Category: Data privacy

Privacy Policy

empir.is collects no personal information about users visiting the site unless the information is provided by the user. Information provided by the user may include tracking information unless the user has opted out of such tracking.

Any user submitting information agrees that it can be stored for follow up communication and contacts with the site.

empir.is receives anonymous user information from Google Analytics and WordPress via cookies. This includes pages visited, browser, original linking page, operating system, ISP domain and page views. This information is used solely to measure usage and improve site quality.

Any unauthorized attempts to view, upload or change information on empir.is are illegal, and violations will be pursued in both civil and criminal actions to the full extent of the law.

Users may request access to personal data collected, make corrections to factual inaccuracies or have their data deleted by contacting empir.is. All personal data submitted to empir.is is stored in the European Union.

Christopher Lynn is empir.is’ Privacy Officer. Any inquiries concerning this Privacy Policy should be directed to privacy@empir.is.

This Privacy Policy was updated on October 19, 2014 and may be changed without notice.

Ready for Cookie Sweep Day?

Cookie Sweep Day is coming!

The French data protection authority CNIL will conduct a “cookie sweep” this coming September 15 to verify compliance with its recommendations on cookies and tracers used to collect and store personal user information on websites. These audits will be both on-site and remote inspections, meaning that as a website owner, your premises could be subject to a visit by the authorities for non-compliance.

The CNIL will feed the data crumbs it gathers into a program of website audits it will conduct in October.

The cookie sweep is not limited to France – all other EU national data protection authorities will be conducting their own sweeps as well across the Member States, to inspect and monitor cookie compliance with the ePrivacy Directive.

Should you be concerned?

To be clear, under the regulations, only certain cookies require a user’s prior consent – in general, cookies set by third party advertising networks. In a word, if you’re monetizing your site with third party ads, you must ask users for their consent to those cookies (if you’re not already asking for prior consent for these, you should really do it, er, now).

If you’re not already aware of how it works, a user can consent by clicking a banner explaining that the site uses cookies for tracking/advertising purposes or more simply, if the user continues through deeper links within the site and the banner remains persistent.

Users must be able to withdraw consent at any time, and cookies and consents must be reset at a minimum every 13 months. The CNIL holds sites and third party advertising networks jointly liable for compliance.

What’s the risk?

If you’re running a business through ads or tracking via your site, the financial risk is moderate, depending on your size. This past January the CNIL fined Google €150,000 for having cookies set while the banner was loading instead of after consent was given. Clever folks, Google. Anyway, the risk is there.

Nota bene…

Functional cookies and web analytics cookies do not require prior consent but users must have clear and user-friendly information regarding these cookies, including information on how to opt-out.

Another important note is that sites cannot deny users access if they choose to block advertising cookies and cannot make acceptance of advertising cookies a condition of using the service. Where a business model depends on making content or services freely available in exchange for targeted advertising via cookies, the regulations are…highly disruptive.

The CNIL has also put up an app (“CookieViz”) for users to verify cookies on their Mac, Windows or Linux device.

Not so Safe Harbor: EU-US data protection cooperation on the rocks.

After the Snowden revelations, the European Union is finally getting its data privacy act together and it looks like a brutal fight is ahead, possibly leaving global corporations’ reliance on the longstanding safe harbor provisions, standard clauses and consents listing somewhere mid-Atlantic.

Here’s the EU Commission VP & Commissioner for Justice, Fundamental Rights and Citizenship Reding on Safe Harbor at the Vilnius Informal Justice Council 19 July 2013:

The Safe Harbor agreement may not be so safe after all. It could be a loophole for data transfers because it allows data transfers from EU to US companies – although US data protection standards are lower than our European ones. I have informed ministers that the Commission is working on a solid assessment of the Safe Harbor Agreement which we will present before the end of the year.

The Safe Harbor agreement enables data to be transferred from the EU to the US. The Safe Harbor framework was developed by the US Department of Commerce, in consultation with the Commission, industry and non-governmental organisations to provide US organizations with a streamlined means of satisfying the Directive’s “adequate protection” requirement.

The Commission is working on an assessment which it will present before the end of the year. We can only hope that the US realizes what a hole it’s dug for its tech companies before then. Quick and decisive action is needed but nothing is coming from either the Obama Administration or the US Congress.

Is Google Analytics Illegal?

Today the Norwegian data privacy authority declared that it considers the use of the Google Analytics tool by the national tax administration and the educational loan fund illegal.

Their argument is relatively clear. The public agencies apparently accepted Google’s standard terms of service, which allow it to use the IP addresses of tax and education fund users to provide other services. Moreover, if the user is logged into a Google service at the time, Google will also be able to identify the user.

While Norway is not an EU Member, it is a member of the European Free Trade Area and its data protection legislation closely tracks the EU’s, which makes this finding somewhat disconcerting. In fact, since the IP addresses collected by the agencies are sent to Google for processing, Google becomes an undeclared “data processor”, in clear violation of the law.

I can understand how this might happen since Google makes it simple (and tempting) to adopt Analytics to follow traffic on your site and people in the agencies’ IT departments therefore had a free alternative to going through a public procurement process to acquire a similar service that would properly treat the personal data.

Bottom line, there’s no free software out there. Second bottom line, hire a lawyer to train your IT department in the basics of data protection law.

What you don’t know about EU DATA PRIVACY law and why you need to know it today.

Outside a select group of specialists in IT law (and the even more limited and select group of data privacy law specialists), few company advisors or corporate legal departments truly understand how to be in perfect compliance with European Union data privacy regulations.

Yet nearly every company doing business in the EU has to comply.

If you’re reading this, you have probably been frustrated by the complexity of the requirements, provisions such as Safe Harbor, Model Contractual Clauses, whether to appoint a Data Privacy Officer, etc.

Some of that is about to change. Basic compliance could soon be achieved by simply amending your company’s internal policy documents.

How? By adopting Binding Corporate Rules, aka “BCRs”.

BCRs are internal policies that any company controlling data can adopt and apply to its entire group, wherever it is doing business, and be compliant with EU Data Privacy regulations, once and for all.

Until now, BCRs were only an option for ‘controllers’ – but the European Commission’s Article 29 Working Party has adopted a document (WP195) on BCRs for data ‘processors’ (the vast majority of companies are processors, not controllers; if you have to ask, you’re most likely a processor).

Why do you need to know this today?

Because the rules the Working Party published are essentially the same as those already in effect for data controllers – meaning that you can start drafting your BCRs today and ready them for submission. As soon as we are clear that the currently non-binding document is acceptable to EU Member State data authorities, you’re good to go.

Given the pressure from the private sector to simplify data privacy compliance, I think that we’ll soon have a win-win here.

If you need more information or would like help working on your data privacy issues, click the feedback button (on the left).

69 Questions: EU quizzes the G on its new privacy policy.

France’s data privacy authority CNIL (acting under EU mandate) sent Google the following questionnaire in order to clarify a number of concerns on the policy’s implementation, Google’s due diligence vis-a-vis its users and compliance of the policy with EU regulations.

The EU’s Article 29 Working Party (grouping Member State data protection authorities) stated that it further needs to clarify the consequences of the policy for users; specifically different levels of users, such as whether or not they have a Google Account, are non-authenticated, or simply passive users of Google’s services through Google APIs via other websites and/or applications (advertising, analytics, etc.).

Many of the questions seem to point in the direction of Competition Law concerns. It’s hard to imagine that the EU would be posing the same questions about Yahoo!’s privacy policy (which to my eyes, looks compliant).

The CNIL asked Google to provide written responses by April 5. Under EU law, responses are confidential unless Google consents to their release.

What to make of the EU reaction to Google’s new privacy policy?

Yesterday’s letter from the French National Commission on Information Technology and Freedoms (CNIL) points out some very specific problems in Google’s widely publicized new privacy policy, which comes into effect 1 March.

While the new policy is exemplary in its clear language, the issues the CNIL enumerates are not so arcane as to concern only specialists in data privacy law.

In sum, the CNIL wants Google’s privacy policy to explain 1) which Google services will collect and/or process personal data, 2) the specific personal data which will be collected and/or processed by each service and 3) how Google will inform the individual of her/his rights regarding access, correction, etc. for the personal data held by each service.

While all this sounds like formalities, complying with EU data privacy law is all about formalities. Google should know this better than anyone today, especially considering the level of expertise they have in data privacy matters.

As it is, Google has (for simplicity’s sake, one would surmise) used a negative definition of what it will not do with an individual’s personal data. From a philosophical point of view, this is a bit like the difference between Civil and Common Law conceptions of liberty. For Civilists, a right doesn’t exist unless it is enumerated. Civilists like things written down.

I think that we’ll likely see more PR pushback from Google in the next few weeks until their global data privacy counsel can talk his colleagues and clients into conceding that their new policy could use a few links to deeper explanations to be compliant with EU law. Google wants to be a good European, after all.

The Opinion 10/2004 on More Harmonised Information Provisions is basic but useful guidance on how to draft a compliant privacy policy statement. Well worth looking at.