Overview: legal aspects of databases
Data Protection
- General: Directive 95/46
- Particular: Directive 2002/58
Intellectual Property
- « Traditional copyright » protection for the structure
- « Sui generis » protection for the content
- Database: collection of independent data arranged in a systematic or methodical way and individually accessible by electronic or other means.
- Substantial investment
- Maker of a database has an exclusive right to prevent extraction and/or re-utilization

General & sector specific regulations
General: 95/46
- Protection of personal data
- General data protection principles
- Scope? Online and offline; public & private networks
Specific: 2002/58
- Privacy & electronic communications
- Specific obligations (e.g., cookies, spam)
- Scope? Communication service; public networks

Scope: Directive 95/46
« Processing of personal data »
Personal data:
- Information concerning a data subject
- Identifiable natural person
- Direct or indirect
- Controller or third party
- Legal entity: SME?
- IP address?
- firstname.lastname@example.org?
Processing:
- Any operation performed upon personal data
- In the EU?
- Outsourcing to non-EU countries?

Data Protection Principles
Data must be:
- fairly and lawfully processed;
- processed for specified, detailed and legitimate purposes;
- adequate, relevant and not excessive;
- accurate;
- not kept longer than necessary;
- processed in accordance with the data subject's rights;
- secure and remain confidential;
- not transferred to countries without adequate protection (outside EU).
Processing activities « must » be notified to the supervisory authority.

Processing
« shall mean any operation … whether or not by automatic means, such as collection, recording, organization, storage, disclosure by transmission, dissemination or otherwise making available, etc. »
Means of collection:
- Data subject is aware, e.g., webform / trade fairs
- Data subject is not aware, e.g., spyware

Case Study 3: disclosure of personal data
- Web database or online database
- Database query to retrieve all persons with certain properties
- Broad and open notion of « processing » includes « disclosure by transmission, dissemination or otherwise making available »
- Pay attention to unauthorized disclosures
- Personal details on website: Lindqvist case
- Unauthorized access and retrieval of information
- Transfer to third parties, e.g., business partners or other DB

2. Sector Specific regulation
Directive 2002/58/EC on privacy and electronic communication
- One of the Directives of the new « Telecom Package »
- Update of Directive 97/66 on privacy and telecommunications
Overview:
- Scope
- Contents
- Articulation with general framework

Scope: sector specific regulation
« This Directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community. »
- Public networks: no private or corporate networks
- « Individual » communication: no broadcasting
- Online exploitation, ASP?
- Includes: protection of the legitimate interests of subscribers who are legal persons (SME).
Scope is not always very clear & distinction sometimes too academic.

Sector specific regulation
Contents: clarification of some principles
- Cookies, spyware
- Security and confidentiality
- Traffic & location data
- Directories of subscribers, e.g., yellow pages
- SPAM: collection and use of email!

Sector Specific regulation
Pragmatic approach and articulation:
- Directive 95/46 applies to all networks
- Obligations imposed by Directive 2002/58/EC, “covered” by Directive 95/46/EC
Example: Security
- 2002/58 (art. 4): The provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard security of its services, if necessary in conjunction with….
- 95/46 (art. 17): The controller must implement appropriate technical and organizational measures to protect personal data against … all other unlawful forms of processing.

Cookies – online identifiers
- Online exploitation of database requires the identification of customers
- Processing of personal data: Directive 95/46
Directive 2002/58:
- Legitimate purposes
- User must be informed on the installation, on its purposes
- Users should have the opportunity to refuse to have a cookie
- User should receive user-friendly information on how to refuse installation
- Consequences of refusal – conditional access

Use of electronic contact details (email)
Unsolicited communications: article 13
Principle: OPT IN
- Addressees must give their prior consent
- How to obtain a prior valid consent?
- Electronic mail: email, sms, mms… pop up?
Exception: OPT-OUT if:
- Existing commercial relationship
- Same natural or legal person
- Similar products or services
- Consumer is given the opportunity to refuse reception (opt-out)
Opt-in data bases?

Questions & Comments
WWW.ULYS.NET
Thibault.email@example.com