EU Article 29 A29WP publishes new BCR guidance for processors

This post was written by Cynthia O'Donoghue.

The European Union (EU) data protection body, the Article 29 Working Party (A29WP), in April adopted new guidance on Binding Corporate Rules for Processors (BCPRs). The document supplements the opinion from June 2012, which listed elements required for valid BCPRs, by further clarifying what provisions and mechanisms must be included before BCPRs can be authorised. The BCPR process has been developed by the A29WP in response to a request from outsourcing providers to create a new legal instrument to legitimise international data transfers.

The new guidance emphasises that BCPRs are the preferred method for transfers of personal data from the EU to countries without “adequate levels of protection,” over other methods, such as the EU standard contractual clauses. BCPRs are preferred when transfers are voluminous and frequent between the primary data processor and sub-processors in the same organisation. BCPRs are also recognised within the mutual recognition scheme, such that authorisation of BCPRs by one EU member state will result in automatic authorisation in other participating EU member states.

Data controllers will remain responsible for ensuring that service providers only process data under their instructions, and that sufficient guarantees are in place to protect the personal data being transferred to a service provider and within that service provider group, even where BCPRs have been authorised.

The A29WP emphasises that the BCPRs must be binding both internally and externally, and recommends service providers implement strict and punitive policies or codes of conduct supported by intra-group agreements. For third-party sub-processors, service providers are required to enter into agreements requiring sub-processors to respect the same obligations as the processor group. The sub-processor agreement will need third-party beneficiary rights for the data controller and for data subjects. Service providers seeking authorisation for BCPRs will need to include extracts of relevant clauses in their authorisation application.

The guidance also specifies the limits imposed on the requirements for modifying authorised BCPRs and lists other compulsory clauses, such as provisions ensuring compliance, audit mechanisms and complaint handling, and a duty to cooperate with both the controller and the relevant data protection authority. The BCPRs must also designate a corporate member within the EU that will be liable for breaches of the BCPRs by members of the group outside the EU.

While this new tool was developed in response to calls from the outsourcing community, no BCPRs have been authorised to date, although the French authority, the CNIL, has admitted to having several applications pending.

EU Article 29 Working Party criticises the proposed Data Protection Impact Assessment templates for smart-meters

This post was written by Cynthia O'Donoghue.

The Article 29 Working Party (A29WP) adopted the Opinion on the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems (Opinion), which evaluates the Privacy Impact Assessment (PIA) template that the member states intend to adopt. The PIA, which was prepared by industry representatives, seeks to ensure that smart-meter operators comply with data protection rules; however, the A29WP pointed out a number of inadequacies in the template.

The EU initiative to roll out smart gas and electricity meters, which can send usage data via remote communications, underpins the desire for a more effective and efficient energy supply. In the Opinion, the A29WP points out the risk that smart-meter usage data may be used to infer information about “consumers’ use of specific goods or devices, daily routines, living arrangements, activities, lifestyles and behaviour.”

The energy supply industry expert group developed the PIA to ensure that smart-meter operators comply with data protection rules, and to facilitate compliance assessments by Data Protection Authorities, as well as to provide information to consumers.

The PIA template contains an eight-step impact assessment and provides step-by-step guidance on how to carry it out. The A29WP admitted the proposed template contains useful elements, but criticised the failure to include any method of directly assessing the foreseeable impacts on the data subjects, including the risk of price discrimination or criminal acts facilitated by unauthorised profiling. The A29WP also felt the PIA template confused risks and threats, and failed to match specific risks to controls based on best practice. Other criticism included that the PIA template lacked sufficient guidance on the concepts of vulnerability, calculating and prioritising risks, choosing appropriate mitigating controls, and appropriately allocating data protection responsibilities between the different stakeholders. The A29WP also recommended including an analysis of industry-specific risks and relevant controls.

The A29WP acknowledged that the industry expert group is preparing ‘best available techniques’ that may address some of the criticisms, but it will wait to see those techniques incorporated in the PIA template before the template is resubmitted for a further opinion.

Whether to Proffer? Important Change to Pittsburgh Proffer Agreement Makes for a Difficult Decision in the Western District of Pennsylvania

This post was written by Efrem M. Grail, Shannon Voll Poliziani and Kyle R. Bahr.

A crucial decision in most federal “white collar” criminal investigations is whether to “proffer” to the government – to engage in an off-the-record, question-and-answer session with the prosecutor and investigating agent in the hopes of getting immunity, a plea deal, or no charge at all. Because of the risks involved, the decision must be carefully weighed with the assistance of knowledgeable criminal defense counsel. Those risks recently increased in the Western District of Pennsylvania. On April 11, 2013, the Pittsburgh U.S. Attorney’s Office added language to its standard proffer agreement – a contract signed between the government and the interviewee setting how the government can use the information gained in the proffer – that broadens a prosecutor’s ability to use proffer statements in subsequent legal proceedings in the Western District of Pennsylvania.

Click here to read the issued Client Alert that describes how the new language changes the proffer calculation for clients and their lawyers.

California Legislature Pushing Forward Multiple Data Privacy Bills

This post was written by Sarah Woo, Lisa B. Kim and Joshua B. Marker.

The California legislature is determined to be at the forefront in the development of data privacy law by drafting a number of data privacy protection bills that will impact companies’ obligations with respect to the disclosure, compilation, removal, or sharing of consumers’ personal information.

Click here to read the issued Client Alert.

UK legislation authorising Deferred Prosecution Agreements is approved

This post was written by Rosanne M. Kay and Kimberley Davies.

Following on from our posts in 2012 (UK Ministry of Justice Launches Consultation on Deferred Prosecution Agreements and UK Government unveils deferred prosecution agreements as a new enforcement tool), we can now report that on 25 April 2013, the Crime and Courts Act 2013 (the “Act”) was passed. The Act introduces deferred prosecution agreements into UK law for the first time.

The Act will allow the UK Serious Fraud Office and the Crown Prosecution Service to enter into deferred prosecution agreements to deal with economic crimes such as bribery, fraud and money laundering.

The Act is not expected to come into force before February 2014, and in the meantime, a Code for Prosecutors containing further guidance from the Serious Fraud Office and the Director of Public Prosecutions will be published.

We will keep you posted on any future developments.

CalOPPA Enforcement Grounded, For Now

This post was written by Steven Boranian, Joshua B. Marker, Lisa B. Kim, and Tyler M. Layton.

In a significant victory, Delta Air Lines’ demurrer to the enforcement action filed by the state of California was sustained without leave to amend. We previously wrote about the case here. California alleged that Delta’s mobile application was in violation of CalOPPA because its privacy policy was not reasonably available within the application itself, and because the privacy policy on the Delta website did not accurately describe the information-collection practices of the mobile application.

Judge Marla Miller of San Francisco Superior Court sided with Delta and sustained its demurrer to the complaint without leave to amend. Despite the defense win, however, the decision provides little guidance regarding CalOPPA and its remedies, because the court did not address the substance of the statute. Rather, the court found that the claims against Delta were entirely preempted by the Airline Deregulation Act, which preempts any state “law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier.” The court declined to rule on the arguments pertaining to the substantive reach of CalOPPA.

In short, the precedential value of this decision outside of the airline industry is up in the air. While the decision may set the groundwork for preemption arguments that can be made in other federally regulated industries, the decision itself provides little guidance on CalOPPA specifically. With the potential for hefty statutory penalties, CalOPPA is still a privacy statute that requires careful consideration with regard to every company’s mobile applications.

A fiery dissertation - the third conviction under the UK Bribery Act 2010

This post was written by Rosanne M. Kay and Kimberley Davies.

On 23 April 2013, Mr Yang Li was the third individual to be convicted under the UK Bribery Act 2010 after he attempted to bribe his tutor.

Mr Li, a student at the University of Bath, offered his tutor £5,000 to amend his dissertation grade, which was 3% short of a pass mark. The tutor rejected the offer, and as Mr Li put his money away, a replica air pistol fell out of his pocket and onto the floor.

Mr Li pleaded guilty in Bristol Crown Court to charges of bribery (under Section 1 of the Bribery Act 2010) and possession of an imitation firearm. He was sentenced to 12 months in prison and ordered to pay £4,880 in costs. Judge Michael Longman stated that “any form of corruption or incitement to a person in any manner amounts to a serious offence which must be taken seriously by the court.”

This is the third conviction under the Bribery Act 2010 in just under two years, so far all involving individuals. There have yet to be any corporate convictions, or any cases offering guidance on the corporate offence under Section 7, in particular on the meaning of “carrying on business” in the United Kingdom.

'Coreper' Committee shows support for opening up public sector data to boost economy

This post was written by Cynthia O'Donoghue.

The Permanent Representatives Committee (otherwise known as ‘Coreper,’ consisting of representatives from the Member States and responsible for preparing the work of the Council of the EU) has expressed support for the European Commission’s plans through legislative changes to open up public sector data for re-use across Europe.

The initiative, which is part of the pending update to the 2003 Public Sector Information Directive, would make all generally accessible (i.e., non-personal) public sector information available for re-use across all Member States. Developers, programmers, businesses and citizens will be able to access and re-use public sector data at low cost, and this is predicted to result in a significant boost to the European economy.

Through proposed revisions to the 2003 Directive, a new genuine right to re-use public information would be introduced, including access to information stored by libraries, museums and archives. The revised Directive would allow such bodies to charge at most the marginal cost of reproduction, provision and dissemination of the information, with the recovery of costs or a reasonable return on investment permitted only in exceptional cases. The revisions would also encourage public sector bodies to make data available in open, machine-readable formats. The programme would include geographical, health care, transport and statistical information, and this wider availability of public data could potentially enable economic growth worth tens of billions of euros per year across the EU. Neelie Kroes, Vice-President of the European Commission, said: “Opening up public data means opening up business opportunities, creating jobs and building communities.”

The initiative would apply to non-personal public information only, but some privacy groups have already expressed concerns, stating that the open availability of data must be scrutinised to avoid the so-called ‘jigsaw effect,’ whereby large quantities of non-personal data can be used to re-identify anonymous data or to profile individuals.

While Coreper’s support for the initiative is noteworthy, the proposed new rules still need to be formally approved by the European Parliament.

New FAQs Issued by the FTC for COPPA Compliance

This post was written by John P. Feldman and Caroline Klocko.

Earlier this week, the Federal Trade Commission (FTC) issued Frequently Asked Questions for complying with the Children's Online Privacy Protection Act (COPPA). The FAQs are intended as a supplement to the already issued compliance materials. As we previously reported, the revised COPPA Rule is set to go into effect on July 1, 2013. For companies running websites that collect information from children under 13, COPPA compliance will be critical. The FAQs will provide helpful guidance to reach that goal.

To learn more please visit our sister blog, AdLaw By Request.

Google Inc. Fined for Street View by Hamburg DPA - There is More to the Street than Meets the Eye

This post was written by Katharina A. Weimer.

According to a press release Monday, the Hamburg Officer for Data Protection and Freedom of Information issued a fine in the amount of €145,000 against Google Inc. for illegal recording of information from Wi-Fi networks.

While Google’s cars roamed the streets in Germany during the years 2008-2010, they not only took pictures of houses and streets, but also illegally collected information from Wi-Fi networks within the reach of the cars. Google admitted that this also encompassed content information, e.g., emails, passwords, photographs, chat logs, etc. While the public prosecutor closed the proceedings in November 2012 without bringing an action, the Hamburg DPA picked up on this in an administrative proceeding and has now bindingly concluded that Google Inc. negligently collected data without authorization to do so. Concurrently with issuing the fine, the DPA instructed Google Inc. to immediately delete all information so collected, which Google Inc. has apparently already confirmed.

While Google Inc. was cooperative in clarifying this incident, and remains adamant that the company’s intention was never to collect this information at all, this clearly indicates that the company’s internal control mechanisms failed severely.

The Hamburg DPA is not surprised that incidents like this happen in multinational companies: with maximum fines of €300,000 for intentional violations and €150,000 for negligent acts, no deterrent effect can be achieved. The impending change to a penalty of up to 2% of a company’s annual turnover, to be introduced by the new European Regulation, is likely to significantly increase the motivation for companies to implement proper control mechanisms and to supervise their implementation and functioning.

Latin America Update: Mexico's new Privacy Notice Guidelines and Colombia's first data protection laws

This post was written by Cynthia O'Donoghue and Katalina Chin.

MEXICO: New Privacy Notice Guidelines were introduced April 17, 2013, specifying the format and contents of privacy notices required for the direct or automated collection of personal data.

The Guidelines seek to enable data subjects to make free and informed choices, by ensuring that they are given information and an opportunity to consent and object to the collection of their personal data. Privacy notices must be provided prior to collection, and must be set out in Spanish and in a format that is clear, easy to understand, and not misleading. A simplified or short form privacy notice can be justified in certain circumstances, but must inform data subjects where they can access a fuller privacy policy. The latter must contain, among other information, the data controller’s identity, the purposes of collection, and the rights of the data subject. The addendum to the Guidelines also provides additional recommendations, including special rules for handling the data of children.

Compliance with the Guidelines is mandatory and no exemptions are available. They will be particularly important to businesses operating in the jurisdiction that process personal data of their employees, customers and/or vendors, and to website operators placing cookies in Mexico. The Instituto Federal de Acceso a la Información y Protección de Datos (IFAI) is already exercising its enforcement powers, including the issuing of monetary penalties. In December 2012, the IFAI fined a Mexican pharmaceutical company a total of 2 million Mexican pesos (approximately US$162,000), giving a clear indication of its approach to data privacy violations.

COLOMBIA: Following the lead of Costa Rica and Peru, Colombia introduced its first data protection framework in March this year with Law No. 1581, which came into force April 18, 2013. The new law covers, among other matters, notice and consent requirements, cross-border data transfers, and the processing of children's personal data. In a vein similar to the IFAI in Mexico, the new Colombian data protection regime is supported by serious sanctions, which include monetary penalties of up to US$650,000, trading suspensions of up to six months, and even temporary or permanent closure of business operations for persistent violations.

CA Legislators Demand the Right To Be Forgotten (Quickly): Bill Targets Social Media

This post was written by Lisa B. Kim, Joshua B. Marker and Paul Bond.

California continues to be among the most aggressive states in proposing legislation restricting disclosure of personal identifying information. Earlier this month, California Senate Majority Leader Ellen M. Corbett (D) introduced SB 501, known as the Social Networking Privacy Act, which would require social networking websites to remove certain personal identifying information (PII) within 96 hours of the user’s request. SB 501 specifically defines personal identifying information to mean a person’s name, address, telephone number, driver’s license number, social security number, employee identification number, mother’s maiden name, demand deposit account number, savings account number, or credit card number. A social networking site would have to remove all such PII or face a steep civil penalty, up to $10,000 for each knowing violation. The Bill allows for parents to make the removal request on behalf of children who are younger than 18.

SB 501 follows on the heels of related legislation in the California Assembly, the “Right to Know Act of 2013,” which would require businesses to disclose, upon a consumer’s request, which personal information they retain and/or disclose to third parties.

Commissioner Brill to States: Data Brokers Aren't Going to Regulate Themselves

This post was written by Paul Bond and Christine E. Nielsen.

Federal Trade Commissioner Julie Brill, in a speech Monday at the National Association of Attorneys General (NAAG) Presidential Initiative Summit, urged the states to take a more active role in investigating and holding accountable data brokers for violations of the Fair Credit Reporting Act (FCRA).

The FCRA regulates the use of credit report information for credit and insurance eligibility decisions, and also in background checks and other investigative reports. The traditional actors in this space have seen increasing competition from entrants into the market, many of which may not be aware of FCRA’s broad reach and statutory requirements. For example, the FTC recently notified entities that compile rental history data that they are likely subject to FCRA and must abide by its requirements.

The attorneys general have publicly pursued several privacy-related investigations and enforcement actions since Attorney General Gansler announced his “Privacy in a Digital Age” Presidential Initiative. The California attorney general has recently provided guidance to and engaged in enforcement actions against entities active in the mobile application space. And the attorneys general have recently concluded an enforcement action against Google, which resulted in a $7 million settlement for Google’s alleged interception of personal data through its Street View vehicles. Still, the FTC, and not the states, has pursued data brokers for FCRA violations.

Data brokers have long been of interest to the FTC, which singled the industry out as one that needs special attention in its 2012 privacy report. Regulators justify heightened scrutiny because data brokers amass large quantities of valuable consumer data, but are often unknown to consumers. The state attorneys general as a multi-state group investigated and eventually settled with ChoicePoint following that data broker’s 2004 security breach, and individually have investigated entities that engaged in pretexting to obtain and compile phone record data.

As we enter the final few months of Attorney General Gansler’s term as NAAG President, we will keep a close watch on whether the attorneys general answer Commissioner Brill’s call-to-action.

Spanish Constitutional Court sides with employer on inspection of an employee's derogatory communications

This post was written by Cynthia O'Donoghue and Katalina Chin.

The Spanish Constitutional Court has dismissed a case brought by an employee whose online communications were inspected by his employer. The opinion in the case of Ruiz Medina v. Global Sales Solutions Line (published 22 January 2013) was a noted change in the Constitutional Court’s line of judgments, which usually supports employee rights.

In 2004, Global Sales Solutions discovered the communications of employees using an instant messaging system that they had installed on a work computer in breach of company policy. The discussions included insulting comments about colleagues, managers and customers. After the responsible employees were identified, the company called a meeting during which some of the comments were read out and the authors were reprimanded, which was in turn met by a legal action brought by one of the reprimanded employees.

Spanish privacy law prohibits illegal access to individuals’ personal data, while the right to secrecy of communications prevents interception or obtaining knowledge of secret communications. These rights are enforceable by employees in the workplace and were relied upon by the employee against Global Sales Solutions. The Seville court dismissed the case, stating that there was no violation of privacy because of the prohibited use of company property during work. After this decision was upheld by a senior court, the claimant filed with the Constitutional Court relying on Article 18.3 of the Spanish Constitution, which protects secrecy in communications.

The Constitutional Court held that the right to privacy was waived because the computer was configured for common use and communications were set out as ‘open’. The court also pointed out that the unauthorised installation of communication programmes was banned at the company, and therefore there could have been no expectation of confidentiality. There was one dissenting opinion, which focused on the fact that the employer did not need to access the communications to confirm the breach of company policy.

Although the conclusion of this case may be somewhat surprising, given that the Constitutional Court has historically favoured employee rights, Spanish employers will welcome this opinion, which has helped set reasonable limits to the right of privacy in the workplace.

Facebook profiles can be used to predict undisclosed sensitive information

This post was written by Cynthia O'Donoghue.

New research from the University of Cambridge shows that information disclosed on Facebook profiles can be used to accurately predict a range of undisclosed sensitive personal data, including sexual orientation, ethnicity, religious and political views, age, and gender.

The research, which involved a study of the Facebook “Likes” of about 58,000 volunteers, found that highly sensitive information could be deduced from those “Likes” with a very high degree of accuracy. For example, the study correctly predicted male sexuality in 88% of cases, ethnicity in 95% of cases, and political views in 85% of cases. The report’s authors admitted using relatively simple methods to make their predictions but emphasised that there was great scope for improvement both in terms of models and data sets used.

This study is significant on a number of grounds. First, it reminds us of the ease with which it is possible for individuals to inadvertently disclose sensitive information about themselves. Second, it highlights the risks of organisations drawing conclusions and/or making decisions about the individuals in question based on the predictions made, some of which could be adverse to the individual. Third, the report also gives credence to the ongoing debate about whether data can ever be truly anonymous, especially as the techniques used in the study are likely to be used by most organisations trying to analyse and monetise big data sets, whether it be for behavioural profiling to assist online behavioural advertising, or strategies related to product development.

A key question is whether the study will impact the deliberations related to the proposed EU General Data Protection Regulation. Most data protection regimes, including in the EU, currently have stricter rules when ‘sensitive data,’ such as sexuality or religious beliefs, are involved. The draft Regulation contains clauses related to the profiling of individuals, as well as to anonymous data. The current draft Regulation would permit individuals to object generally to any profiling of themselves via big data sets or when done for direct marketing purposes, and retains the rule in the Directive on the re-identification of anonymous data. It remains to be seen how the relevant authorities will treat big sets of data which do not explicitly include, but which can be used to accurately predict, information covered by such specific regimes. It is possible that the trend for ‘big data’ will result in additional businesses becoming subject to more scrutiny by the regulatory authorities and more stringent privacy requirements.