Massachusetts Data Protection Regulations: March 1, 2012 Deadline for Service Provider Contracts

This post was written by John L. Hines, Jr., Paul Bond, Amy S. Mushahwar and Frederick Lah.

The Massachusetts Data Protection Regulations, 201 C.M.R. 17.00, ("Massachusetts Regulations") establish minimum standards to be met in connection with safeguarding the personal information of Massachusetts residents. Personal information is defined as a resident's first name and last name or first initial and last name in combination with the resident's Social Security number, driver's license number or state ID card number, or financial account number.

Under the Massachusetts Regulations, companies that own or license personal information must "oversee" service providers by requiring them by contract to "implement and maintain such appropriate security measures for personal information." See 201 C.M.R. 17.03(2)(f). The Massachusetts Regulations provide a grandfather clause that deems any contract with a service provider entered into before March 1, 2010 to be in compliance, even if it does not have provisions related to adequate data security. This clause, though, expires March 1, 2012, which is quickly approaching. From that date forward, all contracts with service providers must be in compliance with the provision.

All companies—whether the owner/licensor of the information overseeing the service provider, or the service provider (who would also likely be considered a licensor)—need to ensure that any contract (new or existing) touching personal information contains a provision to implement and maintain appropriate safeguards. Such a representation should be accompanied with the requisite due diligence to ensure accuracy and the right to review/audit future compliance.

Contractual modification may prove to be harder for some companies, particularly those operating under medium- or long-term contracts that do not require the service provider to do all the things the Massachusetts Regulations require. In this situation, good faith and cooperation may not always work. Still, you may be able to rely on contractual clauses requiring compliance with law to effectuate change. At the very least, you should communicate (and document) your expectation of compliance to the service providers.

Privacy Ratings: Do They Mean Anything?

This post was written by Cynthia O’Donoghue, Paul Bond, Chris Cwalina, Nick Tyler and Frederick Lah.

Consumers increasingly demand transparency into how companies use their personal information. We’ve seen a number of responses to this. One has been legislative; for example, the accounting requirement under the Dodd-Frank Act and California's Shine the Light Act. For our previous analysis of the latter, please click here. Regulators have also responded, with both the U.S. Department of Commerce and the Federal Trade Commission ("FTC") suggesting that the privacy practices of companies need to be more transparent. There have been enforcement actions as well; for example, Facebook's settlement with the FTC requiring better disclosures on data use and sharing.

Now we are seeing the market respond with a niche industry of privacy testers and raters arising to meet consumer demand for this information. One such rater getting recent attention on both sides of the Atlantic is PrivacyChoice (through its new Privacy Score product). According to its website, Privacy Score "estimates the privacy risk of using a website based on how they handle your personal and tracking data." The site awards websites scores out of 100. Close to 1500 sites have been scored so far. The site also offers a list of every company "tracking" consumers visiting a particular site.

By its own admission, the Privacy Score given to a company's site is just a "rough measure." The scores are based solely on the representations made on the site's privacy policy, and the amount of "tracking" purportedly being done on the site. Therefore, the scores may not accurately reflect the actual privacy practices of a company, especially considering the fact that many companies tend to use safer and broader language in their privacy policies to avoid any risk of over-promising and under-delivering. In other words, companies should not overreact if they see an especially low score (of which there are very few), nor should they find any real sense of comfort if they are given a high score.

The concept of privacy testing and rating is not new. TRUSTe has been issuing seals of approval for privacy policies for years. In addition, the Wall Street Journal has released a "What They Know" series about the tracking activity of marketers on websites, and has rated the level of "exposure" for a number of sites (using PrivacyChoice data as part of its methodology). Nevertheless, this concept of testing and rating is a direct response to the growing demand from consumers to know how companies are using their personal information, and it is not going away anytime soon.

From the European perspective, these scores/ratings are of little value to consumers. They do not provide any reliable assessment of compliance with the more stringent and long-established legal requirements for transparency and fair information handling under European data protection legislation and codes of practice.

You should prepare for your company's disclosures (privacy policies, terms of use, etc.) to be heavily reviewed in a high-scrutiny environment. This means being well-informed about what is actually happening on your site and mapping your disclosures accordingly. If you believe you’ve been mis-reviewed by PrivacyChoice, consider whether it’s worth speaking out and/or pursuing a correction. On a more macro level, consider how you can better present yourself to consumers to meet their increasing demand for transparency. In light of this growing trend, it’s not just a matter of compliance with law; it’s a commercial imperative to protect your brand.
 

FCC Approves Order to Tighten Regulatory Treatment of Robocalls Under the Telephone Consumer Protection Act

This post was written by Judith L. Harris and Amy S. Mushahwar.

The Federal Communications Commission (FCC) acted today to tighten its rules under the Telephone Consumer Protection Act (TCPA) and conform them, to the extent possible, with the more stringent rules already in place at the Federal Trade Commission (FTC) under the Telemarketing Sales Rule (TSR). This change will hit hardest entities, such as banks, that are not subject to FTC jurisdiction and therefore do not already have more stringent compliance programs in place. Although the FCC’s order has not been released and no information is available yet as to the details of how the revised rules will operate and exactly to what calls they will apply, the following four points are clear:

1. Prior express WRITTEN consent will now be required before making any telemarketing robocall (using an autodialer or a prerecorded message) to a consumer; electronic signatures will be acceptable as evidence of written consent, and this change will not apply to purely informational calls (“such as those related to school closings and flight changes”);

2. The “established business relationship” will be eliminated as an exception to the prior written consent requirement that currently applies in the case of wireline calls;

3. An automated opt-out mechanism will have to be included in each robocall to facilitate a consumer’s ability to withdraw prior consent; and

4. The rules governing abandoned or “dead air” calls will be tightened, including through stricter time limits and by changing those limits to apply to each separate marketing campaign, rather than allowing the limits to be averaged over different calling campaigns, as is currently the case.

We are awaiting further details on exactly how these rules will be applied and when they will become effective. In the interim, please contact the authors of this article or the Reed Smith attorney with whom you normally work.
 

European Commission's published draft General Data Protection Regulation

This post was written by Cynthia O'Donoghue, Nick Tyler, and Katalina Chin.

As reported in our January blog on the day of its release, the European Commission has now published a draft General Data Protection Regulation (the “Regulation”) and has sent it to the European Parliament, along with a new draft Directive aimed at protecting personal data in relation to criminal investigations and judicial proceedings, including across borders.

The European Commission’s stated goal is to have parliamentary approval of the Regulation by the end of 2012. Despite some areas of uncertainty and the strong potential for continued disharmony, as well as the inevitable changes that will result from the legislative process, the Regulation provides enough detail in relation to the accountability principle and the increased self-regulatory regime for organisations to start preparing for implementation within the next three years.  

For a detailed analysis, please click here to read the issued Client Alert. 

'Shine the Light' Class Action Litigation Heats Up in California

This post was written by Steven J. Boranian, Joshua B. Marker, Mark S. Melodia, Christopher G. Cwalina and Paul Bond.

Increasingly, consumers demand to know how the businesses they patronize use, share, and disclose personal information. California’s Shine the Light Act, California Civil Code 1798.83, is intended to meet this demand for transparency. The Shine the Light Act provides California residents a statutory right to demand an accounting of how a business has shared personal information about them, to third parties, for the purpose of those third parties engaging in direct marketing to the consumer. The Act imposes a corresponding duty on many businesses to provide a clear and conspicuous method by which consumers can make such a demand. As reflected in the Reed Smith Shine the Light Act Reference Guide, the Act does not apply to every business, nor to every disclosure. Where the Act does apply, violation of its requirements can result in liability of up to $3,000 per violation.

Despite going into effect in 2005, the Act has just recently become the statutory basis for a number of consumer class actions, including against major publishing companies such as Conde Nast and Men’s Journal LLC. The lawsuits allege that the companies did not provide a method for consumers to obtain the disclosures of their personal information as required by the law. The suits seek thousands in statutory damages on behalf of every class member. To see if the Act applies to you, and what you have to do to comply, please review the chart and call counsel with any questions.

Don't Let Identity Management and Access Control Take the Back Seat

Identity Management and Access Control is the foundation of a company's data management practices. But, because of the extensive coordination that must occur within the organization, it is often a long-term strategic goal that continues to take the back seat in favor of other, more immediate projects. Often, if a company can keep the discussions of Identity Management and Access Control within the context of central ROI prospects and/or compliance needs that already enjoy leadership support, such projects are far more likely to make it to the finish line. Reed Smith recently hosted a series of meetings on this topic in its Washington, D.C., New York, Pittsburgh and Philadelphia offices with the CISO Executive Network on "Identity Management and Access Control." Please click here for a recorded video conference of Amy Mushahwar presenting to the Pittsburgh CISO Executive Network.

U.S. lawyers urge courts to respect EU data privacy laws - 'Hobson's Choice' just got harder!

This post was written by Cynthia O’Donoghue, David Cohen, Nick Tyler, and Regis Stafford.

The American Bar Association (ABA) this week passed an important resolution urging all courts in the U.S. to:

“consider and respect…the data protection and privacy laws of any…foreign sovereign, and the interests of any person who is subject to, or benefits from such laws, with regard to data that is subject to preservation, disclosure, or sought in discovery in civil litigation.”

The ABA Journal describes the long-standing dilemma faced by litigators on both sides of the Atlantic as a “Hobson’s Choice”. The ABA Section of International Law’s Report to the House of Delegates further explains the choice too often faced by litigants: “violate foreign law and expose themselves to enforcement proceedings that have included criminal prosecution, or choose noncompliance with a U.S. discovery order and risk U.S. sanctions ranging from monetary costs to adverse inference jury instructions to default judgments.”

It is interesting to note the timing of the resolution, coming as it has less than two weeks after publication by the EU Commission of the long-awaited draft EU Data Protection Regulation, with its proposed new sanctions of up to 2 percent of annual worldwide turnover for serious breaches, which would include an unlawful data transfer to the U.S.

Such sanctions represent a ‘game-changer’ in the current risk profile and choices presented to multi-nationals faced with U.S. discovery requirements demanding the transfer of personal data held by EU affiliates in breach of EU data protection laws.

Current U.S. jurisprudence will now be tested. Up until now, the U.S. courts have tended to strike the balance in favour of compliance with U.S. rules on the basis that there is no realistic prospect of prosecution in Europe for an enterprise that breaches EU cross-border transfer restrictions. See Strauss v. Credit Lyonnais S.A., 242 F.R.D. 199 (E.D.N.Y. 2007).

However, as the report to the ABA House of Delegates regarding the resolution explains, there are other good reasons, in addition to the possibility of sanctions, for U.S. courts to respect Europe’s data privacy laws. If U.S. courts continue to favor broad discovery in violation of EU restrictions, U.S. litigants may face “a similarly hardened view of U.S. laws and regulations to the detriment of U.S. litigants” in courts outside of the U.S. Moreover, “[p]ermitting broad discovery in disregard or even defiance of foreign protective legislation can ultimately impede global commerce [and] harm the interests of U.S. parties in foreign courts and provoke retaliatory measures.”

The resolution has been diluted from that originally proposed, with the insertion of qualifying words such as “where possible in the context of the proceedings”. Nonetheless, the ABA has sent a clear signal that a re-evaluation of the status quo is needed and that U.S. courts need to recognise the wider implications of cross-border litigation in the context of an increasingly globalised corporate and legal environment.
 

Reputation Protection and Its Ethical Limitations

This post was written by John L. Hines, Jr.

On December 20, 2012, Reed Smith welcomed the founder and CEO of Reputation.com to discuss online reputation management. Mr. Fertik, who speaks regularly in the popular media, explained the particular reputational challenges presented by the online environment, how to take advantage of social media to control your reputation, and how innovative software solutions are being used to help victims of harmful speech in situations where legal solutions may be impractical. The full presentation, which reviews the factors that make up an online reputation and how it is distinguished from your "brand", the legal and technical tools for managing your online reputation, how to mitigate online reputation risk for yourself and your clients, and the ethical considerations involved, can be found HERE.

Markey Releases Discussion Draft of the Mobile Device Privacy Act

This post was written by Amy S. Mushahwar.

Today, in response to the controversy surrounding cellphone tracking software from Carrier IQ, U.S. Representative Edward Markey (D-MA) released a draft of a cellphone privacy bill.

As background, the Carrier IQ software first made headlines in November, when a researcher posted a YouTube video claiming to show that the Carrier IQ software records users' every keystroke, including the websites they visit, the contents of their text messages, and their location. Carrier IQ, a California-based software company, says its software is installed on 140 million phones, but maintains that it does not track keystrokes or users' locations. Carrier IQ now faces a federal investigation and multiple lawsuits on this matter.

The Markey legislation aims to remedy the perceived privacy deficiencies. In its present form, the Markey discussion draft would require companies to:

  • Disclose any mobile tracking software when a consumer buys a device (or after sale, if it is later installed by a carrier or placed within a downloaded mobile application).
  • Notify consumers what information may be collected, any third parties to which the information would be disclosed and how such information will be used.
  • Obtain express consent before the tracking software collects or transmits information.
  • Require any third party receiving collected personal information to have policies in place to secure the information.
  • Require any third parties to prepare and file agreements on information with the Federal Trade Commission (FTC) and Federal Communications Commission (FCC).

Additionally, the legislation contemplates outlining an enforcement regime for the FTC and FCC, along with State Attorney General enforcement and a private right of action. Representative Markey is the co-chair of the Bi-Partisan Congressional Privacy Caucus, and he has previously investigated the privacy and data security practices of Google, Apple, Facebook, Amazon, and others.

EU Commission sends draft EU General Data Protection Regulation and Directive on Criminal Investigations and Judicial Proceedings to the European Parliament

This post was written by Cynthia O'Donoghue and Nick Tyler

The European Commission today completed its task of reforming the EU Data Protection Directive by sending a draft Regulation to the European Parliament. The draft Regulation contains comprehensive reforms and seeks to harmonise data protection laws across the 27 EU Member States, and to enhance EU citizens' privacy protections in the age of the Internet.

There will be two tiers of compliance obligations and sanctions, with one aimed at small- to medium-sized enterprises and the other at large, multinational organizations. SMEs are entitled to certain exemptions to ease administrative burdens, such as no requirement to appoint a data protection officer and a sanctions cap of up to €1 million. Multinationals with more than 250 employees in the EU will have to appoint a data protection officer and may face sanctions of up to 2 percent of worldwide annual turnover for serious breaches. Multinationals outside the EU will also have to comply with the data protection rules if they seek to market products and services to EU citizens.

Key provisions include:

A single notification to the data protection authority in the country where an organization has its principal establishment. There remains an obligation to notify and seek prior authorization for a range of processing activity considered to present specific risks, such as systematic and extensive profiling and large-scale video surveillance.

Accountability principle for those processing personal data, including impact assessments for SMEs and top-down accountability for all organisations.

Data breach notification to the national data protection authority if feasible within 24 hours, and to individuals if there is a risk of harm.

Increased individual control over personal data, including a requirement to seek explicit consent before data may be processed (rather than consent being assumed), and the ability of individuals to refer matters to the data protection authority in their own country even if the data is processed by a company based outside the EU.

Data Portability will mean that individuals will have easier access to their own data and be able to transfer it from one service provider to another more easily.

A right to be forgotten allows individuals, including children, the ability to delete their data if an organization does not have any legitimate grounds for retaining it. The right provides exemptions for legitimate historic data such as newspaper archives, and seeks to balance the right to privacy with the right to free speech.

The sanction regime has at least been watered down from the draft Regulation circulated in November 2011, which had proposed sanctions of up to 5 percent of worldwide annual turnover.

There have been some ‘business-friendly’ changes to the draft Regulation as compared with the earlier November draft. The proposal for an opt-in for commercial marketing has been substituted with an opt-out, and the provisions relating to children’s privacy now require parental consent for those under the age of 13, rather than 18.

In addition, while there is an emphasis on binding corporate rules for international data transfers outside of the EU, contractual clauses, EU standard contracts, and findings of adequacy, as well as international commitments by countries or international organizations such as the U.S. Safe Harbor, will still apply. Given the changes contemplated under the draft Regulation, existing international data transfer mechanisms may need to be reviewed and amended if the draft Regulation is adopted.

The new European Data Protection Board will no longer act as a supranational regulator in relation to approving enforcement actions and sanctions, as proposed in the November version of the draft Regulation. Instead, its powers will be limited to ensuring consistent application of the Regulation, without the power to overrule decisions in individual cases.

The Commission's proposed draft Regulation and accompanying Directive now go to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. The Regulation will only take effect two years after adoption by the European Parliament, and we would expect further changes as it makes its way through the legislative process. That means any changes are probably close to three years down the road.
 

Another Bankruptcy Asset Sale Put On Hold Due to Privacy Concerns

This post was written by Kurt Gwynne, Mark Melodia and Frederick Lah.

Last year, we wrote a post about how a New York bankruptcy judge delayed the approval of Barnes and Noble's acquisition of Borders' database of customer information amid privacy concerns. The court later approved the transaction, requiring that Barnes and Noble give customers 15 days to opt out of the transfer by responding to an email that was sent when the deal closed. A copy of that email can be found here.

Those same privacy concerns are re-surfacing in another bankruptcy asset sale. Real Mex Restaurants Inc. ("Real Mex"), the operator of Chevys Fresh Mex and other Mexican restaurants, filed for Chapter 11 bankruptcy protection back in October 2011. In November, Real Mex received tentative court approval to auction off its assets. Last week, though, the U.S. Trustee, the administrative agency charged with enforcing the country's bankruptcy laws, asked the Delaware bankruptcy court to block the proposed sale of Real Mex's assets until privacy concerns were addressed.

The U.S. Trustee objected to the sale based on its opinion that it violated section 363(b)(1) of the Bankruptcy Code because no consumer privacy ombudsman had been appointed to protect individuals' personally identifiable information ("PII"). Section 363 permits the sale or lease of PII only when either (1) such a sale or lease is made consistent with the debtor's policy prohibiting the transfer of PII to persons that are not affiliated with the debtor or (2) the court appoints a consumer privacy ombudsman and, thereafter, approves the sale or lease after giving due consideration to the facts, circumstances, and conditions of such sale or such lease; and finding that no showing was made that such sale or such lease would violate applicable nonbankruptcy law.

As we reported in our last post, this is not the first time that would-be buyers of databases have faced judicial or regulatory scrutiny about privacy concerns. See, e.g., In re: Peter Ian Cummings and FTC v. Toysmart.com, LLC and Toysmart.com, Inc. Still, though, the Real Mex case serves as an important reminder: Companies looking to acquire or transfer assets containing customer information need to address the associated privacy risks with those transactions, ideally before the government raises the issue first.
 

ZIP Code Privacy Litigation Update: Massachusetts

As part of a growing national trend, a Federal Court in Massachusetts recently held that ZIP codes are protected personally identifiable information, and therefore, retailers may not request a customer's ZIP code at the point of sale.

For more information, please read the issued Client Alert here.

US wades into debate on revision to EU Data Protection Directive

This post was written by Cynthia O'Donoghue and Nick Tyler

The U.S. Federal Trade Commission (FTC) has waded into the political debate with an Informal Note on the draft EU Data Protection Regulation as reported by Statewatch. In addition, Digital Civil Rights in Europe has reported that the U.S. Department of Commerce engaged in significant lobbying of the European Commission in response to the leaked draft Regulation.

The FTC’s Informal Note, provided to the EC in December 2011, focused on “two overarching concerns”:

  • “potential adverse effect on the global interoperability of privacy frameworks” – resulting in divergence rather than convergence of data privacy standards globally; and
  • “serious implications for regulatory enforcement activities involving third countries” such as the U.S. – resulting in EU data protection laws presenting a significant obstacle to international enforcement cooperation.

In both respects, the Informal Note portrays the draft Regulation as a backward step that would have an adverse effect on the global interoperability of privacy regimes by increasing differences rather than promoting convergence. The FTC also raised concerns about the draft Regulation’s potential to adversely impact international investigations, hinder information sharing between regulatory agencies, and undercut enforcement cooperation between the EU data protection authorities and similar privacy enforcement agencies around the world.

In doing so, the FTC’s Informal Note emphasises many of the issues highlighted in our two blogs and Client Alert following the leak of the draft Regulation. In particular, the following themes are highlighted:

  • Data breach notification – criticising the Regulation’s “focus on process, instead of on improving security practices”, the note concludes that this “may…dilute the effectiveness and credibility of all such notices.” This echoes a concern first raised by the UK Information Commissioner’s Office during the IAPP Summit in November 2011, relating to notification of all data breaches regardless of seriousness or number of persons affected.
  • The “right to be forgotten” – the FTC’s concern relates to a chilling effect on rights to free speech and intimates that a right to be forgotten is little more than a pipe-dream fraught with legal and practical obstacles that render it unfeasible. Basically, the ubiquity of the Internet means that the cat’s out of the bag and any attempt to put it back is doomed to fail.
  • The definition of “child” – the EU’s definition of child as anyone under the age of 18 runs counter to the U.S.’s longstanding regulation of children’s privacy (defined as under-13 in the Children’s Online Privacy Protection Act (COPPA)). The FTC refers the EC to its recent review of the COPPA Rule[1], suggesting it take a more modern and less paternalistic view by recognising:

“…it would be difficult to require parental permission for teenagers because they’re independent, more sophisticated with new technologies than their parents are, and have access to computers outside the home, particularly with the increasing proliferation of mobile devices.”

  • Transfers to third countries – criticising the increased complexity in determining adequacy for transferring data outside the EU, the FTC believes that the draft Regulation only makes the process more burdensome, opaque and indeterminate rather than the EC achieving its stated objective of clarifying it. There is undoubtedly a degree of self interest in the FTC’s alarm at the possibility that a U.S. Safe Harbor certification may no longer be recognised (at least in its current form) as a lawful basis for transfers of personal information from the EU to the U.S., as we previously highlighted. The prospect that present lawful trans-border dataflow mechanisms will need to be replaced by new or re-vamped versions, including through the use of binding corporate rules, will alarm every U.S. organisation that has invested significantly in putting legal mechanisms in place to transfer data from the EU to the U.S.
  • International Investigations – the FTC raises concerns about the effect on international regulatory enforcement, effectively calling the draft Regulation a ‘blocking statute’, because data controllers would have to notify and receive prior authorisation from a data protection authority before disclosing personal data to any non-EU governmental or regulatory authorities or private litigants outside the EU. The FTC highlights the conflicts, as well as the perils, such provisions will create for U.S. companies with a presence in the EU, especially if an investigation relates to anti-competitive activities or financial or consumer fraud. The FTC suggests that the draft Regulation incentivises “offshoring” evidence, resulting in delays and potentially damaging the interests of consumers, including those in the EU.

The FTC’s Informal Note, along with other voices loudly debating the draft Regulation, advocates a more balanced and proportional approach to privacy and data protection. 

Whether this US intervention will contribute to a delay in the EC publishing the draft Regulation, or whether, as recently restated by Ms. Reding’s office, publication will still take place on Data Protection Day on 28 January, we don’t have long to find out.



[1] COPPA Rule Review Request for Comment, Fed. Reg. Vol. 76, No. 187, Sept. 27, 2011 at 5905, available at: http://www.ftc.gov/os/2011/09/110915coppa.pdf.

In an Olympic year the draft EU data protection regulation lacks "2020 vision" and stumbles at the first hurdle - publication postponed until the Spring (at least!)

This post was written by Cynthia O'Donoghue and Nick Tyler.

As reported yesterday by DataGuidance, it’s back to the drawing board for the Directorate-General for Justice (Justice), the directorate responsible for EU data protection law, after it received strong “unfavourable” opinions from two key Directorates-General in response to the European Commission’s mandatory inter-service consultation process.

Publication of the draft EU Data Protection Regulation had been expected at the end of this month but has now been delayed until late February/March. The nature of the concerns raised by the Information Society and Media Directorate General (INFSO) and Directorate General for Trade (D-G Trade) mirror many of those highlighted in our earlier blog post and Client Alert following the leak of the draft Regulation last month.

INFSO’s concerns run to 22 pages and invoke some harsh criticism of the proposals and a perceived lack of openness and flexibility on the part of Justice. INFSO’s concerns include:

  • The broad scope of personal data, including geo-location data and online identifiers, without qualification;
  • The onerous requirements of proposed new data breach notification obligations;
  • The definition of “child” (under-18 threshold proposed) – unworkable in the online world;
  • The burdensome nature of the proposed new “right to be forgotten”;
  • A failure by Justice to take account of concerns about the continued burdens relating to data transfers, in particular those transfers described as “massive, frequent or structural”;
  • An increased risk of interference, contradiction and confusion within the draft regulation as a result of its addressing areas already covered by the ePrivacy Directive;
  • The proposed new sanctions regime.

The comments by INFSO represent a significant setback in the EU Commission’s attempts to re-shape European data protection law for the next generation. With the long-term future of enterprise and society in mind, INFSO rejects the draft regulation as:

“…an overly cumbersome legal framework which places new burdens and costs upon data controllers and processors, thereby acting as a deterrent for the development of new business models. INFSO is concerned that the proposal does not sufficiently take account of the economic climate and is at odds with the vision of Europe 2020.”

It’s not the first time (and won’t be the last) that data protection regulation has been blamed for standing in the way of progress but this opinion presents a significant challenge to the EU Commission’s efforts to complete the race to revise the EU Data Protection Directive.
 

ICO Information Rights Strategy 2012 - UK regulator identifies information security as continuing priority while targeting Financial Services, Health and Telecoms/New Media for close attention

This post was written by Cynthia O'Donoghue and Nick Tyler.

The Information Commissioner’s Office (ICO), the UK’s data protection and freedom of information regulator, has launched a high level “Information Rights Strategy”.

In it, the ICO identifies the following priority areas: Internet and mobile services; health; credit and finance; criminal justice; and information security.

The ICO will focus on outcomes in the above areas that reduce risks to information rights (both data protection and freedom of information). The outcomes are aimed at raising the awareness and understanding of information rights and risks. The ICO seeks to raise awareness among individuals as well as those organisations responsible for meeting obligations under information rights law.

The ICO’s strategy applies internationally and recognises the pervasive risks arising from “global data flows and universal deployment of new technologies”. The ICO seeks to work with and influence fellow regulators at EU and global level in an effort to achieve a consistent and harmonised approach.

The ultimate objective of “good information rights practice” will depend in part on the ICO’s use of its enforcement powers. In identifying the five priority areas, the ICO clearly signals which industry sectors and compliance issues will receive “particular regulatory attention”.

While the area of information security will continue to be a priority compliance risk for all, organisations in the telecommunications/new media, health sector and financial services will fall under the regulator’s microscope.

In a stark warning to any who may be complacent about compliance, the ICO states: “We will actively seek out situations where organisations significantly fail to live up to their information rights responsibilities and use the full range of our powers to address these”.

When might a private email account become 'public property'? Freedom of information guidance may lead to erosion of privacy for employees

This post was written by Cynthia O'Donoghue and Nick Tyler.

There will always be a tension implicit in the relationship between freedom of information and data protection laws. In the United Kingdom this is usually alleviated by the fact that both are regulated by the same person/body, the Information Commissioner’s Office (ICO). However, recently published ICO guidance, aimed at public authorities under the Freedom of Information Act 2000 (FOIA), could provide an arguable basis for allowing private sector organisations to search their employees’ private email accounts for work-related communications or company business to respond to subject access requests made under the Data Protection Act 1998 (DPA) or other legitimate requests, such as e-discovery/disclosure.

The ICO guidance 1 was prompted by reports of government ministers, elected representatives and/or public sector officials using their non-work personal email accounts (e.g. Hotmail, Yahoo and Gmail) for work-related communications and official business. Concerns that this may have been done in a deliberate attempt to circumvent the FOIA regime prompted the regulator to act. The ICO guidance makes it clear that information held in such accounts and relating to official business of a public authority is “held by the authority” and/or “held by another person on behalf of the authority” and is therefore in scope of a request made under FOIA.

We wonder whether by ensuring no stone is left unturned to identify all information within the scope of FOIA requests this guidance might have some unintended consequences, by analogy, in the context of subject access requests made under the DPA.

The guidance requires public authorities that have established the existence of such information to ask the individual “to search their account for any relevant information”. A record of such action needs to be kept “to demonstrate, if required, that appropriate searches have been made in relation to a particular request”. This may arise in the course of the ICO’s investigation of a complaint under FOIA.

The guidance recommends clear policies for email/acceptable use of IT systems, and records management, in an effort to address the acknowledged “complications” arising from the onerous requirement to request “searches of private email accounts, and other private media”.

Addressing similar “complications” could lead to employers exerting their authority over their employees in attempting to either identify all personal data within the scope of a data subject access request or within the scope of a company’s legitimate business interest, such as would be required to respond to disclosure/discovery. The rationale behind the guidance could just as easily be applied, by analogy, to those occasions when the ICO deems it appropriate that such searches should extend to personal email accounts and home computers, where these have been used to process personal data for which the employer is the data controller.

Such unintended consequences inevitably raise genuine concerns about the erosion of privacy in the workplace. At this point such concerns are likely to surface in the public sector workplace, unless accepted as the inevitable price of greater openness in the public sector. 

 

1 “Official information held in private email accounts”, ICO, dated 15 December 2011
 

The European Court of Justice rules twice in one day on data protection issues: Emerging clarity and consistency is in everyone's interests.

This post was written by Cynthia O'Donoghue and Nick Tyler.

“You wait for ages for one and then two turn up at the same time!” The European Court of Justice issued two significant rulings this past November.

The first addressed the manner in which Spain enacted the Data Protection Directive. In Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) v Administración del Estado (C-468/10) and Federación de Comercio Electrónico y Marketing Directo (FECEMD) v Administración del Estado (C-469/10), the claimants challenged Spain’s national data protection law (Organic Law 15/1999) which imposed the extra condition that personal data must be in the public domain when processed, based upon a data controller’s legitimate interests. The ECJ ruled that Article 7(f) of the Data Protection Directive 95/46/EC was sufficiently precise to have direct effect in member states’ national laws because it sets out an exhaustive list of conditions to the processing of personal data and as such member states may not impose additional conditions.

The surprising aspect of this case, in our view, is that it has taken until now to gain a degree of consistency of interpretation for what is a relatively straightforward provision of EU data protection law. In our experience the misinterpretation of this provision in Spanish law has presented real practical difficulties to clients implementing run-of-the-mill applications involving non-sensitive personal data. The resulting emphasis in Spain on the need to gather consent has inevitably introduced increased bureaucracy and associated costs.

The other case, Scarlet Extended SA (Scarlet) v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM) (Case C-70/10), stemmed from a referral to the ECJ by the Belgian court and has important implications for the practical enforcement of copyright infringement cases. SABAM, a management company representing owners of copyright-protected works, took legal action against Scarlet, an Internet Service Provider (ISP), because Scarlet’s users were downloading works in SABAM’s catalogue through peer-to-peer networks/file sharing and so infringing copyright.

In the legal proceedings SABAM asked the Belgian courts to make an order requiring the ISP to stop such infringements “by blocking, or making it impossible for its customers to send or receive in any way files containing a musical work using peer-to-peer software without permission”. The technical solution would involve a systematic analysis of all content and the collection and identification of users’ IP addresses from which unlawful content was sent, which may also result in the blocking of lawful content. The local Belgian court granted SABAM’s request for an injunction.

Scarlet appealed, claiming that the injunction would be unlawful on several grounds, most notably in the context of data protection and privacy by breaching Belgian laws implementing Directive 2000/31, prohibiting the monitoring of communications and the general surveillance of all communications passing through the ISP’s network, and Directive 95/46/EC because the filtering system would involve the processing of IP addresses, which are personal data.

The ECJ ruled that the technical solution did not strike a fair or proportionate balance between the protection of the intellectual property right holders and the freedom to conduct a business, such as ISPs, nor was a fair balance struck between the protection of copyright and the fundamental rights of individuals, in this case the ISP’s customers.

Crucially, the ECJ noted the impact on the ISP’s customers and the infringement of their fundamental right to protection of their personal data (Article 8 of the Charter of Fundamental Rights of the EU) and their freedom to receive or impart information (Article 11 of the Charter).

This ruling essentially validates the Art. 29 Working Party’s opinion that in the hands of ISPs, IP addresses are personal data because “they allow those users to be precisely identified.” What is unclear from the ruling is whether IP addresses are also considered to be personal data when processed by organizations that would not have access to names and account information that would enable such precise identification.

U.S. Federal Government Reverses its Stance on Online Gaming

Joseph Rosenbaum, Ramsey Hanna and Joshua Marker posted an update on our sister blog, Legal Bytes, regarding how the Department of Justice reversed its position on the U.S. Wire Act's applicability to online gambling that does not involve sports betting. Our interdisciplinary team of privacy specialists, technologists and marketing-focused attorneys have their eye on this development. The DOJ's statement has the potential to rev the data-intensive, multi-billion dollar online gambling industry back up in the U.S. market.

For more information, please visit our Legal Bytes blog or read the issued Client Alert here:  U.S. Federal Government Reverses its Stance on Online Gaming.

New EU Data Protection Framework

This post was written by Cynthia O'Donoghue, Nick Tyler and Katalina Chin.

The new proposed EU Data Protection Framework looks set to implement dramatic changes to the landscape and to affect any organisation that does business in the EU or that handles the data of its citizens. It has the potential to create even more regulatory burdens on business despite promoting a more self-regulatory regime. Although the new Framework is in draft and is making its way through the legislative process, it makes for sobering reading because failure to comply could result in sanctions of up to 5 percent of an organisation's annual worldwide turnover.

To view the entire alert, please click here.

 

UK High Court challenges ICO's view on the scope of "domestic purposes" exemption - UK data protection regulator may now be expected to intervene and stop unlawful publication of offensive material on the Internet

This post was written by Cynthia O’Donoghue and Nick Tyler.

In a decision with potentially far-reaching consequences for the UK data protection regulator, a High Court Judge, Tugendhat J., questioned the legal basis upon which the Information Commissioner’s Office (ICO) declined to take action to stop the publication of defamatory and offensive material on the website solicitorsfromhell.co.uk. See, The Law Society and Others v Rick Kordowski [2011] EWHC 3185 (QB) (Judgment dated 7 December 2011).

The website was a forum for individuals to post comments about lawyers, most of which were libelous or defamatory, and could be posted anonymously without any moderation by the site’s publisher. The judge ordered that the site be taken down permanently and banned the web address from being transferred to anyone else.

Mr Kordowski failed to mount any credible defence to the raft of claims brought in the proceedings – the judge labelling him a “public nuisance”. The judge also highlighted the challenge faced by the administrative justice system by what he identified as a new breed of “vexatious litigant” – “defendants who mischievously provoke claims which they know they cannot defend”.

Tugendhat J. commented that he found it impossible to reconcile the legal views of the ICO expressed in a letter to the Law Society with authoritative statements of the law, and found that the UK Data Protection Act 1998 (“DPA”) indeed envisages that the ICO should consider what is acceptable for one individual to say about another under the First Data Protection Principle, since data must be processed lawfully.

The ICO based its position on the scope of the “domestic purposes” exemption in relation to individuals posting their views on third party websites. Section 36 of the DPA exempts all processing of personal data by an individual “only for the purposes of that individual’s personal, family or household affairs (including recreational purposes)”. Even though the ICO had recognized “a growing social problem in individuals posting offensive material about each other”, the view expressed to the Law Society was that the DPA was both “out of step with technology” and “simply not designed to deal with [this] sort of problem”.

While the court did not review the ICO’s decision, the clear implication was that the ICO could, and perhaps should, have taken a more active role in exercising its regulatory powers. The court acknowledged that the ICO may often find itself in the difficult position of being asked to referee legal disputes which might better be resolved in the courts. In a clear-cut case, however, “where there is no room for argument that processing is unlawful [in this case defamatory and amounting to harassment]”, it is difficult to argue that the processing was not within the ICO’s enforcement powers.

The challenges faced by those charged with regulating the Internet are significant, and the court’s judgment aligns with the limited scope of the “domestic purposes exemption” set out in the draft EC Data Protection Regulation, which specifically carves out of the domestic purposes exemption instances when an individual posts personal data on the Internet that is “accessible to an indefinite number of individuals”.

Following this judgment, it will be interesting to see if the ICO follows the court’s interpretation of its ability to take a more robust view of its powers in relation to “lawful processing”. The ICO will certainly have to think twice about what qualifies as a “domestic” exemption, and there is a message in here for web site operators as well: they can no longer rely on the “domestic” use exception and will have to increase web site moderation and take down obviously unlawful postings.

A Seasonal Reminder for Your New Year's To-Do List - Implement Your Cookie Action Plan for a "Good Enough" Solution!

This post was written by Cynthia O'Donoghue and Nick Tyler.

On Christmas Day, organisations operating in the UK will have just five months to get their act together and comply fully with the new EU-wide rules on cookies.

See earlier Client Alerts:

The 12-month lead-in period set by the UK data protection regulator, the Information Commissioner’s Office (ICO), expires on 25 May 2012. This period is a time for taking pro-active steps, with the Information Commissioner himself issuing a timely warning on his blog that not enough is being done to address compliance by too many.

If the ICO’s message wasn’t clear seven months ago, its latest reminder should be now:

“organisations will need to be able to demonstrate they have taken sensible measured action to move to compliance. If a website has not achieved full compliance at the end of the period the [ICO] will expect a specific and clear explanation of why it was not possible to comply in time, a clear timescale for when compliance will be achieved and details of specifically what work is being done to make that happen.”

The ICO have helpfully taken the opportunity to update their guidance. This now includes a number of useful examples of what some organisations are doing to meet the new requirement for positive consent to cookies and other similar technologies.

The key first steps remain the same:

1. Cookie Audit,
2. User Impact Assessment, and
3. Action Plan.
 

At this stage of the lead-in period, the ICO expects organisations to have decided on the solutions appropriate to them and to have ready an

4. Implementation Plan – setting out the organisation’s activities to get into compliance between now and 25 May 2012. If you haven’t yet started this process, now is the time to start and to map out your chosen solutions!

The ICO emphasises that organisations must have in place “mechanisms for exercising user choice” to better educate consumers about the different cookies they use, what they are used for, and “making the case” about the undoubted benefits of cookies. The ICO’s guidance stems from UK Government-sponsored research revealing the general public’s limited understanding of cookies and how to manage them, including among more “internet-savvy” consumers.

While many view the new EU-wide requirement for positive consent to cookies as a legislative ‘sledgehammer to crack a nut’, the ICO’s position is that the more information given to consumers the better choice and control they are able to exercise.

The ICO’s view is the opposite of less is more in that greater information and choice will result in increased consumer confidence rather than resistance to cookies.

While the ICO recognises that technical solutions remain a “work in progress”, it also challenges the prevalent criticism of the new rules by highlighting some genuine ‘quick fixes’ which, while not perfect, seem to be good enough for them to accept as compliant.
 

The CNIL provides guidance to comply with French cookie legislation

This post was written by Cynthia O'Donoghue and Daniel Kadar.

In August, France implemented new rules governing the use of cookies as required under the ePrivacy Directive (Ordinance of 24 August 2011 number 2011-1012 relating to electronic communications ("the Ordinance")), and the CNIL has now issued guidance called the ‘Telecoms Package’ to help businesses comply with cookie legislation in France. The main aim of the guidance is to explain how users can be informed about cookies and how their consent can be obtained prior to the placement of cookies on an individual’s computer.

The guidance provides clarification on the following areas:

  • The definition of "cookie" broadly includes other technology related to cookies, such as Flash cookies and local web storage.
  • Users' consent to cookies must be specific. The settings of most browsers can, according to the CNIL, be changed so that the consent of the user will be demanded for each cookie. However, in the CNIL’s view, this solution raises a number of problems. As such, browsers in their current state do not meet the requirements of the Ordinance in obtaining user consent.
  • No consent is needed for cookies that are used for the sole purpose of enabling or facilitating communication, such as session cookies, cookies related to language preferences, Flash cookies necessary for a media player to operate, cookies that contribute to the security of the user, or cookies used to remember a shopping basket.
  • Third-party cookies - it is the website operator’s responsibility when the site allows a third party to place a cookie on a user’s computer.

Website operators are liable for an administrative fine of up to EUR 300,000 for any breach of the new rules, and there is the possibility of criminal sanctions. Most importantly, the information and consent requirement applies regardless of whether cookies contain personal data or not.

The CNIL stated that methods for collecting user consent can take many forms (the following list is not exhaustive); for example, (i) a banner just like the one used on the webpage of the UK data protection regulator (ICO); (ii) an area of the application dedicated to consent; or (iii) tick boxes when registering for an online service.

Businesses with online operations are recommended to conduct an assessment of the nature of each cookie, how intrusive they are, decide if consent is needed, and think about how users could be provided with detailed information about the cookies. This is important because if a complaint is made against a website operator, the CNIL will review what the website operator has done to ensure compliance.
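The ICO post above sets out the cookie audit, user impact assessment and action plan as the first steps, and the CNIL guidance lists which cookies fall within the communication exemption and which require prior consent. The following is an added example (not code from the ICO, the CNIL or the original posts) of how a site could encode the outcome of such an audit and gate cookie-setting on recorded consent. The cookie names, categories and the `cookie_consent` value format are constructed for illustration; a real inventory would come from the organisation's own audit.

```javascript
'use strict';

// Constructed cookie inventory: the output of a cookie audit. "exempt" marks
// cookies that fall within the communication/strictly-necessary exemption
// (session, language preference, security, shopping basket, and the cookie
// that records the user's own consent choice). Everything else needs consent.
const COOKIE_REGISTRY = {
  sessionid:      { category: 'necessary',   exempt: true,  note: 'session cookie' },
  lang:           { category: 'necessary',   exempt: true,  note: 'language preference' },
  basket:         { category: 'necessary',   exempt: true,  note: 'shopping basket' },
  csrftoken:      { category: 'necessary',   exempt: true,  note: 'security of the user' },
  cookie_consent: { category: 'necessary',   exempt: true,  note: 'records the user choice' },
  _analytics_id:  { category: 'analytics',   exempt: false, note: 'first-party analytics' },
  ad_tracker:     { category: 'advertising', exempt: false, note: 'third-party ad network', thirdParty: true },
};

// Parse a Cookie request header ("a=1; b=2") into a name -> value map.
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Parse the constructed consent cookie value ("analytics:1|advertising:0")
// into a category -> boolean map. Absent categories mean "no consent".
function parseConsent(value) {
  const consent = {};
  if (!value) return consent;
  for (const item of value.split('|')) {
    const [category, flag] = item.split(':');
    if (category) consent[category.trim()] = flag === '1';
  }
  return consent;
}

// Audit a request's cookies against the registry: which are exempt, which
// non-exempt cookies have consent, which do not, and which are unknown
// (not in the inventory at all, i.e. the audit missed them).
function auditCookies(cookieHeader, registry = COOKIE_REGISTRY) {
  const jar = parseCookieHeader(cookieHeader);
  const consent = parseConsent(jar.cookie_consent);
  const report = { exempt: [], consented: [], unconsented: [], unknown: [] };
  for (const name of Object.keys(jar)) {
    const entry = registry[name];
    if (!entry) { report.unknown.push(name); continue; }
    if (entry.exempt) { report.exempt.push(name); continue; }
    (consent[entry.category] ? report.consented : report.unconsented).push(name);
  }
  return report;
}

// The gate: may this cookie be set given the current consent state?
// Cookies missing from the inventory are refused, which is the safe default.
function mayStore(name, consent, registry = COOKIE_REGISTRY) {
  const entry = registry[name];
  if (!entry) return false;
  if (entry.exempt) return true;
  return consent[entry.category] === true;
}

// Build a Set-Cookie header value, or return null when consent is lacking so
// the caller cannot emit the cookie by accident.
function buildSetCookie(name, value, consent, registry = COOKIE_REGISTRY) {
  if (!mayStore(name, consent, registry)) return null;
  const attrs = ['Path=/', 'Secure', 'SameSite=Lax'];
  return `${name}=${encodeURIComponent(value)}; ${attrs.join('; ')}`;
}

// Constructed sample request: analytics consented, advertising refused,
// plus one cookie the audit never catalogued.
const SAMPLE_COOKIE_HEADER =
  'sessionid=abc; _analytics_id=GA1.2; ad_tracker=x; mystery=1; cookie_consent=analytics:1|advertising:0';

console.log(JSON.stringify(auditCookies(SAMPLE_COOKIE_HEADER), null, 2));
```

The audit report's `unconsented` and `unknown` lists are the actionable output: the first shows cookies being set without the positive consent the ICO expects, the second shows gaps in the inventory itself. Keeping the exemption decision in one registry, rather than scattered through page scripts, also gives the organisation the documented record of its "sensible measured action" that the ICO says it will expect.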

Tougher data protection laws in Taiwan expected to become effective in 2012

This post was written by Cynthia O'Donoghue.

The Taiwanese Ministry of Justice recently concluded a public consultation on draft enforcement rules and proposed amendments to its primary data protection legislation, the Computer-Processed Personal Data Protection Act ("the Act").

The amendments are reportedly far-reaching. If the amendments are approved, some key changes to the Act would be:

  • The law would apply to the private as well as public sector. The law would have extraterritorial effect and would apply to entities outside Taiwan if the data of Taiwanese residents is collected.
  • Class actions would be possible.
  • The minimum administrative fine would increase from NT$10,000 to NT$100,000 (approx. EUR 2,430), and the maximum from NT$20,000 to NT$500,000 (approx. EUR 12,000).
  • Fines could be imposed both on the company and on the individual person responsible for data protection compliance.

The amendments were to be finalised by the end of November 2011 and are expected to be sent to the Cabinet for approval this month. If approved, the new law, the “Personal Information Protection Act”, should come into force by November 2012.

Businesses established in Taiwan and non-Taiwanese businesses conducting business in Taiwan should consider undertaking a review of their personal data collecting procedures, technical & security measures, and other company data protection policies in preparation for the new data protection rules to ensure compliance. This is especially pertinent, given the more severe criminal sanctions proposed by the amendments of up to five years in prison, and increased fines of up to NT$1 million.

Labels of conformity with the French Data Protection Act now available from the CNIL

This post was written by Cynthia O'Donoghue & Daniel Kadar.

Earlier this month, the CNIL announced that CNIL labels would now be available for two categories with respect to processing of personal data:

i) data privacy audit procedures, and
ii) data privacy professional training.

The labels signify to the public that the product or process offered meets the requirements of the CNIL in terms of quality and compliance.

The CNIL had the possibility of issuing labels on products or procedures to mark their compliance with the Data Protection Act as far back as 2004. However, because of logistical problems, the CNIL was not able to deliver such labels. The law of 13 May 2009 removed such barriers.  Moreover, Decision 2011-249 of 8 September 2011 modified the CNIL's internal regulations and paved the way for products and procedures to receive a label as a seal of approval.

The process for obtaining the label involves setting up an application file evidencing compliance with a full set of specifications ranging from knowledge and capacity to comply with the French Data Protection Act, to high-quality standards.

Accordingly, for data privacy audit procedures, the CNIL has based its specifications on the ISO 19011 standard.

The CNIL will have two months to consider an application for a label. The cost of the application and any amendments are not known yet.

If awarded, the label will be valid for three years and the company can display the label logo.

Refusal to issue or withdrawal of the label does not mean that the applicant is in breach of the Data Protection Act. It just means that the product or process does not accord with the requirements of the CNIL in order to obtain a label.

As data security and data protection compliance becomes more prominent, the CNIL label could be seen as a notable competitive advantage in the market in these two areas.
 

Leaked proposed EU Commission Data Protection Regulation has potential to open eyes and make mouths water!

This post was written by Cynthia O'Donoghue.

The European Commission’s new draft data protection regulation was leaked to the press earlier this month. The proposal includes repeal of the present EU Data Protection Directive 95/46 and recommends a General Data Protection Regulation, as well as a Police and Criminal Justice Data Protection Directive.

The Commission appears to have made good its threats to increase enforcement to make U.S. and other companies outside the EEA comply. Some of the ground-breaking proposals include a harmonised enforcement and sanctions mechanism which includes penalties of 1%, 3% or 5% of an enterprise's annual worldwide turnover for intentional or negligent breaches of various data protection obligations. Those penalties will certainly force organisations to sit up and take notice of their data protection obligations.

As suspected, the draft regulation includes new elements in relation to the principles of transparency and data minimisation, as well as a new principle of accountability for data controllers. Built into the new principle is an obligation for Privacy by Design “and by default”.

In addition, the right to be forgotten shifts the burden from individuals to organisations by requiring organisations that seek to continue to process personal data to demonstrate compelling legitimate grounds for the processing which override the interests or fundamental rights of the individual. This new right to be forgotten extends to erasure of information in the public domain available via the Internet or other communication service, and links to a new right to have the data restricted.

The draft Regulation also includes an obligation on large enterprises, whether data controllers or data processors, to appoint a data protection officer where the processing of personal data requires regular and systematic monitoring.

The draft Regulation further proposes a new ‘super’ regulator, a European Data Protection Board to consist of the heads of each of the Member States’ Data Protection Authorities to replace the Article 29 Working Party. This new ‘super’ regulator will have the power to review and opine on measures at the national level relating to cross-border data processing whether within the European Union or outside of it, including approvals of data transfer agreements and binding corporate rules.

As we recently saw with France’s implementation of a data protection label, the proposed Regulation encourages the use of data protection certifications, such as seals and marks, for data controllers, aimed at helping individuals assess an organisation’s privacy practices.

Unless organisations move data privacy and protection up their priority list, they will be sitting on a time bomb. The issue is not whether this proposal will come into force, but when, and while there may be some changes while the proposal makes its way through the European Parliament, the way forward for organisations is now clear, and organisations will have at least two years to bolster their processes and procedures and get ready for the new horizon.
 

Even Data Privacy Obligations are Bigger in Texas

This post was written by John L. Hines, Jr., Paul Bond, Amy S. Mushahwar, Brad M. Rostolsky and Frederick Lah.

Earlier this year, Texas Governor Rick Perry signed into law Texas House Bill (H.B. 300), which presents more stringent requirements for health privacy, data breach notification obligations, and increased fines for violations. The law will become effective September 1, 2012. The following client alert details what businesses in Texas need to know about this new data privacy law. In addition, we wanted to remind clients about California's amendments to its data breach notification bill, as those changes are set to become effective January 1, 2012. Please feel free to pass this along to any client who may find it relevant.

To view the entire alert, please click here.

FTC's Consent Order with ScanScout: The Latest Progression with 'Flash Cookies' and Privacy

This post was written by Mark S. Melodia, Christopher G. Cwalina, Steven B. Roosa and Frederick Lah.

Online advertising network ScanScout, Inc. has agreed to settle the FTC's charges that it deceptively represented that users could opt out of receiving targeted ads by changing their Web browser settings to block and delete cookies. The consent decree stems from the FTC's charges that ScanScout's privacy policy did not adequately inform users about the placement on their computers of Flash local shared objects, otherwise known as "Flash cookies", or about how to manage them. This news is just the latest progression with the Flash cookie issue. In addition to the ongoing threat of Flash cookie-related litigation, companies should now be put on notice that the failure to properly disclose the use of Flash cookies can result in FTC enforcement. The following client alert provides more detail about the consent decree itself and lists some steps that every company with an online presence should take with regard to their use of Flash cookies and other data collection technologies. Please feel free to pass this along to any client who may find it relevant.

To view the entire alert, please click here.

Tougher EU Data Protection Laws on the Horizon

This post was written by Cynthia O'Donoghue.

In a bid to strengthen the European data privacy rules and further protect EU consumer privacy, it is most likely that non-European companies will be held to the same standards as European companies.

The EU Justice Minister, Viviane Reding, and the German Consumer Protection Minister, Ilse Aigner, released a joint statement saying that the proposed reforms to the Data Protection Directive due at the end of January 2012 will be changed so that consumers’ privacy is protected regardless of a company’s country of origin. “We both believe that companies that direct their services to European consumers should be subject to EU data protection laws. Otherwise they should not be able to do business on our internal market.”

Reding and Aigner focused their statement not just on social networks but also on data that is stored in a ‘cloud’. They stressed that consumers should have more control over their data and stated “EU law should require that consumers give explicit consent before their data are used. And consumers generally should have the right to delete their data at any time, especially the data they post on the internet themselves.”

The joint statement leads us to conclude that both a new principle of accountability and a ‘right to be forgotten’ will be included in the revised EU data protection law. The statements are also consistent with the increased pressure for social networks, like Google and Facebook, which operate outside the European Union but target EU-based consumers, to fully comply with the EU data protection laws. The pressure on such companies can also be seen as a natural progression from the investigations into their handling of personal data that have emanated from France, Germany, the UK and Ireland. To prepare for the new horizon, organisations should start by thinking about compliance.

Securing Director-Level Communications in the Face of Real, Present Cyber Threats

This post was written by Mark Melodia, Paul Bond, and Frederick Lah.

When it comes to data security training, it may be surprising to learn that the people who run the company often have the greatest need for training. Since directors and executives of companies make important big-picture decisions, it is critical for them – perhaps more than any other employees in the company – to be knowledgeable and mindful about their information-sharing and use practices. Consider the fact that most directors and executives of companies tend to be older than the average employee and thus, probably not as technologically savvy, and the need for proper data security training and measures becomes even more significant.

An article by Mark Melodia and Paul Bond of Reed Smith's Data Security, Privacy & Management team was recently featured in Corporate Compliance Insights. The article highlights five manageable steps that companies should take to secure director-level communications in the face of cyber threats.

Predictions on the New EU Data Protection Law

This post was written by Cynthia O'Donoghue.

Richard Thomas, the former UK Information Commissioner, predicted that the European Commission will issue a regulation rather than a directive as part of the overhaul of the EU data protection directive. Under EU law a regulation has immediate legal effect, whereas a directive requires the EU member states to enact implementing legislation. The issuance of a regulation would finally harmonise data protection law across the EU member states. In addition, Richard Thomas predicted that the issuance of a regulation would result in a standardised registration process for data controllers across the EU. Richard Thomas made his predictions at the 10th Annual Data Protection Compliance Conference, which took place last week in London.

At the same conference the current Information Commissioner, Christopher Graham, complained about not having statutory powers to carry out audits in sectors that receive the most complaints and which cause him the most concern. Commissioner Graham’s complaint stems from the fact that under the UK Data Protection Act 1998 he must seek permission from organisations before being able to carry out an audit of their data protection practices. Commissioner Graham is seeking to extend his powers under the Coroners and Justice Act 2009 so that he can target those sectors most complained about which include car insurance companies and banking and building societies.

How to Craft Plain Language Privacy Notices and What Constitutes "Material Change"

This post was written by Christopher G. Cwalina.

Privacy policies have been reviled for their incomprehensibility; regulators are calling for clearer disclosures, and, increasingly, statutes require that privacy notices be written in plain language. In this program, our seasoned panelists—including a plain-language expert—will use real-world examples to help you craft a clear and consumer-friendly privacy notice that also satisfies legal requirements. Find out how to turn legalese into easy reading using common words, short declarative sentences, and an emphasis on action and choice.

In addition, the FTC has said that under well-settled case law and policy, companies must provide prominent disclosures and obtain opt-in consent before using consumer data in a materially different manner than claimed when the data was collected, posted, or otherwise obtained. What constitutes using data in a materially different manner than originally claimed can be difficult to ascertain. Companies are regularly and on an ongoing basis developing new products and services involving new data uses. The line between an existing and already disclosed use of data and the start of a materially different use that needs to be independently disclosed is not always clear, and privacy professionals are left to make this decision. Hear directly from an Assistant Director from the FTC's Division of Privacy and Identity Protection on this point.

New Data Protection Law for Costa Rica

This post was written by Cynthia O'Donoghue and Katalina Chin.

On 7 September 2011 the Executive in Costa Rica published Law No. 8968 on the Protection of the Person concerning the Treatment of Personal Data. Along with Uruguay, Mexico, Colombia, Peru, Chile and Argentina, Costa Rica is now the seventh country in Central and Latin America to enact data protection laws. Following the European model for the protection of personal data, the new Costa Rican law incorporates a consent requirement for the processing of personal data, establishes a new supervisory authority, to be known as Prodhab, which will have sanctioning powers, and also sets up a registration process for public or private entities processing personal data. This alert is of potential interest to all corporations doing business in Costa Rica.


Barnes & Noble's Acquisition of Borders' Database On The Shelf?

This post was written by Mark S. Melodia, Paul J. Jaskot, and Frederick Lah.

On September 15, Barnes & Noble ("B&N") acquired several of Borders’ intellectual property assets, including a database of customer information, as part of Borders' bankruptcy auction. The sale of those assets hit a potential roadblock on Thursday, though, when a New York bankruptcy judge refused to approve the transaction, saying that he needed more time to think about the potential privacy concerns. This decision came on the heels of a Report issued by a court-appointed ombudsman who recommended certain privacy restrictions to be taken with respect to the customer information.

The Report recommended, among other restrictions, that B&N obtain the affirmative consent of affected consumers before transferring the personal data and that it treat consumer information pursuant to Borders' privacy policy in effect at the time of its collection. Borders' first privacy policy, published in 2006, provided that it will "only disclose [customer] email address or other personal information to third parties if you expressly consent to such disclosure." (emphasis in original text)

The Report also cited letters the ombudsman received from 25 State Attorneys General and the FTC expressing concern over the transfer of personal information in connection with the sale. The FTC's letter recommended that any transfer of personal information take place only with the consent of Borders' customers or with significant restrictions on the transfer and use of the information. Those recommended restrictions included: (i) Borders agreeing not to sell the customer information as a standalone asset; (ii) the buyer's line of business being substantially similar to that of the old owner; (iii) the buyer expressly agreeing to be bound by the terms of Borders' privacy policy; and (iv) the buyer agreeing to obtain affirmative consent from consumers for any material changes to the policy. The FTC further stated that any transfer of customer information could contravene Borders' express promise not to disclose such information and could constitute a deceptive or unfair practice.

B&N responded to the Report by filing a statement with the bankruptcy court. In the statement, B&N denied knowing that the ombudsman was planning to make recommendations or that he had corresponded with the FTC and the Attorneys General. B&N characterized the Report's restrictions as "overreaching and unnecessary" and said that implementation of the restrictions "would materially reduce the value of the customer list." While B&N did agree with some of the restrictions, it rejected others, particularly that Borders obtain opt-in consent for the transfer of personal data and that B&N treat consumer information pursuant to Borders' privacy policy in effect at the time of its collection. According to B&N, it would be completely unrealistic to expect customers to affirmatively respond to a request from Borders since Borders "has gone out of business." Further, to treat consumer data pursuant to Borders' privacy policies at the time of its collection would be, according to B&N, "administratively difficult, if not impossible, and would likely have the perverse effect of harming consumers through confusion and lack of a straightforward method for them to understand how their information is being used." B&N said the transaction is "at risk."

This is certainly not the first time that would-be buyers of information-based assets have faced FTC or judicial scrutiny and concerns about the privacy implications of such a transfer. For example, last year, a former publisher of a magazine and dating website for gay youth declared bankruptcy, which resulted in a dispute over ownership of various business assets, including the subscriber database. The FTC warned that any transfer or use of the database could potentially result in a violation of the FTC Act. The New Jersey Bankruptcy Court eventually ordered the buyer to destroy the subscriber database.

Similarly, in 2000, the FTC brought an action against Toysmart, in which the Commission sued an online toy retailer which had filed for bankruptcy and sought to auction the personal information it collected from customers. The Commission eventually entered into a settlement with Toysmart allowing the transfer so long as the buyer adhered to certain restrictions, many of which were similar to the ones recommended in the FTC's letter to Borders.

In today’s information age, consumer information is essential to business efficiency and can be a very valuable asset for those companies that are forced to liquidate their assets to mitigate debt (as evidenced by the $13.9 million price tag B&N agreed to pay for the IP assets). While databases containing consumer information can be valuable, transferring such databases can be a risky process, subject to judicial and regulatory scrutiny. This case teaches us that companies looking to perform these transfers need to be mindful of the privacy implications involved in the process. Reed Smith can help companies that are contemplating such transactions, whether in a bankruptcy proceeding or a negotiated transaction, with evaluating the transferability of those assets and identifying and analyzing associated risks — before the government or another third party does.

FTC Announces Proposed Revisions to Children's Online Privacy Protection Act Rule

On September 15, 2011, the Federal Trade Commission announced proposed changes to the Children’s Online Privacy Protection Act Rule (the "COPPA Rule") and is seeking public comment on proposed amendments to the COPPA Rule, which gives parents control over what personal information websites may collect from children under 13. The FTC’s purpose was to modernize the COPPA Rule in order to take into account technological changes. Written comments must be received on or before November 28, 2011. To read more on the topic please see the full client alert here.


Privacy Compliance: Not Just a Luxury Anymore

This post was written by Mark S. Melodia and David Z. Smith.

On August 29, 2011, a Google shareholder filed a derivative action against the company’s directors stemming from Google allegedly allowing and supporting Canadian and other foreign pharmacies to advertise and ship prescription drugs to American consumers through Google’s AdWords advertising program in violation of U.S. law. The lawsuit comes on the heels of the announcement days earlier of a $500 million settlement between Google and the U.S. Department of Justice over an investigation of those same advertising practices. Google’s AdWords program displays sponsored advertisements in response to specific searches entered into Google’s search function. AdWords not only allows advertisers to target certain search terms, but to geo-target the searchers, so that certain advertisements will only appear for search terms entered by individuals within a certain geographic location. Plaintiff thus alleges that the directors breached their fiduciary duties and wasted corporate assets by, among other things, failing to ensure that Google had proper internal controls that would have prevented Canadian pharmacies from geo-targeting U.S. citizens with advertisements for prescription drugs.

This lawsuit is the latest in a growing line of derivative and securities fraud complaints based on an alleged lack of internal controls over data security and privacy. In past cases, companies such as Heartland Payment, ChoicePoint, TJX, and more recently, Sony, have all been sued for allegedly failing to develop and maintain an adequate security environment, thereby allowing consumers’ private information to be exposed and forcing the companies to expend scarce corporate resources to prevent litigation losses or further reputational hits. The Google case shows that companies not only face the risk of derivative or securities fraud actions over the failure to protect consumers’ data, but may also be forced to defend any failures to control how their systems are used (or possibly misused) by a third party to target consumers they should not be allowed to target. With the increasing sensitivity over online data security and privacy, and growing public awareness of web/search advertising functionalities such as AdWords or sites that allow third-party communication and geo-location check-ins (like social media sites), these lawsuits are likely to become more frequent. Such cases also deliver a fresh reminder to senior management of how strong privacy compliance programs and practices have come to be regarded as a critical component of good corporate governance and behavior.

FTC OKs Self-Regulation Program for Online Behavioral Advertising

This post was written by Christopher G. Cwalina, Amy S. Mushahwar and Frederick Lah.

On August 15, the Federal Trade Commission issued an advisory opinion letter saying that it has no present intention to challenge the Council of Better Business Bureaus' accountability program for companies engaged in online behavioral advertising. The program is designed to hold those companies accountable for compliance with the Self-Regulatory Principles for Online Behavioral Advertising, which were released by the FTC in 2009. While the FTC's analysis was limited to competition law, it still signals a step in the direction of self-regulation for the online behavioral advertising industry. In our Client Alert, we review the requirements of the program and take a closer look at the FTC's analysis.


Regulatory Round Up 8.16.11

Health Care in the Cloud - Think You Are Doing Fine on Cloud Nine? Hey, You! Think Again. Better Get Off of My Cloud.

This post was written by Vicky G. Gormanly and Joseph I. Rosenbaum.

The interest level in storing health records in digital format has grown rapidly with the lower cost and greater availability and reliability of interoperable storage mechanisms and devices. Health care providers like hospitals and health systems, physician practices, and health insurance companies are among those most likely to be considering a cloud-based solution for the storage of patient-related health information. While lower cost, ubiquitous 24/7 availability, and reliability are key drivers pushing health care providers and insurers to the cloud, a number of serious legal and regulatory issues should be considered before releasing sensitive patient data into the cloud.

The end of the News of the World marks the beginning of the end for wholesale privacy intrusions by the media - the Information Commissioner says, "I told you so!"

This post was written by Nick Tyler.

The closure of the News of the World, the best-read Sunday newspaper in the English language, is a stark illustration of the reputational and commercial damage that can result from privacy-intrusive practices carried out in the name of ‘investigative journalism’.

The UK’s phone-hacking scandal, which has been rumbling for years, blew up this week after it came to light that it was not just public figures and celebrities that were targeted but ordinary people (and their families) who were the victims of crime, terrorism and war. Such egregious and unconscionable behaviour saw an advertising boycott by companies, which will result in the last edition of the newspaper this Sunday carrying no commercial advertising.

Ultimately, for the newspaper’s owner Rupert Murdoch, the reputational price proved too high as the scandal’s effect threatens the share price of News Corporation International as well as its multi-billion pound takeover of BSkyB in the face of universal public outrage.

As the criminal investigation finally gets into gear, with arrests of high-profile figures expected and a public inquiry ordered by the Prime Minister, it is worth noting that the UK’s data protection regulator, the Information Commissioner Christopher Graham, this week reminded everyone that over five years ago his office (the ICO) first brought to light the unlawful trade in personal information with two special reports to Parliament, ‘What Price Privacy?’ and ‘What Price Privacy Now?’.

When first publishing these reports the ICO pressed for the strongest possible sanctions for those found guilty of the most serious criminal offences under UK data protection law. Those representations resulted in a power to change the law (see section 77 of the Criminal Justice and Immigration Act 2008). This power would enable the penalty for breaches of section 55 of the Data Protection Act 1998 to include custodial sentences. However, it has not yet been exercised by the UK Government.

On the back of the latest scandal the Commissioner this week called for that power to be exercised. We can expect that call to become stronger and louder over the coming weeks and months.

"Stick, Twist or Bust?" UK Minister warns EU Commission not to gamble with the future direction of data protection law.

This post was written by Cynthia O’Donoghue and Nick Tyler.

The UK Minister responsible for government policy on data protection has raised concerns about any proposed “radical rewrite” of the EU Data Protection Directive.

Kenneth Clarke, Lord Chancellor and Secretary of State for Justice, called for both flexibility and a common-sense solution to modernising data protection law. He recognised that “technology has moved on” and that future EU regulation of data protection must address the “broader landscape” without getting caught up in “endless” debate “over the details”.

The flagging at this stage of some fundamental UK opposition to a number of specific reforms does not bode well for a happy consensus emerging from the EU-wide negotiations to follow the hotly anticipated publication of the EU Commission proposals:

What are seen as ‘Bad Ideas’?

  • A new “right to be forgotten” – Worried about its impact on both business and the public, Mr Clarke made it plain that he wants the “right to be forgotten” to be forgotten!
  • Revision of the Data Retention Directive – Mr Clarke staunchly defended the ability of law enforcement authorities across the world to collect, retain and pool data to improve security, in spite of concerns from privacy regulators and advocates.
  • EU extra-territoriality – While acknowledging the aspirational “idea that European standards [of data protection] should apply to any firm processing EU citizens’ data anywhere in the world”, Mr Clarke was withering in his assessment that, on purely legal grounds, the European Commission must be “wrong”:

“I see little sign that the Commission has thought about this sufficiently yet. And how on earth are you going to enforce EU [data] protection on a global basis?”

Any ‘Good’ Ideas?

The Accountability Principle and Binding Corporate Rules – referring to the UK’s consultation on revision of the EU Data Protection Directive, Mr Clarke backed a more business-friendly solution:

“. . . [W]e should consider moving from a system which restricts information based on national standards of data protection, to a system based on the standard of data protection of the particular company involved – far more relevant to modern methods of business.”

Raising the Stakes for the Future of EU Data Protection?

The UK Government position appears to be against a move toward harmonization. In Mr Clarke’s view, sticking to a set of shared principles and values, which at present have been implemented and are enforced in 27 different ways, would allow each country to be true to its own “constitutional and cultural identities”:

“. . . let’s learn to understand each other’s legal systems better, not rewrite our respective statutes and codes from scratch.”

This is a challenging prospect for global businesses trying to understand and comply with local law variations across Europe. They can only hope that the future EU data protection regime delivers some significant improvements to work with, and avoids the imposition of bad ideas in the form of arbitrary, additional and onerous obligations.

.anything On Its Way: New Generic Top Level Domains Will Launch January 12

The Internet Corporation for Assigned Names and Numbers (ICANN) announced last week that it has approved the plan for unlimited new gTLDs, and that ICANN will be taking applications from January 12 to April 12, 2012. The nightmare of many brand owners fearing that ICANN would adopt a system of unlimited gTLDs is now reality. Reed Smith hosted a teleseminar on June 28th to discuss how the gTLD program presents new burdens and obligations to brand owners and what organizations should be doing to protect themselves. To listen to the program, click here. To view a related client alert, ".anything On Its Way: New Generic Top Level Domains Will Launch January 12," released Monday June 20, click here.


A busy week in Europe: Do Not Track, Children's Internet Privacy, Data Breach Notification and Transfers of Passenger Record Data

This post was written by Cynthia O'Donoghue.

Hasn’t it been a busy week in Europe? The regulators seem to be falling over one another in a race to the top of privacy regulation. Targeted are web browsers and ‘do-not-track’ mechanisms, children’s internet privacy, banks, and the U.S.’s request for passenger data.

The European Commissioner Neelie Kroes came close to threatening the advertising industry when speaking at a recent workshop in Brussels. The EU is picking up the baton from the U.S. Federal Trade Commission in calling for a ‘Do Not Track’ standard to be in place by June of 2012. For those web browsers that run, or businesses that honour, do-not-track, Commissioner Kroes says, “But this is not enough. Citizens need to be sure what exactly companies commit to if they say they honour do not track. … If I don't see a speedy and satisfactory development, I will not hesitate to employ all available means to ensure our citizens' right to privacy.”

A Supreme Court Win For Free Speech About Medical Options

This post was written by Paul Bond and Joe Metro.

States regulate doctors in issuing prescriptions. The States keep databases that show which doctors prescribe what medicines, for what purposes, and when. That information is valuable to anyone who would seek to locate doctors with certain prescription-writing habits. For example, a database user might seek out doctors to suggest that those doctors try a different drug or combination of drugs as a more effective treatment. Some doctors objected to being contacted with such suggestions, especially by commercial drug manufacturers. As a consequence, several States passed laws banning the purchase and use of prescription-writing records for purposes of commercial outreach to health care professionals. Vermont's law was challenged by IMS Health, et al., a major provider of information services to the health care industry. The United States Court of Appeals for the Second Circuit, at IMS Health's urging, struck down Vermont's law as imposing an unconstitutional impairment on commercial free speech. Today, in a 6-3 decision, the United States Supreme Court agreed, adopting a position that Reed Smith helped advance.

Justice Kennedy, writing for the majority in Sorrell v. IMS Health, stated that: "Speech in aid of pharmaceutical marketing...is a form of expression protected by the Free Speech Clause of the First Amendment. As a consequence, Vermont’s statute must be subjected to heightened judicial scrutiny. The law cannot satisfy that standard." The Court noted that Vermont's law would allow academics to use prescriber-identified information to promote generic drug use. However, the same law would block the makers of brand-name drugs from reaching out to doctors in a comparable, high-touch informational campaign. Thus, "the law on its face burdens disfavored speech by disfavored speakers." Lacking a compelling reason for this viewpoint-based discrimination, Vermont's law could not stand.

The dissent, authored by Justice Breyer, called for a more relaxed standard of review to be applied to the challenged State regulations. The dissent argues that the speech in question is commercial; that limits are routinely put on marketing speech especially in connection with health and safety; and moreover, that the States should be afforded great leeway in deciding for what purposes these State-created databases of prescription information are sold and used.

Reed Smith participated in this case to further explain to the Court the public health benefits arising from targeted commercial use of prescription-writing data. Reed Smith's team drafted and filed an amicus brief supporting IMS Health's position. Reed Smith submitted that brief to the Court on behalf of two former United States Secretaries of Health and Human Services (Dr. Louis W. Sullivan and Governor Tommy Thompson) as well as the Healthcare Leadership Council. The decision of the Court today is fully consistent with the positions advanced by these public health experts. Of note, the Court specifically cited and endorsed the public health benefits of a free flow of information about treatment options. As the Court found: "A consumer’s concern for the free flow of commercial speech often may be far keener than his concern for urgent political dialogue. That reality has great relevance in the fields of medicine and public health, where information can save lives."

Is the PCI Security Standards Council Preparing for Cloudy Weather?

As Companies Approach the January 1, 2012 PCI DSS 2.0 Compliance Deadline, a New Information Supplement Provides Guidance on the Scoping, Controls Necessary and Testing Procedures for Virtual Environments.

This post was written by Paul Bond, Chris Cwalina, Dan Herbst and Amy Mushahwar.

On Tuesday, June 14, the PCI Security Standards Council, the body that administers the Payment Card Industry Data Security Standard (PCI-DSS), released a comprehensive set of guidelines for PCI compliance in virtual card holder data environments. The Council's 39-page guidance document (available at https://www.pcisecuritystandards.org/security_standards/documents.php) describes in detail how each of the 12 PCI security control objectives within logical environments should be applied in a virtual setting. The document – which was over two years in the making – provides clearer guidance regarding how organizations can deploy virtualized environments in a secure fashion.

As background, before virtualization technologies, the standard computing model was one computer to one operating system with that computer’s associated applications and resources. Virtualization technologies enable IT teams to combine or divide computing resources, either to unify many computing systems into one operating environment or to partition one server into several virtual machines. Virtualization technologies undergird important applications over a wide range of areas such as virtual test environments, server consolidation, multiple operating system support, system migration, cloud computing and so on. Given the variety of virtualization flavors and applications, the Council in its guidance recognized there is “no one-size-fits-all method or solution to configure virtualized environments[.]”

Firm Attorney Amy Mushahwar Interviewed by Nymity

Please click here to read Nymity's interview with firm attorney Amy Mushahwar. Most business executives, legislators, government officials and regulators agree that information fluidity is critical to innovation and economic growth. The same group would also agree that without trust, commerce on the Internet would come to a standstill. Trust is built through protection, proper management and privacy of information.

Amy Mushahwar has followed the privacy and protection journey on the Hill for many years. She shares her observations of who is on point for what in 2011 in the Administration, Congress and the various agencies. She also provides us with insight into what might be on the privacy, security and information management agendas of those who are in charge.

Amy is a data privacy, security and management attorney at the law offices of Reed Smith and a former data security technical consultant. Amy assists firm clients with crafting public policy advocacy strategies and building enterprise‐wide regulatory compliance programs from the ground up.

UK Banks Need to Get it Right on Data Protection

This post was written by Cynthia O'Donoghue.

The Information Commissioner’s Office (ICO) told attendees of the British Bankers’ Association conference today that they need to get it right on data protection.

Banks were reminded that data protection is not only about keeping data secure, it is about ensuring individuals remain in control of data the banks hold about them.

Two years ago the ICO was inundated with complaints about the banks’ failures to provide information about unfair bank charges, and the ICO does not want a repeat.

In light of the recent ruling about the mis-selling of payment protection insurance, the ICO will expect banks to provide customers with timely and full responses to information requests.

The ICO also announced that it has identified the financial sector as a priority area in its draft Information Rights Strategy.

Case for National Breach Notification Standard - Federal Action to Follow?

This post was written by Paul Bond, Amy Mushahwar and Fred Lah.

On June 9, 2011, Citigroup confirmed that its online banking platform Citi Account Online had suffered a data breach involving the names, credit card numbers, addresses, and email details of approximately 200,000 customers. While Citi has already notified the Office of the Comptroller of the Currency in accordance with FDIC Guidance, financial institutions responding to a breach must also comply with the breach notification laws of the individual states.

Citi is just the latest victim in a recent string of hacking attacks, with major companies like Sony, Epsilon, Michael's Stores, Apple, and Google having suffered recent (and in some cases widely-publicized) breaches of their own. When a company suffers a data breach, they will often be faced with the complex task of complying with a multitude of different state laws providing divergent standards of breach notification. States often differ in how they define what type of personal information triggers notification, how long a company has to send notifications, and whether notifications must be sent to third parties (e.g., government agencies or consumer reporting agencies). Navigating the sea of 47 different state laws can be quite challenging for companies confronted with the task.


Problems With Passwords, Part I: What Tennessee Did and Did Not Address

This post was written by Paul Bond and Chris Cwalina.

The theft of services has always been illegal in Tennessee. However, consumers in Tennessee, like those across the country, routinely share their passwords to online subscription-based services like Netflix, Rhapsody, Pandora, and Hulu. The Tennessee General Assembly has addressed this issue by amending the State’s theft of services statute. The newly-revised statute makes it a criminal act to help anyone obtain a service to which he or she is not entitled, including “entertainment subscription service[s]”. The revision has been signed by the Governor, and is immediately effective. See a copy of the enacted law (attached) as well as Legislative commentary.

While the measure was widely reported as making it illegal to share passwords to online services, in fact the word “password” is not used in the revision. Tennessee’s measure is neutral as to the technology used. Whether access to the online entertainment service is based on passwords or tokens or biometric data, now or in the future, paying customers cannot legally share their path to access with non-subscriber friends and family.

The Tennessee measure addresses only the tip of the iceberg when it comes to password sharing (hereafter, a term meant to include all sharing of methods of access online). A person stealing Netflix Instant access is no different from a cable thief, or a thief of physical goods. That much should be uncontroversial. The real, unanswered question is to what extent customers should be allowed to share passwords with third parties for purposes, not of theft, but of agency. More and more, consumers are entrusting third parties with the account numbers and passwords issued to them by their banks, credit card companies, retirement plans, and other holders of consumer accounts and lines of credit. This password-sharing may be for purposes of storing all passwords in one central location (like LastPass), or for purposes of having an agent retrieve financial information from multiple accounts to compile one snapshot for the consumer (like Mint.com or CashEdge), or even to have an agent arrange for automated bill payment. Consumers provide their account passwords to these third parties, who generally have not been vetted or approved by the companies issuing the password and holding the consumer account. The Tennessee statute does not address this circumstance. The next part of our Problems with Passwords series will deal with the privacy and competitive intelligence risks posed by the widespread (and growing) consumer practice of password sharing with third parties for purposes of agency.

Prepare Now and Protect Your Cookie Jar (or those cookies may crumble)!

This post was written by Cynthia O'Donoghue and Nick Tyler.

Now that the revised rules on cookies and consent are in force in the UK, there have been two developments that we want to bring to the attention of clients by way of an update of our earlier Client Alert:

  • In an 'open letter on the UK's implementation of Article 5(3) of the e-Privacy Directive on cookies' dated 24 May 2011 (the 'DCMS letter'), the UK Department for Culture, Media and Sport (DCMS), in consultation with the UK Information Commissioner's Office (ICO), clarified how the Amended Regulations should be interpreted and implemented, following legal issues raised by industry stakeholders.
  • The ICO issued further guidance on how it will enforce the new cookie regime on 25 May 2011.

While the ICO guidance was anticipated, the DCMS letter was not. In our latest Client Alert we provide a summary of the key aspects of both these developments.

The UK is one of only a few EU countries to have implemented the revised e-Privacy Directive, and we shall be keeping a close eye on developments over the coming months to see whether the UK 'recipe' for revised cookie rules is followed elsewhere.

HHS Issues Notice of Proposed Rulemaking Regarding the HIPAA Privacy Rules Standard for Accounting of Disclosures Requirements and Access Report

Firm attorneys Gina M. Cavalier and Brad M. Rostolsky recently wrote about a HIPAA privacy update on the Life Sciences Legal Update blog. Specifically, the Department of Health and Human Services (HHS) today issued a Notice of Proposed Rulemaking implementing provisions of the HITECH Act related to accounting for disclosures of protected health information (PHI). To see the complete post, click here.

FTC Seeks Public Comment For Revising the "Dot Com Disclosures"

Careful Consideration is Advised, as FTC's Guidance May Inform Federal and/or State Enforcement Actions

Comments Deadline: July 11, 2011

This post was written by Christopher G. Cwalina, Amy S. Mushahwar, and Frederick Lah.

The Federal Trade Commission ("FTC") seeks public comment, as it considers updating and reissuing "Dot Com Disclosures: Information about Online Advertising", its business guidance document for online marketers on how to provide clear and conspicuous disclosures to consumers.

In its request for comment, the FTC cites the dramatic changes in the online world since the guidance was originally published in 2000, particularly the emergence of mobile marketing, the "App" economy, the use of "pop-up blockers," and online social networking. (This recognition of mobile is particularly important in light of last week's letter by Senator Al Franken (D-MN) to Google (maker of the Android) and Apple (maker of the iPhone and iPad) asking that all mobile apps for their devices provide "clear and understandable privacy policies.")


Commissioner Brill Introduces Competition Analysis to Privacy Debate

This post was written by Paul Bond and Chris Cwalina.

In her new article, "The Intersection of Consumer Protection and Competition in the New World of Privacy," Federal Trade Commissioner Julie Brill cautions that the pursuit of privacy may conflict with the pursuit of a competitive market. Commissioner Brill's article, published in the Spring Edition of Competition Policy International, notes that the Federal Trade Commission's role is to protect consumers from many types of market failures. The FTC strives to protect consumers from unfair and deceptive information collection and use practices. But, at the same time, the FTC protects consumers from collusive and other anti-competitive behaviors. Commissioner Brill identifies a potentially problematic range of privacy enhancements which could, paradoxically, harm consumers by stifling competition. In this position, Commissioner Brill goes further than the FTC's preliminary white paper, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers" (2010 Privacy Report).

For example, Commissioner Brill asserts that self-regulation to date has been "slow and inadequate". This mirrors criticisms in the 2010 Privacy Report. But Commissioner Brill goes on to posit that dominant companies can misuse privacy self-regulation to stifle market entry by new competitors. The Commissioner does not describe in any detail the manner in which such an anti-competitive plan would be carried out. Presumably, the cost in money or time of complying with the industry's self-regulation would prove prohibitive for fledgling businesses, while just a "cost of doing business" for better capitalized industry leaders. There may also be a concern that existing businesses, which already hold stockpiles of consumer information, would erect barriers to data collection which would affect new enterprises disproportionately.

Commissioner Brill also raises the competitive concern that privacy regulation not unfairly benefit new entrants. "Indeed," she recognizes, "some more established data brokers and other information firms believe it is much easier for their newer competitors to design privacy protections into their new business models and new forms of communications than it is to retrofit old systems to meet the realities of today's privacy concerns."

Until now, a strategic analysis of the competitive impact of privacy regulation has not been an FTC priority. Indeed, in her Article, Commissioner Brill notes that she writes only for herself, and is not reflecting the views of the Commission or the other Commissioners. Still, taken in conjunction with Commissioner Roach's recent opinion that the Google Buzz settlement may have been a strategic ploy by Google to create insurmountable regulatory barriers to entry, it is safe to say the FTC is increasingly wary of privacy regulation being misused for private ends. Advocates of self-regulation, as well as those seeking to advance or defeat governmental regulation, must be prepared to explain why their privacy regulation or self-regulation proposals are consistent with a vigorous free market. Advocates of industry self-regulation already know that the FTC has criticized efforts to date and here is another hurdle that must be addressed before self-regulation is deemed by the FTC to be robust enough and workable.

Given how extremely easy it is to transfer information as an asset between corporate forms, and from one area of the world to another, the prospect for strategic resistance to or abuse of privacy regulation by companies around the world is substantial. Commissioner Brill performs a service by injecting a note of economic realism into the ongoing debate about how information can and should be regulated in the 21st century.

China Announces State Internet Information Office

This post was written by Joseph I. Rosenbaum, Frederick H. Lah, Zack Dong and Amy S. Mushahwar.

On May 4, 2011, the Chinese government announced it was establishing the State Internet Information Office, an office dedicated to managing Internet information. According to the announcement, this office will be responsible for directing, coordinating, and supervising online content management. The office will also have enforcement authority over those in violation of China's laws and regulations (see, for example, China sets up office for Internet information management). While there are reports that many believe the purpose of the new office will be to censor political and social dissidents (see China Creates New Agency for Patrolling the Internet), the office may also have a key role in thwarting illegal spamming and other dubious data practices.

To read the complete blog post, click here.

Plain Vanilla or Rocky Road? - UK Tribunal ruling on release of anonymised data sure to court controversy

This post was written by Nick Tyler.

In a case involving the “extraordinary rendition and related issues” of individuals detained or captured by UK soldiers in Iraq and Afghanistan, the Upper Tribunal (Administrative Appeals Chamber) has taken what many will view as a practical and realistic approach to when personal data can be anonymised effectively and thereby fall outside the scope of the UK Data Protection Act 1998 (DPA), so enabling disclosure without constraint.

The Tribunal dismissed the concerns of both the data controller, the Ministry of Defence (MoD) and the UK’s data protection regulator, the Information Commissioner, about the extent to which the information requested could be appropriately redacted to ensure anonymisation while the MoD continued to hold the original source personal data, including identifying information.

The long-held view among European data protection regulators has been that anonymisation cannot be achieved unless the key to identification – almost always held by a data controller – is permanently destroyed. This ruling challenges that prevailing view.

The Tribunal took the view that careful redaction of the key information that would enable identification of any individual, can mean that data is not personal data and so falls outside the scope of the DPA.


Navigating international data privacy laws

Getting lost in international privacy law? Firm attorneys Cynthia O’Donoghue, Katharina A. Weimer and Amy Mushahwar recently wrote an article for Information Security Magazine on navigating international data privacy law. To see the article, please click here.

Does "Public" Privacy Exist?

This post was written by Mark Melodia, John Hines, and Frederick Lah.

Just how much privacy are we entitled to in public places, such as public highways and buses, classrooms, restaurants, or even on the Internet? While we expect to lose some sense of privacy when we move into public spaces, does this mean that we should be subject to being recorded (and subsequently publicized on a site like YouTube) anytime we are in public? Two recent cases involving the recording of police officers highlight the debate surrounding these questions.

Back in April 2010, motorcyclist Anthony Graber was charged with violating Maryland's wiretapping laws after he used a camera in his helmet to videotape a state trooper brandish his gun while stopping Graber for speeding. To see the YouTube Video, please click here. The Maryland court dismissed the charges, providing that "[i]n this rapid information technology era in which we live, it is hard to imagine that either an offender or an officer would have any reasonable expectation of privacy with regard to what is said between them in a traffic stop on a public highway."

Later, in March 2011, the ACLU, on behalf of Khaliah Fitchette, filed a complaint against the City of Newark, N.J. after Fitchette was handcuffed and detained for using her smart phone to record two police officers deal with a disorderly man on a bus. Fitchette was allegedly detained for two hours in the back of the squad car but no charges were filed against her. Fitchette's phone was seized by the police and the video was deleted. The complaint alleges violations of the Fourth Amendment and Fitchette's First Amendment right to record and disseminate the video. A decision has not yet been made on the case.


Rockefeller Introduces Do Not Track

And, Adds a Third Arena in the Senate for Privacy Discussions

This post was written by Judy Harris, Chris Cwalina, Amy Mushahwar & Mike Sacks.

On Monday, Senator Jay Rockefeller (D-WV) introduced a bill entitled, “Do-Not-Track Online Act of 2011,” that will kick off a dialogue over how and in what circumstances companies should be allowed to collect certain types of consumer information online. In the bill’s present form, it appears that most information collection would need to occur on an opt-in basis, which would be a significant departure from the current self-regulatory standard.

Sen. Rockefeller’s bill adds to the web of privacy activity in the Senate and is the third in a flurry of actions relevant Senate committees have recently taken to address privacy issues. In mid-April, Senators John Kerry and John McCain introduced their “Commercial Privacy Bill of Rights Act” into the Commerce Committee, where Kerry serves as the Chair of the Communications, Technology, and the Internet Subcommittee. On Tuesday, May 10, the Judiciary Committee’s Privacy Subcommittee held a hearing on mobile privacy, bringing in Apple and Google executives to testify. And, Sen. Rockefeller’s bill now joins the Kerry-McCain bill in the Senate Commerce Committee. 


'What Cookies Are In Your Jar?' - ICO's guidance on compliance with new EU cookie law leaves industry something to chew on (and few crumbs of comfort!)

This post was written by Cynthia O'Donoghue and Nick Tyler.

With two weeks to go until implementation of an EU-wide amendment to the law on cookies and consent, the UK’s data protection regulator, the ICO, has issued initial guidance on compliance. It proposes three actions that organisations can take to mitigate their potential exposure to enforcement action in the short-term. In the meantime, industry and the authorities are working on finding solutions to the most complex and challenging issues presented by the new law.

In our Client Alert we look more closely at what organisations need to be doing now to comply with this new EU-wide regime. Reed Smith's Legal Bytes blog also recently posted on the topic.

Rep. Markey Releases a Kids Do Not Track Discussion Draft Bill

This post was written by John Feldman and Amy Mushahwar.

Bill Adds to the Web of Proposed Privacy Legislation and Contains Much More Than Kids Do Not Track

Today, Rep. Ed Markey (D-Mass.) circulated a discussion draft of his kids online do-not-track bill, co-sponsored by Joe Barton (R-Tex.), that proposes to make it illegal to use kids' or teens' information for targeted marketing and to require parental consent for online tracking of that information. Both Congressmen co-chair the House Privacy Caucus, and their kids' privacy bill will join other more generally-applicable privacy legislation pending in the 112th Congress by Representatives Cliff Stearns (R-Fla.), Fred Upton (R-Mich.), Jackie Speier (D-Calif.) and Bobby Rush (D-Ill.) and Senators John Kerry (D-Mass.) and John McCain (R-Ariz.), with Senator Jay Rockefeller (D-W.Va.) promising to release a generally-applicable privacy bill containing Do Not Track provisions next week.

But, members of the privacy community were expecting this piece of proposed legislation. Markey had promised since late 2010 that the bill was coming. Specifically, the bill would update the Children's Online Privacy Protection Act of 1998 ("COPPA") provisions relating to the collection, use and disclosure of children's personal information. Further, it would establish protections for the personal information of teens, who were previously not addressed in COPPA at all.


Judge Rules IP Address Does Not Identify User

This post was written by Chris Cwalina, Paul Bond, and Frederick Lah.

In VPR Internationale v. Does 1-1017 (C.D. Ill.), Judge Baker opined that Internet Protocol ("IP") addresses do not -- by themselves -- qualify as personal information, capable of accurately identifying an individual. While this decision is a landmark ruling for the mass-BitTorrent lawsuits in that it may spell the end of the “pay-up-or-else-schemes”, it may have broader data privacy implications.

In VPR, plaintiff sought to sue over a thousand alleged copyright infringers. The plaintiff did not know the name of these Doe defendants. The plaintiff only knew the defendants by the IP address from which each defendant came. Plaintiff sought to subpoena the Internet Service Providers (ISPs) associated with each IP to learn the identity of each defendant. The court rejected this demand for expedited discovery.


Canadian Court Finds Reasonable Expectation of Privacy on Work Computers

This post was written by Paul Bond and Frederick Lah.

Standards for determining whether an employee has privacy rights with respect to an employer-issued communications device continue to develop. The analysis continues to be grounded in a detailed, fact-specific analysis of what the employee has been told, and permitted to do, by the employer. Recently, the Court of Appeals for Ontario found that a high school teacher had a reasonable expectation of privacy in personal information stored on his work computer based on the facts presented.

A high school teacher was issued a laptop by the school to take home and use on weekends for his exclusive personal use. In addition to keeping some personal files on the laptop -- which was protected by a password determined by the teacher -- the teacher allegedly possessed sexually explicit photos of a student at the high school where he was employed. When one of the school's computer technicians noticed an unusual volume of activity on the teacher's laptop, he investigated the teacher's computer as part of his duties and found the photos. Upon informing the school's principal of the photos, the school then handed the laptop over to the police who took a mirror image of the laptop's hard drive without obtaining a warrant. The officer believed that any data, including personal data, on the school's laptop belonged to the school. The teacher was arrested thereafter.


Reed Smith Attorney Talks McCain-Kerry Bill

Reed Smith Attorney Amy Mushahwar was recently interviewed by IT Business Edge on the McCain-Kerry Bill. According to Amy, "if enacted, the bill would expand the Federal Trade Commission’s jurisdiction to include telecommunications companies for privacy matters. Typically, telecom companies would not be within the FTC’s jurisdiction." To see the complete interview, please click here.

Eye on PCI-DSS Call Center Compliance

This post was written by John Hines and Amy Mushahwar.

Are you recording credit card magnetic stripe data, CAV2, CVC2, CID, CVV2 or PIN data?

Many businesses record telephone calls for a number of purposes, including regulatory compliance and customer service monitoring. For those companies that also take credit card payment information over the phone, please be advised that the PCI Security Standards Council issued a clarification regarding call center recordings that has generated a number of calls to our offices; it is excerpted below.

[i]t is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.

It is therefore prohibited to use any form of digital audio recording (using formats such as WAV, MP3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.

Where technology exists to prevent recording of these data elements, such technology should be enabled.

If these recordings cannot be data-mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call-recording formats.

This requirement does not supersede local or regional laws that may govern the retention of audio recordings.

Please see the full PCI Security Standards Council clarification.

New French law gives more publicity to CNIL sanctions

This post was written by Daniel Kadar.

A new French law, published on March 30, 2011, allows, among other things, the French Data Protection Authority, the CNIL, to give more publicity to sanctions it imposes.

Prior to this reform, the French data protection authority could only publicize its rulings on its website and on “Légifrance”, the French official website for law. Publication in other media was only possible when a data processor had been sanctioned for having acted in bad faith.

From now on, the CNIL is allowed to order the publication of pronounced sanctions in newspapers and other media, whether or not the data processor involved has acted in bad faith.

This reform took place only two weeks after the CNIL issued a €100,000 fine against Google in the Google Street View case.

At that time, given the absence of bad faith on Google’s part, the CNIL could only publish the sentence on its website and on “Légifrance”.

We believe this change will significantly increase publicity about the CNIL’s sanctions, thereby dissuading wrongdoing.

California Senator Proposes State "Do-Not-Track" Bill

This post was written by Kathyleen A. O’Brien.

On April 6, 2011, California State Senator Alan Lowenthal (D-Long Beach) introduced a version of “do-not-track” legislation in the form of SB 761. An initial hearing will be held by the California Senate Judiciary Committee on April 26.

The bill largely follows the current “do-not-track” framework being proposed by U.S. Rep. Jackie Speier (D-CA) and others in Congress. Many, including Sen. Lowenthal, see the California bill as a way to spur action on the national level. Although privacy is largely viewed as a bipartisan issue, Lowenthal is hoping that because the Democrats control the California governorship and legislature, the process of passing a “do-not-track” bill will be quicker and smoother on the state level. Interestingly, the effort is attracting at least some bipartisan support with Judiciary Committee member Sen. Tom Harman (R-Huntington Beach) expressing interest in tackling the issue of online tracking. Ultimately, passage of the bill would, once again, put California out in front on online consumer protection issues much like its “do-not-call” and data breach laws have in the past.

The bill requires the Attorney General, in consultation with the California Office of Privacy Protection, to adopt regulations that would require companies doing business in California that collect, use, or store online data regarding consumers to provide those consumers with a way to opt out of such practices. Additionally, the bill would grant the Attorney General power to impose regulations that may, among other things, require companies to provide consumers with access to their personal data, and a clear and easy to understand data retention and security policy. As a nod to the business community, the Attorney General would have the power to create exemptions for commonly accepted business practices.

Any company that willfully fails to comply with the adopted regulations would be liable to consumers in a civil action with statutory damages, which would range from $100 to $1,000. The proposed bill could include punitive damages also, as determined by the court, as well as costs and reasonable attorney’s fees.

Research for this post was conducted by Legal Intern Noah Cherry.

Much-Anticipated McCain-Kerry Privacy Bill Introduced

After months of deliberations, Senators McCain and Kerry introduced a comprehensive privacy bill entitled, the Commercial Privacy Bill of Rights Act of 2011 (the Act). Released in a press conference held by McCain and Kerry yesterday, the bill establishes a baseline framework for the privacy, security and management of personal information.

We have provided a summary of the bill’s definitions and key provisions (which contemplates five FTC rulemakings), all of which might change once the bill is debated within the Senate. To learn more, please see our recent client alert.

'The Four Pillars of Wisdom'? EU Commissioner's speech signals key areas for reform of EU privacy rights

This post was written by Cynthia O'Donoghue and Nick Tyler.

In a recent speech, Viviane Reding, the EU Commissioner with responsibility for European Union data protection policy, identified ‘four pillars’ upon which the privacy rights of EU citizens “need to be built” so that individuals have more control over their personal data in today’s online world.

Reforming EU data protection is Commissioner Reding’s “top legislative priority” and the new proposals are expected this summer.

The ‘four pillars’ are:

  • The right to be forgotten,
  • Transparency,
  • Privacy by default, and
  • Protection regardless of geographic location.

FTC and Google - Proposed Settlement Over "Buzz"

This post was written by Christopher G. Cwalina, Amy S. Mushahwar, and Frederick Lah.

Google, Inc. agreed to a proposed consent order over charges that it used deceptive tactics and violated its privacy promises to consumers when it launched its social network, Google Buzz. The Agency alleged in its Complaint that Google's information practices violated Section 5 of the FTC Act.

As background, in February 2010, Google launched Buzz, a social networking service within Gmail, its web-based email product. Google used the information of Gmail users, including first and last name and email contacts, to populate the social network. Gmail users were, in many instances, automatically set up with “followers” (people that followed the user or people that the user followed). According to the FTC's Complaint, even if a user did not enroll in Buzz, the user's information was shared in a number of ways (e.g., a user who did not enroll in Buzz could still be followed by other Gmail users who enrolled in Buzz). The FTC also alleges that the setup process for Gmail users who enrolled in Buzz did not adequately communicate that certain previously private information would be shared publicly by default. Further, the FTC alleges that certain personal information of Gmail users was shared without consumers' permission through Buzz (e.g., some information was searchable on the Internet and could be indexed by Internet search engines).


FTC Brings Enforcement Action against Text Messaging Spammer

This post was written by Kevin Xu and John Hines.

On February 22, 2011, the Federal Trade Commission (“FTC”) filed a complaint against Phillip A. Flora (“Flora”) for an operation that allegedly blasted consumers with millions of illegal spam text messages, including many messages that deceptively advertised a mortgage modification website called “Loanmod-gov.net.” The FTC is asking the court to shut down Flora’s operation and freeze his assets.

According to the FTC complaint, beginning on or about August 22, 2009, Flora transmitted or arranged for the transmission of at least 5 million spam text messages to random consumers. The text messages promoted products and services, including, but not limited to, loan modification programs and debt relief services. The text messages offered to help consumers obtain mortgage loan modifications and many of the messages state: “Homeowners, we can lower your mortgage payment by doing a Loan Modification. Late on payments OK. No equity OK. May we please give you a call? Loanmod-gov.net.” Consumers who visited this web address arrived at a website that touted itself as the “Official Home Loan Modification and Audit Assistance Information” beneath a picture of the U.S. flag. This website, although it included the term “gov” in its address, was not operated by or affiliated with any governmental entity. Additionally, Flora allegedly collected information from consumers who responded to text messages – even those asking him to stop sending messages – and sold their contact information to marketers claiming they were “debt settlement leads.”

The FTC charges that Flora violated Section 5(a) of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce, by sending unsolicited commercial text messages to consumers, and by misrepresenting that he was affiliated with a government agency. In addition, the FTC charges that Flora violated the CAN-SPAM Act by sending consumers spam text messages that failed to include a way for consumers to “opt out” of future messages and failed to include the physical mailing address of the sender, as required by the CAN-SPAM Act.

The outcome of this case, which we note is being brought by the FTC and not the FCC, may have a significant impact on consumer data privacy rights in the mobile communications sector, and may serve as a watershed case for consumers’ potential recourses in future privacy violation situations arising from mobile communications.

'Protection of Freedoms Bill' published - will 'common sense' prevail?

This post was written by Cynthia O'Donoghue and Nick Tyler.

Now that the UK Coalition Government has published its Protection of Freedoms Bill (the Bill) the big question is whether the proposed changes will achieve their objective “to restore the rights of individuals in the face of encroaching state power, in keeping with Britain’s tradition of freedom and fairness”.

Key aspects of the Bill will impact data protection and freedom of information:

Asian Data Privacy Update

This post was written by Cynthia O'Donoghue.

Asian countries continue to focus on developing their data protection legislation.

The Philippines Congress recently finished its second reading of House Bill 1554, which will introduce a unified and special law relating to data protection and privacy. Singapore, which already has some sectoral laws and a voluntary data protection model code, is now calling for the introduction of formal data protection legislation for parliamentary debate in early 2012.

The Philippines draft bill seeks to establish fair practices and regulate the collection, use and protection of individuals’ private information as well as to promote the development of its business process outsourcing industry. Under the Filipino bill, businesses and government agencies would have to obtain an individual’s unambiguous consent to collect and use their personal data. The bill also sets out data breach notification requirements to the regulator and to affected individuals when there is a real risk of serious harm, including breaches that may enable identity fraud. The proposed bill defines personal information quite broadly as “any data that can be used alone or in conjunction with other data to identify an individual”, and provides additional protections for sensitive personal information. Under the bill, a national Privacy Commission would be created that has the power to implement and enforce data protection legislation, including the authority to impose civil fines for certain violations and to refer suspected intentional violations to the Philippines Government’s Justice Department for investigation and potential imposition of criminal penalties of up to three years imprisonment.

SCOTUS: Corporations Do Not Have "Personal Privacy" under FOIA

This post was written by Paul Bond and Frederick Lah.

On Tuesday, the U.S. Supreme Court held that corporations do not have “personal privacy” under the Freedom of Information Act (“FOIA”). The decision comes just one year after the decision in Citizens United v. Federal Election Commission. In Citizens United, the Supreme Court, in a 5-4 opinion, ruled that a federal law banning corporations and unions from financing political spending was unconstitutional. Many critics of the decision felt that the Court was treating corporations as individual persons, with First Amendment free speech rights. Many of those same critics were concerned that the Court was going to take another step in that direction with the AT&T case.

Instead, the Supreme Court ended up ruling that corporations do not enjoy “personal privacy” under FOIA. Back in 2005, a trade association representing some of AT&T’s competitors submitted a FOIA request for information submitted by AT&T to the FCC during an investigation for alleged overbilling. Under FOIA, federal agencies are exempt from disclosing law enforcement records which could reasonably be expected to constitute an “unwarranted invasion of personal privacy.” While FOIA defines the term “person” to include corporations, it does not define the term “personal.” AT&T argued that it is a corporate citizen with "personal privacy" rights protected by the exemption and that it should therefore be protected from any disclosure that would embarrass it.

HHS Announces First Ever Civil Money Penalty for Violations of HIPAA Privacy Rule

This post was written by Gina Cavalier and Mark Melodia.

Earlier this week, Reed Smith's blog Life Sciences Legal Update posted that the Department of Health and Human Services' (HHS), Office for Civil Rights (OCR) announced the imposition of the first ever civil money penalty for violations of the HIPAA Privacy Rule.  To learn more about this significant development, please click here.

California Reins in Retail Marketing

This post was written by Joshua Marker.

Catalog and retail marketing in California just got a little bit trickier. No longer can retailers require that a customer provide a ZIP code to complete a credit card transaction, and this may impede the ability of many retailers to generate in-store marketing leads. On February 10, 2011, the California Supreme Court held that the Song-Beverly Credit Card Act (“the Act”) covers key components of an individual’s address as ‘personal identification information’ in a credit card transaction.

In that case, Pineda v. Williams-Sonoma Stores, Inc., No. S178241, Williams-Sonoma’s practice of collecting individuals’ ZIP codes when completing a credit card transaction was at issue. Williams-Sonoma collected these ZIP codes for credit card verification purposes and developed a retail marketing lead list from its in-store transactions. The California Supreme Court found that this practice violated Section 1747.08(a)(2) of the Act, as ZIP codes are ‘personal identification information’ covered by the Act, and the collection of that information was thus prohibited.

New ENISA Report on data breach notifications issued

This post was written by Cynthia O'Donoghue and Katalina Chin.

ENISA (the European Network and Information Security Agency) has issued a new report on data breach notifications. Having approached telecoms operators and data protection authorities (DPAs) on this topic, the report highlights data breach handling and key stakeholder concerns.

The revised e-Privacy Directive (2002/58/EC) brought in EU data breach notification requirements for the telecoms sector and the European Commission is considering the inclusion of the finance, healthcare and small business sectors. By requiring mandatory data breach notification to the national data protection authority, the Commission hopes to encourage organisations to increase the level of security afforded to personal data and to reassure citizens about the security of their personal data by telecom sector operators.

ICO's latest fines penalise theft of unencrypted laptops of 'lax' London Boroughs

This post was written by Nick Tyler.

In spite of impending cuts in the budgets of local government across the UK, it is notable that the national data protection regulator, the ICO, has seen fit to hit two London Borough Councils with hefty fines for ineffective data security policies and practice.

It is bordering on the incredible in this day and age that they should have issued unencrypted laptops to their home workers, but what probably amounted to the ‘last straw’ from the ICO’s point of view was that the councils failed to follow their own policies, which specifically required encryption. Two such laptops were stolen from an employee’s home.

Israel is welcomed to the ranks of EU-approved personal data destinations

This post was written by Nick Tyler.

The EU Commission has recently approved Israel as a country providing “an adequate level of protection for personal data transferred from the European Union”.

This follows a lengthy process which was nearly derailed, after Irish Government objections, following the assassination in Dubai last January of a Hamas official allegedly committed by agents of Mossad, Israel’s Secret Service, and associated allegations of identity theft involving the passports of Irish (as well as UK) citizens.

French data protection authority CNIL narrows the scope of whistle blowing hotlines

This post was written by Daniel Kadar.

The CNIL, the French data protection authority, has just published the conclusions of its deliberation of October 14, 2010 concerning its new approach to whistle-blowing hotlines.

Operating a whistle-blowing hotline in France is subject to notification to the CNIL, since personal data are collected and processed. This is a specific notification procedure, since running such a hotline is not considered part of Human Resources management.

ICO welcomes 'Freedom Bill' proposals to extend scope of Freedom of Information Act, increase ICO independence and introduce charges for regulatory services.

This post was written by Nick Tyler and Cynthia O'Donoghue.

Last week the UK Government announced a package of measures focused on extending the scope of the Freedom of Information Act (FOIA) and strengthening the independence of the UK’s data protection and freedom of information regulator, the Information Commissioner’s Office (ICO).

The anticipated Freedom Bill (to be published in February 2011) will include proposals to extend the scope of FOIA to a number of organisations for the first time. The Government announced the definite inclusion of the Financial Ombudsman Service and has proposed including The Advertising Standards Authority, The Panel on Takeovers and Mergers, The Law Society, Bar Council and other approved regulators under the Legal Services Act 2007, subject to consultation. The UK Government aims to strengthen FOIA provisions to ensure the public sector proactively releases data to allow businesses, non-profit organisations and others to re-use the information for social and commercial purposes.

Another aim of the Freedom Bill is to enhance the independence of the ICO (including a greater role for Parliamentary oversight) by enabling the regulator, for the first time, to independently set charges for certain services. Sections 51(8) of the Data Protection Act and 47(4) of FOIA provide the ICO with the power to set charges for its services.

Having lain dormant until now, these charging powers, including those under the Data Protection Act and the Privacy and Electronic Communications Regulations, are now expected to be activated, allowing the ICO to provide chargeable services for, among other things:

  • audits and assessments of data protection good practice; and
  • privacy impact assessments.

Further information about the UK Government’s announcement, and the positive reaction of the ICO, can be found in the following links:

German Data Protection Authorities Set Minimum Competency and Independence Requirements for Data Protection Officers

This post was written by Nick Tyler and Moritz Wagner.

The German data protection authorities (DPAs) have recently passed a resolution setting minimum requirements for the competency and independence of company data protection officers (DPOs).

This initiative follows inspections carried out within companies that revealed a generally insufficient level of competency among DPOs, as well as of data controllers’ organizational framework and resources for data protection compliance, in particular given the ever-increasing complexities of automated processing of personal data and the requirements of the Federal Data Protection Act.

The resolution should be read as a warning from the DPAs that companies must not view the appointment of a DPO as a mere formality, but must ensure that the DPO has sufficient competency and independence and is provided with the necessary support and resources to do his or her job effectively. The resolution also shows that DPAs will increasingly monitor compliance with these requirements.

We have published a Client Alert which provides more detail about the new requirements and the consequences of non-compliance.

European Commission Communication on personal data protection in the European Union - A seasonal wish-list for a harmonious future?

This post was written by Nick Tyler and Cynthia O'Donoghue.

With so much consultation activity going on in the United States on the future of privacy regulation and enforcement, initiated by the FTC and US Department of Commerce, we should not lose sight of parallel developments and consultation activity going on in Europe following a recent Communication from the European Commission.

Now seems to be an appropriate time of year to take stock and highlight the key themes of that Communication and what it might mean for clients as they look to address and/or progress their data privacy compliance programmes in the year(s) ahead. We have therefore published a Client Alert which takes a closer look at the emerging themes and what lies ahead in 2011.

Read the full Client Alert here.

Department of Commerce Privacy Green Paper -- Detailed Digest

This post was written by Amy Mushahwar.

As promised in our teleseminar last week, we have digested the Department of Commerce Privacy green paper, entitled, "Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework". The green paper will kick start an ongoing discussion of privacy and we encourage organizations to undertake some cost-benefit analysis now for the best outcome in 2011. Time is of the essence and comments to this green paper are due on January 28, 2011. To learn more about this important release, please read our recent client alert.

Privacy: A Washington Tale of Two Reports

This post was written by Mark Melodia, Judy Harris, Chris Cwalina, Paul Bond, and Amy Mushahwar.

We've been busy here in Washington with two seminal privacy reports released within a span of two weeks.  At Reed Smith, our interdisciplinary team of former government officials, former in-house attorneys, class action litigators and engineers (in the US and internationally) are reviewing the releases and providing prompt insights for your review.  Below, please find a link to the reports, our most recent digests and our aptly timed teleseminar that occurred on the very day that the Department of Commerce released its privacy green paper.

On December 1, 2010, the Federal Trade Commission issued its long-awaited 123-page preliminary report on privacy, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. The report is the most important and comprehensive guidance the FTC has ever issued in the privacy arena, and it has the potential to dramatically overhaul the way businesses think about privacy. More importantly, the document sets the stage, potentially, for a very different regulatory framework in Washington. For more detailed information on the FTC Report click here.  Comments are due on this report by January 31, 2011.

On December 16, 2010, the U.S. Department of Commerce issued its initial policy recommendation in a green paper, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework .  The Commerce green paper issued by the specially established Internet Task Force at the Department of Commerce lends another voice to the privacy debate and attempts to create a universal privacy baseline. While the report makes no recommendations to cover specific industry sectors that are addressed by existing privacy regulations, such as, healthcare, financial services and education, it is clear that the Department of Commerce would like to lead the regulatory agenda in the online privacy overhaul that is expected in 2011.  Check back here over the next few days for a more detailed look into the report.  Comments are due on this report by January 28, 2011. 

We addressed both reports in yesterday's teleseminar by privacy counsel Mark Melodia, Chris Cwalina, Paul Bond and Amy Mushahwar,  even though our team was still digesting the Commerce item that was released only hours before the teleseminar.  Our team described how the reports may apply to your business and provided a view from Washington regarding the complex regulatory and legislative road that may lie ahead for data privacy and cyber security issues. Feel free to listen to an audio recording of the event while watching the slide show.

Hamburg DPA Fines Bank €200,000 For Accessing Customer Data and Customer Profiling

This post was written by Thomas Fischl and Katharina A. Weimer.

On November 23, 2010, the data protection authority (the “DPA”) of the German federal state of Hamburg fined regional financial institution Hamburger Sparkasse AG (“Haspa”) €200,000 for illegally allowing its customer service representatives access to customers’ bank data, and for profiling its customers and also granting the representatives access to such profiles. The bank cooperated with the DPA and immediately discontinued the illegal practices.

From the end of 2005 until August 2010, Haspa allowed its self-employed, external customer service representatives access to customer bank data, often without having first obtained the customers’ consent. According to the DPA, the number of bank accounts accessed is not clear. The bank was aware of this practice through reviews of log files that detailed the representatives’ access.  

FTC Releases Privacy Report

This post was written by Paul Bond, Christopher G. Cwalina, Amy S. Mushahwar, and Frederick Lah.

On December 1, 2010 the FTC released its long-awaited Protecting Consumer Privacy in an Era of Rapid Change. This 123-page preliminary staff report proposes a sea change in US privacy law. The FTC is accepting comments on this report until January 31, 2011.

In the report, the FTC proposes a major change in the framework of US privacy law, stating bluntly that, "Industry must do better."

  • Notice-and-consent does not work, the FTC says. People do not read or understand privacy notices as now written. The Commission's view is that privacy policies have become "long" and "incomprehensible".
  • The report says that waiting for harm to come to consumers is also not an effective way to enforce privacy norms. Harm has traditionally meant economic or physical harm. Per the report, privacy harms include reputational harms and even the emotional harm of having one's information "out there," and/or "fear of being monitored". The FTC says the new framework must address and allay these anxieties; however, there is some disagreement among the Commissioners. Commissioner J. Thomas Rosch expressed in his concurrence that "the Commission could overstep its bounds" if it were to begin analyzing these more intangible harms when assessing consumer injury.
  • Industry self-regulation, per the report, is too little, too late and has failed to provide adequate and meaningful protection.

The report also challenges a number of assumptions in how we view data privacy and security.

  • The FTC casts severe doubt on claims that de-identified information need not be protected, citing multiple instances and methods by which personally identifiable information (“PII”) can be culled from data that does not include names (e.g., IP addresses or other unique identifiers). The distinction between PII and non-PII, the FTC concludes, is "of decreasing relevance". Consequently, the scope of the report is very broad and applies to "all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device."
  • The report purports to apply in the online and offline world and not just to companies that work directly with consumers.
  • The FTC suggests that consumers must be made aware of and consent to onward transfers of information to non-affiliates, regardless of the industry, universalizing consumer notice requirements that hitherto applied only to certain highly regulated industries (e.g., telecommunications, education, healthcare, financial services) or certain types of highly sensitive data (e.g., credit report information, bank account information).
  • The report distinguishes between "commonly accepted data practices" and all other data practices. Borrowing from GLBA and HIPAA, commonly accepted practices, like using data to aid law enforcement or in response to judicial process or to prevent fraud, would not require notice to or consent of consumers. All other data practices would require notice and consent, in a form easy to read and understand, ideally provided to the consumer at the point the consumer enters his or her personal data. Behavioral advertising and deep packet inspection are explicitly named as not "commonly accepted data practices". Also, the FTC suggests that opt-in consent be obtained prior to implementing any material changes to a company's privacy policy that would apply to data collected under a prior policy.
  • The report suggests that to promote a free and competitive market, the privacy practices of companies need to be more transparent to consumers and that companies provide consumers with "reasonable access" to their data.
  • Per the report, appropriate data retention periods should be a legal requirement. The report cites geolocation data as especially important to phase out.
  • The report also endorses a "Do Not Track" mechanism, understanding that such a mechanism would be far more complex than the National Do Not Call registry. The FTC supports either legislation or self-regulatory efforts to develop a system whereby a consumer could opt not to be "tracked." The FTC has expressed a distinction between "tracking" and "interest-based" advertising. And, in later discussions regarding the report, the FTC has stated that it will treat first-party advertising more favorably than third-party ad servers. The FTC has not decided on the technical mechanism for creating such a registry, but has proposed a browser-level solution that could be similar to the privacy plug-in on the Firefox browser or incognito mode in Google Chrome. The FTC has not expressed whether opt-in or opt-out would be the default browser setting for any browser privacy plug-ins/modes developed.

So what should businesses do?

First, companies should carefully review the report and the 50+ questions open for public comment posed in Appendix A (there are also additional questions posed in the Commissioner dissent statements).

Second, companies should strongly consider commenting on the report. In our experience, the FTC will listen to and often address business concerns, but they must be heard. Trade associations may be a good place to start but also consider unique issues that your company may face that should be addressed.

Third, now is a good time for companies to pull back and consider their privacy programs and the extent to which they incorporate privacy into their everyday business practices. The report suggests that every company should adopt "privacy by design," "building privacy protections into everyday business practices," "assigning personnel to oversee privacy issues, training employees on privacy issues, and conducting privacy reviews when developing new products and services".

The FTC's full report is available here.

What price a lost laptop or misdialled fax? Now we know as UK regulator issues first fines.

This post was written by Cynthia O’Donoghue and Nick Tyler.

The UK data protection regulator, the Information Commissioner’s Office (ICO), announced today the imposition of monetary penalties against two organisations for serious breaches of the Data Protection Act. This is the first time the ICO has used its new enforcement powers since they came into effect in April this year.

The monetary penalties signal a step-change in the UK data protection regulator’s approach to enforcement and will see the heat turned up now for those that fall foul of the law through poor, negligent or non-existent personal information handling practices.

Privacy & Data Security Bills After the Midterm Elections

This post was written by Judith L. Harris, Christopher G. Cwalina and Amy S. Mushahwar.

The midterm elections will likely result in a shift of political power within the House of Representatives. The resultant divided government is likely to impact the present ambitious privacy and data security legislative agenda. Reed Smith Washington D.C. Data Privacy, Security and Management attorneys Judith Harris, Christopher Cwalina, and Amy Mushahwar have published an analysis of their predictions for 2011 legislative priorities as the incoming crop of legislators move from campaign mode to governance. Please see their article in Information Security here.

From World Cup Winners to Adequate Level of Data Protection - Uruguay Set to Join Another Exclusive Club!

This post was written by Cynthia O’Donoghue and Nick Tyler.

Having hosted and won the very first ‘soccer’ World Cup in 1930, and then having won it again twenty years later, Uruguay belongs to a very exclusive band of multiple-World Cup winning countries. Having reached the semi-finals of this year’s tournament (for the fifth time in total), this relatively small South American republic has a proud and enviable record as one of the most successful footballing nations.

This year is fast proving to be significant for Uruguay for more serious reasons than national sporting prowess (more serious that is if you do not subscribe to the philosophy of Liverpool FC’s legendary manager, Bill Shankly: “Some people think football is a matter of life and death. I assure you, it's much more serious than that.”)

On 12 October the Article 29 Working Party of European data protection regulators issued an opinion approving Uruguay’s admission into another exclusive club—the list of countries that provide an ‘adequate level of protection’ within the meaning of Article 25(6) of European Data Protection Directive 95/46/EC.  The Article 29 Working Party’s opinion was issued after a two-year review process and is a pre-requisite to approval by the European Commission. Barring any unforeseen political hitches, as befell Israel’s bid for ‘adequacy’ earlier this year, such approval should follow.

Some background points to note about Uruguay’s data protection regime:

  • The relevant legislation consists of:
    • Law No. 18.331 of 11 August 2008, on the Protection of Personal Data and “Habeas Data” Action (abbreviated as LPDP in Spanish); and
    • Regulating Decree of 31 August 2009, developing LPDP (DPDP).
  • LPDP is comprehensive in its scope and reach, covering all sectors of activity.
  • The independent supervisory authority is called the Unit for Regulation and Control of Personal Data (URCDP in Spanish).
  • Together with the Unit for Access to Public Information (UAIP) URCDP forms the Agency for the Development of Electronic Government and the Knowledge-Based Society (AGESIC in Spanish).
  • URCDP operates a permanent register of databases.
  • URCDP has power to impose sanctions ranging from a warning and a fine to suspension of any database.
  • Article 8 of DPDP contains data breach notification requirements.
  • Article 15 of LPDP provides a right of correction to “every natural or legal person”.
  • In the case of any denial of the rights of subject access and correction, Article 38 of LPDP provides for an action or writ of habeas data, also exercisable on behalf of deceased persons.

The concept of Habeas data does feature in a number of other Latin American countries’ constitutions but, unlike those of Argentina and, imminently, Uruguay, these have not achieved the vaunted status of EU-approved ‘adequate’ data protection regimes.

The UK Regulator's 'Wish List' for a New EU Data Protection Directive Highlights the Challenges Ahead

This post was written by Cynthia O’Donoghue and Nick Tyler.

The Information Commissioner’s Office (ICO), the UK data protection regulator, has recently responded to the UK Government’s Call for Evidence on the current data protection legislative framework. The Ministry of Justice sought evidence about how the European Data Protection Directive 95/46/EC and the Data Protection Act 1998 are working, and their impact on individuals and organisations. The Call for Evidence, which closed on 6 October, seeks to inform the UK negotiation position for a new EU data protection instrument, expected to start in early 2011.

In its response, the ICO asserts that the data protection principles are “sound and should be maintained”, although it acknowledges that changes are needed. The ICO listed key ‘must-haves’ for “an effective new data protection framework”:

  • A “much clearer” definition of personal data “more relevant to modern technologies and…practical realities” capable of recognising the many different levels of “identifiability”, and in turn protection, which technology can provide;
  • A “more flexible and contextual” concept of sensitive personal data, with financial and geo-location data being examples of non-sensitive data that warrant increased vigilance and protection;
  • A revisit of the definitions of processor and controller and a more collective form of responsibility that deals “more realistically with the collaborative nature of modern business and service delivery”;
  • A consistent approach to transparency and consent in Europe, as the two concepts are not interchangeable, in meaning or legal effect;
  • A new requirement of accountability (see also our recent Client Alert) to “reinforce the responsibility of data controllers”, which can be scaled to an organisation’s size and the risks of their processing of personal data;
  • Significant changes to international data transfers to “deal more realistically with current and future international data flows” by focusing on the exporting data controller’s risk assessment and responsibilities, regardless of location, as well as on assessing ‘adequacy’ based on the specific circumstances and method of transfer as opposed to whether or not a country is designated as ‘adequate’;
  • An explicit privacy by design requirement that ensures the building-in of data protection compliance measures at each stage of the information lifecycle as opposed to bolting-on remedial measures.

The ICO’s response is typically pragmatic and builds on several earlier contributions made over the last 18 months. Read together they provide a consistent and compelling case for change (see also, for example, “Making European data protection law fit for the 21st century”).

Connecticut's Muscular New Vision for Government Oversight of Data Security Breach Notifications

This post was written by Diane Bettino and Paul Bond.

Nearly every state in the U.S. has a statute requiring notifications upon discovery of a data security breach. Most of these laws do not mandate notification to any state authority. Those few state laws that compel governmental notice are usually satisfied with contemporaneous notice, or notice after the fact.

That all may change, at least for entities licensed or directly regulated by state agencies.  The State of Connecticut’s Department of Insurance has issued a bulletin, Bulletin IC-25.

Bulletin IC-25 envisions a much more active government role whenever a company licensed or regulated by the Department has an “information security incident”.  This Bulletin applies to a variety of regulated entities, from insurers to appraisers, from bail bond agents to pharmacy benefit managers to medical discount plans.

The Bulletin requires that the business send notice of an “information security incident” no later than five calendar days after the incident is identified.  As businesses who have suffered from data security breaches know, it will often take more than five calendar days to know even the basics about a potential incident.

This lightning-quick notification to the Department should include as much as possible about 15 categories of information, including the results of internal reviews and copies of the business’s privacy policies and data breach policies.  If regulated companies did not have adequate incentive to have such policies in place before, they surely do now.

“The Department will want to review, in draft form, any communications proposed to be made” regarding the breach.  Additionally, “depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time” (emphasis added).  Businesses used to drafting their own communications and selecting their own remedies to offer will now be negotiating those points post-breach with a government agency.

In addition, the Department will set up a “monitoring process,” unique to each incident, to keep abreast of “activities associated with any information security incident”.

It remains to be seen whether other state regulatory agencies adopt a similar approach.  However, for those who fall under the ambit of this Bulletin, it represents a sea change in the allocation of authority between government and business in the period between breach and notification.

Federal Court in NY Says EU Documents Containing Personal Information are Off Limits in Class Action Litigation

This post was written by Kevin Xu and John L. Hines, Jr.

U.S. courts often disregard foreign data privacy laws in the context of discovery. Litigants sometimes find themselves compelled to produce under U.S. law what they are forbidden to produce under the privacy laws of another country. However, a recent U.S. court decision indicates increasing sensitivity to the privacy expectations of persons abroad.

On August 27, 2010, in connection with In re Payment Card Interchange Fee and Merchant Discount Antitrust Litigation, the court ruled that some data collected and processed in the EU would have been unlawful to transfer to the United States under the EU Privacy Directive, and thus, should not be subject to production in U.S. litigation.


Article 29 Working Party Opinion 3/2010 on the Principle of Accountability: 'Made to Measure' Data Privacy Compliance for the Proactive?

This post was written by Cynthia O'Donoghue and Nick Tyler.

On July 13, 2010, the influential Article 29 Working Party ("Working Party"), consisting of all the European Union's national data privacy regulators, adopted Opinion 3/2010 on the principle of accountability (the "Opinion").

This is an important contribution to the European Commission's review of the European Data Protection Directive 95/46/EC (Data Protection Directive), a draft of which had been expected later this year, but is now expected some time in late 2011. In essence, the Opinion builds on good practice in the area of global regulatory compliance, advocating the introduction of a "principle of accountability" in the revised Data Protection Directive that "would explicitly require data controllers to implement appropriate and effective measures to put into effect the principles and obligations of the [Data Protection] Directive and demonstrate this on request." The Working Party objective is to "encourage data protection in practice" by requiring data controllers to take a strategic, risk-based approach when determining effective and appropriate measures based on the nature of the personal information being processed and the risks represented by such processing.

It is going to be several years before any revised Data Protection Directive is agreed and in force throughout Europe. In the meantime, organisations are encouraged to follow the lead of an increasing number of data controllers who are taking responsibility for their data privacy obligations through the adoption of robust data privacy compliance programs. In so doing, they are holding themselves accountable to their stakeholders, including data protection authorities and data subjects, for that commitment to good practice.

The Working Party suggests that not only are such organisations more likely to be in compliance with the law, but, in the event of a data protection violation, data protection authorities also "could give weight to the implementation (or lack of it) of measures and their verification in considering sanctions."

The Opinion is an important output of the Working Party and provides a clear indication of how the European data protection authorities view the real-world challenges facing data controllers.


Indian Government discussing BlackBerry ban: "security more important than privacy"

This post was written by Cynthia O'Donoghue, Katalina Chin and Katharina Weimer.

A few days following the concession made by BlackBerry manufacturers, Research in Motion (RIM), to provide Indian security agencies access to their encrypted data, India’s Home Minister P. Chidambaram held “security to be more important than privacy”.

Security concerns in India have certainly risen following the terror attack on Mumbai in November 2008, the worsening violence in the disputed region of Kashmir and a rising Maoist insurgency in a mineral-rich territory of the East. Such concerns are no doubt inflamed by the fact that attacks are often coordinated using mobile phones, satellite phones and voice over internet calls. These mounting fears over terrorism have led the Indian Government to demand from their first target, RIM, full access to the encrypted data of BlackBerry users in India.

Canadian company RIM refused this request on technical grounds, arguing that it would be impossible to provide the information. However, knowing that RIM provides such data to other countries, the Indian Government stood firm on its demand: then why not India? While the consumer service offered by RIM, BlackBerry Internet Service (BIS), uses RIM's own servers for communication, RIM maintained that it is not possible for it to access the business service, BlackBerry Enterprise Service (BES). Indeed, the level of privacy afforded to RIM’s corporate customers is a strong selling point, and providing governments with access to email communications for surveillance purposes has the potential to breach a fundamental principle of RIM's business approach: customers' trust in the confidentiality of their communications.

Following RIM's refusal to grant access, the Indian Government issued an ultimatum: if RIM did not grant full access to all data (encrypted or not), India would block the smart phone manufacturer's mail service entirely. Fearing this ban on its business in India, one of the fastest growing smart phone markets in the world, RIM conceded to the Indian Government's requests and made several suggestions to resolve the issue of providing access to its data. The decision by Nokia, RIM’s main competitor in the region, to set up servers in India to facilitate government monitoring may well have weakened any bargaining position RIM had hoped to rely on.

The measures to be adopted by RIM have yet to be made public, but the proposals are seemingly sufficient for the Indian Government to grant a two-month grace period to evaluate RIM’s suggestions. While the reprieve offers BlackBerry users in India some breathing space, it is unclear whether RIM will be in a position to satisfy both the Indian Government's interest in security and surveillance and its customers' interest in ensuring the privacy of their communications. India’s Home Secretary is due to meet officials from the Department of Telecommunications, the Intelligence Bureau and the National Technical Research Organisation on Monday the 6th of September to discuss BlackBerry security issues.

In light of this development and the Indian Government’s priority on national security over privacy, there is likely to be mounting fear amongst similar online communications companies that they may be the next target and have to provide access to encrypted data transmitted online. RIM has faced similar issues in other countries, including Saudi Arabia, the United Arab Emirates, Lebanon and Indonesia. 

What kind of animal is your PET? Report on Privacy Enhancing Technologies ("PETs") released by European Commission

This post was written by Cynthia O'Donoghue and Katalina Chin.

The European Commission DG Justice, Freedom and Security commissioned London Economics, one of Europe's leading specialist economics and policy consultancies, to undertake a study and report on the economic benefits of Privacy Enhancing Technologies ("PETs") for organisations and institutions using and holding personal data in selected European member states.

But what are PETs?  The term covers a set of computer tools, applications and mechanisms, including procedures and management systems, which aim to protect the privacy of personal data by eliminating, anonymising or minimising personal data in order to prevent unnecessary or unwanted processing of it.  Features can include, for example, allowing an individual to choose their degree of anonymity, to inspect, correct and delete any of their personal data, and to track the use of their personal data; they may also include a consent mechanism that operates before personal data is provided to online service providers.  The report emphasises that "data minimisation and consent mechanisms are an important part of PETs, and PETs often combine these elements with data protection tools into an integrated privacy system".

The report highlights that "the rights [set out in Article 8 of the Charter of Fundamental Rights of the European Union which deals with an individual’s rights to the protection of personal data] form the basis of the legal framework in which PETs are deployed" and should have at their core the objective of transparency, proportionality and data minimisation.

The report explains how it is difficult to quantify the wider economic benefits of a data controller using PETs to protect an individual’s personal data, and how the evidence has shown that the benefits can only be assessed on a case-by-case basis.  If anything, the study found little evidence to show that the demand by individuals for greater privacy is driving PETs deployment, and suggests that this is in part due to “the uncertainties surrounding the risk of disclosure of personal data, a lack of knowledge about PETs, and behavioural biases that prevent individuals from acting in accordance with their stated preference for greater privacy”.

The fact of the matter is, as the report makes very clear, that data controllers can derive a variety of benefits from holding and using personal data (including the personalisation of goods and services, data mining, etc.) and to the extent that PETs limit the ability of data controllers to use personal data, this will clearly act as a disincentive in the exploitation of PETs. The report highlights that, “data controllers often favour mere data protection to protect themselves against the adverse consequences of data loss over data minimisation or consent mechanisms which can impede the use of personal data”.  Evidence considered in the study suggests that there is a role for the public sector in helping data controllers realise the benefits of PETs, such as “official endorsements of PETs, including through pioneering deployment and official certification schemes, and direct support for the development of PETs, through subsidies to researchers (e.g. the European Framework Programmes)".

As the heat in data privacy issues continues to rise, with increased powers of regulatory authorities, tougher sanctions being imposed and a greater emphasis in Europe’s legislation on security management, it is clear that privacy by design will be the most effective method of compliance.

FCC Seeks Comments on a Cybersecurity Roadmap

This post was written by Chris Cwalina, Judy Harris and Amy Mushahwar.

Securing information technology infrastructure has become a prominent focus of the Obama administration and the subject of several bills percolating on Capitol Hill. In step with these efforts, on Monday, August 9, 2010, the Federal Communications Commission ("FCC") requested public comment on its proposal to expand its role in protecting private networks from cybersecurity attacks through creation of a cybersecurity roadmap.

The concept of establishing a cybersecurity roadmap was initially laid out in the National Broadband Plan, which the FCC presented to Congress in March of this year. The proposed roadmap would identify the five most critical cybersecurity threats to the communications infrastructure and to end users. It would also establish a two-year plan (with milestones) for the FCC to address these threats. 

By means of this roadmap, the FCC would like to demonstrate leadership and provide a clear vision on cybersecurity priorities.  Presently, various parts of the federal government -- from the Justice Department to the Defense Department -- share responsibility for thwarting private cyberattacks.  The Government Accountability Office ("GAO") has intimated that the present structure of federal cybersecurity coordination leaves much to be desired.  In a recent report, the GAO stated, “[f]ederal agencies have not demonstrated an ability to coordinate their activities and project clear policies on a consistent basis[.]”

The FCC is using its Section 706 deployment authority as a basis for acting to fill the perceived leadership void, stating that if cyberattacks create a lack of consumer confidence in the Internet, there may be a decreased demand for broadband services. The FCC's concern is buttressed by the fact that online hackers are showing increasing sophistication. For example, in malware (software written to carry out attacks) alone, there have been three generations of common hacks, each upping the ante in terms of network damage.

  • Generation 1: consisted of viruses that were spread across the network through e-mail and file sharing methods that required human "touch" to trigger replication (examples of this generation include LoveLetter, Fizzer, and Melissa).
  • Generation 2: consisted of worms that exploited operating systems or application vulnerabilities using an automated script (an example of this generation includes the now infamous Anna Kournikova virus).
  • Generation 3: has been the most detrimental to networks and has consisted of a combination of elements (for example, viruses, Trojan horses, and automation) to uniquely exploit networks (examples of this generation include Blaster, SQL Slammer, Slapper, Sasser, and Witty worms).

Comments are encouraged from all relevant stakeholders (applications developers, ISPs, e-commerce site owners, device manufacturers). Because this is a newer foray of the FCC, comments are encouraged even by those who are not usual suspects before the Commission. Those companies interested in this proceeding should act quickly as comments are due to the FCC on September 23, 2010.

Privacy Advocates Raise Concerns Over RFID

This post was written by Frederick Lah.

Wal-Mart's decision to put radio-frequency identification (RFID) tags on individual clothing has bothered some privacy advocates. Previously only used by the company in its warehouses, Wal-Mart is expanding its use of the tags with the aim of reducing loss and ensuring shelves are optimally stocked. Further down the road, a full implementation of RFID could potentially do away with checkout lines as the sale of RFID-enabled products can be completed with one quick scan of all items in the cart.

The privacy concerns with RFID technology are nothing new but have been elevated now that the technology is entering customer households. RFID tags store unique numerical identification codes that can be scanned, and potentially tracked, from a distance. Though the tags can be removed, they cannot be turned off. Privacy advocates are worried that the expanded use of the technology would allow retailers to track the in-store movements of customers carrying driver's licenses that contain RFID technology (e.g., Michigan, New York, and Washington). The concern is that retailers could scan data from such licenses and the customer's purchases, combine that information with other personal data, and then be able to identify the person the next time they enter the store. There are also worries that unscrupulous marketers would be able to drive by customers' homes and scan their garbage to learn about their buying habits. Wal-Mart insists that the tag doesn't collect customer information and that it is using the technology strictly to manage inventory. Wal-Mart also plans to educate consumers about the new implementation through in-store videos and signs posted in its stores.

According to the Wall Street Journal, Wal-Mart's broad adoption of the tags is the largest in the world. With Wal-Mart being one of the most influential retailers in the world, a successful implementation of the technology could lead to other merchants following its lead. Several other retailers including J.C. Penney and Bloomingdale's have already begun experimenting with electronic tags and numerous European retailers have embraced the technology as well. Those clients interested in using RFID tags should consider both the benefits and privacy risks before implementing the technology.

Consumer Privacy Issues Abound in the Dodd-Frank Wall Street Reform and Consumer Protection Act

This post was written by Chris Cwalina, Mark Melodia and Amy Mushahwar.

With President Obama scheduled to sign the Dodd-Frank Wall Street Reform and Consumer Protection Act this week, the financial services industry faces a rapidly changing regulatory environment.  While a great deal of attention has been paid to the significant restructuring of the financial services regulatory regime, little focus has been placed on the proposed changes to the oversight of consumer privacy issues, data security and data stewardship. These issues may not only affect banks, but all types of businesses servicing the financial industry as well.


Article 29 Working Party Opinion 2/2010 on Online Behavioural Advertising: Who Wants Cookies?

This post was written by Cynthia O'Donoghue and Nick Tyler.

On June 22, 2010, the influential Article 29 Working Party ("Working Party"), consisting of all the European Union's national data privacy regulators, adopted Opinion 2/2010 on online behavioural advertising (the "Opinion").

In what is being widely viewed as a significant challenge to the future of digital advertising, the Working Party has made it clear that national implementation of amended Directive 2002/58/EC (the "ePrivacy Directive") will require a complete overhaul of existing technology and practice, including currently available browsers and opt-out mechanisms, to achieve the level of informed consent from users that they say the law requires.


German data-protection authorities decide on requirement to review Safe Harbor self-certification of U.S. data importers by the exporter

This post was written by Cynthia O'Donoghue and Katharina Weimer.

In 2000, the European Union and the U.S. Department of Commerce agreed to the Safe Harbor framework that includes principles governing the protection of personal data transferred to a U.S.-based company that self-certifies compliance to the Safe Harbor Principles. Compliance with the Principles is deemed by the EU to provide an adequate level of protection for the processing of personal data.  Transfers of personal data outside the European Economic Area are prohibited unless adequate measures to protect the data are implemented, and the Safe Harbor framework is one method ensuring adequate protection for transfers of personal data from the EU to the United States.  The Department of Commerce publishes a list on the Internet of all companies that have self-certified as Safe Harbor, including information on the status of the certification and on the type of personal data covered by the certification.


Mexico's Senate Passes Federal Law for Protection of Personal Data

This post was written by Mark Melodia, Cynthia O'Donoghue, and Anthony Traymore.

On April 27, 2010, the Mexican Senate passed Ley Federal de Protección de Datos Personales en Posesión de los Particulares (the Federal Law for Protection of Personal Data (FLPPA)). President Felipe Calderon is expected to sign the FLPPA into law soon, and thereafter the FLPPA will be published and its regulatory provisions enacted. The objective of the FLPPA is to provide regulatory mechanisms for the newly established replacement agency, Instituto Federal de Acceso a la Información y Protección de Datos (the Federal Institute of Information Access and Data Protection (FIIADP)), to enforce the FLPPA in relation to any individual or entity engaging in the collection, storage and/or transfer of personal data.


Toward Reinforcement of the Applicable Legislation on Data Protection in France: The New Bill On Privacy

This post was written by Cynthia O'Donoghue and Daniel Kadar.

A bill "intended to better guarantee the right to privacy in the digital age" was adopted by a large majority of the French Senate on March 23, 2010, and immediately transmitted to the French National Assembly for review.

The first objective of the bill is to educate students about the use and exposure of personal information on the Internet, notably through social media. Beyond that, the bill is principally aimed at significantly reinforcing the obligations of data processors and at increasing the powers of the French data protection agency, the CNIL.
