I'm still in Houston, and still away from my copy of the European privacy protection directive (whose exact name I don't recall), so my comments are tentative. But let's look at the original posting:
On 5/8/97, Bob Trachtenberg <bobt[_at_]accentsoft.com> wrote:
>
> I have been asked by a client whether installing a software mechanism
> in a program freely distributed over the Web (among other methods)
> which records user information such as name and e-mail address, and
> automatically sends it back to the software developer, without the
> user being aware of such action, violates the law in the US or
> anywhere else.
Now, this might or might not be a "cookie." There is no statement of mechanism here.
What is stated is that user information is sent back to the software developer, who thus can create a database about the user. And this information is sent back to the developer without the user being informed of this action. As I recall the EC Directive, the customer/user is entitled to know that data is being collected about her. The user has the right to protest the collection of the data, and the collector is to attempt to accommodate the user in her protest. The user has the right to inspect the data stored about her and to demand corrections to it.
Therefore, as I recall the Directive, this would be in violation of the Directive, if the user was European and/or if the data collector was European.
Query: suppose that the developer and user are both in Europe.
(a) am I correct that this surreptitious collection of data about
the user is unlawful?
(b) If so, is the developer liable for civil damages, for criminal
penalties, or both?
Now suppose that the developer is American, but that it has branch offices in Europe.
(a) am I correct that the developer would still be liable in Europe
and subject to jurisdiction (because of the branch offices)
of a European court?
Many thanks for your insight and comments.
Cem Kaner, J.D., Ph.D. Attorney at Law P.O. Box 1200 Santa Clara, CA 95052 408-244-7000
Author (with Falk & Nguyen) of TESTING COMPUTER SOFTWARE (2nd Ed, VNR)
This e-mail communication should not be interpreted as legal advice or a legal opinion. The transmission of this e-mail communication does not create an attorney-client relationship between me and you. Do not act or rely upon law-related information in this communication without seeking the advice of an attorney.
On 5/12/97, John Enser <jxe[_at_]olswang.co.uk> wrote:
>
> On 11/May/1997, Abraham de Wolf <abraham.de.wolf[_at_]sap-ag.de> wrote:
> >
> > I noticed that we have two opinions on whether the collection of data of
> > visitors to a web site by so-called cookies would be in violation of the
> > European Databases Directive. I say no and Cem says yes. May I ask Cem
> > to give his reasoning? The Directive only protects the "makers" or
> > "rightholders" of a database (and then they also must be "nationals of
> > a Member State or have their habitual residence in the territory of the
> > Community".), according to Article 11 of the Directive. A visitor to a
> > web page is not the maker or rightsholder to that page or better does
> > not become one by visiting it ;-).
> >
> > By the way, violators of the laws which are passed in accordance with
> > this Directive will provide both civil and criminal remedies as is
> > already provided for by the national copyright laws of the Member
> > States. But, so my position, using "cookies" does not violate European
> > Copyright law or the referred Directive.
>
> I think Cem is referring, correctly, to the data protection directive,
> not the database directive - similar name - entirely different subject.
> But is he right on the substance? As cookies are stored on the client,
> not the server, it is arguable that the browser owner is the one who
> requires the data protection regulation?
Received on Wed May 14 1997 - 12:57:21 GMT