Full Disclosure
Joel Harrison
ukcrypto at chiark.greenend.org.uk
Mon, 28 Apr 2008 23:28:49 +0100
On Mon, Apr 28, 2008 at 7:16 PM, Ian Batten <igb@batten.eu.org> wrote:
>
> On 28 Apr 2008, at 16:06, Joel Harrison wrote:
>
> >
> > I realise that. By "retrieve", I mean "retrieve the value of" - what
> > I'm getting at is the action taken by the web server to determine and
> > process the value of the webwise cookie in its domain. Whilst the
> > webwise cookie is sent to the web server automatically, I understood
> > that it would require a deliberate step in the website code to
> > determine the value of the webwise cookie and then do something with
> > it - without that step, the webwise cookie would be sent to the web
> > server but no action would be taken on it.
> >
>
> Not if I'm just dumping the contents of all the cookies associated with my
> domain. Or should all websites keep careful track of all the cookies they
> might potentially have placed, on the off-chance that five years later an ISP
> may be so deranged as to forge additional cookies for no readily apparent
> reason? Phorm and the ISP have together forged the cookie; no-one else is
> under any obligation to help them keep secret what they have placed in plain
> sight.
Can we assume for the purposes of this question that the web server is
located in the UK? Otherwise, a number of different issues get
conflated, and the discussion isn't terribly helpful.
I'll also skip ahead to your second question by saying that this
scenario isn't specifically contemplated in 2002/58/EC or in PECR.
This is, as you say, pretty unsurprising, at least insofar as the
legislation relates to cookies - the legislation isn't limited to
cookies, however, although they do get special mention in the recitals
to the Directive.
What the law says is that this information should not be accessed
unless the purposes of the access have been made clear and the user
has been given an opportunity to refuse. There's no requirement that
the information should be secret or confidential; nor is there any
requirement that it should be personal data within the DPA. Nor is
the law limited, in terms, to accessing cookies that one has placed in
the user's domain oneself - merely accessing the information,
independently of the act of storing the information in the first
place, is prohibited unless certain conditions are met.
As with so much in the privacy sphere, when it comes to enforcement
it's a matter of fact and degree. As I've said, nobody is ever going
to be taken to task for running some code that trawls through all the
cookies in his domain and stumbling upon the value of a webwise cookie
that happens to have been placed there. At the other end of the
scale, if a person were deliberately to look for a webwise cookie in
his domain, read the UID and use that UID to gather additional data
about the user, I expect the ICO would have something to say about
that.
Of course, this focuses on the webwise cookie. Bear in mind that
Phorm is holding up its model as an example of how things should be
done. If its implementation were to be copied, popular websites could
have dozens of cookies placed in their domains by various competing ad
companies. (I believe, though, that there's a limit to how many
cookies most browsers will permit to be associated with a single
domain.) These websites would then be in a position to perform the
same trick across all of these cookies, potentially gathering very
substantial amounts of data about their users.
> >
> > > In any case, this particular web server is in Peru, and what does it now or
> > > care about PECR?
> > >
> >
> > I'm afraid Peruvian privacy law is outside my remit. However, if the
> > web server is located anywhere in the EU then it has to deal with
> > 2002/58/EC, and various other countries now have laws that regulate
> > the use of cookies - so this isn't a UK-specific issue.
> >
> >
>
> Could you tell us what the regulations say about processing cookies marked
> as being in your domain but not actually placed by you? I rather suspect
> they don't cover that case, for fairly obvious reasons.
See above.
> Moreover, if you hand DPA-regulated data to an offshore location that
> doesn't have equivalent legislation, the responsibility is on you.
Where did you get that from? The situation isn't that straightforward.
There are certain conditions that must be met in order for a transfer
of personal data outside the EEA to be lawful - see Schedule 4 to the
DPA. A transfer that doesn't meet at least one Schedule 4 condition
is unlawful and, yes, the transferor is liable for the breach of the
DPA.
If I (as data controller) make a permitted controller-to-processor
transfer outside the EEA then, again, I'm responsible for whatever the
processor does. But that's no different from a transfer to a
processor in another EEA member state, or indeed if the data remains
within the same EEA member state. (This is, incidentally, why the
previous Information Commissioner took the view that all
controller-to-processor transfers outside the EEA were OK; but that
view has long since been withdrawn.)
However, if I make a permitted controller-to-controller transfer
outside the EEA (say, if I'm selling copies of my mailing list and
have obtained permission for this from the data subjects), I'm not
automatically responsible for what the receiving organisation then
does with the data. The EU's model clauses for
controller-to-controller transfers do provide that the transferor is
jointly liable with the transferee for any foul-ups by the transferee
(among other things), but this only applies if the EU's model clauses
are being used - and if the transferor is using an alternative legal
basis (e.g. relying on the data subjects' consent), the model clauses
aren't even relevant.
> > You might also be interested to know that in its recent opinion on
> > search engines, the Article 29 Working Party expressed the view that
> > merely reading or writing cookies from/to the web browser of a user
> > located in the EU was sufficient to bring an undertaking's processing
> > of personal data within the scope of the Data Privacy Directive. So
> > your Peruvian web site would be subject to EU privacy law if it was
> > accessed by users from within the EU. Of course, there are legal and
> > practical issues to do with enforcement, but this doesn't seem like
> > the place to go into them in detail.
> >
>
> So if I run a Peruvian web server selling Alpaca rugs, which has no truck
> with cookies, but Phorm (of whom, being an Andean peasant, I have never
> heard) forge cookies in my domain, who is responsible to whom under Article
> 29?
What a magnificent question!
For starters, nobody is responsible here under Article 29 - that's
just the provision of the DP Directive under which the Working Party
is established. But that really is beside the point.
Strictly speaking, on the Article 29 Working Party's view Phorm and
the ISP are making the Peruvian rug-seller an unwitting data
controller - but I wouldn't get carried away with this, because the
sufficiency of using cookies as a basis for engaging the DP Directive
hasn't been tested in court, and what a court would say where the use
of cookies is unintentional is anyone's guess. More importantly,
though, the ISP and Phorm are setting up a situation in which personal
data will be exported outside the EEA (here, to Peru), almost
certainly without the data subject's consent (and certainly without
the data subject's informed consent, because he has absolutely no clue
that any of this is going on). Now, this may be harmless enough in
practice if the Peruvian rug-seller is, as you say, no fan of cookies.
But what if he is an habitual examiner of cookies, who delights in
reading the values of whatever cookies he can get his hands on
(augmenting this with information about the ads that the UID
generates, just for good measure), safe in the knowledge that, whilst
he may technically fall within the scope of the DPA, the chances of a
visit from the ICO are pretty slim? Will I now receive little flyers
for books on Peruvian privacy law together with my rugs?
>
>
> ian