Some IT law issues in Spain
1. #lexingbcn
Barcelona Conference, September 28, 2012 | Global network of attorneys specialized in emerging technology law
2.
3. First international network of lawyers focused on information technology law
• International: 17 members (worldwide)
• Same and unique methodology & integrated procedures (cross-border projects)
• Specialized: Law & Technologies (IT Law)
4.
General Presentation … 20’
Data Protection 30’
Cloud Computing 30’
Social Media 30’
Cookies 30’
New Domain Names 15’
Q & A
5. BARCELONA, FRIDAY, SEPTEMBER 28, 2012
Privacy, Cloud, Social Media & Cookies: Overview of Spanish Law
Marc GALLARDO
marc.gallardo@alliantabogados.com
| Argentina | Belgium | Canada | France | Germany | Israel | Italy | Luxembourg | Mexico | Morocco | Norway | South Africa | Spain | Switzerland | Tunisia | United Kingdom | USA
6.
# Data Protection
SDPA (‘99 & ’07 & ‘10) / AEPD
High and stringent enforcement! € 20.000.000 / 4000 proceedings
Draft EU Regulation (January 2012)
# Cloud Computing
SDPA applies / AEPD – No specific regulations
AEPD Guidelines (June 2012) / EU Guidelines (July 2012)
# Social Media
SDPA applies / AEPD – No specific regulations
No general Guidelines / EU Guidelines
# Cookies
ePrivacy Rule in LSSI / AEPD
No general Guidelines / EU Guidelines (June 2012)
7.
[Diagram: Data Controller, Data subject, Data Processor; contract; rights; obligations]
Spanish Data Protection Law (SDPL): Organic Law 1999, Regulation 2007
• Notification requirements
• Information provision obligations
• Legal basis for processing data
• Confidentiality & Security
• Data Protection Principles
8.
Self-employed acting as traders
• Professionals & individual traders
Data relating to contact persons
• Secondary purpose for processing (B2B)
• Name, surname, job, address, tel. & fax number
Proper anonymization
9.
10. Legitimate interest
Key obligation: process personal data lawfully
✓ Consent
✓ Contractual relations
✓ Requirements of the law
✓ Emergencies
✓ Public Interest
✓ Legitimate interest!
Consent: not always available or reliable criteria
Legitimate interest criterion not properly incorporated
The data should appear in public sources! Now void -> Ruling Feb. 2012!
[Diagram: data subject rights; legitimate interest DC; DP principles]
11. Cloud Computing
Oracle, IBM, Dropbox, Amazon AWS, Apple, Google, Microsoft, Arsys, Salesforce
12. Cloud definition
13. Main risks
LACK OF INFORMATION
LACK OF CONTROL
14. Guidelines
No specific law regulating cloud computing but … data protection law is applicable
June 2012 (www.agpd.es) / July 2012
15. Guidelines
# User is the Data Controller
[contract]
# CC Provider is the Data Processor
16.
17. General View
Tools & Services that facilitate conversation
Internal: SM used within a company
Hosted: Public SM controlled by a company
Public: Public SM outside the control of a company
SNS impact on all branches of law
• Privacy
• Employment
• Intellectual Property
• Free speech
• Marketing and Consumer Protection
• Children protection
• Contests and Promotions
• E-reputation
18. SNS Providers
SNS: Information Society Service
• e-Commerce Liability Exemption
• No obligation to monitor infringements
SNS Provider is a data controller
• All obligations relating to privacy protections
• Children verification age procedures (under 14)
= Authors of Apps + Advertisers [SNS & Mobile]
19. Company as a User
In some circumstances, also Data Controllers
• No household exemption
Soft Law to resolve certain disputes
• Intellectual Property Rights, Privacy, Identity theft, Defamation & others
Electronic Commercial Communications
• Opt-in rule (B2B + B2C) & soft opt-in (if client)
• Transparency (id. sender)
• Right to object (valid electronic address)
20. Situation > 1st April
A ‘cookie’ is a small text file delivered by a website server onto the computer of a visitor
Multiple functions but typically used to tailor website offerings and facilitate targeted ads
Rule: Information + Consent before storing or gaining access to any cookie (not exempted)
21. Problems
Information? Consent? Browser / opt-out / opt-in
Guidelines on Exempted Cookies
a. Technical cookies &
b. Strictly necessary cookies
No enforcement over e-privacy consent rule (LSSI)!
Enforcement possible if PD is collected (SDPA).
22. Bottom line is …
#1 Audit
✓ Conduct a comprehensive and thorough risk assessment
✓ Identify risks
#2 Put in Place Policies & Programs
✓ Evaluate the risks
✓ Address the risks
#3 Implement and review
✓ Implement + Review on a regular basis
✓ Train employees and monitor compliance
✓ Demonstrate it: a policy must be reflected in concrete practices!
23. GENERAL PRESENTATION
#END
THANK YOU
Page 23 | Spain | Marc Gallardo | marc.gallardo@alliantabogados.com
24. BARCELONA, FRIDAY, SEPTEMBER 28, 2012
Proposed EU General Data Protection Regulation of January 25, 2012: State of Play
ALAIN BENSOUSSAN
alain-bensoussan@lexing.eu
25. EU GENERAL DATA PROTECTION REGULATION - FRANCE
Introduction
What are the stakes?
– harmonize the protection of personal data in the EU
– ensure the effectiveness of such protection
Issue
– a stronger and more coherent data protection framework in the EU
Situation
– uncertain
News
– International mobilization and debate on personal data protection
Page 25 | France | Me Alain BENSOUSSAN | alain-bensoussan@lexing.eu
26. EU GENERAL DATA PROTECTION REGULATION - FRANCE
Agenda
1. Strengthen the rights of individuals
2. Simplify processes for businesses
3. Extend liability
4. Impose stiffer sanctions
27. EU GENERAL DATA PROTECTION REGULATION - FRANCE
1. Strengthen the rights of individuals
• Right to be forgotten
• Right to data portability
• Clarification about consent
• Clarification about the exercise of data subject rights
28. EU GENERAL DATA PROTECTION REGULATION - FRANCE
2. Simplify processes for businesses
Cutting red tape
• Abolish the general obligation to notify processing
• Exception: data transfers outside the EU to a country without adequate level of protection
• Exception: sensitive processing
One-stop shop
• Multinationals: main establishment of the processor (i.e. place of its central administration in the EU)
• Approval of BCR by one supervisory authority
Joint controllers
• Joint definition of: purposes; conditions; means of processing
29. EU GENERAL DATA PROTECTION REGULATION - FRANCE
3. Extend liability (1)
Documentation (art. 28)
• Maintain documentation of all processing operations
• Obligation for each controller, processor and, if any, the controller's representative.
• Content
Data protection officer (art. 35)
• Processing carried out by a public authority or body
• Processing carried out by an enterprise employing 250 persons or more
• Processing operations which, by virtue of their nature, their scope and/or their purposes require regular and systematic monitoring of data subjects
• Designated for a period of at least 2 years
Notification of personal data breach (art. 31)
• No later than 24 hours after having become aware of it
• Otherwise, reasoned justification should be given
30. EU GENERAL DATA PROTECTION REGULATION - FRANCE
3. Extend liability (2)
Accountability (art. 22)
• Designation of a data protection officer with variety of rules to ensure his independence
• Demonstrate by documentation compliance with rules on security, processing operations and impact assessment
• Implement mechanisms to ensure the effectiveness of measures
Privacy by Design (art. 23)
• Deployed and implemented by default at the time of the determination of the means for processing and at the time of processing
• Ensure the implementation of data minimization principle
Impact assessments (art. 33)
• Specific risks presented by processing operations to the rights and freedoms of data subjects
• This includes: information on sex life, health, video surveillance, genetic data, biometric data …
• Content: a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, safeguards, security measures, mechanisms to demonstrate compliance with the Regulation
31. EU GENERAL DATA PROTECTION REGULATION - FRANCE
4. Impose stiffer sanctions (1)
Violations
€250,000 or 0,5% of annual worldwide turnover:
- No mechanisms for requests by data subjects
- No prompt response to requests by data subjects
- Charging a fee for the information or for responses to the requests of data subjects
€500,000 or 1% of annual worldwide turnover:
- Not providing information, or providing incomplete information, or not providing information in a sufficiently transparent manner
- Not providing access for the data subject, not rectifying personal data, not communicating relevant information to a recipient
- Not complying with the right to be forgotten or to erasure
- Not providing a copy of the personal data in electronic format
- Not or not sufficiently maintaining documentation
- Not or not sufficiently determining the respective responsibilities with co-controllers
32. EU GENERAL DATA PROTECTION REGULATION - FRANCE
4. Impose stiffer sanctions (2)
€1,000,000 or 2% of annual worldwide turnover:
- Processing personal data without any or sufficient legal basis
- Processing special categories of data in violation of the Regulation
- Not complying with an objection
- Not complying with the conditions in relation to measures based on profiling
- Not implementing accountability (Privacy by Design, Privacy Impact Assessment)
- Not designating a representative
- Processing data in violation of the Regulation
- Not alerting on or notifying a personal data breach or not timely notifying the data breach
- Not carrying out a data protection impact assessment
- Not designating a Data Protection Officer
- Carrying out or instructing a data transfer to a third country without appropriate safeguards
- Not complying with an order by the supervisory authority
33. Contact
ALAIN BENSOUSSAN AVOCATS
29 rue du colonel Pierre Avia, Paris 15, FRANCE
Tel.: 33 1 41 33 35 35
Fax: 33 1 41 33 35 36
paris@alain-bensoussan.com
Alain Bensoussan
D.L: 33 1 41 33 35 09
Mob.: 33 6 19 13 44 46
ab@alain-bensoussan.com
34. BARCELONA, FRIDAY, SEPTEMBER 28, 2012
Data Protection in the United States: Recent Developments
Françoise GILBERT
Managing Director – IT Law Group
Silicon Valley, California
+1 650-804-1235
fgilbert@itlawgroup.com | www.globalprivacybook.com | francoisegilbert.com | @francoisegilbrt
35. Agenda
– Background
– Overview of US data protection laws
– Role of the US federal and state agencies
– Recent US Government initiatives
– Recent enforcement actions
– Hot issues
Page 35 | Belgium | Me Jean-François HENROTTE | jfhenrotte@philippelaw.eu
36. US Data Protection Laws
– No national data protection law; but dozens of Federal sectoral laws
  • 1890: “Right to Privacy” defines the concept
  • 1966: Freedom of Information Act (access to information held by government)
  • 1968: Wiretap Act (interception of aural communications and disclosure of these communications in court)
  • 1970: Fair Credit Reporting Act (credit reporting agency disclosure of credit reports)
  • 1974: Privacy Act (disclosure of government records)
  • 1974: Family Educational Rights and Privacy Act (disclosure of school records)
  • 1978: Right to Financial Privacy Act (banking and financial transactions)
  • 1978: Foreign Intelligence Surveillance Act (electronic surveillance; foreign intelligence)
  • 1986: Computer Fraud & Abuse Act (to reduce hacking, use of viruses)
  • 1986: Electronic Communication Privacy Act (stored or in transit information)
  • 1996: Health Insurance Portability and Accountability Act (health information)
  • 1998: Children Online Privacy Protection Act (children information)
  • 1999: Financial Services Modernization Act (GLBA) (financial information)
  • 2003: CAN SPAM Act (commercial messages)
– Hundreds of State sectoral laws (+ some states have constitutional rights)
  • Protect individuals residing in a specific state
  • Security breach disclosure laws
  • Security measure requirements
  • Protection of driver’s license information, medical records, etc.
37. Federal & State Agencies
– No “national data protection agency”
• Numerous federal agencies play role similar to that of the Data Protection Agencies in European Union
  – Federal Trade Commission
  – Department of Health & Human Services
  – Financial Services Agencies
  – Securities & Exchange Commission
• Numerous state agencies play similar role at the State Level
  – State Attorney General
  – Other State Agencies
– Substantial cooperation between State and Federal Agencies
38. Significant Penalties
– Significant penalties in case of violation
  • FCRA: up to $500,000 total penalty per violation
– Actual penalties
  • Google (breach of FTC consent decree) $22.5 million
  • ChoicePoint (breach of security) $15 million
  • Massachusetts General Hospital (HIPAA) $4.3 million
  • Sony $1 million (COPPA)
  • Xanga $1 million (COPPA)
  • CVS, Rite Aid pharmacies $1 million (HIPAA + lack of security)
  • Spokeo $800,000 (FCRA)
39. Federal Trade Commission
– Federal Trade Commission (FTC):
  • Top regulator in the US with respect to protection of personal information
  • Powers under FTC Act (§5), COPPA, FCRA, HIPAA
– Numerous actions against companies for:
  • Failure to comply with privacy promises
  • Failure to provide adequate security measures for personal information
  • Unclear and deceptive terms, which concealed important disclosure regarding unanticipated use of personal information
  • Failure to comply with requirements of Fair Credit Reporting Act
  • Failure to comply with COPPA requirements
41. Recent US Efforts on Privacy
– White House Consumer Bill of Rights (Feb. 2012)
  • Restates Fair Information Practice Principles
– Federal Trade Commission Report on Consumer Privacy (March 2012)
  • Privacy by Design, Privacy by Default, Online Behavioral Tracking and Advertising
– Federal Trade Commission Report on Children and Mobile Apps (February 2012)
  • Guidelines on mobile apps for children
– Federal Trade Commission Guidelines on Mobile Apps (August 2012)
  • General guidelines on the publication of mobile apps
– Participation in APEC Cross Border Privacy Rules System
42. Recent Enforcement Actions
– FTC v. Google (August 2012)
  • $22.5 million fine
  • Violation of pre-existing consent decree with FTC
  • FTC looked at promises made in Privacy Policy or about privacy measures, including in Google’s representations that it complied with the NAI Code of Conduct
– FTC v. Facebook (August 2012)
  • Violation of representations made in Privacy Policy
  • Including representation that FB followed the Safe Harbor Principles
  • 20-year supervision by Federal Trade Commission
43. Other Hot Issues
– Mobile
  • Mobile apps, mobile payments, mobile privacy
– BYOD
  • Bring your own device (to work)
– Social Media
  • Potential employer access to social media account
– Behavioral Marketing
  • Tracking devices, cookies, tags, zombie cookies
– Big Data
– Cloud Computing
  • Reform of Electronic Communications Privacy Act
44. Françoise Gilbert
IT Law Group
Palo Alto, California, USA
Email: fgilbert@itlawgroup.com
Phone: +1 650-804-1235
IT Law Group: itlawgroup.com
Blog: francoisegilbert.com
Book: globalprivacybook.com
Twitter: @francoisegilbrt
45. BARCELONA, FRIDAY, SEPTEMBER 28, 2012
CLOUD COMPUTING LEGAL ISSUES: UP IN THE AIR
Raffaele ZALLONE - Sébastien FANTI
r.zallone@studiozallone.it - sebastien.fanti@sebastienfanti.ch
46. CLOUD COMPUTING
WHAT IS CLOUD COMPUTING
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY: A MODEL FOR ENABLING CONVENIENT, ON-DEMAND NETWORK ACCESS TO SHARED POOL OF COMPUTING RESOURCE
THERE ARE 3 DIFFERENT SERVICE MODELS
• SOFTWARE AS A SERVICE: SAAS OFFERS ACCESS TO A SERVICE (E.G. MAIL, ACCOUNTING, SPREADSHEET)
• PLATFORM AS A SERVICE: PAAS OFFERS ACCESS TO DEVELOPMENT TOOLS
• INFRASTRUCTURE AS A SERVICE: IAAS OFFERS HW+SW ON DEMAND (MEMORY, PROGRAMS, ETC)
47. CLOUD COMPUTING
CLOUD COMPUTING
• PRIVATE CLOUDS: OFFERS SERVICES TO ONE CUSTOMER ONLY; MORE SIMILAR TO DATA CENTERS
• PUBLIC CLOUDS: AN INFRASTRUCTURE USED TO SERVE SEVERAL CUSTOMERS (E.G. GMAIL)
• HYBRID CLOUDS: SERVICE OFFERING WITH MIXTURE OF PRIVATE / PUBLIC
49. CLOUD COMPUTING
CONTRACTUAL ISSUES: MANY ARE THE SAME AS PER OUTSOURCING CONTRACT
• SERVICE LEVELS AND RELATED MEASUREMENTS, CONSEQUENCES: WHAT TO MEASURE AND HOW; PENALTIES
• PROTECTION OF DATA (AVAILABILITY, RELIABILITY): DATA MUST ALWAYS BE AVAILABLE; IS SUPPLIER RELIABLE?
• SUB CONTRACTING, WHO AND FOR WHAT: WIDE USE OF SUBCONTRACTING IS STD; NEED TO HAVE AGREEMENT ON HOW TO MANAGE PROCESS AND CONTROLS
• CONTINUITY OF SERVICE: BACK UPS? WARRANTIES?
• CHANGES OF PLATFORM / SW UPGRADES: NEED TO IMPLEMENT CHANGE MANAGEMENT CONTROLS
• DURATION OF CONTRACT: LONG TERM vs SHORT TERM, PRO’S AND CON’S
• TERMINATION OF CONTRACT AND TRANSITION TO NEW SUPPLIER: NEED TO IMPLEMENT APPROPRIATE MANAGEMENT AND PROCESSES
50. CLOUD COMPUTING
SPECIFIC CLOUD COMPUTING CONTRACTUAL ISSUES
• LICENSE vs SERVICE: IF THERE IS NO LICENSE, TERMINATION OR TRANSITION TO NEW SUPPLIER MAY BE A REAL PROBLEM
• AUDITABILITY - AVAILABILITY: MUST HAVE DATA ALWAYS AVAILABLE FOR AUDITS; MUST BE POSSIBLE TO AUDIT SUPPLIER ITSELF
• LOCATION OF DATA: PRIVACY AND LIABILITY ISSUE
• SUB CONTRACTORS: RIGHT TO APPROVE AND AUDIT
51. CLOUD COMPUTING
SPECIFIC CLOUD COMPUTING CONTRACTUAL ISSUES
• INTELLECTUAL PROPERTY: MAKE SURE CRITICAL I.P. IS PROTECTED
• OPEN vs PROPRIETARY: SWITCHING TO NEW SUPPLIER MAY BE A PROBLEM
• CHANGE MANAGEMENT: SUPPLIER MAY DECIDE TO CHANGE SW, PLATFORM, SUBCONTRACTORS? HOW AND WITH WHAT RIGHTS/NOTICE
• STANDARD CONTRACTUAL TERMS: NEED OF CONTROL / FLEXIBILITY / REGULATION OF SPECIFIC ISSUES
• DATA PRIVACY ISSUES: ATTITUDE OF SUPPLIERS
52. CLOUD COMPUTING
DATA PRIVACY ISSUES
• WHERE ARE THE DATA? KNOWING THE LOCATION OF DATA IS ESSENTIAL UNDER EU PRIVACY LAWS
• CAN SUPPLIER TRANSFER DATA? SAME AS ABOVE
• MANAGEMENT OF SUBCONTRACTORS: MUST BE APPOINTED AS DATA PROCESSORS AND MUST BE AUDITABLE, BY CUSTOMER, BY PRIVACY AUTHORITY OR OTHER BODIES
• SECURITY MEASURES: AUDITABILITY – LIABILITY
• ACCESS: DATA ARE PERSONAL DATA; WHERE ARE THEY, WHO CAN ACCESS THEM, HOW LONG ARE THEY STORED FOR
• OBLIGATION NOT TO USE DATA: SUPPLIER AND SUBCONTRACTOR
• RETURN OR DESTRUCTION OF DATA: SUPPLIER AND SUBCONTRACTORS
53. CLOUD COMPUTING
LEGAL ISSUES
• LIABILITY OF CLOUD PROVIDER FOR ILLEGAL CONTENT? NO LIABILITY IF THE PROVIDER HAS NO KNOWLEDGE OR AWARENESS OF ILLEGAL NATURE AND REMOVES OR BLOCKS ILLEGAL DATA WHEN IT DOES GAIN KNOWLEDGE OR BECOME AWARE OF ILLEGAL NATURE (NOTICE AND TAKEDOWN)
• JURISDICTIONAL ISSUES AND APPLICABLE LAW: THE CHOICE OF THE COMPETENT COURT AND OF THE APPLICABLE LAW ARE FUNDAMENTAL; IF OUTSIDE OWN COUNTRY, ANY LITIGATION CAN BECOME PROHIBITIVELY EXPENSIVE
• DISPUTE RESOLUTION: ARBITRATION MUST BE CONSIDERED AS ONE INTERESTING OPTION, KEEPING CONFIDENTIALITY AND AVOIDING PROBLEMS LIKE CHOICE OF ANOTHER APPLICABLE LAW BY COURT
54. CLOUD COMPUTING
LEGAL ISSUES
• INTRODUCTION OF HARMFUL CODE (VIRUSES AND OTHER MALICIOUS CODE): NEED TO RELY ON THE PROVIDER APPLYING SUFFICIENT PROTECTION AGAINST THESE DANGERS; NECESSITY OF IMPOSING OBLIGATIONS TO THE PROVIDER
• US PATRIOT ACT: In certain circumstances, the US PATRIOT Act allows the US government to obtain data held anywhere in the world by US companies or companies with sufficient connections to the US. This would extend to data centres based in the EU that are operated by US companies and data centres based in the US operated by non-US companies.
• IT PROPERTY OWNERSHIP: NECESSARY TO ENSURE THAT THE AGREEMENT DOES NOT TRANSFER IP OWNERSHIP
55. CLOUD COMPUTING
LEGAL ISSUES
• ISSUES PARTICULAR TO REGULATED INDUSTRIES: RULES THAT LIMIT THEIR ABILITY TO OFFSHORE THEIR OPERATIONS; EX: BANKING OR INSURANCE COMPANIES; TEST THE WATERS WITH THEIR REGULATOR BEFORE PROCEEDING WITH CLOUD COMPUTING SERVICE SOLUTIONS
• SUBCONTRACTORS: ALL THE RELEVANT OBLIGATIONS MUST THEREFORE APPLY ALSO TO THE SUB-PROCESSORS THROUGH CONTRACTS BETWEEN THE CLOUD PROVIDER AND SUBCONTRACTOR REFLECTING THE STIPULATIONS OF THE CONTRACT BETWEEN CLOUD CLIENT AND CLOUD PROVIDER
• SPECIAL PRECAUTIONS BY THE PUBLIC SECTOR: EUROPEAN GOVERNMENTAL CLOUD AS A SUPRA NATIONAL VIRTUAL SPACE WHERE A CONSISTENT AND HARMONIZED SET OF RULES COULD BE APPLIED?
56. CLOUD COMPUTING
CONCLUSIONS AND RECOMMENDATIONS
• CLEARLY IDENTIFY THE DATA AND THE PROCESSING THAT WILL BE ENTRUSTED TO THE CLOUD PROVIDER. EX: HEALTH DATA, WHICH CAN ONLY BE STORED BY A CLOUD PROVIDER LICENSED BY THE FRENCH MINISTRY OF HEALTH
• UNDERTAKE A RISK ANALYSIS TO ENSURE THAT THE CUSTOMER IS GETTING THE RIGHT LEVEL OF SECURITY. REFER TO THE GUIDELINES OF ENISA (EUROPEAN NETWORK AND INFORMATION SECURITY AGENCY) WHEN CONDUCTING THE RISK. UPDATE THE RISK ANALYSIS REGULARLY
• BE SURE TO IDENTIFY THE RIGHT KIND OF OFFER THAT IS APPROPRIATE FOR A CLOUD CUSTOMER'S BUSINESS: SAAS, PAAS, OR IAAS, PUBLIC, PRIVATE OR HYBRID CLOUD SOLUTIONS
57. CLOUD COMPUTING
CONCLUSIONS AND RECOMMENDATIONS
• Choose a cloud provider with sufficient service and privacy level guarantees: essential elements that should appear in the cloud contracts
• Rethink YOUR own IT security policy: such as rules on authentication of users, and employees' use of mobile devices to access the employer's network…
• Ensure that the customer defines its own requirements on the technical and legal security aspects of the processing: localization of the data, reversibility and data portability
58.
Social Media 30’
Cookies 30’
New Domain Names 15’
Q & A
59. BARCELONA, SEPTEMBER 28, 2012
Some issues on Social Networks
Jean-François HENROTTE
jfhenrotte@philippelaw.eu
60. Some issues on Social Networks
1. How to manage issues on Social Networks
  A. First, the easy way
  B. Then the hard way
2. How to react if your content is removed
3. Community management, a new business
61. Some issues on Social Networks
• Social networks are not a world apart.
• Almost all the annoyances of society can be found there, but some more often:
  • Defamation
  • Harassment
  • Copyright infringement
  • Privacy breach
  • …
62. 1. How to manage issue on Social Networks
How to react?
A. Soft Law: use the tools provided by social networks themselves
B. Hard Law: use letter of formal notice, cease-and-desist order, lawsuit,…
63. 1.A How to manage issue on Social Networks
Old fashioned legal tools are good, but…
Internet is a particular area where:
• There is always someone on the lookout
• Nothing is forgotten
• Everything can be reproduced indefinitely from a single copy
64. 1.A How to manage issue on Social Networks
Beware of the Barbara Streisand’s effect
65. 1.A How to manage issue on Social Networks
Lawyers need to be careful when using letters of formal notice or lawsuits
• There is a significant risk of bad publicity
• There is a significant risk to attract much more attention due to an inadequate or bad reaction than to the first event in itself
66. 1.A How to manage issue on Social Networks
Some guidelines
• Be quick but do not rush
• Be ready to communicate if things go wrong
• Use the reporting tools implemented by social networks
  • It is fast
  • It tackles the problem at the roots
  • It prevents (partly) the spread of the problem
  • Main issue → Completely arbitrary
67. 1.A How to manage issue on Social Networks
Tools to report abuse
• First, the abuse must be defined
  • Break of terms and policies
  • Copyright (or other IP right) infringement
  • Defamation
  • Privacy matter
  • Harassment
  • …
• Then, follow the adequate procedure
68. 1.A How to manage issue on Social Networks
• Linkedin: http://www.linkedin.com/static?key=copyright_policy&trk=hb_h_copy
• Facebook: http://en-gb.facebook.com/help/?page=178608028874393&ref=hcnav
• FlickR: http://www.flickr.com/abuse/
69. 1.A How to manage issue on Social Networks
• Google +: http://support.google.com/plus/bin/answer.py?hl=en&answer=1253377
• YouTube: http://www.youtube.com/t/copyright_notice?gl=BE
• Google.com: https://www.google.com/webmasters/tools/removals?pli=1
70. 1.B How to manage issue on Social Networks
When the easy way is not enough
If:
• Social network does not comply with your request, or not fast enough
• You feel you need a stronger action
→ Unholster the usual lawyers
71. 1.B How to manage issue on Social Networks
First issue: identify the perpetrator
• Easy if his real name is disclosed
• May be really hard if he uses a nickname
• In Belgium, it is almost impossible
  ∟ Due to recent case law, only the criminal judge has the power to compel providers to disclose the identity of a user (>< Spain)
  ∟ But, in Belgium, criminal justice is totally overtaken and doesn’t really care about or is not really efficient to handle these cases
72. 1.B How to manage issue on Social Networks
The perpetrator is known
And is in a place where you can reach him…
→ Then you can sue him using:
  ∟ Criminal law if defamation or harassment (Art. 443 and following of B. Criminal Code)
  ∟ Copyright law
  ∟ Civil law (Art. 1382 – 1383 of B. Civil Code)
  ∟ Commercial law
73. A word about Criminal Law
Often, the first idea when faced with a problem (such as defamation) on a social network is to use Criminal Law
But (in Belgium at least):
• You are not in control
• Criminal procedure can be really slow
• It may paralyse civil procedure
74. 1.B How to manage issue on Social Networks
The perpetrator is unknown
Or you can’t reach him
→ Lodge a Criminal complaint against X
→ At the same time, act against the provider (social network company in this case) but:
  ∟ they may benefit from the exemption from liability
  ∟ they can oppose the argument of freedom of speech
  ∟ they can claim that they did not commit any fault
75. 1.B How to manage issue on Social Networks
Exemption from civil liability
Introduced by Directive 2000/31/EC on electronic commerce
You have to prove that:
• they do not fit into the category of intermediary service providers (hoster in this case) as provided by the Directive
• they had previous knowledge of the illegality or had not responded adequately when they were made aware of this illegality
→ Injunctions are still possible
76. 1.B How to manage issue on Social Networks
Freedom of speech
This right is crucial to our societies, but not absolute
→ You have to prove that your case falls within one of this right's limitations
77. 1.B How to manage issue on Social Networks
The lack of fault
→ You need to prove that, once the provider has been made aware of the illegality, he commits a fault if he doesn’t react quickly to remove or to disable access to the information
78. 1.B How to manage issue on Social Networks
Intermediary conclusions
• It may be hard and expensive to achieve a result (suppression of the content, not even talking of compensatory damages) with the hard way
• Get yourself organised to control the places of discussion
• Use the soft way
79. 2. How to react if your content is removed
What if your content is removed
• Identify the pretext used to justify the removal
• Use the counter-notice pages and tools offered by social networks
• Act at the same time against the person who lodged the complaint (when his identity is known) and try to obtain from him that he withdraws his complaint
80. 3. Community management
Community Management
• A new profession related to the advent of social networks
• This business consists in managing and maintaining a community of “fans” of a brand, a company, a person,… on social networks
81. 3. Community management
Issues
• Little or no education to become a community manager
• Often a poor understanding of the risks from the executives
• Risks are even greater than with spokesman
  • Speed and spontaneity of responses
  • Rapid dissemination to the community and beyond
  • Fans can focus on personality of the Community manager rather than on the brand
82. 3. Community management
Issues
• In most cases, application of labor law (if the manager is an employee) or standard liability rules
• In Belgium, except for gross negligence, the employee will not be held responsible
• Particular attention should be paid to contract!
83. 3. Community management
Upon hiring, it must therefore be decided
• Who owns the contents produced by the Community Manager in case of break of contract?
• In Belgium, transfer of IP rights has to be formally provided in the contract (>< Spain)
• Who owns the community’s members that he has attracted in case of break of contract?
84. 3. Community management
Upon hiring, it must therefore be decided
• Who got the ownership and access codes to the account?
• When possible, it’s better that executive opens the account themselves and then gives (limited) admin rights to the community manager + Executive should keep moderating powers in case of emergency
• It should be a good idea to write down in the contract the unique ID of the account
85. Conclusions
Don’t Panic!
• Social networks are powerful tools for communication, advertising and marketing
• Social networks are now part of our everyday life and you should use them, with care, like every other tool
86. Conclusions
Join us on
87. Credits
• Picture of Barbara Streisand: By Allan warren (Own work) [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0) or GFDL (http://www.gnu.org/copyleft/fdl.html)], via Wikimedia Commons
88. BARCELONA, FRIDAY, SEPTEMBER 28, 2012
Regulating Cookies in Canada
Jean-François De Rico
Langlois Kronström Desjardins llp
89. [Word cloud: web beacons, zombie cookies, device data, supercookies, Online Behavioural Advertising, Cookies]
90. Cookies
• File created by browser and saved on a user’s computer by website
• The cookie uniquely identifies, or “records” user information/preference
91. Purposes
Measuring web site usage to
• Improve functionality of the site;
• Fraud prevention; and
• Online behavioral advertising;
92. Information collected
• IP address;
• pages visited;
• length of time spent on each page;
• advertisements viewed;
• articles read;
• purchases made;
• search terms;
• user preferences;
• operating system;
• geographical location.
94. Europe
Obligation to provide explanation of the type and function of cookies and obtain a user's explicit consent before installing a cookie
95. Canada
Based on relaxed “opt-out” framework.
Anti-spam law (CASL)
An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act (S.C. 2010, c. 23)
96. Anti-spam law (CASL)
Expressly allows cookies to be installed on a user's computer … provided the user's behaviour suggests he or she would consent to the installation… (?)