Blogging from the IAPP London Data Protection Intensive
This report is provided by London partner Quentin Archer:
London, April 25 2012: IAPP Europe is currently holding its Data Protection Intensive 2012 in London, of which Hogan Lovells is a sponsor. The conference heard from specialists in the Nordic countries on current issues in the region, concentrating in particular on cloud computing.
The contributions from speakers from Finland, Sweden and Norway demonstrated that there was advanced consideration of cloud computing issues, including in particular three recent decisions of the Swedish regulator. They had collaborated on an investigation into Facebook. However there were also practical differences in regulation in the region which needed to be addressed.
Reijo Aarnio, Finnish Data Protection Ombudsman, stated that education was a large part of his task. He promoted data protection teaching as part of schooling. As a result of the activities of his office, data protection was also being considered actively in the context of new legislation in various areas.
He said that there was much discussion on data breaches, but often we see only the tip of the iceberg. The Finnish Parliament would shortly bring forward rules on breach notification. He welcomed the introduction of the principle of accountability. It reflected work he had been doing on developing a data balance sheet, which will appear in English on his website in a few weeks.
On enforcement, the Scandinavian investigation of Facebook was not the first example of regional co-operation, but it showed how well it could work.
In answer to a question on how the new EU Regulation and the regulators themselves could properly promote EU competitiveness, since excessive regulation might drive out data processing which consumers really wanted, he pointed out that in assessing competitiveness it was necessary to bear in mind that contract law was to be harmonised as well as data protection. Data protection should not be considered in isolation.
Dan Jerker B. Svantesson of Bond University spoke on Swedish aspects.
As in many other places a popular topic was cloud computing. An organisation called Cloud Sweden had published on legal issues in the field. The Swedish DPA, the Datainspektionen, had been very active in making and publishing some recent decisions relating to cloud computing. They demonstrated that data protection rules can hinder cloud computing to some degree.
The first decision related to an agreement between Google and Salem Municipality for a SaaS service. The Datainspektionen found that Google had a unilateral right to change the terms of the contract, which meant that the municipality could not be certain if it was complying with privacy law or not. A contract term that Google could use data processed for the creation of products was also a problem.
The contract allowed Google to engage third parties to process data without informing the municipality. This meant that the municipality did not know at any one time who had its data. The Datainspektionen decided that controllers needed to have a contract with each processor and to know who they were. This created problems with transfers outside the EU as well. Controversially, the Datainspektionen felt that Swedish law should apply to the processing relationship in order to ensure that the municipality was compliant with Swedish privacy law..
The privacy impact assessment used in that instance was apparently not very advanced, so may have given a false sense of security. The Datainspektionen stressed that the controller always remains liable for use of the data handed to the processor, irrespective of how the processor structures its operations.
The second decision concerned the use of Dropbox, a file-sharing service (provided by Amazon) where a municipality was again the customer. The service was intended to be used to store corporate information such as minutes of meetings. However, it was discovered that employees of the municipality were using the service to store more sensitive information, a fact of which the municipality were aware. The Datainspektionen said that the municipality must implement proper privacy policies in such a case.
The third decision concerned Brevo AB, which operated a form of digital letter box on a Microsoft platform. The question arose as to whether it was a controller or processor in relation to the data stored on its service. The Datainspektionen found that it was a controller, contrary to Brevo's arguments. The Datainspektionen also found that Brevo was in breach of the law as it did not know (as in the Salem case mentioned above) who was processing the data, since Microsoft claimed the right to sub-contract processing without notice to Brevo.
In conclusion it may be necessary for cloud providers to be more realistic in contract terms, and customers more rigorous in vetting them.
Thomas Nortveldt of the Norwegian Consumer Council said he was probably the only consumer representative at the conference. Despite their consumer focus, however, the Council did recognise that customers needed to provide data to receive services, and service providers needed to process that data.
The Council had been active in making a complaint against Facebook and Zynga. It asked the Norwegian DPA whether it had jurisdiction but was told that it did not, because Facebook was based in Ireland. This led to the (perhaps surprising) conclusion that because of the fairly small establishment of Facebook in Ireland the Irish commissioner had jurisdiction over all Facebook users except those in the US and Canada.
The Council had developed with ICT Norway a project on the value of products uploaded to cloud services, aiming at a self-regulatory norm for secure storage in the cloud. It had created a seal of approval for online services. It had also conducted a survey on the attitude of consumers to cloud services. It found that people were concerned about loss of control over data, wanted Norwegian law to apply so that they knew they were protected, and wanted to know where their data was.
Kaisa Olkkonen of Nokia drew some comparative conclusions on approaches across the region. There were some differing practices in Nordic countries, e.g. on BCR mutual recognition and treatment of model clauses. Notification duties differed, leading to potential difficulties where both controller and processor were obliged to notify exactly the same processing.
The Nordic regulators were generally not penalising cookie use as long as users were properly informed - they were not currently insisting on consent.
There were differences in relation to breach notification. In Finland all companies with online services were under a duty to notify security breaches. Rules differed from one country to another as to whether it was necessary to notify just the DPA or users also. It was generally hoped that DPAs would not be overburdened with notifications to no purpose, especially when the new Regulation came into force.
Please join us for our April 2016 Privacy and Cybersecurity Events.