data it law May 2016: bitcoin anonymity or ad blockers blockers in the EU

The overview of interesting Data & IT Law articles and news in May 2016!

The challenge to ad blockers ‘blockers’ in the EU

The internet users have a possibility to block the ads and browse the web without pop-ups and adverts with ad blockers. On the other hand, these programs represent a serious thread for online businesses, as they make online marketing and revenue generation much harder.

Therefore, some companies developed ad blocker blockers – they either employed new technology to block them or ask users to switch ad blockers off. Sometimes, they block an access to users who refused. However, as Financial Times describes in its article, such blockers may violate privacy regulation. “EU rules concerning online privacy, popularly known as the “cookie directive”, dictate that if a website stores or accesses information on someone’s computer, they must first gain consent (…) (T)his rule should apply to the technology used by companies to detect if someone is using an ad blocker.”

The article at Cointelegraph refers to another EU legislation, supporting the use of ad blockers: “the recommendations of Recital 66 of 2009/136/EC which states that a citizen may use settings of a web browser or other applications as a means to indicate whether or not they consent to web sites storing and/or accessing stored information on their devices.”

New Data Protection Law in Turkey

Turkey had enacted its first complex Data Protection Law No. 6698 and published it in April. The basis for the legislation is the EU Data Protection Directive (for more information, see dataitlaw article here), introducing legal definitions of personal data, data controller, etc.

However, according to an article in Technology Law Dispatch, it includes “some novelties such as a definition of ‘explicit consent’, which has been lacking under EU law.” The law establishes two new bodies too: The Personal Data Protection Authority and the Board of Personal Data Protection. They have various rights, including a power to impose fines.

The law also covers the cross-border data transfers. According to an article at CEE Legal Matters, “(p)ursuant to Art 9, Personal Data may only be transferred abroad after obtaining a Data Subject’s explicit consent (…) However, the Law sets forth further safety measures relating to cross-border transfers in accordance with such exceptional cases: The destination country must have any adequate level of protection, which is to be determined by the Authority, otherwise the Data Controller in Turkey and the data importer abroad have to commit in writing to provide an adequate level of protection, which is to be approved by the board of the Authority.”

The Guide for obtaining consent from German Data Protection authorities

Getting consent of the user is often the main method, how to make the data collection and processing legal. Duesseldorfer Kreis, an association of the German Data Protection authorities, published a guidance for obtaining a consent legally.

The authors at b:inform analyzed the guidance in more detail. Some principles for obtaining a legal consent:

• A valid consent requires clear and unambiguous wording, so that data subjects understand that they are consenting to certain data processing activities.
• The consent wording must inform data subjects in a transparent and easy-to-understand manner about the relevant data processing activities.
• Generally, opt-in is required, pre-ticked boxes or other opt-outs are not sufficient.
• The consent wording – if embedded in a broader contractual declaration – should generally be placed directly above the signature line. Only in certain cases (e.g., where health data is collected), a valid consent might require a separate signature .
• The consent wording must be clearly recognisable as such. It must not be mixed with general information on data processing without being separated out and prominently featured (e.g., by bold or different coloured text).

There was also another interesting article on obtaining consent from Canadian context. It analyses three specific scenarios and what would be the proper legal solution of them.

Bitcoin and Blockchain – is anonymity enough?

An interesting article at Finextra dealt with the issue of money laundering, Bitcoin and privacy. According to the article, the problem is that: “Bitcoin with its blockchain presents itself as privacy and transparency innovations for financial transactions. However, they beg the observations: if an anonymous ledger is made public, the transparency advantages are lost; and if a ledger containing personal data is published, the transparency objective is achieved at the expense of privacy and the protection of personal data. (…) The identification of beneficial owners lies at the heart of the fight against money laundering, and without it, any legal or technical measure would become ineffective. However, this step does not equal a carte blanche for financial institutions with regard to fundamental rights and data protection.”

The author finally argues that only a data protection by design attitude would be the solution to balance both goals. “Take for example, a technical rule regarding the use of an account and the identification of the user that grows in correlation with the amount of money transferred or deposited to an account. This type of rule would give access and allow users to remain anonymous for transactions of low or insignificant risk, and block the account and require the identification of beneficial owners once certain ceilings have been reached.”