Some IT law issues in Spain

General Presentation by Marc Gallardo in Lexing Barcelona Conference


  1. #lexingbcn | Barcelona Conference | September 28, 2012 | Global network of attorneys specialized in emerging technology law
  2.
  3. First international network of lawyers focused on information technology law
     • International: 17 members (worldwide)
     • Integrated: same and unique methodology & procedures (cross-border projects)
     • Specialized: Law & Technologies (IT Law)
  4. Agenda: General Presentation … 20' | Data Protection 30' | Cloud Computing 30' | Social Media 30' | Cookies 30' | New Domain Names 15' | Q & A
  5. BARCELONA, FRIDAY, SEPTEMBER 28, 2012 | Privacy, Cloud, Social Media & Cookies: Overview of Spanish Law | Marc GALLARDO | marc.gallardo@alliantabogados.com | Argentina | Belgium | Canada | France | Germany | Israel | Italy | Luxembourg | Mexico | Morocco | Norway | South Africa | Spain | Switzerland | Tunisia | United Kingdom | USA
  6. Overview
     • # Data Protection: SDPA ('99 & '07 & '10) / AEPD. High and Stringent Enforcement! € 20.000.000 / 4000 proceedings. Draft EU Regulation (January 2012)
     • # Cloud Computing: SDPA applies / AEPD – No specific regulations. AEPD Guidelines (June 2012) / EU Guidelines (July 2012)
     • # Social Media: SDPA applies / AEPD – No specific regulations. No general Guidelines / EU Guidelines
     • # Cookies: ePrivacy Rule in LSSI / AEPD. No general Guidelines / EU Guidelines (June 2012)
  7. Diagram: Data Controller, Data subject, Data Processor (contract, rights, obligations). Spanish Data Protection Law (SDPL): Organic Law 1999, Regulation 2007
     • Notification requirements
     • Information provision obligations
     • Legal basis for processing data
     • Confidentiality & Security
     • Data Protection Principles
  8. Self-Employed acting as traders
     • Professionals & Individual traders
     Data relating to contact persons
     • Secondary purpose for processing (B2B)
     • Name, surname, job, address, tel. & fax number
     Proper anonymization
  9. Legitimate interest. Key Obligation: process personal data lawfully
     • ✓ Consent ✓ Emergencies ✓ Contractual relations ✓ Public Interest ✓ Requirements of the law ✓ Legitimate interest!
     • Consent: not always available or reliable criteria
     • Legitimate interest criterion not properly incorporated: the data should appear in public sources! Now void -> Ruling Feb. 2012!
     • [Diagram labels: data subject rights, legitimate interest, DC, DP principles]
  10. Cloud Computing: Oracle, IBM, Dropbox, Amazon AWS, Apple, Google, Microsoft, Arsys, Salesforce
  11. Cloud definition
  12. Main risks: LACK OF INFORMATION | LACK OF CONTROL
  13. Guidelines: No specific law regulating cloud computing but … data protection law is applicable. June 2012 | www.agpd.es | July 2012
  14. Guidelines
     • # User is the Data Controller
     • # CC Provider is the Data Processor
     • [Diagram labels: contract, contract]
  15. General View. Tools & Services that facilitate conversation
     • Internal: SM used within a company
     • Hosted: Public SM controlled by a company
     • Public: Public SM outside the control of a company
     SNS impact on all branches of law
     • Privacy
     • Employment
     • Intellectual Property
     • Free speech
     • Marketing and Consumer Protection
     • Children protection
     • Contests and Promotions
     • E-reputation
  16. SNS Providers
     SNS: Information Society Service
     • e-Commerce Liability Exemption
     • No obligation to monitor infringements
     SNS Provider is a data controller
     • All obligations relating to privacy protections
     • Children verification age procedures (under 14)
     = Authors of Apps + Advertisers [SNS & Mobile]
  17. Company as a User
     In some circumstances, also Data Controllers
     • No household exemption
     Soft Law to resolve certain disputes
     • Intellectual Property Rights, Privacy, Identity theft, Defamation & others
     Electronic Commercial Communications
     • Opt-in rule (B2B + B2C) & soft opt-in (if client)
     • Transparency (id. sender)
     • Right to object (valid electronic address)
  18. Situation > 1st April
     • A 'cookie' is a small text file delivered by a website server onto the computer of a visitor
     • Multiple functions but typically used to tailor website offerings and facilitate targeted ads
     • Rule: Information + Consent before storing or gaining access to any cookie (not exempted)
  19. Problems
     • Information? Consent? Browser / opt-out / opt-in
     • Guidelines on Exempted Cookies: a. Technical cookies & b. Strictly necessary cookies
     • No enforcement over e-privacy consent rule (LSSI)! Enforcement possible if PD is collected (SDPA).
  20. Bottom line is …
     #1 Audit
     • ✓ Conduct a comprehensive and thorough risk assessment
     • ✓ Identify risks
     #2 Put in Place Policies & Programs
     • ✓ Evaluate the risks
     • ✓ Address the risks
     #3 Implement and review
     • ✓ Implement + Review on a regular basis
     • ✓ Train employees and monitor compliance
     • ✓ Demonstrate it: a policy must be reflected in concrete practices!
  21. GENERAL PRESENTATION #END | THANK YOU | Page 23 | Spain | Marc Gallardo | marc.gallardo@alliantabogados.com
  22. BARCELONA, FRIDAY, SEPTEMBER 28, 2012 | Proposed EU General Data Protection Regulation of January 25, 2012: State of Play | ALAIN BENSOUSSAN | alain-bensoussan@lexing.eu
  23. EU GENERAL DATA PROTECTION REGULATION - FRANCE. Introduction
     • What are the stakes? – harmonize the protection of personal data in the EU – ensure the effectiveness of such protection
     • Issue – a stronger and more coherent data protection framework in the EU
     • Situation – uncertain
     • News – International mobilization and debate on personal data protection
     Page 25 | France | Me Alain BENSOUSSAN | alain-bensoussan@lexing.eu
  24. Agenda
     1. Strengthen the rights of individuals
     2. Simplify processes for businesses
     3. Extend liability
     4. Impose stiffer sanctions
  25. 1. Strengthen the rights of individuals
     • Right to be forgotten
     • Right to data portability
     • Clarification about consent
     • Clarification about the exercise of data subject rights
  26. 2. Simplify processes for businesses
     • Cutting red tape: Abolish the general obligation to notify processing. Exception: data transfers outside the EU to a country without adequate level of protection. Exception: sensitive processing
     • One-stop shop: Multinationals. Main establishment of the processor (i.e. place of its central administration in the EU). Approval of BCR by one supervisory authority
     • Joint controllers: Joint definition of: purposes; conditions; means of processing
  27. 3. Extend liability (1)
     Documentation (art. 28)
     • Maintain documentation of all processing operations
     • Obligation for each controller, processor and, if any, the controller's representative
     • Content
     Data protection officer (art. 35)
     • Processing carried out by a public authority or body
     • Processing carried out by an enterprise employing 250 persons or more
     • Processing operations which, by virtue of their nature, their scope and/or their purposes require regular and systematic monitoring of data subjects
     • Designated for a period of at least 2 years
     Notification of personal data breach (art. 31)
     • No later than 24 hours after having become aware of it
     • Otherwise, reasoned justification should be given
  28. 3. Extend liability (2)
     Accountability (art. 22)
     • Designation of a data protection officer with variety of rules to ensure his independence
     • Demonstrate by documentation compliance with rules on security, processing operations and impact assessment
     • Implement mechanisms to ensure the effectiveness of measures
     Privacy by Design (art. 23)
     • Deployed and implemented by default at the time of the determination of the means for processing and at the time of processing
     • Ensure the implementation of data minimization principle
     Impact assessments (art. 33)
     • Specific risks presented by processing operations to the rights and freedoms of data subjects
     • This includes: information on sex life, health, video surveillance, genetic data, biometric data …
     • Content: a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, safeguards, security measures, mechanisms to demonstrate compliance with the Regulation
  29. 4. Impose stiffer sanctions (1). Violations
     €250,000 or 0,5% of annual worldwide turnover
     • No mechanisms for requests by data subjects
     • No prompt response to requests by data subjects
     • Charging a fee for the information or for responses to the requests of data subjects
     €500,000 or 1% of annual worldwide turnover
     • Not providing information, or providing incomplete information, or not providing information in a sufficiently transparent manner
     • Not providing access for the data subject, not rectifying personal data, not communicating relevant information to a recipient
     • Not complying with the right to be forgotten or to erasure
     • Not providing a copy of the personal data in electronic format
     • Not or not sufficiently maintaining documentation
     • Not or not sufficiently determining the respective responsibilities with co-controllers
  30. 4. Impose stiffer sanctions (2)
     €1,000,000 or 2% of annual worldwide turnover
     • Processing personal data without any or sufficient legal basis
     • Processing special categories of data in violation of the Regulation
     • Not complying with an objection
     • Not complying with the conditions in relation to measures based on profiling
     • Not implementing accountability (Privacy by Design, Privacy Impact Assessment)
     • Not designating a representative
     • Processing data in violation of the Regulation
     • Not alerting on or notifying a personal data breach or not timely notifying the data breach
     • Not carrying out a data protection impact assessment
     • Not designating a Data Protection Officer
     • Carrying out or instructing a data transfer to a third country without appropriate safeguards
     • Not complying with an order by the supervisory authority
  31. Contact
     • ALAIN BENSOUSSAN AVOCATS | 29 rue du colonel Pierre Avia, Paris 15, FRANCE | Tel.: 33 1 41 33 35 35 | Fax: 33 1 41 33 35 36 | paris@alain-bensoussan.com
     • Alain Bensoussan | D.L: 33 1 41 33 35 09 | Mob.: 33 6 19 13 44 46 | ab@alain-bensoussan.com
  32. BARCELONA, FRIDAY, SEPTEMBER 28, 2012 | Data Protection in the United States: Recent Developments | Françoise GILBERT | Managing Director – IT Law Group | Silicon Valley, California | +1 650-804-1235 | fgilbert@itlawgroup.com | www.globalprivacybook.com | francoisegilbert.com | @francoisegilbrt
  33. Agenda
     – Background
     – Overview of US data protection laws
     – Role of the US federal and state agencies
     – Recent US Government initiatives
     – Recent enforcement actions
     – Hot issues
     Page 35 | Belgium | Me Jean-François HENROTTE | jfhenrotte@philippelaw.eu
  34. US Data Protection Laws
     – No national data protection law; but dozens of Federal sectoral laws
        • 1890: "Right to Privacy" defines the concept
        • 1966: Freedom of Information Act (access to information held by government)
        • 1968: Wiretap Act (interception of aural communications and disclosure of these communications in court)
        • 1970: Fair Credit Reporting Act (credit reporting agency disclosure of credit reports)
        • 1974: Privacy Act (disclosure of government records)
        • 1974: Family Educational Rights and Privacy Act (disclosure of school records)
        • 1978: Right to Financial Privacy Act (banking and financial transactions)
        • 1978: Foreign Intelligence Surveillance Act (electronic surveillance; foreign intelligence)
        • 1986: Computer Fraud & Abuse Act (to reduce hacking, use of viruses)
        • 1986: Electronic Communication Privacy Act (stored or in transit information)
        • 1996: Health Insurance Portability and Accountability Act (health information)
        • 1998: Children Online Privacy Protection Act (children information)
        • 1999: Financial Services Modernization Act (GLBA) (financial information)
        • 2003: CAN SPAM Act (commercial messages)
     – Hundreds of State sectoral laws (+ some states have constitutional rights)
        • Protect individuals residing in a specific state
        • Security breach disclosure laws
        • Security measure requirements
        • Protection of driver's license information, medical records, etc.
  35. Federal & State Agencies
     – No "national data protection agency"
        • Numerous federal agencies play a role similar to that of the Data Protection Agencies in the European Union: Federal Trade Commission; Department of Health & Human Services; Financial Services Agencies; Securities & Exchange Commission
        • Numerous state agencies play a similar role at the State level: State Attorney General; Other State Agencies
     – Substantial cooperation between State and Federal Agencies
  36. Significant Penalties
     – Significant penalties in case of violation
        • FCRA: up to $500,000 total penalty per violation
     – Actual penalties
        • Google (breach of FTC consent decree) $22.5 million
        • ChoicePoint (breach of security) $15 million
        • Massachusetts General Hospital (HIPAA) $4.3 million
        • Sony $1 million (COPPA)
        • Xanga $1 million (COPPA)
        • CVS, Rite Aid pharmacies $1 million (HIPAA + lack of security)
        • Spokeo $800,000 (FCRA)
  37. Federal Trade Commission
     – Federal Trade Commission (FTC):
        • Top regulator in the US with respect to protection of personal information
        • Powers under FTC Act (§5), COPPA, FCRA, HIPAA
     – Numerous actions against companies for:
        • Failure to comply with privacy promises
        • Failure to provide adequate security measures for personal information
        • Unclear and deceptive terms, which concealed important disclosure regarding unanticipated use of personal information
        • Failure to comply with requirements of Fair Credit Reporting Act
        • Failure to comply with COPPA requirements
  38. FTC Enforcement Actions
     – Google (Aug. 2012, Dec. 2011)
     – Spokeo (Jun. 2012)
     – MySpace (May 2012)
     – RockYou (Mar. 2012)
     – Facebook (Mar. 2011)
     – Playdom/Disney (May. 2011)
     – Twitter (Mar. 2011)
     – RiteAid Pharm (Nov. 2010)
     – Lifelock (Nov. 2010)
     – Sears (Sep. 2009)
     – Sony BMG Music (Dec. 2008; Jan 2011)
     – TJX (Aug. 2008)
     – Reed Elsevier (Aug. 2008)
     – ValueClick (Mar. 2008)
     – ChoicePoint (Jan. 2006)
     – BJ Wholesale (Sep. 2005)
     – Microsoft (Aug. 2002)
     – Geocities / Yahoo (1999)
  39. Recent US Efforts on Privacy
     – White House Consumer Bill of Rights (Feb. 2012)
        • Restates Fair Information Practice Principles
     – Federal Trade Commission Report on Consumer Privacy (March 2012)
        • Privacy by Design, Privacy by Default, Online Behavioral Tracking and Advertising
     – Federal Trade Commission Report on Children and Mobile Apps (February 2012)
        • Guidelines on mobile apps for children
     – Federal Trade Commission Guidelines on Mobile Apps (August 2012)
        • General guidelines on the publication of mobile apps
     – Participation in APEC Cross Border Privacy Rules System
  40. Recent Enforcement Actions
     – FTC v. Google (August 2012)
        • $22.5 million fine
        • Violation of pre-existing consent decree with FTC
        • FTC looked at promises made in Privacy Policy or about privacy measures, including in Google's representations that it complied with the NAI Code of Conduct
     – FTC v. Facebook (August 2012)
        • Violation of representations made in Privacy Policy
        • Including representation that FB followed the Safe Harbor Principles
        • 20-year supervision by Federal Trade Commission
  41. Other Hot Issues
     – Mobile
        • Mobile apps, mobile payments, mobile privacy
     – BYOD
        • Bring your own device (to work)
     – Social Media
        • Potential employer access to social media account
     – Behavioral Marketing
        • Tracking devices, cookies, tags, zombie cookies
     – Big Data
     – Cloud Computing
        • Reform of Electronic Communications Privacy Act
  42. Françoise Gilbert | IT Law Group | Palo Alto, California, USA | Email: fgilbert@itlawgroup.com | Phone: +1 650-804-1235 | IT Law Group: itlawgroup.com | Blog: francoisegilbert.com | Book: globalprivacybook.com | Twitter: @francoisegilbrt
  43. BARCELONA, FRIDAY, SEPTEMBER 28, 2012 | CLOUD COMPUTING: LEGAL ISSUES UP IN THE AIR | Raffaele ZALLONE - Sébastien FANTI | r.zallone@studiozallone.it - sebastien.fanti@sebastienfanti.ch
  44. CLOUD COMPUTING. WHAT IS CLOUD COMPUTING
     • NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY: A MODEL FOR ENABLING CONVENIENT, ON-DEMAND NETWORK ACCESS TO A SHARED POOL OF COMPUTING RESOURCES
     THERE ARE 3 DIFFERENT SERVICE MODELS
     • SOFTWARE AS A SERVICE – SAAS OFFERS ACCESS TO A SERVICE (E.G. MAIL, ACCOUNTING, SPREADSHEET)
     • PLATFORM AS A SERVICE – PAAS OFFERS ACCESS TO DEVELOPMENT TOOLS
     • INFRASTRUCTURE AS A SERVICE – IAAS OFFERS HW+SW ON DEMAND (MEMORY, PROGRAMS, ETC)
  45. CLOUD COMPUTING
     • PRIVATE CLOUDS – OFFERS SERVICES TO ONE CUSTOMER ONLY, MORE SIMILAR TO DATA CENTERS
     • PUBLIC CLOUDS – AN INFRASTRUCTURE USED TO SERVE SEVERAL CUSTOMERS (E.G. GMAIL)
     • HYBRID CLOUDS – SERVICE OFFERING WITH MIXTURE OF PRIVATE / PUBLIC
  46. CLOUD COMPUTING MAIN ISSUES: SECURITY | CONTRACTUAL ISSUES | PRIVACY ISSUES
  47. CONTRACTUAL ISSUES: MANY ARE THE SAME AS PER OUTSOURCING CONTRACT
     • SERVICE LEVELS AND RELATED MEASUREMENTS – WHAT TO MEASURE AND HOW, CONSEQUENCES
     • PENALTIES
     • PROTECTION OF DATA (AVAILABILITY, RELIABILITY) – DATA MUST ALWAYS BE AVAILABLE, IS SUPPLIER RELIABLE?
     • SUB CONTRACTING: WHO AND FOR WHAT – WIDE USE OF SUBCONTRACTING IS STD, NEED TO HAVE AGREEMENT ON HOW TO MANAGE PROCESS AND CONTROLS
     • CONTINUITY OF SERVICE – BACK UPS? WARRANTIES?
     • CHANGES OF PLATFORM / SW UPGRADES – NEED TO IMPLEMENT CHANGE MANAGEMENT CONTROLS
     • DURATION OF CONTRACT – LONG TERM vs SHORT TERM: PROS AND CONS
     • TERMINATION OF CONTRACT AND TRANSITION TO NEW SUPPLIER – NEED TO IMPLEMENT APPROPRIATE MANAGEMENT AND PROCESSES
  48. SPECIFIC CLOUD COMPUTING CONTRACTUAL ISSUES
     • LICENSE vs SERVICE – IF THERE IS NO LICENSE, TERMINATION OR TRANSITION TO NEW SUPPLIER MAY BE A REAL PROBLEM
     • AUDITABILITY - AVAILABILITY – MUST HAVE DATA ALWAYS AVAILABLE FOR AUDITS; MUST BE POSSIBLE TO AUDIT SUPPLIER ITSELF
     • LOCATION OF DATA – PRIVACY AND LIABILITY ISSUE
     • SUB CONTRACTORS – RIGHT TO APPROVE AND AUDIT
  49. SPECIFIC CLOUD COMPUTING CONTRACTUAL ISSUES
     • INTELLECTUAL PROPERTY – MAKE SURE CRITICAL I.P. IS PROTECTED
     • OPEN vs PROPRIETARY – SWITCHING TO NEW SUPPLIER MAY BE A PROBLEM
     • CHANGE MANAGEMENT – SUPPLIER MAY DECIDE TO CHANGE SW, PLATFORM, SUBCONTRACTORS? HOW AND WITH WHAT RIGHTS/NOTICE
     • STANDARD CONTRACTUAL TERMS – NEED OF CONTROL / FLEXIBILITY / REGULATION OF SPECIFIC ISSUES
     • DATA PRIVACY ISSUES – ATTITUDE OF SUPPLIERS
  50. DATA PRIVACY ISSUES
     • WHERE ARE THE DATA? – KNOWING THE LOCATION OF DATA IS ESSENTIAL UNDER EU PRIVACY LAWS
     • CAN SUPPLIER TRANSFER DATA? – SAME AS ABOVE
     • MANAGEMENT OF SUBCONTRACTORS – MUST BE APPOINTED AS DATA PROCESSORS AND MUST BE AUDITABLE, BY CUSTOMER, BY PRIVACY AUTHORITY OR OTHER BODIES
     • SECURITY MEASURES – AUDITABILITY – LIABILITY
     • ACCESS DATA ARE PERSONAL DATA – WHERE ARE THEY, WHO CAN ACCESS THEM, HOW LONG ARE THEY STORED FOR
     • OBLIGATION NOT TO USE DATA – SUPPLIER AND SUBCONTRACTOR
     • RETURN OR DESTRUCTION OF DATA – SUPPLIER AND SUBCONTRACTORS
  51. LEGAL ISSUES
     • LIABILITY OF CLOUD PROVIDER FOR ILLEGAL CONTENT? – NO LIABILITY IF THE PROVIDER HAS NO KNOWLEDGE OR AWARENESS OF ILLEGAL NATURE AND REMOVES OR BLOCKS ILLEGAL DATA WHEN IT DOES GAIN KNOWLEDGE OR BECOME AWARE OF ILLEGAL NATURE (NOTICE AND TAKEDOWN)
     • JURISDICTIONAL ISSUES AND APPLICABLE LAW – THE CHOICE OF THE COMPETENT COURT AND OF THE APPLICABLE LAW ARE FUNDAMENTAL; IF OUTSIDE OWN COUNTRY, ANY LITIGATION CAN BECOME PROHIBITIVELY EXPENSIVE
     • DISPUTE RESOLUTION – ARBITRATION MUST BE CONSIDERED AS ONE INTERESTING OPTION KEEPING CONFIDENTIALITY AND AVOIDING PROBLEMS LIKE CHOICE OF ANOTHER APPLICABLE LAW BY COURT
  52. LEGAL ISSUES
     • INTRODUCTION OF HARMFUL CODE (VIRUSES AND OTHER MALICIOUS CODE) – NEED TO RELY ON THE PROVIDER APPLYING SUFFICIENT PROTECTION AGAINST THESE DANGERS; NECESSITY OF IMPOSING OBLIGATIONS TO THE PROVIDER
     • US PATRIOT ACT – In certain circumstances, the US PATRIOT Act allows the US government to obtain data held anywhere in the world by US companies or companies with sufficient connections to the US. This would extend to data centres based in the EU that are operated by US companies and data centres based in the US operated by non-US companies.
     • IT PROPERTY OWNERSHIP – NECESSARY TO ENSURE THAT THE AGREEMENT DOES NOT TRANSFER IP OWNERSHIP
  53. LEGAL ISSUES
     • ISSUES PARTICULAR TO REGULATED INDUSTRIES – RULES THAT LIMIT THEIR ABILITY TO OFFSHORE THEIR OPERATIONS; EX: BANKING OR INSURANCE COMPANIES; TEST THE WATERS WITH THEIR REGULATOR BEFORE PROCEEDING WITH CLOUD COMPUTING SERVICE SOLUTIONS
     • SUBCONTRACTORS – ALL THE RELEVANT OBLIGATIONS MUST THEREFORE APPLY ALSO TO THE SUB-PROCESSORS THROUGH CONTRACTS BETWEEN THE CLOUD PROVIDER AND SUBCONTRACTOR REFLECTING THE STIPULATIONS OF THE CONTRACT BETWEEN CLOUD CLIENT AND CLOUD PROVIDER
     • SPECIAL PRECAUTIONS BY THE PUBLIC SECTOR – EUROPEAN GOVERNMENTAL CLOUD AS A SUPRA NATIONAL VIRTUAL SPACE WHERE A CONSISTENT AND HARMONIZED SET OF RULES COULD BE APPLIED?
  54. CONCLUSIONS AND RECOMMENDATIONS
     • CLEARLY IDENTIFY THE DATA AND THE PROCESSING THAT WILL BE ENTRUSTED TO THE CLOUD PROVIDER – EX: HEALTH DATA, WHICH CAN ONLY BE STORED BY A CLOUD PROVIDER LICENSED BY THE FRENCH MINISTRY OF HEALTH
     • UNDERTAKE A RISK ANALYSIS TO ENSURE THAT THE CUSTOMER IS GETTING THE RIGHT LEVEL OF SECURITY – REFER TO THE GUIDELINES OF ENISA (EUROPEAN NETWORK AND INFORMATION SECURITY AGENCY) WHEN CONDUCTING THE RISK
     • UPDATE THE RISK ANALYSIS REGULARLY
     • BE SURE TO IDENTIFY THE RIGHT KIND OF OFFER THAT IS APPROPRIATE FOR A CLOUD CUSTOMER'S BUSINESS – SAAS, PAAS, OR IAAS, PUBLIC, PRIVATE OR HYBRID CLOUD SOLUTIONS
  55. CONCLUSIONS AND RECOMMENDATIONS
     • Choose a cloud provider with sufficient service and privacy level guarantees – essential elements that should appear in the cloud contracts
     • Rethink YOUR own IT security policy – such as rules on authentication of users, and employees' use of mobile devices to access the employer's network…
     • Ensure that the customer defines its own requirements on the technical and legal security aspects of the processing – Localization of the data, reversibility and data portability
  56. 56.            Social  Media          30’                                  Cookies            30’                                New  Domain  Names      15’                         Q  &  A                                                                                                        
  57. 57. BARCELONA,  SEPTEMBER  28,  2012   Some  issues  on  Social  Networks   Jean-­‐François  HENROTTE   j•enroue@philippelaw.eu  |  Argen(na  |  Belgium  |  Canada    |  France  |  Germany  |  Israel  |  Italy  |  Luxembourg  |  Mexico  |  Morocco  |  Norway  |  South  Africa  |  Spain  |  Switzerland  |  Tunisia    |  United  Kingdom  |  USA  
  58. 58. Some  issues  on  Social  Networks  1.  How  to  manage  issues  on  Social  Networks   A.  First,  the  easy  way   B.  Then  the  hard  way  2.  How  to  react  if  your  content  is  removed  3.  Community  management,  a  new  business   Page  60   |  Belgium  |  Me  Jean-­‐François  HENROTTE  |  j•enroue@philippelaw.eu  
  59. 59. Some  issues  on  Social  Networks  •  Social  networks  are  not  an  apart  world.  •  Almost  all  the  annoyances  of  society  can  be   found  there,  but  some  more  ohen  :   •  Defama(on   •  Harassment     •  Copyright  infrigement     •  Privacy  breach   •  …   Page  61   |  Belgium  |  Me  Jean-­‐François  HENROTTE  |  j•enroue@philippelaw.eu  
  60. 60. 1.  How  to  manage  issue  on  Social  Networks   How  to  react  ?   B.  Hard  Law  A.  Soh  Law      Use  the  tools   Use  leuer  of  formal  provided  by  social   no(ce,    cease-­‐and-­‐networks   desist  order,  themselves   lawsuit,…   Page  62   |  Belgium  |  Me  Jean-­‐François  HENROTTE  |  j•enroue@philippelaw.eu  
  61. 61. 1.  A  How  to  manage  issue  on  Social  Networks   Old  fashioned  legal  tools  are  good,  but…   Internet  is  a  par(cular  area  where  :     There  is  always  someone    Nothing  is  forgouen   on  the  lookout       Everything  can  be  reproduced   indefinitely     from  a  single  copy     Page  63   |  Belgium  |  Me  Jean-­‐François  HENROTTE  |  j•enroue@philippelaw.eu  
  62. 62. 1.A  How  to  manage  issue  on  Social  Networks   Beware  of  the  Barbara  Streisand’s  effect   Page  64  |  Belgium  |  Me  Jean-­‐François  HENROTTE  |  j•enroue@philippelaw.eu  
  63. 63. 1.A How to manage issues on Social Networks: Lawyers need to be careful when using letters of formal notice or lawsuits • There is a significant risk of bad publicity • There is a significant risk of attracting much more attention through an inadequate or bad reaction than the first event did in itself
  64. 64. 1.A How to manage issues on Social Networks: Some guidelines • Be quick but do not rush • Be ready to communicate if things go wrong • Use the reporting tools implemented by social networks: it is fast; it tackles the problem at the roots; it prevents (partly) the spread of the problem; main issue → completely arbitrary
  65. 65. 1.A How to manage issues on Social Networks: Tools to report abuse • First, the abuse must be defined: Breach of terms and policies; Copyright (or other IP right) infringement; Defamation; Privacy matter; Harassment; … • Then, follow the adequate procedure
  66. 66. 1.A How to manage issues on Social Networks • LinkedIn: http://www.linkedin.com/static?key=copyright_policy&trk=hb_h_copy • Facebook: http://en-gb.facebook.com/help/?page=178608028874393&ref=hcnav • Flickr: http://www.flickr.com/abuse/
  67. 67. 1.A How to manage issues on Social Networks • Google+: http://support.google.com/plus/bin/answer.py?hl=en&answer=1253377 • YouTube: http://www.youtube.com/t/copyright_notice?gl=BE • Google.com: https://www.google.com/webmasters/tools/removals?pli=1
  68. 68. 1.B How to manage issues on Social Networks: When the easy way is not enough. If: • The social network does not comply with your request, or not fast enough • You feel you need a stronger action → Unholster the usual lawyers
  69. 69. 1.B How to manage issues on Social Networks: First issue: identify the perpetrator • Easy if his real name is disclosed • May be really hard if he uses a nickname • In Belgium, it is almost impossible ∟ Due to recent case law, only the criminal judge has the power to compel providers to disclose the identity of a user (unlike in Spain) ∟ But, in Belgium, criminal justice is totally overloaded and either does not really care about these cases or is not really efficient at handling them
  70. 70. 1.B How to manage issues on Social Networks: The perpetrator is known and is in a place where you can reach him… → Then you can sue him using: ∟ Criminal law if defamation or harassment (Art. 443 and following of B. Criminal Code) ∟ Copyright law ∟ Civil law (Art. 1382 – 1383 of B. Civil Code) ∟ Commercial law
  71. 71. A word about Criminal Law: Often, the first idea when faced with a problem (such as defamation) on a social network is to use Criminal Law. But (in Belgium at least): • You are not in control • Criminal procedure can be really slow • It may paralyse civil procedure
  72. 72. 1.B How to manage issues on Social Networks: The perpetrator is unknown, or you can’t reach him → Lodge a criminal complaint against X → At the same time, act against the provider (social network company in this case), but: ∟ they may benefit from the exemption from liability ∟ they can oppose the argument of freedom of speech ∟ they can claim that they did not commit any fault
  73. 73. 1.B How to manage issues on Social Networks: Exemption from civil liability, introduced by Directive 2000/31/EC on electronic commerce. You have to prove that: • they do not fit into the category of intermediary service providers (hoster in this case) as provided by the Directive • they had previous knowledge of the illegality or had not responded adequately when they were made aware of this illegality → Injunctions are still possible
  74. 74. 1.B How to manage issues on Social Networks: Freedom of speech. This right is crucial to our societies, but not absolute → You have to prove that your case falls within one of the limitations of this right
  75. 75. 1.B How to manage issues on Social Networks: The lack of fault → You need to prove that, once the provider has been made aware of the illegality, he commits a fault if he doesn’t react quickly to remove or to disable access to the information
  76. 76. 1.B How to manage issues on Social Networks: Intermediate conclusions • It may be hard and expensive to achieve a result (suppression of the content, not even talking of compensatory damages) with the hard way • Get yourself organised to control the places of discussion • Use the soft way
  77. 77. 2. How to react if your content is removed: What if your content is removed • Identify the pretext used to justify the removal • Use the counter-notice pages and tools offered by social networks • Act at the same time against the person who lodged the complaint (when his identity is known) and try to get him to withdraw his complaint
  78. 78. 3. Community management: Community Management • A new profession related to the advent of social networks • This business consists in managing and maintaining a community of “fans” of a brand, a company, a person, … on social networks
  79. 79. 3. Community management: Issues • Little or no education to become a community manager • Often a poor understanding of the risks on the part of the executives • Risks are even greater than with a spokesman: speed and spontaneity of responses; rapid dissemination to the community and beyond; fans can focus on the personality of the community manager rather than on the brand
  80. 80. 3. Community management: Issues • In most cases, application of labor law (if the manager is an employee) or standard liability rules • In Belgium, except for gross negligence, the employee will not be held responsible • Particular attention should be paid to the contract!
  81. 81. 3. Community management: Upon hiring, it must therefore be decided • Who owns the contents produced by the Community Manager in case of break of contract? ∟ In Belgium, transfer of IP rights has to be formally provided in the contract (unlike in Spain) • Who owns the community’s members that he has attracted in case of break of contract?
  82. 82. 3. Community management: Upon hiring, it must therefore be decided • Who has ownership of, and the access codes to, the account? ∟ When possible, it is better that the executives open the account themselves and then give (limited) admin rights to the community manager; executives should also keep moderating powers in case of emergency ∟ It is a good idea to write down the unique ID of the account in the contract
