-‐ Not complying with the right to be forgouen or to erasure -‐ Not providing a copy of the personal data in electronic format

-‐ Not or not sufficiently maintaining documenta(on -‐ Not or not sufficiently determining the respec(ve responsibili(es with co-‐controllers

€250,000 or 0,5% of annual worldwide turnover

€500,000 or 1% of annual worldwide turnover



Page 32

4. Impose s(ffer sanc(ons(2) -‐ Processing personal data without any or sufficient legal basis -‐ Processing special categories of data in viola(on of the Regula(on

-‐ Not complying with an objec(on -‐ Not complying with the condi(ons in rela(on to measures based on profiling

-‐ Not implemen(ng accountability (Privacy by Design, Privacy Impact Assessment)

-‐ Not designa(ng a representa(ve -‐ Processing data in viola(on of the Regula(on -‐ Not aler(ng on or no(fying a personal data breach or not (mely no(fying the data breach

-‐ Not carrying out a data protec(on impact assessment -‐ Not designa(ng a Data Protec(on Officer -‐ Carrying out or instruc(ng a data transfer to a third country without appropriate safeguards

-‐ Not complying with an order by the supervisory authority

€1,000,000

or 2% of annual

worldwide turnover

| F r a n c e | M e A l a i n B e n s o u s s a n | alain-‐[email protected]

"   ALAIN BENSOUSSAN AVOCATS 29 rue du colonel Pierre Avia Paris 15 FRANCE Tel. : 33 1 41 33 35 35 Fax : 33 1 41 33 35 36 paris@alain-‐bensoussan.com

"   Alain Bensoussan D.L : 33 1 41 33 35 09 Mob. : 33 6 19 13 44 46

ab@alain-‐bensoussan.com

Contact


Data ProtecEon in the United States Recent Developments

Françoise GILBERT Managing Director – IT Law Group

Silicon Valley, California +1 650-‐804-‐1235 [email protected] | www.globalprivacybook.com | francoisegilbert.com | @francoisegilbrt


| Belgium | Me Jean-‐François HENROTTE | j�[email protected]

Page 35

– Background – Overview of US data protec(on laws – Role of the US federal and state agencies – Recent US Government ini(a(ves – Recent enforcement ac(ons – Hot issues

Agenda


Page 36

–  No na(onal data protec(on law; but dozens of Federal sectoral laws •  1890: “Right to Privacy” defines the concept •  1966: Freedom of Informa(on Act (access to informa(on held by government •  1968: Wiretap Act (intercep(on of aural communica(ons and disclosure of these communica(ons in court) •  1970: Fair Credit Repor(ng Act (credit repor(ng agency disclosure of credit reports) •  1974: Privacy Act (disclosure of government records) •  1974: Family Educa(onal Rights and Privacy Act (disclosure of school records) •  1978: Right to Financial Privacy Act (banking and financial transac(ons) •  1978: Foreign Intelligence Surveillance Act (electronic surveillance; foreign intelligence) •  1986: Computer Fraud & Abuse Act (to reduce hacking, use of viruses) •  1986: Electronic Communica(on Privacy Act (stored or in transit informa(on) •  1996: Health Insurance Portability and Accountability Act (health informa(on) •  1998: Children Online Privacy Protec(on Act (children informa(on) •  1999: Financial Services Moderniza(on Act (GLBA) (financial informa(on) •  2003: CAN SPAM Act (commercial messages)

–  Hundreds of State sectoral laws (+ some states have cons(tu(onal rights) •  Protect individuals residing in a specific state •  Security breach disclosure laws •  Security measure requirements •  Protec(on of driver’s license informa(on, medial records, etc.

US Data Protec(on Laws


Page 37

–  No “na(onal data protec(on agency” •  Numerous federal agencies play role similar to that of the Data Protec(on Agencies in European Union

–  Federal Trade Commission –  Department of Health & Human Services –  Financial Services Agencies –  Securi(es & Exchange Commission

•  Numerous state agencies, play similar role at the State Level –  State Auorney General –  Other State Agencies

–  Substan(al coopera(on between State and Federal Agencies

Federal & State Agencies


Page 38

–  Significant penalEes in case of violaEon •  FCRA: up to $500,000 total penalty per viola(on

–  Actual penalEes •  Google (breach of FTC consent decree) $22.5million •  ChoicePoint (breach of security) $15million •  Massachuseus General Hospital (HIPPA) $4.3million •  Sony $1million (COPPA) •  Xanga $1million (COPPA) •  CVS, Rite Aid pharmacies $1million (HIPAA + lack of security) •  Spokeo $800,000 (FCRA)

Significant Penal(es


Page 39

–  Federal Trade Commission (FTC): •  Top regulator in the US with respect to protec(on of personal informa(on

•  Powers under FTC Act (§5), COPPA, FCRA, HIPAA –  Numerous acEons against companies for:

•  Failure to comply with privacy promises •  Failure to provide adequate security measures for personal informa(on

•  Unclear and decep(ve terms, which concealed important disclosure regarding un-‐an(cipated use of personal informa(on

•  Failure to comply with requirements of Fair Credit Repor(ng Act •  Failure to comply with COPPA requirements

Federal Trade Commission


Page 40

–  Google (Aug. 2012, Dec. 2011) –  Spokeo (Jun. 2012) –  MySpace (May 2012) –  RockYou (Mar. 2012) –  Facebook (Mar. 2011) –  Playdom/Disney (May. 2011) –  Twi/er (Mar. 2011) –  RiteAid Pharm (Nov. 2010) –  Lifelock (Nov. 2010) –  Sears (Sep. 2009)

–  Sony BMG Music (Dec. 2008; Jan 2011)

–  TJX (Aug. 2008) –  Reed Elsevier (Aug. 2008) –  ValueClick (Mar. 2008) –  ChoicePoint (Jan. 2006) –  BJ Wholesale (Sep. 2005) –  Microso\ (Aug. 2002) –  Geoci(es / Yahoo (1999)

FTC Enforcement Ac(ons


Page 41

–  White House Consumer Bill of Rights (Feb. 2012) •  Restates Fair Informa(on Prac(ce Principles

–  Federal Trade Commission Report on Consumer Privacy (March 2012)

•  Privacy by Design, Privacy by Default, Online Behavioral Tracking and Adver(sing

–  Federal Trade Commission Report on Children and Mobile Apps (February 2012)

•  Guidelines on mobile apps for children –  Federal Trade Commission Guidelines on Mobile Apps (August

2012) •  General guidelines on the publica(on of mobile apps

–  Par(cipa(on in APEC Cross Border Privacy Rules System

Recent US Efforts on Privacy


Page 42

–  FTC v. Google (August 2012) •  $22.5 million fine •  Viola(on of pre-‐exis(ng consent decree with FTC •  FTC looked at promises made in Privacy Policy or about privacy measures, including in Google’s representa(ons that it complied with the NAI Code of Conduct

–  FTC v. Facebook (August 2012) •  Viola(on of representa(ons made in Privacy Policy •  Including representa(on that FB followed the Safe Harbor Principles

•  20-‐year supervision by Federal Trade Commission

Recent Enforcement Ac(ons


Page 43

– Mobile •  Mobile apps, mobile payments, mobile privacy

–  BYOD •  Bring your own device (to work)

–  Social Media •  Poten(al employer access to social media account

–  Behavioral MarkeEng •  Tracking devices, cookies, tags, zombie cookies

–  Big Data –  Cloud CompuEng

•  Reform of Electronic Communica(ons Privacy Act

Other Hot Issues


Page 44

Françoise Gilbert IT Law Group

Palo Alto, California, USA

Email: [email protected] Phone: +1 650-‐804-‐1235

IT Law Group: itlawgroup.com Blog: francoisegilbert.com

Book: globalprivacybook.com Twiuer: @francoisegilbrt


CLOUD COMPUTING LEGAL ISSUES UP IN THE AIR

Raffaele ZALLONE -‐ Sébas(en FANTI [email protected] -‐ sebas(en.fan(@sebas(enfan(.ch


CLOUD COMPUTING

NATIONAL INSTITUTE OF STANDARD AND TECNOLOGY: A MODEL FOR ENABLING CONVENIENT, ON-‐DEMAND NETWORK ACCESS TO SHARED POOL OF COMPUTING RESOURCE

SOFTWARE AS A SERVICES SAAS OFFERS ACCESS TO A SERVICE (ES: MAIL, ACCOUNTING, SPREADSHEET)

PLATFORM AS A SERVICES PAAS OFFERS ACCESS TO DEVELOPMENT TOOLS

INFRASTRUCTURE AS A SERVICES IAASOFFERS HW+SW ON DEMAND (MEMORY, PROGRAMS, ETC)

WHAT IS CLOUD COMPUTING

THERE ARE 3 DIFFERENT SERVICES MODELS

CLOUD COMPUTING

PRIVATE CLOUDS

OFFERS SERVICES TO ONE CUSTOMER ONLY MORE SIMILAR TO DATA CENTERS

PUBLIC CLOUDS

AN INFRASTRUCTURE USED TO SERVE SEVERAL CUSTOMERS (ES: GMAIL)

HYBRID CLOUDS

SERVICE OFFERING WITH MIXTURE OF PRIVATE / PUBLIC

CLOUD COMPUTING

CLOUD COMPUTING

CLOUD COMPUTING MAIN ISSUES

SECURITY

CONTRACTUAL ISSUES

PRIVACY ISSUES

CLOUD COMPUTING

CONTRACTUAL ISSUES: MANY ARE THE SAME AS PER OUTSOURCING CONTRACT

SERVICE LEVELS AND RELATED MEASUREMENTS

WHAT TO MEASURE AND HOW CONSEQUENCES PENALTIES

PROTECTION OF DATA (AVAILABILITY, RELIABILITY)

DATA MUST ALWAYS BE AVAILABLE, IS SUPPLIER REL IABLE?

SUB CONTRACTING: WHO AND FOR WHAT WIDE USE OF SUBCONTRACTING IS STD NEED TO HAVE AGREEMENT ON HOW TO MANAGE PROCESS AN CONTROLS

CONTINUITY OF SERVICE BACK UPS? WARRANTIES?

CHANGES OF PLATFORM / SW UPGRADES NEED TO IMPLEMENT CHANGE MANAGEMENT CONTROLS

DURATION OF CONTRACT LONG TERM vs SHORT TERM: PRO’S AND CON’S

TERMINATION OF CONTRACT AND TRANSITION TO NEW SUPPLIER

NEED TO IMPLEMENT APPROPRIATE MANAGEMENT AND PROCESSES

CLOUD COMPUTING

SPECIFIC CLOUD COMPUTING CONTRACTUAL ISSUES

LICENSE vs SERVICE IF THERE IS NO LICENSE, TERMINATION OR TRANSITION TO NEW SUPPLIER MAY BE A REAL PROBLEM

AUDITABILITY -‐ AVAILABILITY MUST HAVE DATA ALWAYS AVAILABLE FOR AUDITS MUST BE POSSIBLE TO AUDIT SUPPLIER ITSELF

LOCATION OF DATA PRIVACY AND LIABILITY ISSUE

SUB CONTRACTORS RIGHT TO APPROVE AND AUDIT

CLOUD COMPUTING

SPECIFIC CLOUD COMPUTING CONTRACTUAL ISSUES

INTELLECTUAL PROPERTY MAKE SURE CRITICAL I.P. IS PROTECTED

OPEN vs PROPRIETARY SWITCHING TO NEW SUPPLIER MAY BE A PROBLEM

CHANGE MANAGEMENT SUPPLIER MAY DECIDE TO CHANGE SW, PLATFORM, SUBCONTRACTORS? HOW AND WITH WHAT RIGHTS/NOTICE

STANDARD CONTRACTUAL TERMS NEED OF CONTROL / FLEXIBILITY / REGULATION OF SPECIFIC ISSUES

DATA PRIVACY ISSUES ATTITUDE OF SUPPLIERS

CLOUD COMPUTING

DATA PRIVACY ISSUES WHERE ARE THE DATA? KNOWING THE LOCATION OF DATA IS

ESSENTIAL UNDER UE PRIVACY LAWS

CAN SUPPLIER TRANSFER DATA? SAME AS ABOVE

MANAGEMENT OF SUBCONTRACTORS MUST BE APPOINTED AS DATA PROCESSORS AND MUST BE AUDITABLE, BY CUSTOMER, BY PRIVACY AUTHORITY OR OTHER BODIES

SECURITY MEASURES AUDITABILITY – LIABILITY

ACCESS DATA ARE PERSONAL DATA WHERE ARE THEY, WHO CAN ACCESS THEM, HOW LONG ARE THEY STORED FOR

OBLIGATION NOT TO USE DATA SUPPLIER AND SUBCONTRACTOR

RETURN OR DESTRUCTION OF DATA SUPPLIER AND SUBCONTRACTORS

CLOUD COMPUTING

LEGAL ISSUES LIABILITY OF CLOUD PROVIDER FOR ILLEGAL CONTENT ?

NO LIABILITY IF THE PROVIDER HAS NO KNOWLEDGE OR AWARENESS OF ILLEGAL NATURE AND REMOVES OR BLOCKS ILLEGAL DATA WHEN IT DOES GAIN KNOWLEDGE OR BECOME AWARE OF ILLEGAL NATURE (NOTICE AND TAKEDOWN)

JURISDICTIONAL ISSUES AND APPLICABLE LAW

THE CHOICE OF THE COMPETENT COURT AND OF THE APPLICABLE LAW ARE FUNDAMENTAL; IF OUTSIDE OWN COUNTRY, ANY LITIGATION CAN BECOME PROHIBITIVELY EXPENSIVE

DISPUTE RESOLUTION ARBITRATION MUST BE CONSIDERED AS ONE INTERESTING OPTION KEEPING CONFIDENTIALITY AND AVOIDING PROBLEMS LIKE CHOICE OF ANOTHER APPLICABLE LAW BY COURT

CLOUD COMPUTING

LEGAL ISSUES INTRODUCTION OF HARMFUL CODE (VIRUSES AND OTHER MALICIOUS CODE)

NEED TO RELY ON THE PROVIDER APPLYING SUFFICIENT PROTECTION AGAINST THESE DANGERS; NECESS ITY OF IMPOSING OBLIGATIONS TO THE PROVIDER

US PATRIOT ACT In certain circumstances, the US PATRIOT Act allows the US government to obtain data held anywhere in the world by US companies or companies with sufficient connec(ons to the US. This would extend to data centres based in UE that are operated by US companies and data centres based in the US operated by non-‐US companies.

IT PROPERTY OWNERSHIP NECESSARY TO ENSURE THAT THE AGREEMENT DOES NOT TRANSFER IP OWNERSHIP

CLOUD COMPUTING

LEGAL ISSUES ISSUES PARTICULAR TO REGULATED INDUSTRIES

RULES THAT LIMIT THEIR ABILITY TO OFFSHORE THEIR OPERATIONS; EX: BANKING OR INSURANCE COMPANIES; TEST THE WATERS WITH THEIR REGULATOR BEFORE PROCEEDING WITH CLOUD COMPUTING SERVICE SOLUTIONS

SUBCONTRACTORS ALL THE RELEVANT OBLIGATIONS MUST THEREFORE APPLY ALSO TO THE SUB-‐PROCESSORS THROUGH CONTRACTS BETWEEN THE CLOUD PROVIDER AND SUBCONTRACTOR REFLECTING THE STIPULATIONS OF THE CONTRACT BETWEEN CLOUD CLIENT AND CLOUD PROVIDER

SPECIAL PRECAUTIONS BY THE PUBLIC SECTOR

EUROPEAN GOVERNMENTAL CLOUD AS A SUPRA NATIONAL VIRTUAL SPACE WHERE A CONSISTENT AND HARMONIZED SET OF RULES COULD BE APPLIED?

CLOUD COMPUTING

CONCLUSIONS AND RECOMMENDATIONS

CLEARLY IDENTIFY THE DATA AND THE PROCESSING THAT WILL BE ENTRUSTED TO THE CLOUD PROVIDER

EX: HEALTH DATA, WHICH CAN ONLY BE STORED BY A CLOUD PROVIDER LICENSED BY THE FRENCH MINISTRY OF HEALTH

UNDERTAKE A RISK ANALYSIS TO ENSURE THAT THE CUSTOMER IS GETTING THE RIGHT LEVEL OF SECURITY UPDATE THE RISK ANALYSIS REGULARLY

REFER TO THE GUIDELINES OF ENISA (EUROPEAN NETWORK AND INFORMATION SECURITY AGENCY) WHEN CONDUCTING THE RISK

BE SURE TO IDENTIFY THE RIGHT KIND OF OFFER THAT IS APPROPRIATE FOR A CLOUD CUSTOMER'S BUSINESS

SAAS, PAAS, OR IAAS, PUBLIC, PRIVATE OR HYBRID CLOUD SOLUTIONS

CLOUD COMPUTING

CONCLUSIONS AND RECOMMENDATIONS Choose a cloud provider with

sufficient service and privacy level guarantees

essen(al elements that should appear in the cloud contracts

Rethink YOUR own IT security policy such as rules on authen(ca(on of users, and employees' use of mobile devices to access the employer's network…

Ensure that the customer defines its own requirements on the technical and legal security aspects of the processing

Localiza(on of the data, reversibility and data portability

Social Media 30’

Cookies 30’

New Domain Names 15’

Q & A


Some issues on Social Networks

Jean-‐François HENROTTE j�[email protected]

BARCELONA, SEPTEMBER 28, 2012


Page 60

1.  How to manage issues on Social Networks A.  First, the easy way B.  Then the hard way

2.  How to react if your content is removed

3.  Community management, a new business



Page 61

•  Social networks are not an apart world. •  Almost all the annoyances of society can be

found there, but some more ohen : •  Defama(on •  Harassment •  Copyright infrigement •  Privacy breach •  …



Page 62

A.  Soh Law

How to react ?

1. How to manage issue on Social Networks

B.  Hard Law

Use the tools provided by social networks themselves

Use leuer of formal no(ce, cease-‐and-‐

desist order, lawsuit,…


Page 63

Internet is a par(cular area where :

Old fashioned legal tools are good, but…

Nothing is forgouen

Everything can be reproduced indefinitely

from a single copy

There is always someone on the lookout

1. A How to manage issue on Social Networks


Page 64

Beware of the Barbara Streisand’s effect

1.A How to manage issue on Social Networks


Page 65

Lawyers need to be careful when using leuers of formal no(ce or lawsuits •  There is a significant risk of bad publicity

•  There is a significant risk to auract much more a/enEon due to a inadequate or bad reac(on than to the first event in itself



Page 66

•  Be quick but do not rush •  Be ready to communicate if things go

wrong •  Use the reporEng tools implemented by

social networks •  It is fast •  It tackles the problem at the roots •  It prevent (partly) the spread of the problem •  Main issue è Completely arbitrary

Some guidelines



Page 67

•  First, the abuse must be defined •  Break of terms and policies •  Copyright (or other IP right) infrigement •  Defama(on •  Privacy mauer •  Harassment •  …

•  Then, follow the adequate procedure

Tools to report abuse



Page 68

•  Linkedin hup://www.linkedin.com/sta(c?key=copyright_policy&trk=hb_h_copy

•  Facebook hup://en-‐gb.facebook.com/help/?page=178608028874393&ref=hcnav

•  FlickR hup://www.flickr.com/abuse/



Page 69

•  Google + hup://support.google.com/plus/bin/answer.py?hl=en&answer=1253377

•  YouTube hup://www.youtube.com/t/copyright_no(ce?gl=BE

•  Google.com hups://www.google.com/webmasters/tools/removals?pli=1



Page 70

If : •  Social network does not comply with your

request, or not fast enough •  You feel you need a stronger ac(on

è Unholster the usual lawyers

When the easy way is not enough

1.B How to manage issue on Social Networks


Page 71

•  Easy if his real name is disclosed •  May be really hard if he uses a nickname

•  In Belgium, it is almost impossible ∟  Due to recent case law, only the criminal judge

have the power to compel providers to disclose the iden(ty of a user (>< Spain)

∟  But, in Belgium, criminal jus(ce is totally overtaken and doesn’t really care about or is not really efficient to handle these cases

First issue : Iden(fy the perpetrator



Page 72

And is in a place where you can reach him… è Then you can sue him using :

∟  Criminal law if defama(on or harassment (Art. 443 and following of B. Criminal Code)

∟  Copyright law ∟  Civil law (Art. 1382 – 1383 of B. Civil Code) ∟  Commercial law

The perpetrator is known



Page 73

Ohen, the first idea when faced with a problem (such as defama(on) on a social network is to use Criminal Law But (in Belgium at least): •  You are not in control •  Criminal procedure can be really slow •  It may paralyse civil procedure

A word about Criminal Law


Page 74

Or you can’t reach him

èLodge a Criminal complaint against X

è At the same (me, act against the provider (social network company in this case) but : ∟  they may benefit from the exemp(on from liability ∟  they can oppose the argument of freedom of speech ∟  they can claim that they did not commit any fault

The perpetrator is unknown



Page 75

Introduced by Direc(ve 2000/31/EC on electronic commerce

You have to prove that: •  they do not fit into the category of intermediary

service providers (hoster in this case) as provided by the Direc(ve

•  they had previous knowledge of the illegality or had not responded adequately when they were made ��aware of this illegality

èInjuc(on are s(ll possible

Exemp(on from civil liability



Page 76

This right is crucial to our socie(es, but not absolute è You have to prove that your case stays into

one of these right's limita(ons

Freedom of speech



Page 77

è You need to prove that, once the provider has been made aware of the illegality, he commits a fault if he doesn’t react quickly to remove or to disable access to the informa(on

The lack of fault



Page 78

It may be hard and expensive to achieve a result (suppression of the content, not even talking of compensatory damages) with the hard way


Intermediary conclusions

Get yourself organised to control the places of discussion

Use the soh way


Page 79

•  IdenEfy the pretext used to jus(fy the removal

•  Use the counter-‐noEce pages and tools offered by social networks

•  Act at the same (me against the person who lodged the complaint (when his iden(ty is known) and try to obtain from him that he withdraws his complaint

What if your content is removed

2. How to react if your content is removed


Page 80

•  A new profession related to the advent of social networks

•  This business consists in managing and maintaining a community of “fans” of a brand, a company, a people,… on social networks

Community Management

3. Community management


Page 81

•  Liule or no educa(on to become a community manager

•  Ohen a poor understanding of the risks from the execu(ves

•  Risks are even greater than with spokesman •  Speed ��and spontaneity of responses •  Rapid dissemina(on to the community and beyond •  Fans can focus on personality of the Community manager

rather than on the brand

Issues



Page 82

•  In most cases, applica(on of labor law (if the manager is an employee) or standards liability rules

•  In Belgium, except for gross negligence, the employee will not be held responsible

•  Par(cular auen(on should be paid to contract !

Issues



Page 83

•  Who owns the contents produced by the Community Manager in case of break of contract ?

•  In Belgium, transfer of IP rights has to be formally provided in the contract (>< Spain)

•  Who owns the community’s members that he has auracted in case of break of contract ?

Upon hiring, it must therefore be decided



Page 84

•  Who got the ownership and access codes to the account ?

•  When possible, it’s beuer that execu(ve opens the account themselves and then gives (limited) admin rights to the community manager + Execu(ve should keep modera(ng powers in case of emergency

•  It should be a good idea to write down in the contract the unique ID of the account

Upon hiring, it must therefore be decided



Page 85

•  Social networks are powerful tools for communica(on, adver(sing and marke(ng

•  Social networks are now part of our everyday life and you should use them, with care, like every other tool

Don’t Panic !

Conclusions


Page 86

Join us on

Conclusions


Page 87

•  Picture of Barbara Streisand : By Allan warren (Own work) [CC-‐BY-‐SA-‐3.0 (hup://crea(vecommons.org/licenses/by-‐sa/3.0) or GFDL (hup://www.gnu.org/copyleh/fdl.html)], via Wikimedia Commons

Credits


RegulaEng Cookies in Canada

Jean-‐François De Rico Langlois Kronström Desjardins llp


Cookies

web beacons

supercookies

device data zombie cookies

Online Behavioural Advertising

Cookies

•  File created by browser and saved on a user’s computer by website

•  The cookie uniquely iden(fies, or “records” user informa(on/preference

Purposes

Measuring web site usage to •  Improve func(onality of the site; •  Fraud preven(on; and •  Online behavioral adver(sing;

InformaEon collected

•  IP address; •  pages visited; •  length of Eme spent on each page; •  adverEsements viewed; •  arEcles read; •  purchases made; •  search terms; •  user preferences; •  operaEng system; •  geographical locaEon.

CLOUD COMPUTING

Europe

Canada Page 93

Europe

ObligaEon to provide explanaEon of the type and funcEon of cookies and obtain a user's explicit consent before installing a cookie

Canada

Based on relaxed “opt-‐out” framework.

AnE-‐spam law (CASL) An Act to promote the efficiency and adaptability of the Canadian economy by regulaEng certain acEviEes that discourage reliance on electronic means of carrying out commercial

acEviEes, and to amend the Canadian Radio-‐television and TelecommunicaEons Commission Act, the CompeEEon Act, the Personal InformaEon ProtecEon and Electronic

Documents Act and the TelecommunicaEons Act (S.C. 2010, c. 23)

AnE-‐spam law (CASL)

Expressly allows cookies to be installed on a user's computer ….provided the user's behaviour suggests he or she would consent to the installaEon… (?)

General prohibiEon

InstallaEon of computer program

8. (1) A person must not, in the course of a commercial ac(vity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless –  (a) the person has obtained the express consent of the owner or an

authorized user of the computer system and complies with subsec(on 11(5); or

–  (b) the person is ac(ng in accordance with a court order.

“computer program” means data represen(ng instruc(ons or statements that, when executed in a computer system, causes the computer system to perform a func(on;

Cookie ExcepEon

•  10 (…) (8) A person is considered to expressly consent to the installaEon of a computer program if

•  (a) the program is –  (i) a cookie, –  (ii) HTML code, –  (iii) Java Scripts, –  (iv) an opera(ng system,

–  (v) any other program that is executable only through the use of another computer program whose installa(on or use the person has previously expressly consented to, or

–  (vi) any other program specified in the regula(ons; and

•  (b) the person’s conduct is such that it is reasonable to believe that they

consent to the program’s installaEon.

Withdrawal of consent

Policy PosiEon on Online Behavioural AdverEsing

Applica(on of PIPEDA to the collec(on/use of data about individuals’ web ac(vi(es for the purposes of online behavioural adver(sing (OBA) only.

OPC will generally consider informa(on collected for OBA to be PI, considering that:

Ø the purpose is crea(ng profiles to serve targeted ads;

Ø means available for gathering and analyzing disparate bits of data and serious possibility of iden(fying individuals;

The condi(ons under which opt-‐out consent to OBA can be considered acceptable are:

•  Individuals are made aware of the purposes for the prac(ce in a manner that is clear and understandable – the purposes must be made obvious and cannot be buried in a privacy policy, at or before the (me of collec(on and provided with informa(on about the various par(es involved in OBA;

•  Individuals are able to easily opt-‐out of the prac(ce -‐ ideally at or before the (me the informa(on is collected;

•  The opt-‐out takes effect immediately and is persistent; •  The informa(on collected and used is limited, to the extent prac(cable, to

non-‐sensi(ve informa(on ; and •  Informa(on collected and used is destroyed as soon as possible or

effec(vely de-‐iden(fied

JurisdicEon

Canadian businesses, to the extent they process and use data about individuals in the European Union, through websites that offer goods and services to European viewers or use cookies to monitor European viewer behaviour, will need to comply with the more stringent direc(ve.


COOKIES EU & UK LAW PERSPECTIVE

Daniel PREISKEL Preiskel & Co LLP

5 Fleet Place London EC4 7RD United Kingdom

[email protected]

BARCELONA, 28 SEPTEMBER 2012

COOKIES -‐ EU & UK LAW PERSPECTIVE

| United Kingdom| Daniel PREISKEL| [email protected]

Page 107

•  Essen(als of Cookies

•  Defini(on •  EU & UK Legal Framework •  EU & UK Independent Authori(es •  Key Issues •  Enforcement & Penal(es •  Compliance

Table of Contents



Page 108

What is a cookie?

•  According to the Informa(on Commissioner’s Office (ICO) -‐ that is the independent authority in UK dealing with privacy and data protec(on -‐ a cookie is “a small file, typically of le?ers and numbers, downloaded on to a device when the user accesses certain websites. Cookies are then sent back to originaFng website on each subsequent visit. Cookies are useful because they allow a website to recognise a user’s device”

•  There are several type of cookies depending on their specific features, for instance there are session cookies and persistent cookies

Essen(als of Cookies



Page 109

Legal Framework

•  EU DirecEves: European Direc(ve -‐ 2002/58/EC -‐ which is concerned with the protec(on of privacy in the electronic communica(ons sector, which has been amended by Direc(ve 2009/136/EC

•  UK RegulaEons: the Privacy and Electronic Communica(ons (EC Direc(ve) Regula(ons 2003 (SI 2003/2426) as amended by the Privacy and Electronic Communica(ons (EC Direc(ve) (Amendment) Regula(ons 2011 (SI 2011/1208)




Page 110

Legal Framework

•  Both the Direc(ves and Regula(ons apply to cookies and similar technologies for storing informa(on

•  The legal framework states that the use of cookies is only allowed if an end user has been provided with clear and comprehensive informa(on about the purposes for which each cookie is stored and accessed on to his/her computer or mobile device and the user has given his or her informed consent




Page 111

Legal Framework

•  There is an excep(on to the requirement to provide informa(on about cookies and obtain consent where the use of the cookie is:

•  for the sole purpose of carrying out the transmission of a communica(on over an electronic communica(ons network; or

•  where such storage or access is strictly necessary (i.e. essen(al) for the provision of an informa(on society service requested by the subscriber or user. For instance it is likely to fall within the excep(on a cookie used to remember the goods a user wishes to buy when they proceed to the checkout or add goods to their shopping basket




Page 112

EU & UK Independent Authori(es

•  European Data Privacy Supervisor is an independent supervisory authority devoted to protec(ng personal data and privacy and promo(ng good prac(ce in the EU ins(tu(ons and bodies

•  Ar(cle 29 Working Party on the Protec(on of Individuals, that is an independent European advisory body on data protec(on and privacy set up under Ar(cle 29 of Direc(ve 95/46/EC

•  The Informa(on Commissioner’s Office is the UK’s independent authority set up to uphold informa(on rights in the public interest, promo(ng openness by public bodies and data privacy for individuals




Page 113

Key issues

•  Cookie audit:

•  Iden(fy which type of cookies are used •  Confirm the type of cookies and how intrusive they are •  Confirm the purpose(s) of each cookie and whether each cookie would be

necessary to perform the services requested •  Iden(fy what data each cookie holds, and confirm whether the cookie is linked

to other data that the cookie owner holds about a user •  Confirm the lifespan of each persistent cookie •  Confirm whether the cookie is a first-‐party or third-‐party cookie •  Double check that the company has an adequate privacy policy posted on its

website with accurate and clear informa(on about each type of cookie used by the company




Page 114

Key issues

•  Ensure informa(on about cookies and mechanisms for making choices, are as easily accessible as possible for users of devices in which cookies are stored, so as to obtain valid and well informed consent by using:

•  Prominent links •  Legal foot notes and privacy policy •  News items and blog posts •  A clickable image or icon




Page 115

Key issues

•  Cookies as “equipment” and applicable law

•  Use of technologies “similar” to cookies, for instance the apps to access the user’s loca(on and/or personal informa(on

•  Mul(-‐jurisdic(onal issues in the interpreta(on, applica(on and enforcement of the law

•  Con(nuing dialogue with authori(es




Page 116

Enforcement & Penal(es

•  In cases where organisa(ons refuse or fail to comply voluntarily with the Regula(ons the ICO and the Courts have a range of op(ons to available to them to take formal ac(on where this is necessary

•  For instance the ICO may request:

•  Informa(on No(ce •  Undertaking •  Enforcement No(ce •  Monetary Penalty No(ce




Page 117

Compliance

•  The person sevng the cookie is primarily responsible for compliance with the requirements of the law

•  Where third party cookies are set through a website, both par(es (the website owner and the person sevng the cookie) will have the responsibility for ensuring users are clearly informed about cookies and for obtaining consent




Page 118

Compliance

•  Providers must obtain users' consent:

•  Before the cookie is set •  Through an affirma(ve step

•  For instance, providers may use pop-‐Up windows, message bars, header bars or splash pages, browser sevngs, terms and condi(ons, sevng-‐led consent and/or feature-‐led consent just to name a few




Page 119

Conclusion

•  Data protec(on is a complex area •  Penal(es & Reputa(onal damage •  Compliance is key




Page 120

Daniel PREISKEL [email protected]


| G e r m a n y | B e l g i u m | C a n a d a | S p a i n | U S A | F r a n c e | I s r a e l | I t a l y | M o r o c c o | M e x i c o | N o r w a y | S w i t z e r l a n d

Trademark Rights ProtecEon Mechanisms for New gTLD´s

Enrique Ochoa

Langlet, Carpio y Asociados

BARCELONA, 28 SEPTEMBER 2012


New GTLD´s -‐ .love -‐ .app -‐ .microsoh -‐ .barcelona -‐ .nyc -‐ .lawyer


-‐ Legal Rights Objec(ons (LRO).


WIPO Arbitra(on and Media(on Center has been appointed by ICANN as the exclusive provider of dispute

resolu(on services for trademark based “pre-‐delega(on” Legal Rights

Objec(ons under ICANN’s New gTLD

Program.


ICANN offers three other types of pre-‐delega(on objec(on-‐based dispute resolu(on procedures which are not administered by WIPO: -‐ “String Confusion Objec(on,” -‐ “Limited Public Interest Objec(on,” and -‐ “Community Objec(on.” ICANN has furthermore established a process for the ICANN Governmental Advisory Commiuee (GAC) to provide “GAC Advice on New gTLDs” concerning applica(ons iden(fied by governments as problema(c.


Trademark protecEon mechanisms available a\er new gTLDs are approved. “Rights ProtecEon Mechanisms” (RPMs). -‐ Trademark Clearinghouse (for use in connec(on with Sunrise periods and Trademark Claims services) -‐ Uniform Rapid Suspension system (URS), and -‐ Post-‐Delega(on Dispute Resolu(on Procedure (PDDRP). In addi(on, the exis(ng Uniform Domain Name Dispute Resolu(on Policy (UDRP) will be applicable to all new gTLDs.


Enrique Ochoa [email protected]


| G l o b a l n e t w o r k o f a / o r n e y s s p e c i a l i z e d i n e m e r g i n g t e c h n o l o g y l a w

Germany Buse Heberer Fromm Rechtsanwälte Bernd Reinmüller, Tim Caesar & Stephan Menzemer Neue Mainzer Strasse 28 60311 Frankfurt Am Main T. 0049 699 71 09 71 00 F. 0049 699 71 09 72 00 [email protected] www.buse.de

Belgium Philippe & Partners Jean-‐François Henroue & Alexandre Cruquenaire j�[email protected] hup://lexing.philippelaw.eu Liège Boulevard d’Avroy, 280 4020 Liège T. 0032 4 229 20 10 F. 0032 78 15 56 56 Brussels Avenue Louise, 240 1050 Bruxelles T. 0032 2 250 39 80 F. 0032 78 15 56 56

Canada Langlois, Kronström, Desjardins Richard Ramsay & Jean-‐François De Rico jean-‐[email protected] www.langloiskronstromdesjardins.com Montreal 1002, rue Sherbrooke Ouest, 28e étage H3A3L6 Montréal T. 0015 148 42 95 12 F. 0015 148 45 65 73 Quebec 801, Grande Allée Ouest, Bureau 300 G1S1C1 Québec T. 0014 186 50 70 00 F. 0014 186 50 70 75

Spain Alliant Abogados Asociados SLP Marc Gallardo Gran Via Corts Catalanes 702 08010 Barcelone T. 0034 93 265 58 42 F. 0034 93 265 52 90 [email protected] www.alliantabogados.com

USA IT Law Group Françoise Gilbert 555 Bryant Street #603 Palo Alto, CA 94301 T. 0016 508 04 12 35 F. 0016 507 35 18 01 [email protected] www.itlawgroup.com

France Alain Bensoussan, Isabelle Tellier & Frédéric Forster www.alain-‐bensoussan.com Paris 29, rue du Colonel Pierre Avia F75508 Paris cedex 15 T. 0033 141 33 35 35 F. 0033 141 33 35 36 paris@alain-‐bensoussan.com Grenoble 7, place Firmin Gau(er F38000 Grenoble T. 0033 476 70 09 95 F. 0033 476 70 09 96 grenoble@alain-‐bensoussan.com

Israel Livnat, Mayer & Co Russell D. Mayer Jérusalem Technology Park, Building 9, 4th Floor P.O. Box 48193 Malcha 91481 Jérusalem T. 0097 226 79 95 33 F. 0097 226 79 95 22 [email protected] www.livmaylaw.co.il

Italiy Studio Legale Zallone Raffaele Zallone 31 Via Dell’Annunciata 20121 Milano T. 0039 229 01 35 83 F. 0039 229 01 03 04 [email protected] www.studiovallone.it

Luxembourg Philippe & Partners Marc Gouden & Jean-‐François Henroue 41 avenue de la Liberté 1931 Luxembourg T. 00352 266 886 F. 00352 266 887 00 [email protected] hup://lexing.philippelaw.eu

Morocco Bassamat & Associée Fassi-‐Fihri Bassamat 30 rue Mohamed Ben Brahim Al Mourrakouchi 20000 Casablanca T. 00212 522 26 68 03 F. 00212 522 26 68 07 [email protected] www.cabinetbassamat.com

Mexico Langlet, Carpio y Asociados Enrique Ochoa Torre Axis Santa Fe Prolongación Paseo de la Reforma # 61, PB-‐B1 Col. Paseo de las Lomas 01330 Mxico, D.F. T. 0052 55 25 91 10 70 F. 0052 55 25 91 10 40 [email protected] www.lclaw.com.mx

Norway Føyen Advøka�irma DA Arve Føyen Postboks 7086 St. Olavs pl. 0130 Oslo T. 0047 21 93 10 00 F. 0047 21 93 10 01 [email protected] www.foyen.no

United Kingdom Preiskel & Co LLP Danny Preiskel 5 Fleet Place London EC4M 7RD T. 0044 20 7332 5640 F. 0044 20 7332 5641 [email protected] www.preiskel.com

Switzerland SébasEen FanE Avocat & Notaire 8B rue de Pré-‐Fleuri, CP 497 1951 Sion T. 0041 27 322 15 15 F. 0041 27 322 15 70 sebas(en.fan(@sebas(enfan(.ch www.sebas(enfan(.ch

South Africa Michalsons Lance Michalson and John Giles [email protected] www.michalsons.co.za Johannesburg Ground Floor Twickenham Building The Campus, 57 Sloane & Cnr Main Road 2021 Bryanston T. 0027 11 568 0331 F. 0027 86 529 4276 Cape Town Boyes Drive St James 7945 Cape Tow T. 0027 21 300 1070 F. 0027 86 529 4276

Tunisie Cabinet Younsi & Younsi Yassine Younsi 4, Rue Pe(te Malte 1001 Tunis T. 00 216 71 346 564 [email protected] hup://younsiandyounsilawfirm.e-‐monsite.com

ArgenEna Estudio Millé Antonio & Rosario Millé Suipacha 1111 -‐ piso 11 C1008AAW Buenos Aires T. 0054 11 5297 7000 F. 0054 11 5297-‐7009 [email protected] www.mille.com.ar

Some IT law issues in Spain

Business

fair credit

data centres

uk independent

cookies legal

personal data

onal data

social networks

signicant