What's the punishment under EU data privacy laws if indeed user data
was handed over without authorization as is claimed?

Cheeni

http://www.techcrunch.com/2009/05/22/deny-this-lastfm/

Deny This, Last.fm
by Michael Arrington on May 22, 2009

A couple of months ago Erick Schonfeld wrote a post titled “Did
Last.fm Just Hand Over User Listening Data To the RIAA?” based on a
source that has proved to be very reliable in the past. All hell broke
loose shortly thereafter.

Before posting Erick reached out to the RIAA, Last.fm and parent
company CBS for comments. The only response was from CBS - “To our
knowledge, no data has been made available to RIAA.” The CBS
spokesperson, Katie Gunion, subsequently emailed us to say “would you
please attribute the statement to Last.fm, it is currently reading as
though CBS issued the statement.” Gunion’s email lists her title as
Public Relations, CBS Interactive, and her first statement did not
name Last.fm (this is important, see below). A subsequent statement by
Shannon Jacobs, VP of Communications at CBS: “this is a last.fm issue,
as far as I am concerned. It is not a corporate issue. This is a
last.fm issue, not a corporate issue. The posting represents last.fm’s
response.”

After the story broke all concerned parties had no problem commenting publicly.

Last.fm cofounder Richard Jones said “I’m rather pissed off this
article was published, except to say that this is utter nonsense and
totally untrue.” He followed up with a blog post, “Techcrunch are full
of shit”: “I denied it vehemently on the Techcrunch article, as did
several other Last.fm staffers. We denied it in the Last.fm forums, on
twitter, via email – basically we denied it to anyone that would
listen, and now we’re denying it on our blog.” One blog called us a
“tabloid masquerading as a legitimate news outlet.” Lots of others
piled on.

Apart from updating the original post we’ve been quiet on this story.
The person who first leaked the news was terminated from CBS for the
leak, says our original source, and threatened with legal action. He
understandably went very quiet. But the outrageously shrill denials by
Last.fm just didn’t ring true. Once you got past the personal attacks,
the denial language itself was too carefully worded.

Now we’ve located another source for the story, someone who’s very
close to Last.fm. And it turns out Last.fm was telling the truth,
sorta, when they said Erick’s story wasn’t correct.

Last.fm didn’t hand user data over to the RIAA. According to our
source, it was their parent company, CBS, that did it. That
corresponds to what our original source said in conversations we had
after our initial post and before CBS lawyers became involved. But we
didn’t want to update until we had an independent source for that
information, too.

Here’s what we believe happened: CBS requested user data from Last.fm,
including user name and IP address. CBS wanted the data to comply with
a RIAA request but told Last.fm the data was going to be used for
“internal use only.” It was only after the data was sent to CBS that
Last.fm discovered the real reason for the request. Last.fm staffers
were outraged, say our sources, but the data had already been sent to
the RIAA.

Here’s an email from the original source, partially redacted. A
screenshot of this email is here.

Re: touching base

From: [redacted, a CBS employee]
Sent: [redacted]
To: [redacted]

[ _____] We provided the data to the RIAA yesterday because we know
from experience that they can negatively impact our streaming rates
with publishers. Based on the urgency of the request they probably
just wanted to learn more about the leak but who knows. Seriously, can
you blame them? [______] Our ops team provided the usual reports along
with additional log data including user IP addresses. The GM who told
them to do it said the data was for internal use only. Well, that was
the big mistake. The team in the UK became irate because they had to
do it a second time since we were told some of the data was corrupted.
This time they transferred the data directly to them and in doing so
they discovered who really made the request. Shit really hit the fan,
I even got a call [______] Obviously, I can see their POV but what
they don’t understand over there is that we are in the analytics
business and it’s not like this is the first time we’ve provided this
data to a third party. Someone over there should be more forthright
with users about the data policy instead of complaining about BD to
upper management like I’m here trying to destroy the business. We’re
just trying to help them stay afloat here it’s not like Pro
memberships are earning any revenue! [______________] So if you hear
of anything, I’m even open to possibly moving West now for the right
opportunity, let me know.

Our new source, which hasn’t seen this email, says much the same: that
Last.fm didn’t know the nature of the CBS request until after the data
was sent and that the data was in fact subsequently sent by CBS to the
RIAA. This source’s information comes directly from Last.fm employees
who he has spoken with.

It’s important to note that while sources are in agreement that it was
the RIAA that made the request, it may have been one or more music
labels acting independently. The suggestion in the email above that
the compliance was made because of the ability for the requester to
negatively impact streaming rates suggests it was a label request. But
the end result is the same.

We believe CBS lied to us when they denied sending the data to the
RIAA, and that they subsequently asked us to attribute the quote to
Last.fm to make the statement defensible. Last.fm’s denials were
strictly speaking correct, but they ignored the underlying truth of
the situation, that their parent company supplied user data to the
RIAA, and that the data could possibly be used in civil and criminal
actions against those users. We believe that the outrage they aimed at
us for reporting the story, which was materially correct, should have
been aimed at CBS instead. But Last.fm never spoke publicly of the
real facts of the story.

We believe Last.fm and CBS violated their own privacy policy in the
transmission of this data. We also believe CBS and Last.fm may have
violated EU privacy laws, including the Data Protection Directive, and
should be investigated by the appropriate authorities.

And to the CBS employee who was fired and threatened based on this
story - we believe certain U.S. Whistle Blower laws may protect you
from retaliation from CBS in this matter. We’d like to provide you
with legal counsel at our cost.
