Massachusetts Data Protection Regulations: March 1, 2012 Deadline for Service Provider Contracts

This post was written by John L. Hines, Jr., Paul Bond, Amy S. Mushahwar and Frederick Lah.

The Massachusetts Data Protection Regulations, 201 C.M.R. 17.00 ("Massachusetts Regulations"), establish minimum standards to be met in connection with safeguarding the personal information of Massachusetts residents. Personal information is defined as a resident's first name and last name, or first initial and last name, in combination with the resident's Social Security number, driver's license number or state ID card number, or financial account number (including a credit or debit card number).

Under the Massachusetts Regulations, companies that own or license personal information must "oversee" service providers by requiring them by contract to "implement and maintain such appropriate security measures for personal information." See 201 C.M.R. 17.03(2)(f). The Massachusetts Regulations provide a grandfather clause that deems any contract with a service provider entered into before March 1, 2010 to be in compliance, even if it does not have provisions related to adequate data security. This clause, though, expires March 1, 2012, which is quickly approaching. From that date forward, all contracts with service providers must be in compliance with the provision.

All companies—whether the owner/licensor of the information overseeing the service provider, or the service provider (who would also likely be considered a licensor)—need to ensure that any contract (new or existing) touching personal information contains a provision to implement and maintain appropriate safeguards. Such a representation should be accompanied with the requisite due diligence to ensure accuracy and the right to review/audit future compliance.

Contractual modification may prove to be harder for some companies, particularly those operating under medium- or long-term contracts that do not require a service provider to do all the things the Massachusetts Regulations require. In this situation, good faith and cooperation may not always work. Still, you may be able to rely on contractual clauses requiring compliance with law to effectuate change. At the very least, you should communicate (and document) your expectation of compliance to the service providers.

Markey Releases Discussion Draft of the Mobile Device Privacy Act

This post was written by Amy S. Mushahwar.

Today, in response to the controversy surrounding cellphone tracking software from Carrier IQ, U.S. Representative Edward Markey (D-MA) released a draft of a cellphone privacy bill.

As background, the Carrier IQ software first made headlines in November, when a researcher posted a YouTube video claiming to show that the Carrier IQ software records users' every keystroke, including the websites they visit, the contents of their text messages and their location. Carrier IQ, a California-based software company, says its software is installed on 140 million phones, but that it does not track keystrokes or users' locations. Carrier IQ now faces a federal investigation and multiple lawsuits on this matter.

The Markey legislation aims to remedy the perceived privacy deficiencies. In its present form, the Markey discussion draft would require companies to:

  • Disclose any mobile tracking software when a consumer buys a device (or after sale if it is later installed by a carrier or placed within a mobile application downloaded).
  • Notify consumers what information may be collected, any third parties to which the information would be disclosed and how such information will be used.
  • Obtain express consent before the tracking software collects or transmits information.
  • Require any third party receiving collected personal information to have policies in place to secure the information.
  • Require any such third parties to prepare and file their agreements concerning the collected information with the Federal Trade Commission (FTC) and Federal Communications Commission (FCC).

Additionally, the legislation contemplates outlining an enforcement regime for the FTC and FCC, along with State Attorney General enforcement and a private right of action. Representative Markey is the co-chair of the Bi-Partisan Congressional Privacy Caucus, and he has previously investigated the privacy and data security practices of Google, Apple, Facebook, Amazon, and others.

EU Commission sends draft EU General Data Protection Regulation and Directive on Criminal Investigations and Judicial Proceedings to the European Parliament

This post was written by Cynthia O'Donoghue and Nick Tyler

The European Commission today completed its task of reforming the EU Data Protection Directive by sending a draft Regulation to the European Parliament. The draft Regulation contains comprehensive reforms and seeks to harmonise data protection laws across the 27 EU Member States, and to enhance EU citizens' privacy protections in the age of the Internet.

There will be two tiers of compliance obligations and sanctions, with one aimed at small- to medium-sized enterprises and the other at large, multinational organizations. SMEs are entitled to certain exemptions to ease administrative burdens, such as no requirement to appoint a data protection officer and a sanctions cap of up to €1 million. Multinationals with more than 250 employees in the EU will have to appoint a data protection officer and may face sanctions of up to 2 percent of worldwide annual turnover for serious breaches. Multinationals outside the EU will also have to comply with the data protection rules if they seek to market products and services to the EU citizens.

Key provisions include:

A single notification to the data protection authority in the country where an organization has its principal establishment. There remains an obligation to notify and seek prior authorization for a range of processing activity considered to present specific risks, such as systematic and extensive profiling and large-scale video surveillance.

Accountability principle for those processing personal data, including impact assessments for SMEs and top-down accountability for all organisations.

Data breach notification to the national data protection authority if feasible within 24 hours, and to individuals if there is a risk of harm.

Increased control by individuals over their data, including a requirement to seek their explicit consent before data may be processed rather than consent being assumed, and their ability to refer matters to the data protection authority in their own country even if the data is processed by a company based outside the EU.

Data Portability will mean that individuals will have easier access to their own data and be able to transfer it from one service provider to another more easily.

A right to be forgotten allows individuals, including children, the ability to delete their data if an organization does not have any legitimate grounds for retaining it. The right provides exemptions for legitimate historic data such as newspaper archives, and seeks to balance the right to privacy with the right to free speech.

The sanction regime has at least been watered down from the draft Regulation circulated in November 2011, which had proposed sanctions of up to 5 percent of worldwide annual turnover.

There have been some ‘business-friendly’ changes to the draft Regulation as compared with the earlier November draft. The proposal for an opt-in for commercial marketing has been substituted with an opt-out, and the provisions relating to children’s privacy now require parental consent for children under the age of 13, rather than 18.
In addition, while there is an emphasis on binding corporate rules for international data transfers outside of the EU, contractual clauses, EU standard contracts, and findings of adequacy, as well as international commitments by countries or international organizations such as U.S. Safe Harbor, will still apply. Given the changes contemplated under the draft Regulation, existing international data transfer mechanisms may need to be reviewed and amended if the draft Regulation is adopted.
The new European Data Protection Board will no longer act as a supernational regulator in relation to approving enforcement actions and sanctions as proposed in the November version of the draft Regulation. Instead, its powers will be limited to ensuring consistent application of the Regulation without the power to overrule decisions in individual cases.
The Commission's proposed draft Regulation and accompanying Directive now goes to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. The Regulation will only take effect two years after adoption by the European Parliament, and we would expect further changes as it makes its way through the legislative process. That means any changes are probably close to three years down the road.

When might a private email account become 'public property'? Freedom of information guidance may lead to erosion of privacy for employees

This post was written by Cynthia O'Donoghue and Nick Tyler.

There will always be a tension implicit in the relationship between freedom of information and data protection laws. In the United Kingdom this is usually alleviated by the fact that both are regulated by the same person/body, the Information Commissioner’s Office (ICO). However, recently published ICO guidance, aimed at public authorities under the Freedom of Information Act 2000 (FOIA), could provide an arguable basis for allowing private sector organisations to search their employees’ private email accounts for work-related communications or company business to respond to subject access requests made under the Data Protection Act 1998 (DPA) or other legitimate requests, such as e-discovery/disclosure.

The ICO guidance [1] was prompted by reports of government ministers, elected representatives and/or public sector officials using their non-work personal email accounts (e.g. Hotmail, Yahoo and Gmail) for work-related communications and official business. Concerns that this may have been done in a deliberate attempt to circumvent the FOIA regime prompted the regulator to act. The ICO guidance makes it clear that information held in such accounts and relating to official business of a public authority is “held by the authority” and/or “held by another person on behalf of the authority” and is therefore in scope of a request made under FOIA.

We wonder whether by ensuring no stone is left unturned to identify all information within the scope of FOIA requests this guidance might have some unintended consequences, by analogy, in the context of subject access requests made under the DPA.

The guidance requires public authorities that have established the existence of such information to ask the individual “to search their account for any relevant information”. A record of such action needs to be kept “to demonstrate, if required, that appropriate searches have been made in relation to a particular request”. This may arise in the course of the ICO’s investigation of a complaint under FOIA.

The guidance recommends clear policies for email/acceptable use of IT systems, and records management, in an effort to address the acknowledged “complications” arising from the onerous requirement to request “searches of private email accounts, and other private media”.

Addressing similar “complications” could lead to employers exerting their authority over their employees in attempting to either identify all personal data within the scope of a data subject access request or within the scope of a company’s legitimate business interest, such as would be required to respond to disclosure/discovery. The rationale behind the guidance could just as easily be applied, by analogy, to those occasions when the ICO deems it appropriate that such searches should extend to personal email accounts and home computers, where these have been used to process personal data for which the employer is the data controller.

Such unintended consequences inevitably raise genuine concerns about the erosion of privacy in the workplace. At this point such concerns are likely to surface in the public sector workplace, unless accepted as the inevitable price of greater openness in the public sector. 


[1] “Official information held in private email accounts”, ICO, dated 15 December 2011

The European Court of Justice rules twice in one day on data protection issues: Emerging clarity and consistency is in everyone's interests.

This post was written by Cynthia O'Donoghue and Nick Tyler.

“You wait for ages for one and then two turn up at the same time!” The European Court of Justice issued two significant rulings this past November.

The first addressed the manner in which Spain enacted the Data Protection Directive. In Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) v Administración del Estado (C-468/10) and Federación de Comercio Electrónico y Marketing Directo (FECEMD) v Administración del Estado (C-469/10), the claimants challenged Spain’s national data protection law (Organic Law 15/1999), which imposed the extra condition that, where processing is based on a data controller’s legitimate interests, the personal data must already be in the public domain. The ECJ ruled that Article 7(f) of the Data Protection Directive 95/46/EC was sufficiently precise to have direct effect in member states’ national laws, because it sets out an exhaustive list of conditions for the processing of personal data, and as such member states may not impose additional conditions.

The surprising aspect of this case, in our view, is that it has taken until now to gain a degree of consistency of interpretation for what is a relatively straightforward provision of EU data protection law. In our experience the misinterpretation of this provision in Spanish law has presented real practical difficulties to clients implementing run-of-the-mill applications involving non-sensitive personal data. The resulting emphasis in Spain on the need to gather consent has inevitably introduced increased bureaucracy and associated costs.

The other case, Scarlet Extended SA (Scarlet) v Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM) (Case C-70/10), stemmed from a referral to the ECJ by the Belgian court and has important implications for the practical enforcement of copyright infringement cases. SABAM, a management company representing owners of copyright-protected works, took legal action against Scarlet, an Internet Service Provider (ISP), because Scarlet’s users were downloading works in SABAM’s catalogue through peer-to-peer networks/file sharing and so infringing copyright.

In the legal proceedings SABAM asked the Belgian courts to make an order requiring the ISP to stop such infringements “by blocking, or making it impossible for its customers to send or receive in any way files containing a musical work using peer-to-peer software without permission”. The technical solution would involve a systematic analysis of all content and the collection and identification of users’ IP addresses from which unlawful content was sent, which may also result in the blocking of lawful content. The local Belgian court granted SABAM’s request for an injunction.

Scarlet appealed, claiming that the injunction would be unlawful on several grounds, most notably in the context of data protection and privacy by breaching Belgian laws implementing Directive 2000/31, prohibiting the monitoring of communications and the general surveillance of all communications passing through the ISP’s network, and Directive 95/46/EC because the filtering system would involve the processing of IP addresses, which are personal data.

The ECJ ruled that the technical solution did not strike a fair or proportionate balance between the protection of the intellectual property right holders and the freedom to conduct a business, such as ISPs, nor was a fair balance struck between the protection of copyright and the fundamental rights of individuals, in this case the ISP’s customers.

Crucially, the ECJ noted the impact on the ISP’s customers and the infringement of their fundamental right to protection of their personal data (Article 8 of the Charter of Fundamental Rights of the EU) and their freedom to receive or impart information (Article 11 of the Charter).

This ruling essentially validates the Art. 29 Working Party’s opinion that in the hands of ISPs, IP addresses are personal data because “they allow those users to be precisely identified.” What is unclear from the ruling is whether IP addresses are also considered to be personal data when processed by organizations that would not have access to names and account information that would enable such precise identification.

Tougher EU Data Protection Laws on the Horizon

This post was written by Cynthia O'Donoghue.

In a bid to strengthen the European data privacy rules and further protect EU consumer privacy, it is most likely that non-European companies will be held to the same standards as European companies.

The EU Justice Minister, Viviane Reding, and the German Consumer Protection Minister, Ilse Aigner, released a joint statement saying that the proposed reforms to the Data Protection Directive due at the end of January 2012 will be changed so that consumers’ privacy is protected regardless of a company’s country of origin. “We both believe that companies that direct their services to European consumers should be subject to EU data protection laws. Otherwise they should not be able to do business on our internal market.”

Reding and Aigner focused their statement not just on social networks but also on data that is stored in a ‘cloud’. They stressed that consumers should have more control over their data and stated “EU law should require that consumers give explicit consent before their data are used. And consumers generally should have the right to delete their data at any time, especially the data they post on the internet themselves.”

The joint statement leads us to conclude that both a new principle of accountability and a ‘right to be forgotten’ will be included in the revised EU data protection law. The statements are also consistent with the increased pressure on online services and social networks, like Google and Facebook, which operate outside the European Union but target EU-based consumers, to fully comply with EU data protection laws. The pressure on such companies can also be seen as a natural progression from the investigations into their handling of personal data that have emanated from France, Germany, the UK and Ireland. To prepare for the new horizon, organisations should start by thinking about compliance.

How to Craft Plain Language Privacy Notices and What Constitutes "Material Change"

This post was written by Christopher G. Cwalina.

Privacy policies have been reviled for their incomprehensibility; regulators are calling for clearer disclosures, and, increasingly, statutes require that privacy notices be written in plain language. In this program, our seasoned panelists, including a plain-language expert, will use real-world examples to help you craft a clear and consumer-friendly privacy notice that also satisfies legal requirements. Find out how to turn legalese into easy reading using common words, short declarative sentences, and an emphasis on action and choice.

In addition, the FTC has said that under well-settled case law and policy, companies must provide prominent disclosures and obtain opt-in consent before using consumer data in a materially different manner than claimed when the data was collected, posted, or otherwise obtained. What constitutes using data in a materially different manner than originally claimed can be difficult to ascertain. Companies are regularly and on an ongoing basis developing new products and services involving new data uses. The line between an existing and already disclosed use of data and the start of a materially different use that needs to be independently disclosed is not always clear and privacy professionals are left to make this decision. Hear directly from an Assistant Director from the FTC's Division of Privacy and Identity Protection on this point.

Privacy Compliance: Not Just a Luxury Anymore

This post was written by Mark S. Melodia and David Z. Smith.

On August 29, 2011, a Google shareholder filed a derivative action against the company’s directors stemming from Google allegedly allowing and supporting Canadian and other foreign pharmacies to advertise and ship prescription drugs to American consumers through Google’s AdWords advertising program in violation of U.S. law. The lawsuit comes on the heels of the announcement days earlier of a $500 million settlement between Google and the U.S. Department of Justice over an investigation of those same advertising practices. Google’s AdWords program displays sponsored advertisements in response to specific searches entered into Google’s search function. AdWords not only allows advertisers to target certain search terms, but to geo-target the searchers, so that certain advertisements will only appear for search terms entered by individuals within a certain geographic location. Plaintiff thus alleges that the directors breached their fiduciary duties and wasted corporate assets by, among other things, failing to ensure that Google had proper internal controls that would have prevented Canadian pharmacies from geo-targeting U.S. citizens with advertisements for prescription drugs.

This lawsuit is the latest in a growing line of derivative and securities fraud complaints based on alleged lack of internal controls over data security and privacy. In past cases, companies such as Heartland Payment, ChoicePoint, TJX, and more recently, Sony, have all been sued for allegedly failing to develop and maintain an adequate security environment, thereby allowing consumers’ private information to be exposed and forcing the companies to expend scarce corporate resources to prevent litigation losses or further reputational hits. The Google case shows that companies not only face the risk of derivative or securities fraud actions over the failure to protect consumers’ data, but may also be forced to defend any failures to control how their systems are used (or possibly misused) by a third-party to target consumers they should not be allowed to target. With the increasing sensitivity over on-line data security and privacy, and growing public awareness of web/search advertising functionalities such as AdWords or sites that allow third-party communication and geo-location check-ins (like social media sites), these lawsuits are likely to become more frequent. Such cases also deliver a fresh reminder to senior management of how strong privacy compliance programs and practices have come to be regarded as a critical component of good corporate governance and behavior.

The end of the News of the World marks the beginning of the end for wholesale privacy intrusions by the media - the Information Commissioner says, "I told you so!"

This post was written by Nick Tyler.

The closure of the News of the World, the best-read Sunday newspaper in the English language, is a stark illustration of the reputational and commercial damage that can result from privacy-intrusive practices carried out in the name of ‘investigative journalism’.

The UK’s phone-hacking scandal, which has been rumbling for years, blew up this week after it came to light that it was not just public figures and celebrities who were targeted, but ordinary people (and their families) who were the victims of crime, terrorism and war. Such egregious and unconscionable behaviour saw an advertising boycott by companies, which will result in the last edition of the newspaper this Sunday carrying no commercial advertising.

Ultimately, for the newspaper’s owner Rupert Murdoch, the reputational price proved too high as the scandal’s effect threatens the share price of News Corporation International as well as their multi-billion pound takeover of BSkyB in the face of universal public outrage.

As the criminal investigation finally gets into gear, with arrests of high-profile figures expected and a public inquiry ordered by the Prime Minister, it is worth noting that the UK’s data protection regulator, the Information Commissioner Christopher Graham, this week reminded everyone that over five years ago his office (the ICO) first brought to light the unlawful trade in personal information with two special reports to Parliament, ‘What Price Privacy?’ and ‘What Price Privacy Now?’.

When first publishing these reports the ICO pressed for the strongest possible sanctions for those found guilty of the most serious criminal offences under UK data protection law. Those representations resulted in a power to change the law (see section 77 of the Criminal Justice and Immigration Act 2008). This power would enable the penalty for breaches of section 55 of the Data Protection Act 1998 to include custodial sentences. However, it has not yet been exercised by the UK Government.

On the back of the latest scandal the Commissioner this week called for that power to be exercised. We can expect that call to become stronger and louder over the coming weeks and months.

"Stick, Twist or Bust?" UK Minister warns EU Commission not to gamble with the future direction of data protection law.

This post was written by Cynthia O’Donoghue and Nick Tyler.

The UK Minister responsible for government policy on data protection has raised concerns about any proposed “radical rewrite” of the EU Data Protection Directive.

Kenneth Clarke, Lord Chancellor and Secretary of State for Justice, called for both flexibility and a common-sense solution to modernising data protection law. He recognised that “technology has moved on” and that future EU regulation of data protection must address the “broader landscape” without getting caught up in “endless” debate “over the details”.

The flagging at this stage of some fundamental UK opposition to a number of specific reforms does not bode well for a happy consensus emerging from the EU-wide negotiations to follow the hotly anticipated publication of the EU Commission proposals:

What are seen as ‘Bad Ideas’?

  • A new “right to be forgotten” – Worried about its impact on both business and the public, Mr Clarke made it plain that he wants the “right to be forgotten” to be forgotten!
  • Revision of the Data Retention Directive – Mr Clarke staunchly defended the ability of law enforcement authorities across the world to collect, retain and pool data to improve security, in spite of concerns from privacy regulators and advocates.
  • EU extra-territoriality – While acknowledging the aspirational “idea that European standards [of data protection] should apply to any firm processing EU citizens’ data anywhere in the world”, Mr Clarke was withering in his assessment that, on purely legal grounds, the European Commission must be “wrong”:

“I see little sign that the Commission has thought about this sufficiently yet. And how on earth are you going to enforce EU [data] protection on a global basis?”

Any ‘Good’ Ideas?

The Accountability Principle and Binding Corporate Rules – referring to the UK’s consultation on revision of the EU Data Protection Directive, Mr Clarke backed a more business-friendly solution:

“. . . [W]e should consider moving from a system which restricts information based on national standards of data protection, to a system based on the standard of data protection of the particular company involved – far more relevant to modern methods of business.”

Raising the Stakes for the Future of EU Data Protection?

The UK Government position appears to be against a move toward harmonization. In Mr Clarke’s view, sticking to a set of shared principles and values, which at present have been implemented and are enforced in 27 different ways, would allow each country to be true to its own “constitutional and cultural identities”:

“. . . let’s learn to understand each other’s legal systems better, not rewrite our respective statutes and codes from scratch.”

This is a challenging prospect for global businesses trying to understand and comply with local law variations across Europe. They can only hope that the future EU data protection regime delivers some significant improvements to work with, and avoids the imposition of bad ideas in the form of arbitrary, additional and onerous obligations.

A Supreme Court Win For Free Speech About Medical Options

This post was written by Paul Bond and Joe Metro.

States regulate doctors in issuing prescriptions. The States keep databases that show which doctors prescribe what medicines, for what purposes, and when. That information is valuable to anyone who would seek to locate doctors with certain prescription-writing habits. For example, a database user might seek out doctors to suggest that those doctors try a different drug or combination of drugs as a more effective treatment. Some doctors objected to being contacted with such suggestions, especially by commercial drug manufacturers. As a consequence, several States passed laws banning the purchase and use of prescription-writing records for purposes of commercial outreach to health care professionals. Vermont's law was challenged by IMS Health, et al., a major provider of information services to the health care industry. The United States Court of Appeals for the Second Circuit, at IMS Health's urging, struck down Vermont's law as imposing an unconstitutional impairment on commercial free speech. Today, in a 6-3 decision, the United States Supreme Court agreed, adopting a position that Reed Smith helped advance.

Justice Kennedy, writing for the majority in Sorrell v. IMS Health, stated that: "Speech in aid of pharmaceutical marketing...is a form of expression protected by the Free Speech Clause of the First Amendment. As a consequence, Vermont’s statute must be subjected to heightened judicial scrutiny. The law cannot satisfy that standard." The Court noted that Vermont's law would allow academics to use prescriber-identified information to promote generic drug use. However, the same law would block the makers of brand-name drugs from reaching out to doctors in a comparable, high-touch informational campaign. Thus, "the law on its face burdens disfavored speech by disfavored speakers." Lacking a compelling reason for this viewpoint-based discrimination, Vermont's law could not stand.

The dissent, authored by Justice Breyer, called for a more relaxed standard of review to be applied to the challenged State regulations. The dissent argues that the speech in question is commercial; that limits are routinely put on marketing speech especially in connection with health and safety; and moreover, that the States should be afforded great leeway in deciding for what purposes these State-created databases of prescription information are sold and used.

Reed Smith participated in this case to further explain to the Court the public health benefits arising from targeted commercial use of prescription-writing data. Reed Smith's team drafted and filed an amicus brief supporting IMS Health's position. Reed Smith submitted that brief to the Court on behalf of two former United States Secretaries of Health and Human Services (Dr. Louis W. Sullivan and Governor Tommy Thompson) as well as the Healthcare Leadership Council. The decision of the Court today is fully consistent with the positions advanced by these public health experts. Of note, the Court specifically cited and endorsed the public health benefits of a free flow of information about treatment options. As the Court found: "A consumer’s concern for the free flow of commercial speech often may be far keener than his concern for urgent political dialogue. That reality has great relevance in the fields of medicine and public health, where information can save lives."

FTC Seeks Public Comment For Revising the "Dot Com Disclosures"

Careful Consideration is Advised, as FTC's Guidance May Inform Federal and/or State Enforcement Actions

Comments Deadline: July 11, 2011

This post was written by Christopher G. Cwalina, Amy S. Mushahwar, and Frederick Lah.

The Federal Trade Commission ("FTC") seeks public comment, as it considers updating and reissuing "Dot Com Disclosures: Information about Online Advertising", its business guidance document for online marketers on how to provide clear and conspicuous disclosures to consumers.

In its request for comment, the FTC cites the dramatic changes in the online world since the guidance was originally published in 2000, particularly the emergence of mobile marketing, the "App" economy, the use of "pop-up blockers," and online social networking. (This recognition of mobile is particularly important in light of last week's letter by Senator Al Franken (D-MN) to Google (maker of the Android) and Apple (maker of the iPhone and iPad) asking that all mobile apps for their devices provide "clear and understandable privacy policies.")

Even though the "Dot Com Disclosures" are considered guidance and not formal regulations, the FTC has used its Dot Com Disclosures to inform Section 5 enforcement actions. For example, in a consent order with Advertising.com, Inc., the FTC required that Advertising.com's representations about its advertisements be made "clearly and prominently." The definition of "clearly and prominently" in that order tracked almost verbatim the definition of the term as it appears in the guidance. The FTC also cited to the guidance back in 2002 in response to a complaint brought by Commercial Alert against search engines like AOL and Microsoft for their allegedly misleading disclosures about the advertisements placed on search result lists. State courts have also cited the guidance. In 2009, a Texas court stated that in determining what constitutes deceptive conduct under Texas' Unfair Trade Practices Act, "they are to be guided by the interpretations of that term in the guidelines of the FTC" and found that those guidelines require that disclosures be "clear and conspicuous" based on the placement of the disclosure on the webpage and its proximity to the other relevant information.

The FTC seeks comment from the industry on a number of issues. In the request for comment, the FTC provides a series of questions to help companies consider what type of revisions need to be made, such as:

  • What issues have been raised by new online technologies, Internet activities, or features that have emerged since the business guide was issued (e.g., mobile marketing, including screen size) that should be addressed in a revised guidance document?
  • What issues raised by new laws or regulations should be addressed in a revised guidance document?
  • What research or other information regarding the online marketplace, online advertising techniques, consumer online behavior, or the effectiveness of online disclosures should be considered in a revised guidance document?
  • What specific types of online disclosures, if any, raise unique issues that should be considered separately from general disclosure requirements?
  • What guidance in the original “Dot Com Disclosures” document is outdated or unnecessary?
  • What guidance in “Dot Com Disclosures” should be clarified, expanded, strengthened, or limited?
  • What issues relating to disclosures have arisen from multi-party selling arrangements in Internet commerce, such as (1) established online sellers providing a platform for other firms to market and sell their products online, (2) website operators being compensated for referring consumers to other Internet sites that offer products and services, and (3) other affiliate marketing arrangements?

Regardless of how the guidance is ultimately revised, the FTC will certainly continue to use this sort of guidance to inform its enforcement efforts. We recommend that companies carefully review the Dot Com Disclosures guidance and the questions posed in the request for comment. Companies should analyze how any new guidance might affect their advertising practices and consider whether they should provide comments. July may seem like several weeks away, but because these issues are likely to impact advertising for multiple product lines within your company, we encourage you to begin an internal dialogue on this proceeding immediately.

Commissioner Brill Introduces Competition Analysis to Privacy Debate

This post was written by Paul Bond and Chris Cwalina.

In her new article, "The Intersection of Consumer Protection and Competition in the New World of Privacy," Federal Trade Commissioner Julie Brill cautions that the pursuit of privacy may conflict with the pursuit of a competitive market. Commissioner Brill's article, published in the Spring Edition of Competition Policy International, notes that the Federal Trade Commission's role is to protect consumers from many types of market failures. The FTC strives to protect consumers from unfair and deceptive information collection and use practices. But, at the same time, the FTC protects consumers from collusive and other anti-competitive behaviors. Commissioner Brill identifies a potentially problematic range of privacy enhancements which could, paradoxically, harm consumers by stifling competition. In this position, Commissioner Brill goes further than the FTC's preliminary white paper, "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers" (2010 Privacy Report).

For example, Commissioner Brill asserts that self-regulation to date has been "slow and inadequate". This mirrors criticisms in the 2010 Privacy Report. But Commissioner Brill goes on to posit that dominant companies can misuse privacy self-regulation to stifle market entry by new competitors. The Commissioner does not describe in any detail the manner in which such an anti-competitive plan would be carried out. Presumably, the cost in money or time of complying with the industry's self-regulation would prove prohibitive for fledgling businesses, while just a "cost of doing business" for better capitalized industry leaders. There may also be a concern that existing businesses, which already hold stockpiles of consumer information, would erect barriers to data collection which would affect new enterprises disproportionately.

Commissioner Brill also raises the competitive concern that privacy regulation not unfairly benefit new entrants. "Indeed," she recognizes, "some more established data brokers and other information firms believe it is much easier for their newer competitors to design privacy protections into their new business models and new forms of communications than it is to retrofit old systems to meet the realities of today's privacy concerns."

Until now, a strategic analysis of the competitive impact of privacy regulation has not been an FTC priority. Indeed, in her article, Commissioner Brill notes that she writes only for herself, and is not reflecting the views of the Commission or the other Commissioners. Still, taken in conjunction with Commissioner Rosch's recent opinion that the Google Buzz settlement may have been a strategic ploy by Google to create insurmountable regulatory barriers to entry, it is safe to say the FTC is increasingly wary of privacy regulation being misused for private ends. Advocates of self-regulation, as well as those seeking to advance or defeat governmental regulation, must be prepared to explain why their privacy regulation or self-regulation proposals are consistent with a vigorous free market. Advocates of industry self-regulation already know that the FTC has criticized efforts to date, and here is another hurdle that must be addressed before self-regulation is deemed by the FTC to be robust enough and workable.

Given how extremely easy it is to transfer information as an asset between corporate forms, and from one area of the world to another, the prospect for strategic resistance to or abuse of privacy regulation by companies around the world is substantial. Commissioner Brill performs a service by injecting a note of economic realism into the ongoing debate about how information can and should be regulated in the 21st century.

China Announces State Internet Information Office

This post was written by Joseph I. Rosenbaum, Frederick H. Lah, Zack Dong and Amy S. Mushahwar.

On May 4, 2011, the Chinese government announced it was establishing the State Internet Information Office, an office dedicated to managing Internet information. According to the announcement, this office will be responsible for directing, coordinating, and supervising online content management. The office will also have enforcement authority over those in violation of China's laws and regulations (see, for example, China sets up office for Internet information management). While there are reports that many believe the purpose of the new office will be to censor political and social dissidents (see, China Creates New Agency for Patrolling the Internet), the office may also have a key role in thwarting illegal spamming and other dubious data practices.

To read the complete blog post, click here.

Does "Public" Privacy Exist?

This post was written by Mark Melodia, John Hines, and Frederick Lah.

Just how much privacy are we entitled to in public places, such as public highways and buses, classrooms, restaurants, or even on the Internet? While we expect to lose some sense of privacy when we move into public spaces, does this mean that we should be subject to being recorded (and subsequently publicized on a site like YouTube) anytime we are in public? Two recent cases involving the recording of police officers highlight the debate surrounding these questions.

Back in April 2010, motorcyclist Anthony Graber was charged with violating Maryland's wiretapping laws after he used a camera in his helmet to videotape a state trooper brandishing his gun while stopping Graber for speeding. To see the YouTube video, please click here. The Maryland court dismissed the charges, stating that "[i]n this rapid information technology era in which we live, it is hard to imagine that either an offender or an officer would have any reasonable expectation of privacy with regard to what is said between them in a traffic stop on a public highway."

Later, in March 2011, the ACLU, on behalf of Khaliah Fitchette, filed a complaint against the City of Newark, N.J. after Fitchette was handcuffed and detained for using her smart phone to record two police officers dealing with a disorderly man on a bus. Fitchette was allegedly detained for two hours in the back of the squad car, but no charges were filed against her. Fitchette's phone was seized by the police and the video was deleted. The complaint alleges violations of the Fourth Amendment and of Fitchette's First Amendment right to record and disseminate the video. A decision has not yet been made on the case.

These two cases illustrate the debate over whether police officers should be subject to being filmed or recorded while performing their duties. On the one hand, some would argue that a free and open society ought to tolerate and even encourage the rights of citizens to record and publish the activities of their public servants, especially police officers; indeed, some might argue that recording arrests and other demonstrations of police power may help reduce the incidence of abuse and unlawful invasion of individual rights. On the other hand, there is a legitimate concern that being recorded and subsequently publicized might have a chilling effect on an officer's willingness to act swiftly in critical situations and thereby jeopardize public safety and welfare.

On a deeper level, though, the reluctance that some police officers feel about being taped may serve as a visible demonstration of the reluctance that many people feel about their lack of "public" privacy. As new technologies with recording capability continue to become more widespread, any one of us is subject to being recorded anytime we step out into public. What's more, such recordings may be uploaded onto YouTube and publicized to the world at the press of a button. As Harvard Law Professor Jonathan Zittrain notes in one of his books, "[C]itizens can quickly distribute to anywhere in the world what they capture in their backyard … The presence of documentary evidence [ ] creates the possibility of getting fired or disciplined where there had not been one before … As our previously private public spaces, like classrooms and restaurants, turn into public public spaces, the pressure will rise for us to be on press conference behavior."

Similarly, as Internet marketing companies continue to find new ways to track and utilize consumer information, how much privacy should people be entitled to as they browse the Internet? For example, there have been a number of lawsuits over the past year brought by consumers against companies for their use of Flash cookies / Local Shared Objects ("LSOs"). The suits generally contend that companies, without permission, use Flash cookies / LSOs to track and follow consumers as they browse the Web. While each of these suits involves individualized questions of fact, collectively they raise important social (and political) considerations on this issue of "public" privacy. Despite the fact that the Internet is largely considered to be a public place -- whether as a forum to exchange ideas or as an online marketplace -- these lawsuits show that people still feel entitled to a sense of personal privacy as they use the Internet. Perhaps the disconnect lies within our society's continued reliance on the Warren and Brandeis standard of the "right to be left alone." Some scholars have suggested that that standard no longer applies and that the relevant standard should instead focus on preventing tangible harms that might result when data is entrusted to a third party.

Whether we are entitled to some sense of "public" privacy is a debate that addresses important public policy considerations that go to the heart of how we control what others think of us and how we maintain control over our ability to shape and manage our identity, reputation, and personal information. There is obviously no easy answer. The only thing that is clear is that there is no specific state or federal legal scheme designed to address this issue. As Congress and State legislatures continue to wrestle with these questions, we will continue to monitor.

'What Cookies Are In Your Jar?' - ICO's guidance on compliance with new EU cookie law leaves industry something to chew on (and few crumbs of comfort!)

This post was written by Cynthia O'Donoghue and Nick Tyler.

With two weeks to go until implementation of an EU-wide amendment to the law on cookies and consent, the UK’s data protection regulator, the ICO, has issued initial guidance on compliance. It proposes three actions that organisations can take to mitigate their potential exposure to enforcement action in the short-term. In the meantime, industry and the authorities are working on finding solutions to the most complex and challenging issues presented by the new law.

In our Client Alert we look more closely at what organisations need to be doing now to comply with this new EU-wide regime. Reed Smith's Legal Bytes blog also recently posted on the topic.

California Senator Proposes State "Do-Not-Track" Bill

This post was written by Kathyleen A. O’Brien.

On April 6, 2011, California State Senator Alan Lowenthal (D-Long Beach) introduced a version of “do-not-track” legislation in the form of SB 761. An initial hearing will be held by the California Senate Judiciary Committee on April 26.

The bill largely follows the current “do-not-track” framework being proposed by U.S. Rep. Jackie Speier (D-CA) and others in Congress. Many, including Sen. Lowenthal, see the California bill as a way to spur action on the national level. Although privacy is largely viewed as a bipartisan issue, Lowenthal is hoping that because the Democrats control the California governorship and legislature, the process of passing a “do-not-track” bill will be quicker and smoother on the state level. Interestingly, the effort is attracting at least some bipartisan support with Judiciary Committee member Sen. Tom Harman (R-Huntington Beach) expressing interest in tackling the issue of online tracking. Ultimately, passage of the bill would, once again, put California out in front on online consumer protection issues much like its “do-not-call” and data breach laws have in the past.

The bill requires the Attorney General, in consultation with the California Office of Privacy Protection, to adopt regulations that would require companies doing business in California that collect, use, or store online data regarding consumers to provide those consumers with a way to opt out of such practices. Additionally, the bill would grant the Attorney General power to impose regulations that may, among other things, require companies to provide consumers with access to their personal data, and a clear and easy to understand data retention and security policy. As a nod to the business community, the Attorney General would have the power to create exemptions for commonly accepted business practices.

Any company that willfully fails to comply with the adopted regulations would be liable to consumers in a civil action with statutory damages, which would range from $100 to $1,000. The proposed bill could include punitive damages also, as determined by the court, as well as costs and reasonable attorney’s fees.

Research for this post was conducted by Legal Intern Noah Cherry.

'The Four Pillars of Wisdom'? EU Commissioner's speech signals key areas for reform of EU privacy rights

This post was written by Cynthia O'Donoghue and Nick Tyler.

In a recent speech, Viviane Reding, the EU Commissioner with responsibility for European Union data protection policy, identified ‘four pillars’ upon which the privacy rights of EU citizens “need to be built” so that individuals have more control over their personal data in today’s online world.

Reforming EU data protection is Commissioner Reding’s “top legislative priority” and the new proposals are expected this summer.

The ‘four pillars’ are:

  • The right to be forgotten,
  • Transparency,
  • Privacy by default, and
  • Protection regardless of geographic location.

The “right to be forgotten” (also alarmingly termed the “right to oblivion”) will comprise “a comprehensive set of existing and new rules to better cope with privacy risks online”. This new “right” will require the data controller to demonstrate the need for collecting personal data and to delete data held if consent to processing is withdrawn.

While transparency has always been a fundamental principle, Commissioner Reding is advocating transparency as a new right. This would fundamentally shift transparency from being an obligation on data controllers to a right providing individuals more control over their data. The shift seeks to address the perceived risks of regulators and policy makers (particularly in the context of social networks) that personal data is misused, especially the personal data of young people. These paternalistic concerns appear to be driving Commissioner Reding’s call for “privacy by default”.

There is potential for confusion with this new term in that “privacy by default” could easily be mistaken for the concept of “Privacy by Design”, which was recently adopted as a guiding principle by the global data protection community – see our earlier blog post and Client Alert. In fact, “privacy by default” is a much more basic idea and signals a policy shift towards more explicit consent from individuals. Its implementation would challenge existing data collection practices currently relied on through available software applications. While the focus on “explicit consent” is initially concerning, Ms Reding does appear to recognise other lawful reasons for collection and use, apart from consent. We can only hope that the “legitimate interests” of the controller continue to provide a lawful basis to rely upon in practice, subject, of course, to any overriding interest of an individual.

Commissioner Reding has taken a particularly robust stance on the extra-territorial application of EU data protection laws to ensure protection of EU citizens’ data irrespective of geographic location:

“Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules.”

To make this commitment more realistic in practice, the Commissioner recognises the need to “reinforce the independence and harmonise the powers” of Member States’ privacy regulators through a more coordinated approach to EU-wide enforcement and regulation.

That’s a mighty challenge in itself since the existing European data protection landscape remains notoriously inconsistent and unpredictable with many regulators anxious to address criticism of ineffectual regulation by exercising enforcement powers. This is all likely to increase the heat on the compliance and legal functions, as well as the boardrooms, of many enterprises with EU operations. It looks like we can all look forward to a long, hot summer!

Israel is welcomed to the ranks of EU-approved personal data destinations

This post was written by Nick Tyler.

The EU Commission has recently approved Israel as a country providing “an adequate level of protection for personal data transferred from the European Union”.

This follows a lengthy process which was nearly derailed, after Irish Government objections, following the assassination in Dubai last January of a Hamas official allegedly committed by agents of Mossad, Israel’s Secret Service, and associated allegations of identity theft involving the passports of Irish (as well as UK) citizens.

Israel has now joined a very select band of countries, including Argentina, Canada and Switzerland, which have received the EU-data protection ‘seal of approval’. This group is likely to expand further in the coming months, with the expected addition of Uruguay following the positive opinion of the Article 29 Working Group in October last year (see our related blog post). The equivalent opinion on Israel was issued as long ago as December 2009.

Israel’s data protection regulator, ILITA (the Israeli Law Information and Technology Authority) has been formally recognised as an independent supervisory authority in spite of its links with the Israeli Ministry of Justice. In October last year ILITA hosted the International Conference of Data Protection and Privacy Commissioners in Jerusalem.

This Decision marks an important legal and commercial development as it enables the automated international transfer of personal data from the EU to Israel between corporate affiliates, or from European corporations to data processing operations in Israel. It also covers non-automated transfers of personal data that will be subject to further automated processing in Israel.

There are two restrictions on the scope of the Decision:

  • It does not cover the non-automated transfer of manual data which is then processed in Israel by non-automated means.
  • EU data protection regulators will monitor the effectiveness of ILITA when it comes to enforcing privacy and data protection laws in Israel, to verify that personal data transferred to Israel is adequately protected in practice. The rights of those EU regulators to suspend data flows to any particular recipient in Israel have been expressly reserved.

While this Decision provides a way past the legal obstacle that previously restricted the transfer of personal data from Europe to Israel, when it comes to other data protection compliance obligations it is important that clients operating, or otherwise conducting business, in Israel take appropriate legal advice and assistance on compliance with local laws.

European Commission Communication on personal data protection in the European Union - A seasonal wish-list for a harmonious future?

This post was written by Nick Tyler and Cynthia O'Donoghue.

With so much consultation activity going on in the United States on the future of privacy regulation and enforcement, initiated by the FTC and US Department of Commerce, we should not lose sight of parallel developments and consultation activity going on in Europe following a recent Communication from the European Commission.

Now seems to be an appropriate time of year to take stock and highlight the key themes of that Communication and what it might mean for clients as they look to address and/or progress their data privacy compliance programmes in the year(s) ahead. We have therefore published a Client Alert which takes a closer look at the emerging themes and what lies ahead in 2011.

Read the full Client Alert here.

Department of Commerce Privacy Green Paper -- Detailed Digest

This post was written by Amy Mushahwar.

As promised in our teleseminar last week, we have digested the Department of Commerce Privacy green paper, entitled, "Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework". The green paper will kick start an ongoing discussion of privacy and we encourage organizations to undertake some cost-benefit analysis now for the best outcome in 2011. Time is of the essence and comments to this green paper are due on January 28, 2011. To learn more about this important release, please read our recent client alert.

Privacy: A Washington Tale of Two Reports

This post was written by Mark Melodia, Judy Harris, Chris Cwalina, Paul Bond, and Amy Mushahwar.

We've been busy here in Washington with two seminal privacy reports released within a span of two weeks. At Reed Smith, our interdisciplinary team of former government officials, former in-house attorneys, class action litigators and engineers (in the US and internationally) is reviewing the releases and providing prompt insights for your review. Below, please find a link to the reports, our most recent digests and our aptly timed teleseminar that occurred on the very day that the Department of Commerce released its privacy green paper.

On December 1, 2010, the Federal Trade Commission issued its long-awaited 123-page preliminary report on privacy, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers. The report is the most important and comprehensive guidance the FTC has ever issued in the privacy arena, and it has the potential to dramatically overhaul the way businesses think about privacy. More importantly, the document sets the stage, potentially, for a very different regulatory framework in Washington. For more detailed information on the FTC Report click here. Comments are due on this report by January 31, 2011.

On December 16, 2010, the U.S. Department of Commerce issued its initial policy recommendation in a green paper, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework. The Commerce green paper, issued by the specially established Internet Task Force at the Department of Commerce, lends another voice to the privacy debate and attempts to create a universal privacy baseline. While the report makes no recommendations to cover specific industry sectors that are addressed by existing privacy regulations, such as healthcare, financial services and education, it is clear that the Department of Commerce would like to lead the regulatory agenda in the online privacy overhaul that is expected in 2011. Check back here over the next few days for a more detailed look into the report. Comments are due on this report by January 28, 2011.

We addressed both reports in yesterday's teleseminar by privacy counsel Mark Melodia, Chris Cwalina, Paul Bond and Amy Mushahwar, even though our team was still digesting the Commerce item that was released only hours before the teleseminar. Our team described how the reports may apply to your business and provided a view from Washington regarding the complex regulatory and legislative road that may lie ahead for data privacy and cyber security issues. Feel free to listen to an audio recording of the event while watching the slide show.

Hamburg DPA Fines Bank €200,000 For Accessing Customer Data and Customer Profiling

This post was written by Thomas Fischl and Katharina A. Weimer.

On November 23, 2010, the data protection authority (the “DPA”) of the German federal state of Hamburg fined regional financial institution Hamburger Sparkasse AG (“Haspa”) €200,000 for illegally allowing its customer service representatives access to customers’ bank data, and for profiling its customers and also granting the representatives access to such profiles. The bank cooperated with the DPA and immediately discontinued the illegal practices.

From the end of 2005 until August 2010, Haspa allowed its self-employed, external customer service representatives access to customer bank data, often without having first obtained the customers’ consent. According to the DPA, the number of bank accounts accessed is not clear. The bank was aware of this practice through reviews of log files that detailed the representatives’ access.

In addition, the bank created customer character profiles which were available for all external customer service representatives. The bank used tracked account balances and data on the use of financial products to create profiles of customers. The profiles were based on neurological research and customer data, including customers’ socio-demographic status and financial products, such as direct deposit accounts and the number of transactions. The creation and use of the profiles occurred without notice to the customer.

According to the head of the Hamburg DPA, Johannes Caspar, the fine was based on the following factors: (i) bank data is considered highly sensitive as it provides a great deal of information about the individual customer, (ii) the severity and degree of the violation, and (iii) the fact that the amount of the fine should exceed the economic benefit derived from the violation. Furthermore, the DPA sought to discourage future data protection law violations, while cautioning against the use of modern neuromarketing tactics to exploit customers.

In the bank’s defense, the DPA considered that the bank’s management responded quickly with a clarification of the issues and cooperated with the DPA’s investigation. Furthermore, on July 9 the bank withdrew access rights to customer data from external service representatives. The DPA also took into consideration that, in August, the bank implemented new technical procedures designed to comply with data protection requirements and deleted unlawful customer profiles.

The case highlights the willingness of the German Data Protection Authorities to impose significant fines on companies which fail to protect customer data. In a similar case, Postbank was fined EUR 120,000 in early 2010. For more information, view the Hamburg DPA’s press release here (in German).

FTC Releases Privacy Report

This post was written by Paul Bond, Christopher G. Cwalina, Amy S. Mushahwar, and Frederick Lah.

On December 1, 2010 the FTC released its long-awaited Protecting Consumer Privacy in an Era of Rapid Change. This 123-page preliminary staff report proposes a sea change in US privacy law. The FTC is accepting comments on this report until January 31, 2011.

In the report, the FTC proposes a major change in the framework of US privacy law, stating bluntly that, "Industry must do better."

  • Notice-and-consent does not work, the FTC says. People do not read or understand privacy notices as now written. The Commission's view is that privacy policies have become "long" and "incomprehensible".
  • The report says that waiting for harm to come to consumers is also not an effective way to enforce privacy norms. Harm has traditionally meant economic or physical harm. Per the report, privacy harms include reputational harms and even the emotional harm of having one's information "out there," and/or "fear of being monitored". The FTC says the new framework must address and allay these anxieties; however, there is some disagreement among the Commissioners. Commissioner J. Thomas Rosch expressed in his concurrence that "the Commission could overstep its bounds" if it were to begin analyzing these more intangible harms when assessing consumer injury.
  • Industry self-regulation, per the report, is too little, too late and has failed to provide adequate and meaningful protection.

The report also challenges a number of assumptions in how we view data privacy and security.

  • The FTC casts severe doubt on claims that de-identified information need not be protected, citing multiple instances and methods by which personally identifiable information ("PII") can be culled from data that does not include names (e.g., IP addresses or other unique identifiers). The distinction between PII and non-PII, the FTC concludes, is "of decreasing relevance". Consequently, the scope of the report is very broad and applies to "all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device."
  • The report purports to apply in the online and offline world and not just to companies that work directly with consumers.
  • The FTC suggests that consumers must be made aware of and consent to onward transfers of information to non-affiliates, regardless of the industry, universalizing consumer notice requirements that hitherto applied only to certain highly regulated industries (e.g., telecommunications, education, healthcare, financial services) or certain types of highly sensitive data (e.g., credit report information, bank account information).
  • The report distinguished between "commonly accepted data practices" and all other data practices. Borrowing from GLBA and HIPAA, commonly accepted practices, like using data to aid law enforcement or in response to judicial process or to prevent fraud, would not require notice to or consent of consumers. All other data practices would require notice and consent, in a form easy to read and understand, ideally provided to the consumer at the point the consumer enters his or her personal data. Behavioral advertising and deep packet inspection are explicitly named as not "commonly accepted data practices". Also, the FTC suggests that opt-in consent be obtained prior to implementing any material changes to a company's privacy policy that would apply to data collected under a prior policy.
  • The report suggests that to promote a free and competitive market, the privacy practices of companies need to be more transparent to consumers and that companies provide consumers with "reasonable access" to their data.
  • Per the report, appropriate data retention periods should be a legal requirement. The report cites geolocation data as especially important to phase out.
  • The report also endorses a "Do Not Track" mechanism, understanding that such a mechanism would be far more complex than the National Do Not Call registry. The FTC supports either legislation or self-regulatory efforts to develop a system whereby a consumer could opt not to be "tracked." The FTC has expressed a distinction between "tracking" and "interest-based" advertising. And, in later discussions regarding the report, the FTC has stated that it will treat first-party advertising more favorably than third-party ad servers. The FTC has not decided on the technical mechanism for such a registry, but has proposed a browser-level solution, possibly similar to the privacy plug-in for the Firefox browser or incognito mode in Google Chrome. The FTC has not said whether opt-in or opt-out would be the default setting for any browser privacy plug-ins/modes developed.

So what should businesses do?

First, companies should carefully review the report and the 50+ questions open for public comment posed in Appendix A (there are also additional questions posed in the Commissioner dissent statements).

Second, companies should strongly consider commenting on the report. In our experience, the FTC will listen to and often address business concerns, but they must be heard. Trade associations may be a good place to start but also consider unique issues that your company may face that should be addressed.

Third, now is a good time for companies to pull back and consider their privacy programs and the extent to which they incorporate privacy into their everyday business practices. The report suggests that every company should adopt "privacy by design," "building privacy protections into everyday business practices," "assigning personnel to oversee privacy issues, training employees on privacy issues, and conducting privacy reviews when developing new products and services".

The FTC's full report is available here.

From World Cup Winners to Adequate Level of Data Protection - Uruguay Set to Join Another Exclusive Club!

This post was written by Cynthia O’Donoghue and Nick Tyler.

Having hosted and won the very first ‘soccer’ World Cup in 1930, and then having won it again twenty years later, Uruguay belongs to a very exclusive band of multiple-World Cup winning countries. Having reached the semi-finals of this year’s tournament (for the fifth time in total), this relatively small South American republic has a proud and enviable record as one of the most successful footballing nations.

This year is fast proving to be significant for Uruguay for more serious reasons than national sporting prowess (more serious that is if you do not subscribe to the philosophy of Liverpool FC’s legendary manager, Bill Shankly: “Some people think football is a matter of life and death. I assure you, it's much more serious than that.”)

On 12 October the Article 29 Working Party of European data protection regulators issued an opinion approving Uruguay’s admission into another exclusive club—the list of countries that provide an ‘adequate level of protection’ within the meaning of Article 25(6) of European Data Protection Directive 95/46/EC.  The Article 29 Working Party’s opinion was issued after a two-year review process and is a pre-requisite to approval by the European Commission. Barring any unforeseen political hitches, as befell Israel’s bid for ‘adequacy’ earlier this year, such approval should follow.

Some background points to note about Uruguay’s data protection regime:

  • The relevant legislation consists of:
    • Law No. 18.331 of 11 August 2008, on the Protection of Personal Data and “Habeas Data” Action (abbreviated as LPDP in Spanish); and
    • Regulating Decree of 31 August 2009, developing LPDP (DPDP).
  • LPDP is comprehensive in its scope and reach, covering all sectors of activity.
  • The independent supervisory authority is called the Unit for Regulation and Control of Personal Data (URCDP in Spanish).
  • Together with the Unit for Access to Public Information (UAIP), URCDP forms the Agency for the Development of Electronic Government and the Knowledge-Based Society (AGESIC in Spanish).
  • URCDP operates a permanent register of databases.
  • URCDP has power to impose sanctions ranging from a warning and a fine to suspension of any database.
  • Article 8 of DPDP contains data breach notification requirements.
  • Article 15 of LPDP provides a right of correction to “every natural or legal person”.
  • In the case of any denial of the rights of subject access and correction, Article 38 of LPDP provides for an action or writ of habeas data, also exercisable on behalf of deceased persons.

The concept of Habeas data does feature in a number of other Latin American countries’ constitutions but, unlike those of Argentina and, imminently, Uruguay, these have not achieved the vaunted status of EU-approved ‘adequate’ data protection regimes.

The UK Regulator's 'Wish List' for a New EU Data Protection Directive Highlights the Challenges Ahead

This post was written by Cynthia O’Donoghue and Nick Tyler.

The Information Commissioner's Office (ICO), the UK data protection regulator, has recently responded to the UK Government's Call for Evidence on the current data protection legislative framework. The Ministry of Justice sought evidence about how the European Data Protection Directive 95/46/EC and the Data Protection Act 1998 are working, and their impact on individuals and organisations. The Call for Evidence, which closed on 6 October, is intended to inform the UK's negotiating position on a new EU data protection instrument; negotiations are expected to start in early 2011.

In its response, the ICO asserts that the data protection principles are “sound and should be maintained”, although it acknowledges that changes are needed. The ICO listed key ‘must-haves’ for “an effective new data protection framework”:

  • A "much clearer" definition of personal data "more relevant to modern technologies and…practical realities", capable of recognising the many different levels of "identifiability", and in turn of protection, which technology can provide;
  • A "more flexible and contextual" concept of sensitive personal data, with financial and geo-location data being examples of non-sensitive data that nonetheless warrant increased vigilance and protection;
  • A revisit of the definitions of processor and controller, and a more collective form of responsibility that deals "more realistically with the collaborative nature of modern business and service delivery";
  • A consistent approach across Europe to transparency and consent, which are distinct concepts and not interchangeable in meaning or legal effect;
  • A new requirement of accountability (see also our recent Client Alert) to "reinforce the responsibility of data controllers", scalable to an organisation's size and the risks of its processing of personal data;
  • Significant changes to international data transfers to "deal more realistically with current and future international data flows", focusing on the exporting data controller's risk assessment and responsibilities, regardless of location, and on assessing 'adequacy' based on the specific circumstances and method of transfer rather than on whether or not a country is designated as 'adequate';
  • An explicit privacy by design requirement that ensures data protection compliance measures are built in at each stage of the information lifecycle rather than bolted on as remedial measures.

The ICO’s response is typically pragmatic and builds on several earlier contributions made over the last 18 months. Read together they provide a consistent and compelling case for change (see also, for example, “Making European data protection law fit for the 21st century”).

Indian Government discussing BlackBerry ban: "security more important than privacy"

This post was written by Cynthia O'Donoghue, Katalina Chin and Katharina Weimer.

A few days after the BlackBerry manufacturer, Research in Motion (RIM), conceded to provide Indian security agencies with access to its encrypted data, India's Home Minister P. Chidambaram held "security to be more important than privacy".

Security concerns in India have certainly risen following the terror attack on Mumbai in November 2008, the worsening violence in the disputed region of Kashmir and a rising Maoist insurgency in a mineral-rich territory of the East. Such concerns are inflamed by the fact that attacks are often coordinated using mobile phones, satellite phones and voice-over-internet calls. These mounting fears over terrorism led the Indian Government to demand from its first target, RIM, full access to the encrypted data of BlackBerry users in India.

Canadian company RIM refused the request on technical grounds, arguing that it would be impossible to provide the information. However, knowing that RIM provides data to other governments, the Indian Government held firm to its demand: why not India? The consumer service, BlackBerry Internet Service (BIS), routes communications through RIM's own servers, and RIM can lawfully intercept it where required. For the business service, BlackBerry Enterprise Server (BES), RIM maintained that it has no access: the encryption keys for BES traffic are generated and held on the customer's own enterprise server and on the handset, so RIM's infrastructure only relays ciphertext it cannot decrypt. Indeed, the level of privacy afforded to RIM's corporate customers is a strong selling point, and providing governments with access to email communications for surveillance purposes would undermine a fundamental principle of RIM's business approach: customers' trust in the confidentiality of their communications.

Following RIM's refusal to grant access, the Indian Government issued an ultimatum: if RIM did not grant full access to all data (encrypted or not), India would block the smartphone manufacturer's mail service entirely. Fearing this ban on its business in India, one of the fastest-growing smartphone markets in the world, RIM conceded to the Indian Government's requests and made several proposals for providing access to its data. The decision by Nokia, RIM's main competitor in the region, to set up servers in India to facilitate government monitoring may well have weakened any bargaining position RIM was hoping to rely on.

The measures to be adopted by RIM have yet to be made public, but the proposals were seemingly sufficient for the Indian Government to grant a two-month grace period in which to evaluate them. While the reprieve offers BlackBerry users in India some breathing space, it is unclear whether RIM will be in a position to satisfy both the Indian Government's interest in security and surveillance and its customers' interest in the privacy of their communications. India's Home Secretary is due to meet officials from the Department of Telecommunications, the Intelligence Bureau and the National Technical Research Organisation on Monday 6 September to discuss BlackBerry security issues.

In light of this development and the Indian Government’s priority on national security over privacy, there is likely to be mounting fear amongst similar online communications companies that they may be the next target and have to provide access to encrypted data transmitted online. RIM has faced similar issues in other countries, including Saudi Arabia, the United Arab Emirates, Lebanon and Indonesia. 

What kind of animal is your PET? Report on Privacy Enhancing Technologies ("PETs") released by European Commission

This post was written by Cynthia O'Donoghue and Katalina Chin.

The European Commission DG Justice, Freedom and Security commissioned London Economics, one of Europe's leading specialist economics and policy consultancies, to undertake a study and report on the economic benefits of Privacy Enhancing Technologies ("PETs") for organisations and institutions using and holding personal data in selected European member states.

But what are PETs?  The term covers a set of computer tools, applications and mechanisms, including procedures and management systems, which aim to protect the privacy of personal data by eliminating, anonymising or minimising personal data in order to prevent unnecessary or unwanted processing of it.  Features can include, for example, allowing an individual to choose the degree of anonymity, to inspect, correct and delete any of their personal data, and to track the use of their personal data, and may also include a consent mechanism prior to providing personal data to online service providers.  The report emphasises that "data minimisation and consent mechanisms are an important part of PETs, and PETs often combine these elements with data protection tools into an integrated privacy system".
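Two points on this page are easy to get wrong in practice: the FTC report's observation (above, in the FTC post) that data without names, such as IP addresses, can still be linked back to a person or device, and the anonymisation and data-minimisation features this report attributes to PETs. The following is an added example, not code from the London Economics report, the Commission or this post. It shows that a plain hash of an IPv4 address is not anonymisation (the whole address space can be enumerated), that a keyed hash confines linkability to the key holder, and what minimising a record to coarser fields looks like. The record layout, the 10.0.0.0/16 search range and the key are constructed for the demonstration and appear nowhere in the sources.

```python
"""Added example: hashing is not anonymisation; minimisation is.

Everything here (records, search range, key) is constructed for the demo.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional

# Constructed sample records: no names, but each is "reasonably linkable"
# to a device through the IP address.
RECORDS = [
    {"ip": "10.0.3.7", "zip": "02139", "dob": "1984-06-12", "purchase": "book"},
    {"ip": "10.0.200.45", "zip": "94110", "dob": "1979-01-30", "purchase": "dvd"},
]


def naive_pseudonym(ip: str) -> str:
    """Unkeyed SHA-256 of the address. Looks anonymous; is not."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_pseudonym(ip: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: only the key holder can link records."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def reidentify(digest: str, network: str, key: Optional[bytes] = None) -> Optional[str]:
    """Recover an address from its pseudonym by enumerating a candidate network.

    IPv4 has only 2**32 values, so an unkeyed hash is reversible by brute force.
    Without the key an attacker can only try plain SHA-256, which never matches
    a keyed digest; with the key, the legitimate holder can still link records.
    """
    for host in ipaddress.ip_network(network).hosts():
        addr = str(host)
        candidate = naive_pseudonym(addr) if key is None else keyed_pseudonym(addr, key)
        if hmac.compare_digest(candidate, digest):
            return addr
    return None


def minimise(record: dict) -> dict:
    """Data minimisation: keep only what the purpose needs, at coarser granularity.

    IPv4 address -> its /24 prefix, ZIP -> 3-digit prefix, date of birth -> year.
    The full address, ZIP and DOB are never stored, so there is nothing to leak.
    """
    prefix = ipaddress.ip_network(f"{record['ip']}/24", strict=False)
    return {
        "ip_prefix": str(prefix),
        "zip3": record["zip"][:3],
        "birth_year": record["dob"][:4],
        "purchase": record["purchase"],
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed for the demo; never hard-code in real code
    target = RECORDS[0]["ip"]
    print("unkeyed hash, recovered:", reidentify(naive_pseudonym(target), "10.0.0.0/16"))
    print("keyed hash, attacker without key:",
          reidentify(keyed_pseudonym(target, key), "10.0.0.0/16"))
    print("keyed hash, key holder:",
          reidentify(keyed_pseudonym(target, key), "10.0.0.0/16", key))
    print("minimised record:", minimise(RECORDS[0]))
```

The enumeration over a /16 takes a fraction of a second; the full IPv4 space is only 2^32 candidates, which is hours on a laptop, so an unkeyed hash of an address offers no anonymity at all. The keyed variant is a pseudonym, not anonymisation: whoever holds the key can still link records, which is why the report treats data minimisation, rather than data protection alone, as the core of a PET.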

The report highlights that "the rights [set out in Article 8 of the Charter of Fundamental Rights of the European Union which deals with an individual’s rights to the protection of personal data] form the basis of the legal framework in which PETs are deployed" and should have at their core the objective of transparency, proportionality and data minimisation.

The report explains how it is difficult to quantify the wider economic benefits of a data controller using PETs to protect an individual’s personal data, and how the evidence has shown that the benefits can only be assessed on a case-by-case basis.  If anything, the study found little evidence to show that the demand by individuals for greater privacy is driving PETs deployment, and suggests that this is in part due to “the uncertainties surrounding the risk of disclosure of personal data, a lack of knowledge about PETs, and behavioural biases that prevent individuals from acting in accordance with their stated preference for greater privacy”.

The fact of the matter is, as the report makes very clear, that data controllers derive a variety of benefits from holding and using personal data (including the personalisation of goods and services, data mining, etc.), and to the extent that PETs limit their ability to use personal data, this will clearly act as a disincentive to the adoption of PETs. The report highlights that "data controllers often favour mere data protection to protect themselves against the adverse consequences of data loss over data minimisation or consent mechanisms which can impede the use of personal data".  Evidence considered in the study suggests that there is a role for the public sector in helping data controllers realise the benefits of PETs, such as "official endorsements of PETs, including through pioneering deployment and official certification schemes, and direct support for the development of PETs, through subsidies to researchers (e.g. the European Framework Programmes)".

As the heat in data privacy issues continues to rise, with increased powers of regulatory authorities, tougher sanctions being imposed and a greater emphasis in Europe’s legislation on security management, it is clear that privacy by design will be the most effective method of compliance.

Mexico's Senate Passes Federal Law for Protection of Personal Data

This post was written by Mark Melodia, Cynthia O'Donoghue, and Anthony Traymore.

On April 27, 2010, the Mexican Senate passed the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (the Federal Law for Protection of Personal Data (FLPPA)). President Felipe Calderón is expected to sign the FLPPA into law soon, after which the FLPPA will be published and its regulatory provisions enacted. The objective of the FLPPA is to provide regulatory mechanisms for the newly established replacement agency, the Instituto Federal de Acceso a la Información y Protección de Datos (the Federal Institute of Information Access and Data Protection (FIIADP)), to enforce the FLPPA against any individual or entity engaged in the collection, storage and/or transfer of personal data.

To view the entire alert, please click here.

Toward Reinforcement of the Applicable Legislation on Data Protection in France: The New Bill On Privacy

This post was written by Cynthia O'Donoghue and Daniel Kadar.

A bill "intended to better guarantee the right to privacy in the digital age" was adopted by a large majority of the French Senate March 23, 2010, and immediately transmitted to the French National Assembly for review.

The bill's first objective is to educate students about the use and exposure of personal information on the Internet, notably through social media. Its principal thrust, though, is to significantly reinforce the obligations of data processors and to increase the powers of the French data protection agency, the CNIL.

To view the entire alert, please click here.