
EU Data Protection and Privacy Directives

 

Updated news: Organisations now have until 25th May 2012 to introduce a strategy in order to become compliant with the new EU and UK online privacy laws. It is advised to start this process immediately in order to avoid future warnings from the ICO and potential development issues.

 

Matraxis now offers a Website Cookie Audit service to help your organisation demonstrate that it is taking the first few steps towards compliance with the new EU and UK online privacy laws.

 

How can Webtrends' clients prepare for the new laws?

European countries are required to implement the new directive (Directive 2009/136/EC) by May 25, 2011, and until these laws are enacted, there are a few practical steps that Webtrends' clients can follow in order to prepare for these new laws. These are:

  • Provide information about all personal data processing to website users
    We suggest that this is done through a clearly signposted Privacy Policy that fully explains the use of cookies and other tracking codes for web analytics, web optimization and other online marketing purposes. Since the new rules emphasise transparency, even if you already set out clear information in your Privacy Policy, we suggest that you review the language to ensure that it is as clear and comprehensive as possible.

  • Obtain the prior consent of website users to the use of their personal data
    Your privacy policy should explain to users how they can control the storage of and access to cookies on their devices and refer them to their browser interfaces for further information. It should also provide a link to a form providing the information listed above and a clear and user friendly explanation of the mechanism for refusing to make their personal data available, including the loss of benefits such as ease of login and preference-based content.

  • Monitor news sources
    Webtrends recommends that you monitor news from the EU Commission and national governments over the coming months to determine how this directive will be implemented. The Field Fisher Waterhouse law firm, for example, provides publications and press-releases on its web site, http://www.ffw.com/, to which you can subscribe.

What are the privacy and data protection laws?

Data protection laws in the EU give individuals the right to control how their personal information (known as “personal data”) is used and place legal obligations on organizations using personal data to safeguard such information. These laws are derived from several directives of the European Parliament, commonly referred to as the Data Protection and Privacy Directives.

 

Where can I find the text of the directives?

There are several directives to consider (click on the links to the official text):

  • The original Directive 95/46/EC often called the Data Protection Directive.

  • The Privacy Directive 2002/58/EC designed to address primarily the emergence of mobile devices.

  • Directive 2009/136/EC, which requires that users give consent before information is stored on their device or before information already on the device is accessed. It must be implemented in national law by May 25th, 2011.

 

What's the object of these directives?

The object of these directives is to ensure users' (called “data subjects”) right to privacy with respect to processing of their personal data. In essence, the directives say that any time a user's personal data is collected and processed other than for the immediate fulfillment of a request, the user must provide prior consent to the use of this data.

 

Who must comply with data protection law?

The Data Protection Directive establishes the concept of “controllers” and “processors” and creates specific legal obligations applicable to controllers.

A controller is a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. In practice, the key aspect of this definition is the ability to decide how personal data is being collected, stored, used, altered and disclosed. Webtrends' customers are data controllers.

In contrast, a processor is a natural or legal person, public authority, agency or any other body (other than an employee of the controller) who processes personal data on behalf of a controller. The Data Protection Directive does not impose any specific obligations upon processors. Webtrends is a data processor for customers who subscribe to Webtrends' “software as a service” solution.

The Data Protection Directive applies to controllers that are either:

  • established in a country in the EU; or

  • not established in the EU, but make use of equipment situated in a country in the EU (except where the equipment is used only for transit purposes).

As a result all EU based controllers must comply with the Data Protection Directive as it is implemented in the EU Member State in which they operate. Likewise, a controller based outside the EU but who uses equipment located in the EU (for hosting personal data, for example) must also comply.

 

What data is considered personal data?

The precise definition of personal data varies across the EU due to the slightly different ways in which the Data Protection Directives are implemented in law. Fundamentally, personal data is any information that relates to an identified or identifiable living individual (known as a “data subject”). An identifiable individual is a person who can be identified, directly or indirectly, by reference to an identification number or one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.

 

Are IP addresses personal data?

An IP address can be personal data depending on the way in which it is used; if an IP address is processed with the aim of identifying an individual, the IP address may be deemed personal data. The approach taken to IP addresses as personal data will differ slightly between EU Member States.

Most importantly, some DPAs (Data Protection Agencies), especially in Germany, have taken the position that IP addresses are personal data. Webtrends' clients that are subject to the more restrictive legal interpretations of the directives can implement the changes in their use of Webtrends technology described in Webtrends IP-Less Tracking.

 

Are cookies personal data?

Cookies are generally regarded as personal data because they are used to track the activities of a computer and differentiate between users.

In the context of compliance with data protection laws it is useful to distinguish between ‘first party’ cookies and ‘third party’ cookies. First party cookies are cookies placed by the operator of the website visited by the user. These cookies enable the website's operator to advertise its own products or tailor its website to the user based on the information gathered by its own cookies. The website operator will be the controller of the personal data gathered by its own, first party, cookies. Webtrends technology enables the use of first party cookies to collect data.


Third party cookies are cookies sent by an entity other than that which operates the website. Third parties – typically advertising networks – may enter into agreements with a number of partner websites to enable them to serve cookies from those websites and collect information about visitors for the purposes of serving tailored advertising on a number of websites. Where the third party determines the means and purposes of the processing of personal data it gathers from its third party cookies, it will be a controller and must comply with the Data Protection Directive as it is implemented in the EU Member State in which it operates. Based on the difference in first party cookies and third party cookies, it is important to confirm that a vendor is using a first party cookie to collect data from your websites.

 

So, is it legal to collect personal data and IP addresses?

Yes, the use of cookies and the collection of personal data remain legal as long as you comply with the EU data protection requirements, such as the consent rules (see “How can consent be obtained?” below).


Is this not just relating to information stored for advertising purposes?

No, the directive applies to any personal data processed entirely or partly by automatic means.

 

What are the new rules on personal data?

The November 2009 directive 2009/136/EC amended the rules affecting the use of personal data. The revised directive says that the storing of information or the gaining of access to information already stored on the device of an Internet user is allowed on the condition that the user concerned has given his or her “prior consent”, having been provided with clear and comprehensive information. Specific laws adopting such new directive must be passed by each European country by May 25th, 2011.

 

How can consent be obtained?

The latest directive, 2009/136/EC, clarifies that consent must be obtained prior to any processing of personal data. The meaning of “consent” should be read in the context of the result that the EU legislators intended to achieve, that is, to tackle the problem that unwanted software such as adware, junk, or even viruses and spyware may be installed on a user's hard drive without their knowledge and consent.

 

What should you get consent for?

Consent must apply to any processing of the personal data, including storing of data on the user's device (such as with cookies), collecting data from the user's device, and using this data for subsequent activities (such as behavioral targeting).


Note that the directives also apply to “data that have not been obtained from the data subject”, such as data about the user that you may automatically retrieve from social networks.

 

Aside from data collection, what are the EU data protection requirements?

  • Notification to authorities
    Under the Data Protection Directive controllers are required to register with the local Data Protection Authority of the Member State in which they intend to process personal data before they can begin processing personal data. In some cases controllers may also require approval from the local Data Protection Authority before they can begin processing personal data.

  • Notice and information provision
    Controllers must have a Data Protection Statement or Privacy Policy to inform the individuals to whom the data relates, of the purposes for which the data is intended to be processed and any other relevant details (such as the potential recipients of the data and whether the individuals will be contacted for marketing purposes).

  • Legitimate processing conditions
    A controller may only process personal data if at least one of the so-called “fair processing conditions” (e.g. consent, contractual necessity, legitimate interests, etc.) is met.

  • Quality of data
    With regard to the quality of the data, the Data Protection Directive provides that personal data must be accurate, up to date and not kept for longer than is necessary for the purposes for which it was collected.

  • Honouring rights
    A number of rights allow individuals to exercise a certain degree of control over the way their data is used and therefore controllers must be prepared to honour those rights. A key right in the context of most businesses is the right of individuals to prevent the use of their personal data for purposes of direct marketing. This right entitles individuals to ask the business to cease (or not to begin) marketing-related communications by any means. In order to exercise this right, individuals must always be given the opportunity to opt out from receiving direct marketing.

  • Security
    Controllers must put in place appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, accidental loss or alteration, or unauthorized disclosure or access. In addition, where a controller engages a third party to process personal data on its behalf, the controller must ensure that the processor adopts appropriate and equivalent security measures.

  • Adequate protection for transfers
    The Data Protection Directive allows personal data to be transferred outside the European Economic Area only when the third country provides an “adequate level of protection” for the data or when the controller adduces adequate safeguards with respect to the protection of privacy.


The options available to controllers to legitimise international transfers of personal data include:

  • Applying European data protection standards across the organisation through the adoption of Binding Corporate Rules (for intra-group transfers);

  • Entering into the standard contractual clauses adopted by the European Commission allowing exports of personal data on a global basis; or

  • Relying on the “Safe Harbor Privacy Principles” (for transfers to the USA only) where the receiving entity is Safe Harbor certified.

 

What is the "Safe Harbor" certification?

The Safe Harbor certification is a self-regulatory certification based on a number of principles (the Safe Harbor Privacy Principles) which have been approved by the European Commission as offering adequate protection for personal data transferred from the EU. As a result, an organisation that voluntarily becomes a signatory party to the Safe Harbor scheme will be regarded as providing an adequate level of protection for the purposes of the Data Protection Directive.

The decision by organisations based in the USA to abide by the Safe Harbor Privacy Principles is entirely voluntary. Organisations that decide to participate in the Safe Harbor scheme must comply with the relevant requirements and publicly declare that they do so. In practice, an organization needs to self-certify annually to the US Department of Commerce in writing that it agrees to adhere to the Safe Harbor's requirements. It must also state in its published privacy policy statement that it adheres to the principles.

Webtrends is certified as compliant with the Safe Harbor requirements. In addition, Webtrends is certified by TRUSTe, an independent third party provider of a privacy seal, as to compliance with the EU Safe Harbor requirements.


Disclaimer: This information is not intended to constitute legal advice and should not be relied upon in lieu of consultation with appropriate legal advisors in your own jurisdiction. It may not be current as the laws in the area of internet privacy change frequently.


For more information, please contact Matraxis by e-mail or call Matraxis on 020 8133 8323 to discuss how Matraxis can help your organisation prepare for the changes in EU and UK online privacy laws. Alternatively, read how a Matraxis Website Cookie Audit service can be of benefit.

 
Copyright © 2012 Matraxis. All Rights Reserved.