Over the past few days it has been reported in various places that the European Union is extending its privacy investigations to include music players, meaning that Microsoft is in the frame again, this time alongside Real. The reports, however, are not strictly true (we accept that headline-hungry sub-editors will have had something to do with them). The EU is indeed looking at media players, but it is doing so as part of a far wider-ranging effort to nail down privacy protection policy and its implementation.
A little less sexy, perhaps, but more significant. The soundbite that got them all going appears in a working document of the Data Protection Working Party of the European Commission, whose brief is to figure out, on an ongoing basis, how EU law on data protection should be applied. As new technologies and new implementations come along, it considers them and how they should fit into law that already exists. And actually, this does sound like a most excellent job, part blue-skying about weird new Internet stuff, part evolving the law to cater for it.
Anyway, here's the sound-bite before we get onto the really important stuff. European law would "apply to information collected through spywares, which are pieces of software secretly installed in the individual's computer, for instance at the occasion of the downloading of bigger software (e.g. a music player software), in order to send back personal information related to the data subject (e.g. the music titles the individual tends to listen to)."
The clunkiness of the wording is no doubt a consequence of the EU's translation systems, but you get the drift, if not the context. Clearly it applies to music player software, but equally clearly music player software suppliers will hotly deny that they're the purveyors of spyware as defined by the Working Party. Secretly installed? Good heavens no, it clearly states in very small type 12 levels down on our web site that we are doing this solely for market research purposes and that you can very easily decline to participate.
Well, that doesn't entirely cut ice with the Working Party:
"The collection [of data] must be based on a legitimate ground (unambiguous consent, performance of a contract, compliance with a legal obligation, in pursuance of legitimate interests of the controller etc) and the individual has the right of access to and the rectification or erasure of his personal data."
The controller, by the way, is how the working party defines the individual, group, company official etc responsible for collecting the data, but it's clear from the above that permission has to be actively sought, that the circumstances in which personal data can be collected are being tightly defined, and that access has to be a deal wider-ranging than we're used to.
This is all stuff the Working Party is considering, so it's work in progress, not yet cast in stone, and in some cases will overlap with other pieces of developing European law (the overall war on cookies, for example). But as the law gets firmed up and implemented, it will clearly mean changes in the practices of various companies and web sites.
Who cares outside Europe? Well, the document we've been quoting from is entitled "Working document on determing the international application of EU data protection to personal data processing on the Internet by non-EU based web sites," and makes specific reference to the application of the US COPPA law's provision for coverage of "foreign web sites collecting personal information from children on US territory." Which is sort of getting your retaliation in early, but the objective is not so much to apply European privacy law outside of Europe as to determine that an appropriate privacy law of some sort is applied. As US privacy law is frequently deemed less than appropriate in European terms, this, ahem, could still cause a few problems.
In addition to applying European law to cover foreign companies processing data on EU citizens, the Working Group sees it as possible that under certain circumstances privacy law could be applied to protect individuals who are not EU citizens. So how does that work? "The country of origin principle, which is linked to the establishment of the controller, can no longer serve the purpose of determining the applicable law... it is also imaginable that controllers locate their establishment outside the EU in order to bypass the application of EU law."
The principle used instead is the location of the equipment used to process the data. Specifically, this does not cover routing equipment, just processing equipment, but if I've put a cookie on your computer (and I quite possibly have, sorry) then your computer is the processing equipment. So, the individual could be a US national or a Chinese national" or whatever. This isn't elaborated, but it seems pretty clear that you could be a non-EU citizen in a non-EU country and still be covered, if processing took place in the EU. You could even, in those circumstances, be a US citizen situated in the US taking action against a US company under EU law.
It is, as we said earlier, a bit of a blue-skying exercise, but fascinating nevertheless as a boffinish attempt to cover the territory. Or indeed the extraterritory. The document's conclusions stress that "a high level of protection of individuals can only be assured if web sites established outside the European Union... respect the guarantees for personal data processing... recognised at European level." It also puts forward "the development of a programme for the promotion of European data protection rules in a pragmatic way," and suggests a "European system of labels/web seals, open also to non-EU web sites." Which actually sounds rather intriguing... ®
The working document