2 Privacy Regulations and Privacy by Design
2.1 European Union
2.1.1 Data Protection Directive 95/46/EC
In October 1995, the EU adopted Data Protection Directive 95/46/EC as a regulatory framework (thirty-three articles in eight chapters) to guarantee secure and free movement of personal data across the national borders of its member states, and the DPD went into effect in October 1998. The DPD defines the basic elements of data protection that member states must transpose into national law (e.g. UK Data Protection Act 1998); each member state manages the regulation of data protection and its enforcement within its jurisdiction. Data protection commissioners from EU member states participate in a working group at the community level according to Article 29 of the DPD.28
The Article 29 Data Protection Working Party (WP29), set up under Article 29 of the DPD, is composed of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor (EDPS) and the European Commission. WP29 is an independent European advisory body on privacy and data protection. Article 30 of the DPD describes its main tasks as: (i) Provide expert advice from the national level to the European Commission on data protection matters; (ii) Promote the uniform application of the DPD in all Member States of the EU; (iii) Advise the Commission on any European Community law that affects the right to the protection of personal data.29
This general DPD has also been complemented by other legal instruments, such as the EPD for the electronic communications sector. The EPD complements the
28 Electronic Privacy Information Center (EPIC), EU Data Protection Directive,
https://epic.org/privacy/intl/eu_data_protection_directive.html (Accessed on 27 December 2014)
29 Article 29 Data Protection Working Party Main Tasks,
https://secure.edps.europa.eu/EDPSWEB/edps/Cooperation/Art29 (Accessed on 27 December 2014)
existing DPD and sets out more-specific “rights to privacy in the electronic communication sector”. The main provisions of this Directive are to ensure that providers of electronic communications services offer “secured services” and maintain “confidential information”. This Directive particularly concerns personal data processing issues relating to the delivery of communication services, such as security process (Article 4), confidentiality of communications (Article 5), cookies (Article 5(3)), public directories of subscribers (Article 12), unsolicited communications (Article 13) and users’ control of their personal data (Article 14(3)).30
In 2009, the EPD was amended by Cookie Directive 2009/136/EC.31 This Directive requires websites to obtain informed consent from visitors before storing information on a computer or any web-connected device. The storage of user information is mostly done by cookies, which can then be used for tracking website visitors. Article 5(3) of the EPD requires that users be informed about the use of cookies, the purpose that the cookie will be used for and the right to opt out of cookies; this information was commonly placed in privacy policies that users mostly do not read.
With Article 2(5) of the Cookie Directive, which replaces Article 5(3) of the EPD, however, the website user will now be required to opt in when visiting a website containing cookies, so the website has to block cookies until visitors have given their informed consent to their use. As a result, organizations offering services and applications which attempt to access personal data will require the user’s informed consent via the opt-in principle.
30 EU Legislation Summary, Data Protection in the Electronic Communications Sector (May 2010), http://europa.eu/legislation_summaries/information_society/legislative_framework/l24120_en.htm (Accessed on 15 January 2015).
31 EU Article 29 Data Protection Working Party, Cookie Directive 2009/136/EC (November 2009), http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32009L0136&from=EN (Accessed on 15 January 2015).
In 2006 and 2009, moreover, the EPD was amended as part of a wide range of initiatives to create a “Telecoms Package”32: a comprehensive regulatory framework for electronic communications and telecommunications to align with the EU’s Digital Agenda for Europe 2020 strategy.33 These are important privacy policies for mobile app stakeholders to ensure their products and services will comply with EU privacy regulations.
In December 2009, the WP29 and the Working Party on Police and Justice (WPPJ) published a joint Opinion entitled “The Future of Privacy”34 that advocated for incorporating the PbD principles into the EU’s new privacy protection framework.
The idea of incorporating technological data protection safeguards in ICT systems is not completely new: the DPD already contains several provisions which call for data controllers to implement technology safeguards in the design and operation of ICT systems, together with security measures and organizational measures to ensure compliance.
However, apps and smart devices today are ubiquitous, global and connected.
Chapter Four of “The Future of Privacy” summarizes: “The technological developments have strengthened the risks for individuals’ privacy and data protection and to counterbalance these risks, the principle of Privacy by Design should be introduced in the new framework: privacy and data protection should be integrated
32 European Commission, Regulatory Framework for Electronic Communications in the European Union (December 2009),
https://ec.europa.eu/digital-agenda/sites/digital-agenda/files/Copy%20of%20Regulatory%20Framework%20for%20Electonic%20Communications%202013%20NO%20CROPS.pdf (Accessed on 20 May 2015).
33 European Commission, Digital Agenda in the Europe 2020 Strategy (March 2015),
http://ec.europa.eu/digital-agenda/en/digital-agenda-europe-2020-strategy (Accessed on 20 May 2015).
34 EU Article 29 Data Protection Working Party and Working Party on Police and Justice, The Future of Privacy (December 2009),
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp168_en.pdf (Accessed on 20 March 2015).
into the design of Information and Communication Technologies. The application of such principle would emphasize the need to implement privacy enhancing technologies, privacy by default settings and the necessary tools to enable users to better protect their personal data. This principle of Privacy by Design should therefore not only be binding for data controllers, but also for technology designers and producers and relevant stakeholders”.
In March 2013, the WP29 published the “Opinion 02/2013 on Apps on Smart Devices”.35 In this opinion, the WP29 clarifies the legal framework applicable to the processing of personal data in the development, distribution and usage of apps on smart devices, focusing on the consent requirement, the principles of purpose limitation and data minimization, the need to take adequate security measures, the obligation to correctly inform end users, their rights, reasonable retention periods and fair processing of data collected from.
The relevant EU legal framework applicable to mobile privacy is the DPD. It applies in any case where the use of apps on smart devices involves processing personal data of individuals. To identify applicable law, it is essential to first identify the role of the different stakeholders involved; the identification of the controllers of processing carried out via mobile apps is particularly crucial in relation to applicable law. According to Article 4.1(a) of the DPD, the national law of a Member State is applicable to all processing of personal data carried out “in the context of an establishment” of the controller on the territory of that Member State. Pursuant to Article 4.1(c) of the DPD, the national law of a Member State is also applicable in cases where the controller is not established in Community territory and makes use
35 EU Article 29 Data Protection Working Party, Opinion 02/2013 on apps on smart devices (February 2013), http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp202_en.pdf (Accessed on 19 December 2014).
of equipment situated on the territory of that Member State. Since the device is instrumental in the processing of personal data from and about the user, this criterion is usually fulfilled. However, this is only relevant where the controller is not established in the EU. As a result, whenever a stakeholder involved in the development, distribution and operation of apps is considered to be a controller, such a stakeholder is responsible, alone or jointly with other stakeholders, for ensuring compliance with all the requirements set forth under the DPD. The identification of the stakeholders involved in mobile apps is provided in Section 3.2.1 – Mobile Apps Stakeholders of this thesis.
In addition to the DPD, the EPD (2002/58/EC, as revised by Cookie Directive 2009/136/EC) sets a specific standard for all stakeholders worldwide that wish to store or access information stored in the users’ devices in the European Economic Area (EEA). Article 5(3) of the EPD prescribes that “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Data Protection Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”36
36 EU Article 29 Data Protection Working Party, Cookie Directive 2009/136/EC (November 2009), http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32009L0136&from=EN (Accessed on 15 January 2015).
While many provisions of the EPD only apply to providers of public electronic communication services and providers of public communication networks in the Community, Article 5(3) applies to every entity that places information on or reads information from smart devices. It applies without regard to the nature of the entity (e.g. whether public or private, an individual programmer or a major corporation, or whether it is a data controller, data processor or a third party).37
The consent requirement of Article 5(3) applies to “any information”, without regard to the nature of the data being stored or accessed. The scope is not limited to personal data; information can be any type of data stored on the device. Furthermore, the consent requirement from Article 5(3) of the EPD applies to services offered in the Community, that is, to all individuals living in the EEA, regardless of the location of the service provider. It is important for app developers to know that both Directives are imperative laws in that the individuals’ rights are non-transferable and not subject to contractual waiver. This means that the applicable EU privacy law cannot be excluded by a unilateral declaration or contractual agreement.38