On Sat, May 23, 2009 at 2:45 PM, Srini RamaKrishnan <[email protected]> wrote:
> What's the punishment under EU data privacy laws if indeed user data
> was handed over without authorization as is claimed?
>
> Cheeni

How interesting -- I'm working on an update to a Data security law treatise, and while I'm firmly entrenched in the U.S. aspects only, this article does give me an opportunity to speculate on laws across the pond.

Mind you, I'm no EU Data Directive geek, but after a quick reading of the law (substantive portions available here: http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part2_en.pdf), I'm curious whether the law would even attach. There are a lot of holes and unanswered questions, and in the light of discovery, it's quite possible that all of my initial views could be wrong. That being said:

1. To qualify under the Data Directive, data has to be of a personal nature. Personal data are defined as "any information *relating to an identified or identifiable natural person* ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;" (art. 2 a). I'm not sure a username and IP address alone would qualify, but then again, case law may argue otherwise. If anyone knows of such a case, I'd be interested!

2. The Data Directive, under Art. 7, explicitly excludes notification requirements in cases "when processing is necessary for compliance with a legal obligation to which the controller is subject." If this was in response, say, to a legitimately-crafted DMCA Sec. 512 takedown notice, then I think CBS' actions, while repugnant, would seemingly be in the clear.

3. I haven't perused Last.fm's privacy/ToS policies in a while, but assuming they added language in the agreement permitting the disclosure of userids/IP addresses in response to a request by their contracting licensees (e.g., the record companies) for infringement purposes, I'm not sure that disclosure by the parent would trigger liability under the data directive.

Admittedly, this does make for one hell of an interesting legal question! Interesting stuff.

Carey
(who is up to her eyeballs in hackers, lawsuits and the Computer Fraud and Abuse Act)
