[doc. web. n. 1116787]
[doc. web. n. 1109503]
Interactive TV: Measures That Are Both Necessary and Appropriate to Bring Processing Operations into Line with the Legislation in Force - February 3, 2005
THE GARANTE PER LA PROTEZIONE DEI DATI PERSONALI
Having convened today, in the presence of Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr. Mauro Paissan, Members, and Mr. Giovanni Buttarelli, Secretary General;
Having considered the claims and reports submitted with regard to the processing of personal data related to the provision of interactive and/or conditioned-access TV services;
WHEREAS it is necessary to set forth some measures that are both required and appropriate in order to bring the processing of the aforementioned data into line with the legislation in force (Section 154(1), letter c), of the Personal Data Protection Code);
HAVING REGARD to the documents acquired via both the on-going investigations and the public consultation performed;
HAVING REGARD to the considerations made by the Secretary General pursuant to Section 15 of the Garante's Regulations No. 1/2000;
ACTING on the report submitted by Mr. Mauro Paissan,
1. New Television Services
The growing integration of the most recent technologies as implemented in TV-programming, electronic communications, and computer science makes available innovative products and services also based on the development of digital technologies. Users and subscribers can benefit from several products, including interactive products, that are accessible either via terrestrial and/or satellite means or via cable, by availing themselves either of payment-based - i.e. sign-up, pay-per-view, video-on-demand, etc. - solutions or of other conditioned-access means.
In order to obtain such services and products, a decoder/set-top-box is required to allow viewing (encrypted) signals; said decoder can be connected with a data communication line (so-called "return channel"), whereby one can communicate with the service provider by means of the remote control and/or an ad-hoc keyboard to send requests and/or information in accordance with different interaction levels. Thus, one can view films and sports events, participate in opinion polls, games and/or tests, customise the programming, access telebanking and/or distance selling services, etc. This means that subscribers and users play active roles in their relationships with providers, interact with them in increasingly customised ways, and are sometimes identified via their own particulars.
The provisions laid down herein apply in principle to all the aforementioned situations as distinguished from the provision of conventional radio and TV broadcasting services, which are offered to the audience at large without identifying the individual users. Therefore, they apply irrespective of the technology that is implemented to provide the given service - i.e. irrespective of the broadcasting technology (analog vs. digital), the payment mode (e.g. via pre-paid cards), or the devices that are used (keypad, remote control, etc.). In the presence of a continuously active return channel, interactive TV services afford increasing opportunities for continuously monitoring and profiling users - as it is unnecessary to repeatedly activate the return channel; therefore, they require increased caution in implementing the provisions set out herein.
This is not the right place to make additional considerations concerning the issues specifically arising on account of the possible involvement of mobile telephony networks, as also related to calling line identification, or else in connection with the offer of other types of service - such as health care services, which entail processing sensitive data, or the initiatives that are currently being tested to enable access to public services, especially at local level, e.g. to apply for administrative certifications and records, carry out database searches, etc. Here specific problems arise in particular as regards data flows, information notices, and consent requests, if any.
The issues that are relevant to the processing of personal data will be taken into account in this provision, given that the need to afford users a high level of protection of their fundamental rights and freedoms as well as of their dignity - which has been set forth in the DP Code (legislative decree no. 196/2003) - was recently re-affirmed by the legislation regulating radio and TV broadcasting (see Section 4(3) of Act no. 112 of May 3, 2004).
The possibility for a subscriber/a user to unknowingly disclose several items of personal information via the return channel, perhaps regarding other users within the family circle, makes it necessary to set forth specific safeguards aimed at preventing unlawful profiling operations and/or the invasive monitoring of personal tastes and habits. Individuals must be in a position to make their choices freely and based on adequate information.
In view of protecting data subjects, the Garante hereby requires data controllers to take some measures that are necessary and/or appropriate for the processing operations to be in line with the legislation in force concerning personal data protection (Section 154(1), letter c) of the Code) and are also applicable to electronic communications (under Title X, Section 121 and following ones) involving identified and/or identifiable subscribers and/or users as recipients (see Section 4(2), letter a)).
2. Data Minimisation and Proportionality
Processing must be compliant with data minimisation, lawfulness, fairness, quality, and proportionality principles as per Sections 3 and 11 of the Code:
- in pursuance of the data minimisation principle set out in Section 3 of the Code, information systems and software shall have to be configured from the start in such a manner as to minimise use of the information concerning identifiable subscribers and/or users. Such information may not be processed if the relevant purposes can be pursued by only using either really anonymous data or indirectly identifying data;
- further to the proportionality principle set out in Section 11(1), letter d), of the Code, all personal data and the various mechanisms implemented to process them in the individual stages and situations where such processing takes place shall have to be relevant and not excessive in respect of the purposes to be achieved.
As for the purchase of a decoder and/or a set-top box, a distinction should be drawn between the situation in which it is necessary to simultaneously establish a contractual relationship with an identified subscriber and the case where this identification - including the possible association between subscriber's name and equipment serial number - is unlawful, for instance because the decoder is only operated via pre-paid non-identifying cards.
If it is specifically provided under the law that the purchaser is to be identified, again it will be necessary to take into account the purposes of such identification - which might be required, for instance, exclusively for taxation purposes in connection with the availability of documents that entitle the purchaser to state-funded benefits. From a data protection viewpoint, setting up databases of the owners of satellite dishes and/or TV aerials is to be also considered unlawful - irrespective of the association between such data and other personal information, which compounds the problem further.
In the light of the safeguards set out in the Code, the use of pre-paid non-identifying cards is preferable to personal subscriptions.
As regards billing, it is unlawful to process personal data concerning connection duration, viewed programmes and events, viewing times and/or interruptions, changes of channel, and the viewer´s behaviour during commercials, except to the extent that this is actually necessary and in line with the necessary mechanisms and timing.
Any request made by the provider to individual users whereby the latter should identify themselves when sending information via the return channel is only lawful if it has been subjected to the Garante's prior checking (under Section 17 of the Code).
In connection with other events entailing the so-called "televoting", no data should be collected and/or stored that can be related to identifiable individuals; this applies from the moment the information transmitted by a user is received, irrespective of whether the questions only concern preferences, tastes and/or habits and no sensitive information is gathered concerning individuals, social events and/or political, religious or trade-union matters. Market surveys, other sample-based surveys, and polls must be carried out anonymously by preventing the inflow of answers relating to identifiable entities; if this is unavoidable on technical grounds, the answers must be anonymised directly after they are collected - which rules out all the more any communication to third parties and/or the dissemination of the personal data.
Finally, not every request made by a user and/or every purchase of products and/or participation in surveys entails per se the processing of sensitive data. If sensitive data are to be collected either on account of the specific information transmitted by users or because of the mechanisms applied to the use of such information (Section 4(1), letter d), of the Code), it should be considered that processing sensitive data is not allowed, as a rule, either to deliver TV services or for the purpose of profiling customers and/or implementing loyalty programmes - apart from the exceptional case in which the processing in question is really indispensable with regard to a specific good or service requested and has also been authorised by the Garante and consented to by the data subject either in writing or by means of electronic networks in a manner that can be equated to the provision of consent in writing. This shall also apply to market surveys, polls and other sample-based surveys (see the Garante's general authorisation no. 5/2004 as published in the Official Journal no. 190 of August 14, 2004).
3. Information Notices
The information notices that are currently provided when applying for smart cards are not suitable in respect of the sensitiveness and complexity of information flows, which may actually concern several users related to the same subscriber and allow tracing back their conduct ex post also within the family circle - i.e. this may be done not only by the provider in connection with its billing activities. Additionally, purposes and mechanisms of the processing might be different in the individual cases as well as over a given time span.
Prior to entering into a contract, the subscriber must be provided with a clear-cut, complete information notice in order to accede to the relevant proposal in full knowledge thereof.
In compliance with the fairness principle (Section 11(1), letter a), of the Code) as well as further to the provisions already issued by this Authority with regard to loyalty programmes (see Provision by the Garante of February 24, 2005, www.garanteprivacy.it), the provider is not allowed to pursue lines of conduct that are liable to impinge on the subscribers' free, informed decisions as to profiling activities that might lead - partly by means of digital codes - to monitoring data subjects' decisions and personal spheres (meaning their tastes, preferences, habits, needs, and choices).
The information provided both upon entering into a contract and thereafter is to be attached special importance because of the risk that a data subject may underestimate and/or misjudge the circumstances.
It is unfair to get a subscriber or a user to provide personal data without affording him or her the explanations and time required to be adequately informed and express - where necessary - his or her informed consent.
The information may be worded in a summary fashion and in a colloquial style, providing the language is clear and unambiguous. The information notice must contain all the items set out in the Code (Section 13(1)) without referring to terms of service that are not attached as for the relevant sections; the nature of the traffic data that are processed and the duration of such processing shall also have to be specified (Section 123(4) of the Code).
If the information notice is contained in a form, it must be adequately highlighted and placed as a separate, unified item in an ad-hoc box; furthermore, it must be easily identifiable compared with such clauses of the terms of service as may be reported either in footnotes or in side notes.
Any natural person that accesses interactive services and/or is enabled to perform conditioned accesses on a case-by-case basis - be it the subscriber or not - must be re-informed quickly and effectively about the possible use of his/her personal data via the display of an initial notice (such as: "This is how we use your personal data"), which should allow accessing a detailed information notice - legible also from a distance - by simply pressing a key.
Processing of personal data, if any, as performed exclusively with a view to delivering requested services must be "necessary to fulfil obligations resulting from a contract to which the data subject is a party". In these cases it is inappropriate for the service provider to request the data subject's consent to the processing, the less so if an all-purpose request is made (Section 24(1), letter b), of the Code).
Where monitoring and/or profiling activities are undertaken, or personal data are meant to be transferred to specific third parties, these circumstances and the respective purposes shall have to be referred to and highlighted in a detailed manner both upon establishing the relevant relationship and prior to dealing with the individual requests for service and/or soliciting responses from users. It should be spelled out that both providing the data and one's consent for the above purposes - as well as with a view to taking part in surveys, which must pursue clearly specified, lawful purposes - are free options as regards the standard practice related to the provision of services and may not be achieved by exerting pressure and/or applying any other type of conditioning.
The graphic interface containing the said additional information for users must also indicate how consent to the specific processing can be given - e.g. by pressing a key.
Communicating sensitive data to the provider in interactive mode should only be possible if the user avails himself/herself of authentication credentials associated with a confidential password.
5. Payments and Billing
Interactive and conditioned-access services may be accessed either for free or on the basis of specific additional payments via pre-paid cards and/or regular debiting arrangements (e.g. based on a subscription or else on pay-per-view schemes).
Whilst the amount to be paid is charged automatically to the pre-paid card, the bill issued to a subscriber may also detail the individual "pay-per-view" events charged.
Since different individuals may access the same TV, i.e. the TV services on offer, the provider must implement adequate measures and strike the appropriate balance between protecting the privacy of the actual users of the services and the need for the subscriber to verify that the bill is correct.
In pursuance of the aforementioned principles relating to data proportionality and minimisation, the data reported in the bill should not be excessive compared with the purpose to be achieved. The subscriber must have the possibility not to receive itemised bills. Pay-per-view services must be billed in terms of total charges, dates and usage costs, whilst the specific "titles" of the individual "events" purchased should only be disclosed following a specific, subsequent request.
6. Data Retention
In providing interactive and/or conditioned access TV services, different data categories are processed for different purposes.
As well as "administrative" data of a general character, data related to the billing of individual items of consumption are sometimes processed, which in some cases can be regarded as "traffic data" (pursuant to Section 4(2), letter h), of the Code) irrespective of whether they are processed by the service provider or else the telephone operator (e.g. the phone number, or the smart card number; starting time and duration of the electronic communication relating to the requested service; etc.). As already pointed out, sensitive data may also happen to be processed.
Further to the aforementioned proportionality principle, data controllers are required to specify maximum data retention periods also in the course of the individual relationships.
The above specification will have to be provided after considering whether data may be lawfully collected and retained under the terms applying to each of the purposes for which the processing is intended, by also taking account of the data subjects' supervening choices - if any.
The principle to be abided by is that any personal data whose retention is unnecessary for the purposes for which it has been collected and subsequently processed must be erased or anonymised (see Section 11(1), letter e), of the Code).
If there is no need to specifically bill individual products and no specific, separate consent has been given to profiling activities, the personal data that can be derived from televoting, opinion polls, purchases, etc. may not be stored and used for either purpose.
Upon expiry of the deadline applying to billing and/or challenging of a bill, the personal data relating to the individual services or programmes that have been purchased must be erased. This also applies to the storage of the data subject's consent - which should only be obtained where it is necessary, as specified above -, to be provided either in writing or by means of electronic networks in a manner that can be equated to the provision of consent in writing.
Also where consent has been acquired specifically, the detailed data on purchases and services may be retained for no longer than twelve months as of their storage in connection with commercial, advertising and/or profiling purposes, regardless of whether they are pursued by third parties or not, unless they are anonymised in such a manner as to prevent data subjects from being identified also indirectly and/or by matching databases. Where it is planned to process the data thereafter, such plans will have to be subjected to the Garante's prior checking as per Section 17 of the Code. If the relationship is terminated, any and all uses of the data for the above purposes will also have to be terminated.
The data retention period after termination of the relevant relationship will have to be set out also with regard to administrative purposes; such period may not be in excess of three months - subject to specific legal obligations related to the keeping of accounting records, which will not have to be claimed inappropriately. This specification will have to be provided in the information notice; suitable mechanisms will have to be made available to automatically erase the data, as also related to third party recipients (in particular if the latter received the data for profiling and/or marketing purposes).
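The retention rules of this section can be applied mechanically by a periodic sweep over the provider's records. The following is an added example, not part of the Garante's provision and not any provider's code: it encodes the twelve-month limit on consented profiling data, the three-month limit on administrative data after termination, the erasure of per-event purchase detail once the bill can no longer be challenged, and the immediate anonymisation of poll and televoting answers. The record layout, the sample records, the 60-day bill-challenge window and the `decide`/`sweep` names are assumptions chosen for illustration.

```python
"""Retention sweep for interactive-TV service records.

Added example, not part of the Garante provision: it applies the
retention rules of Section 6 to constructed sample records. The record
layout, the 60-day bill-challenge window (a value the provision leaves
to the provider) and the sample data are assumptions for illustration.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

PROFILING_MAX = timedelta(days=365)   # Section 6: "no longer than twelve months"
ADMIN_AFTER_END = timedelta(days=90)  # Section 6: "not in excess of three months"


@dataclass(frozen=True)
class Subscriber:
    subscriber_id: str
    terminated_on: Optional[date] = None   # None while the relationship is active


@dataclass(frozen=True)
class Record:
    kind: str                        # "purchase", "profiling", "admin" or "poll"
    subscriber_id: Optional[str]     # None once anonymised
    stored_on: date
    detail: str = ""                 # e.g. the event title: the identifying part
    profiling_consent: bool = False  # specific, separate consent to profiling


def anonymise(rec: Record) -> Record:
    """Strip the identifier and the per-event detail so the record can no
    longer be linked to a person, also indirectly or by matching databases."""
    return replace(rec, subscriber_id=None, detail="")


def decide(rec: Record, sub: Subscriber, today: date,
           challenge_window: timedelta) -> str:
    """Return 'keep', 'erase' or 'anonymise' for one record."""
    if rec.subscriber_id is None:
        return "keep"                        # already anonymous: nothing to protect
    ended = sub.terminated_on is not None and sub.terminated_on <= today
    age = today - rec.stored_on
    if rec.kind == "poll":
        # Televoting and poll answers are anonymised as soon as they are
        # collected unless separate consent to profiling exists.
        return "keep" if rec.profiling_consent and not ended else "anonymise"
    if rec.kind == "purchase":
        # Per-event detail is needed only while the bill can still be challenged.
        return "erase" if age > challenge_window else "keep"
    if rec.kind == "profiling":
        if not rec.profiling_consent or ended:
            return "erase"                   # no consent, or relationship over
        return "anonymise" if age > PROFILING_MAX else "keep"
    if rec.kind == "admin":
        if ended and today - sub.terminated_on > ADMIN_AFTER_END:
            return "erase"
        return "keep"
    raise ValueError(f"unknown record kind: {rec.kind}")


def sweep(records, subscribers, today, challenge_window=timedelta(days=60)):
    """Apply decide() to every record. Returns the records that survive
    (anonymised where required) and a count of the actions taken."""
    subs = {s.subscriber_id: s for s in subscribers}
    survivors, counts = [], {"keep": 0, "erase": 0, "anonymise": 0}
    for rec in records:
        sub = subs.get(rec.subscriber_id, Subscriber(rec.subscriber_id or ""))
        action = decide(rec, sub, today, challenge_window)
        counts[action] += 1
        if action == "keep":
            survivors.append(rec)
        elif action == "anonymise":
            survivors.append(anonymise(rec))
        # "erase": the record is simply not carried forward
    return survivors, counts


def sample_sweep():
    """Run the sweep over constructed sample data (not real subscriber data)."""
    today = date(2005, 6, 1)
    subscribers = [Subscriber("S1"),
                   Subscriber("S2", terminated_on=date(2005, 1, 15))]
    records = [
        Record("purchase", "S1", date(2005, 5, 20), "Film A"),            # keep
        Record("purchase", "S1", date(2005, 3, 1), "Match B"),            # erase
        Record("profiling", "S1", date(2004, 4, 1), "sports", True),      # anonymise
        Record("profiling", "S1", date(2005, 1, 1), "films", True),       # keep
        Record("profiling", "S2", date(2005, 1, 1), "films", True),       # erase: ended
        Record("admin", "S2", date(2004, 6, 1), "postal address"),        # erase
        Record("admin", "S1", date(2004, 6, 1), "postal address"),        # keep
        Record("poll", "S1", date(2005, 5, 30), "answer: yes"),           # anonymise
        Record("profiling", "S1", date(2005, 5, 1), "no consent given"),  # erase
    ]
    return sweep(records, subscribers, today)


if __name__ == "__main__":
    survivors, counts = sample_sweep()
    print(counts)
    for r in survivors:
        print(r)
```

Running the sample yields 3 records kept unchanged, 4 erased and 2 anonymised. The sweep is deliberately conservative in one respect that matches the text: a record with no identifier is left alone, so re-running it is idempotent, and anonymisation removes both the identifier and the event-level detail rather than only the name, since detail alone can re-identify a person when matched against another database.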
The personal data falling within the scope of the "traffic data" definition may only be processed in compliance with the law (Sections 123 and 132 of the Code). It shall not be allowed to access information that is stored in the subscriber's/user's terminal equipment in order to store information and/or monitor the operations performed (see Section 122(1) of the Code).
Finally, if a given entity - e.g. a service centre - carries out activities on behalf of several providers, it must be ensured that the individual personal data are handled separately. In particular, there must be no matching of the databases possibly set up.
7. Additional Requirements
In addition to the provisions set out herein, the obligations laid down in the Code as regards data controllers are left unprejudiced; such obligations may be developed further by means of the Code of conduct and professional practice applying to electronic communications services (as per Sections 122 and 133 of the Code). Failure to comply with said obligations entails the impossibility of using the processed data (as per Section 11 of the Code) and carries the relevant administrative and criminal sanctions (Section 161 and following ones of the Code).
Reference is made, in particular,
a) to the obligation to notify the Garante of processing operations carried out
- with the help of electronic means, where they are aimed at defining the data subject's profile and/or personality, analysing consumption patterns and habits, or else monitoring the use of electronic communications services apart from the processing operations that are technically indispensable to provide said services to users (Section 37(1), letter d), of the Code);
- by using sensitive data in view of opinion polls, market surveys, and other sample-based surveys (Section 37(1), letter e), of the Code);
- by using data suitable for disclosing health and sex life in view of "providing health care services via electronic networks" (Section 37(1), letter b), of the Code);
b) to the obligations concerning adoption of security measures that are proportional to the knowledge acquired thanks to technical developments (Sections 31 to 35 of the Code, and Annex B thereto), including the so-called "minimum" security measures, with particular regard to verification of authentication and authorisation profiles also in order to prevent unsolicited services from being billed;
c) to the selection of the entities that are authorised - in their capacity of either persons in charge of the processing or data processors - to carry out processing operations based on the tasks committed to them as well as on the instructions provided, under the provider's direct authority (as per Sections 29 and 30 of the Code). The appointment of "external" entities is subject to specific legal restrictions in this sector (see Section 123(5) of the Code) and should not result in circumventing the safeguards subscribers and users are entitled to as regards communication of the data to third parties, transparency in the provision of information, and compliance with the stated purposes;
d) to the obligation to take the measures required in order to facilitate exercise of data subjects' rights and the provision of timely responses to data subjects, also by means of the same interactive tools that are used to provide the requested services (Section 9(1) and Section 10(1) of the Code).
8. Information to Be Provided to the Garante
For the purposes and in pursuance of Sections 157, 164, and 168 of the Code, the data controllers referred to in the records of proceedings that are pending before the Office are called upon to confirm, by no later than May 15, 2005, that the processing operations they perform are compliant with the provisions laid down herein, by also providing such additional information as may be helpful in this regard and attaching the relevant documents.
BASED ON THE ABOVE PREMISES, THE GARANTE:
Orders, in pursuance of Section 154(1), letter c), of the Code, that the controllers of processing operations concerning data related to interactive TV services take the necessary and appropriate measures set forth in this provision with a view to bringing such processing operations into line with the legislation in force.
Done in Rome, this 3rd day of February 2005
THE SECRETARY GENERAL