Masterproef Charlotte De Cortlib.ugent.be/fulltxt/RUG01/002/272/119/RUG01... · Charlotte De Cort...

Faculty of Law, Ghent University, 2015-2016

THE RIGHT TO PRIVACY IN THE DIGITAL AGE
A Facebook case study on the impact of the 2016 data protection reform

Dissertation ‘Master of Laws’ by Charlotte De Cort (Student number: 01104180)
Supervisor: Prof. dr. Yves Haeck
Co-supervisor: Andy Van Pachtenbeke



ACKNOWLEDGMENTS

First and foremost, I would like to thank my supervisor, Professor dr. Yves Haeck, for giving me the freedom to write and develop this dissertation about a subject that sincerely interested me. I would like to thank both my supervisor and my co-supervisor, Andy Van Pachtenbeke, for their guidance throughout both Master years. They have taught me legal speaking and writing skills, which will undoubtedly be of great importance in the future.

Aside from the professional guidance, this dissertation would never have been possible without the encouragement of my incredibly supportive family. I would like to thank my mother, for her countless pep talks and extraordinary printing services, my father, for his astounding calmness in stressful times, and my brother and sister, for their continuous efforts to lift my spirits during the tougher moments. Additionally, I would like to thank my grandma for lighting an overwhelming amount of candles and my dog for his unparalleled enthusiasm when welcoming me home. Together they provided me with indispensable practical and emotional support and ensured I remained confident in my abilities.

Lastly, I would like to thank Katrien Coenen, Denitsa Kuzeva, Marlies Van Dijck, Hanne Vyncke & Niels Tack, for taking the time to help me get the last details right.

Charlotte De Cort

17 May 2016


DUTCH ABSTRACT

Many of the practices that social networks such as Facebook use today raise questions among their users. Are these techniques compatible with the current legislation? Many of these practices are at the very least dubious in relation to the current legislation, and they are increasingly coming under fire. This is demonstrated by two cases discussed in this thesis. The reform of the data protection legislation will have an impact on these practices. The reform consists of two parts: (i) a new General Data Protection Regulation and (ii) the replacement of the Safe Harbour decision by the EU–US Privacy Shield.

The new General Data Protection Regulation should improve the position of the individual internet user. There is no black-and-white answer to the question of whether it actually does. The Regulation creates new rights, among them the famous ‘right to be forgotten’. In addition, the requirement of consent is tightened: it will henceforth require a clear, affirmative action. However, the General Data Protection Regulation has also missed opportunities; the Commission’s initial proposal, for instance, contained the requirement of explicit consent.

Furthermore, the notorious Safe Harbour decision will be replaced by the new ‘EU–US Privacy Shield’. This new decision has already been heavily criticised. There is a chance that it will be challenged immediately.

Both the new General Data Protection Regulation and the EU–US Privacy Shield show that there is a trend towards more data protection. Surveys show that EU citizens also attach more and more importance to it. Since Facebook has become important in the daily lives of many people, its practices have an enormous impact. The reform of the data protection legislation will affect these practices in the sense that the rules become even stricter in certain areas. Since many practices are already dubious under the current legislation, there is a chance that they will simply be maintained in the future as well. The change that will probably have the greatest impact on the practices of companies such as Facebook is the introduction of high administrative fines. Those fines can be imposed by national supervisory authorities. Moreover, those supervisory authorities will henceforth be competent to assess companies that direct their activities at the EU, regardless of whether they are established inside or outside the EU.


CONTENTS

ACKNOWLEDGMENTS
DUTCH ABSTRACT
CONTENTS

Chapter I. Introduction

Chapter II. History of the right to privacy

Chapter III. Data Protection Reform
  1. From the Data Protection Directive to the General Data Protection Regulation
    1.1. Reform process
    1.2. Evolution to a regulation
    1.3. Definitions
      1.3.1. A broader definition of ‘personal data’
      1.3.2. Safeguards for sensitive personal data and vulnerable groups
        1.3.2.1 A broader definition of ‘sensitive personal data’
        1.3.2.2 Newly introduced concept of ‘vulnerable groups’
      1.3.3. A stricter definition of ‘consent’
      1.3.4. Newly introduced definition for ‘profiling’
    1.4. Expanded Scope
      1.4.1. Material scope: definitions
      1.4.2. Material scope: GDPR also applies to data processors
      1.4.3. Geographical scope: extra-territoriality
      1.4.4. Overview
    1.5. Individual’s rights are strengthened
      1.5.1. Existing rights are broadened
      1.5.2. New rights
        1.5.2.1 The right to be forgotten
        1.5.2.2 Right to data portability
      1.5.3. Restrictions to rights
    1.6. Obligations of data controllers and data processors
      1.6.1. Accountability principles
      1.6.2. Data breaches must be notified
      1.6.3. Appointment of a data protection officer
        1.6.3.1 Which companies must appoint a DPO?
        1.6.3.2 What are the rights and obligations of the DPO?
    1.7. International data exports
    1.8. Introduction of administrative fines
  2. Data Transfers to the United States of America: from Safe Harbour to the EU–US Privacy Shield
    2.1. Invalidation of the Safe Harbour Agreement
    2.2. Seven core principles
      2.2.1. Notice
      2.2.2. Choice
      2.2.3. Accountability for onward transfer
      2.2.4. Security
      2.2.5. Data integrity and purpose limitation
      2.2.6. Access
      2.2.7. Recourse, enforcement and liability
    2.3. Criticism
      2.3.1. Opinion of the Article 29 Working Party
      2.3.2. National DPAs
  3. Conclusion

Chapter IV. Facebook
  1. Introduction
  2. Practices
    2.1. How do users give their consent?
    2.2. Location Tracking
      2.2.1. How does Facebook gather location data?
      2.2.2. Applicable legislation
    2.3. Tracking of browsing activity
      2.3.1. Which data subjects are affected?
      2.3.2. Opting out
      2.3.3. Alternative ways of avoiding tracking
      2.3.4. Applicable legislation
    2.4. Advertising Practices
      2.4.1. Behavioural advertising
      2.4.2. Advertisements with social actions
      2.4.3. Vague and non-specific Terms of Service and Data Policy
    2.5. The licensing of users’ content
  3. What rights do users have and are they effective?
    3.1. Right of access
    3.2. Right to be informed
    3.3. Right to object
    3.4. Right to erasure (Right to be forgotten)

Chapter V. Belgian Privacy Commission v. Facebook
  1. Facts
  2. Claims of the parties
    2.1. Competence of the Belgian Courts
    2.2. Claims relating to fundamental rights and freedoms are always urgent
    2.3. This case concerns the “processing” of “personal data”
    2.4. The Belgian Privacy Act was violated
      2.4.1. Violation of Article 4, §1, 1° and 2° Belgian Privacy Act
        2.4.1.1 Facebook did not obtain unambiguous, informed consent
        2.4.1.2 No other grounds for processing were applicable
      2.4.2. Violation of Article 4, §1, 2° and 3° Belgian Privacy Act
    2.5. Outcome
  3. Are the concerns addressed by the data protection reform?

Chapter VI. Maximilian Schrems v. Data Protection Commissioner
  1. Facts
  2. Considerations of the CJEU
    2.1. Competence of the national DPA
    2.2. Validity of the Safe Harbour Agreement
    2.3. Outcome
  3. Are the concerns addressed by the data protection reform?

Chapter VII. Conclusion

BIBLIOGRAPHY


Chapter I. Introduction

“Privacy is dead and social media hold the smoking gun.”

- PETE CASHMORE1

Along with the digital age, new challenges for our legal systems have occurred. Legal scholars all over the world are struggling to find answers to regulate the abundance of new technologies. One of the most challenging human rights to reconcile with this evolution is the right to privacy. Over the past years, new online social networks, such as Facebook, have emerged. While they have offered our society a whole new way of communicating, they have also posed challenges to the fundamental right to privacy.

Since its start in 2004, Facebook has become the largest online social network.2 In 2015, it recorded over 1.5 billion users. When Facebook amended its Terms of Service3 in 2015, a lot of people were worried about the impact on their privacy. Though the update did create some new concerns, most of Facebook’s worrisome practices already existed prior to this update. It seems that along with technological advancements, people are becoming more willing to offer up a part of their right to privacy. As long as the benefits outweigh the costs, practices, such as location tracking, licensing users’ photos, might be accepted by a part of the population. These practices, among others, will be discussed in this dissertation. This paper will pose the question if these – sometimes questionable – practices will still be lawful after the data protection reform of 2016, or if this reform will not bring about a significant change.

Chapter II will shortly describe the history of the right to privacy and give an indication of the background of the current legislation and why a reform was long overdue.

Chapter III will continue with the discussion of the data protection reform that took place in 2016. Firstly, the new General Data Protection Regulation, and the key differences with the old Data Protection Directive, will be discussed. Secondly, Chapter II will look at the transition from the Safe Harbour agreement to the EU – US Privacy Shield following the Schrems case. The most important question that will be posed in Chapter III is if this reform will impact internet users’ right to privacy.

1 Pete Cashmore is the CEO and founder of the popular blog Mashable, a Technorati Top 10 blog worldwide; See also http://mashable.com/people/petecashmore/.
2 Facebook Newsroom. (n.d.). Company Info. [online] Available at: http://newsroom.fb.com/company-info/ [Accessed 5 May 2016].
3 Facebook. (2016). Terms of Service. [online] Available at: https://www.facebook.com/terms [Accessed 5 May 2016]. Hereinafter: Terms of Service.

In Chapter IV, Facebook’s different user agreements4 and its ongoing practices, such as the abovementioned location tracking and licensing of users’ photos, will be discussed. Other practices that will be discussed are (i) the way consent is given, (ii) the tracking of browsing activity and (iii) the advertisement practices. This chapter will assess these practices in light of the current legislation and the data protection reform.

In Chapters V and VI two legal cases brought against Facebook will be discussed. In Chapter V, the challenge posed by the Belgian Privacy Commission will be examined.5 The Belgian Privacy Commission challenged the practice particularly of tracking browsing activity of non-Facebook users before the Belgian courts. In Chapter VI, a second challenge, from the Austrian citizen Maximilian Schrems, will be discussed. The case of Max Schrems v. Data Protection Commissioner6 before the CJEU will be examined as it questioned the legitimacy of data transfers from the EU to the US. This case is particularly interesting since it had implications on the Safe Harbour Agreement between the US and the EU and consequently was the cause of the new EU – US Privacy Shield Agreement. Both cases will be examined with the same approach: (i) the facts, (ii) the claims of the applicants, (iii) the ruling, (iv) what effect did the ruling have, and lastly, (v) were the concerns, as expressed by the applicants in these cases, addressed by the 2016 data protection reform?

By Chapter VII, a final assessment will be made of the impact of the 2016 data protection reform on Facebook’s practices.

By the end of this dissertation, as a reader, you will have a better idea of how Facebook operates, how its practices can conflict with privacy laws and whether or not the data protection reform will eliminate some of these existing conflicts.

4 The Terms of Service, the Data Policy, and – to a lesser extent – the cookie policy; Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016]; Facebook. (n.d.). Cookies, Pixels & Similar Technologies. [online] Available at: https://www.facebook.com/help/cookies/update [Accessed 5 May 2016].
5 Belgian Commission For The Protection Of Privacy V. Facebook INC., Facebook Belgium SPRL And Facebook Ireland Limited 15/57/C (Dutch Speaking Court of First Instance Brussels 2015).
6 Maximilian Schrems v. Data Protection Commissioner [2016] C-362/14 (CJEU).


Chapter II. History of the right to privacy

“Bene vixit, bene qui latuit.”7

- OVID8

In 1879, Thomas Cooley, an American judge, described the right to privacy quite simply as “the right to be let alone”.9 The right to privacy, however, can be traced as far back as the fourteenth century. One of the earliest national laws on privacy, the Justices of the Peace Act in England for the arrest of peeping toms and eavesdroppers, dates back to 1361. In the following years, many other countries, such as Sweden and France, followed suit by introducing privacy laws.10

The right to privacy soon graduated to an international level. The international right to privacy, as it is known today, was first enacted in Article 12 of the Universal Declaration of Human Rights11 of 1948, which states:

“No-one should be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks on his honour or reputation. Everyone has the right to the protection of the law against such interferences or attacks.”

Aside from the UDHR, the right to privacy is also featured in the International Covenant on Civil and Political Rights12, the UN Convention on Migrant Workers13 and the UN Convention on Protection of the Child14. The right to privacy, as inscribed in the UDHR, cannot be invoked by citizens directly. On a regional level, however, the right to privacy soon became enforceable.

7 “To live well is to live concealed.”
8 Publius Ovidius Naso, known as Ovid in the English-speaking world, was a Roman poet who lived during the reign of Augustus.
9 Warren, S. and Brandeis, L. (1980). The Right to Privacy. Harvard Law Review, IV(5).
10 The Rachel Affaire [1858] D.P. III 62 (Tribunal civil de la Seine); See also Hauch, J. (1994). Protecting Private Facts in France: The Warren & Brandeis Tort is Alive and Well and Flourishing in Paris. Tulane Law Review, 68(1219).
11 Hereinafter: UDHR.
12 Art. 17 UN General Assembly, International Covenant on Civil and Political Rights, 16 December 1966, UN Doc. A/6316 (1966).
13 Art. 14 UN General Assembly, International Convention on the Protection of the Rights of all Migrant Workers and Members of Their Families, 18 December 1990, UN Doc. A/RES/45/158 (1990).
14 Art. 16 UN General Assembly, Convention on the Rights of the Child, 20 November 1989, UN Doc. A/RES/44/25 (1989).


The European Convention on Human Rights15 was adopted in 1950 and entered into force in 1953. Article 8 ECHR, titled the “right to respect for private and family life”, states the following:

“1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”

The first paragraph of Article 8 ECHR contains the right to privacy in principle, while the second paragraph describes the conditions for interference with the right. The bases for interference with the right to privacy are therefore limited to (i) national security, (ii) public safety, (iii) the economic wellbeing of the country, (iv) prevention of disorder or crime, (v) the protection of health and morals and (vi) the protection of the rights and freedoms of others.

Every member of the Council of Europe has incorporated or given effect to the ECHR within their national laws, which requires them to act in accordance with the provisions of the ECHR.16 To enforce the human rights enshrined in the ECHR two institutions were created to oversee enforcement, namely the European Commission of Human Rights17 and the European Court of Human Rights. Both institutions have been active in the enforcement of Article 8 ECHR. The importance of the right to privacy is stressed as the protection offered by Article 8 ECHR is interpreted expansively and vice versa the restrictions are interpreted narrowly.18

Aside from the Council of Europe, the European Union also guarantees the right to privacy. Although the founding treaties of the EU did not contain human rights, the Charter for Fundamental Rights of the European Union19 was enacted in 2000. Initially, the Charter was exclusively a political document. It became legally binding and a part of EU primary law through the Lisbon Treaty20 in 2009. The EU is generally competent to pass legislation on data protection matters based on Article 16 of the Treaty on the Functioning of the European Union21 and used this competence to include Article 7 on the respect for private and family life and Article 8 on the right to data protection in the Charter.22

15 Hereinafter: ECHR.
16 European Union Agency for Fundamental Rights, (2014). Handbook Data Protection. p. 14.
17 The European Commission of Human rights was abolished by protocol 11 in 1988.
18 Strossen, N. (1990). Recent US and International Judicial Protection of Individual Rights: A comparative Legal Process Analysis and Proposed Synthesis. Hastings Law Journal, 41, p. 805.

As the Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data23 predates Article 8 of the Charter, Article 8 of the Charter can be seen as an embodiment of established EU data protection legislation. Legislators were therefore not only able to explicitly mention data protection as a right, but also to refer to key data protection principles. These principles, such as consent as a basis for data processing and the right of access and rectification, were incorporated in Article 8 (2) of the Charter. Lastly, Article 8 (3) of the Charter confirms the existence of independent authorities to implement the principles mentioned in Article 8 (2) of the Charter.24

Until 2018, the Data Protection Directive will remain the most important EU legislative instrument on data protection. At the time of its adoption, several member states already had their own set of national data protection laws. In 1995, the establishment of the Data Protection Directive was crucial, however, to facilitate the newly established internal market by providing a high level of data protection.25 The aim of the Data Protection Directive was the maximum harmonisation26 of the data protection laws at the national level.27 Therefore, member states have to ensure the national data protection rules fall within the framework set by the Data Protection Directive.28

19 Charter of Fundamental Rights of the European Union, O.J. C-326, 26 October 2012, pp. 391–407. Hereinafter: the Charter.
20 Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community, signed at Lisbon, 13 December 2007, O.J. C 306, 17 December 2007, pp. 1–271.
21 Consolidated version of the Treaty on the Functioning of the European Union, O.J. C-326, 26 October 2012, pp. 47–390. Hereinafter: TFEU.
22 European Union Agency for Fundamental Rights, (2014). Handbook Data Protection. p. 20.
23 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, O.J. L-281, 23 November 1995, pp. 31–50. Hereinafter: Data Protection Directive.
24 European Union Agency for Fundamental Rights, (2014). Handbook Data Protection. p. 20.
25 Recital (3)–(5) Data Protection Directive.
26 Recital 1, 4, 7 and 8 Data Protection Directive.

TheDataProtectionDirective’sterritorialscopecomprisesthe28EUmemberstates,aswell as the non-EU members that are a part of the European Economic Area, namely:Iceland,LiechtensteinandNorway.29

As a result of the changing digital landscape, the European Commission proposed a complete reform of the data protection legislation in 2012, stating it needed to be modernized in light of rapid technological developments and globalisation.[30] The reform package consisted of a proposal for a General Data Protection Regulation[31], to replace the Data Protection Directive, and a new directive[32], specifically aimed at regulating data protection in police and judicial cooperation in criminal matters.[33]

In the meantime, several judicial cases also started exposing weak spots in the Data Protection Directive. Whether or not these will be rectified by the new General Data Protection Regulation[34] remains to be seen. In the next chapter, we will discuss the differences between the Data Protection Directive and the GDPR.

[27] Joined cases Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) and Federación de Comercio Electrónico y Marketing Directo (FECEMD) v. Administración del Estado [2011] C-468/10 and C-469/10 (CJEU), §28-29.
[28] European Union Agency for Fundamental Rights, (2014). Handbook Data Protection. p. 17.
[29] European Union Agency for Fundamental Rights, (2014). Handbook Data Protection. p. 18.
[30] European Union Agency for Fundamental Rights, (2014). Handbook Data Protection. p. 21.
[31] European Commission, Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), 25 January 2012, COM 2012/0011 (COD).
[32] European Commission, Proposal for a Directive on the protection of individuals with regards to processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, 25 January 2012, COM 2012/0010 (COD).
[33] European Commission, (2012). Commission proposes a comprehensive reform of data protection rules to increase users' control of their data and to cut costs for businesses. [online] Available at: http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en [Accessed 9 May 2016].
[34] Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), O.J. L-119, 4 May 2016, pp. 1-88. Hereinafter: GDPR.

Chapter III. Data Protection Reform

1. From the Data Protection Directive to the General Data Protection Regulation

“Individuals must be empowered: they must know what their rights are, and know how to defend their rights if they feel they are not respected. Our work in creating first-rate data protection rules providing for the world's highest standard of protection is complete.”[35]

1.1. Reform process

The current Data Protection Directive dates back to 1995, a time when less than 1% of the world’s population had access to the internet. By 2015 around 40% of the global population had access to the internet; in the developed world this number even increases to 80%.[36] Needless to say, the Data Protection Directive had become outdated and was in desperate need of an update when the European Commission proposed a reform in 2012.

On 25 January 2012, the European Commission proposed a comprehensive reform of the EU’s data protection rules.[37] The European Commission expressed two main goals: firstly, to increase users’ control of their data, and secondly, to cut costs for businesses by creating a ‘Digital Single Market’. The proposed reform contained two legislative proposals: a regulation as a general framework for data protection[38] and a directive specifically aimed towards data processed for the purposes of prevention, detection, investigation or prosecution of criminal offenses and related judicial activities[39]. The latter will not be discussed in this dissertation.

[35] Joint Statement European Commission First Vice-President Frans Timmermans, Vice-President in charge of the Digital Single Market Andrus Ansip, and Commissioner for Justice, Consumers and Gender Equality, Věra Jourová on the final adoption of the new EU rules for personal data protection. European Commission, (2016). Joint Statement on the final adoption of the new EU rules for personal data protection. [online] Available at: http://europa.eu/rapid/press-release_STATEMENT-16-1403_en.htm [Accessed 15 May 2016].
[36] Data available at: International Telecommunication Union (ITU). (2015). Statistics - Global ICT Developments. [online] Available at: http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx [Accessed 14 May 2016].
[37] European Commission, (2012). Commission proposes a comprehensive reform of data protection rules to increase users' control of their data and to cut costs for businesses. [online] Available at: http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en [Accessed 4 May 2016].
[38] European Commission, Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), 25 January 2012, COM 2012/0011 (COD).

After a legislative process of more than four years, an agreement was reached through trilogue negotiations between the European Parliament, the European Commission and the Council.[40] The final version of the GDPR[41] was published in the Official Journal on 4 May 2016. It enters into force on 24 May 2016, but will only be applicable on 25 May 2018. Until then the Data Protection Directive will remain applicable. The new rules are promised to address the concerns expressed by European citizens[42] by strengthening existing rights and empowering individuals with more control over their personal data.

In what follows the most relevant measures from the new GDPR will be discussed in comparison to the Data Protection Directive.

1.2. Evolution to a regulation

The Data Protection Directive, as a directive, was never directly applicable in the member states. Each state had to individually implement the directive into its national laws.[43] Directives set goals to be achieved by a certain date, but allow for the member states to determine in what way they will reach these goals. This resulted in different, fragmented approaches to data protection across the EU. This situation is detrimental for both businesses, as they face conflicting requirements, and consumers, as they are not protected equally across the EU.

As an example we will look at and compare the enforcement of data protection laws in Germany, France and the United Kingdom.[44]

[39] European Commission, Proposal for a Directive on the protection of individuals with regards to processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, 25 January 2012, COM 2012/0010 (COD).
[40] European Commission, (2015). Agreement on Commission's EU data protection reform will boost Digital Single Market. [online] Available at: http://europa.eu/rapid/press-release_IP-15-6321_en.htm [Accessed 4 May 2016].
[41] Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), O.J. L-119, 4 May 2016, pp. 1-88.
[42] European Commission, (2015). Special Eurobarometer 431 “Data protection”. [online] European Union, p. 115. Available at: http://ec.europa.eu/public_opinion/archives/ebs/ebs_431_en.pdf [Accessed 14 May 2016].
[43] Art. 288 TFEU.
[44] DLA Piper, (2016). Data Protection Law of the World. pp. 137-149, 482-487.

In Germany, the violation of data protection laws is an administrative offence subject to pecuniary fines of up to 300 000 EUR per violation. A violation is considered to be a criminal offence when the behaviour is wilful or in exchange for financial benefits. For a criminal offence the punishment can be a fine or imprisonment for up to two years. Additionally, German authorities can skim profits that resulted from the violation.[45] In practice, German data protection authorities were reluctant to enforce these rules. Very few official prosecution procedures were opened and the fines that were imposed were low. Recently, there has been a tendency to enforce data protection rules more strictly after amendments to the law were made in 2009, following several scandals[46] revealing the disclosure or misuse of personal data.[47]

The French data protection authority, called the ‘Commission Nationale de l'Informatique et des Libertés’[48], was given a wide range of investigative powers. The CNIL can verify all data processing and request any document it deems necessary to do so effectively.[49] Additionally, the CNIL is authorized to perform online inspections and issue compliance orders when a violation is found.[50] The CNIL is not even obliged to inform the company under investigation, until the investigation has been conducted.[51] If, after a notice or compliance order, the company does not comply with the data protection rules, the CNIL can pronounce a fine of up to 150 000 EUR for the first offense. For a second offense, within the following 5 years, the CNIL can order a fine of up to 300 000 EUR and/or order the company to immediately cease all data processing.[52]

[45] Art. 43 Bundesdatenschutzgesetz (BDSG) vom 20. Dezember 1990 (BGBl. I S. 2954), neugefasst durch Bekanntmachung vom 14. Januar 2003 (BGBl. I S. 66), zuletzt geändert durch Gesetz vom 29.07.2009 (BGBl. I, S. 2254), durch Artikel 5 des Gesetzes vom 29.07.2009 (BGBl. I, S. 2355 [2384]) und durch Gesetz vom 14.08.2009 (BGBl. I, S. 2814). (German Federal Data Protection Act).
[46] Ernst & Young, (2009). Privacy and Data Protection Law: European Developments; For example, in 2006 a German telecom company lost personal data, such as addresses, cell phone numbers, and email addresses, of millions of customers. Perez, M. (2008). T-Mobile Lost 17 Million Subscribers' Personal Data. InformationWeek. [online] Available at: http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=210700232 [Accessed 4 May 2016].
[47] Paez, M. (2009). Germany Strengthens Data Protection Act, Introduces Data Breach Notification Requirement. [online] Jones Day. Available at: http://www.jonesday.com/germany-strengthens-data-protection-act-introduces-data-breach-notification-requirement-10-26-2009/#_edn15 [Accessed 4 May 2016].
[48] Hereinafter: CNIL.
[49] Art. 11, §2, (f) and art. 40, III Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés, Journal officiel du 7 janvier 1978 et rectificatif au J.O. du 25 janvier 1978.
[50] Art. 40, III, §4 Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés, Journal officiel du 7 janvier 1978 et rectificatif au J.O. du 25 janvier 1978.
[51] DLA Piper, (2016). Data Protection Law of the World. pp. 137-149.

Lastly, in the United Kingdom, a violation of data protection rules is considered to be a criminal offense punishable with a fine of up to 5,000 GBP[53]. The British data protection authority, called the Information Commissioner’s Office[54], can also impose fines of up to 500,000 GBP for serious violations.[55] Serious violations are defined as “serious and likely to cause substantial damage or distress and either the contravention was deliberate, or the data controller knew or ought to have known that there was a risk that the breach would occur and would be likely to cause substantial damage or distress, but failed to take reasonable steps to prevent the breach.”[56]

This comparison demonstrates that despite the maximum harmonisation of the Data Protection Directive, EU member states still have a lot of leeway when implementing the Data Protection Directive, which results in sometimes vastly different rules depending on the country you are in.

As the GDPR is a regulation as opposed to a directive, it will be directly applicable in every member state, meaning the rules will become a part of the national legal system and increase the harmonization of data protection rules in the EU. Although member states may need to modify national laws in order to comply with the GDPR or adopt additional legislation to give the GDPR full effect, this does not change the fact that the GDPR, as a regulation, in itself has legal effect in the member states regardless of any national law.[57] In principle, the data protection laws in every member state will be the same.[58] In a couple of limited exceptions, such as processing data in the employment context[59], national ID numbers[60], and professional secrecy obligations[61] member states will still be able to adopt specific legislation.[62]

[52] Art. 45 and 47 Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés, Journal officiel du 7 janvier 1978 et rectificatif au J.O. du 25 janvier 1978.
[53] Provision 60 Data Protection Act 1998. 5,000 GBP is the maximum fine for level 5 violations that can be imposed by a UK Magistrates’ Court.
[54] Hereinafter: ICO.
[55] ICO, (2015). Information Commissioner’s guidance about the issue of monetary penalties prepared and issued under Section 55C(1) of the Data Protection Act 1998. pp. 6-8.
[56] Provision 55A Data Protection Act 1998.
[57] Craig, P. and De Burca, G. (1998). EU law. Oxford: Oxford University Press, p. 105.
[58] Art. 288 TFEU.
[59] Recital 155 GDPR; Art. 88 GDPR.

Barring these exceptions, this new regulation will ensure a consistent approach across member states. This does not mean every single detail will be applied in a uniform way. Different courts of law in different member states may apply and interpret the GDPR differently. The European Court of Justice[63] will, however, be able to play a unifying role through preliminary questions[64] and the appeals procedure[65]. Through preliminary questions national courts can ask questions regarding interpretation and via the appeals procedure, the CJEU will be able to judge if member states are fulfilling their obligations under the GDPR.

1.3. Definitions

Many of the core definitions under the Data Protection Directive, such as controller and processor, will remain unchanged. The GDPR, however, has also expanded the scope of some definitions, such as personal data and sensitive personal data, and restricted the scope of others such as consent. In addition, new definitions, such as a definition for profiling, have been added. In what follows, we will discuss these changes.

1.3.1. A broader definition of ‘personal data’

Under the Data Protection Directive, personal data was defined as “any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”[66]. There was a lot of debate on whether or not online identifiers, such as an IP address, fall within this definition of personal data.[67] The answer to this question is especially important for online companies such as Facebook who store data per IP address.[68]

[60] Art. 87 GDPR.
[61] Art. 90 GDPR.
[62] Paez, M., von Diemar, U., Little, J., Robertson, E., Bru, P., Haas, O. and De Muyter, L. (2015). Agreement Reached on the European Reform of Data Protection. [online] Jones Day. Available at: http://www.jonesday.com/agreement-reached-on-the-european-reform-of-data-protection-12-17-2015/ [Accessed 4 May 2016].
[63] Hereinafter: CJEU.
[64] Art. 267 TFEU.
[65] Art. 265 and 268 TFEU.
[66] Art. 2 (a) Data Protection Directive.
[67] Lee, P. (2015). Getting to know the GDPR, Part 1 - You may be processing more personal information than you think. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2015/getting-to-know-the-gdpr-part-1-you-may-be-processing-more-personal-information-than-you-think [Accessed 4 May 2016].

Like the Data Protection Directive, the GDPR’s scope is limited to the protection of personal data. The GDPR defines personal data as: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”[69] The GDPR settles the previously mentioned debate by explicitly stating online identifiers fall within the definition of personal data. Online businesses, especially those in the social media business, will be impacted by this change,[70] even more so considering the extraterritorial scope as will be discussed in Section 1.4.3 of this chapter on the extra-territorial character of the GDPR.

Under the Data Protection Directive, companies often tried to escape the scope of the Data Protection Directive by anonymising the personal data they collected. The Article 29 Working Party tried to make a recommendation on how this was possible in practice while still complying with the Data Protection Directive. They came to the conclusion, however, that it is virtually impossible to anonymise personal data.[71]

The GDPR has created a new concept, called “pseudonymisation”, aimed at regulating this existing practice of anonymisation. Pseudonymisation is: “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”[72] Personal data that has undergone the process of pseudonymisation, but can still be attributed to a natural person through the use of additional information, should still be considered as information on an identifiable person.[73]

[68] Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.
[69] Art. 4 (1) GDPR.
[70] Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.
[71] Article 29 Working Party, (2014). Opinion 05/2014 on Anonymisation Techniques. p. 23.
[72] Art. 4 (5) GDPR.
[73] Recital 26 GDPR.

Although this pseudonymised data will still be considered as personal data when it falls within the definition of Article 4 (1) GDPR, individuals’ rights will be restricted through exceptions to certain provisions within the GDPR when their data has been pseudonymised. Firstly, there is an exception to the data breach notification requirements as the risk of pseudonymised data causing harm is significantly lower.[74] Secondly, there will be an exemption from the need to comply with data subjects’ right of access, right to correct and erase data along with data portability requests.[75] Lastly, companies will have a greater flexibility to conduct data profiling[76] without the data subject’s consent as the processing of pseudonymised data is unlikely to significantly affect a data subject as required by Article 22 (1) GDPR and explained in Recital 71 GDPR.

Article 25 GDPR emphasises the importance of pseudonymisation by mentioning it as an appropriate technique for data controllers to implement the data protection principles from the GDPR in an effective way. This requirement is repeated in Article 32 GDPR, for both the controller and the processor of personal data, to ensure the secure processing of personal data.[77] These articles, combined with incentives through relaxed obligations, emphasise the importance of pseudonymisation and will reward companies who use the technique effectively.
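The Article 4 (5) definition quoted above has a concrete engineering shape: the identifiers in the dataset are replaced by pseudonyms, and the "additional information" that links a pseudonym back to a person is held apart from the dataset under its own controls. The following Python program, added here as an illustration and not taken from the dissertation or from any of the sources it cites, shows that shape for the pseudonymisation technique that Articles 25 and 32 refer to. The records, the IP addresses (documentation range), the `Vault` class and the field names are all constructed for the demo; the keyed-hash construction (HMAC-SHA256) is one common way to build deterministic pseudonyms, not something the GDPR prescribes.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records (fictional people, documentation IP addresses):
# two direct identifiers plus one analytics attribute per record.
RAW_RECORDS: List[Dict[str, object]] = [
    {"email": "alice@example.org", "ip": "203.0.113.10", "pages_viewed": 12},
    {"email": "bob@example.org", "ip": "203.0.113.11", "pages_viewed": 3},
    {"email": "alice@example.org", "ip": "203.0.113.10", "pages_viewed": 7},
]
IDENTIFIER_FIELDS = ("email", "ip")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated for readability).

    Deterministic, so records of the same subject still link inside the
    analytics dataset; keyed, so the mapping cannot be rebuilt by anyone who
    holds only the dataset.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:24]


class Vault:
    """The 'additional information' of Art. 4 (5) GDPR, kept apart from the
    dataset: the key and the pseudonym -> identifier mapping live only here."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._reverse: Dict[str, str] = {}

    def pseudonymise(self, record: Dict[str, object]) -> Dict[str, object]:
        out = dict(record)
        for f in IDENTIFIER_FIELDS:
            p = pseudonym(str(record[f]), self.key)
            self._reverse[p] = str(record[f])
            out[f] = p
        return out

    def reattribute(self, p: str) -> Optional[str]:
        """Only the vault holder can turn a pseudonym back into an identifier
        (needed, for instance, to answer a data subject's access request)."""
        return self._reverse.get(p)


def build_dataset(records, vault: Vault):
    """Dataset handed to analysts: pseudonyms only, no direct identifiers."""
    return [vault.pseudonymise(r) for r in records]


def pages_per_subject(dataset) -> Dict[str, int]:
    """Per-subject aggregation works on pseudonyms alone."""
    totals: Dict[str, int] = {}
    for r in dataset:
        totals[r["email"]] = totals.get(r["email"], 0) + int(r["pages_viewed"])
    return totals


def unkeyed_hash(value: str) -> str:
    """Counter-example: an unkeyed hash of a low-entropy identifier."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:24]


def matches_candidate(hashed: str, candidates) -> Optional[str]:
    """With no separately kept key, whoever holds the dataset can confirm a
    guessed identifier, so the data remains attributable and is not
    pseudonymised in the Art. 4 (5) sense."""
    for c in candidates:
        if unkeyed_hash(c) == hashed:
            return c
    return None


def demo() -> Dict[str, object]:
    vault = Vault()
    dataset = build_dataset(RAW_RECORDS, vault)
    alice = pseudonym("alice@example.org", vault.key)
    return {
        "alice_total": pages_per_subject(dataset)[alice],         # 19
        "reattributed": vault.reattribute(alice),                 # alice@example.org
        "no_identifiers_left": all("@" not in r["email"] and "." not in r["ip"]
                                   for r in dataset),
        "unkeyed_is_guessable": matches_candidate(
            unkeyed_hash("203.0.113.10"), ["203.0.113.9", "203.0.113.10"]),
    }


if __name__ == "__main__":
    print(demo())
```

The split between `build_dataset` and `Vault` is the point of the example: the analytics dataset answers aggregate questions without any direct identifier, while the vault (key plus reverse mapping) is what the text calls additional information that must be kept separately and protected; as Recital 26 notes, the data stays personal data for the controller precisely because that vault exists. The unkeyed-hash counter-example shows why the key is not optional: a plain hash of an IP address or e-mail can be matched against guesses by anyone who holds the dataset.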

While these rules do reduce the risk of data leaks for consumers, they will also result in exceptions to rights consumers previously had without exception[78]. The technique of pseudonymisation will grant exceptions to data subjects’ right of access[79], right to rectification[80], right to erasure (right to be forgotten)[81], right to restriction of processing[82] and right to data portability[83].

[74] Art. 34 (1) and (3) GDPR.
[75] Art. 11 (2) GDPR.
[76] Art. 22 GDPR.
[77] Art. 32 (1) (a) GDPR.
[78] Art. 12 Data Protection Directive.
[79] Art. 15 GDPR.
[80] Art. 16 GDPR.
[81] Art. 17 GDPR.
[82] Art. 18 GDPR.
[83] Art. 20 GDPR.

1.3.2. Safeguards for sensitive personal data and vulnerable groups

1.3.2.1 A broader definition of ‘sensitive personal data’

Articles 9 and 10 GDPR provide additional protection for ‘sensitive personal data’. Large scale processing of sensitive personal data will additionally require controllers to perform a data protection impact assessment to identify any and all potential risks involved with the processing of this data.[84]

Article 9 (1) GDPR prohibits the processing of, firstly, personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and secondly, genetic data and biometric data in order to uniquely identify a person or data concerning health or sex life and sexual orientation. The protection of genetic and biometric data is new compared to the Data Protection Directive. Article 9 (2) GDPR contains exceptions to this principle, such as explicit consent, reasons of substantial public interest and public health. Member states will be able to install additional safeguards for the processing of genetic data, biometric data or health data.

Article 10 GDPR specifies the conditions for the processing of data relating to criminal convictions and offenses.

1.3.2.2 Newly introduced concept of ‘vulnerable groups’

Contrary to the Data Protection Directive, the GDPR also includes additional protection for vulnerable groups such as children. The underlying reason to protect children is explained in Recital 38 GDPR by affirming the fact that children may be less aware of the risks they face. This additional protection is implemented in the following ways:

§ The principle of transparency demands clear and plain language when communicating information to a child;[85]

§ To process data of children under the age of sixteen, parental consent is required. Member states will be able to lower this age to thirteen years old.[86]

[84] Art. 35 (3) (b) GDPR; See also Lee, P. (2015). Getting to know the GDPR, Part 1 - You may be processing more personal information than you think. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2015/getting-to-know-the-gdpr-part-1-you-may-be-processing-more-personal-information-than-you-think [Accessed 4 May 2016].
[85] Recital 58 GDPR.
[86] Art. 8 (1) GDPR.

Setting the age limit at sixteen years has already caused criticism in some member states such as Belgium. In Belgium, the Flemish Office of the Children’s Rights Commissioner stated this limitation is out of touch with reality, as a majority of children already use Facebook at the age of fourteen. Additionally, the Flemish Office of the Children’s Rights Commissioner believes the protection of children through education and privacy awareness campaigns is more effective. The Flemish Office of the Children’s Rights Commissioner has requested the Belgian Privacy Commission to lower the age limit in Belgium to thirteen.

1.3.3. A stricter definition of ‘consent’

The GDPR’s stricter requirements for consent have been the subject of a lot of discussion. “Consent” is one of the most frequently used grounds to justify the processing of personal data.[87] This will probably continue under the GDPR. The reform can therefore have implications on the practice of a lot of companies.[88]

Under the current Data Protection Directive, consent to processing needs to be given unambiguously by the data subject. Even though this is a strict requirement, it still allows for consent[89] to be implied. Only in specific cases, such as the processing of sensitive personal data, explicit consent is required.[90]

Recital 31 of the GDPR states that consent must be freely given, specific, informed, and unambiguous. In the initial proposal the European Commission proposed to establish explicit consent as a new higher standard in the GDPR.[91] This was supported by the European Parliament.[92] The Council, however, preferred to maintain the standard of unambiguous consent, as was required under the Data Protection Directive, even though this offers a lower grade of protection to data subjects.[93] The final version of the GDPR, resulting from the trilogue negotiations, contains a middle ground between these opposite positions. The GDPR, like the Data Protection Directive, requires unambiguous consent, but consent will also require an affirmative action. Recital 31 further explains this through some examples: “ticking a box when visiting an Internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of their personal data”. Consequently, silence, pre-ticked boxes or inactivity cannot constitute consent under the GDPR.

[87] Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.
[88] Dunphy-Moriel, M. and Power, L. (2015). Getting to know the General Data Protection Regulation, Part 3 – If you receive personal data from a third party, you may need to "re-think" your legal justification for processing it. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2015/getting-to-know-the-general-data-protection-regulation-part-3-if-you-receive-personal-data-from-a-third-party-you-may-need-to-re-think-your-legal-justification-for-processing-it [Accessed 4 May 2016].
[89] Art. 7 Data Protection Directive.
[90] Art. 8 (2) (a) Data Protection Directive.
[91] Recital 25 European Commission, Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), 25 January 2012, COM 2012/0011 (COD).
[92] European Parliament, Legislative resolution on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Ordinary legislative procedure: first reading, 12 March 2014, C7-0025/2012 – COM 2012/0011 (COD).

A practice that immediately comes to mind when discussing the issue of online consent is the use of cookies. Under the Data Protection Directive, it sufficed that people implicitly consented to the use of cookies, for example, by not actively objecting to it. Under the GDPR, this will no longer be possible. Every user or visitor of a website will need to provide unambiguous consent through an affirmative action. The notice of the use of cookies will need to become even more prominent.

Aside from the new definition of consent, the GDPR will have three additional consent-related requirements compared to the Data Protection Directive.

Firstly, data subjects will now have the right to withdraw their consent at any time.[94] The withdrawal of consent must be as easy as the giving of consent. Before data subjects give their consent, the data controller must inform them of the right to withdraw consent. When data subjects withdraw their consent, they have the right to have their data erased and no longer processed.

Secondly, if there is a clear imbalance between the data subject and the controller, it will be assumed consent was not given freely.[95] The recital specifies this will be applicable, in particular, when the data controller is a public authority.

Lastly, consent must be specifically obtained for each data processing act. This means a request for consent must be clearly distinguishable from other matters in a written document. Additionally, the request for consent must be presented through an intelligible and easily accessible form, using clear and plain language.[96]

[93] European Council, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) - Preparation of a general approach, 15 June 2015, COM 2012/0011 (COD).
[94] Art. 7 (3) GDPR.
[95] Recital 43 GDPR.

Like the Data Protection Directive[97], the GDPR will require explicit consent for sensitive personal data[98], keeping in mind the concept of sensitive personal data is broader under the GDPR, as it also includes genetic and biometric data[99]. Under the GDPR, the data controller will be required to obtain explicit consent in two additional situations[100]: (i) when making a decision about the data subject based solely on automated processing, including profiling[101], and (ii) when transferring personal data to a country that does not offer an adequate level of protection.[102]
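The consent rules set out in this section (affirmative action rather than silence or pre-ticked boxes, consent that is specific to one purpose, withdrawal as easy as giving, the imbalance presumption for public authorities, and explicit consent for the situations just listed) are the kind of thing a controller ends up encoding in a consent record. The following Python program is an added illustration of such a record, written for this page and not taken from the dissertation or from any of its sources. The purpose names, the set of act names treated as affirmative, and the `ConsentLedger` class are constructed for the demo; they are one possible modelling of the rules described in the text, not a legal reading of them.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Act names are constructed for this demo. Only affirmative acts (compare the
# Recital 31 examples quoted above) count as consent; "pre_ticked_box",
# "silence" or "inactivity" deliberately do not appear here.
AFFIRMATIVE_ACTS = {"checkbox_ticked", "button_clicked",
                    "settings_chosen", "written_statement"}

# Purposes for which the text says explicit (not merely unambiguous) consent
# is required. Purpose names are constructed for this demo.
EXPLICIT_ONLY = {"sensitive_data", "automated_decision", "third_country_transfer"}


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    action: str        # "given" or "withdrawn"
    how: str           # the act that produced the event
    explicit: bool
    at: datetime


def _now() -> datetime:
    return datetime.now(timezone.utc)


class ConsentLedger:
    """Append-only, per-purpose consent record for one data subject."""

    def __init__(self, controller_is_public_authority: bool = False) -> None:
        self.events: List[ConsentEvent] = []
        # Clear imbalance (public authority): consent presumed not freely given.
        self.imbalance = controller_is_public_authority
        self.informed_of_withdrawal = False

    def inform_of_withdrawal_right(self) -> None:
        """Has to happen before consent is requested."""
        self.informed_of_withdrawal = True

    def give(self, purpose: str, how: str, explicit: bool = False,
             at: Optional[datetime] = None) -> bool:
        """Record consent for ONE purpose. Returns False when the signal is
        not valid consent under the rules modelled here."""
        if not self.informed_of_withdrawal or self.imbalance:
            return False
        if how not in AFFIRMATIVE_ACTS:            # pre-ticked box, silence, ...
            return False
        if purpose in EXPLICIT_ONLY and not explicit:
            return False
        self.events.append(ConsentEvent(purpose, "given", how, explicit, at or _now()))
        return True

    def withdraw(self, purpose: str, at: Optional[datetime] = None) -> None:
        """As easy as giving: one call, no preconditions."""
        self.events.append(ConsentEvent(purpose, "withdrawn", "withdrawal",
                                        False, at or _now()))

    def permits(self, purpose: str) -> bool:
        """The latest event for that purpose decides. Consent for one purpose
        never carries over to another (specificity)."""
        for e in reversed(self.events):
            if e.purpose == purpose:
                return e.action == "given"
        return False


def demo() -> Dict[str, bool]:
    ledger = ConsentLedger()
    ledger.inform_of_withdrawal_right()
    authority = ConsentLedger(controller_is_public_authority=True)
    authority.inform_of_withdrawal_right()
    results = {
        "pre_ticked_rejected": not ledger.give("analytics_cookies", "pre_ticked_box"),
        "click_accepted": ledger.give("analytics_cookies", "button_clicked"),
        "not_bundled": not ledger.permits("marketing_email"),
        "profiling_needs_explicit": not ledger.give("automated_decision", "button_clicked"),
        "explicit_ok": ledger.give("automated_decision", "written_statement", explicit=True),
        "authority_presumed_unfree": not authority.give("survey", "button_clicked"),
    }
    ledger.withdraw("analytics_cookies")
    results["withdrawal_stops_processing"] = not ledger.permits("analytics_cookies")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two design points carry the weight here. `permits` consults only the most recent event for the purpose asked about, so consent to analytics cookies says nothing about marketing e-mail, and a withdrawal immediately flips the answer for that one purpose. And because every decision is appended rather than overwritten, the ledger doubles as the evidence a controller would need to show when, how and for what a data subject consented.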

1.3.4. Newly introduced definition for ‘profiling’

The current Data Protection Directive does not contain any definition of ‘profiling’. It only refers, without defining, to ‘automated individual decisions’ and never mentions the term ‘profiling’ explicitly. The GDPR defines profiling as follows:

“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;”[103]

This definition contains three main elements: (i) any form of automated processing, (ii) concerning personal data and (iii) with the purpose of evaluating personal aspects.

The rules set by the Data Protection Directive gave every person the right not to be subjected “to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data”[104]. The Data Protection Directive provided an exception for cases where (i) this automated processing was performed in the course of entering into or performance of a contract, or (ii) the automated processing was authorized by law.[105]

[96] Art. 7 (2) GDPR.
[97] Art. 8 (2) (a) Data Protection Directive.
[98] Art. 9 (2) (a) GDPR.
[99] Art. 9 (1) GDPR.
[100] Maldoff, G. (2016). Top 10 operational impacts of the GDPR: Part 3 – consent. [online] The International Association of Privacy Professionals. Available at: https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-3-consent/ [Accessed 4 May 2016].
[101] Art. 22 (2) (c) GDPR.
[102] Art. 49 (1) (a) GDPR.
[103] Art. 4 (4) GDPR. Editing by author.
[104] Art. 15 Data Protection Directive.

The GDPR’s rules regarding profiling can be found in Article 22 GDPR and are quite similar to the rules in the Data Protection Directive. Article 22 (1) GDPR states that “the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”[106] Article 22 (2) GDPR continues with the exceptions to this rule, including the same two exceptions from the Data Protection Directive, and adding a third exception for cases where the data subject has given explicit consent.

When the use of profiling is justified by a contractual relationship or explicit consent, the GDPR requires the data controller to “implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests”[107]. These measures must at least guarantee the possibility of a human intervention, the right for data subjects to express their point of view, obtain further information about the decision based on the automated processing, and the right to contest this decision.[108]

In addition to these safeguarding measures, data controllers have an obligation to notify data subjects about (i) the existence of automated decision making, including profiling, (ii) the logic involved and (iii) the significance and the envisaged consequences for the data subject.[109] This information is also included in data subjects’ right of access.[110]

With regards to sensitive personal data, profiling is explicitly prohibited by the GDPR, with the exception of cases where the data subject provided explicit consent or cases where profiling is necessary for reasons of public interest.111 Data subjects cannot consent to profiling, implicitly or explicitly, when there is a law stating that the prohibition cannot be lifted by consent.112

105 Art. 15(2)(b) Data Protection Directive. See also Proust, O. (2015). Getting to know the GDPR, Part 5: Your big data analytics and profiling activities may be seriously curtailed. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2015/getting-to-know-the-gdpr-part-5-your-big-data-analytics-and-profiling-activities-may-be-seriously-curtailed [Accessed 4 May 2016].
106 Art. 22(1) GDPR.
107 Art. 22(3) GDPR.
108 Art. 22(3) GDPR.
109 Art. 13(2)(f) GDPR; Art. 14(2)(g) GDPR.
110 Art. 15(1)(h) GDPR.
111 Art. 22(4) j° Art. 9(1) and 9(2)(a) & (g) GDPR.

Although the rules concerning profiling in the GDPR are not vastly different from the rules pertaining to ‘automated individual decision’ in the Data Protection Directive, the new definition of profiling will create a clearer framework for the national Data Protection Authorities113 and courts to work with, as well as give organisations and individuals more legal certainty.

The obligation to notify data subjects, as well as the prohibition of profiling based on sensitive personal data, are extensions of individuals’ rights. Coupled with explicit consent as a new legal basis for profiling, individuals will be more aware and more actively involved in allowing these kinds of activities to take place.

Unfortunately, the GDPR does not clarify the meaning of the terms ‘legal effect’ or ‘significantly affects’ used in Article 22(1) GDPR.114 Privacy professionals reason that activities such as credit monitoring will fall within the concept of profiling, as they could significantly impact your chances of, for example, obtaining financing. Targeted advertising, on the other hand, is seen as not significantly impactful towards individuals, and would, consequently, not be considered as profiling.115 This statement holds true as targeted advertising, as invasive as it may be, does not affect significant aspects of an individual’s daily life. Even though some activities will clearly fall within profiling, others might fall within a grey area, which will need to be filled in by national DPA’s and courts. The lack of definition will most likely lead to different interpretations by DPA’s and national courts across Europe.

1.4. Expanded Scope

In comparison to the Data Protection Directive, the scope of the GDPR will be expanded both materially and territorially. In what follows, we will first discuss the expansion of the material scope, which has been affected by the broader definitions as discussed in Section 1.3, and which will now also include data processors. Afterwards, we will discuss the consequences of the extra-territorial applicability of the GDPR as it focuses on the country of destination.

112 Art. 9(2)(a) GDPR.
113 Hereinafter: DPA.
114 See also Proust, O. (2015). Getting to know the GDPR, Part 5: Your big data analytics and profiling activities may be seriously curtailed. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2015/getting-to-know-the-gdpr-part-5-your-big-data-analytics-and-profiling-activities-may-be-seriously-curtailed [Accessed 4 May 2016].
115 Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.

1.4.1. Material scope: definitions

As discussed under Section 1.3 on definitions, the changes to definitions and the addition of new definitions also affect the material scope of the regulation as defined in Article 2 GDPR. These conclusions will not be reiterated here.

1.4.2. Material scope: GDPR also applies to data processors

The current Data Protection Directive, generally, contains obligations for data controllers and not for processors. This last category is only subjected to obligations imposed on them through contractual relationships with data controllers.116 Data controllers were obliged to choose a processor who would provide sufficient guarantees in respect of the technical security measures and organizational measures, and were solely responsible for failure to comply with the Data Protection Directive.

The definitions of ‘controller’ and ‘processor’ have remained consistent throughout the data protection reform. As privacy lawyer Mark Webber explained: processors are understood to be “organisations that are purely service providers and only deal with data as their customers tell them to.”117 Since the status of ‘processor’ is so advantageous to organisations, a lot of them try to get classified as a processor to escape obligations under the Data Protection Directive. As technology evolved, however, data controllers and processors have become more inextricably linked, which is why the GDPR will be applicable to the processing of data by data controllers and processors118 as they both play a critical role in the protection of data subjects’ data.119

116 Art. 17(3) Data Protection Directive; See also Patrikios, A. (2015). Getting to know the GDPR, Part 2 – Out-of-scope today, in scope in the future. What is caught? [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2015/getting-to-know-the-gdpr-part-2-out-of-scope-today-in-scope-in-the-future-what-is-caught [Accessed 4 May 2016].
117 Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.
118 Recital 13 GDPR. The majority of the obligations will still be focused on data controllers.
119 Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.


1.4.3. Geographical scope: extra-territoriality

The geographical scope of the current Data Protection Directive is restricted to data controllers that have been established within the EU.120 The new GDPR will shift its focus to the country of destination. Like the Data Protection Directive, the GDPR will be applicable to data controllers established inside the EU121, but, as discussed in Section 1.4.2, the GDPR will also be applicable to processors established inside the EU. In addition, the GDPR will be applicable to data controllers and processors that: (i) offer goods and services to EU residents122 and (ii) monitor behaviour of EU residents123. The latter is aimed at the targeted advertising industry.124

The GDPR will be applicable to every data controller and processor in- or outside of the EU that is targeting EU citizens.125 This is a huge step forward for institutions such as the Article 29 Working Party that have been trying to regulate businesses who are active in the EU, but not established in the EU. Previously, they tried to do this via cookies which are placed on someone’s device and therefore indicate a presence in the EU.126 This roundabout way of trying to regulate these companies is not ideal. Under the GDPR, such contrivances will no longer be necessary.127 If companies want to benefit from the European market in the future, they will have to play by EU rules.

To enable supervisory authorities to communicate with companies established outside of the EU, the GDPR obliges them to appoint a representative128 within the EU.129 It is possible companies will be able to forum shop by assigning this representative130 in a country where the supervisory authority has been lenient or tolerant in the past. Whether this will happen remains to be seen.131

The concept of ‘targeting’ EU citizens is not a new one. A similar concept has been used in EU e-commerce rules and has been broadly interpreted. The target language of the site, accepting Euros as a currency and delivering to people in the EU, are all indications that a business targets the EU market.132 The concept in the GDPR will probably reflect that of the e-commerce rules. EU e-commerce rules have taught us, however, that although the rules target and are applicable to companies outside of the EU, enforcing them has proved difficult. This is also something that will need to be addressed in the future. A supervisory authority with limited resources will perhaps not be able to enforce these rules on its own.133

120 Art. 4 Data Protection Directive. See also Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (es), Mario Costeja González [2014] C-131/12 (CJEU), §55-56.
121 Art. 3(1) GDPR.
122 Art. 3(2)(a) GDPR.
123 Art. 3(2)(b) GDPR.
124 Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.
125 Art. 3 GDPR.
126 For more details, see Article 29 Working Party, (2010). Opinion 8/2010 on applicable law. p. 25.
127 Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.
128 Art. 4(17) GDPR.
129 Art. 27 GDPR.
130 Art. 26(3) GDPR.
131 Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.

1.4.4. Overview

Data controllers established within the EU: Their data processing activities were already subjected to the rules of the Data Protection Directive.

Processors established within the EU: Their data processing activities did not fall within the material scope of the Data Protection Directive, but will be subjected to the GDPR’s direct statutory obligations for processors.134

Data controllers & processors established outside of the EU: Their data processing activities did not fall within the scope of the Data Protection Directive. If these organisations collect and process data belonging to EU residents, they will fall within the scope of the GDPR.

132 Art. 6(1)(b) Regulation No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I), O.J. L-177, 4 July 2008, pp. 6–16. See also Ragno, F. (2009). The Law Applicable to Consumer Contracts under the Rome I Regulation. In: F. Ferrari and S. Leible, ed., Rome I Regulation: The Law Applicable to Contractual Obligations in Europe, 1st ed. Munich: sellier. european law publishers, pp. 147-149.
133 Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.
134 Art. 28(3) GDPR.


1.5. Individuals’ rights are strengthened

1.5.1. Existing rights are broadened

Firstly, the GDPR will strengthen the right of access in comparison to the Data Protection Directive. Under the Data Protection Directive, organisations were allowed to charge a small fee.135 Under the GDPR, data subjects must be able to call on their right of access for free136. Only if the request to have access to the data is manifestly unfounded or excessive may the controller charge a reasonable fee or refuse the right of access. The controller will bear the burden of proof with regards to the manifestly unfounded or excessive character of the data subject’s request.137 In practice, the effect of this change might not have a huge impact considering few countries currently allow a fee to be charged.138

Secondly, the GDPR will expand the information data controllers need to provide in order to comply with the data subject’s right to be provided with fair processing information. The Data Protection Directive only set out a minimum of information regarding the processing that needed to be provided. In the future, the data controller will need to provide more detailed information as provided under Article 13(2) GDPR.139 Recital 39 GDPR - again140 - refers to the basic principle of transparency141 and prescribes that the fact that data is being collected, used, consulted or otherwise processed, as well as to which extent the data will be processed, should be communicated to the data subjects. The communication of this information must be transparent, meaning it must be easily accessible and easy to understand, and clear and plain language should be used. The type of information that should be communicated can depend on the context and the purpose of the processing. If the data processing includes profiling, the data subject should be made aware of this practice and its consequences. In addition to the list in Article 13(1) GDPR, Article 13(2) GDPR contains a list of the information that should be communicated to the data subject specifically to ensure fair and transparent processing. The latter includes the existence of the different rights data subjects have, the right to lodge a complaint with a supervisory authority, whether the provision of this data is a contractual requirement and the existence of practices such as profiling. The intention of the lawmakers seems to be to inform data subjects of their rights as thoroughly as possible. It is, however, questionable whether this goal will not be compromised by the sheer amount of information data subjects have to wade through.

135 Art. 12 Data Protection Directive.
136 Art. 12(5) GDPR.
137 Art. 12(5) GDPR.
138 Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.
139 Recital 39 GDPR gives the identity of the controller and the purpose of the processing as examples of information that should be provided.
140 Section 1.3.2.2 of Chapter III on the protection of vulnerable groups.
141 Art. 5(1)(a) GDPR.

Finally, the right to object to the processing of data was given a broader scope. Whereas the right to object to the processing of data was only available in limited circumstances under the Data Protection Directive,142 it will now also be available to data subjects in cases where the processing is based on the legitimate interests of the controller or is undertaken for specific marketing purposes.143 The data subject will no longer need to provide specific justifications to exercise this right.

1.5.2. New rights

The GDPR introduces two new key rights for data subjects: the right to be forgotten (Section 1.5.2.1) and the right to data portability (Section 1.5.2.2).

1.5.2.1 The right to be forgotten

The right to be forgotten is not entirely new; the Data Protection Directive already contained a narrower right to erasure for data which was no longer necessary for the specified purpose.144 The right to be forgotten emerged as a principle through the case law of the CJEU, i.e. the Costeja v. Google case.145 This case gave individuals the right to have their data removed from search engines, such as Google.146

The implementation of the right to be forgotten in the GDPR was highly debated and was the subject of 118 amendments throughout the legislative process.147 Throughout this process, the European Parliament148 proposed a watered down version of the right to be forgotten, going back to calling it the ‘right to erasure’. Additionally, the Council proposed to remove the data controller’s obligation to make sure third parties also erase the data,149 which was proposed by the Parliament.150 In the final version of the GDPR, even the name, which had changed back and forth in previous versions, is a compromise: “Right to erasure (‘right to be forgotten’)”.151 A former Associate General Counsel at Google152 already called the final version of the right to be forgotten ambiguous on key points, going as far as calling it “the gift of lifetime employment” for data protection lawyers.153

142 Art. 14 Data Protection Directive.
143 Art. 21(1)–(3) GDPR.
144 Art. 12 Data Protection Directive.
145 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (es), Mario Costeja González [2014] C-131/12 (CJEU).
146 Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.
147 Lobbyplag. (n.d.). LobbyPlag: Amendments. [online] Available at: http://lobbyplag.eu/map/article/17 [Accessed 9 May 2016].
148 European Parliament, Legislative resolution on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Ordinary legislative procedure: first reading, 12 March 2014, C7-0025/2012 – COM 2012/0011 (COD).

Under the GDPR, this right will no longer be restricted to search engines; it will apply to any controller that stores your data. The Costeja v. Google case already established that search engines are data controllers.154 An important question will be whether intermediaries, such as Facebook or Wikipedia, will be seen as controllers. This will impact situations where, for example, someone requests Facebook or Twitter, which are intermediary hosting platforms, to take down a post from another user about the individual who requests the takedown.155

One of the main arguments against imposing this obligation on intermediaries is that intermediaries do not always control what information is processed. On online social networks, for example, it is the user himself who decides what information or data to upload; the intermediary subsequently only processes this data based on instructions given by the user.156 Recital 18 of the GDPR explains that social networking purely for household activities will not fall within the scope of this regulation. It also states, however, that controllers and processors who provide the means for this activity fall within the scope of the GDPR. This recital, combined with the fact that DPA’s have been strict towards online social networks, such as Facebook, in the past, leads to the conclusion that online social networks will likely need to comply with the obligations regarding the right to be forgotten. When these intermediaries decide whether or not they want to take this risk, they will take into account the high fines imposed on failure to comply. The introduction of these administrative fines will be discussed under Section 1.8 of this chapter.

149 European Council, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) - Preparation of a general approach, 15 June 2015, COM 2012/0011 (COD).
150 See also Van Canneyt, T. and Power, L. (2015). Getting to know the GDPR, Part 4 – "Souped-up" individual rights. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2015/getting-to-know-the-gdpr-part-4-souped-up-individual-rights/ [Accessed 4 May 2016].
151 Art. 17 GDPR.
152 “Daphne Keller is the Director of Intermediary Liability at the Stanford Center for Internet and Society. She was previously Associate General Counsel for Intermediary Liability and Free Speech issues at Google. In that role she focused primarily on legal and policy issues outside the U.S., including the E.U.’s evolving “Right to Be Forgotten.” Her earlier roles at Google included leading the core legal teams for Web Search, Copyright, and Open Source Software.” The Center for Internet and Society. (n.d.). Stanford Law School - Daphne Keller. [online] Available at: http://cyberlaw.stanford.edu/about/people/daphne-keller [Accessed 14 May 2016].
153 Keller, D. (2015). The Final Draft of Europe's "Right to Be Forgotten" Law. [online] Center for Internet and Society. Available at: http://cyberlaw.stanford.edu/blog/2015/12/final-draft-europes-right-be-forgotten-law [Accessed 4 May 2016].
154 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (es), Mario Costeja González [2014] C-131/12 (CJEU), §41.
155 Keller, D. (2015). The Final Draft of Europe's "Right to Be Forgotten" Law. [online] Center for Internet and Society. Available at: http://cyberlaw.stanford.edu/blog/2015/12/final-draft-europes-right-be-forgotten-law [Accessed 4 May 2016].

How organisations should comply with a request regarding the right to be forgotten is not entirely clear yet. The GDPR does not contain a procedure, nor does it contain guidelines on balancing these claims with the freedom of expression or dealing with invalid claims. Some legal scholars suggest the procedure contained in the E-Commerce Directive157 should be applied, as it contains this type of guidelines and would ensure consistent procedures for the removal of data regardless of the legal basis of the request. There is, however, much discussion on whether or not the E-Commerce Directive is even applicable, as the text of the E-Commerce Directive158 and the GDPR159 seem contradictory on the applicability.160

The E-Commerce Directive states that companies do not have to take content offline until they have verified the validity of the claim and weighed it against other interests. The GDPR and its fines might conflict with these instructions. The GDPR does not contain penalties for organisations who remove too much data, but it does contain fines for not removing data in accordance with the right to be forgotten. The fines could potentially promote the removal of data before examining the validity or weighing the removal against other rights and freedoms. It is not desirable for organisations to be encouraged to remove data without thorough examination.

156 Keller, D. (2015). The Final Draft of Europe's "Right to Be Forgotten" Law. [online] Center for Internet and Society. Available at: http://cyberlaw.stanford.edu/blog/2015/12/final-draft-europes-right-be-forgotten-law [Accessed 4 May 2016].
157 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, O.J. L-178, 17 July 2000, pp. 1-16. Hereinafter: E-Commerce Directive.
158 Art. 12 and 15 E-commerce Directive.
159 Sartor, G. (2013). Providers' liabilities and the right to be forgotten. European University Institute, p. 9.
160 Keller, D. (2015). The Final Draft of Europe's "Right to Be Forgotten" Law. [online] Center for Internet and Society. Available at: http://cyberlaw.stanford.edu/blog/2015/12/final-draft-europes-right-be-forgotten-law [Accessed 4 May 2016].


Finally, Recital 66 GDPR and Article 17(2) GDPR require the controller, contacted by the data subject, to contact other controllers who are processing the data subject’s data to inform them about the request. This will often be applicable in cases where controllers subcontracted their processing activities to other companies.

1.5.2.2 Right to data portability

Aside from the right to be forgotten, individuals will have another new right: the right to data portability.161 This gives data subjects the right to retrieve their data from a specific data controller and transfer this data to another data controller. The goal of this new right is to prevent service providers from keeping customers locked in, simply because they have their data.162 Critics, however, have expressed several concerns about this new right to data portability.163

The first criticism concerns the right to data portability’s relation to EU competition and US antitrust law, both of which were created to solve the above-mentioned lock-in problems. These laws require that market dominance is shown in order to avoid targeting small, start-up companies. Critics worry that the obligations imposed by the right to data portability apply, without any distinction, to large companies and small start-up companies. Considering the new software that will be needed and the fact that this software will need to be aligned worldwide, the costs for start-ups might be too big to bear.164

The second criticism, which is the most relevant to this dissertation, is that the right to data portability might actually reduce the quality of data protection that individuals receive, by creating a bigger risk of infringement on a data subject’s right to data security165. This criticism stems from the increasing tension between access to information and the security thereof. The right to data portability allows a person to request a lifetime of personal data. One would rationally assume companies check the identity of the person requesting this information. The GDPR conversely states that the right to data portability must be acknowledged without hindrance, which may encourage companies to not check identities as thoroughly166 in order to avoid fines of “up to 20 000 000 EUR, or in case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher”167.

161 Art. 20 GDPR.
162 Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.
163 Swire, P. and Lagos, Y. (2013). Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique. Maryland Law Review, 72, pp. 336-339.
164 Swire, P. and Lagos, Y. (2013). Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique. Maryland Law Review, 72, pp. 335-380.
165 Art. 32 GDPR.

While this second criticism seems acceptable, the majority of the risks to data security can be dealt with by putting in place the necessary security safeguards. This includes performing thorough identity checks, which is also in line with organisations’ basic duty of care in accordance with the data subject’s right to security.168

1.5.3. Restrictions to rights

Article 23 GDPR contains the limited grounds for restriction of the rights found in Articles 12 to 22 GDPR. The grounds for restriction range from defence and national security, to protection of judicial independence and judicial proceedings and the protection of the data subject or the rights and freedoms of others.

Article 23(2) GDPR specifies that any law that restricts the rights on these grounds must specify certain facts, specifically (i) the purposes of the processing or categories of processing, (ii) the categories of personal data, (iii) the scope of the restrictions introduced, (iv) the safeguards to prevent abuse or unlawful access or transfer, (v) the risks for the rights and freedoms of data subjects and (vi) the right of data subjects to be informed about the restriction, unless this may be prejudicial to the purpose of the restriction.169

1.6. Obligations of data controllers and data processors

1.6.1. Accountability principles

Ever since the European Commission proposed the new GDPR in 2012, the principle of accountability has been at the forefront of the new legislation. The concept of accountability is not a new one. The Organisation for Economic Co-operation and Development170 has been issuing its Guidelines on the Protection of Privacy and Transborder Data Flows, including the principle of accountability, since 1980.171 The latest version was issued in 2013.172

166 Swire, P. and Lagos, Y. (2013). Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique. Maryland Law Review, 72, pp. 335-380.
167 Art. 83(5)(b) GDPR.
168 Art. 32 GDPR.
169 Art. 23(2) GDPR.
170 Hereinafter: OECD.

National lawmakers have also been paying attention to the principle of accountability. The CNIL, the French DPA, for example, published its own accountability standards in 2015.173 The same trend occurs globally in countries such as Canada174 and Australia175. Most of these guidelines are similar to the guidelines set out by the OECD.176 Inside the EU regulatory framework, however, the principle of accountability has never been as important as it is in the new GDPR.

Currently, the Data Protection Directive includes some obligations that fall within the concept of accountability.177 Firstly, there is the processing notice, which requires the provision of specific information about intended processing activities to individuals.178 Secondly, the Data Protection Directive includes the requirement for organisations to notify the national DPA’s of intended processing activities.179 Lastly, the requirement for organisations to have appropriate technical and organisational measures ensuring privacy and security of the personal data they are processing also falls within the accountability principle.180

The principle of accountability will be a core principle in the new GDPR and can be found throughout the entirety of the text. The principle itself is formulated in Article 5(2) GDPR, and consists of two aspects: firstly, the data controller is responsible for compliance, and secondly, the data controller must be able to demonstrate its compliance.

171 Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016; OECD, (2011). Thirty years after the OECD Privacy Guidelines. [online] Available at: http://www.oecd.org/sti/ieconomy/49710223.pdf [Accessed 4 May 2016].
172 OECD, (2013). Privacy Guidelines. Available at: http://www.oecd.org/internet/ieconomy/privacy-guidelines.htm [Accessed 20 April 2016].
173 CNIL, (2015). Un nouveau label CNIL gouvernance Informatique et Libertés. [online] Available at: https://www.cnil.fr/fr/un-nouveau-label-cnil-gouvernance-informatique-et-libertes [Accessed 4 May 2016].
174 Office of the Privacy Commissioner of Canada, (2012). Getting Accountability Right with a Privacy Management Program.
175 Australian Law Reform Commission, (2008). Report 108 Volume 2. pp. 1132-1134.
176 Davidson, B. (2016). Getting to know the General Data Protection Regulation, Part 7 - Accountability Principles = More Paperwork. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-7-accountability-principles-more-paperwork [Accessed 4 May 2016].
177 Davidson, B. (2016). Getting to know the General Data Protection Regulation, Part 7 - Accountability Principles = More Paperwork. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-7-accountability-principles-more-paperwork [Accessed 4 May 2016].
178 Art. 12(a) Data Protection Directive.
179 Art. 18 Data Protection Directive.
180 Art. 17(1) Data Protection Directive.

The obligations surrounding the principle of accountability are set out more clearly in Articles 24 to 31 GDPR. The obligations of organisations will mainly consist of the following four measures: firstly, they will need to ensure they put a documentation system in place (i), secondly, they will need to ensure their systems comply with the regulation (ii), thirdly, they will need to ensure technical compliance (iii) and lastly, they will – in some circumstances – be required to appoint a data protection officer (iv).181

(i) Documentation system

Article 30 GDPR creates a broad obligation for the data controller182 and processor183 to maintain records of its processing activities. Article 30(5) GDPR contains an exception to this obligation for organisations employing less than 250 persons, unless the processing:

• is likely to pose a risk to the rights and freedoms of the data subjects; or
• is not occasional; or
• includes sensitive personal data.184

(ii) Systems compliance: ‘privacy by design’ and ‘privacy by default’

Throughout every product’s development process, from start to finish, organisations will need to take into account privacy concerns.185 This idea, commonly referred to as ‘privacy by design’186, expects organisations to design their products and other activities for compliance. Organisations will need to consider privacy in anything and everything they do.187

181 Davidson, B. (2016). Getting to know the General Data Protection Regulation, Part 7 - Accountability Principles = More Paperwork. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-7-accountability-principles-more-paperwork [Accessed 4 May 2016].
182 Art. 30(1) GDPR.
183 Art. 30(2) GDPR.
184 As defined in Articles 9(1) and 10 GDPR.
185 Davidson, B. (2016). Getting to know the General Data Protection Regulation, Part 7 - Accountability Principles = More Paperwork. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-7-accountability-principles-more-paperwork [Accessed 4 May 2016].
186 Art. 25(1) GDPR.
187 Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.


The current Data Protection Directive does not contain the concept of ‘privacy by design’. It also does not contain any obligation to consider privacy issues from the design stage of a project. As mentioned above, the Data Protection Directive only included the obligation to implement appropriate technical and organisational measures to protect personal data against unlawful processing.188 The GDPR’s inclusion of the privacy by design principle ensures privacy can no longer be an afterthought.189 It will require companies to design compliant policies, procedures and systems at the outset of any development process.190

When implementing the necessary measures, several things should be taken into account:

“Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the controller and the processor shall implement appropriate technical and organisational measures (…)”191

The risk-based approach was added at the initiative of the Council192. Permitting businesses to take these factors into account will provide them with more flexibility. Consequently, this might create difficulties regarding the interpretation in the future.193

In addition to ‘privacy by design’, the GDPR also introduces the concept of ‘privacy by default’.194 This concept is meant to ensure that, when data controllers implement the required appropriate technical and organisational measures, by default, only necessary personal data for each specific purpose of the processing will be processed.195 Article 25 GDPR specifies that this requires organisations to evaluate the amount of data they collect, the extent of the processing, the period of storage and the accessibility. By default, the amount of data should be restricted to what is necessary for the intended purpose and it should not be stored longer than necessary in light of the intended purpose. Article 25 GDPR also specifically states that, without the data subject’s consent, the data should not be available to an indefinite number of people.

188 Mahmood, S. and Power, L. (2016). Getting to know the General Data Protection Regulation, Part 6 – Designing for compliance. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-6-designing-for-compliance/ [Accessed 4 May 2016].
189 Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.
190 Art. 25(1) GDPR. See also Mahmood, S. and Power, L. (2016). Getting to know the General Data Protection Regulation, Part 6 – Designing for compliance. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-6-designing-for-compliance/ [Accessed 4 May 2016].
191 Art. 32(1) GDPR. Editing by author.
192 European Council, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) - Preparation of a general approach, 15 June 2015, COM 2012/0011 (COD).
193 Mahmood, S. and Power, L. (2016). Getting to know the General Data Protection Regulation, Part 6 – Designing for compliance. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-6-designing-for-compliance/ [Accessed 4 May 2016].

The fundamental difference between the Data Protection Directive and the GDPR is that, whereas the Data Protection Directive only required organisations to ensure that excessive personal data was not processed and stored longer than necessary, the GDPR now additionally requires specific technical and organisational measures be put in place to meet these requirements.196 Automated processes for erasure of particular personal data after a specific period can be an example of a measure taken to comply with the regulation regarding the period of storage.
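As an added illustration (not part of the dissertation) of what the ‘privacy by default’ measures just described can look like in code, the following Python store keeps only the fields necessary for each stated purpose, limits read access to a named group unless the data subject has consented to wider visibility, and erases records automatically once their retention period has elapsed. The purposes, roles, retention periods and records are constructed for this example and are not taken from the GDPR or from any real system.

```python
"""Privacy-by-default record store (constructed example, not from the dissertation).

Models the three Article 25(2) GDPR dimensions the text names: the amount of
data kept per purpose, the period of storage, and accessibility by default.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Purpose:
    name: str
    fields: frozenset        # the only fields necessary for this purpose
    retention: timedelta     # how long the data remains necessary
    allowed_roles: frozenset  # default readers; never an "indefinite number"


# Constructed purposes; names, fields and periods are assumptions for the example.
PURPOSES = {
    "order_fulfilment": Purpose("order_fulfilment", frozenset({"name", "address"}),
                                timedelta(days=90), frozenset({"shipping"})),
    "newsletter": Purpose("newsletter", frozenset({"email"}),
                          timedelta(days=365), frozenset({"marketing"})),
}


@dataclass
class Record:
    subject_id: str
    purpose: str
    data: dict
    collected_at: datetime
    public_consent: bool = False  # subject explicitly consented to wider visibility


class PrivacyByDefaultStore:
    def __init__(self, purposes):
        self._purposes = purposes
        self._records = []

    def collect(self, subject_id, purpose_name, submitted, now, public_consent=False):
        """Store only the fields necessary for the purpose; return what was dropped."""
        purpose = self._purposes[purpose_name]
        minimised = {k: v for k, v in submitted.items() if k in purpose.fields}
        dropped = sorted(set(submitted) - purpose.fields)
        self._records.append(Record(subject_id, purpose_name, minimised, now, public_consent))
        return dropped

    def read(self, subject_id, purpose_name, role, now):
        """Release data only to roles allowed for the purpose, unless consent widened access."""
        self.purge_expired(now)  # never serve data that should already be gone
        purpose = self._purposes[purpose_name]
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose_name:
                if role in purpose.allowed_roles or rec.public_consent:
                    return dict(rec.data)
                raise PermissionError(f"role {role!r} not permitted for {purpose_name}")
        return None

    def purge_expired(self, now):
        """Automated erasure: drop records whose retention period has elapsed."""
        keep, erased = [], 0
        for rec in self._records:
            if now - rec.collected_at >= self._purposes[rec.purpose].retention:
                erased += 1
            else:
                keep.append(rec)
        self._records = keep
        return erased

    def count(self):
        return len(self._records)


def demo():
    """Walk through minimisation, default access restriction and scheduled erasure."""
    t0 = datetime(2016, 5, 25, tzinfo=timezone.utc)  # constructed timestamp
    store = PrivacyByDefaultStore(PURPOSES)
    # The web form submits more than the purpose needs; the surplus is never stored.
    dropped = store.collect("s1", "order_fulfilment",
                            {"name": "A. Example", "address": "1 Example St",
                             "email": "a@example.org", "dob": "1990-01-01"}, now=t0)
    store.collect("s1", "newsletter", {"email": "a@example.org"}, now=t0)
    visible = store.read("s1", "order_fulfilment", "shipping", now=t0)
    try:
        store.read("s1", "order_fulfilment", "marketing", now=t0)
        denied = False
    except PermissionError:
        denied = True
    # 91 days later the scheduled job erases the fulfilment record, not the newsletter one.
    erased = store.purge_expired(t0 + timedelta(days=91))
    return {"dropped": dropped, "visible": visible, "denied": denied,
            "erased": erased, "remaining": store.count()}


if __name__ == "__main__":
    print(demo())
```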

(iii) Technical compliance

Technical compliance pertains mainly to the security of data through techniques, such as pseudonymisation and encryption, to ensure the integrity of the organisation’s systems. Organisations should be able to demonstrate the resilience of their systems when confronted with a physical or technical incident, as well as put procedures in place to test systems at various moments in various situations.

As a part of technical compliance, organisations will also need to put procedures in place in case of a data breach. This subject will be discussed in Section 1.6.2 of this chapter.

194 Art. 25(2) GDPR.
195 Mahmood, S. and Power, L. (2016). Getting to know the General Data Protection Regulation, Part 6 – Designing for compliance. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-6-designing-for-compliance/ [Accessed 4 May 2016].
196 Mahmood, S. and Power, L. (2016). Getting to know the General Data Protection Regulation, Part 6 – Designing for compliance. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-6-designing-for-compliance/ [Accessed 4 May 2016].


(iv) Personnel

One of the key requirements for compliance with the accountability principle will be the appointment of a data protection officer197. Section 1.6.3 of this chapter will go into further detail about the different aspects of the appointment of a DPO.

1.6.2. Data breaches must be notified

The GDPR requires organisations that suffer a data breach to report this to the national DPA within 72 hours of becoming aware of the breach.198 In addition, if the breach poses a high risk to data subjects’ rights and freedoms, the organisation also needs to notify the affected data subjects without undue delay.199

The burden of proof for this notification requirement will rest upon the organisation itself. Consequently, it will be crucial for organisations to document this process sufficiently, including full details of the breach, its consequences, and the measures taken to address the breach.200

1.6.3. Appointment of a data protection officer

Under the current Data Protection Directive, there is no provision requiring companies to appoint a DPO. Member states did have the authority to exempt companies who appointed a DPO from the duty to register with the local DPA. Member states were given broad latitude to implement this feature of the Data Protection Directive. As a result, various rules apply across Europe.

The new GDPR will harmonize the appointment of a DPO, making it a mandatory obligation for certain data controllers and processors.201 In what follows we will discuss which companies will need to appoint a DPO as well as the rights and obligations of the DPO.

197 Hereinafter: DPO.
198 Art. 33 GDPR.
199 Art. 34 GDPR.
200 Davidson, B. (2016). Getting to know the General Data Protection Regulation, Part 7 - Accountability Principles = More Paperwork. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-7-accountability-principles-more-paperwork [Accessed 4 May 2016].
201 Privacylawblog.fieldfisher.com. (2016). Getting to know the General Data Protection Regulation - Part 8. [online] Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-8-you-may-need-to-appoint-a-data-protection-officer/ [Accessed 4 May 2016].


1.6.3.1 Which companies must appoint a DPO?

Throughout the legislative process a number of ways were suggested to determine which companies would be required to appoint a DPO. Initially, the European Commission proposed to make the appointment of a DPO mandatory for every company that employs more than 250 people.202 The European Parliament instead proposed to adjust this to every company that processes data of more than 250 people.203 The final version of the GDPR was watered down in the trilogue negotiations, with Article 37 GDPR specifying which data controllers and processors will fall under the obligation. The obligation will apply to all data controllers and processors:

§ that are public authorities processing personal data, with the exception of courts acting in their judicial authority; or

§ whose core activities involve regular and systematic monitoring of data subjects on a large scale; or

§ whose core activities involve the large scale processing of special categories of data as defined in Articles 9 and 10 GDPR.

A missed opportunity seems to be the lack of a definition for ‘core activities’ or ‘large scale’. At first glance the underlying intention was to broadly capture data controllers and processors who deal with so-called ‘big data’.204 While definitions could have had either a restricting effect or an expanding effect, they would certainly have been able to create more legal certainty for data subjects. It remains to be seen how the national DPAs and courts will interpret Article 37 GDPR.

Recital 24 GDPR suggests that the second type of data controllers and processors, namely those whose core activities involve regular and systematic monitoring of data subjects on a large scale, is only intended to capture companies who are engaged in the online behaviour tracking or profiling of data subjects205, and therefore not all big data companies.

202 Art. 35(1)(b) European Commission, Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), 25 January 2012, COM 2012/0011 (COD).
203 European Parliament, Legislative resolution on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Ordinary legislative procedure: first reading, 12 March 2014, C7-0025/2012 – COM 2012/0011 (COD). See also Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.
204 Privacylawblog.fieldfisher.com. (2016). Getting to know the General Data Protection Regulation - Part 8. [online] Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-8-you-may-need-to-appoint-a-data-protection-officer/ [Accessed 4 May 2016].

Likewise, some legal scholars already assume the third type of data controllers and processors will only capture companies whose services are focused on helping other companies address compliance requirements with regards to HIPAA requirements206 or requirements to store patient records for large public sector health authorities.207 They theorize this third category was not meant to apply to all companies processing special categories of data. However, since there is no explicit mention of this in any part of the GDPR, it seems premature to restrict this third category to this very specific set of companies.

Both the second and the third category also require the processing activity to be a core business. This will exclude companies who may be undertaking activities such as profiling and tracking, but not as a part of their core activities. This will be the case for companies who, for example, profile or track their employees.

Member states are given the opportunity to install further requirements regarding the appointment of a DPO. This creates the possibility to impose stricter rules through national law.208

1.6.3.2 What are the rights and obligations of the DPO?

The GDPR does not contain specific requirements for the DPO; it only contains a general requirement that the DPO must have “expert knowledge of data protection law and practices”.209 This should enable him to fulfil the duties set out in Article 39 GDPR:

“The data protection officer shall have at least the following tasks:

(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

(b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

(c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;

(d) to cooperate with the supervisory authority;

(e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.”210

205 Privacylawblog.fieldfisher.com. (2016). Getting to know the General Data Protection Regulation - Part 8. [online] Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-8-you-may-need-to-appoint-a-data-protection-officer/ [Accessed 4 May 2016].
206 HIPAA requirements stem from the US Health Insurance Portability and Accountability Act of 1996. It sets standards for protecting sensitive patient data.
207 Privacylawblog.fieldfisher.com. (2016). Getting to know the General Data Protection Regulation - Part 8. [online] Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-8-you-may-need-to-appoint-a-data-protection-officer/ [Accessed 4 May 2016].
208 Art. 37(4), 38(5) and 39(1)(a-b) GDPR.
209 Art. 37(5) GDPR.

In addition to these duties, the DPO will be subjected to some other obligations. The DPO will be subject to confidentiality and rules regarding conflicts of interest.211

The DPO will also be entitled to certain rights as a consequence of his function. Firstly, he will have the right to have access to sufficient resources to perform his tasks and invest in his ongoing training.212 DPOs must have access to the company’s data processing personnel and operations.213 The GDPR also obliges the DPO to report directly to the highest management level of the company214, warranting the handling of data protection issues up to the board level.215

The DPO could be an employee or a third party. Data protection lawyers are already advising their clients to opt for a third party as a DPO, as an employee as DPO is entitled to special protection against dismissal.216

210 Editing by author.
211 Art. 38(5) and (6) GDPR.
212 Art. 38(2) GDPR.
213 Art. 38(1) GDPR; See also Privacylawblog.fieldfisher.com. (2016). Getting to know the General Data Protection Regulation - Part 8. [online] Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-8-you-may-need-to-appoint-a-data-protection-officer/ [Accessed 4 May 2016].
214 Art. 36(3) GDPR.
215 Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.
216 Phil Lee and Mark Webber, "GDPR 1.0 - Top 10 Things You Need To Know!", 2016.


1.7. International data exports

The current Data Protection Directive contains a bottom line stating businesses are prohibited from transferring personal data to a third country outside of the European Economic Area if that country does not provide adequate data protection.217 The European Commission was given the power to approve particular countries, through adequacy decisions, and thereby confirm these countries provide an adequate level of data protection.218 One of the most important examples in this regard is the Safe Harbour Decision. The Safe Harbour Decision will soon be replaced by the EU – US Privacy Shield, which will be discussed in detail in Section 2 of this chapter.

In addition, businesses can transfer data to a third country which may not provide an adequate level of data protection, as long as they regulate the transfer of data themselves through contractual rules or binding corporate rules.219 These contractual rules are often based on the model clauses approved by the European Commission. Further rules regarding the international transfer of data are different in each member state.

The data protection reform did not introduce any major changes to the data transfer regime under the Data Protection Directive. Data transfers will still be prohibited to countries that do not offer adequate protection.220 The European Commission will still be able to approve particular countries221 and the adequacy decisions issued while the Data Protection Directive was in force will remain valid.222 The GDPR does, however, provide a mechanism for frequent re-evaluation of the data protection in third countries, containing the explicit possibility to repeal, amend or suspend these adequacy decisions.223

In addition, data transfers will exceptionally be allowed based on conditions such as explicit consent and legitimate interest.224 The latter will only be possible if the data transfer is not repetitive and concerns a limited number of data subjects.225

217 Art. 25(1) Data Protection Directive.
218 Art. 25(6) Data Protection Directive; See also Power, L. (2016). Getting to know the GDPR, Part 9 – Data transfer restrictions are here to stay, but so are BCR. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-gdpr-part-9-data-transfer-restrictions-are-here-to-stay-but-so-are-bcr/ [Accessed 4 May 2016].
219 Art. 26(2) Data Protection Directive.
220 Art. 44 GDPR.
221 Art. 45(1) GDPR.
222 Art. 45(9) GDPR.
223 Art. 45(5) GDPR.
224 Art. 49(1) GDPR.
225 Art. 49(1)(h) GDPR.


The GDPR will still allow companies to guarantee adequate protection through use of model clauses or binding corporate rules.226 The model clauses approved by the European Commission under the Data Protection Directive227 will remain valid.228 The GDPR also states that when using these model clauses, no additional authorization from DPAs will be necessary,229 as is the case in some member states now.

1.8. Introduction of administrative fines

While the Data Protection Directive did not contain any mention of administrative fines, the GDPR introduces very high administrative fines for violations of the regulation. The fines can go up to 10 000 000 EUR230 for some violations and up to 20 000 000 EUR231 for others.

These fines might prove to be the best encouragement for companies to take the right to privacy to heart. On the other hand, they might also encourage companies to take steps that infringe on other rights such as the freedom of expression when erasing data, as mentioned under Section 1.5.2.1 of this chapter. It will be crucial to put measures in place ensuring these cases are few and far between.

226 Art. 46(2) GDPR.
227 Art. 26(4) Data Protection Directive.
228 Art. 46(5) GDPR.
229 Art. 46(2) GDPR.
230 Art. 83(4) GDPR.
231 Art. 83(5)-(6) GDPR.


2. Data Transfers to the United States of America: from Safe Harbour to the EU – US Privacy Shield

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”232

- EDWARD SNOWDEN233

2.1. Invalidation of the Safe Harbour Agreement

The Safe Harbour Agreement was an agreement between the EU and the US dating back to 2000. It comprised a system of self-certification set up by the US State Department. Organisations could take part in this system and thus commit themselves to protect European data in accordance with seven principles set out by the Safe Harbour Agreement.234 This agreement was given effect by the European Commission’s adequacy decision: the Safe Harbour Decision.

In October 2015, the CJEU declared the Safe Harbour Decision invalid in the Schrems case.235 This ruling was based partly on revelations from Edward Snowden evidencing mass surveillance on European citizens by the National Security Agency236. The Schrems case237 will be discussed in more detail in Chapter VI. All data transfers to the US based on the certification offered by the Safe Harbour Agreement after this ruling are illegal. A lot of companies’ data transfer practices are compromised by this legal uncertainty, which is why the negotiations for the EU – US Privacy Shield gained momentum.238 The European Commission announced the new agreement in February 2016 stating it could “restore trust in transatlantic data flows since the 2013 surveillance revelations”239.

232 Snowden, E. (2015). Just days left to kill mass surveillance under Section 215 of the Patriot Act. We are Edward Snowden and the ACLU’s Jameel Jaffer. AUA. • /r/IAmA. [online] reddit. Available at: https://www.reddit.com/r/IAmA/comments/36ru89/just_days_left_to_kill_mass_surveillance_under/crglgh2 [Accessed 15 May 2016].
233 “Edward Snowden is a former National Security Agency subcontractor who made headlines in 2013 when he leaked top secret information about NSA surveillance activities.” Biography. (2016). Edward Snowden. [online] Available at: http://www.biography.com/people/edward-snowden-21262897 [Accessed 15 May 2016].
234 Lee, P. (2016). The Privacy Shield – is it any good then?. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/the-privacy-shield-is-it-any-good-then/ [Accessed 4 May 2016].
235 Maximilian Schrems v. Data Protection Commissioner [2016] C-362/14 (CJEU).
236 Hereinafter: NSA.
237 Maximilian Schrems v. Data Protection Commissioner [2016] C-362/14 (CJEU).
238 European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, p. 3.

Before the EU – US Privacy Shield can be applied to data transfers, the European Commission must give effect to the agreement by adopting an adequacy decision. Following the comitology procedure, the European Commission cannot adopt its adequacy decision before obtaining an opinion from the Article 29 Working Party. In its opinion, the Article 29 Working Party has already criticised the new agreement.240 This criticism, as well as the criticisms from other parties, will be discussed under Section 2.3 of this chapter.

2.2. Seven core principles

Like the Safe Harbour Agreement, the EU – US Privacy Shield will work with a self-certification system based on seven principles.241 This time, however, the principles are promised to be more detailed.242 The seven core principles comprised in the EU – US Privacy Shield are: (i) notice, (ii) choice, (iii) accountability for onward transfer, (iv) security, (v) data integrity and purpose limitation, (vi) access and (vii) recourse, enforcement and liability.243 Additionally, the EU – US Privacy Shield contains a number of supplemental principles. These supplemental principles can serve multiple purposes. Firstly, they address special situations such as the handling of sensitive data and journalistic exceptions. Secondly, they contain extra requirements and clarifications to the core principles.244

2.2.1. Notice

The notice principle will be similar to the right to information data subjects receive under EU data protection laws. Organisations will be obligated to provide them information about subjects such as the type of data collected, the purpose of the processing and the existence of the right of access.245

239 European Commission, (2016). Restoring trust in transatlantic data flows through strong safeguards: European Commission presents EU-U.S. Privacy Shield. [online] Available at: http://europa.eu/rapid/press-release_IP-16-433_en.htm [Accessed 6 May 2016].
240 Article 29 Working Party, (2016). Opinion 01/2016 on the EU – US Privacy Shield draft adequacy decision.
241 European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, pp. 4-5.
242 Lee, P. (2016). The Privacy Shield – is it any good then?. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/the-privacy-shield-is-it-any-good-then/ [Accessed 4 May 2016].
243 EU-US Privacy Shield Agreement, Annex II EU-U.S. Privacy Shield Framework Principles Issued By The U.S. Department Of Commerce, pp. 4-7.
244 Lee, P. (2016). The Privacy Shield – is it any good then?. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/the-privacy-shield-is-it-any-good-then/ [Accessed 4 May 2016].

Additionally, organisations will need to make the privacy policy available to the public and provide a link to the US Department of Commerce’s website, which contains more information about data subjects’ rights and the available mechanisms for recourse.246

In the first place, this information must be provided when data subjects are asked to give personal data. If this is not possible, the information may be provided afterwards as soon as possible. The notice must be given in clear and noticeable language.247

2.2.2. Choice

The choice principle offers data subjects the right to opt out at any time if their data will be disclosed to a third party or used for a materially different purpose. In the case of sensitive personal data, organisations will need to obtain affirmative and express consent (opt-in) to use the data for a different purpose or to disclose it to a third party.248

2.2.3. Accountability for onward transfer

This principle entails that the transfer of data to controllers or processors can only take place on the basis of a contract for limited and specified purposes and only if that contract provides an equal level of protection as guaranteed by the seven core principles.249

This principle should be read together with the notice principle and the choice principle, which allow data subjects to opt out, or in the case of sensitive personal data, to opt in for future transfers.250

245 European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, p. 4.
246 European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, p. 4.
247 EU-US Privacy Shield Agreement, Annex II EU-U.S. Privacy Shield Framework Principles Issued By The U.S. Department Of Commerce, pp. 4-5.
248 European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, p. 4; EU-US Privacy Shield Agreement, Annex II EU-U.S. Privacy Shield Framework Principles Issued By The U.S. Department Of Commerce, p. 5.
249 European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, p. 5; EU-US Privacy Shield Agreement, Annex II EU-U.S. Privacy Shield Framework Principles Issued By The U.S. Department Of Commerce, p. 5.


If damage arises, caused by the transfer of data in the chain of processing, the burden of proof will lie with the organisation acting as the processor or controller of the data. The organisation will need to prove they were not responsible for the event that caused the damage. If they cannot provide proof, they will be held responsible as the original data controller or processor of the data.251

2.2.4. Security

The security principle is similar to the requirement to provide security of processing under the GDPR.252 It requires organisations to put in place reasonable and appropriate security measures taking into account the risks involved in the processing and the nature of the data.253

In the case of sub-processing, the EU – US Privacy Shield requires a contract that guarantees the same level of protection as provided by the seven core principles, and ensures the proper implementation.254

2.2.5. Data integrity and purpose limitation

The data integrity and purpose limitation principle is a manifestation of the EU data protection laws which require the collection of personal data to be limited to what is relevant for the specified purpose. A contrario, it prohibits the processing of any personal data contrary to the purpose for which it was initially collected or subsequently authorised by the data subject.255

250 European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, p. 5; EU-US Privacy Shield Agreement, Annex II EU-U.S. Privacy Shield Framework Principles Issued By The U.S. Department Of Commerce, p. 5.
251 European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, p. 5; EU-US Privacy Shield Agreement, Annex II EU-U.S. Privacy Shield Framework Principles Issued By The U.S. Department Of Commerce, pp. 5-6.
252 Art. 32 GDPR.
253 European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, p. 4; EU-US Privacy Shield Agreement, Annex II EU-U.S. Privacy Shield Framework Principles Issued By The U.S. Department Of Commerce, p. 6.
254 European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, pp. 4, 20-21.
255 European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, pp. 4-5.


As long as the organisation retains the information, it is obliged to comply with this principle and take reasonable steps ensuring that the data is: “reliable for its intended use, accurate, complete and current.”256

2.2.6. Access

The access principle is the expression of the right of access provided to data subjects under EU data protection law. Unlike the new GDPR, this principle still allows the organisation to charge a non-excessive fee.257

The restriction of this right is possible only in exceptional circumstances.258 For example, the EU – US Privacy Shield also provides an exception for cases where the rights of other individuals would be violated, or where the right of access would create a burden or expense disproportionate to the individuals’ privacy risk.259 The right of access, however, cannot be refused on the basis of cost when the data subject offers to pay these costs.260 When the right of access is denied, the burden of proof will lie upon the organisation to prove these conditions were fulfilled.261

Along with the right of access, the access principle also gives data subjects the right to correct, amend or delete any information if it is either inaccurate, or has been processed in violation of the seven core principles.262

256 EU-US Privacy Shield Agreement, Annex II EU-U.S. Privacy Shield Framework Principles Issued By The U.S. Department Of Commerce, p. 6.
257 European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, p. 5; EU-US Privacy Shield Agreement, Annex II EU-U.S. Privacy Shield Framework Principles Issued By The U.S. Department Of Commerce, p. 18.
258 European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, p. 5; EU-US Privacy Shield Agreement, Annex II EU-U.S. Privacy Shield Framework Principles Issued By The U.S. Department Of Commerce, p. 17.
259 EU-US Privacy Shield Agreement, Annex II EU-U.S. Privacy Shield Framework Principles Issued By The U.S. Department Of Commerce, p. 16.
260 EU-US Privacy Shield Agreement, Annex II EU-U.S. Privacy Shield Framework Principles Issued By The U.S. Department Of Commerce, p. 18.
261 European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, p. 5.
262 European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, p. 5; EU-US Privacy Shield Agreement, Annex II EU-U.S. Privacy Shield Framework Principles Issued By The U.S. Department Of Commerce, p. 6.

2.2.7. Recourse, enforcement and liability

Once organisations participate in the self-certification system, they are bound by the seven core principles. Their participation must be re-certified annually. To ensure effective privacy protection, a system for ensuring compliance must be put in place.263 This can be achieved in two possible ways. The first possibility is a system of self-assessment, including (i) internal procedures for training on the implementation of privacy policies, and (ii) periodic review in an objective manner. The second possibility consists of outside compliance reviews such as audits or random checks.264

The EU–US Privacy Shield also requires follow-up procedures to ensure that declarations made by organisations about their privacy policies are true and have been implemented as stated. This requirement is of special importance when violations have already been exposed.265

The next step in ensuring effective privacy protection is putting in place a system to offer recourse to affected data subjects when the seven core principles are not respected.266 The EU–US Privacy Shield will require a readily available and independent recourse mechanism. Data subjects' complaints must be resolved expeditiously and free of charge. One possibility offered by the EU–US Privacy Shield to aid in complying with the effective recourse obligations is to cooperate with the national DPAs. In case non-compliance is uncovered, the EU–US Privacy Shield requires rigorous sanctions.267

Additionally, the ombudsperson is a completely new mechanism established in Annex III of the EU–US Privacy Shield. The ombudsperson, who will work independently from the US intelligence services, will deal with complaints from EU citizens when they fear their data has been used unlawfully in the area of national security.268

263 European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, p. 5.
264 European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, p. 5.
265 EU-US Privacy Shield Agreement, Annex II EU-U.S. Privacy Shield Framework Principles Issued By The U.S. Department Of Commerce, pp. 6-7, 14-15.
266 EU-US Privacy Shield Agreement, Annex II EU-U.S. Privacy Shield Framework Principles Issued By The U.S. Department Of Commerce, pp. 21-25.
267 EU-US Privacy Shield Agreement, Annex II EU-U.S. Privacy Shield Framework Principles Issued By The U.S. Department Of Commerce, pp. 6-7, 9-10.
268 European Commission, (2016). EU-U.S. Privacy Shield: Frequently Asked Questions. [online] Available at: http://europa.eu/rapid/press-release_MEMO-16-434_en.htm [Accessed 6 May 2016].

2.3. Criticism

Although the new EU–US Privacy Shield has not even entered into force yet, it has already caused an abundance of criticism. Notable was the criticism of Edward Snowden, whose revelations triggered the invalidation of the Safe Harbour Agreement in the first place. Snowden stated: "it's not a 'Privacy Shield,' it's an accountability shield. Never seen a policy agreement so universally criticized."269 In what follows, the criticisms expressed by the Article 29 Working Party and the national DPAs will be discussed.

2.3.1. Opinion of the Article 29 Working Party

Despite the fact that the Chair of the Article 29 Working Party expressed that the initial reaction to the EU–US Privacy Shield was positive, the Article 29 Working Party addressed several concerns and shortcomings.270 The Article 29 Working Party based its opinion271 on the current Data Protection Directive, Article 8 ECHR and Articles 7, 8 and 45 of the Charter, as well as the Schrems case.272

Firstly, the Article 29 Working Party considers the EU–US Privacy Shield, consisting of a draft adequacy decision and seven annexes, to be too complex and inconsistent. The Article 29 Working Party actually had to have several meetings with US representatives and the European Commission to clarify some aspects of the agreement.273

Secondly, the Article 29 Working Party does not believe the EU–US Privacy Shield offers protection equivalent to the EU data protection rules, as key principles such as data retention274 cannot be found in the new agreement.275 It stated that "the language used in the draft adequacy decision does not oblige organisations to delete data if they are no longer necessary. This is an essential element of EU data protection law to ensure that data is kept for no longer than necessary to achieve the purpose for which the data were collected."276

Additionally, the opinion states that the application of the purpose limitation principle277 is unclear.278

269 Snowden, E. (2016). Edward Snowden on Twitter. [online] Twitter. Available at: https://twitter.com/Snowden/status/694571566990921728 [Accessed 6 May 2016].
270 Cropper, L. (2016). EU-US Privacy Shield: The Article 29 Working Party raises its concerns. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/eu-us-privacy-shield-the-article-29-working-party-raises-its-concerns/ [Accessed 3 May 2016].
271 Article 29 Working Party, (2016). Opinion 01/2016 on the EU–US Privacy Shield draft adequacy decision.
272 Maximilian Schrems v. Data Protection Commissioner [2016] C-362/14 (CJEU).
273 Cropper, L. (2016). EU-US Privacy Shield: The Article 29 Working Party raises its concerns. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/eu-us-privacy-shield-the-article-29-working-party-raises-its-concerns/ [Accessed 3 May 2016].
274 Article 29 Working Party, (2016). Opinion 01/2016 on the EU–US Privacy Shield draft adequacy decision, pp. 3, 17.
275 Cropper, L. (2016). EU-US Privacy Shield: The Article 29 Working Party raises its concerns. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/eu-us-privacy-shield-the-article-29-working-party-raises-its-concerns/ [Accessed 3 May 2016].

Thirdly, the Article 29 Working Party has expressed major concerns about individuals' ability to invoke their rights. The ombudsperson mechanism provided by the EU–US Privacy Shield is said to be too complex and therefore ineffective.279 The Article 29 Working Party suggested the use of national DPAs as a point of contact when compensation is needed by EU data subjects.280

Fourthly, the Article 29 Working Party stated that the EU–US Privacy Shield allows for derogations for national security purposes and does not exclude the continued massive and indiscriminate collection of data.281 The Article 29 Working Party reiterated that massive and indiscriminate collection of data can never be considered lawful by European data protection standards because of the lack of proportionality. Nevertheless, the Article 29 Working Party has stated that jurisprudence282 on the collection of personal data for the purpose of battling crime is inconclusive, and it thus awaits the CJEU's decision on data retention expected in 2016.283

Aside from these concerns, the Article 29 Working Party has also stated that the adequacy decision of the European Commission will need to be reviewed after the GDPR comes into force, to confirm conformity with the higher level of data protection ensured by the GDPR.

Although this opinion is not binding on the European Commission, it carries a lot of weight. The Article 29 Working Party has made specific suggestions to improve the agreement.284 The overall consensus seems to be that the EU–US Privacy Shield still does not ensure adequate protection of EU data subjects' data when transferred to the US.

276 Article 29 Working Party, (2016). Opinion 01/2016 on the EU–US Privacy Shield draft adequacy decision, p. 57.
277 See also Section 2.2.5 of this chapter.
278 Article 29 Working Party, (2016). Opinion 01/2016 on the EU–US Privacy Shield draft adequacy decision, pp. 3, 24-25.
279 Article 29 Working Party, (2016). Opinion 01/2016 on the EU–US Privacy Shield draft adequacy decision, pp. 45-51, 57.
280 Article 29 Working Party, (2016). Opinion 01/2016 on the EU–US Privacy Shield draft adequacy decision, p. 27.
281 Article 29 Working Party, (2016). Opinion 01/2016 on the EU–US Privacy Shield draft adequacy decision, pp. 52-57.
282 Joined cases Tele2 Sverige AB v. Post- och telestyrelsen and Secretary of State for the Home Department v. Davis and Others, C-203/25 and C-698/15 (CJEU).
283 Article 29 Working Party, (2016). Opinion 01/2016 on the EU–US Privacy Shield draft adequacy decision, p. 39.

2.3.2. National DPAs

The British DPA, the ICO, has issued a statement acknowledging that the EU–US Privacy Shield is still unstable, but assuring organisations that it will not use its enforcement powers in the foreseeable future. The Article 29 Working Party confirmed that the use of binding corporate rules and model clauses is still valid, but the ICO urges organisations not to rush their decision about which mechanism to rely upon.285

At the opposite end, the French DPA, the CNIL, and the German DPAs have started to question organisations on the alternative transfer mechanisms they currently rely on while awaiting the new agreement.286

3. Conclusion

While the data reform promised to strengthen individuals' rights, the end result is not as straightforward.

Firstly, the GDPR has certainly expanded individuals' right to erasure by giving it a legal basis, and has created additional protection for children. Additionally, it has created a stricter requirement for consent, but missed the opportunity to take it one step further and require explicit consent. The obligation to appoint a DPO and the addition of principles such as privacy by design, privacy by default and the accountability principle are definite improvements. They are aimed at stimulating organisations to take privacy to heart. The most important motivator for organisations, however, will probably be the threat of administrative fines, which, as discussed, might in turn also have some negative effects.

284 Cropper, L. (2016). EU-US Privacy Shield: The Article 29 Working Party raises its concerns. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/eu-us-privacy-shield-the-article-29-working-party-raises-its-concerns/ [Accessed 3 May 2016]; Article 29 Working Party, (2016). Opinion 01/2016 on the EU–US Privacy Shield draft adequacy decision.
285 Cropper, L. (2016). EU-US Privacy Shield: The Article 29 Working Party raises its concerns. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/eu-us-privacy-shield-the-article-29-working-party-raises-its-concerns/ [Accessed 3 May 2016]; Article 29 Working Party, (2016). Opinion 01/2016 on the EU–US Privacy Shield draft adequacy decision.
286 Cropper, L. (2016). EU-US Privacy Shield: The Article 29 Working Party raises its concerns. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/eu-us-privacy-shield-the-article-29-working-party-raises-its-concerns/ [Accessed 3 May 2016]; Article 29 Working Party, (2016). Opinion 01/2016 on the EU–US Privacy Shield draft adequacy decision.

The conclusion on the GDPR can therefore not be one hundred percent positive or negative. Although it can still be critiqued on a number of issues, there does seem to be a willingness and a tendency to improve individuals' rights regarding their data. The differences between the European Commission's initial proposal and the final GDPR, however, show that the different interests at stake prevent some of the more impactful proposals.

Secondly, the EU–US Privacy Shield is criticised by many as being more of the same compared to the Safe Harbour Agreement. The draft adequacy decision as it is now is still missing some crucial safeguards, as mentioned by the Article 29 Working Party. It is, however, still possible that some of the Article 29 Working Party's suggestions will be taken into account by the European Commission. If the final adequacy decision does not guarantee an adequate level of data protection, it will be contested immediately, which might prompt an entirely new agreement.

In the following chapter, Facebook's Terms of Service and Data Policy287 will be discussed. Based on the analysis of Chapter III, Chapter IV will question how Facebook's practices might conflict with the existing and the future legal framework.

287 Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016].

Chapter IV. Facebook

“Privacy is no longer a social norm.”288

- MARK ZUCKERBERG289

1. Introduction

As of 30 September 2015, Facebook had over 1.5 billion users who logged in monthly. Over one billion of them log in daily.290 Initially, the social network was only available to students at Harvard. Later, this was expanded to anyone over the age of thirteen.291 Since using Facebook is in essence free of charge, the users are the product that Facebook profits from. Every user essentially offers up a piece of their privacy to use Facebook. Facebook uses and sells this data to interested parties to provide services such as targeted marketing.

The terms to which every user agrees are separated into multiple agreements. The three policies of interest for this paper are the Terms of Service, the Data Policy292 and, to a lesser extent, the Cookie Policy.293 Facebook's Terms of Service, as the basis for all other agreements, are roughly 10,000 words long.

A Facebook profile has started to play a significant role in how people communicate. Consequently, users, sometimes unknowingly, sign away a part of their right to privacy in order to enjoy these advantages. Facebook has recognised this issue and has made efforts to translate these terms into basic explanations of some of the most frequently asked questions, but on the other hand it has continuously implemented further-reaching rights to use users' data.

288 Johnson, B. (2010). Privacy no longer a social norm, says Facebook founder. The Guardian. [online] Available at: https://www.theguardian.com/technology/2010/jan/11/facebook-privacy [Accessed 15 May 2016].
289 "Mark Zuckerberg is co-founder and CEO of the social-networking website Facebook, as well as one of the world's youngest billionaires." Biography. (2016). Mark Zuckerberg. [online] Available at: http://www.biography.com/people/mark-zuckerberg-507402 [Accessed 15 May 2016].
290 Facebook Investor Relations. (2015). Facebook Reports Third Quarter 2015 Results - Facebook. [online] Available at: http://investor.fb.com/releasedetail.cfm?ReleaseID=940609 [Accessed 5 May 2016].
291 Clause 4(5) Terms of Service. Age requirements may vary depending on the country.
292 Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016].
293 Facebook. (n.d.). Cookies, Pixels & Similar Technologies. [online] Available at: https://www.facebook.com/help/cookies/update [Accessed 5 May 2016].

2. Practices

2.1. How do users give their consent?

As an online social network, Facebook must justify its processing of personal data on one of the legitimate grounds found in Article 7 of the Data Protection Directive. The type of justification Facebook can use depends on the data it collects. For example, the basic information needed to set up a Facebook profile can be deemed information necessary for the performance of a contract, as listed in Article 7(b) of the Data Protection Directive.294 Another example is information processed to ensure system security, which can be collected on the basis of Article 7(f) of the Data Protection Directive, namely legitimate interest.295 Anything outside of these purposes, however, can only be justified by consent, which, according to the Data Protection Directive,296 needs to be unambiguous.297

As discussed in Chapter III, the definition of consent will change under the GDPR. As Facebook relies quite heavily on consent as a justification for its practices, this will certainly impact it. While the Data Protection Directive still allowed implicit consent, this will no longer be possible under the GDPR. Not actively protesting new Terms of Service or the use of cookies, for example, will no longer constitute consent under the GDPR. Users will need to actively give their consent in order to justify Facebook's processing of their personal data. When it comes to sensitive personal data, explicit consent will be required; this was already the case under the Data Protection Directive and will therefore not have a huge practical impact. Facebook will have to keep in mind that the definition of sensitive personal data will be broader, as it will include genetic and biometric data. It may come into contact with this kind of information through linked health-related applications.

Taking into consideration the fact that obtaining consent will become more difficult, it is worth mentioning that a Belgian report already questions the validity of the consent obtained by Facebook as a justification for processing under the Data Protection Directive.298

294 Van Eecke, P. and Truyens, M. (2010). Privacy and social networks. Computer Law & Security Review, 26(5), pp. 535-546.
295 Van Eecke, P. and Truyens, M. (2010). Privacy and social networks. Computer Law & Security Review, 26(5), pp. 535-546.
296 Art. 7(a) Data Protection Directive.
297 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 12. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].

Like the GDPR, the Data Protection Directive required consent to be freely given, specific, informed and unambiguous.299 The report questions whether the consent obtained by Facebook was given freely, whether it was specific, whether it was informed and whether it was unambiguous.

Firstly, the report questioned whether the consent was given freely. The Article 29 Working Party has stated that freely given consent assumes that the consumer has a real choice and "no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent."300 The report questions whether this is reconcilable with Facebook's dominant market position in addition to its all-or-nothing approach.301 This stance has been confirmed by the Article 29 Working Party, stating that users should be able to use the social network regardless of whether they consent to, for example, behavioural advertising.302 Additionally, the report criticises the fact that the Terms of Service extend this consent to all of Facebook's partner services, stating that Facebook "effectively leverages its strong position as an online social network to legitimise the tracking and profiling of individuals' behaviour across services and devices".303

Secondly, the report questions whether the consent obtained by Facebook is specific, as required under the Data Protection Directive. This means that the data subject must be able to ascertain for which purposes the processing will take place.304 The report argues that Facebook's Data Policy305 is anything but specific, stating vague purposes such as 'promote safety and security' or 'provide, improve and develop services'. By contrast, Facebook makes an effort to inform users of the categories of data that will be shared when linking their Facebook account to an application. The extent of the information that other parties, such as third-party partners or customers, have access to remains unclear, let alone who these other parties are exactly.306

298 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] pp. 8, 13-17. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
299 Art. 4(11) GDPR; Art. 2(h) Data Protection Directive.
300 Article 29 Working Party, (2011). Opinion 15/2011 on the definition of consent, p. 11.
301 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 14. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
302 Article 29 Working Party, (2011). Opinion 15/2011 on the definition of consent, p. 18.
303 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 15. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
304 Article 29 Working Party, (2011). Opinion 15/2011 on the definition of consent, pp. 21-25.

Thirdly, the report questions whether the consent is informed. This conclusion is based primarily on the fact that the average user will never read the Terms of Service or Data Policy, even if they are not insurmountably long. The CJEU has ruled that simply linking to these terms is insufficient with regard to consumer protection.307 Data subjects have the right to be given a minimum amount of information, as required by Article 10 of the Data Protection Directive, including information regarding the purposes of processing and the identity of the people or organisations that will have access to the data, which, as explained above, is vague at best.308

Lastly, the report contends that the consent obtained by Facebook is not unambiguous. Unambiguous consent means there can be no misunderstanding about the fact that the data subject has consented. As Facebook's default settings share data with 'friends of friends', and users need to take active steps to undo this, they have by definition not actively taken any steps to consent to these settings. Even though the Article 29 Working Party questioned this practice, the Data Protection Directive still allows for consent to be implicit. This is not taken into account in the report. Their argument only holds when the processing involves sensitive personal data and explicit consent is required.309

305 Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016].
306 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 15. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
307 Content Services Ltd v. Bundesarbeitskammer [2012] C-49/12 (CJEU), § 50.
308 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 16. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
309 Art. 8(2)(a) Data Protection Directive.

2.2. Location tracking

2.2.1. How does Facebook gather location data?

To its advertisers, Facebook states the following on how it gathers information on the location of its users: "Facebook uses information from multiple sources such as current city from profile, IP address, data from mobile devices if location services are enabled, and aggregated information about the location of friends."310

While the current city mentioned on your profile and the IP address are logical sources of information, data from mobile devices and aggregated information through friends may be surprising to some users. In what follows we will discuss these last two sources.

Firstly, Facebook is able to track its users' location through their smart devices. This is possible by using different sensors such as GPS, Wi-Fi, Bluetooth, etc. If you do not want your device to send this kind of information to the organisations behind the apps you use, it is possible to turn location sharing off on the device itself. This can be done for all apps or for each app individually.311

The Facebook mobile application requests the use of location data for certain location-based services. The user must first allow the application access to the location data of their device in order to use these services. Once this authorisation is given, however, there is no way to restrict it through further preferences or settings.312 Facebook requires the user to make an "all or nothing" choice.

There is one service, however, that Facebook does not enable by default. This service, called "Nearby Friends", allows users to see which friends are nearby and get a notification when someone is nearby.313 This function remains active even when the application is not actively being used. There is, however, no guarantee that Facebook cannot use this information for other purposes. Facebook, for example, sells this knowledge for advertising purposes by allowing advertisers to target specific audiences based on their location.314

310 Facebook. (n.d.). How does Facebook know when people are in the locations I am targeting? - Help Center. [online] Available at: https://www.facebook.com/business/help/133609753380850 [Accessed 19 April 2016]. Editing by author.
311 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 73. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
312 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 73. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].

Secondly, Facebook can gather location information on its users via information gathered through their friends. If a user's friend uploads photos of him, or checks him in, in certain locations, Facebook can use this shared location data.315

Even if a data subject turns off location sharing on his smart device, it is likely that the data subject himself might be sharing location data unintentionally, simply by using Facebook. For example, a photo taken with a smart device often contains metadata, including the location where the photo was taken. When uploading it, the user inadvertently shares this information with Facebook.316
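The photo metadata mentioned above is the EXIF block of a JPEG, whose GPS sub-IFD records the latitude and longitude at capture time. The following Python is an added example written for this page, not code from the dissertation, from the Belgian report or from Facebook: it reads those coordinates the way any upload service could, and shows the privacy-by-default mitigation of removing the block before the file leaves the device. The JPEG it works on is constructed inline (the coordinates and the file are made up for the example and contain no image data); the byte layout follows the EXIF/TIFF specification, and the helper names are this example's own.

```python
"""Read and strip GPS coordinates from JPEG EXIF metadata (added example)."""
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825                        # IFD0 tag pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _dms(value):
    """Decimal degrees -> (deg/1, min/1, millisec/1000) rationals, as EXIF stores them."""
    value = abs(value)
    deg = int(value)
    minutes = int((value - deg) * 60)
    msec = round(((value - deg) * 60 - minutes) * 60 * 1000)
    return [(deg, 1), (minutes, 1), (msec, 1000)]


def build_sample_jpeg(lat, lon):
    """Constructed sample: SOI, one little-endian EXIF APP1 segment with a GPS sub-IFD, EOI."""
    def entry(tag, typ, count, value):
        return struct.pack("<HHI", tag, typ, count) + value

    ifd0_off, gps_off = 8, 8 + 2 + 12 + 4            # TIFF header is 8 bytes, IFD0 has 1 entry
    lat_data_off = gps_off + 2 + 4 * 12 + 4          # rationals are stored after the GPS IFD
    lon_data_off = lat_data_off + 3 * 8
    ifd0 = (struct.pack("<H", 1)
            + entry(GPS_IFD_POINTER, TYPE_LONG, 1, struct.pack("<I", gps_off))
            + struct.pack("<I", 0))                  # no further IFD
    gps = (struct.pack("<H", 4)
           + entry(GPS_LAT_REF, TYPE_ASCII, 2, (b"N" if lat >= 0 else b"S") + b"\x00\x00\x00")
           + entry(GPS_LAT, TYPE_RATIONAL, 3, struct.pack("<I", lat_data_off))
           + entry(GPS_LON_REF, TYPE_ASCII, 2, (b"E" if lon >= 0 else b"W") + b"\x00\x00\x00")
           + entry(GPS_LON, TYPE_RATIONAL, 3, struct.pack("<I", lon_data_off))
           + struct.pack("<I", 0))
    rationals = b"".join(struct.pack("<II", n, d) for n, d in _dms(lat) + _dms(lon))
    tiff = b"II*\x00" + struct.pack("<I", ifd0_off) + ifd0 + gps + rationals
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, start, end) per header segment; SOS is returned with all following data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xD9:                           # EOI
            yield marker, pos, pos + 2
            return
        if marker == 0xDA:                           # SOS: entropy-coded image data follows
            yield marker, pos, len(jpeg)
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for one IFD."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def _rationals(tiff, endian, raw, count):
    """Dereference a RATIONAL array; 8-byte values never fit the 4-byte entry field."""
    (off,) = struct.unpack(endian + "I", raw)
    pairs = (struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(count))
    return [num / den for num, den in pairs]


def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if no GPS tags are present."""
    seg = next(((s, e) for m, s, e in _segments(jpeg) if _is_exif(jpeg, m, s)), None)
    if seg is None:
        return None
    tiff = jpeg[seg[0] + 10:seg[1]]
    endian = "<" if tiff[:2] == b"II" else ">"
    (ifd0_off,) = struct.unpack(endian + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_off, endian)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack(endian + "I", ifd0[GPS_IFD_POINTER][2])
    gps = _read_ifd(tiff, gps_off, endian)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None

    def coordinate(ref_tag, value_tag):
        deg, minutes, sec = _rationals(tiff, endian, gps[value_tag][2], 3)
        decimal = deg + minutes / 60 + sec / 3600
        return -decimal if gps[ref_tag][2][:1] in (b"S", b"W") else decimal

    return coordinate(GPS_LAT_REF, GPS_LAT), coordinate(GPS_LON_REF, GPS_LON)


def strip_exif(jpeg):
    """Copy the JPEG without its EXIF APP1 segment: the image survives, the location does not."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
    return bytes(out)


if __name__ == "__main__":
    photo = build_sample_jpeg(51.05, 3.72)           # constructed coordinates, not a real photo
    print("before upload:", extract_gps(photo))
    print("after stripping:", extract_gps(strip_exif(photo)))
```

Stripping the whole APP1 segment is deliberate: a device or client that drops the block before upload removes the location without having to understand every GPS tag, which is the "parameters turned off by default" posture the Belgian researchers ask for in the next section.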

2.2.2. Applicable legislation

Under the current Data Protection Directive, the collection and use of location data is processing of personal data.317 The Article 29 Working Party has also emphasised the delicate nature of location data,318 even though it does not fall within the definition of sensitive personal data.319

The Article 29 Working Party also states that location data should be deleted after a justified period of time. The location data cannot be retained longer than is necessary for its purpose, and providers of geolocation applications must ensure that it is deleted at the appropriate time.320 In 2013 Facebook's Data Policy stated that "we only keep it until it is no longer useful to provide your services",321 which is in line with the opinion of the Article 29 Working Party. It is interesting to note that, after its revision in 2015, the Facebook Data Policy no longer mentions limiting the retention of location data.

313 Facebook. (n.d.). Nearby Friends | Facebook Help Center | Facebook. [online] Available at: https://www.facebook.com/help/629537553762715/ [Accessed 19 April 2016].
314 Facebook. (n.d.). What option do I have when selecting people within a location. [online] Available at: https://www.facebook.com/business/help/755086584528141 [Accessed 19 April 2016].
315 Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016]; See also Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 74. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
316 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 73. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
317 Article 29 Working Party, (2011). Opinion 13/2011 on Geolocation services on smart mobile devices, p. 20.
318 Article 29 Working Party, (2011). Opinion 13/2011 on Geolocation services on smart mobile devices, p. 19.
319 Art. 9 GDPR.

Belgian researchers concluded by saying that Facebook, to comply with the data protection legislation, should "offer more granular in-app settings for sharing of location data, with all parameters turned off by default."322

The GDPR, containing the privacy by default principle, confirms what these Belgian researchers said in 2015. As discussed under Section 1.6.1 of Chapter III, privacy by default requires that appropriate technical and organisational measures are put in place to ensure that only the personal data necessary for each specific purpose of the processing will be processed.323 This means that the collection of information will need to be looked at separately for each specific purpose. In the future, the storage of location data will require appropriate technical and organisational measures to ensure this data is kept no longer than necessary.

320 Article 29 Working Party, (2011). Opinion 13/2011 on Geolocation services on smart mobile devices, p. 19.
321 Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016]. See also Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 74. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
322 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 75. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
323 Mahmood, S. and Power, L. (2016). Getting to know the General Data Protection Regulation, Part 6 – Designing for compliance. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-6-designing-for-compliance/ [Accessed 4 May 2016].


2.3. Tracking of browsing activity

A group of Belgian researchers was asked by the Belgian Privacy Commission to prepare a technical report324 on Facebook’s tracking practice through social plug-ins325. Tracking is considered to be the “collection of users’ web browsing activities across different websites”326. Their findings sparked a debate, and eventually even led to a court case. The case itself will be discussed under Chapter V. In this section we will look at the practice of tracking through social plug-ins and the conclusions from the technical report.

Facebook can track people through the use of social plug-ins. When visiting a site containing one of these social plug-ins, Facebook places a cookie in the data subject’s browser. The fact that the Like Button is found on 32% of the top 10,000 sites shows that Facebook collects data on an enormous group of people.327 It is not necessary for the data subject to interact with the social plug-in for information to be gathered.328

Facebook’s Data Policy explains they can use the data collected through these social plug-ins to: provide, improve and develop services, communicate with you, show and measure ads and services and promote safety and security.329 Facebook’s Cookie Policy indicates information gathered through cookies can be used for: authentication, security and site integrity, advertising, localisation, site features and services, performance and analytics & research.330

324 Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].
325 Facebook Developers. (n.d.). Social Plugins - Documentation - Facebook for Developers. [online] Available at: https://developers.facebook.com/docs/plugins [Accessed 18 April 2016].
326 Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] p.2. Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].
327 Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] p.2. Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].
328 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook’s Revised Policies and Terms v.1.3. [online] p.90. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
329 Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016]; Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook’s Revised Policies and Terms v.1.3. [online] p.93. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].

2.3.1. Which data subjects are affected?

The report analyses Facebook’s tracking practice on two groups: (i) non-Facebook users, (ii) Facebook users. The latter is divided into current Facebook users and Facebook users who have deactivated their account. The report concluded each abovementioned group was tracked by Facebook at one point or another.

Firstly, the report shows that non-Facebook users who visited a public Facebook page, without ever making an account, are tracked through cookies. These cookies gather information, such as the website visited, the browser used, the language preferences and the operating system.331 The report also showed that Facebook places a cookie on certain non-Facebook pages, allowing them to track people even if they have never visited a Facebook page.332 For example, a Facebook cookie was found on the third-party website mtv.com; users who never visit a Facebook page but do visit mtv.com will therefore also be tracked. One of these cookies has a lifespan of two years, which means Facebook can collect this data as long as the data subject does not manually remove the cookie from his browser.333

Secondly, the report looks at Facebook users, differentiating between those who still have an account and those who have deactivated it. With regard to Facebook users another distinction must be made: whether the user is logged in or not. When a Facebook user remains logged in, eleven cookies are placed on the browser, one of which is used for advertising purposes.334 These cookies are only removed after the browser, not the tab, is closed.335 When a Facebook user is logged in, Facebook, along with the information about the browser, website etc., will also receive the user’s Facebook ID, allowing them to link the activity to a specific user.336 When a Facebook user is logged out, cookies are still placed and data is still collected. Logging out therefore does not stop Facebook from tracking a data subject’s browsing activity.337

330 Facebook. (n.d.). Cookies, Pixels & Similar Technologies. [online] Available at: https://www.facebook.com/help/cookies/update [Accessed 5 May 2016].
331 Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] p.2. Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].
332 Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] p.12. Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].
333 Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] p.6. Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].
334 Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] pp.13, 21. Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].

One would expect that deactivating your account ends this practice. The report, however, shows that deactivating an account does not remove these cookies and does not prevent Facebook from tracking your browsing activity.338 The cookies placed collect the same information as they do with logged out Facebook users.339 Facebook’s Cookie Policy states that the tracking of non-Facebook users is necessary to ensure security.340

2.3.2. Opting out

Facebook responds to criticism by pointing out that users and non-Facebook users have the possibility to ‘opt out’.341 Facebook therefore assumes everyone, by default, has implicitly consented, by not opting out, even if they never accepted Facebook’s Terms of Service.

The report conducted research to see if the opt-out method, as suggested by Facebook, eliminates all cookies. Again, a distinction was made between (i) people who do not have cookies in their browser, i.e. non-Facebook users who have never visited a Facebook page or a third party website containing a Facebook cookie, or logged out Facebook users who cleared their cookies after logging out, and (ii) people with cookies, i.e. everyone else.

335 Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] p.13. Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].
336 Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] p.15. Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].
337 Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] pp.15-17. Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].
338 Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] p.18. Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].
339 Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] p.18. Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].
340 Facebook. (n.d.). Cookies, Pixels & Similar Technologies. [online] Available at: https://www.facebook.com/help/cookies/update [Accessed 5 May 2016]. See also Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook’s Revised Policies and Terms v.1.3. [online] p.98. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
341 Facebook. (n.d.). Control the ads you see - About Advertising on Facebook. [online] Available at: http://facebook.com/about/ads [Accessed 18 April 2016].

People without cookies who used the European opt-out site ended up with an additional cookie to indicate the opt-out. However, after the opt-out procedure Facebook had again placed a cookie with a lifespan of two years in the user’s browser. Both the opt-out cookie and the standard tracking cookie were sent to Facebook when subsequently visiting a website containing a social plug-in. Each visit to a site containing a plug-in can therefore still be linked by Facebook using the standard tracking cookie.342 It is peculiar that this did not happen when opting out through a US or Canadian opt-out site. When opting out through these websites, only the opt-out cookie was placed, with a lifespan of five years.343

People who still have cookies in their browser when opting out are also treated differently. Through the European opt-out site, Facebook again placed the opt-out cookie, but did not remove any of the other cookies it had previously stored in the browser. The researchers confirmed that when subsequently visiting sites containing a Facebook social plug-in, Facebook still received the uniquely identifying cookies after the opt-out. Even after logging out, this practice persists.344 This time, when opting out through US or Canadian sites, the end result is the same; Facebook still tracks data subjects’ browsing activity using social plug-ins.345 In their response, Facebook promised that when a user opts out they would no longer use the collected data for advertising purposes,346 a fact which has not been confirmed independently.

342 Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] p.19. Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].
343 Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] p.21. Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].
344 Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] p.22. Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].
345 Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] p.22. Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].
346 Facebook Newsroom. (2015). Setting the Record Straight on a Belgian Academic Report. [online] Available at: http://newsroom.fb.com/news/h/setting-the-record-straight-on-a-belgian-academic-report/ [Accessed 16 May 2016].


The report concludes that the opt-out method, as suggested by Facebook, does not stop tracking by Facebook. Facebook still collects information on its users regardless of whether they are logged in or not.347
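The method summarised in Sections 2.3.1 and 2.3.2 comes down to observing which cookies a browser sends to a third party while the user visits unrelated sites, how long those cookies live, and whether opting out replaces the identifying cookie or merely adds a marker beside it. The following is an added illustration of that audit; it is not code from this dissertation or from the KU Leuven report. The traffic, the domain tracker.example, the cookie names uid and oo, the dates and the two-label rule for deciding which site a host belongs to are all constructed for the example.

```python
"""Audit constructed browser traffic for cross-site tracking cookies.

Added example; not from the dissertation or the KU Leuven report. It models
the check the report describes: which cookies reach a third party from
different first-party sites, how long they live, and whether an opt-out
cookie replaces the identifying cookie or only sits beside it. All domains,
cookie names and values below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class Cookie:
    domain: str                  # host the cookie is scoped to
    name: str
    value: str
    expires: Optional[datetime]  # None means a session cookie


@dataclass(frozen=True)
class Request:
    page_url: str        # first-party page the user opened
    request_url: str     # sub-resource that page pulled in (e.g. a plug-in)
    cookies: tuple       # Cookie objects the browser attached to the request


def registrable_domain(host: str) -> str:
    """Return the site a host belongs to.

    Assumption: the last two labels are the registrable domain. A real
    audit would consult the Public Suffix List (co.uk and the like).
    """
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_third_party(req: Request) -> bool:
    """True when the sub-resource is served by a different site than the page."""
    page_host = urlparse(req.page_url).hostname or ""
    res_host = urlparse(req.request_url).hostname or ""
    return registrable_domain(page_host) != registrable_domain(res_host)


def audit(requests, now, opt_out_name, long_lived=timedelta(days=365)):
    """Summarise cookie traffic per third-party site.

    For each third party that received cookies, report the first-party sites
    that triggered the requests, cookies outliving `long_lived` (name -> days
    left), whether the opt-out cookie was ever sent, whether an identifying
    cookie accompanied it, and whether the third party saw more than one site
    (the precondition for linking browsing activity across sites).
    """
    findings = {}
    for req in requests:
        if not is_third_party(req) or not req.cookies:
            continue
        third_party = registrable_domain(urlparse(req.request_url).hostname or "")
        f = findings.setdefault(third_party, {
            "sites": set(),
            "long_lived": {},
            "opt_out_seen": False,
            "identifier_sent_with_opt_out": False,
        })
        f["sites"].add(registrable_domain(urlparse(req.page_url).hostname or ""))
        names = {c.name for c in req.cookies}
        if opt_out_name in names:
            f["opt_out_seen"] = True
            if names - {opt_out_name}:
                f["identifier_sent_with_opt_out"] = True
        for c in req.cookies:
            if c.expires is not None and c.expires - now > long_lived:
                f["long_lived"][c.name] = (c.expires - now).days
    for f in findings.values():
        f["cross_site"] = len(f["sites"]) > 1
    return findings


# Constructed sample: two unrelated sites embed a plug-in from tracker.example.
NOW = datetime(2016, 5, 4, tzinfo=timezone.utc)
UID = Cookie("tracker.example", "uid", "c0ffee", NOW + timedelta(days=730))  # 2-year identifier
OPT_OUT = Cookie("tracker.example", "oo", "1", NOW + timedelta(days=1825))   # 5-year opt-out marker
SESSION = Cookie("shop.example", "sess", "s1", None)                         # first-party, session only

SAMPLE_TRAFFIC = (
    # visit before opting out: the plug-in request carries the identifier
    Request("https://news.example/article", "https://plugins.tracker.example/like", (UID,)),
    # visit after opting out: the marker was added, the identifier was not removed
    Request("https://shop.example/cart", "https://plugins.tracker.example/like", (UID, OPT_OUT)),
    # first-party request: same site, ignored by the audit
    Request("https://shop.example/cart", "https://static.shop.example/app.js", (SESSION,)),
)


def sample_findings():
    return audit(SAMPLE_TRAFFIC, NOW, opt_out_name="oo")


if __name__ == "__main__":
    for site, f in sample_findings().items():
        print(site, f)
```

Run against a real capture (exported browser cookies or a HAR file converted into Request records), the same audit surfaces the pattern the report describes: the opt-out marker present while a multi-year identifier is still sent from every site that embeds the plug-in, which is what makes the visits linkable despite the opt-out.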

2.3.3. Alternative ways of avoiding tracking

Data subjects who want to prevent being tracked can enlist other tools that limit tracking through social plug-ins.

A first example is the “Social Share Privacy Tool”, which blocks the social plug-ins from loading until you actually want to use them. This tool is also endorsed by the French DPA, CNIL.348 If a data subject uses Mozilla Firefox as a browser, they have the option of blocking third-party social plug-ins through their settings.349 Additionally, there are several add-ons available to install in your browser to block these social plug-ins that allow Facebook to track data subjects’ browsing activities, such as “Facebook Disconnect”350, “Privacy Badger”351 or “Ghostery”352, as recommended by the Belgian DPA, the Belgian Privacy Commission.353

2.3.4. Applicable legislation

For starters, Facebook, as a data controller, is obliged to comply with its obligations under the current Data Protection Directive.354 Additionally, Article 5(3) E-Privacy Directive requires prior consent for cookies placed via social plug-ins. There are two exceptions to this requirement: (a) when the sole purpose of the storage or access is the transmission of a communication, or (b) when the storage or access is strictly necessary in order to provide an information society service explicitly requested by the user. Exception (b) is of particular importance for an online social network such as Facebook.

347 Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] pp.22-23. Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].
348 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook’s Revised Policies and Terms v.1.3. [online] p.99. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
349 Mozilla Support. (n.d.). Disable third-party cookies in Firefox to stop some types of tracking by advertisers | Firefox Help. [online] Available at: https://support.mozilla.org/en-US/kb/disable-third-party-cookies [Accessed 7 May 2016].
350 Available at https://disconnect.me.
351 Available at https://www.eff.org/privacybadger.
352 Available at https://www.ghostery.com.
353 Belgian Privacycommission.be. (n.d.). Ik ben een internetgebruiker, hoe kan ik mij beschermen tegen tracking door social plug-ins? | Privacycommissie. [online] Available at: https://www.privacycommission.be/nl/ik-ben-een-internetgebruiker-hoe-kan-ik-mij-beschermen-tegen-tracking-door-social-plug-ins [Accessed 18 Apr. 2016].
354 Art. 6(1)(c) Data Protection Directive.

The Article 29 Working Party has clarified the meaning of the latter exception. It stated that exception (b) cannot be used to justify tracking via social plug-ins of non-members. The same applies to users when they are not logged in.355 The Article 29 Working Party stated the following: “Social networks that wish to use cookies for additional purposes (or a longer lifespan) beyond CRITERION B have ample opportunity to inform and gain consent from their members on the social network platform itself.”356

On the impaired functioning of the opt-out mechanism, the Article 29 Working Party stated that an opt-out mechanism cannot be considered an adequate mechanism to obtain informed consent from the average user, especially in relation to behavioural advertising.357

When the GDPR becomes applicable, Facebook will need to rethink this practice. The GDPR recognizes the principles of privacy by design and privacy by default. This means that privacy will need to become a concern throughout every process and should be guaranteed by default. This means, for example, that the amount of data collected should be limited to what is necessary and the period of storage should be limited to what is necessary.358

2.4. Advertising Practices

As a multinational company, Facebook gets most of its profits through advertising.359 The most valuable component of Facebook’s business model is therefore comprised of the number of Facebook users and the amount of information, such as location data, they share. Users may not be paying for the service in the traditional sense, but they are giving up private information in exchange for using Facebook. This practice has created a new, more personal way for advertisers to target their clients. Facebook’s Terms of Service state the following on advertisements and other commercial content served or enhanced by Facebook:

355 Article 29 Working Party, (2012). Opinion 04/2012 on Cookie Consent Exemption. p.9.
356 Article 29 Working Party, (2012). Opinion 04/2012 on Cookie Consent Exemption. p.9.
357 Article 29 Working Party, (2010). Opinion 2/2010 on online behavioural advertising. p.15.
358 Section 1.6.1 of Chapter III.
359 Facebook Investor Relations. (2015). Facebook Reports Third Quarter 2015 Results - Facebook. [online] Available at: http://investor.fb.com/releasedetail.cfm?ReleaseID=940609 [Accessed 5 May 2016].


“Our goal is to deliver advertising and other commercial or sponsored content that is valuable to our users and advertisers. In order to help us do that, you agree to the following:

1. You give us permission to use your name, profile picture, content, and information in connection with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us. This means, for example, that you permit a business or other entity to pay us to display your name and/or profile picture with your content or information, without any compensation to you. If you have selected a specific audience for your content or information, we will respect your choice when we use it.

2. We do not give your content or information to advertisers without your consent.

3. You understand that we may not always identify paid services and communications as such.”360

Facebook uses a method called ‘behavioural advertising’ to target advertisements to specific audiences. Additionally, Facebook uses its users’ friends to advertise products or services through ‘social advertisements’ and ‘sponsored stories’. In what follows each of these methods will be discussed.

2.4.1. Behavioural advertising

By default, Facebook is allowed to use the information it collects to target advertisements to specific audiences.361 It combines the data it collects through Facebook with data collected from third parties or other Facebook services and companies.362

(i) Combination with data from third parties

The first way in which Facebook combines its data with data gathered from third parties is the “custom audience” feature. When advertisers buy advertisements on Facebook they are able to select custom audiences. This allows advertisers to reach their own customers through Facebook.363 In this case Facebook combines its own user information with the information provided by the advertiser (third party) to target advertisements. Advertisers can provide information from their own customer lists, or information on people that visit their website or use their mobile application.364

360 Clause 9 Terms of Service.
361 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook’s Revised Policies and Terms v.1.3. [online] p.38. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
362 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook’s Revised Policies and Terms v.1.3. [online] p.55. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].

A second way in which Facebook combines its data with data collected from third parties is the “lookalike audiences” feature. This allows advertisers who have set up a custom audience to target other Facebook users with a similar profile. Firstly, Facebook analyses the users from the custom audience and looks for common patterns and afterwards, based on these patterns, it looks for similar profiles. This can be based on information such as demographics, location, interests etc.365

After creating a custom audience or a lookalike audience, advertisers can further specify the audience they would like to reach. Advertisers are given several targeting options.366

363 Facebook. (n.d.). What is a custom audience? - Help Center. [online] Available at: https://www.facebook.com/help/341425252616329 [Accessed 5 May 2016].
364 Facebook. (n.d.). What is a custom audience? - Help Center. [online] Available at: https://www.facebook.com/help/341425252616329 [Accessed 5 May 2016].
365 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook’s Revised Policies and Terms v.1.3. [online] pp.63-64. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
366 Facebook. (n.d.). Audience Targeting Options - Help Center. [online] Available at: https://www.facebook.com/help/633474486707199 [Accessed 21 April 2016]. See also Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook’s Revised Policies and Terms v.1.3. [online] pp.61-62. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].


Figure 1. Facebook's basic targeting options367

Firstly, advertisers can target audiences based on location. Advertisers can even specify whether they want to reach people living in a certain location, people who recently visited a certain location or people traveling in a certain location.368 A second option is targeting based on further demographics, including education level, specific schools, fields of study etc.369 A third option is to target audiences based on age and gender.370 A fourth option is to target people based on their interests. Advertisers could for example target their advertisement to people interested in sports. Facebook will look for this interest via things people share on their timelines, apps used, pages liked and other activities on and off Facebook.371 A fifth option is targeting based on preferences, to select audiences based on certain purchase behaviours or travel preferences.372 Finally, Facebook provides the option to target audiences based on connections, which allows advertisers to target people who already have a connection with them or vice versa. Additionally, they can target both groups and friends of people who are connected to the advertiser.373

367 Facebook. (n.d.). Audience Targeting Options - Help Center. [online] Available at: https://www.facebook.com/help/633474486707199 [Accessed 21 April 2016].
368 Facebook. (n.d.). What options do I have when selecting people within a location? - Help Center. [online] Available at: https://www.facebook.com/help/755086584528141 [Accessed 21 April 2016].
369 Facebook. (n.d.). How do I target education levels, specific schools, fields of study or specific graduation years? - Help Center. [online] Available at: https://www.facebook.com/help/227971680551772 [Accessed 21 April 2016].
370 Facebook. (n.d.). Can I target my ad to people based on their age and gender? - Help Center. [online] Available at: https://www.facebook.com/help/813939365351532 [Accessed 21 April 2016].
371 Facebook. (n.d.). What is interests targeting? - Help Center. [online] Available at: https://www.facebook.com/help/188888021162119 [Accessed 21 April 2016].
372 Facebook. (n.d.). What are audience behaviours? - Help Center. [online] Available at: https://www.facebook.com/help/243268465859743 [Accessed 21 April 2016].

(ii) Combination with data from other Facebook services and companies

In 2013, Facebook acquired an ad serving, management and measurement platform called Atlas. Its goal was to provide advertisers with a more complete view of their advertisement campaigns across devices, and to connect online advertising with offline purchase behaviour. This service is meant to provide advertisers with tangible evidence of the positive impact of digital advertising on offline sales.374

To allow advertisers to target audiences across different devices, Atlas will link data subjects to devices. It remains unclear which information will be used to do this.375 Via Atlas, Facebook will bring together information gathered through Facebook itself with information gathered across other Facebook platforms and services, such as Instagram.376

Instinctively one could think behavioural advertising qualifies as profiling. This practice will, however, not fall within the definition of profiling in the GDPR.377 As discussed in Section 1.3.4, privacy lawyers have theorized that targeted advertisements do not have a significant impact on a data subject’s life and therefore do not qualify as profiling.

373 Facebook. (n.d.). What is connections targeting? - Help Center. [online] Available at: https://www.facebook.com/help/186282224754628 [Accessed 21 April 2016].
374 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook’s Revised Policies and Terms v.1.3. [online] pp.65-66. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
375 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook’s Revised Policies and Terms v.1.3. [online] p.66. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
376 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook’s Revised Policies and Terms v.1.3. [online] p.67. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
377 Art. 4(4) GDPR.


2.4.2. Advertisements with social actions

“Your profile picture or name may be paired with an ad to show your activity on Facebook (ex: if you follow the Starbucks Page). Keep in mind that your name and profile picture will only appear to the people who have permission to view your Page likes.”378

Facebook’s Terms of Service allow Facebook to use a user’s name, profile picture, content and information in connection with commercial, sponsored or related content.379 If a user has selected a specific audience for this information through their privacy settings, Facebook is obliged to respect this.

A social advertisement is a regular advertisement that mentions a user’s name and the fact that this user liked a particular brand. Social ads appear in the sidebar (figure 2). A sponsored story on the other hand appears in the users’ news feed (figure 3).

Figure 2. Social Ad380

378 Facebook. (n.d.). Does Facebook use my name or photo in ads? - About Facebook Ads | Facebook Help Center. [online] Available at: https://www.facebook.com/help/769828729705201/ [Accessed 5 April 2016].
379 Clause 9(1) Terms of Service.
380 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook’s Revised Policies and Terms v.1.3. [online] p.38. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].


Figure 3. Sponsored Story381

Through their settings, users can opt out of these ads. As the GDPR will require companies to adhere to the principle of privacy by default,382 the opt-out mechanism can be questioned. To provide the maximum amount of protection of users’ right to privacy, privacy by default requires a system where users actively opt in to these services. This is also in line with the new definition of consent, which requires an affirmative action from the data subject. In cases where sensitive information is processed, users will even have to give explicit consent.

Additionally, privacy by default requires that only the information strictly necessary for each specific purpose is processed. The necessity test applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility in light of the purpose.383 With regard to the purpose of the processing, Facebook only gives vague information to its users about the purpose. We will discuss this issue in the next section.

381 Facebook Ad Settings. (n.d.). Facebook. [online] Available at: https://www.facebook.com/settings?tab=ads [Accessed 14 May 2016].
382 Art. 25(2) GDPR.
383 Art. 25(2) GDPR.


2.4.3. Vague and non-specific Terms of Service and Data Policy

One of the major issues with Facebook’s Terms of Service and Data Policy is that they use non-restrictive language. Both the current Data Protection Directive384 and the future GDPR385 require organisations to inform the data subjects on the purpose of the collection of their data. Facebook’s Data Policy only sets out four main and vague purposes applicable to the sharing and/or combining of all personal data collected. There is no differentiation between specific categories of data.386

Additionally, the Data Policy contains a variety of catch-all provisions allowing Facebook to share and combine all the data it has gathered. When it is unclear whether specific, more protective, provisions are applicable, the user can only fall back on these catch-all terms providing extensive rights to Facebook.387

Moreover, Facebook has determined the categories of parties it can share users’ data with. In doing so, the Terms of Service use a range of terms, which can result in confusion.388 Some of the terms used are: third parties; advertising, measurement or analytics partners; providers of integrated third-party features; partners who globally support our business; service providers; vendors; third-party companies; third-party customers; third-party partners etc. This seems irreconcilable with the GDPR’s provision that requires organisations to use clear and understandable language. The use of several confusing and conflicting terms will therefore conflict with data subjects’ right to be informed.

384 Art. 10 Data Protection Directive.
385 Art. 13(1)(c) GDPR.
386 Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016]; Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook’s Revised Policies and Terms v.1.3. [online] pp.68-69. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
387 Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016]; Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook’s Revised Policies and Terms v.1.3. [online] p.69. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
388 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook’s Revised Policies and Terms v.1.3. [online] p.69. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].


2.5. The licensing of users' content

When signing up to Facebook and agreeing to the Terms of Service, users grant Facebook a license to the content they place online. This content, such as photos and videos, is automatically protected by intellectual property rights.389 While the license is subject to the users' privacy settings, it is formulated incredibly broadly.

Firstly, the license granted to Facebook is non-exclusive, which means users can still use and exploit their own content. Secondly, the license granted to Facebook is worldwide, which means Facebook can use the users' content worldwide. Thirdly, the license can be transferred and sublicensed, which means Facebook can authorize a third party to use its users' content. Fourthly, the license is given royalty free, which means users can never claim any of the profits Facebook makes from using, transferring or sublicensing the content.

This practice, however, is not subject to data protection law but to intellectual property law. The license is subject to the rules of copyright law, which are not harmonized by European law. To know whether or not this license is valid, one must look at the national copyright law.

In Germany, courts have already investigated this license in 2012.390 German law requires that no more rights are granted than necessary for the intended purpose.391 This principle, also known as the "doctrine of intended purpose", determines that the scope of the license needs to be determined in light of the specific purpose of the agreement. The Berlin District Court decided that an automatic, worldwide license granted by simply accepting the Terms of Service was invalid and declared it not enforceable. The Berlin District Court held that: "such a broad transfer contradicts the core idea of the doctrine of intended purpose."392

389 Clause 2 (1) Terms of Service.
390 Landgericht Berlin, Urteil vom 6. März 2012, (16 O 551/10), accessible at http://openjur.de/u/269310.html.
391 Art. 31 (5) Urheberrechtsgesetz vom 9. September 1965 (BGBl. I S. 1273), das durch Artikel 7 des Gesetzes vom 4. April 2016 (BGBl. I S. 558) geändert worden ist (German Copyright Act).
392 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 79. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].


Aside from copyright law, this license has also been called into question under Article 3 of the Unfair Contract Terms Directive.393 Some legal scholars have questioned whether the license does not create a significant imbalance in the parties' rights and obligations.394

Even though this issue might be considered a privacy issue by the average user, we will not go into further detail, as it does not pertain to data protection law and would therefore take us beyond the scope of this dissertation.

3. What rights do users have and are they effective?

The GDPR was meant to strengthen and broaden data subjects' rights. In this section we will discuss the rights insofar as they are relevant for Facebook users and whether they have the ability to exercise these rights effectively.

One major change in the GDPR, which applies to all of the rights we will discuss in this section, is the introduction of fines as discussed in Section 1.8 of Chapter III.395 These fines will give the national DPAs more powers regarding the enforceability of data protection laws.

3.1. Right of access

Both the Data Protection Directive396 and the GDPR397 give data subjects the right to freely exercise their right of access. Facebook has put in place a mechanism for users to download the information Facebook has collected about them.398 The problem with this mechanism is that it only provides users with a fraction of the information actually held by Facebook.399

393 Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts, O.J. L-95, 21 April 1993, pp. 29-34.
394 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 45. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
395 Art. 83 (5) (b) GDPR.
396 Art. 12 Data Protection Directive.
397 Art. 15 GDPR.
398 Facebook. (n.d.). How can I download my information from Facebook? | Facebook Help Center | Facebook. [online] Available at: https://www.facebook.com/help/212802592074644 [Accessed 30 April 2016]; See also Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 106. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].

Austrian activist Maximilian Schrems has addressed this issue and has written an informal manual for Facebook users on how to gain access to the entirety of their data.400 The first recommended step is to send an e-mail to Facebook, which will result in the following standard reply, referring the data subject to the abovementioned mechanism:

"(…) Thank you for contacting us to make a data request. You can access your data on Facebook in several ways. First, you can access your personal data from your account (ex: on your timeline or in your activity log). Second, we provide a tool that allows you to download a copy of your account data. This tool is available from the Account Settings page. (…)"

As this reply does not give data subjects the right of access as provided by the GDPR or the current Data Protection Directive, data subjects are encouraged to file a complaint with the Irish DPA, as this is where Facebook's subsidiary is located.401 At this time, the Irish DPA is no longer processing these complaints. This inactivity is a blatant disregard of Facebook users' right of access. As a result, the final option for Facebook users to exercise their right of access effectively is to file a purely political complaint with the European Commission against the Republic of Ireland for non-enforcement of EU law. As this practice is already non-compliant with the current Data Protection Directive, it will remain illegal under the GDPR.

3.2. Right to be informed

Under the Data Protection Directive, data controllers were obliged to inform data subjects about the identity of the controller and the purpose of the processing.402 Member states were allowed to expand this obligation insofar as it was necessary to guarantee fair processing in a specific situation. This supplemental information could pertain to the recipients or categories of recipients of the data subjects' data, the existence of the right of access, the right to rectification and others.403 Several member states, including Belgium404, have used this option. Facebook's Data Policy is supposed to inform Facebook users as required by the Data Protection Directive.

399 Data Protection Commissioner, (2012). Facebook Ireland Limited – Report of Re-Audit. p. 22.
400 Europe versus facebook. (n.d.). Get Your Data. [online] Available at: http://europe-v-facebook.org/EN/Get_your_Data_/get_your_data_.html [Accessed 14 May 2016].
401 Europe versus facebook. (n.d.). Get Your Data. [online] Available at: http://europe-v-facebook.org/EN/Get_your_Data_/get_your_data_.html [Accessed 14 May 2016].
402 Art. 10 and 11 Data Protection Directive.
403 Art. 10 (c) Data Protection Directive.

Firstly, the Data Policy identifies Facebook's establishment in Ireland, Facebook Ireland Ltd., as the data controller for Facebook users outside of the US or Canada.405

Secondly, the Data Policy also provides a broad overview of the different purposes.406 As discussed in Section 2.4.3, however, this overview is vague and non-specific. It pertains to all data collected by Facebook and therefore does not make it possible to determine the specific purpose for the collection of specific data. The Data Policy is written in a very non-restrictive way, only giving examples of possible processing operations, but not limiting them. This practice has already been criticised in an evaluation of Google's privacy policy: "Google should avoid indistinct language such as "we can"/"we may ...", but rather say "if you use services A and B, we will ..."."407 These phrases are used abundantly in Facebook's Data Policy.408 As the Data Protection Directive specifically requires the purpose of the processing of data to be specific409, the vague and broad descriptions employed by Facebook cannot be considered to be in line with the Data Protection Directive.410

Lastly, as some countries in Europe might require a wider range of information to be provided, we will briefly look at the information provided in regard to (i) the recipients or categories of recipients of data, (ii) the categories of data that are processed and (iii) the data subjects' rights. In Section 2.4.3 the description of recipients of data has already been discussed: Facebook uses a scattering of different terms, resulting in confusing and misleading information. Furthermore, Facebook does not provide a clear overview of all the categories of data it collects.411 Lastly, Facebook's Data Policy does not refer to any of the rights data subjects are entitled to.412

404 Art. 9, §1 Wet van 8 december 1992 tot bescherming van de persoonlijke levenssfeer ten opzichte van de verwerking van persoonsgegevens, BS 13 maart 1993. Hereinafter: Belgian Privacy Act.
405 Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016].
406 Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016].
407 Article 29 Working Party, (2014). Letter to Larry Page. Google Privacy Policy - Appendix. p. 2; See also CNIL, (2012). CNIL Review of Google's New Privacy Policy: Incomplete Information and Uncontrolled Combination of Data across Services. p. 2, and College Bescherming Persoonsgegevens, (2013). Investigation into the Combining of Personal Data by Google - Report of Definitive Findings. Den Haag, pp. 66-68.
408 Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016]; Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 104. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
409 Art. 6 (1) (b) Data Protection Directive; See also Article 29 Working Party, (2013). Opinion 03/2013 on Purpose Limitation. pp. 15 et seq.
410 Article 29 Working Party, (2013). Opinion 03/2013 on Purpose Limitation. p. 16; See also Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 104. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].

As these practices were already questionable under the Data Protection Directive, this will also be the case under the GDPR. The GDPR will now grant a harmonized right to be informed across Europe. Additionally, the principle of transparency in the GDPR requires this information to be easily accessible and easy to understand, and that clear and plain language be used. This conflicts with the confusing way the Data Policy is currently drafted.

3.3. Right to object

Through their privacy settings, Facebook offers users the possibility to object to the processing of their data by determining the audience413. There is, however, no simple way to object to the processing of data for advertisement purposes. Facebook only lets users opt out of social ads, but does not let users opt out of sponsored stories. With regard to advertising based on activities on Facebook, monitored through tracking, Facebook does not provide an opt-out option on its own site, but refers users to an opt-out mechanism. As discussed in Section 2.3.2, research has shown this opt-out mechanism does not actually prevent Facebook from placing a tracking cookie in the user's browser, making it ineffective. Additionally, this mechanism does not provide for an effective right to object, as the process is quite long and needs to be repeated on every device.414

411 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] pp. 104-105. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
412 Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016].
413 The audience can be set to: friends, friends of friends or public.
414 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] pp. 107-108. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].


The GDPR will offer data subjects more grounds to object to the processing of their data, more specifically in the case of direct marketing.415 Additionally, the GDPR will require Facebook to explicitly bring the existence of this right to data subjects' attention at the latest at the time of the first communication with them.416 The communication of this right must be clear and separate from any other information.

3.4. Right to erasure (Right to be forgotten)

Facebook's Data Policy does not explicitly inform Facebook users of their right to erasure.417 It does offer two ways to delete information: (i) delete the information manually through the activity log on the user's profile, or (ii) delete the account.418 The Data Policy also states that when using option (i), information will still be stored "as long as it is necessary to provide products and services to you and others"419. When opting to delete the account, Facebook promises to delete the things posted by the Facebook user, such as photos or status updates. The Data Policy does not, however, mention anything about the erasure of chat logs, location data or behavioural data.420 The Data Policy only mentions that information associated with a Facebook user's account will be kept until the account is deleted. It is unclear what "information associated with the account" includes.421

The Data Policy and the Terms of Service state clearly that only information posted by the Facebook user himself will be deleted.422 The deletion of one's account does not have any consequences for data about the data subject posted by others. While the Data Policy does not contain a referral to the data subjects' right to erasure regarding this type of data, it does offer a tool to request removal for privacy law reasons. This tool, however, only allows the Facebook user to request the removal of pictures. This is in stark contrast with the right to erasure, which applies to any type of personal data.423

415 Art. 21 (2)-(3) GDPR.
416 Art. 21 (4) GDPR.
417 Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016].
418 Section IV Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016].
419 Section IV Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016].
420 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 108. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].
421 Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] p. 109. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016]; See also Data Protection Commissioner, (2012). Facebook Ireland Limited – Report of Re-Audit. p. 42.
422 Clause 2 (2) Terms of Service; Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016].

Article 12 of the Data Protection Directive already contained a right to erasure for data that was no longer necessary for the specified purpose. When the CJEU recognised the right to be forgotten as a principle, this principle needed to be implemented in the GDPR. As discussed in Section 1.5.2.1 of Chapter III, the right to be forgotten will offer a broader spectrum of grounds for individuals to request the erasure of their data. Since this practice was already questioned under the Data Protection Directive, it will remain incompatible with the GDPR.

423 Art. 17 (1) GDPR.


Chapter V. Belgian Privacy Commission v. Facebook

"Facebook is the social network par excellence which almost half of all Belgians are a member of. The way in which these members' and all Internet users' privacy is denied calls for measures. With this recommendation we have taken a first step towards Facebook and all Internet stakeholders who use Facebook, in order to ensure they start working in a privacy-friendly way. It's bend or break."424

- WILLEM DEBEUCKELAERE425

Whether you are a user of Facebook or not, every third-party site containing a "like" or "share" plug-in places a cookie from Facebook in your browser. This cookie allows Facebook to track your browsing activity on every site you visit that carries such a plug-in. As Facebook users implicitly consent to this practice by joining Facebook, this could not be challenged by the Belgian Privacy Commission. The practice, however, of tracking people who do not use and have never used Facebook was challenged in court by the Belgian Privacy Commission.426

In this chapter we will firstly review the facts of the case; afterwards we will look at the claims of both parties and the decision of the Belgian Court of First Instance. Lastly, we will examine whether the data protection reform has addressed the concerns posed by the Belgian Privacy Commission.

1. Facts

Facebook Inc., established in the US, Facebook Ireland Ltd. and Facebook Belgium SPRL were all defendants in this case. Facebook Ireland, incorporated in Ireland, offers Facebook as a service to users in Europe. European Facebook users therefore do not enter into a contract with Facebook Inc. Facebook Belgium SPRL was incorporated in Belgium in 2001 to handle relations with the public administration and lobbying.

424 Belgian Privacy Commission, (2015). On 13 May the Belgian Privacy Commission adopted a first recommendation of principle on Facebook. [online] Available at: https://www.privacycommission.be/en/news/13-may-belgian-privacy-commission-adopted-first-recommendation-principle-facebook [Accessed 15 May 2016].
425 Willem Debeuckelaere is the president of the Belgian Privacy Commission.
426 Belgian Privacy Commission, (2015). The judgment in the Facebook case. [online] Available at: https://www.privacycommission.be/en/news/judgment-facebook-case [Accessed 4 May 2016].


Following the revision of Facebook's Terms of Service in 2015, the Belgian Privacy Commission approached a team of researchers. Their report, published on 31 March 2015, found that Facebook also processes personal data of data subjects who have never had a Facebook account.427 This investigation prompted extensive correspondence between the Belgian Privacy Commission and Facebook. During this time, Facebook stated that Facebook Ireland Ltd. should be considered the data controller regarding European Facebook users. Additionally, Facebook rejected the applicability of Belgian privacy law and, consequently, the competence of the Belgian Privacy Commission. Facebook argued that the only competent DPA in Europe was the Irish DPA. Lastly, Facebook stated that sensitive personal data is not used for targeted advertising.

The Belgian Privacy Commission issued a recommendation relating to the use of social plug-ins and cookies by Facebook.428 The Belgian Privacy Commission stated that Belgian privacy law was applicable to this practice and that it was competent regarding the tracking of the browsing activity of Belgian internet users by Facebook. It also found the practice of tracking, through cookies, the browsing activity of users who do not have a Facebook account to be a violation of Belgian privacy law. The Belgian Privacy Commission subsequently ordered Facebook to refrain from using long-life429 and unique identifier cookies with regard to non-Facebook users.

The Belgian Privacy Commission served notice of default on Facebook Inc. and Facebook Belgium SPRL for violations of the Belgian Privacy Act and Article 129 of the Act of 13 June 2005 on electronic communications. Both parties remained firm in their positions, which resulted in the initiation of summary proceedings before the Dutch-speaking Court of First Instance in Brussels by the President of the Belgian Privacy Commission, Willem Debeuckelaere.

Four major issues were addressed by the Court: (i) the competence of the Belgian courts, (ii) whether or not there was processing of 'personal data', (iii) whether or not there was urgency, and lastly (iv) whether or not the Belgian Privacy Act was violated.

427 For more information about the report: see Section 2.3 of Chapter IV.
428 Belgian Privacy Commission, (2015). On 13 May the Belgian Privacy Commission adopted a first recommendation of principle on Facebook. [online] Available at: https://www.privacycommission.be/en/news/13-may-belgian-privacy-commission-adopted-first-recommendation-principle-facebook [Accessed 15 May 2016].
429 As discussed in Section 2.3.1 of Chapter IV, some cookies have a lifespan of two years.


2. Claims of the parties

2.1. Competence of the Belgian Courts

The defendants argued Facebook Ireland Ltd. is the sole contractual party in regard to European Facebook users and is the only legal entity controlling the personal data of European internet users. The defendants therefore argued that the Belgian courts were not competent, as only the Irish courts have jurisdiction regarding this case.430

This case was a landmark case, as a national court determined it was competent to judge on this issue. This issue had been contested by Facebook for years based on the fact that its main European headquarters is based in Ireland. Belgium's situation was unique in this aspect, as Facebook had a small subsidiary based in Belgium for lobbying activities. Facebook argued this Belgian subsidiary never handled any personal data, and that the handling of personal data happened solely by the company based in Ireland. The Court agreed with the Belgian Privacy Commission, referring to the Costeja v. Google case from 2014.431 In this case the CJEU ruled that if there is a local establishment (in casu Facebook Belgium SPRL) and the activities of this establishment are inextricably linked to the activities of the data controller, the local law is applicable (in casu Belgian law).432 The Court stated the following:

"That Facebook Belgium itself does not process the personal data or that it is said not to conclude contracts with advertisers, is irrelevant. The determining factor for the application of Article 4.1.a) of Directive 95/46/EC is not based on that, but on the finding that the activities of Facebook Belgium are therefore also inextricably linked to the activities of the operator of the social network site."433

This reasoning also applied in this case, as Facebook Belgium SPRL performs lobbying activities in Belgium for the Facebook group and is involved in both marketing activities and the selling of advertisement space, activities inextricably linked to the activity of the data controller.434

430 Belgian Commission For The Protection Of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited, 15/57/C (Dutch-speaking Court of First Instance Brussels 2015), pp. 3-4.
431 Belgian Commission For The Protection Of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited, 15/57/C (Dutch-speaking Court of First Instance Brussels 2015), p. 14.
432 Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González [2014] C-131/12 (CJEU), §52-57.
433 Belgian Commission For The Protection Of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited, 15/57/C (Dutch-speaking Court of First Instance Brussels 2015), p. 16.

2.2. Claims relating to fundamental rights and freedoms are always urgent

In accordance with Belgian law435, there is urgency when "the fear of damage of a certain scope, or of serious inconvenience makes it necessary to take an immediate decision"436. The Belgian Privacy Commission based its argument on the fact that claims related to the protection of basic rights and freedoms are always considered urgent, as they concern the fundamental rights and freedoms of the entire society. The preamble of the Data Protection Directive shows that its aim is the protection of the right to privacy as a fundamental right.437

Additionally, the Belgian Privacy Commission argued that this case concerns millions of people, as the plug-ins and cookies can be found on millions of websites across the internet. For example, Facebook's "Like"-button, one of the most popular plug-ins, can be found on no less than 32% of the 10,000 most visited websites.438 This practice gives Facebook access to sensitive personal data such as information related to health, sexual, religious or political preference.439

As these plug-ins can be found on all types of websites, it is nearly impossible for an internet user not to come into contact with them at one point or another, resulting in the placement of a Facebook tracking cookie.

2.3. This case concerns the "processing" of "personal data"

Facebook argued the collected data could only lead to the identification of a computer, and not an individual data subject.440 Through the tracking cookie Facebook places in data subjects' browsers, it gathers information that uniquely identifies the internet browser of an internet user. Facebook, however, also gathers information, such as an IP address, that can directly or indirectly identify individuals.

434 Belgian Commission For The Protection Of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited, 15/57/C (Dutch-speaking Court of First Instance Brussels 2015), p. 15.
435 Art. 584, §1 Gerechtelijk Wetboek, BS 31 oktober 1967, p. 11360 (Belgian Judicial Code); Court of Cassation, 21 May 1987, Pas. 1987, I, 1160.
436 Belgian Commission For The Protection Of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited, 15/57/C (Dutch-speaking Court of First Instance Brussels 2015), p. 18.
437 Recital 10 Data Protection Directive.
438 Belgian Commission For The Protection Of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited, 15/57/C (Dutch-speaking Court of First Instance Brussels 2015), p. 9.
439 Belgian Commission For The Protection Of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited, 15/57/C (Dutch-speaking Court of First Instance Brussels 2015), p. 19.
440 Belgian Commission For The Protection Of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited, 15/57/C (Dutch-speaking Court of First Instance Brussels 2015), p. 21.

While there was discussion on whether or not the definition of personal data encompasses an IP address, both the CJEU441 and the Article 29 Working Party442 have stated that an IP address should be considered personal data, since it allows users to be identified. Furthermore, Facebook inadvertently confirmed this with its argument that cookies also serve a security purpose in determining who can access Facebook, implying they can identify individuals.443 This argument will be discussed in Section 2.4.1 of this chapter.

As Facebook automatically processed the IP addresses, the Court decided this constituted the processing of personal data subject to the Belgian Privacy Act.

2.4. The Belgian Privacy Act was violated

2.4.1. Violation of Article 4, §1, 1° and 2° Belgian Privacy Act

2.4.1.1 Facebook did not obtain unambiguous, informed consent

The Irish DPA had previously argued that some cookies are not subject to the required unambiguous consent, as they are necessary to provide a service.444 Security cookies belong to this category. Such cookies, however, have to be deleted at the end of every session, which does not happen with the tracking cookie, as it remains in the data subject's browser for a period of two years.445

Facebook argued it obtained consent through the following steps. When visiting a Facebook page for the first time, a non-Facebook user will see a banner alerting them to the use of cookies. At this time no cookie is placed yet. The banner links to an explanation about the use of cookies, but this explanation does not mention the tracking cookie specifically. Only if a user continues to another Facebook page, such as the Terms of Service, will a cookie be placed. Facebook argues that, at this point, the internet user has been informed of the use of cookies and has therefore unambiguously consented by continuing to use Facebook. Similarly, when a non-Facebook user clicks on a Facebook plug-in, such as a Like-button, outside of Facebook, no cookie is placed. When the user, however, clicks cancel, a cookie is placed.446

441 Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM) [2011] C-70/10 (CJEU), §51.
442 Article 29 Working Party, (2007). Opinion 4/2007 on the concept of personal data. pp. 16-17.
443 Belgian Commission For The Protection Of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited, 15/57/C (Dutch-speaking Court of First Instance Brussels 2015), p. 22.
444 Data Protection Commissioner, (n.d.). Guidance Note on Data Protection in the Electronic Communications Sector. p. 3.
445 Belgian Commission For The Protection Of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited, 15/57/C (Dutch-speaking Court of First Instance Brussels 2015), p. 24.

The Belgian Privacy Commission argued that the fact that an internet user visited a Facebook page once cannot be considered as consent to Facebook's Terms of Service.

With regard to Facebook users, the Court concluded it can be assumed they have implicitly, but unambiguously, consented to Facebook's use of cookies. With regard to internet users who have never had a Facebook account, the Court concluded that this practice did not comply with the required unambiguous, informed consent447. In the first case, a user who, for example, goes on to read the Terms of Service is still gathering information. In the second case, an interaction such as clicking cancel indicates the wish of the user not to use the service.448
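As an added example (the editor's code, not part of the dissertation and not code from the Belgian Privacy Commission, the Irish DPA or Facebook), the following Python script makes the distinction drawn in this subsection checkable on captured Set-Cookie headers, and also covers the plug-in cookie described at the start of this chapter: a security cookie bound to the session carries no Expires or Max-Age attribute and disappears when the browser closes, whereas a tracking cookie is persistent (two years in the case discussed), is set in third-party context when a plug-in loads on another site, and carries enough entropy to single out one browser. Hosts, cookie names and values are constructed; the 32-bit and 365-day thresholds are assumptions.

```python
"""Added example (editor's code, not from the dissertation, the Belgian Privacy
Commission, the Irish DPA or Facebook): classify Set-Cookie headers by lifetime
and identifier capacity. Thresholds, hosts, names and values are assumptions."""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

IDENTIFIER_BITS = 32.0   # assumption: enough entropy to single out one browser among billions
LONG_LIFE_DAYS = 365.0   # assumption: the "long-life" cut-off used by this check


@dataclass
class CookieReport:
    name: str
    domain: str
    third_party: bool            # set by a site other than the one being visited
    persistent: bool             # survives closing the browser
    lifetime_days: float | None  # None for a session cookie
    identifier_bits: float

    @property
    def long_life_identifier(self) -> bool:
        """Persistent for a year or more and able to identify a single browser."""
        return (self.persistent and self.lifetime_days >= LONG_LIFE_DAYS
                and self.identifier_bits >= IDENTIFIER_BITS)


def identifier_bits(value: str) -> float:
    """Shannon entropy of the value in bits: per-symbol entropy times length."""
    n = len(value)
    if n == 0:
        return 0.0
    return sum(c / n * math.log2(n / c) for c in Counter(value).values()) * n


def registrable_domain(host: str) -> str:
    """Last two labels of a host; real code would consult the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split one Set-Cookie header into name, value and lower-cased attributes."""
    first, *rest = (p.strip() for p in header.split(";"))
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return name.strip(), value.strip(), attrs


def lifetime_days(attrs: dict[str, str], now: datetime) -> float | None:
    """RFC 6265 lifetime: Max-Age beats Expires; neither means a session cookie (None).
    A zero or negative lifetime is a deletion and is reported as 0.0."""
    if "max-age" in attrs and attrs["max-age"].lstrip("-").isdigit():
        return max(int(attrs["max-age"]), 0) / 86400
    if "expires" not in attrs:
        return None
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (TypeError, ValueError):
        return None  # unparsable Expires: treated as a session cookie
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return max((expires - now).total_seconds(), 0.0) / 86400


def audit(headers: list[str], now: datetime, response_host: str, page_host: str) -> list[CookieReport]:
    """Report each cookie set by response_host while the user is on page_host."""
    page_site = registrable_domain(page_host)
    reports = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        domain = (attrs.get("domain") or response_host).lstrip(".")
        days = lifetime_days(attrs, now)
        reports.append(CookieReport(
            name=name, domain=domain,
            third_party=registrable_domain(domain) != page_site,
            persistent=days is not None and days > 0,
            lifetime_days=days, identifier_bits=identifier_bits(value)))
    return reports


def flagged_names(reports: list[CookieReport]) -> list[str]:
    """Third-party, long-life identifier cookies: the kind a non-user never consented to."""
    return [r.name for r in reports if r.third_party and r.long_life_identifier]


# Constructed sample: a plug-in served from a made-up social network's host while
# the user reads a made-up news site. Cookie names and values are invented.
NOW = datetime(2016, 5, 1, tzinfo=timezone.utc)
PAGE_HOST = "news.example"
PLUGIN_HOST = "plugins.social.example"
SAMPLE_HEADERS = [
    # session-bound security cookie: no Expires/Max-Age, gone when the browser closes
    "sess=1; Domain=.social.example; Path=/; Secure; HttpOnly",
    # two-year, high-entropy cookie in third-party context: the tracking shape at issue
    "uid=a1b2c3d4e5f6a1b2c3d4e5f6; Domain=.social.example; Max-Age=63072000; Path=/",
    # the same lifetime expressed as Expires instead of Max-Age
    "uid2=f6e5d4c3b2a1f6e5d4c3b2a1; Domain=.social.example; Expires=Tue, 01 May 2018 00:00:00 GMT",
    # an opt-out flag: persistent, but it carries no identifier
    "optout=optout; Domain=.social.example; Max-Age=63072000; Path=/",
    # a deletion: Max-Age=0 removes the cookie rather than persisting it
    "old=abcdef0123456789; Domain=.social.example; Max-Age=0",
]

if __name__ == "__main__":
    print(flagged_names(audit(SAMPLE_HEADERS, NOW, PLUGIN_HOST, PAGE_HOST)))  # ['uid', 'uid2']
```

Run stand-alone, it prints the names of the cookies that fail the check. The opt-out sample shows why an opt-out flag alone proves nothing: it is itself a persistent cookie, and the audit still reports the identifier cookies set beside it. A real audit would read the headers from a proxy capture of the plug-in requests and replace registrable_domain with a Public Suffix List lookup.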

2.4.1.2 No other grounds for processing were applicable

The Court concluded that Facebook could not rely on consent and that the processing of data subjects’ personal data therefore seemingly violated Article 4, §1, 1° and 2° of the Belgian Privacy Act. To conclude a violation, however, the Court first had to investigate whether any other grounds for processing449 could be invoked.

Firstly, as mentioned in Section 2.3 of this chapter, Facebook tried to argue that these cookies play a crucial role in securing the personal data of their users, as required by the Belgian Privacy Act.450 The Court rejected this argument, stating that: “This would create a completely absurd situation in which Facebook users have to grant explicit consent to the processing of their personal data, and non-users of Facebook – without having granted any consent – would have to tolerate that their personal data are also processed to secure the personal data of others. This is obviously impossible: every data subject must be able to consent to the processing of his personal data himself.”451 Moreover, the Court even called the processing of personal data of non-Facebook users entirely excessive, excluding the possibility that the processing was appropriate and therefore legitimate under the Belgian Privacy Act.452

446 Belgian Commission for the Protection of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited 15/57/C (Dutch-speaking Court of First Instance Brussels 2015), p. 24.
447 Art. 5(a) Belgian Privacy Act.
448 Belgian Commission for the Protection of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited 15/57/C (Dutch-speaking Court of First Instance Brussels 2015), p. 24.
449 Art. 5 Belgian Privacy Act.
450 Art. 16, §4 Belgian Privacy Act.

Secondly, the Court rejected the argument that these cookies safeguarded a vital interest of non-Facebook users.453

Thirdly, the Court rejected the possibility of legitimising the processing based on an instruction to perform the processing in the public interest or in the exercise of official authority.454 The Court deemed it unpersuasive that the processing of personal data of non-Facebook users was necessary to secure Facebook services, stating that: “the defendants do not make it plausible that an attack of the Facebook platform would be possible through plug-ins which are not actually used by users who access a page outside the Facebook domain”.455

Finally, the Court examined the final ground, which allows processing when it is necessary to promote the legitimate interests of the controller or the third party to whom the data is disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject claiming protection under the Belgian Privacy Act.456 The Court applied the necessity test. Firstly, criminals can easily circumvent the use of cookies through specific software, so a cookie that any visitor can delete or block cannot serve as a reliable security control. The processing as executed by Facebook, therefore, cannot effectively play a vital role in the security of Facebook services. Secondly, the method used has an enormous impact on non-Facebook users’ fundamental right to privacy. Thirdly, Facebook had other, less invasive, security options to achieve the same results.

In conclusion, the Court held that no other grounds legitimised Facebook’s practice of tracking non-Facebook users.

451 Belgian Commission for the Protection of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited 15/57/C (Dutch-speaking Court of First Instance Brussels 2015), p. 27.
452 Art. 16, §4 Belgian Privacy Act; Belgian Commission for the Protection of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited 15/57/C (Dutch-speaking Court of First Instance Brussels 2015), p. 27.
453 Art. 5(d) Belgian Privacy Act.
454 Art. 5(e) Belgian Privacy Act.
455 Belgian Commission for the Protection of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited 15/57/C (Dutch-speaking Court of First Instance Brussels 2015), p. 28.
456 Art. 5(f) Belgian Privacy Act.

2.4.2. Violation of Article 4, §1, 2° and 3° Belgian Privacy Act

Facebook is one of the biggest online social networks and has a powerful position in the digital landscape, impacting millions of internet users. This position creates an imbalance in its relations with individuals.

When weighing Facebook’s interests against those of non-Facebook users, it is clear that Facebook uses its position of power to disproportionately infringe on non-Facebook users’ rights. This disproportion constitutes an additional violation of Article 4, §1, 2° and 3° Belgian Privacy Act, considering the scale of the personal data collected by Facebook and the indicated purpose.

2.5. Outcome

The Court ordered the defendants: “in respect of every Internet user on Belgian territory who has not registered as a member of the online social network of Facebook, to cease:

§ placing a [tracking] (…) cookie when they land on a web page of the facebook.com domain without providing them with prior sufficient and adequate information about the fact that Facebook places the [tracking] (…) cookie with them and about the way Facebook uses that [tracking] (…) cookie through social plug-ins;

§ collecting the [tracking] (…) cookie through social plug-ins placed on third-party websites.”457

In addition to the costs of the proceedings, Facebook was sentenced to pay a sum of 250 000 EUR per started period of 24 hours in which the order for cessation was not complied with. The Court stated this amount was adequate in light of Facebook’s financial results.458

The implications of this judgment for the future are not entirely clear yet. Facebook has declared it will appeal this decision and has shut down all public Facebook sites for non-Facebook users. It is without doubt that this will pose problems for restaurants and businesses who refer to their public Facebook page as their website.459 It does not seem likely that Facebook will comply without a fight.

457 Belgian Commission for the Protection of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited 15/57/C (Dutch-speaking Court of First Instance Brussels 2015), p. 32.
458 Belgian Commission for the Protection of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited 15/57/C (Dutch-speaking Court of First Instance Brussels 2015), pp. 31-32.

Since then, it has been confirmed that Facebook has appealed the case. A hearing has been scheduled for 11 May 2016. This appeal does not suspend the enforcement of the judgment of the Belgian Court of First Instance.

Following the Belgian Privacy Commission’s example, several other DPAs, among others the French DPA, the Dutch DPA, the Spanish DPA and several German DPAs460, have started investigations into Facebook’s practices.461

3. Are the concerns addressed by the data protection reform?

As the Belgian Court of First Instance already declared a violation, the Data Protection Directive evidently provided sufficient rules to contest Facebook’s tracking practice. The GDPR, however, will build on the Data Protection Directive by expanding the territorial scope, setting stricter requirements for consent and offering DPAs more powers regarding enforceability.

Firstly, Facebook will no longer be able to contest the fact that Belgian courts are competent to handle cases regarding Belgian Facebook users and non-Facebook users. This is due to the GDPR’s scope, which includes an extra-territorial facet. Whether or not Facebook has a subsidiary in a member state will no longer be relevant, as both Facebook Inc., established in the United States of America, and Facebook Ireland Ltd., established in Ireland, target EU internet users. This will be the basis for the competence of the national courts and DPAs in every EU member state.

459 Drozdiak, N. (2015). Belgian Privacy Watchdog Hails Facebook Court Ruling. Wall Street Journal. [online] Available at: http://www.wsj.com/articles/belgian-privacy-watchdog-hails-facebook-court-ruling-1447162169 [Accessed 4 May 2016].
460 Because of Germany’s state structure, there are multiple data protection authorities.
461 Bracy, J. (2016). CNIL gives Facebook three months to comply with privacy order. [online] International Association of Privacy Professionals. Available at: https://iapp.org/news/a/cnil-gives-facebook-three-months-to-comply-with-privacy-order/ [Accessed 10 May 2016]; Meyer, D. (2016). Facebook Hit With German Antitrust Investigation Over User Terms. Fortune. [online] Available at: http://fortune.com/2016/03/02/facebook-germany-antitrust/ [Accessed 14 May 2016]; Fioretti, J. (2016). French data privacy regulator cracks down on Facebook. Reuters. [online] Available at: http://www.reuters.com/article/us-facebook-france-privacy-idUSKCN0VH1U1 [Accessed 14 May 2016].

Secondly, the GDPR contains a stricter definition of consent. Consent will no longer be a justification for processing when it is implicit. Instead, internet users will need to take affirmative action in order to consent to Facebook’s tracking policies. Consequently, the ineffective opt-out mechanism suggested by Facebook will no longer be acceptable. Users will have to opt in to these practices. This is additionally confirmed by the GDPR’s principle of privacy by default.

Thirdly, and perhaps most importantly, the DPAs will be equipped with more powers to enforce the new data protection rules. DPAs will be able to impose noticeable fines. It is possible these fines will prove to be the most powerful motivator for organisations to comply with the GDPR.


Chapter VI. Maximilian Schrems v. Data Protection Commissioner

“The question is, do we have a fundamental right to data protection in Europe, do we have a private sphere in Europe, and do we enforce it? Because until now we have been living in a big lie.”462

- MAXIMILIAN SCHREMS463

In June 2014, Maximilian Schrems, an Austrian citizen, brought a case before the Irish High Court, which referred two preliminary questions to the CJEU. The ruling in this case had severe consequences, as Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce464 was declared invalid. This affected all data transfers based on the Safe Harbour Agreement, which thereby lost their legal basis.

Mr. Schrems argued that the Safe Harbour Decision, giving effect to the Safe Harbour Agreement between the EU and the US, did not give consumers any kind of protection, as it allows over 3000 US companies, including Facebook, to repatriate European personal data without ensuring an adequate level of data protection.465

In this chapter we will consecutively discuss the facts of the case, the considerations of the CJEU and the new EU – US Privacy Shield. Finally, we will review whether or not the concerns raised by Mr. Schrems will be addressed by the 2016 data protection reform.

462 Fioretti, J. (2015). Max Schrems: the law student who took on Facebook. Reuters. [online] Available at: http://www.reuters.com/article/us-eu-ireland-privacy-schrems-idUSKCN0S124020151007 [Accessed 15 May 2016].
463 Maximilian Schrems is an Austrian PhD student and privacy activist.
464 Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, O.J. L-215, 25 August 2000, pp. 7-47. Hereinafter: Safe Harbour Decision.
465 Schechner, S. (2014). Max Schrems Vs. Facebook: Activist Takes Aim at U.S.-EU Safe Harbor. Wall Street Journal. [online] Available at: http://blogs.wsj.com/digits/2014/11/20/max-schrems-vs-facebook-activist-takes-aim-at-u-s-eu-safe-harbor/ [Accessed 4 May 2016].

1. Facts

Facebook Ireland Ltd., located in Ireland, is a subsidiary of Facebook Inc., which is located in the United States. When signing up to Facebook, users living in the EU enter into an agreement with Facebook Ireland Ltd. Some, or all, of the personal data from these users is entirely or partly transferred to servers in the US owned by Facebook Inc.466

On 25 June 2013 an Austrian law student named Maximilian Schrems took the initiative to submit a complaint to the Irish DPA, called the Data Protection Commissioner. He objected to the transfer of his data to servers in the US, citing that the law and practice in force did not provide adequate protection as required by the Data Protection Directive. In light of recent revelations made by Edward Snowden, Mr. Schrems felt his data was no longer adequately protected. The main security risk was posed by public authorities of the US, the NSA in particular.467

The Irish DPA stated it was not required to investigate Mr. Schrems’ complaint, on the basis that it was unfounded as there was no concrete evidence that the NSA had actually accessed Mr. Schrems’ data. Additionally, the Irish DPA argued that the European Commission had found in the Safe Harbour Decision that the United States provided an adequate level of protection based on the Safe Harbour Agreement.468

This decision was challenged by Mr. Schrems before the Irish High Court. Although the Irish High Court recognised that the electronic surveillance of European data by US intelligence services was necessary and indispensable, it also acknowledged that Edward Snowden’s revelations showed a significant overreach on the part of the NSA and other federal agencies. It argued that the practice of mass surveillance, when carried out indiscriminately, is not a proportionate restriction of the right to privacy as required by the Irish Constitution.469

In order to determine whether the surveillance of Mr. Schrems’ data was lawful in accordance with Irish data protection laws, several factors needed to be proven: firstly, that the surveillance was targeted towards specific people or groups of people; secondly, that the targeting of certain people was based on objective factors; thirdly, that the surveillance was carried out in the interest of national security or the suppression of crime; and lastly, that there were appropriate and verifiable safeguards ensuring the previous factors were complied with. In light of this, the Irish High Court decided the Irish DPA should have continued its investigation of Mr. Schrems’ case, as the practice of undifferentiated surveillance is inherently contrary to these principles.470

466 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §27.
467 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §28.
468 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §29.
469 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §30-33.

The Irish High Court concluded that the Safe Harbour Decision and the associated Safe Harbour Agreement did not guarantee an adequate level of protection as required by EU data protection laws. Even though Mr. Schrems did not formally question the legality of the adequacy decision, the Irish High Court referred two preliminary questions to the CJEU. Firstly, the Irish High Court asked whether the DPAs are absolutely bound by adequacy decisions when determining if a country ensures an adequate level of data protection.471 Secondly, the Irish High Court asked whether the DPA may and/or must conduct its own investigation in light of factual developments after the publication of the decision of the European Commission.472

2. Considerations of the CJEU

2.1. Competence of the national DPA

The CJEU first investigated the powers of the DPAs within the meaning of Article 28 of the Data Protection Directive, which regulates the DPAs, in the situation where the European Commission has adopted an adequacy decision as provided in Article 25(6) of the Data Protection Directive.

The CJEU starts by pointing out that the independence of the DPAs is imperative to their task of ensuring the protection of individuals.473 For the same reason, the DPAs have been given a broad range of powers.474 While the Data Protection Directive states DPAs are only competent to investigate the processing of personal data in their own member state475, the CJEU states that the transfer of personal data should be considered as processing476, as defined by the Data Protection Directive, carried out in a member state.477 The DPAs are therefore competent to investigate the transfer of data to a third country.478

470 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §33.
471 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §35-36.
472 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §36.
473 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §41.
474 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §43.
475 Art. 28(1) and (6) Data Protection Directive.
476 Art. 2(b) Data Protection Directive.

Article 25 of the Data Protection Directive imposes several obligations to ensure the transfer of data to third countries does not endanger the data protection of European data subjects. Both a member state and the European Commission can find whether or not a third country provides an adequate level of protection. The European Commission can do this through adequacy decisions, like the one based on the Safe Harbour Agreement. Such an adequacy decision, which is binding on all member states, obliges member states to take the necessary measures to comply with the decision. Until this decision is declared invalid, member states, or their organs, cannot adopt measures that contradict it.479

Only the CJEU is competent to declare an adequacy decision invalid. Until this happens, however, data subjects must retain the right to lodge a complaint with their national DPA. The DPA must subsequently be able to investigate this claim independently, regardless of an existing adequacy decision. Likewise, if a DPA finds the claim unfounded, data subjects must retain the right to contest this decision before a court of law.480

The CJEU concluded that an adequacy decision: “does not prevent a supervisory authority of a Member State (…) from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country (…).”481

2.2. Validity of the Safe Harbour Agreement

Under the Data Protection Directive, transfers of data to third countries are lawful when the third country provides an adequate level of protection.482 The Data Protection Directive, however, does not contain a definition of the term ‘adequate’. The only available explanation is that the level of protection should be evaluated in light of all the circumstances surrounding a data transfer.483 The underlying goal of Article 25 Data Protection Directive is the implementation of the obligation in Article 8(1) of the Charter. It aims for the continuation of a high level of data protection when transferring data to a third country.484

477 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §45; Parliament v. Council and Commission [2006] C-317/04 and C-318/04 (CJEU), §56.
478 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §44-45, 47.
479 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §50-52.
480 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §57-64.
481 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §66.
482 Art. 25(1) Data Protection Directive.
483 Art. 25(2) Data Protection Directive.

The term ‘adequate’ does not require third countries to provide a level of data protection identical to that of the EU. As the Advocate General asserted,485 and as confirmed by the CJEU, the term must be understood as requiring a level of protection of fundamental rights essentially equivalent to that guaranteed within the EU by virtue of the Data Protection Directive read in light of the Charter.486 Consequently, at the time of taking an adequacy decision, the European Commission should ensure an adequate level of protection, and afterwards periodically re-evaluate whether the data protection standards are upheld factually and legally.487

The CJEU started with the following analysis. Firstly, the Safe Harbour principles are only applicable to US organisations receiving data from the EU, and are therefore not applicable to US public authorities.488 Secondly, the Safe Harbour Decision contains an exception to the applicability of the Safe Harbour principles for national security reasons and when there is a conflict with US law. The Safe Harbour Decision does not contain a reference to rules balancing these interferences with fundamental rights.489 Thirdly, the Safe Harbour Decision does not contain any information about a system to offer recourse to data subjects.490 Lastly, and above all, EU data protection laws allow interference only insofar as it is strictly necessary. In light of Edward Snowden’s revelations, which evidenced the generalised storage of all the personal data transferred from the EU without any differentiation, limitation or exception, this principle was not respected in the slightest.491 For these reasons the European Commission did not sufficiently ensure an adequate level of protection for the transfer of data to the US, and Article 1 of the Safe Harbour Decision does not comply with the requirements set out in Article 25(6) of the Data Protection Directive.492

484 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §68-72.
485 Opinion of Advocate General Bot, Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §141.
486 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §73.
487 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §75-76.
488 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §82.
489 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §84-88.
490 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §89-90, 95.
491 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §91-94.
492 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §96-98.

Lastly, the CJEU also investigated the Safe Harbour Decision insofar as it restricted the national DPAs’ competence to investigate data subjects’ complaints. Article 3 of the Safe Harbour Decision restricts the powers of the national DPAs. The Data Protection Directive, however, does not allow adequacy decisions to limit these powers.

The CJEU found that Articles 1 and 3 of the Safe Harbour Decision were invalid for the above-mentioned reasons. Since the other articles of the Safe Harbour Decision are inextricably connected to Articles 1 and 3, the entire decision was declared invalid.493

2.3. Outcome

In its judgment of 6 October 2015 the CJEU ruled that:

(i) National supervisory authorities have the competence to examine EU – third country data transfers when examining a claim where a person contends that the law and practices in force in that third country do not ensure an adequate level of protection;

(ii) The Safe Harbour Decision is invalid.

On 2 February 2016 the European Commission and the United States agreed on a new framework agreement for transatlantic data transfers: the EU – US Privacy Shield.494 This political agreement is said to reflect the requirements set by the CJEU in its ruling of 6 October 2015 in the Schrems case, as discussed above in Section 2 of this chapter.

As a consequence of the Schrems case, the new data transfer pact between the US and the EU will explicitly contain an option for the EU to suspend the pact if any new concerns regarding privacy arise.495 The detailed contents of the new EU – US Privacy Shield have already been addressed in Section 2 of Chapter III.

493 Maximilian Schrems v. Data Protection Commissioner [2015] C-362/14 (CJEU), §98, 104-106.
494 European Commission, (2016). EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield. [online] Available at: http://europa.eu/rapid/press-release_IP-16-216_en.htm [Accessed 4 May 2016].
495 Fioretti, J. (2015). EU can suspend new data transfer pact with U.S. if worried about privacy: Official. [online] Reuters. Available at: http://www.reuters.com/article/us-eu-dataprotection-usa-idUSKBN0TT1FG20151210?feedType=RSS&feedName=technologyNews#ZPodROJISjvM0iwL.97 [Accessed 4 May 2016].

3. Are the concerns addressed by the data protection reform?

As evidenced by the criticism of the EU – US Privacy Shield, discussed in Section 2.3 of Chapter III, the EU – US Privacy Shield is far from perfect. While it is not final yet, and the European Commission might still take into account some of the recommendations made by the Article 29 Working Party, it seems likely that the EU – US Privacy Shield will not address the concerns expressed by Maximilian Schrems in this case because, firstly, there are no major changes to the system of adequacy decisions, secondly, the new recourse mechanism is said to be too complex, and thirdly, the EU – US Privacy Shield does not prohibit mass surveillance.

Firstly, the GDPR does not make any radical changes to the regime of adequacy decisions. The only relevant change is the explicit mention of the possibility to repeal or amend adequacy decisions and the necessity of periodic review. The question still remains whether the European Commission will actively use this possibility. These requirements, however, also follow from the judgment of the CJEU in this case. The CJEU explicitly said it is the European Commission’s duty to review adequacy decisions in light of new evidence regarding the level of data protection in a certain country.

Secondly, the EU – US Privacy Shield tries to offer data subjects a new recourse mechanism for concerns regarding national security. The mechanism of the ombudsperson can surely be used by data subjects, such as Maximilian Schrems, if similar information about the NSA arises. The Article 29 Working Party’s evaluation of this mechanism, however, is not positive. The mechanism, as it is now, is too complex and therefore does not provide effective recourse.

Thirdly, the EU – US Privacy Shield still contains an exception to the seven core principles for reasons of national security. The EU – US Privacy Shield does not contain any provision that prohibits the mass and indiscriminate surveillance of European data. The exception for national security reasons does not contain any obligation of proportionality.


Chapter VII. Conclusion

“There is no law of physics that says that it is impossible to have privacy. We can have privacy, if that is what we as a society choose.”496

- BARBARA SIMONS497

This dissertation started with a quote that stated: “privacy is dead and social media hold the smoking gun.” The 2016 data protection reform, however, proves that EU citizens are not willing to simply give up their right to privacy. The two cases discussed also prove that Facebook’s practices are not always compliant with the current EU data protection legislation.

Since these practices already pose problems under the Data Protection Directive, it is likely this will continue to be the case unless Facebook changes its Terms of Service drastically. The improvements in the GDPR offer data subjects more rights, but those only mean something if they are enforced. As more and more national DPAs are starting to pay attention to Facebook’s practices, it is likely that more of them will be contested. The most important question for the future will therefore be whether the 2016 data protection reform creates new, effective ways to enforce the EU data protection laws. Both the GDPR and the EU – US Privacy Shield contain improvements and shortcomings.

The GDPR will certainly have a positive impact on the enforceability of EU data subjects’ rights. Firstly, the inclusion of the accountability principle and the principles of privacy by design and by default ensure organisations will have to take into account the impact of their practices on privacy in every phase of their projects. Secondly, the appointment of a DPO will ensure someone is constantly evaluating organisations’ privacy policies. Thirdly, the extra-territorial facet of the GDPR will put an end to Facebook’s unremitting argument that only the Irish DPA is competent to handle EU citizens’ complaints against Facebook. If national DPAs are given sufficient resources, they will be able to play a crucial role in fighting violations of the right to privacy. Lastly, the GDPR will impact organisations’ stances on privacy, as it now offers national DPAs the opportunity to impose considerable fines. In the past, fines have proven to be a powerful motivator for organisations, which might make these fines the most important innovation in the GDPR. The GDPR, however, also missed some opportunities. The initial proposal contained the standard of explicit consent. Additionally, there is a trend in the EU to provide consumers with more information, in the assumption this will allow them to make informed decisions. The sheer amount of information an organisation has to provide, however, might have the opposite effect, as fewer data subjects will be inclined to read the increasingly longer terms of service.

496 Rainie, L. and Anderson, J. (2014). The Future of Privacy - Elaborations: More Expert Responses. [online] Pew Research Center: Internet, Science & Tech. Available at: http://www.pewinternet.org/2014/12/18/elaborations-more-expert-responses-4/ [Accessed 16 May 2016].
497 “Barbara Simons is a highly decorated retired IBM computer scientist, former president of the ACM, and current board chair for Verified Voting.” Rainie, L. and Anderson, J. (2014). The Future of Privacy - Elaborations: More Expert Responses. [online] Pew Research Center: Internet, Science & Tech. Available at: http://www.pewinternet.org/2014/12/18/elaborations-more-expert-responses-4/ [Accessed 16 May 2016].

The EU – US Privacy Shield, on the other hand, will be less impactful. Although progress has been made to offer additional recourse mechanisms and provide more detailed obligations, the criticism of the EU – US Privacy Shield is abundant. The EU – US Privacy Shield is criticised for being too complex and at times inconsistent. Additionally, some key principles, such as data retention, are not guaranteed. The concept of an ombudsperson might be a good one, provided it is not as complex as it is now. Lastly, the EU – US Privacy Shield does nothing to prevent the mass surveillance of EU data subjects’ data. Unless the European Commission renegotiates the EU – US Privacy Shield to include the recommendations made by the Article 29 Working Party, it will most likely be contested immediately. Unless the European Commission is able to ensure an adequate level of protection by US organisations, the protest against its adequacy decisions will persist.

Overall, data subjects’ right to data protection will become more enforceable. As long as data subjects and DPAs make it a priority to actually enforce these rights, the GDPR will offer them the effective mechanisms to do so. People who value their privacy will be able to demand a high standard of data protection, while others who do not mind giving up a part of their right to privacy in exchange for services can opt in to these practices. This dissertation can therefore be concluded fittingly with the words of Niels Ole Finnemann498:

“The citizens will divide between those who prefer convenience and those who prefer privacy.”499

498“NielsOleFinnemannisaprofessoranddirectorofNetlab,DigHumLabinDenmark.”Rainie, L. andAnderson, J. (2014). The Future of Privacy - Elaborations: More Expert Responses. [online] PewResearch Center: Internet, Science & Tech. Available at:http://www.pewinternet.org/2014/12/18/future-of-privacy/[Accessed16May2016].499Rainie, L. and Anderson, J. (2014). TheFutureofPrivacy -Elaborations:MoreExpertResponses.[online] Pew Research Center: Internet, Science & Tech. Available at:http://www.pewinternet.org/2014/12/18/future-of-privacy/[Accessed16May2016].


BIBLIOGRAPHY

I. Legislation

UN General Assembly, International Covenant on Civil and Political Rights, 16 December 1966, UN Doc. A/6316 (1966).

UN General Assembly, International Convention on the Protection of the Rights of all Migrant Workers and Members of Their Families, 18 December 1990, UN Doc. A/RES/45/158 (1990).

UN General Assembly, Convention on the Rights of the Child, 20 November 1989, UN Doc. A/RES/44/25 (1989).

Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community, signed at Lisbon, 13 December 2007, O.J. C 306, 17 December 2007, pp. 1–271.

Council Directive 93/13/EEC of 5 April 1993 on unfair terms in consumer contracts, O.J. L-95, 21 April 1993, pp. 29-34.

Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, O.J. L-215, 25 August 2000, pp. 7-47.

Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, O.J. L-178, 17 July 2000, pp. 1-16.

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, O.J. L-201, 31 July 2002, pp. 37-47, as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws, O.J. L-337, 18 December 2009, pp. 11-36.

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, O.J. L-281, 23 November 1995, pp. 31–50.

EU-US Privacy Shield Agreement, Annex II EU-U.S. Privacy Shield Framework Principles Issued By The U.S. Department Of Commerce, pp. 4-7, 9-10, 14-18, 20-21.

European Commission, (2016). Draft Adequacy Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, pp. 3-5.

European Commission, Proposal for a Directive on the protection of individuals with regards to processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, 25 January 2012, COM 2012/0010 (COD).

European Commission, Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), 25 January 2012, COM 2012/0011 (COD).

European Parliament, Legislative resolution on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Ordinary legislative procedure: first reading, 12 March 2014, C7-0025/2012 – COM 2012/0011 (COD).

European Council, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) - Preparation of a general approach, 15 June 2015, COM 2012/0011 (COD).

Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), O.J. L-119, 4 May 2016, pp. 1-88.

Consolidated version of the Treaty on the Functioning of the European Union, O.J. C-326, 26 October 2012, pp. 47–390.

Charter of Fundamental Rights of the European Union, O.J. C-326, 26 October 2012, pp. 391–407.

Regulation No 593/2008 of the European Parliament and of the Council of 17 June 2008 on the law applicable to contractual obligations (Rome I), O.J. L-177, 4 July 2008, pp. 6–16.

Gerechtelijk Wetboek, BS 31 oktober 1967, p. 11360. (Belgian Judicial Code).

Wet van 8 december 1992 tot bescherming van de persoonlijke levenssfeer ten opzichte van de verwerking van persoonsgegevens, BS 13 maart 1993. (Belgian Privacy Act).

Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés, Journal officiel du 7 janvier 1978 et rectificatif au J.O. du 25 janvier 1978. (French Data Protection Act).

Bundesdatenschutzgesetz (BDSG) vom 20. Dezember 1990 (BGBl. I S. 2954), neugefasst durch Bekanntmachung vom 14. Januar 2003 (BGBl. I S. 66), zuletzt geändert durch Gesetz vom 29.07.2009 (BGBl. I, S. 2254), durch Artikel 5 des Gesetzes vom 29.07.2009 (BGBl. I, S. 2355 [2384]) und durch Gesetz vom 14.08.2009 (BGBl. I, S. 2814). (German Federal Data Protection Act).

Urheberrechtsgesetz vom 9. September 1965 (BGBl. I S. 1273), das durch Artikel 7 des Gesetzes vom 4. April 2016 (BGBl. I S. 558) geändert worden ist. (German Copyright Act).

Data Protection Act 1998. (UK Data Protection Act).

II. Case Law

ECHR

Klass and others v Federal Republic of Germany [1979] 5029/71 Series A No. 28 (ECHR).

Leander v. Sweden [1987] 9248/81 (ECHR).

Malone v. The United Kingdom [1984] 8691/79 (ECHR).

X. v. Iceland [1976] 6825/74 (ECHR).

CJEU

Albako Margarinefabrik Maria von der Linde GmbH & Co. KG v Bundesanstalt für landwirtschaftliche Marktordnung [1987] C-249/85 (CJEU).

Content Services Ltd v. Bundesarbeitskammer [2012] C-49/12 (CJEU).

Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González [2014] C-131/12 (CJEU).

Joined cases Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) and Federación de Comercio Electrónico y Marketing Directo (FECEMD) v. Administración del Estado [2011] C-468/10 and C-469/10 (CJEU).

Joined cases Tele2 Sverige AB v. Post- och telestyrelsen and Secretary of State for the Home Department v. Davis and Others, C-203/25 and C-698/15 (CJEU).

Maximilian Schrems v. Data Protection Commissioner [2016] C-362/14 (CJEU).

Mediaset SpA v. Ministero dello Sviluppo economico [2014] C-69/13 (CJEU).

Opinion of Advocate General Bot, Maximilian Schrems v. Data Protection Commissioner [2016] C-362/14 (CJEU), § 141.

Parliament v. Council and Commission [2006] C-317/04 and C-318/04 (CJEU), § 56.

Scarlet Extended SA v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM) [2011] C-70/10 (CJEU).

NATIONAL COURTS

Court of Cassation, 21 May 1987, Pas. 1987, I, 1160.

Belgian Commission for the Protection of Privacy v. Facebook Inc., Facebook Belgium SPRL and Facebook Ireland Limited, 15/57/C (Dutch-speaking Court of First Instance Brussels 2015).

Landgericht Berlin, Urteil vom 6. März 2012, (16 O 551/10), available at http://openjur.de/u/269310.html.

The Rachel Affaire [1858] D.P. III 62 (Tribunal civil de la Seine).

III. Policy Documents

Article 29 Working Party, (2007). Opinion 4/2007 on the concept of personal data. pp. 16-17.

Article 29 Working Party, (2010). Opinion 2/2010 on online behavioural advertising. p. 15.

Article 29 Working Party, (2010). Opinion 8/2010 on applicable law. p. 25.

Article 29 Working Party, (2011). Opinion 13/2011 on Geolocation services on smart mobile devices. pp. 19-20.

Article 29 Working Party, (2011). Opinion 15/2011 on the definition of consent. pp. 11, 18, 21-25.

Article 29 Working Party, (2012). Opinion 04/2012 on Cookie Consent Exemption. p. 9.

Article 29 Working Party, (2013). Opinion 03/2013 on Purpose Limitation. pp. 15-16.

Article 29 Working Party, (2014). Letter to Larry Page. Google Privacy Policy - Appendix. p. 2.

Article 29 Working Party, (2014). Opinion 05/2014 on Anonymisation Techniques. p. 23.

Article 29 Working Party, (2016). Opinion 01/2016 on the EU-US Privacy Shield draft adequacy decision. pp. 3, 17, 24-25, 27, 39, 45-57.

Australian Law Reform Commission, (2008). Report 108 Volume 2. pp. 1132-1134.

CNIL, (2012). CNIL Review of Google's New Privacy Policy: Incomplete Information and Uncontrolled Combination of Data across Services. p. 2.

College Bescherming Persoonsgegevens, (2013). Investigation into the Combining of Personal Data by Google - Report of Definitive Findings. Den Haag, pp. 66-68.

Data Protection Commissioner, (2012). Facebook Ireland Limited – Report of Re-Audit. pp. 22, 42.

Data Protection Commissioner, (n.d.). Guidance Note on Data Protection in the Electronic Communications Sector. p. 3.

ICO, (2015). Information Commissioner's guidance about the issue of monetary penalties prepared and issued under Section 55C(1) of the Data Protection Act 1998. pp. 6-8.

OECD, (2013). Privacy Guidelines. Available at: http://www.oecd.org/internet/ieconomy/privacy-guidelines.htm [Accessed 20 April 2016].

Office of the Privacy Commissioner of Canada, (2012). Getting Accountability Right with a Privacy Management Program.

IV. Legal Doctrine

Acar, G., Van Alsenoy, B., Piessens, F., Diaz, C. and Preneel, B. (2015). Facebook Tracking Through Social Plug-ins. [online] pp. 2, 6, 12-13, 15, 17-19, 21-23. Available at: https://securehomes.esat.kuleuven.be/~gacar/fb_tracking/fb_plugins.pdf [Accessed 4 May 2016].

Acar, G., Verdoodt, V., Wauters, E., Van Alsenoy, B., Heyman, R. and Ausloos, J. (2015). From social media service to advertising network: a critical analysis of Facebook's Revised Policies and Terms v.1.3. [online] pp. 8, 12-17, 38, 55, 61-69, 73-79, 90-93, 98-99, 104-109. Available at: https://www.researchgate.net/publication/291147719_From_social_media_service_to_advertising_network_-_A_critical_analysis_of_Facebook's_Revised_Policies_and_Terms [Accessed 4 May 2016].

Belgian Privacycommission.be. (n.d.). Ik ben een internetgebruiker, hoe kan ik mij beschermen tegen tracking door social plug-ins? | Privacycommissie. [online] Available at: https://www.privacycommission.be/nl/ik-ben-een-internetgebruiker-hoe-kan-ik-mij-beschermen-tegen-tracking-door-social-plug-ins [Accessed 18 Apr. 2016].

Burke, K. (1981). Secret Surveillance and the European Convention on Human Rights. Stanford Law Review, 33(6), p. 1122.

Craig, P. and De Burca, G. (1998). EU law. Oxford: Oxford University Press.

Cropper, L. (2016). EU-US Privacy Shield: The Article 29 Working Party raises its concerns. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/eu-us-privacy-shield-the-article-29-working-party-raises-its-concerns/ [Accessed 3 May 2016].

Davidson, B. (2016). Getting to know the General Data Protection Regulation, Part 7 - Accountability Principles = More Paperwork. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-7-accountability-principles-more-paperwork [Accessed 4 May 2016].

DLA Piper, (2016). Data Protection Law of the World. pp. 137-149, 482-487.

Dunphy-Moriel, M. and Power, L. (2015). Getting to know the General Data Protection Regulation, Part 3 – If you receive personal data from a third party, you may need to "re-think" your legal justification for processing it. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2015/getting-to-know-the-general-data-protection-regulation-part-3-if-you-receive-personal-data-from-a-third-party-you-may-need-to-re-think-your-legal-justification-for-processing-it [Accessed 4 May 2016].

Ernst & Young, (2009). Privacy and Data Protection Law: European Developments.

European Union Agency for Fundamental Rights, (2014). Handbook Data Protection. pp. 14, 17-18, 20-21.

Hauch, J. (1994). Protecting Private Facts in France: The Warren & Brandeis Tort is Alive and Well and Flourishing in Paris. Tulane Law Review, 68(1219).

Keller, D. (2015). The Final Draft of Europe's "Right to Be Forgotten" Law. [online] Center for Internet and Society. Available at: http://cyberlaw.stanford.edu/blog/2015/12/final-draft-europes-right-be-forgotten-law [Accessed 4 May 2016].

Lee, P. (2015). Getting to know the GDPR, Part 1 - You may be processing more personal information than you think. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2015/getting-to-know-the-gdpr-part-1-you-may-be-processing-more-personal-information-than-you-think [Accessed 4 May 2016].

Lee, P. (2016). The Privacy Shield – is it any good then? [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/the-privacy-shield-is-it-any-good-then/ [Accessed 4 May 2016].

Mahmood, S. and Power, L. (2016). Getting to know the General Data Protection Regulation, Part 6 – Designing for compliance. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-6-designing-for-compliance/ [Accessed 4 May 2016].

Maldoff, G. (2016). Top 10 operational impacts of the GDPR: Part 3 – consent. [online] The International Association of Privacy Professionals. Available at: https://iapp.org/news/a/top-10-operational-impacts-of-the-gdpr-part-3-consent/ [Accessed 4 May 2016].

Paez, M. (2009). Germany Strengthens Data Protection Act, Introduces Data Breach Notification Requirement. [online] Jones Day. Available at: http://www.jonesday.com/germany-strengthens-data-protection-act-introduces-data-breach-notification-requirement-10-26-2009/#_edn15 [Accessed 4 May 2016].

Paez, M., von Diemar, U., Little, J., Robertson, E., Bru, P., Haas, O. and De Muyter, L. (2015). Agreement Reached on the European Reform of Data Protection. [online] Jones Day. Available at: http://www.jonesday.com/agreement-reached-on-the-european-reform-of-data-protection-12-17-2015/ [Accessed 4 May 2016].

Patrikios, A. (2015). Getting to know the GDPR, Part 2 – Out-of-scope today, in scope in the future. What is caught? [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2015/getting-to-know-the-gdpr-part-2-out-of-scope-today-in-scope-in-the-future-what-is-caught [Accessed 4 May 2016].

Power, L. (2016). Getting to know the GDPR, Part 9 – Data transfer restrictions are here to stay, but so are BCR. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-gdpr-part-9-data-transfer-restrictions-are-here-to-stay-but-so-are-bcr/ [Accessed 4 May 2016].

Privacylawblog.fieldfisher.com. (2016). Getting to know the General Data Protection Regulation - Part 8. [online] Available at: http://privacylawblog.fieldfisher.com/2016/getting-to-know-the-general-data-protection-regulation-part-8-you-may-need-to-appoint-a-data-protection-officer/ [Accessed 4 May 2016].

Proust, O. (2015). Getting to know the GDPR, Part 5: Your big data analytics and profiling activities may be seriously curtailed. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2015/getting-to-know-the-gdpr-part-5-your-big-data-analytics-and-profiling-activities-may-be-seriously-curtailed [Accessed 4 May 2016].

Ragno, F. (2009). The Law Applicable to Consumer Contracts under the Rome I Regulation. In: F. Ferrari and S. Leible, ed., Rome I Regulation: The Law Applicable to Contractual Obligations in Europe, 1st ed. Munich: sellier. european law publishers, pp. 147-149.

Ryssdal, R. (1991). Data Protection and the European Convention on Human Rights in Council of Europe Data protection, human rights and democratic values. In: XIII Conference of the Data Protection Commissioners. pp. 41-43.

Sartor, G. (2013). Providers' liabilities and the right to be forgotten. European University Institute, p. 9.

Strossen, N. (1990). Recent US and International Judicial Protection of Individual Rights: A comparative Legal Process Analysis and Proposed Synthesis. Hastings Law Journal, 41, p. 805.

Swire, P. and Lagos, Y. (2013). Why the Right to Data Portability Likely Reduces Consumer Welfare: Antitrust and Privacy Critique. Maryland Law Review, 72, pp. 335-380.

Van Canneyt, T. and Power, L. (2015). Getting to know the GDPR, Part 4 – "Souped-up" individual rights. [online] Privacylawblog.fieldfisher.com. Available at: http://privacylawblog.fieldfisher.com/2015/getting-to-know-the-gdpr-part-4-souped-up-individual-rights/ [Accessed 4 May 2016].

Van Eecke, P. and Truyens, M. (2010). Privacy and social networks. Computer Law & Security Review, 26(5), pp. 535-546.

Warren, S. and Brandeis, L. (1980). The Right to Privacy. Harvard Law Review, IV(5).

V. Press Releases

OECD

OECD, (2011). Thirty years after the OECD Privacy Guidelines. [online] Available at: http://www.oecd.org/sti/ieconomy/49710223.pdf [Accessed 4 May 2016].

EUROPEAN COMMISSION

European Commission, (2012). Commission proposes a comprehensive reform of data protection rules to increase users' control of their data and to cut costs for businesses. [online] Available at: http://europa.eu/rapid/press-release_IP-12-46_en.htm?locale=en [Accessed 4 May 2016].

European Commission, (2015). Agreement on Commission's EU data protection reform will boost Digital Single Market. [online] Available at: http://europa.eu/rapid/press-release_IP-15-6321_en.htm [Accessed 4 May 2016].

European Commission, (2016). EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield. [online] Available at: http://europa.eu/rapid/press-release_IP-16-216_en.htm [Accessed 4 May 2016].

European Commission, (2016). EU-U.S. Privacy Shield: Frequently Asked Questions. [online] Available at: http://europa.eu/rapid/press-release_MEMO-16-434_en.htm [Accessed 6 May 2016].

European Commission, (2016). Joint Statement on the final adoption of the new EU rules for personal data protection. [online] Available at: http://europa.eu/rapid/press-release_STATEMENT-16-1403_en.htm [Accessed 15 May 2016].

European Commission, (2016). Restoring trust in transatlantic data flows through strong safeguards: European Commission presents EU-U.S. Privacy Shield. [online] Available at: http://europa.eu/rapid/press-release_IP-16-433_en.htm [Accessed 6 May 2016].

BELGIAN PRIVACY COMMISSION

Belgian Privacy Commission, (2015). On 13 May the Belgian Privacy Commission adopted a first recommendation of principle on Facebook. [online] Available at: https://www.privacycommission.be/en/news/13-may-belgian-privacy-commission-adopted-first-recommendation-principle-facebook [Accessed 15 May 2016].

Belgian Privacy Commission, (2015). The judgment in the Facebook case. [online] Available at: https://www.privacycommission.be/en/news/judgment-facebook-case [Accessed 4 May 2016].

CNIL

CNIL, (2015). Un nouveau label CNIL gouvernance Informatique et Libertés. [online] Available at: https://www.cnil.fr/fr/un-nouveau-label-cnil-gouvernance-informatique-et-libertes [Accessed 4 May 2016].

VI. Media Coverage

Bracy, J. (2016). CNIL gives Facebook three months to comply with privacy order. [online] International Association of Privacy Professionals. Available at: https://iapp.org/news/a/cnil-gives-facebook-three-months-to-comply-with-privacy-order/ [Accessed 10 May 2016].

Drozdiak, N. (2015). Belgian Privacy Watchdog Hails Facebook Court Ruling. Wall Street Journal. [online] Available at: http://www.wsj.com/articles/belgian-privacy-watchdog-hails-facebook-court-ruling-1447162169 [Accessed 4 May 2016].

Fioretti, J. (2015). EU can suspend new data transfer pact with U.S. if worried about privacy: Official. [online] Reuters. Available at: http://www.reuters.com/article/us-eu-dataprotection-usa-idUSKBN0TT1FG20151210?feedType=RSS&feedName=technologyNews#ZPodROJISjvM0iwL.97 [Accessed 4 May 2016].

Fioretti, J. (2015). Max Schrems: the law student who took on Facebook. Reuters. [online] Available at: http://www.reuters.com/article/us-eu-ireland-privacy-schrems-idUSKCN0S124020151007 [Accessed 15 May 2016].

Fioretti, J. (2016). French data privacy regulator cracks down on Facebook. Reuters. [online] Available at: http://www.reuters.com/article/us-facebook-france-privacy-idUSKCN0VH1U1 [Accessed 14 May 2016].

Johnson, B. (2010). Privacy no longer a social norm, says Facebook founder. The Guardian. [online] Available at: https://www.theguardian.com/technology/2010/jan/11/facebook-privacy [Accessed 15 May 2016].

Meyer, D. (2016). Facebook Hit With German Antitrust Investigation Over User Terms. Fortune. [online] Available at: http://fortune.com/2016/03/02/facebook-germany-antitrust/ [Accessed 14 May 2016].

Perez, M. (2008). T-Mobile Lost 17 Million Subscribers' Personal Data. InformationWeek. [online] Available at: http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=210700232 [Accessed 4 May 2016].

Schechner, S. (2014). Max Schrems Vs. Facebook: Activist Takes Aim at U.S.-EU Safe Harbor. Wall Street Journal. [online] Available at: http://blogs.wsj.com/digits/2014/11/20/max-schrems-vs-facebook-activist-takes-aim-at-u-s-eu-safe-harbor/ [Accessed 4 May 2016].

VII. Facebook

Facebook Ad Settings. (n.d.). Facebook. [online] Available at: https://www.facebook.com/settings?tab=ads [Accessed 14 May 2016].

Facebook Developers. (n.d.). Social Plugins - Documentation - Facebook for Developers. [online] Available at: https://developers.facebook.com/docs/plugins [Accessed 18 April 2016].

Facebook Investor Relations. (2015). Facebook Reports Third Quarter 2015 Results - Facebook. [online] Available at: http://investor.fb.com/releasedetail.cfm?ReleaseID=940609 [Accessed 5 May 2016].

Facebook Newsroom. (2015). Setting the Record Straight on a Belgian Academic Report. [online] Available at: http://newsroom.fb.com/news/h/setting-the-record-straight-on-a-belgian-academic-report/ [Accessed 16 May 2016].

Facebook Newsroom. (n.d.). Company Info. [online] Available at: http://newsroom.fb.com/company-info/ [Accessed 5 May 2016].

Facebook. (2015). Data Policy. [online] Available at: https://www.facebook.com/policy.php [Accessed 5 May 2016].

Facebook. (2016). Terms of Service. [online] Available at: https://www.facebook.com/terms [Accessed 5 May 2016]. (Terms of Service)

Facebook. (n.d.). Audience Targeting Options - Help Center. [online] Available at: https://www.facebook.com/help/633474486707199 [Accessed 21 April 2016].

Facebook. (n.d.). Can I target my ad to people based on their age and gender? - Help Center. [online] Available at: https://www.facebook.com/help/813939365351532 [Accessed 21 April 2016].

Facebook. (n.d.). Control the ads you see - About Advertising on Facebook. [online] Available at: http://facebook.com/about/ads [Accessed 18 April 2016].

Facebook. (n.d.). Cookies, Pixels & Similar Technologies. [online] Available at: https://www.facebook.com/help/cookies/update [Accessed 5 May 2016].

Facebook. (n.d.). Does Facebook use my name or photo in ads? - About Facebook Ads | Facebook Help Center. [online] Available at: https://www.facebook.com/help/769828729705201/ [Accessed 5 April 2016].

Facebook. (n.d.). How can I download my information from Facebook? | Facebook Help Center | Facebook. [online] Available at: https://www.facebook.com/help/212802592074644 [Accessed 30 April 2016].

Facebook. (n.d.). How do I target education levels, specific schools, fields of study or specific graduation years? - Help Center. [online] Available at: https://www.facebook.com/help/227971680551772 [Accessed 21 April 2016].

Facebook. (n.d.). How does Facebook know when people are in the locations I am targeting? - Help Center. [online] Available at: https://www.facebook.com/business/help/133609753380850 [Accessed 19 April 2016].

Facebook. (n.d.). Nearby Friends | Facebook Help Center | Facebook. [online] Available at: https://www.facebook.com/help/629537553762715/ [Accessed 19 April 2016].

Facebook. (n.d.). What are audience behaviours? - Help Center. [online] Available at: https://www.facebook.com/help/243268465859743 [Accessed 21 April 2016].

Facebook. (n.d.). What is a custom audience? - Help Center. [online] Available at: https://www.facebook.com/help/341425252616329 [Accessed 5 May 2016].

Facebook. (n.d.). What is connections targeting? - Help Center. [online] Available at: https://www.facebook.com/help/186282224754628 [Accessed 21 April 2016].

Facebook. (n.d.). What is interests targeting? - Help Center. [online] Available at: https://www.facebook.com/help/188888021162119 [Accessed 21 April 2016].

Facebook. (n.d.). What options do I have when selecting people within a location? - Help Center. [online] Available at: https://www.facebook.com/help/755086584528141 [Accessed 21 April 2016].

VIII. Other

Biography. (2016). Edward Snowden. [online] Available at: http://www.biography.com/people/edward-snowden-21262897 [Accessed 15 May 2016].

Biography. (2016). Mark Zuckerberg. [online] Available at: http://www.biography.com/people/mark-zuckerberg-507402 [Accessed 15 May 2016].

Europe versus facebook. (n.d.). Get Your Data. [online] Available at: http://europe-v-facebook.org/EN/Get_your_Data_/get_your_data_.html [Accessed 14 May 2016].

European Commission, (2015). Special Eurobarometer 431 “Data protection”. [online] European Union, p. 115. Available at: http://ec.europa.eu/public_opinion/archives/ebs/ebs_431_en.pdf [Accessed 14 May 2016].

International Telecommunication Union (ITU). (2015). Statistics - Global ICT Developments. [online] Available at: http://www.itu.int/en/ITU-D/Statistics/Pages/stat/default.aspx [Accessed 14 May 2016].

Lee, P. and Webber, M. (2016). GDPR 1.0 - Top 10 Things You Need To Know! Presentation, SanDisk Corporation.

Lobbyplag. (n.d.). LobbyPlag: Amendments. [online] Available at: http://lobbyplag.eu/map/article/17 [Accessed 9 May 2016].

Mashable. (n.d.). Pete Cashmore. [online] Available at: http://mashable.com/people/petecashmore/ [Accessed 15 May 2016].

Mozilla Support. (n.d.). Disable third-party cookies in Firefox to stop some types of tracking by advertisers | Firefox Help. [online] Available at: https://support.mozilla.org/en-US/kb/disable-third-party-cookies [Accessed 7 May 2016].

Rainie, L. and Anderson, J. (2014). The Future of Privacy - Elaborations: More Expert Responses. [online] Pew Research Center: Internet, Science & Tech. Available at: http://www.pewinternet.org/2014/12/18/future-of-privacy/ [Accessed 16 May 2016].

Snowden, E. (2015). Just days left to kill mass surveillance under Section 215 of the Patriot Act. We are Edward Snowden and the ACLU's Jameel Jaffer. AUA. • /r/IAmA. [online] reddit. Available at: https://www.reddit.com/r/IAmA/comments/36ru89/just_days_left_to_kill_mass_surveillance_under/crglgh2 [Accessed 15 May 2016].

Snowden, E. (2016). Edward Snowden on Twitter. [online] Twitter. Available at: https://twitter.com/Snowden/status/694571566990921728 [Accessed 6 May 2016].

The Center for Internet and Society. (n.d.). Stanford Law School - Daphne Keller. [online] Available at: http://cyberlaw.stanford.edu/about/people/daphne-keller [Accessed 14 May 2016].