Freedom of Expression
This right is deeply entrenched in law with the European Convention of Human rights (in the UK with the Human Rights Act) and now the EU’s version the Charter of Fundamental Rights.

That is not to say it is an absolute right, rather, it is expected that countries are able to encroach on this when needed.
However the Convention and Charter regulate how this is done and for how long.

One of the main controls is to ensure any encroachment has a solid legal basis (see article 52 (1) ).

Another consideration is that the inroad into an individual’s freedom of expression should be proportionate to the outcome sought (don’t use a sledge hammer to crack a nut).

Practically speaking, with the onset of the Lisbon treaty the CJEU must now consider the Charter to have the same validity as any other EU treaties, meaning when they address a problem, which affects the single market for example and the application of EU laws, they must also consider the effect on the Charter.

It is precisely within this frame that the AG last week considered a measure taken by a Court in Belgium to address illegal file sharing.

Scarlet v SABAM
The SABAM is the Belgian equivalent of PRS, a royalty collecting agency representing music artists.

They successfully applied to the lower court of Bruxelles for an injunction against an ISP named Scarlet.

The scope of the injunction was to monitor, identify, filter and block communications where illegal file sharing was taking place, the duration of the injunction was indefinite and the cost of managing this was to be borne by the ISP entirely.

Scarlet appealed against the legality of this injunction to the Court of Appeal of Bruxelles, who deferred the question to the CJEU.

The particular question put to the CJEU was whether the domestic law relied upon by the judge, set in the context of the Charter and other EU laws including data protection, could legitimise granting such a far-reaching remedy.

Important to note here the lower Court relied upon a domestic law, which allows it to give an order to cease copyright infringement. But even more interesting was that this law was in itself a transposition of EU law (article 8(3) of directive 2001/29 and article 11 of directive 2004/48).

So the question essentially touched on not only whether Belgian law could warrant such an injunction but also whether the underpinning EU law could support this type of action.

The AG’s Opinion
The AG thought not (see in particular section E  of Opinion; currently the opinion is only available in French but can be auto translated by Google Translate ) For the AG, under the Charter, the quality of any law should be sufficiently precise that others can be certain of its effects and adjust their behaviour accordingly. Using the words of the European Court of Human Rights the AG said the law should be “formulated with sufficient precision […]  to foresee […] the consequences which a given action may entail” (para 94)

To expand further on this notion, the AG referred to a Turkish case brought to the European Court of Human Rights where the law in question gave the power to chief prison officers to intercept and retain prisoner correspondence if the officer thought the contents were “embarrassing” (Footnote 85 of the Opinion). It was thought such a law did not indicate with sufficient clarity the scope and conditions for the exercise of this power by those authorities.

So details are crucial if a law is to be in line with the Charter, primarily, so people can foresee the consequences.

In this case, from the point of view of Scarlet, the adoption by the lower court of this injunction was an extraordinary measure, both difficult to foresee and due to the serious economic consequences smacked more of being arbitrary.

The ISP was demanded to achieve the result of blocking illegal file sharing but the solution of how this could be done was completely innovative.

Also the injunction gave no guarantee of how subscribers’ personal data would be protected. Nor did it provide any recourse for appeal by affected subscribers.

On this basis, the AG concluded the national law and by implication EU law could not have given authorisation for such a measure. Essentially there was no solid basis in law for this remedy when read in light of the Charter.

Digital Economy Act
If the Court decides to follow this Opinion then other EU countries who are rolling out new laws to combat internet copyright infringement may take more time to stamp out the details of their laws rather than handing over general powers to the judiciary or executive.

How may this affect the UK and the Digital Economy Act?

The UK is obliged to check compatibility with the Human Rights Act (HRA) when passing any new law.

Lord Mandelson okayed the Digital Economy Bill in the Commons but when the bill reached the House of Lords Joint Committee of Human Rights, concerns were raised about so-called ‘skeletal measures’ where powers are granted under the Act and the detail worked out in secondary legislation.

In fact, the Joint Committee said it was “impossible [to] assess fully” whether the Bill is compatible with the HRA due to the lack of detail. Not a good sign. (see in particular 1.28).

One such example of a ‘skeletal measure’ is Article 18 of the Act which allows for the secretary of state to introduce ‘technical measures’ to limit access to the internet for alleged infringing subscribers.

This particular measure is currently under judicial review by the high court but this SABAM Opinion could be the tipping point for a declaration of incompatibility with the Human Rights Act, or maybe there is a referral to the CJEU in the waiting.

Luckily for the government a referral to the CJEU would not see the Digital Economy Act being scrutinised in the same way as Belgium law has been under the Charter. The UK added a few provisos when giving the Charter the force of law with the Lisbon treaty, one of those was to preclude the CJEU from judging whether a UK law violates the Charter (see article 1 of protocol 7).

Interestingly the Telegraph have noted that the Government are circumventing the need to even rely upon article 18 Digital Economy Act by opening “talks between ISPs and the music industry to encourage a voluntary agreement on a list of websites that would be blocked”.

In conclusion, in the UK, it is understandable for the government to grant some general powers rather than type out every possible detail in the law when addressing copyright infringement. This is particularly true in the field of technology and the internet, where flexibility is needed to adapt to this ever changing environment. But at the same, it is equally important in light of the essence of the SABAM opinion to ensure sufficient precision in the law to ensure its validity when placed under European human rights scrutiny.

Data must be retained so that it can be handed over to the authorities on demand, and must be kept for at least one year, so that it can be used by the authorities if necessary. The data that the law will require the sites to retain includes personal information such as customer names, addresses, telephone numbers and even passwords.

However, Google and over 20 other companies want to reverse the new legislation. The ASIC argues, “It doesn’t make sense to have different requirements in France than what we have in Spain and England. Also we do not feel comfortable turning our customers’ passwords over to the police”

The new law raises a number of concerns over privacy, something for which Google and Facebook have already faced criticism as a result of their collection and retention of personal information. In fact Google has been the target of legal action brought by France itself, and was last month fined $142,000 after collecting data through wireless access points around the world.  On a related note, Facebook has found it necessary to change is privacy settings in light of concerns over access to user information.

With a number of the companies affected by the legislation having suffered damage to their reputation themselves following the efforts of privacy advocates, it is no surprise that they are objecting to a new law which will now require them to retain, and release on demand, their users’ personal data.

The new law could be could prove particularly problematic in cases where security is breached. If companies are bound to retain a broader range of user data, including passwords which might be used with a variety of services, it is more likely that an attacker would be able to gain complete access to millions of Internet users’ accounts across not only social networking sites, but email, intranets and possibly even online banking.

The head of ASIC, Benoit Tabaka, has highlighted a range of problems with the new law. One issue he raises is that ‘there was no consultation with the European Commission.’ He goes on to explain that, ‘Our companies are based in several European countries. Our activities target many national markets, so it is clear that we need a common approach’. And he claims that collecting and retaining passwords is a ‘shocking measure’.

In light of the increasing concern over privacy online it is not surprising that the new law has caused a stir. Especially among those companies which have come under attack as a result of their collecting personal information.  Furthermore, is this yet another burden for new IT business to bear, as touched on previously in our post covering Regulation and Start Up Britain, and could it lead to a less competitive marketplace here if similar measures are adopted in the UK?

Proposed reforms to data protection law in Europe, including the right to be forgotten online, and changes to laws which affect when cookies may be stored and accessed by websites, are aimed at developing a “comprehensive set of existing and new rules to better cope with privacy risks online”.  However, while entrepreneurship is hailed as a means for economic recovery, over regulation would certainly represent a significant obstacle  to start ups.  While the barriers for entry to the online marketplace have traditionally been very low, and while web based businesses have been relatively free to design their systems and user experiences as they wish, these freedoms are increasingly weighed against the privacy of users.

Regular scandals serve to highlight the importance of more effective safeguards on the use of personal information, for example the loss of address, bank, and national insurance details for 25 million people in 2007; a BP laptop going missing with personal data for thousands of oil spill victims on board last month; and the exposure of names and email addresses following a cyber attack aimed at Epsilon, who provide e-mail services to several high profile businesses.  There is good reason for concern over the safety of information we provide online, but notably, in each of the cases mentioned here, the exposure of personal details was not necessarily attributable to a lack of consent or misuse of data, but to a breach of security.

Freedom to do business online must be balanced with controls on the use of data, especially as the growth of social media sees more and more interaction taking place on the web. However, if the scales are tipped too far one way or the other, regulation may have a severe negative impact on businesses, or the privacy of web users.

Following the increase last year in the maximum fine which can be levied by the ICO from £5000 to £500,000 and calls for the law to provide mechanisms for enforcement against global companies, the growing reach and impact of data protection law means a steadily increasing burden on website operators to obtain consent for the collection of visitor data, to control its use, and to control access to it.  While compliant businesses are likely to develop trust, and while stricter rules may give web users greater peace of mind, it might be argued that education could play a more significant part in preventing breaches of privacy online, and reduce the need for regulation.  It will be interesting to see whether the reforms strike the right balance, and allow entrepreneurship to thrive, or whether they eventually raise the bar to entry such that only larger players have access to the market.

In this respect, last week the EU Commissioner announced that privacy reform was back on the top of the agenda for this year.
She mentioned the changes envisaged will be based on the pillars of transparency; privacy as default; protection regardless of data location and the right to be forgotten.

Pillars of reform
Transparency or the ‘openness principle’ is a pre-requisite to building trust on the internet and is an agreed necessity voiced by data protection commissioners (see chapter 10 ).   According to the RAND report “where and how personal information is stored and used is becoming increasingly opaque due to technological advances”.

The ‘Privacy as Default’ approach described by the Commissioner aims to make it easier for individuals’ to configure their privacy settings on social networking sites – a possible reaction to the controversy last year surrounding Facebook’s settings (see previous post)

The Commissioner considers the same principle of ‘Privacy as Default’ could also be used to control the collection of data by software applications. This view is consistent with the proposed changes to cookies law due to be implemented where the starting principle is that consent is required every time a cookie is used (although there are exceptions).

The EU Commissioner wants EU citizens to be protected regardless of where their data is processed: “Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules.” Currently companies ‘established’ in the EU are subject to the Act. It is not clear, short of an international treaty, how the EU intends to protect EU citizens outside of its jurisdiction. From looking at the report of the Commission in November 2010, they seem undecided yet how this will happen in practice.

Lastly and more intriguingly is the so-called ‘right to be forgotten’.

The EU Commissioner refers to the ambition behind this right as being “a comprehensive set of existing and new rules to better cope with privacy risks online”. Individuals will be given the “right – and not only the “possibility” – to withdraw their consent to data processing.”

Although it is not yet clear what the scope of this right will entail, there have already been some doubts surrounding its practicability. The New Scientist have commented “Once you put something online it can easily be copied and widely distributed, and deleting the original will do nothing to stop people finding a copy elsewhere ”.

Also, an interesting consideration is what would happen when a right to be forgotten implicates third parties. Say for instance, I take an unflattering photo of you at a party upload it on Facebook and tag you. As I am tagging you with the photo this become personal data which Facebook is processing.

If, under this new right to be forgotten, you decide to withdraw your consent to have your data processed will Facebook have to remove it from my photo album? If this is the case then immediately social media sites will be drawn into mediating between people exercising the right to be forgotten and the rights of others who are affected by that right.
Although the principles announced by the Commissioner seem to be reasonable and needed, it remains to be seen what exactly is being proposed and how they intend to deal with the practical issues raised.

Essentially people want to socialise online, are concerned about their privacy and have begun to actively manage who sees what.

But one of the main challenges in trying to protect the privacy of individuals within the sphere of social media is keeping up to date with the constant pace of innovation.

New ways of sharing an individual’s personal details, such as their location, their preferences, are introduced, but it takes time for the law to catch up and, in the meantime, businesses are left with little guidance and individuals proceed with little awareness of consequences.

In this ever-changing environment, it may be important to re-assess the adequacy of tools used to protect privacy and consider whether any additional tools may be used to supplement these.

Just in time notification
TrustE is a privacy services provider and offer certification of websites. Unlike the above author, it is their view not that ‘privacy is dead’ but rather ‘privacy policies are dead’.

Obviously privacy policies are not dead as they are an immovable legal fixture, but from reading the remarks of the author, Fran Maier, it is not so much that privacy policies are dead, but that additional tools are needed to face new challenges to privacy.

Here TrustE suggests the concept of ‘just in time’ notification. This would be relevant whenever a new piece of technology is introduced and new types of data are being collected. The idea is that whenever an individual is about to share their data using a new feature a notification would be available to a visitor to explain to them the implications of going ahead.

An example of this would be the ‘Like’ feature from Facebook. This is a feature where users of Facebook may share the websites or videos they recommend with their friends. This feature is added to third party sites so that a visitor would simply click on the feature on the site to express their approval of the content.

When this was originally launched, TrustE wrote a blog recommending to businesses who were integrating the feature on their website to add a Just-in-time notice. They suggested to add a ‘?’ next to the feature which, when rolled over with a mouse, would inform the visitor about the privacy implications of the Like button, such as that this information will appear on your friends’ newsfeed.

However, as you can see from the above post they have decided that it is no longer necessary to have this notice due to “the ubiquity of the Facebook like button across the internet and the time users have had to familiarize themselves with the button”.

Essentially the public need time to build familiarity with a new piece of social media technology and they benefit from short notices when their privacy is at risk so they can make informed decisions before proceeding. Once the public are familiar with a new feature or practice then these little warning signs can be phased out. Obviously the information on how data is used should also be found in a privacy policy and in no way could these notices become replacements of the role of privacy policies. They would merely be supplements.

Fran Maier’s definition of privacy is interesting: “confident in the expectation of the outcome”.  This implies that an individual knows what is going to happen when they click on a button to, for example, share their location with friends. Underpinning this definition are the key principles of transparency, trust and accountability.

Businesses striving, therefore, to build a relationship with their customers on the basis of these three principles are likely to be reassuring their customers. The bottom line is, if customers can trust you with their privacy then this is likely to produce a halo effect where your customers feel they can extend their trust to your business as a whole and buy from you.

A privacy policy protects you and indicates to your visitors what they’re agreeing to by using your website. If you’re running an eCommerce site or any site that registers visitors and collects their information then your website must have a privacy policy. At its most basic a newsletter subscription form involves collecting personal details from individuals.

Reassures site visitors
A privacy policy is all about providing reassurance to your customers. Basically the message it communicates is this: We collect this type of information, we have security measures in place to keep your information safe, and this is how we use the information we hold about you.So it’s really all about being up front and fair.

Some key elements which the policy should cover are:
•    Who is operating the site.
•    Who is collecting the information on the site.
•    How the information is used.
•    Whether cookies are used.
•    How personal information is protected and kept secure.
•    Whether you are processing information that is classed as sensitive, such as medical records.

You will need to find out whether your website gathers transaction data to identify visitors, and explain how you use that information within your company or if you are sharing it with anyone else outside of the company. For example, will you use the identification data to come up with new offers or to sell names to merchandisers?

Are your online operations secure?
Explain how users can work out when they are in a secure area – namely, when the url changes to https:// and the little lock symbol appears. Focus on the benefits that a secure area gives to users. People should be reluctant to give their credit card information in an eStore that is not secure.

Unsubscribe policy
When people read your privacy policy they will want to know how they can start or stop receiving email from you. You will need a system in place so that you can explain how they may unsubscribe from your communications. Reassure them that they will be able to do so at every point if they receive your communications.

This is the single most important step to take care of when setting up your database system – to have an effective way of keeping track of unsubscribes and updating your list.

Using an ‘opt in’ or ‘opt out’ box at the point of collection is a useful way to build trust and lower barriers and is sometimes necessary, for example if you intend to sell their information. Email validation is a good idea when people sign up on your site, as a way of checking it really was that individual who requested to be added to your newsletter list. But as long as you have a solid unsubscribe system in place, it is the best way to prevent your emails being experienced as spam.

Viewing and editing personal information
Clarify your users can edit their data. For example, say “You will be able to update all the personal information you give us online by logging into such and such an area”.

Registering with the Information Commissioner’s Office
A crucial step which is often overlooked is to register with the Information Commissioner Office (ICO). Anyone processing personal data of individuals (name, number, address) has to register. Most online businesses will be processing such data just by having a website so the scope of this requirement is much broader than what may be thought. That said, the registration procedure is relatively straightforward. You can follow the explanation provided by the ICO here. In essence you download the notification form, complete and return it. Depending which category of business you would fall under, you pay the appropriate fee to register.

Getting a Privacy Policy for Your Business
While there will be many provisions in a privacy policy that are common to all businesses that have a website, (for example, 90% of websites will probably be using Google Analytics) it is important to understand that you need to read any standard privacy policy document you intend to use for your business, and make sure it is true for you. For example, it may not be true to say that you are using all appropriate security and technical measures (such as passwords, firewalls etc), if you are in fact not doing so.

Who are your ‘friends’?

No longer is it easy to protect your privacy; instead Facebook is encouraging you to broadcast as much of your personal information as possible to a network of your ‘friends’.  Although Facebook privacy settings enable you to control who sees what information, and the general idea is that only those on your friends list can see this information, the nature of ‘friends’ on social media and on Facebook is much different to friends in real life.

On Facebook a friend could be anyone from your best friend to an acquaintance you only just met. For the majority of people on Facebook, their friend list does not just include people they know well and can trust. Introducing Facebook Places encourages people to share their current locations meaning that everyone on your friend network can see where you are.

Location sharing

Location sharing is not a new phenomenon.  Websites such as Google, Foursquare, Gowalla and Shopkick also offer services letting people share their locations.  Companies such as Gap and Starbucks even offered free vouchers to those who checked in their location as being in their stores. However, only 4% of people in the US used these services, 80% of whom were men and 70% between 19 and 35.

Location sharing has still not hit the mainstream.  However with Facebook now introducing these services, given its 500 million users it could bring location sharing to the masses.

Privacy issues

Location sharing has huge privacy concerns. Letting Facebook know where you are could enable stalkers to reach you more easily, and it lets people know when your house is unoccupied.

Facebook stalking is a term used by younger generations, as Facebook enables people to look at what others are up to and to look through their photos. Now with location sharing, the term ‘Facebook Stalking’ could literally mean just that – physical stalking.

Implied Consent

On top of this, the privacy settings which come with the Places app imply that you consent to its features.  So Facebook has gone ahead and assumed your consent to something before you have had a chance to decide for yourself whether you want to opt in.

One feature of Facebook Places, which assumes implied consent, is the ‘people here now’ one. The standard settings automatically give your location whereabouts to not only your friends, but complete strangers who also happen to be in around the same place as you.  Also, as mentioned earlier friends can check you in places on Facebook. This is probably fairly harmless provided you trust your friends, but given the nature of friends on Facebook this might not be the case.

Opting Out

It is fairly simple to opt out of these two features.  However, in this information overloaded society people might not find out something is happening for months on end. They may not notice that they have been giving their consent to Facebook Places, and so they might not be aware that there was any need to opt out of anything.

Should Facebook really be implying consent without letting members know what the implications of this is? How accurate is it for Facebook to announce that “no location information is associated with a person unless he or she explicitly chooses to become part of location sharing. No one can be checked in to a location without their explicit permission.”

Conclusion

Once again, with the introduction of Places, Facebook finds itself the subject of widespread debate in relation to privacy concerns.

Really, when it comes to sharing personal information, Facebook’s respect for privacy will best be demonstrated if it  lets people opt-in, rather than them having to opt-out. This way no one could accidentally share information with the Facebook network without realizing it.

Beyond the Data Protection Act there are a number of other laws which clarify and add to the obligations placed upon businesses when using data.

The Privacy and Electronic Communications Regulations seeks to regulate the collection and use of an individual’s contact details for marketing purposes. This would cover sending marketing emails to individuals after having obtained their email address in exchange for a newsletter or an eBook.

A key question here is whether the individual has to specifically opt in to receive certain types of communication, or is it sufficient to give them an opportunity to opt out of certain uses you may want to make of their data?

For most forms of marketing, the general principle under the Regulations is that of ‘prior consent’, namely the individual should ideally give consent to the use of their details envisaged by the business before they can be contacted. In practice this consent can be sought by providing an ‘opt-in’ or an ‘opt-out’ tick box at the point of collection. The difference between the two is that of an individual expressly permitting or prohibiting marketing emails from the business.

An alternative means of showing consent under the Regulations are through ‘soft-opt-ins’. This is where essentially prospective customers or clients provide their details.  Soft opt ins have a number of conditions attached, namely: the details should be collected in the context of a sale or negotiation of a sale to the individual; the marketing emails should relate to similar products and services only; the individual must be provided with an opportunity to opt out at the point when the details are collected and every time they receive a marketing email (this can be done by way of an ‘unsubscribe’ link in the email). For more details on best practice for email marketing see Direct Marketing Association’s guidelines.

For B2B marketing emails, however, the above restrictions do not apply. The opt-in restrictions in article 22 of the Regulations only apply to ‘individual subscribers’ and not ‘corporate subscribers’.  But beware of sole traders and partners who are effectively businesses in the guise of individuals.  If there are any such individuals in your business database, they need either to be treated separately as individuals, or the whole database needs to provide the opt-out and other facilities required for individuals.

Obviously individuals from companies may, in practice, be providing their individual details, but where, for example, the marketing email is addressed to the company itself and the recipient’s email address is non-personal then no opt in provisions should be necessary. That being said every marketing email should always display the identity, contact details of the sender and, if sent by a company, contain the respective details of the organisation such as the company’s registration number.

In addition to this, any individual can at any time under the Data Protection Act request an organisation to cease or not to begin direct marketing to him. Such a request does not need to wait for the organisation to contact him. It must be complied with in a reasonable time.  In practice it often takes time to set up the mechanism, so it may be worth sending him a brief email saying that his message has been received and will be acceded to, but that it may take a week or so to set this up, in which case it is just possible he will receive another direct marketing email in the mean time. It is good practice to keep all such requests in a Stop List, to be run against any future emailing before it goes out, so that if at some future date the organisation acquires his details again it does not start sending him more direct marketing material. This particular opt-out is not confined to emails but may apply to other types of communication.

An interesting point to flag up is that the legislation may set the threshold of what is acceptable in relation to email marketing, but the contract with the Email Service Provider may have even more stringent clauses. Some hosting companies may be contractually entitled to seek damages from customers engaged in unsolicited bulk mail. So as a rule of thumb the terms of business from a hosting service should always be reviewed before engaging in direct marketing.

In all, best practice for  ensuring compliance with legal requirements is by using  opt-in based marketing as much as possible, and stating how you will use  personal details (for example, by featuring a link to your privacy policy).

Ultimately, it depends on the business you are in as to how you comply with the requirements of the legislation.

Organisations must in any event provide individuals with information as to their identity, and the purposes for which the data is sought from the individual and other relevant matter (eg if the data is to be passed to a third party), and all this is usually wrapped up in the general Privacy Policy on which the Commissioner’s guidance can be found here . You can either link your Privacy Policy to the easy way for individuals to opt out of your emails, or you may wish to put both these requirements (Privacy Policy and Opt-out) in one web page.

However, if you intend to share data with third parties, or to sell the data then you do need to be careful how you set up your data collection facility, and ensure that the data stays ‘clean’.

Also it is important to have a good system in place for handling complaints about unwanted emails. Failure to comply with data protection regulations could prove embarrassing in certain situations, and could even lead to a criminal conviction.

The EU introduced Directive (Directive 95/46/EC) which forms the basis of the Data Protection Act. This Act regulates how information is stored about individuals and controls the geographical movement of such information. In particular, the transferral of data outside of the European Union falls under a specific regime. Principle 8 of the Data Protection Act sets out that personal data shall not be exported to a country outside the EEA unless the receiving country can provide an adequate level of data protection. It is important to note that other principles from the Act will still apply such as lawfully processing data (first principle) which would require you to seek consent from your clients before exporting their data. The EEA is an area slightly larger than the European Union and includes Iceland, Liechtenstein and Norway. Also, the European Commission decides which countries outside the EEA provide ‘adequate’ protection, such as the USA and Canada.

If the country you are offshoring to is not in the EEA on the mentioned list then you must fulfill a number of conditions to be in compliance with the Data Protection Act. The Information Commissioner Office (ICO) states that you should ‘assess the adequacy’ of the third countries’ data protection laws.  Due to the comprehensiveness of this assessment, it is probably not an approach that every company can afford to undertake. If this is not possible then emphasis should be placed on the contract between the data exporter and the data importer to ensure that a similar level of data protection is guaranteed.  So, if we were to take the example above, the accountancy practice would be the data exporter and they would enter into an agreement with the Indian bookkeeping service, the data importer. This agreement should cover, amongst other things, the allocation of responsibilities between the exporter and importer, including any sub-processing of data by the bookkeepers.

The European Commission assists businesses in adding specific content to these contracts by supplying model clauses. These model clauses can be added to an offshoring contract (please see Commission decision 5 February 2010 here for updated clauses), but obviously they should accord in substance with the remainder of any negotiated contract. The ICO gives a detailed good practice guidance for offshoring (please see here). One of the salient suggestions is to ensure that the contract you enter into with the data importer is enforceable in both countries. But what if your company has merely set up a branch in a country outside the EU (a subsidiary) rather than offshoring to third parties? In this case the Information Commissioner has suggested that binding corporate rules (BCR) are the means to fulfill the data protection requirements (please see here for more information on this subject).

Offshoring is a growth market as technological developments continue to increase the ‘internationalisation […] of the service economy‘. Recent developments include cloud computing which may push for further growth. But as these opportunities become more accessible to businesses, it is paramount to check compliance with the Data Protection Act before leaping ahead. Are you offshoring or considering offshoring any work? Have you thought about your data protection compliance?  For a consultation about your requirements please contact us.

Can an Online Service Provider be held liable for illegal activities that occur by users on their service?  In the US, the Digital Millennium Copyright Act provides an exemption for ISPs who inadvertently provide the facilities which are used by others for infringement purposes. In Europe Directive 2000/31/EC (‘Directive on electronic commerce’) has a similar exemption for online service providers. Essentially, the resounding principle in both laws is that a service provider should not be in any way responsible when they were not aware of the fact of the infringement and when made aware they took steps to remove the content.
In further detail the Directive emphasises that there is no general obligation on Online Service Providers to monitor the content that they transmit or store (Art 15). For online service providers who are hosting content such as Google and their subsidiary service Youtube, they are specifically covered by Article 14.
This is generally how Google shields themselves from most claims but they are far from achieving complete international immunity, as last Wednesday, 3 of Google’s executives and an employee were held guilty of violating the Italian privacy code, leading to 6 month suspended prison sentences.

The Italian Case
According to the New York Times Italian prosecutors contended that “Google was negligent because it allowed a video of high school kids bullying a disabled classmate to stay on its Italian-language video service for two months in 2006”. Many comments were made regarding the post saying that it was “shameful […] should be taken down immediately”. It was not until Vivi Down, an association protecting persons with Down Syndrome, contacted the police, who then notified Google, that it was then almost immediately removed from Youtube.
In their official reaction to the convictions, Google has stated that they took down the video “within hours of being notified by the Italian police” (please see their blog post here). The question is whether any users made any complaints prior to the police take down request. The prosecutors do not seem to advance any substantial evidence on that point and have adduced that it is “reasonable to imagine” that requests were made by users for the video to be removed.

Were Google made aware of the content by other users prior to the police notification, then it is most probable that they would not be protected by Directive 2000/31/EC . However, this is an evidential point and it appears that we will have to wait a further 3 months before the judgment is published in order to read the actual motivations of the judge.
Google, in their official blog, have said that they found the decision ‘astonishing’ and that they are ‘deeply troubled by this conviction’.  They have surmised that ‘common sense dictates that only the person who films and uploads a video to a hosting platform could take the steps necessary to protect the privacy and obtain the consent of the people they are filming’. With this reaction, Google abdicates any form of responsibility from having made this video accessible to the users and takes a somewhat dramatic view on the implications of this decision: “the Web as we know it will cease to exist”.

A way forward
Blanket impunity for transmitters of information, regardless of how innocent, could be seen as a somewhat untenable proposition. Responsibility is always relative to size and Google, as Times journalist said on Friday, has gone from being David to now Goliath. However, even Goliath can not be expected to review the 20 hours of video uploaded onto Youtube every minute for objectionable content. This would be an impossible and commercially debilitating task.
More pragmatically, it may be worthy for Youtube to add a button to their page templates where all users may bring such issues to Google’s attention. In the same way that the Child Exploitation and Online Protection Centre have convinced BeBo to have an alert button integrated into their site to protect children, Google itself could have a button added to its subsidiary’s site.
The down side is that this could encourage peer monitoring which could be misused by sectarian interests or for political purposes in certain countries. Nonetheless, it would be an important development to allow direct participation in the regulation of internet rather than facing what may be inevitable state or European intervention.
In this connection, it is not inconceivable to think of a case being brought against Italy to the European Court of Human Rights, intimating that the display of a disabled child being bullied is a form of degrading treatment is contrary to Article 3 of the European Convention of Human Rights. The result of which Italy could be held accountable for failing to fulfill its positive duties under that Article. Furthermore, the Charter of Fundamental Rights has been given legal force with the Treaty of Lisbon since December 2009, thereby a preliminary question may be posed to the European Court of Justice on the compatibility of Directive 2000/31/EC with EU fundamental rights.
With this in mind, taking a more pre-emptive and participatory approach to the internet should avoid the need for state intervention and edge us slowly away from the absolute libertarianism that has reigned over the internet to a model more reflective of society at large.

What do you think would be the right way to balance the competing interests of privacy of the individual and the responsibility of ISPs? We look forward to hearing your views.