Archive for March, 2013

Article 29 Working Party’s Opinion on Mobile App Privacy

Posted by fgilbert on March 15th, 2013

On March 14, 2013, the European Union’s Article 29 Working Party published its opinion on the unique privacy and data protection issues faced by applications used on mobile device.  The 30-page opinion provides an analysis of the technical and legal issues, and concludes with a series of recommendations to app developers, platform developers, equipment manufacturers and third parties.

In many respects, this new opinion of the Article 29 Working Party is very similar to the document that the Federal Trade Commissions has published recently on the same topic.  It addresses many themes also found in the FTC documents regarding the use of mobile applications in general, or that mobile applications directed to children.

The Article 29 Opinion WP 202 provides two series of recommendations for application developers.  The first set of recommendation is in fact a recitation of general principles set forth in the proposed Data Protection Regulation, but adapted to the specific context of the mobile world, with references to location data, unique device identifier, SMS.   There are also references to other modern concepts, such as privacy design, also found on the proposed Data Protection regulation, but absent from Directive 95/46/EC, the directive currently in effect.

The second set of recommendations to application developers includes specific guidance on the actions to be taken.  These include:

  • Adopting appropriate measures that address the risks to the data;
  • Informing users about security breaches;
  • Telling users what types of data are collected or 
accessed on the device, how long the data are retained and what security measures are used to protect these data;
  • Developing tools to enable users to decide how long their data should be retained, based on their specific preferences and contexts, rather than offering pre-defined retention terms;
  • Including information in their privacy policy dedicated to European users;
  • Developing and implementing simple but secure online access tools for users, without collecting 
additional excessive personal data;
  • Developing, in cooperation with OS and device manufacturers and others, innovative solutions to adequately inform users on mobile devices, such as through layered information notices combined with meaningful icons.

The remainder of the recommendations is addressed to app stores, OS and device manufacturers, and third parties.

The protection of children reappears as a common theme in the different recommendations to the different players in the mobile market.  Each set of recommendations provided in WP 202 stresses that they should limit their collection of information from children, and especially refrain from processing children’s data for behavioral advertising purposes, and refrain from using their access to a child’s account to collect data about the child’s relatives or friends.

Laws Regulating Government Access to Cloud Data

Posted by fgilbert on March 13th, 2013

 

A program sponsored by Box and the Cloud Security Alliance, and held in conjunction with the RSA San Francisco 2013 Conference, featured European and North American attorneys specializing in information privacy and information security, and members of the Lexing Network, in a discussion of the laws that regulate government access to cloud data.

The topic is of great importance to cloud services providers and users, which are increasingly becoming aware that data or communications held in the cloud may be subject to requests for access by third parties such as a government conducting an investigation, or a party in a lawsuit. Requests for access by law enforcement, intelligence and secret services, are governed by very complex rules, and predictably, these rules differ from country to country.

As Peter McGoff, the General Counsel of Box, a major provider of cloud services, explained in his introductory remarks, cloud service providers (CSP) receive frequent requests for access to data or communications stored on their servers. They will respond to these requests in a manner that addresses the CSP’s obligations to comply with the applicable laws and its obligations to the customers affected by the access request, while ensuring that the CSP’s resources are used efficiently and reasonably.

The program followed with an overview of the applicable laws in the United States by Francoise Gilbert, Managing Director of the IT Law Group. The Electronic Communications Privacy Act (ECPA) and the Foreign Intelligence Surveillance Act (FISA) are the primary laws governing these issues, and they are supplemented by other federal laws and a plethora of state laws. ECPA and FISA were enacted in the 1970s and 1980’s, and have been amended numerous times, including through the USA PATRIOT Act 2001, and most recently through the FISA Amendment Act 2013.

A discussion with attorneys practicing in Canada, the United Kingdom, Switzerland, Italy, France, and Belgium followed. For example, Canada’s Security Intelligence Service Act (Part II)allows designated judges from the Federal Court to issue warrants authorizing the interception of communications and obtainment of any “information, record, document or thing.” In the United Kingdom, government agencies find their authority in the Regulation of Investigatory Powers Act 2000 (RIPA).  Among other things, RIPA allows the interception of communications, use of communications data, following people and the use of covert human intelligence sources.

The program concluded with tips from Peter McGoff. CSPs and other companies that anticipate receiving third party requests for access to data or communications should have in place a plan for responding to these requests in a manner that is consistent with the terms and conditions of their service, and that takes into account their obligations under the laws of the countries that have jurisdiction over their operations.

A video of the program is available by clicking here.