Privacy & Data Protection

Other sections of this issue:
Privacy & Data Protection | ISP-Liability & Media Law | Contracts & E-Commerce |
Electronic Communications & IT

---

• Data Protection Enforcement by National Data Protection Authorities – The Netherlands
• Commission consultation on responses to computer attacks and ENISA's report on information security awareness in the financial sector
• Binding Corporate Rules to become more attractive

---

Data Protection Enforcement by National Data Protection Authorities – The Netherlands

In this newsletter, we highlight two recent actions of the Dutch data protection authority. The first concerns a Dutch website which compiled blacklists of IP addresses of “cyberhooligans” and made these data available to other website owners. The second concerns a report of the Dutch data protection authority and the Dutch Health Care Inspectorate with regard to the use of IT and related privacy risks in the healthcare sector.

Introduction
As mentioned in our previous newsletter, national data protection authorities are increasingly enforcing data protection obligations. In this newsletter, we highlight two recent actions of the Dutch data protection authority. The first one concerns a Dutch website which compiled blacklists of IP addresses of "cyberhooligans" and made these data available to other website owners so that they could bar these IP addresses as well. The second one concerns a report of the Dutch data protection authority and the Dutch Health Care Inspectorate with regard to privacy risks related to the increased implementation of ICT in the healthcare sector.

Blacklist
The Dutch website "Geencommentaar.nl" ("Nocomment.nl") is a publicly accessible weblog which allows visitors to post reactions to various messages.

On September 10, 2008, the website opened a separate sub-website, "Bluf 2008", where visitors could express their support for the magazine "Bluf!" via a petition.

The same day, another weblog, "Geenstijl.nl" ("Nostyle.nl"), reacted by asking its visitors to sign the "Bluf!" petition (and in doing so, influence the petition).

Geencommentaar.nl afterwards confirmed that it had expressly initiated the petition concerned in order to obtain the IP address of "cyberhooligans" (among which it counted the Geenstijl.nl signatories of the petition), known for trying to influence online petitions or discussion fora in general, so as to compile a blacklist and exclude them afterwards from discussion fora.

Geencommentaar.nl registered the IP-addresses of visitors to the "Bluf 2008" sub-website in the period between September 10 until at least September 19 and composed, without their knowledge, a blacklist of IP-addresses of all individuals who, according to Geencommentaar.nl abused of the possibilities of the website, e.g. by completing a clearly fictitious name and function in the petition.

In addition, other website owners were given access to this blacklist in order to refuse the IP-addresses on the list access to their respective websites. Whereas the other website owners were not given the entire address list, they had the possibility, as from September 19, to check whether a certain IP-address of their own visitors appeared on the list or not. Aside from this "manual" check, it was also possible to perform this verification automatically via the "Geen Stijl IP checker" which allowed each website owner to verify for all his visitors whether their IP address was on the list.

The IP addresses were collected without the knowledge of the persons concerned and the website did not inform them of the purpose of the collection.

The Dutch privacy authorities have investigated the matter and have decided that the processing violated the Dutch Privacy Act. The data processor, owner of Geencommentaar.nl, has informed the Dutch privacy authorities that it immediately destroyed the list and removed from its website the software that allowed the processing of the IP-addresses. In view this voluntary removal, the privacy authorities did not undertake any other further action.

ICT in the healthcare sector
Many healthcare institutions make increasingly use of various kinds of ICT applications to improve the quality of service of patients.

The Dutch privacy authorities have, together with the Dutch Health Care Inspectorate analyzed how Dutch clinics handle the security of data and the application of ICT. In particular, they examined whether the clinics are aware of the security and privacy risks and whether they have adapted sufficient safeguards to minimize these risks. Twenty Dutch clinics have been evaluated, further to a previous study which was published in 2004.

The new study was presented in November 2008 and shows a lack of awareness with regard to the risks which are attached to the use of ICT in clinics. In many cases, data security procedures have not been laid down in a formal policy, and too much is still arranged on an ad hoc basis.

Another significant finding is that staff are not adequately aware of the importance of data security.

Of the twenty clinics examined, nine did not have an 'appropriate level of security' as defined under article 13 of the Dutch Data Protection Act. Five clinics were found to have a security level well below the required standard. Six other clinics had taken some measures, but their security level remained unacceptable.

It was decided that, by inadequately protecting the personal data of patients, considerable risks arose both with regard to the healthcare itself and the privacy of the patient. As an example, the careless handling of login data leads to unauthorized access of privacy sensitive patient data. The report gives the example of a clinic where several members of the staff had accessed the electronic medical file of a patient although they did not belong to the staff treating this patient and therefore did not require these data.

The twenty clinics are now required to explain how they intend to implement an appropriate level of data security. They must submit an "Action Plan" to both the Health Care Inspectorate and the Dutch Data Protection Authority, discussing the intended remedial action and the date by which all measures will be implemented. If they fail to submit this plan, or if the content of the plan is deemed unsatisfactory, enforcement action will be taken. The Health Care Inspectorate further intends to request all other clinics in the Netherlands to produce an "Action Plan".

Conclusion
These two cases again underline the increased activity of national data protection authorities in Europe.

The focus on the multimedia and new technologies' sector is again confirmed by the first decision of the Dutch Data Protection Authority. The issue of blacklists is closely watched throughout Europe and website owners and other economic actors should be very careful when considering any such a processing of personal data.

The health care sector also is a sector where one can expect a lot of attention of local privacy authorities in the near future, given the sensitive nature of the personal data concerned, the increased computerization and outsourcing of handling patient data and possible healthcare risks. All actors in the healthcare sector, including, for instance, service providers dealing in some way or another with patient data for clinics or individual healthcare providers, are concerned.

For more information, contact: Frederik Van Remoortel or Thomas De Meese.

---

Commission consultation on responses to computer attacks and ENISA's report on information security awareness in the financial sector

Information security is high on the European agenda. The European Commission has recently launched a consultation on how it can strengthen the European Union’s response to computer attacks. Only two weeks later the European Network and Information Security Agency (ENISA) published its report about Information security awareness in financial organizations …

Introduction
From the finding that responses to cyber-attacks from individual countries are inadequate, the European Commission decided to hold an online consultation that is closing in January of next year. The results of this consultation will be used to determine whether or not a coordinated policy will form a part of planned reforms in the field of telecoms.

Online consultation
The Commission's online consultation is open for all citizens and organizations. The Commission seems interested in all kinds of security incidents, including both accidental and voluntary security breaches.

The consultation itself is divided into three types of questions: (i) challenges to network and information security; (ii) key priorities for a possibly modernized network and (iii) information security policy. The last part of the questionnaire is about the means that are needed to address the challenges.

The only compulsory question of the entire consultation is whether or not ENISA is still the right instrument to prevent, address and respond to network and information security problems. Therefore, it is not unlikely that the results of this consultation might be used at a discussion about the future of ENISA.

ENISA's report on information security awareness in financial organizations
In its report on information security awareness in financial organizations, ENISA states that the loss caused by theft of customer information and costs of security incidents response is rising.

The main goal of the report is to provide financial organizations with a tool to improve understanding of the importance of data loss and to prepare and implement awareness raising and training programs. ENISA's report advises companies to significantly reconsider their approaches to data security and provides practical advice on how to achieve this.

Although the report targets the financial sector, it can also be a useful instrument for other industries.

Links:

• ENISA - European Network and Information Security Agency

For more information, contact: Jan Janssen or Thomas De Meese.

---

Binding Corporate Rules to become more attractive

The Article 29 Working Party has issued a structure for the drafting of Binding Corporate Rules (“BCRs”). Moreover, 9 Data Protection Authorities recently agreed on the mutual recognition of decisions approving BCRs. These actions take BCRs one step closer to being a true alternative to the standard contractual clauses.

Introduction
As a rule, a transfer of personal data to a non-EU Member State is only allowed if an adequate level of protection is ensures in that state. However, even if this is not the case, such a transfer will be allowed if inter alia adequate safeguards are offered by the data controller. To that regard, various tools are at hand to the data controller, such as incorporating the European Commission's standard contractual clauses into a contract or adopting BCRs.

The problems with BCRs
BCRs are a set of rules adopted by a group of companies which provide in a binding framework for data processing within the group.

Only a few group of companies have chosen to adopt BCRs. That is because BCRs still need to be approved by the Data Protection Authorities of all the Member States where personal data are processed by the group of companies. Obtaining approval in various Member States may prove to be a very resource- and time-consuming process, even more so as there were no guidelines as to when BCRs offer adequate safeguards.

BCRs going forward
Earlier this year, the Article 29 Working Party has partially overcome one problematic aspect of BCRs. In a working document, the Article 29 Working Party suggested a structure for BCRs in an attempt to make drafting BCRs easier.

In October 2008, 9 Data Protection Authorities agreed to mutually recognize their decisions approving BCRs. The concerned Member States are France, Germany, Ireland, Italy, Latvia, Luxembourg, the Netherlands, Spain and the United Kingdom.

These actions certainly make BCRs a more attractive tool for groups of companies operating in these Member States. However, BCRs will only become a true alternative to the standard contractual clauses if all EU Member States agree to mutually recognize their decisions on this matter.

Link:

• Working Document Setting up a framework for the structure of Binding Corporate Rules [PDF]

For more information, contact: Olivier Van Droogenbroek or Thomas De Meese.