Lexing Barcelona Conference

| Global network of attorneys specialized in emerging technology law
Barcelona Conference
September 28, 2012
#lexingbcn

First international network of lawyers focused
on information technology law

Data Protection 30’
Cloud Computing 30’
Social Media 30’
Cookies 30’
New Domain Names 15’
Q & A
General Presentation … 20’

# Data Protection
# Cookies
# Social Media
# Cloud Computing
SDPA (‘99 & ’07 & ‘10) / AEPD
High and Stringent Enforcenment !
€ 20.000.000 / 4000 proceedings
Draft EU Regulation (January 2012)
SDPA applies / AEPD – No specific regulations
AEPD Guidelines (June 2012) / EU Guidelines (July 2012)
SDPA applies / AEPD – No specific regulations
No general Guidelines / EU Guidelines
Eprivacy Rule in LSSI / AEPD
No general Guidelines / EU Guidelines (June 2012)

Data Controller
Data Processor
Data subjectData subject
Spanish Data Protection Law (SDPL)
rights obligations
Notification requeriments
Information provision obligations
Legal basis for processing data
Confidentiality & Security
Data Protection Principles
contract
Organic
Law 1999
Regulation
2007

Legitimate interest
✓ Consent
✓ Contractual relations
✓ Requirements of the law
✓ Emergencies
✓ Public Interest
✓ Legitimate interest
Ruling Feb.
2012
legitimate
interest DC
data subject
rights
DP principles
Key Obligation: process personal data lawfully
Consent: not always available or reliable criteria
Legitimate interest criterion not properly incorporated
The data should apeared in public sources ! Now void ->
Consent: not always available or reliable criteria
Legitimate interest criterion not properly incorporated
The data should apeared in public sources ! Now void ->

Cloud Computing
Amazon
AWS
IBM
Microsoft
Salesforce
Google
Oracle
Arsys
Dropbox
Apple

LACK OF
CONTROL
LACK OF
INFORMATION
Main risks
Public

Jun
Guidelines
June
2012 www.agpd.es
July
2012
No specific law regulating cloud computing but …
data protection law is applicable
No specific law regulating cloud computing but …
data protection law is applicable

# User is the Data Controller
# CC Provider is the Data Processor
contract
Guidelines

Tools & Services that facilitate conversation
General View
SNS impact on all branches of law
๏ Privacy
๏ Intellectual Property
๏ Marketing and Consumer Protection
๏ Contests and Promotions
๏ Employment
๏ Free speech
๏ Children protection
๏ E-reputation
Internal: SM used within a company
Hosted: Public SM controlled by a company
Public: Public SM outside the control of a company

#1 Audit
#2 Put in Place Policies & Programs
#3 Implement and review
✓ Conduct a comprehensive and thorough risk assessment
✓ Identify risks
✓ Evaluate the risks
✓ Address the risks
✓ Implement + Review on a regular basis
✓ Train employees and monitor compliance
✓ Demonstrate it: a policy must be reflected in concrete practices !
Bottom line is …

GENERAL PRESENTATION #END
| Spain | Marc Gallardo | marc.gallardo@alliantabogados.com
Page 23
THANK YOU

Proposed EU General Data Protection Regulation
of January 25, 2012:
State of Play
ALAIN BENSOUSSAN
alain-bensoussan@lexing.eu

Eu GENERAL DATA PROTECTION REGULATION - FRANCE
| France| Me Alain BENSOUSSAN |alain-bensoussan@lexing.eu
Page 25
What are the stakes?
– harmonize the protection of personal data in the EU
– ensure the effectiveness of such protection
Issue
– a stronger and more coherent data protection framework in the EU
Situation
– uncertain
News
– International mobilization and debate on personal data protection
Introduction

Page 26
1. Strengthen the rights of individuals
2. Simplify processes for businesses
3. Extend liability
4. Impose stiffer sanctions
Agenda

Page 27
1. Strengthen the rights of individuals

Page 28
2. Simplify processes for businesses

Page 29
3. Extend liability (1)

Page 30
3. Extend liability (2)

Page 31

Page 32
€1,000,000
or
2% of
annual
worldwide
turnover

| France | Me Alain Bensoussan | alain-bensoussan@lexing.eu
ALAIN BENSOUSSAN AVOCATS
29 rue du colonel Pierre Avia Paris 15 FRANCE
Tel. : 33 1 41 33 35 35
Fax : 33 1 41 33 35 36
paris@alain-bensoussan.com
Alain Bensoussan
D.L : 33 1 41 33 35 09
Mob. : 33 6 19 13 44 46
ab@alain-bensoussan.com
Contact

Data Protection in the United States
Recent Developments
Françoise GILBERT
Managing Director – IT Law Group
Silicon Valley, California +1 650-804-1235
fgilbert@itlawgroup.com | www.globalprivacybook.com | francoisegilbert.com | @francoisegilbrt

| Belgium | Me Jean-François HENROTTE | jfhenrotte@philippelaw.eu
Page 35
– Background
– Overview of US data protection laws
– Role of the US federal and state agencies
– Recent US Government initiatives
– Recent enforcement actions
– Hot issues
Agenda

Page 36
– No national data protection law; but dozens of Federal sectoral laws
• 1890: “Right to Privacy” defines the concept
• 1966: Freedom of Information Act (access to information held by government
• 1968: Wiretap Act (interception of aural communications and disclosure of these communications in court)
• 1970: Fair Credit Reporting Act (credit reporting agency disclosure of credit reports)
• 1974: Privacy Act (disclosure of government records)
• 1974: Family Educational Rights and Privacy Act (disclosure of school records)
• 1978: Right to Financial Privacy Act (banking and financial transactions)
• 1978: Foreign Intelligence Surveillance Act (electronic surveillance; foreign intelligence)
• 1986: Computer Fraud & Abuse Act (to reduce hacking, use of viruses)
• 1986: Electronic Communication Privacy Act (stored or in transit information)
• 1996: Health Insurance Portability and Accountability Act (health information)
• 1998: Children Online Privacy Protection Act (children information)
• 1999: Financial Services Modernization Act (GLBA) (financial information)
• 2003: CAN SPAM Act (commercial messages)
– Hundreds of State sectoral laws (+ some states have constitutional rights)
• Protect individuals residing in a specific state
• Security breach disclosure laws
• Security measure requirements
• Protection of driver’s license information, medial records, etc.
US Data Protection Laws

Page 37
– No “national data protection agency”
• Numerous federal agencies play role similar to that of the Data
Protection Agencies in European Union
– Federal Trade Commission
– Department of Health & Human Services
– Financial Services Agencies
– Securities & Exchange Commission
• Numerous state agencies, play similar role at the State Level
– State Attorney General
– Other State Agencies
– Substantial cooperation between State and Federal
Agencies
Federal & State Agencies

Page 38
– Significant penalties in case of violation
• FCRA: up to $500,000 total penalty per violation
– Actual penalties
• Google (breach of FTC consent decree) $22.5million
• ChoicePoint (breach of security) $15million
• Massachusetts General Hospital (HIPPA) $4.3million
• Sony $1million (COPPA)
• Xanga $1million (COPPA)
• CVS, Rite Aid pharmacies $1million (HIPAA + lack of security)
• Spokeo $800,000 (FCRA)
Significant Penalties

Page 39
– Federal Trade Commission (FTC):
• Top regulator in the US with respect to protection of personal
information
• Powers under FTC Act (§5), COPPA, FCRA, HIPAA
– Numerous actions against companies for:
• Failure to comply with privacy promises
• Failure to provide adequate security measures for personal
information
• Unclear and deceptive terms, which concealed important disclosure
regarding un-anticipated use of personal information
• Failure to comply with requirements of Fair Credit Reporting Act
• Failure to comply with COPPA requirements
Federal Trade Commission

Page 40
FTC Enforcement Actions

Page 41
– White House Consumer Bill of Rights (Feb. 2012)
• Restates Fair Information Practice Principles
– Federal Trade Commission Report on Consumer Privacy (March
2012)
• Privacy by Design, Privacy by Default, Online Behavioral Tracking and
Advertising
– Federal Trade Commission Report on Children and Mobile Apps
(February 2012)
• Guidelines on mobile apps for children
– Federal Trade Commission Guidelines on Mobile Apps (August
2012)
• General guidelines on the publication of mobile apps
– Participation in APEC Cross Border Privacy Rules System
Recent US Efforts on Privacy

Page 42
– FTC v. Google (August 2012)
• $22.5 million fine
• Violation of pre-existing consent decree with FTC
• FTC looked at promises made in Privacy Policy or about privacy
measures, including in Google’s representations that it complied
with the NAI Code of Conduct
– FTC v. Facebook (August 2012)
• Violation of representations made in Privacy Policy
• Including representation that FB followed the Safe Harbor
Principles
• 20-year supervision by Federal Trade Commission
Recent Enforcement Actions

Page 43
– Mobile
• Mobile apps, mobile payments, mobile privacy
– BYOD
• Bring your own device (to work)
– Social Media
• Potential employer access to social media account
– Behavioral Marketing
• Tracking devices, cookies, tags, zombie cookies
– Big Data
– Cloud Computing
• Reform of Electronic Communications Privacy Act
Other Hot Issues

Page 44
Françoise Gilbert
IT Law Group
Palo Alto, California, USA
Email: fgilbert@itlawgroup.com
Phone: +1 650-804-1235
IT Law Group: itlawgroup.com
Blog: francoisegilbert.com
Book: globalprivacybook.com
Twitter: @francoisegilbrt

CLOUD COMPUTING
LEGAL ISSUES UP IN THE AIR
Raffaele ZALLONE - Sébastien FANTI
r.zallone@studiozallone.it - sebastien.fanti@sebastienfanti.ch

CLOUD COMPUTING
NATIONAL INSTITUTE OF STANDARD AND TECNOLOGY:
A MODEL FOR ENABLING CONVENIENT, ON-DEMAND NETWORK ACCESS
TO SHARED POOL OF COMPUTING RESOURCE
SOFTWARE AS A SERVICES SAAS OFFERS ACCESS TO A
SERVICE (ES: MAIL, ACCOUNTING,
SPREADSHEET)
PLATFORM AS A SERVICES PAAS OFFERS ACCESS TO
DEVELOPMENT TOOLS
INFRASTRUCTURE AS A SERVICES IAASOFFERS HW+SW ON
DEMAND (MEMORY, PROGRAMS,
ETC)
WHAT IS CLOUD COMPUTING
THERE ARE 3 DIFFERENT SERVICES MODELS

CLOUD COMPUTING
PRIVATE CLOUDS
OFFERS SERVICES TO ONE
CUSTOMER ONLY MORE SIMILAR
TO DATA CENTERS
PUBLIC CLOUDS
AN INFRASTRUCTURE USED TO
SERVE SEVERAL CUSTOMERS
(ES: GMAIL)
HYBRID CLOUDS
SERVICE OFFERING WITH
MIXTURE OF PRIVATE / PUBLIC
CLOUD COMPUTING

CLOUD COMPUTING
CLOUD COMPUTING
MAIN ISSUES
SECURITY
CONTRACTUAL
ISSUES
PRIVACY
ISSUES

CLOUD COMPUTING
CONTRACTUAL ISSUES: MANY ARE THE SAME
AS PER OUTSOURCING CONTRACT
SERVICE LEVELS AND RELATED
MEASUREMENTS
WHAT TO MEASURE AND HOW
CONSEQUENCES PENALTIES
PROTECTION OF DATA (AVAILABILITY,
RELIABILITY)
DATA MUST ALWAYS BE AVAILABLE, IS
SUPPLIER REL IABLE?
SUB CONTRACTING: WHO AND FOR WHAT WIDE USE OF SUBCONTRACTING IS STD
NEED TO HAVE AGREEMENT ON HOW TO
MANAGE PROCESS AN CONTROLS
CONTINUITY OF SERVICE BACK UPS? WARRANTIES?
CHANGES OF PLATFORM / SW UPGRADES NEED TO IMPLEMENT CHANGE
MANAGEMENT CONTROLS
DURATION OF CONTRACT LONG TERM vs SHORT TERM: PRO’S AND
CON’S
TERMINATION OF CONTRACT AND
TRANSITION TO NEW SUPPLIER
NEED TO IMPLEMENT APPROPRIATE
MANAGEMENT AND PROCESSES

CLOUD COMPUTING
SPECIFIC CLOUD COMPUTING
CONTRACTUAL ISSUES
LICENSE vs SERVICE IF THERE IS NO LICENSE, TERMINATION OR
TRANSITION TO NEW SUPPLIER MAY BE A
REAL PROBLEM
AUDITABILITY - AVAILABILITY MUST HAVE DATA ALWAYS AVAILABLE FOR
AUDITS
MUST BE POSSIBLE TO AUDIT SUPPLIER
ITSELF
LOCATION OF DATA PRIVACY AND LIABILITY ISSUE
SUB CONTRACTORS RIGHT TO APPROVE AND AUDIT

CLOUD COMPUTING
SPECIFIC CLOUD COMPUTING
CONTRACTUAL ISSUES
INTELLECTUAL PROPERTY MAKE SURE CRITICAL I.P. IS PROTECTED
OPEN vs PROPRIETARY SWITCHING TO NEW SUPPLIER MAY BE A
PROBLEM
CHANGE MANAGEMENT SUPPLIER MAY DECIDE TO CHANGE SW,
PLATFORM, SUBCONTRACTORS? HOW AND
WITH WHAT RIGHTS/NOTICE
STANDARD CONTRACTUAL TERMS NEED OF CONTROL / FLEXIBILITY /
REGULATION OF SPECIFIC ISSUES
DATA PRIVACY ISSUES ATTITUDE OF SUPPLIERS

CLOUD COMPUTING
DATA PRIVACY ISSUES
WHERE ARE THE DATA? KNOWING THE LOCATION OF DATA IS
ESSENTIAL UNDER UE PRIVACY LAWS
CAN SUPPLIER TRANSFER DATA? SAME AS ABOVE
MANAGEMENT OF
SUBCONTRACTORS
MUST BE APPOINTED AS DATA PROCESSORS
AND MUST BE AUDITABLE, BY CUSTOMER, BY
PRIVACY AUTHORITY OR OTHER BODIES
SECURITY MEASURES AUDITABILITY – LIABILITY
ACCESS DATA ARE PERSONAL DATA WHERE ARE THEY, WHO CAN ACCESS THEM,
HOW LONG ARE THEY STORED FOR
OBLIGATION NOT TO USE DATA SUPPLIER AND SUBCONTRACTOR
RETURN OR DESTRUCTION OF DATA SUPPLIER AND SUBCONTRACTORS

CLOUD COMPUTING
LEGAL ISSUES
LIABILITY OF CLOUD PROVIDER FOR
ILLEGAL CONTENT ?
NO LIABILITY IF THE PROVIDER HAS NO
KNOWLEDGE OR AWARENESS OF ILLEGAL
NATURE AND REMOVES OR BLOCKS ILLEGAL
DATA WHEN IT DOES GAIN KNOWLEDGE OR
BECOME AWARE OF ILLEGAL NATURE (NOTICE
AND TAKEDOWN)
JURISDICTIONAL ISSUES AND
APPLICABLE LAW
THE CHOICE OF THE COMPETENT COURT AND
OF THE APPLICABLE LAW ARE FUNDAMENTAL;
IF OUTSIDE OWN COUNTRY, ANY LITIGATION
CAN BECOME PROHIBITIVELY EXPENSIVE
DISPUTE RESOLUTION ARBITRATION MUST BE CONSIDERED AS ONE
INTERESTING OPTION KEEPING
CONFIDENTIALITY AND AVOIDING PROBLEMS
LIKE CHOICE OF ANOTHER APPLICABLE LAW
BY COURT

CLOUD COMPUTING
LEGAL ISSUES
INTRODUCTION OF HARMFUL CODE
(VIRUSES AND OTHER MALICIOUS
CODE)
NEED TO RELY ON THE PROVIDER APPLYING
SUFFICIENT PROTECTION AGAINST THESE
DANGERS; NECESSITY OF IMPOSING
OBLIGATIONS TO THE PROVIDER
US PATRIOT ACT In certain circumstances, the US PATRIOT Act
allows the US government to obtain data held
anywhere in the world by US companies or
companies with sufficient connections to the
US. This would extend to data centres based in
UE that are operated by US companies and
data centres based in the US operated by non-
US companies.
IT PROPERTY OWNERSHIP NECESSARY TO ENSURE THAT THE
AGREEMENT DOES NOT TRANSFER IP
OWNERSHIP

CLOUD COMPUTING
LEGAL ISSUES
ISSUES PARTICULAR TO REGULATED
INDUSTRIES
RULES THAT LIMIT THEIR ABILITY TO
OFFSHORE THEIR OPERATIONS; EX: BANKING
OR INSURANCE COMPANIES; TEST THE
WATERS WITH THEIR REGULATOR BEFORE
PROCEEDING WITH CLOUD COMPUTING
SERVICE SOLUTIONS
SUBCONTRACTORS ALL THE RELEVANT OBLIGATIONS MUST
THEREFORE APPLY ALSO TO THE SUB-
PROCESSORS THROUGH CONTRACTS
BETWEEN THE CLOUD PROVIDER AND
SUBCONTRACTOR REFLECTING THE
STIPULATIONS OF THE CONTRACT BETWEEN
CLOUD CLIENT AND CLOUD PROVIDER
SPECIAL PRECAUTIONS BY THE PUBLIC
SECTOR
EUROPEAN GOVERNMENTAL CLOUD AS A
SUPRA NATIONAL VIRTUAL SPACE WHERE A
CONSISTENT AND HARMONIZED SET OF RULES
COULD BE APPLIED?

CLOUD COMPUTING
CONCLUSIONS AND RECOMMENDATIONS
CLEARLY IDENTIFY THE DATA AND THE
PROCESSING THAT WILL BE
ENTRUSTED TO THE CLOUD PROVIDER
EX: HEALTH DATA, WHICH CAN ONLY BE
STORED BY A CLOUD PROVIDER LICENSED BY
THE FRENCH MINISTRY OF HEALTH
UNDERTAKE A RISK ANALYSIS TO
ENSURE THAT THE CUSTOMER IS
GETTING THE RIGHT LEVEL OF
SECURITY
UPDATE THE RISK ANALYSIS
REGULARLY
REFER TO THE GUIDELINES OF ENISA
(EUROPEAN NETWORK AND INFORMATION
SECURITY AGENCY) WHEN CONDUCTING THE
RISK
BE SURE TO IDENTIFY THE RIGHT KIND
OF OFFER THAT IS APPROPRIATE FOR
A CLOUD CUSTOMER'S BUSINESS
SAAS, PAAS, OR IAAS, PUBLIC, PRIVATE OR
HYBRID CLOUD SOLUTIONS

CLOUD COMPUTING
CONCLUSIONS AND RECOMMENDATIONS
Choose a cloud provider with
sufficient service and privacy level
guarantees
essential elements that should appear in the
cloud contracts
Rethink YOUR own IT security policy such as rules on authentication of users, and
employees' use of mobile devices to access
the employer's network…
Ensure that the customer defines its
own requirements on the technical
and legal security aspects of the
processing
Localization of the data, reversibility and data
portability

Social Media 30’
Cookies 30’
New Domain Names 15’
Q & A

Some issues on Social Networks
Jean-François HENROTTE
jfhenrotte@philippelaw.eu
BARCELONA, SEPTEMBER 28, 2012

Page 60
1. How to manage issues on Social Networks
A. First, the easy way
B. Then the hard way
2. How to react if your content is removed
3. Community management, a new business

Page 61
• Social networks are not an apart world.
• Almost all the annoyances of society can be
found there, but some more often :
• Defamation
• Harassment
• Copyright infrigement
• Privacy breach
• …

Page 62
A. Soft Law
How to react ?
1. How to manage issue on Social Networks
B. Hard Law
Use the tools
provided by social
networks
themselves
Use letter of formal
notice, cease-and-
desist order,
lawsuit,…

Page 63
Internet is a particular area where :
Old fashioned legal tools are good, but…
Nothing is forgotten
Everything can be reproduced
indefinitely
from a single copy
There is always someone
on the lookout
1. A How to manage issue on Social Networks

Page 64
Beware of the Barbara Streisand’s effect
1.A How to manage issue on Social Networks

Page 65
Lawyers need to be careful when using
letters of formal notice or lawsuits
•There is a significant risk of bad publicity
•There is a significant risk to attract much
more attention due to a inadequate or
bad reaction than to the first event in
itself

Page 66
• Be quick but do not rush
• Be ready to communicate if things go
wrong
• Use the reporting tools implemented by
social networks
• It is fast
• It tackles the problem at the roots
• It prevent (partly) the spread of the problem
• Main issue  Completely arbitrary
Some guidelines

Page 67
• First, the abuse must be defined
• Break of terms and policies
• Copyright (or other IP right) infrigement
• Defamation
• Privacy matter
• Harassment
• …
• Then, follow the adequate procedure
Tools to report abuse

Page 68
• Linkedin
http://www.linkedin.com/static?key=copyright_policy&trk=hb_ft_copy
• Facebook
http://en-gb.facebook.com/help/?page=178608028874393&ref=hcnav
• FlickR
http://www.flickr.com/abuse/

Page 69
• Google +
http://support.google.com/plus/bin/answer.py?hl=en&answer=1253377
• YouTube
http://www.youtube.com/t/copyright_notice?gl=BE
• Google.com
https://www.google.com/webmasters/tools/removals?pli=1

Page 70
If :
•Social network does not comply with your
request, or not fast enough
•You feel you need a stronger action
 Unholster the usual lawyers
When the easy way is not enough
1.B How to manage issue on Social Networks

Page 71
• Easy if his real name is disclosed
• May be really hard if he uses a nickname
• In Belgium, it is almost impossible
∟ Due to recent case law, only the criminal judge
have the power to compel providers to disclose
the identity of a user (>< Spain)
∟ But, in Belgium, criminal justice is totally
overtaken and doesn’t really care about or is not
really efficient to handle these cases
First issue : Identify the perpetrator

Page 72
And is in a place where you can reach him…
Then you can sue him using :
∟ Criminal law if defamation or harassment
(Art. 443 and following of B. Criminal Code)
∟ Copyright law
∟ Civil law (Art. 1382 – 1383 of B. Civil Code)
∟ Commercial law
The perpetrator is known

Page 73
Often, the first idea when faced with a
problem (such as defamation) on a social
network is to use Criminal Law
But (in Belgium at least):
•You are not in control
•Criminal procedure can be really slow
•It may paralyse civil procedure
A word about Criminal Law

Page 74
Or you can’t reach him
Lodge a Criminal complaint against X
At the same time, act against the provider
(social network company in this case) but :
∟ they may benefit from the exemption from liability
∟ they can oppose the argument of freedom of speech
∟ they can claim that they did not commit any fault
The perpetrator is unknown

Page 75
Introduced by Directive 2000/31/EC on electronic commerce
You have to prove that:
•they do not fit into the category of intermediary
service providers (hoster in this case) as provided by
the Directive
•they had previous knowledge of the illegality or had
not responded adequately when they were made
aware of this illegality
Injuction are still possible
Exemption from civil liability

Page 76
This right is crucial to our societies, but not
absolute
You have to prove that your case stays into
one of these right's limitations
Freedom of speech

Page 77
 You need to prove that, once the provider has
been made aware of the illegality, he commits
a fault if he doesn’t react quickly to remove or
to disable access to the information
The lack of fault

Page 78
It may be hard and expensive to achieve a result
(suppression of the content, not even talking of
compensatory damages) with the hard way
Intermediary conclusions
Get yourself organised to control the places of
discussion
Use the soft way

Page 79
• Identify the pretext used to justify the
removal
• Use the counter-notice pages and tools
offered by social networks
• Act at the same time against the person
who lodged the complaint (when his
identity is known) and try to obtain from
him that he withdraws his complaint
What if your content is removed
2. How to react if your content is removed

Page 80
• A new profession related to the advent of
social networks
• This business consists in managing and
maintaining a community of “fans” of a
brand, a company, a people,… on social
networks
Community Management
3. Community management

Page 81
• Little or no education to become a community
manager
• Often a poor understanding of the risks from
the executives
• Risks are even greater than with spokesman
• Speed and spontaneity of responses
• Rapid dissemination to the community and beyond
• Fans can focus on personality of the Community manager
rather than on the brand
Issues

Page 82
• In most cases, application of labor law (if
the manager is an employee) or standards
liability rules
• In Belgium, except for gross negligence, the
employee will not be held responsible
• Particular attention should be paid to
contract !
Issues

Page 83
• Who owns the contents produced by the
Community Manager in case of break of
contract ?
• In Belgium, transfer of IP rights has to be
formally provided in the contract (>< Spain)
• Who owns the community’s members that
he has attracted in case of break of
contract ?
Upon hiring, it must therefore be decided

Page 84
• Who got the ownership and access codes
to the account ?
• When possible, it’s better that executive
opens the account themselves and then
gives (limited) admin rights to the
community manager + Executive should
keep moderating powers in case of
emergency
• It should be a good idea to write down in the
contract the unique ID of the account
Upon hiring, it must therefore be decided

Page 85
• Social networks are powerful tools for
communication, advertising and marketing
• Social networks are now part of our
everyday life and you should use them,
with care, like every other tool
Don’t Panic !
Conclusions

Page 86
Join us on
Conclusions

Page 87
• Picture of Barbara Streisand : By Allan warren (Own work) [CC-BY-SA-3.0
(http://creativecommons.org/licenses/by-sa/3.0) or GFDL (http://www.gnu.org/copyleft/fdl.html)],
via Wikimedia Commons
Credits

Regulating Cookies in Canada
Jean-François De Rico
Langlois Kronström Desjardins llp

CookiesCookies
web beaconsweb beacons
supercookies
device datadevice data
zombie
cookies
OnlineOnline
BehaviouralBehavioural
AdvertisingAdvertising

Cookies
• File created by browser and
saved on a user’s computer
by website
• The cookie uniquely
identifies, or “records” user
information/preference

PurposesPurposes
Measuring web site usage to
• Improve functionality of the site;
• Fraud prevention; and
• Online behavioral advertising;

Information collectedInformation collected
• IP address;
• pages visited;
• length of time spent on each page;
• advertisements viewed;
• articles read;
• purchases made;
• search terms;
• user preferences;
• operating system;
• geographical location.

CLOUD COMPUTING
Europe
Canada
Page 93

Europe
Obligation to provide explanation of the type
and function of cookies and obtain a user's
explicit consent before installing a cookie

Canada
Based on relaxed “opt-out” framework.
Anti-spam law (CASL)
An Act to promote the efficiency and adaptability of the Canadian economy by regulating
certain activities that discourage reliance on electronic means of carrying out commercial
activities, and to amend the Canadian Radio-television and Telecommunications
Commission Act, the Competition Act, the Personal Information Protection and Electronic
Documents Act and the Telecommunications Act (S.C. 2010, c. 23)

Anti-spam law (CASL)
Expressly allows cookies to be installed on a
user's computer ….provided the user's
behaviour suggests he or she would consent
to the installation…
(?)

General prohibitionGeneral prohibition
Installation of computer program
8. (1) A person must not, in the course of a commercial activity, install or
cause to be installed a computer program on any other person’s computer
system or, having so installed or caused to be installed a computer program,
cause an electronic message to be sent from that computer system, unless
– (a) the person has obtained the express consent of the owner or an
authorized user of the computer system and complies with subsection
11(5); or
– (b) the person is acting in accordance with a court order.

“computer program” means data
representing instructions or statements that,
when executed in a computer system, causes
the computer system to perform a function;

Cookie ExceptionCookie Exception
• 10 (…) (8) A person is considered to expressly consent to the installation of
a computer program if
• (a) the program is
– (i) a cookie,
– (ii) HTML code,
– (iii) Java Scripts,
– (iv) an operating system,
– (v) any other program that is executable only through the use of
another computer program whose installation or use the person has
previously expressly consented to, or
– (vi) any other program specified in the regulations; and
• (b) the person’s conduct is such that it is reasonable to believe that they
consent to the program’s installation.

Withdrawal of consentWithdrawal of consent

Policy Position on Online Behavioural Advertising
Application of PIPEDA to the collection/use of
data about individuals’ web activities for the
purposes of online behavioural advertising
(OBA) only.

OPC will generally consider information
collected for OBA to be PI, considering that:
the purpose is creating profiles to serve targeted
ads;
means available for gathering and analyzing
disparate bits of data and serious possibility of
identifying individuals;

The conditions under which opt-out consent to OBA can be considered acceptable are:
• Individuals are made aware of the purposes for the practice in a manner
that is clear and understandable – the purposes must be made obvious and
cannot be buried in a privacy policy, at or before the time of collection and
provided with information about the various parties involved in OBA;
• Individuals are able to easily opt-out of the practice - ideally at or before the
time the information is collected;
• The opt-out takes effect immediately and is persistent;
• The information collected and used is limited, to the extent practicable, to
non-sensitive information ; and
• Information collected and used is destroyed as soon as possible or
effectively de-identified

JurisdictionJurisdiction
Canadian businesses, to the extent they
process and use data about individuals in the
European Union, through websites that offer
goods and services to European viewers or
use cookies to monitor European viewer
behaviour, will need to comply with the more
stringent directive.

COOKIES
EU & UK LAW PERSPECTIVE
Daniel PREISKEL
Preiskel & Co LLP
5 Fleet Place London EC4 7RD
United Kingdom
dpreiskel@preiskel.com
BARCELONA, 28 SEPTEMBER 2012

COOKIES - EU & UK LAW
PERSPECTIVE
| United Kingdom| Daniel PREISKEL| dpreiskel@preiskel.com
Page 107
• Essentials of Cookies
• Definition
• EU & UK Legal Framework
• EU & UK Independent Authorities
• Key Issues
• Enforcement & Penalties
• Compliance
Table of Contents

PERSPECTIVE
Page 108
What is a cookie?
• According to the Information Commissioner’s Office (ICO) - that is
the independent authority in UK dealing with privacy and data
protection - a cookie is “a small file, typically of letters and numbers,
downloaded on to a device when the user accesses certain websites.
Cookies are then sent back to originating website on each
subsequent visit. Cookies are useful because they allow a website to
recognise a user’s device”
• There are several type of cookies depending on their specific
features, for instance there are session cookies and persistent
cookies
Essentials of Cookies

PERSPECTIVE
Page 109
Legal Framework
• EU Directives: European Directive - 2002/58/EC - which is concerned
with the protection of privacy in the electronic communications
sector, which has been amended by Directive 2009/136/EC
• UK Regulations: the Privacy and Electronic Communications (EC
Directive) Regulations 2003 (SI 2003/2426) as amended by the
Privacy and Electronic Communications (EC Directive) (Amendment)
Regulations 2011 (SI 2011/1208)

PERSPECTIVE
Page 110
Legal Framework
• Both the Directives and Regulations apply to cookies and similar
technologies for storing information
• The legal framework states that the use of cookies is only allowed if
an end user has been provided with clear and comprehensive
information about the purposes for which each cookie is stored and
accessed on to his/her computer or mobile device and the user has
given his or her informed consent

PERSPECTIVE
Page 111
Legal Framework
• There is an exception to the requirement to provide information
about cookies and obtain consent where the use of the cookie is:
• for the sole purpose of carrying out the transmission of a
communication over an electronic communications network; or
• where such storage or access is strictly necessary (i.e. essential) for
the provision of an information society service requested by the
subscriber or user. For instance it is likely to fall within the exception
a cookie used to remember the goods a user wishes to buy when
they proceed to the checkout or add goods to their shopping basket

PERSPECTIVE
Page 112
EU & UK Independent Authorities
• European Data Privacy Supervisor is an independent supervisory
authority devoted to protecting personal data and privacy and
promoting good practice in the EU institutions and bodies
• Article 29 Working Party on the Protection of Individuals, that is an
independent European advisory body on data protection and privacy
set up under Article 29 of Directive 95/46/EC
• The Information Commissioner’s Office is the UK’s independent
authority set up to uphold information rights in the public interest,
promoting openness by public bodies and data privacy for
individuals

PERSPECTIVE
Page 113
Key issues
• Cookie audit:
• Identify which type of cookies are used
• Confirm the type of cookies and how intrusive they are
• Confirm the purpose(s) of each cookie and whether each cookie would be
necessary to perform the services requested
• Identify what data each cookie holds, and confirm whether the cookie is linked
to other data that the cookie owner holds about a user
• Confirm the lifespan of each persistent cookie
• Confirm whether the cookie is a first-party or third-party cookie
• Double check that the company has an adequate privacy policy posted on its
website with accurate and clear information about each type of cookie used
by the company

PERSPECTIVE
Page 114
Key issues
• Ensure information about cookies and mechanisms for making
choices, are as easily accessible as possible for users of devices in
which cookies are stored, so as to obtain valid and well informed
consent by using:
• Prominent links
• Legal foot notes and privacy policy
• News items and blog posts
• A clickable image or icon

PERSPECTIVE
Page 115
Key issues
• Cookies as “equipment” and applicable law
• Use of technologies “similar” to cookies, for instance the apps to
access the user’s location and/or personal information
• Multi-jurisdictional issues in the interpretation, application and
enforcement of the law
• Continuing dialogue with authorities

PERSPECTIVE
Page 116
Enforcement & Penalties
• In cases where organisations refuse or fail to comply voluntarily with
the Regulations the ICO and the Courts have a range of options to
available to them to take formal action where this is necessary
• For instance the ICO may request:
• Information Notice
• Undertaking
• Enforcement Notice
• Monetary Penalty Notice

PERSPECTIVE
Page 117
Compliance
• The person setting the cookie is primarily responsible for compliance
with the requirements of the law
• Where third party cookies are set through a website, both parties
(the website owner and the person setting the cookie) will have the
responsibility for ensuring users are clearly informed about cookies
and for obtaining consent

PERSPECTIVE
Page 118
Compliance
• Providers must obtain users' consent:
• Before the cookie is set
• Through an affirmative step
• For instance, providers may use pop-Up windows, message bars,
header bars or splash pages, browser settings, terms and conditions,
setting-led consent and/or feature-led consent just to name a few

PERSPECTIVE
Page 119
Conclusion
• Data protection is a complex area
• Penalties & Reputational damage
• Compliance is key

PERSPECTIVE
Page 120
Daniel PREISKEL

New GTLD´s
- .love
- .app
- .microsoft
- .barcelona
- .nyc
- .lawyer

- Legal Rights Objections (LRO).

WIPO Arbitration and
Mediation Center has been
appointed by ICANN as the
exclusive provider of dispute
resolution services for
trademark based “pre-
delegation” Legal Rights
Objections
under ICANN’s New gTLD
Program.

ICANN offers three other types of pre-delegation objection-based
dispute resolution procedures which are not administered by
WIPO:
- “String Confusion Objection,”
- “Limited Public Interest Objection,” and
- “Community Objection.”
ICANN has furthermore established a process for the ICANN
Governmental Advisory Committee (GAC) to provide “GAC Advice
on New gTLDs” concerning applications identified by governments
as problematic.

Trademark protection mechanisms available after new gTLDs are
approved. “Rights Protection Mechanisms” (RPMs).
- Trademark Clearinghouse (for use in connection with Sunrise
periods and Trademark Claims services)
- Uniform Rapid Suspension system (URS), and
- Post-Delegation Dispute Resolution Procedure (PDDRP).
In addition, the existing Uniform Domain Name Dispute
Resolution Policy (UDRP) will be applicable to all new gTLDs.

Enrique Ochoa
eochoa@lclaw.com.mx

| Global network of attorneys specialized in emerging technology law
Germany
Buse Heberer Fromm Rechtsanwälte
Bernd Reinmüller, Tim Caesar & Stephan
Menzemer
Neue Mainzer Strasse 28
60311 Frankfurt Am Main
T. 0049 699 71 09 71 00
F. 0049 699 71 09 72 00
reinmueller@buse.de
www.buse.de
Belgium
Philippe & Partners
Jean-François Henrotte & Alexandre
Cruquenaire
jfhenrotte@philippelaw.eu
http://lexing.philippelaw.eu
Liège
Boulevard d’Avroy, 280
4020 Liège
T. 0032 4 229 20 10
F. 0032 78 15 56 56
Brussels
Avenue Louise, 240
1050 Bruxelles
T. 0032 2 250 39 80
F. 0032 78 15 56 56
Canada
Langlois, Kronström, Desjardins
Richard Ramsay & Jean-François De Rico
jean-francois.derico@lkd.ca
www.langloiskronstromdesjardins.com
Montreal
1002, rue Sherbrooke Ouest, 28e étage
H3A3L6 Montréal
T. 0015 148 42 95 12
F. 0015 148 45 65 73
Quebec
801, Grande Allée Ouest, Bureau 300
G1S1C1 Québec
T. 0014 186 50 70 00
F. 0014 186 50 70 75
Spain
Alliant Abogados Asociados SLP
Marc Gallardo
Gran Via Corts Catalanes 702
08010 Barcelone
T. 0034 93 265 58 42
F. 0034 93 265 52 90
marc.gallardo@alliantabogados.com
www.alliantabogados.com
USA
IT Law Group
Françoise Gilbert
555 Bryant Street #603
Palo Alto, CA 94301
T. 0016 508 04 12 35
F. 0016 507 35 18 01
fgilbert@itlawgroup.com
www.itlawgroup.com
France
Alain Bensoussan, Isabelle Tellier
& Frédéric Forster
www.alain-bensoussan.com
Paris
29, rue du Colonel Pierre Avia
F75508 Paris cedex 15
T. 0033 141 33 35 35
F. 0033 141 33 35 36
paris@alain-bensoussan.com
Grenoble
7, place Firmin Gautier
F38000 Grenoble
T. 0033 476 70 09 95
F. 0033 476 70 09 96
grenoble@alain-bensoussan.com
Israel
Livnat, Mayer & Co
Russell D. Mayer
Jérusalem Technology Park,
Building 9, 4th Floor
P.O. Box 48193 Malcha
91481 Jérusalem
T. 0097 226 79 95 33
F. 0097 226 79 95 22
mayer@lmf.co.il
www.livmaylaw.co.il
Italiy
Studio Legale Zallone
Raffaele Zallone
31 Via Dell’Annunciata
20121 Milano
T. 0039 229 01 35 83
F. 0039 229 01 03 04
r.zallone@studiozallone.it
www.studiovallone.it
Luxembourg
Philippe & Partners
Marc Gouden & Jean-François
Henrotte
41 avenue de la Liberté
1931 Luxembourg
T. 00352 266 886
F. 00352 266 887 00
luxembourg@philippelaw.eu
http://lexing.philippelaw.eu
Morocco
Bassamat & Associée
Fassi-Fihri Bassamat
30 rue Mohamed Ben Brahim Al Mourrakouchi
20000 Casablanca
T. 00212 522 26 68 03
F. 00212 522 26 68 07
contact@cabinetbassamat.com
www.cabinetbassamat.com
Mexico
Langlet, Carpio y Asociados
Enrique Ochoa
Torre Axis Santa Fe
Prolongación Paseo de la
Reforma # 61, PB-B1
Col. Paseo de las Lomas
01330 Mxico, D.F.
T. 0052 55 25 91 10 70
F. 0052 55 25 91 10 40
eochoa@lclaw.com.mx
www.lclaw.com.mx
Norway
Føyen Advøkatfirma DA
Arve Føyen
Postboks 7086 St. Olavs pl.
0130 Oslo
T. 0047 21 93 10 00
F. 0047 21 93 10 01
arve.foyen@foyen.no
www.foyen.no
United Kingdom
Preiskel & Co LLP
Danny Preiskel
5 Fleet Place
London EC4M 7RD
T. 0044 20 7332 5640
F. 0044 20 7332 5641
www.preiskel.com
Switzerland
Sébastien Fanti Avocat & Notaire
8B rue de Pré-Fleuri, CP 497
1951 Sion
T. 0041 27 322 15 15
F. 0041 27 322 15 70
sebastien.fanti@sebastienfanti.ch
www.sebastienfanti.ch
South Africa
Michalsons
Lance Michalson and John Giles
lance@michalsons.co.za
www.michalsons.co.za
Johannesburg
Ground Floor
Twickenham Building
The Campus, 57 Sloane & Cnr Main Road
2021 Bryanston
T. 0027 11 568 0331
F. 0027 86 529 4276
Cape Town
Boyes Drive
St James
7945 Cape Tow
T. 0027 21 300 1070
F. 0027 86 529 4276
Tunisie
Cabinet Younsi & Younsi
Yassine Younsi
4, Rue Petite Malte
1001 Tunis
T. 00 216 71 346 564
cabinetyounsi_younsi@yahoo.fr
http://younsiandyounsilawfirm.e-
monsite.com
Argentina
Estudio Millé
Antonio & Rosario Millé
Suipacha 1111 - piso 11
C1008AAW Buenos Aires
T. 0054 11 5297 7000
F. 0054 11 5297-7009
estudio@mille.com.ar
www.mille.com.ar

Lexing Barcelona Conference

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Lexing Barcelona Conference

Similar a Lexing Barcelona Conference (20)

Más de Marc Gallardo

Más de Marc Gallardo (8)

Último

Último (20)

Lexing Barcelona Conference

Notas del editor