FAQ: Privacy, data protection, use of personal information and LockLizard systems

FAQ: My legal department is examining our LockLizard deployment and is raising concerns about “personal information appearing on books that we give students”.  Apparently, there are varying laws in different jurisdictions that prohibit a company from giving electronic files to someone with their name or email address on it.

In Europe, regulation coming from the Data Protection Directive (95/46/EC) is concerned about personal information, but it does not mention anywhere that the personal name, or email address alone is information that falls within the meaning of the Directive, or that the linkage between a personal name and an email address falls within the meaning.  The Directive considers very carefully the processing of information that is gathered for a declared purpose that is necessary for the conduct of a ‘business transaction’ and for the need to ensure that gathered information is not used for purposes that were not stated when that information was collected or transferred to unauthorized parties.  Regulation in Canada and some other nations is very similar in its approach.

Locklizard products are used in most European countries by publishers such as the Law Society of England (and the Law Society of Ireland) and are approved for Copyright control by the Copyright Collecting Societies, so they are well accepted as supporting the Protection of personal data. Directive 95/46/EC.

In the USA regulation has focused more on requiring that the storage of personal information is carried out in such a manner as to prevent those stealing that stored information from being able to process it readily (typically the information is required to be encrypted) and that has applied to financial information, healthcare information or personal information that links it to key data such as the name, street address, Social Security Number, driver’s license and similar information.  Safe Harbor provisions are used when transferring personal data from countries in the European Union.

Such regulations normally apply only to data for living individuals in their capacity as a consumer, and are specifically not applicable when a person acts as a business employee doing business for their employer.

Whilst it is correct to say that when installed Locklizard Viewers are in use, information is collected concerning the hardware identity of the machine that a license is installed on, but a one-way function is used to create the stored information.  This has two advantages.  It prevents an attacker from trying to hack the machine identity, and anyone attacking the main database cannot reveal the machine identity because only the encrypted field is available.  Of course if a browser viewer is used then an ID/password scheme is used and again only one-way encryptions are stored.

Locklizard support the use of an email address as a means of forwarding licensing details (these are also encrypted) to users so that they may license for the use of documents from a specific publisher.  One has to observe that there are many schools of thought about whether an email address on its own constitutes personal data.  It would be correct to say that it is probably the commonest identification method in use globally, and since it is never used on its own it does not disclose anything that could not be readily achieved through email harvesting techniques that are already well developed.  Locklizard do not compel publishers to collect and use an email address, and there are provisions in place to allow publishers to use anonymous identifiers and fulfill licenses by other means (direct web interfaces, for instance) so the minimal amount of clear text information held is indeed marginal.  Little if anything can be found from the database beyond the possibility that X may be a customer of publisher A, since the identifiers are abstract and no meaningful clear text about document contents (potentially indicating preferences?) is held either.

Looking at our dynamic watermarking provisions, we have not become aware that the linking of the name of an individual and an email address, and nothing else, on a printed document or on a screen constitutes exposing Personal Data within the meaning of current regulation.  For one thing, the only person it is exposed to is the individual themselves, unless they choose to share it with others, which is a matter for their own discretion but obviously not processing by you as a publisher, nor are you disclosing that information to third parties for business purposes (marketing, sales and so on).  At one level it is simply the personalization of a book to its purchaser, just as it used to be popular for people to stick a label in the end cover of a hard back book saying, “Ex Libris John (or Jane) Doe” or asking the author to sign it including their name and a personal message, deliberately choosing to identify themselves with the book.  It has to be remembered that this personalisation takes place on the computer of the user, not the publisher.

There is no harmonized regulation concerning the processing of personal information, and it must be stated that LockLizard Limited is not a law firm qualified to give legal advice on such a matter.  We note that a very small number of International Standards have been published addressing the business requirements for processing personal information and they all make it clear that they do not constitute legal advice.  We are aware that the ISO standards organization has  had a special committee look into the need for a technical standard in support of privacy but it will be some years before anything concrete may take shape as a result of recommendations from them.  Further information on relevant ISO/IEC work may be found from ISO/IEC 15944-8:2012 Information Technology – Business Operational View – Part 8:Identification of privacy protection requirements as external constraints on business transactions.  This standard is available FOC and is 212 pages long.