Internet DatingA booming & risky business?
Ewout Keuleers
Attorney-at-law at the Bar of BrusselsResearcher at the Centre for Computer and Law, CRID
Internet Dating Conference – Nice, 15 July 2004
[email protected] www.ulys.net
Introduction & overview
Privacy and data protection: Social network based on profiles Sensitive data & etnical/religious/sex dating
Advertising SPAM : electronic mail – E-card – newsletter Consumer protection Protection of minors
Electronic commerce: Regulatory framework General obligations for online services (ISS)
General & sector specific regulations
General: 95/46
Protection of personal data
General principles
Sensitive data
Scope?Online and offline
Public & private networks
Specific 2002/58
Privacy & electronic communications
Specific obligationsCookies & spyware
spam & E-Cards
Scope?Communication service
Public networks
1. General Protection: Directive 95/46 Scope: customer « profile » 9 Principles of Data protection
Case Studies - specific issues Privacy Policy Unique Service Point & cross-profiling Disclosure of data - testimonials Etnical/religious/ sex Dating
Sensitive data
1. Directive 95/ 46: Scope (1.2) Processing of personal data social network is based on matching registered
profiles « personal data »
Information concerning a data subject identifiable natural person
Direct or indirect Controller or third party
IP address? [email protected] ?
« Processing » « Any » operation performed upon personal data
Profile/contact information/ demographic data = personal data
Directive 95/ 46: Scope (1.3)
Processing of personal data & « adult » sites
Do not expose minors to harmful or « explicit » content
Online identification of persons: AVS procedure
profile will contain more detailed personal information on customer
1. Directive 95/ 46 -
General Principles (1.4) Data must be : fairly and lawfully processed ; processed for specified, detailed and legitimate purposes ; adequate, relevant and not excessive ; accurate ; not kept longer than necessary ; processed in accordance with the data subject's rights ; secure and remain confidential ; not transferred to countries without adequate protection
(outside EU) ; processing activities « must » be notified to the supervisory
authority.
Case Study 2: Unique Service Point
Dating sites have great commercial potential
Generate traffic
Customer DB with profiles
Can I share ‘customer’ information with third parties?
Can I use the profiles for (targetted) advertising purposes?
Case Study 3: disclosure of data
Testimonial HeatherAge : 27 - Alabama
“Dear Matchamerica.com,
We are happily married and enjoying the many blessings of being parents. If not for your website our happiness would not have happened. Best of luck to all.”
Chat, forum, testimonials, etc.
Testimonial – disclosure of data“Our wedding was on October 4, 2003, in St. Dorothy's Church, Drexel Hill, PA. Jeri and I met in late February of this year on catholicsingles.com. She had been on the web site during 2002 without much success. I had been on at around the same time and met some very nice ladies, but nothing clicked.
Our first meeting was for mass and breakfast across the street. One thing led to another; in June we both asked each other "Will you marry me?"; we both said yes, and the rest is history.Thank you for all that your web site did for two middle-aged people who had had successful marriages, were widowed much too soon, and were blessed by God to find happiness again. -Joe & Jeri Santine”
Disclosure of personal data Broad an open notion of « processing » includes
« disclosure by transmission, dissemination or otherwise making available »
Must be careful if you disclose personal information in a newsletter or on your website, e.g., personal contact details, names
Lindqvist case (Sweden –European Court of Justice, 2003)
Publication on the internet
Transfer to « third country »?
1. Directive 95/ 46: sensitive data (1.5)
Sensitive data: (art 8) « personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life. »
Direct and indirect
information on sexual orientation or a disease?
1. Directive 95/ 46 : sensitive data (1.6) Very strict regime:
No processing allowed unless limited exception Exceptions:
protect the vital interests of the data subject? the purposes of preventive medicine, medical
diagnosis, the provision of care or treatment or the management of health-care services?
Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority?
Explicit consent of data subject Member State?
Advertising - Content (2.1)
In contrast to some sectors, e.g, gambling, tobacco, etc., no particular restrictions, except for minors!
EU regulatory framework for consumer protection and « publicity »
Proposal Directive on Unfair Commercial Practices (June 2004)
Directive on electronic commerce Directive on distance selling Directives on misleading & comparative advertising.
Advertising - Content (2.2)
“Unfair Commercial Practice” The practice is contrary to the requirements of
professional diligence; The practice materially distorts consumers’ behavior. Average consumer
“Misleading practices” Claiming to be a signatory to a code of conduct when the trader is not. "Bait advertising" scams (advertising a product as a special offer without
actually having it in stock, or having only a token stock of the product) Stating that a product can legally be sold when it cannot. Materially misrepresenting the risk to the consumer or his family if the
consumer does not purchase the product. Describing a product as “gratis”, “free”, “without charge” or similar if the
consumer has to pay anything other than the unavoidable cost of responding and collecting or paying for delivery.
“Aggressive practices” Creating the impression that the consumer cannot leave the premises
until a contract is formed. Conducting personal visits to the consumer’s home ignoring the
consumer's request to leave or not to return. Demanding payment for products supplied by the trader, but which were
not solicited by the consumer (inertia selling).
Advertising - Content (2.3)
Advertising social network services for « adults »
☻Exposure of minors to harmful content
☻Infringing public order and morality
Advertising - Content (2.4)
Dating site as UPS: link/ banner for other services
‘illegal’ service, e.g., Mail Order Bride Sites, remote gaming or online pharmacies
Advertising - Content (2.5)
Advertising – Support (2.7) Specific regulation for some media
Written press, freedom to provide goods TV (Bacardi Case – TWF Directive) Radio Internet? iDTV? 3G?
Specific regulation for traditional media does (not) apply, only general (or) technology neutral regulation does?
Electronic mail
“any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient”
EU Framework for commercial communications Electronic Commerce Directive
commercial communications “any form of communication designed to promote, directly or indirectly, the goods, services or image of person pursuing a commercial activity”
Legal regime Article 6: Commercial Communication: Information to be provided
The commercial communication must be identified as such
The natural or legal person on whose behalf the commercial communication is made, must be identified
promotional offers, such as discounts, premiums and gifts, shall be clearly identifiable as such, and the conditions which are to be met to qualify for them shall be easily accessible and be presented clearly and unambiguously
EU Framework for commercial communications Electronic Commerce Directive
Article 7 : Unsolicited commercial communications – SPAM
Spam must be identified in a clear and unambiguous
way, as from the moment of reception on Service providers must respect opt-out registers
Article 16 : Codes of Conduct or other self-regulatory instruments
Misleading practice
EU Framework for commercial communications Privacy Issues: Directive 2002/58/EC
Unsolicited Communications: article 13 : Principle: OPT IN : must give their prior consent :
Electronic mail: email, sms, mms…pop up? Banner ? Newsletter? How to obtain a prior valid consent?
Exception: OPT-OUT if : Existing commercial relationship Same natural or legal person Similar products or services Consumer is given the opportunity to refuse reception (opt-out)
Upon registration you ask your customer whether he/she wants to receive information on your services
Case study: refer a friend & E-card
E-cards & Opt-in?
Spam or private correspondance?
Broad notion of
« commercial communication »
« electronic mail »
EU Framework for commercial communications Privacy Issues: Directive 2002/58/EC
Cookies, Spyware, hidden identifiers and other similar devices Legitimate purposes User must be informed on the installation, on its purposes: promotion of gaming activities? Users should have the opportunity to refuse to have a cookie User should receive user-friendly information on how to refuse installation
US ‘Gator’ cases (2003)
EU Claria (Hertz – March 2004)
Closing remarks and conclusion
Booming industry with great potential
Trust and confidence are key factors
Process profiles in compliance with privacy regulations, in particular when dealing with sensitive data
Be transparent and inform customer on his rights (e-commerce, distance selling, data protection)
Adopt reasonable measures to prevent exposure of minors to adult or harmful content