Internet DatingA booming & risky business?

Ewout Keuleers

Attorney-at-law at the Bar of BrusselsResearcher at the Centre for Computer and Law, CRID

Internet Dating Conference – Nice, 15 July 2004

Ewout.keuleers@ulys.net www.ulys.net

Introduction & overview

Privacy and data protection: Social network based on profiles Sensitive data & etnical/religious/sex dating

Advertising SPAM : electronic mail – E-card – newsletter Consumer protection Protection of minors

Electronic commerce: Regulatory framework General obligations for online services (ISS)

Data Protection & Privacy

EU framework

General & sector specific regulations

General: 95/46

Protection of personal data

General principles

Sensitive data

Scope?Online and offline

Public & private networks

Specific 2002/58

Privacy & electronic communications

Specific obligationsCookies & spyware

spam & E-Cards

Scope?Communication service

Public networks

1. General Protection: Directive 95/46 Scope: customer « profile » 9 Principles of Data protection

Case Studies - specific issues Privacy Policy Unique Service Point & cross-profiling Disclosure of data - testimonials Etnical/religious/ sex Dating

Sensitive data

1. Directive 95/ 46: Scope (1.2) Processing of personal data social network is based on matching registered

profiles « personal data »

Information concerning a data subject identifiable natural person

Direct or indirect Controller or third party

IP address? 007@hotmail.com ?

« Processing » « Any » operation performed upon personal data

Profile/contact information/ demographic data = personal data

Directive 95/ 46: Scope (1.3)

Processing of personal data & « adult » sites

Do not expose minors to harmful or « explicit » content

Online identification of persons: AVS procedure

profile will contain more detailed personal information on customer

1. Directive 95/ 46 -

General Principles (1.4) Data must be : fairly and lawfully processed ; processed for specified, detailed and legitimate purposes ; adequate, relevant and not excessive ; accurate ; not kept longer than necessary ; processed in accordance with the data subject's rights ; secure and remain confidential ; not transferred to countries without adequate protection

(outside EU) ; processing activities « must »  be notified to the supervisory

authority.

Case study 1

Privacy Policy

Case Study 2: Unique Service Point

Dating sites have great commercial potential

Generate traffic

Customer DB with profiles

Can I share ‘customer’ information with third parties?

Can I use the profiles for (targetted) advertising purposes?

Case Study 3: disclosure of data

Testimonial  HeatherAge : 27 - Alabama

“Dear Matchamerica.com,

We are happily married and enjoying the many blessings of being parents. If not for your website our happiness would not have happened. Best of luck to all.”

Chat, forum, testimonials, etc.

Testimonial – disclosure of data“Our wedding was on October 4, 2003, in St. Dorothy's Church, Drexel Hill, PA. Jeri and I met in late February of this year on catholicsingles.com. She had been on the web site during 2002 without much success. I had been on at around the same time and met some very nice ladies, but nothing clicked.

Our first meeting was for mass and breakfast across the street. One thing led to another; in June we both asked each other "Will you marry me?"; we both said yes, and the rest is history.Thank you for all that your web site did for two middle-aged people who had had successful marriages, were widowed much too soon, and were blessed by God to find happiness again. -Joe & Jeri Santine”

Disclosure of personal data Broad an open notion of « processing » includes

« disclosure by transmission, dissemination or otherwise making available »

Must be careful if you disclose personal information in a newsletter or on your website, e.g., personal contact details, names

Lindqvist case (Sweden –European Court of Justice, 2003)

Publication on the internet

Transfer to « third country »?

Sensitive

data

1. Directive 95/ 46: sensitive data (1.5)

Sensitive data: (art 8) « personal data revealing racial or ethnic origin,

political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life. »

Direct and indirect

information on sexual orientation or a disease?

1. Directive 95/ 46 : sensitive data (1.6) Very strict regime:

No processing allowed unless limited exception Exceptions:

protect the vital interests of the data subject? the purposes of preventive medicine, medical

diagnosis, the provision of care or treatment or the management of health-care services?

Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority?

Explicit consent of data subject Member State?

Media & Advertising law

Advertising - Content (2.1)

In contrast to some sectors, e.g, gambling, tobacco, etc., no particular restrictions, except for minors!

EU regulatory framework for consumer protection and « publicity »

Proposal Directive on Unfair Commercial Practices (June 2004)

Directive on electronic commerce Directive on distance selling Directives on misleading & comparative advertising.

Advertising - Content (2.2)

“Unfair Commercial Practice” The practice is contrary to the requirements of

professional diligence; The practice materially distorts consumers’ behavior. Average consumer

“Misleading practices” Claiming to be a signatory to a code of conduct when the trader is not. "Bait advertising" scams (advertising a product as a special offer without

actually having it in stock, or having only a token stock of the product) Stating that a product can legally be sold when it cannot. Materially misrepresenting the risk to the consumer or his family if the

consumer does not purchase the product. Describing a product as “gratis”, “free”, “without charge” or similar if the

consumer has to pay anything other than the unavoidable cost of responding and collecting or paying for delivery.

“Aggressive practices” Creating the impression that the consumer cannot leave the premises

until a contract is formed. Conducting personal visits to the consumer’s home ignoring the

consumer's request to leave or not to return. Demanding payment for products supplied by the trader, but which were

not solicited by the consumer (inertia selling).

Advertising - Content (2.3)

Advertising social network services for « adults »

☻Exposure of minors to harmful content

☻Infringing public order and morality

Advertising - Content (2.4)

Dating site as UPS: link/ banner for other services

‘illegal’ service, e.g., Mail Order Bride Sites, remote gaming or online pharmacies

Advertising - Content (2.5)

Advertising - Content (2.6)

Advertising – Support (2.7) Specific regulation for some media

Written press, freedom to provide goods TV (Bacardi Case – TWF Directive) Radio Internet? iDTV? 3G?

Specific regulation for traditional media does (not) apply, only general (or) technology neutral regulation does?

Electronic mail

“any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient”

Commercial Communications

Online privacy protection

EU Framework for commercial communications Electronic Commerce Directive

commercial communications “any form of communication designed to promote, directly or indirectly, the goods, services or image of person pursuing a commercial activity”

Legal regime Article 6: Commercial Communication: Information to be provided

The commercial communication must be identified as such

The natural or legal person on whose behalf the commercial communication is made, must be identified

promotional offers, such as discounts, premiums and gifts, shall be clearly identifiable as such, and the conditions which are to be met to qualify for them shall be easily accessible and be presented clearly and unambiguously

EU Framework for commercial communications Electronic Commerce Directive

Article 7 : Unsolicited commercial communications – SPAM

Spam must be identified in a clear and unambiguous

way, as from the moment of reception on Service providers must respect opt-out registers

Article 16 : Codes of Conduct or other self-regulatory instruments

Misleading practice

EU Framework for commercial communications Privacy Issues: Directive 2002/58/EC

Unsolicited Communications: article 13 : Principle: OPT IN : must give their prior consent :

Electronic mail: email, sms, mms…pop up? Banner ? Newsletter? How to obtain a prior valid consent?

 Exception: OPT-OUT if : Existing commercial relationship Same natural or legal person Similar products or services Consumer is given the opportunity to refuse reception (opt-out)

Upon registration you ask your customer whether he/she wants to receive information on your services

Case study: refer a friend & E-card

E-cards & Opt-in?

Spam or private correspondance?

Broad notion of

« commercial communication »

« electronic mail »

EU Framework for commercial communications Privacy Issues: Directive 2002/58/EC

Cookies, Spyware, hidden identifiers and other similar devices  Legitimate purposes User must be informed on the installation, on its purposes: promotion of gaming activities? Users should have the opportunity to refuse to have a cookie  User should receive user-friendly information on how to refuse installation

US ‘Gator’ cases (2003)

EU Claria (Hertz – March 2004)

Closing remarks and conclusion

Booming industry with great potential

Trust and confidence are key factors

Process profiles in compliance with privacy regulations, in particular when dealing with sensitive data

Be transparent and inform customer on his rights (e-commerce, distance selling, data protection)

Adopt reasonable measures to prevent exposure of minors to adult or harmful content

Ewout.keuleers@ulys.netwww.ulys.net

Q&

AEwout.keuleers@ulys.net www.ulys.net