HL Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan Lovells Law Firm : Data Security, E-Commerce & Technology

Two webinars, one afternoon.  On Thursday, February 24, Hogan Lovells Privacy and Information Management Practice Director Chris Wolf will participate in a BNA webinar (along with Senior Governmental Affairs Advisor Nancy Granese of Hogan Lovells and Jules Polonetsky of the Future of Privacy Forum) on privacy developments in Washington, and an Experian webinar on data security breach notification laws (along with Reed Freeman of Morrison & Foerster and Tony Hadley of Experian).  Both pay-to-view programs are open for sign-up now.

What to Expect from Washington in Privacy Law in 2011

Privacy is a non-partisan issue, and 2011 is being viewed as the year in which significant changes may emerge. Media attention has focused on online collection and use of consumer data for marketing purposes, and government access to personal data stored in the “cloud”. Meanwhile, proposals for change in the US privacy framework have emerged from the Federal Trade Commission, Department of Commerce, and the U.S. Congress. Additionally, proposals for privacy law reform have been proposed in the European Union.

This BNA webinar will focus on Washington’s influence on privacy law reform, and provide the insiders' view of what changes are likely coming in 2011.

Program Highlights:

• Learn what the realistic prospects are for new privacy laws and regulations.

• Which privacy best practices may emerge from the recent proposals for reform?

• What will the FTC and the Department of Commerce do in the privacy and data security realm?

• Hear an evaluation of the role of self-regulation.

• Who are the players in Washington who can affect privacy policy changes

You may register here.

State Legislation Past and Present:  The Effects of Data Breach Notification and Resolution

In 2010, security breach-related legislation was revised or newly enacted in five states and introduced in at least 18 additional states. Join us for a discourse on the effects and new developments state laws have imposed on data breach notification and resolution. 

Learn how companies that have experienced breaches have fared given the new laws and what lessons have been learned. Our panel of privacy experts will address specific examples of how data breaches occur and what steps their clients have taken to mitigate the risk of a breach in the first 72 hours. They will investigate how these laws have been applied in real-life scenarios and the implications for:

• Data breaches resulting from third party vendors
   
• Data leakage and referring headers
   
• How breach laws affect medical laws already in place
   
• Cyber risk insurance and what it means to compliance

You may register here.

• Email This
• Print
• Share Link

Hogan Lovells offices worldwide are celebrating Data Privacy Day today. The internationally-recognized day, which is observed in the United States, Canada, and 27 European countries, serves to raise awareness and promote data privacy and protection education.

As part of Hogan Lovells' commitment to fostering dialogue around issues including consumer privacy protection, misuse of information, and online safety, planned Data Privacy Day activities will include:

• Hogan Lovells lawyers from the Privacy and Information Management Practice in the Washington, D.C. office will participate in a new program, the "Privacy Law Salon" in Miami Beach, FL, a Cambridge Forums conference organized by practice director Christopher Wolf, practice Senior Policy Advisor Professor Daniel Solove from the George Washington University Law School, and Berkeley Law Professors Paul Schwartz and Chris Hoonagle, and will involve practice co-director Marcy Wilder and privacy lawyers Barbara Bennett, Lynda Marshall, Chris Zaetta, and Tim Tobin. Numerous Hogan Lovells clients also are participating in the Privacy Law Salon and Department of Commerce General Counsel and co-chair of the new federal privacy committee in the White House Office of Science and Technology, Cameron Kerry will address the group.
• A data protection seminar in our Hong Kong office titled, "A Survival Guide to Data Protection in Hong Kong" will be presented by Hogan Lovells partner Gabriela Kennedy.
• Lawyers in our Madrid office will partner with the Spanish Data Protection Agency for a discussion about data privacy with students. Internal seminars, discussions, and games related to data protection and privacy will take place in many offices.
• Hundreds of Hogan Lovells lawyers in Washington, D.C., New York, California, and London will receive a fortune cookie from the Privacy and Information Management Practice (a subtle reference to the use of tracking cookies online -- a current privacy focus) to raise awareness of how the privacy practice can help clients.

Washington, D.C. office partners Christopher Wolf and Marcy Wilder, co-directors of Hogan Lovells' Privacy and Information Management practice group, coordinated the events. Hogan Lovells is well positioned to assist clients around the globe and in a wide array of industries with advice and representation in the rapidly changing area of privacy and data security law. With offices located throughout the Americas, Europe, Asia, and the Middle East, Hogan Lovells is unique in it ability to provide global assistance on privacy and data security matters. We draw upon the extensive experience of our technology, health, communications, and consumer protection lawyers to provide advice and counsel across a wide range of subject matters and industries.

The Privacy and Information Management practice group's blog, The Chronicle of Data Protection is the source for privacy and information security news and trends. 

• Email This
• Print
• Share Link

We are delighted to share this news with readers of the Hogan Lovells Chronicle of Data Protection:

FOR IMMEDIATE RELEASE

Hogan Lovells Adds Leading Privacy Professor Daniel Solove as Senior Policy Advisor

WASHINGTON, D.C., 3 January 2011 – Hogan Lovells US LLP announced today that Professor Daniel J. Solove, an internationally-known leader in privacy law, has joined the Washington, D.C. office as a Senior Policy Advisor to the Privacy and Information Management Practice.

 

With Professor Solove’s arrival, Hogan Lovells will be able to offer clients his insights and experience from years of scholarship in privacy and engagement with the privacy community.

 

Christopher Wolf, Director of the privacy practice at Hogan Lovells, said: “Having Dan Solove available to consult with us and our clients on privacy law matters is an amazing opportunity. Dan is universally regarded as one of the top privacy scholars in the country, someone who not only is a widely-heralded for his knowledge but also someone who understands the practical aspects of privacy protection.”

 

Professor Solove is the John Marshall Harlan Research Professor of Law at the George Washington University Law School. Professor Solove is the author of numerous books, including Nothing to Hide: The False Tradeoff Between Privacy and Security (Yale, forthcoming 2011), Understanding Privacy (Harvard 2008), The Future of Reputation: Gossip and Rumor in the Information Age (Yale 2007) (winner of the 2007 McGannon Award), and The Digital Person: Technology and Privacy in the Information Age (NYU 2004).

 

Professor Solove is also the author of a textbook, Information Privacy Law with Aspen Publishing Co. now in its third edition, with co-author Professor Paul Schwartz. Professor Solove also co-authored with Professor Paul Schwartz the forthcoming Privacy Law Fundamentals to be published by the International Association of Privacy Professionals (IAPP) in 2011. Additionally, Professor Solove is the author of several other textbooks, including Privacy and the Media (1st edition, Aspen Publishing Co. 2009) and Privacy, Information, and Technology (2nd edition, Aspen Publishing Co. 2009), all with Paul Schwartz.

He has published nearly 40 articles and essays, which have appeared in leading law reviews, including the Yale Law Journal, Stanford Law Review, Columbia Law Review, Michigan Law Review, N.Y.U. Law Review, Chicago Law Review, U. Pennsylvania Law Review, among others.

 

Professor Solove has testified before Congress and has served as an expert witness in privacy cases. He has been interviewed and featured in several hundred media broadcasts and articles, including the New York Times, Wall Street Journal, Washington Post, Chicago Tribune, USA Today, Associated Press, Time, Newsweek, People, Reader’s Digest, ABC, CBS, NBC, CNN, NPR, and C-SPAN’s “Book TV.” 

 

Marcy Wilder, also a Director of the privacy practice at Hogan Lovells observed: “One of the hallmarks of the Hogan Lovells privacy practice is the advice we provide to clients not only on existing legal requirements but on how to anticipate changes in privacy law and regulation. Having Dan Solove as part of our team enhances our ability to help clients ‘look around corners’ and be prepared for coming privacy developments.”

 

Warren Gorrell, Co-CEO of Hogan Lovells added: “Our global privacy practice is recognized for its breadth and depth, and adding Professor Solove to the team is a real coup.”

About Hogan Lovells

www.hoganlovells.com

Hogan Lovells combines the breadth of business-oriented legal advice and high-quality service that clients have come to expect through working with its two founding firms – Hogan & Hartson and Lovells.

"Hogan Lovells" or the "firm" refers to the international legal practice comprising Hogan Lovells International LLP, Hogan Lovells US LLP, Hogan Lovells Worldwide Group (a Swiss Verein), and their affiliated businesses, each of which is a separate legal entity. Hogan Lovells International LLP is a limited liability partnership registered in England and Wales with registered number OC323639. Registered office and principal place of business: Atlantic House, Holborn Viaduct, London EC1A 2FG. Hogan Lovells US LLP is a limited liability partnership registered in the District of Columbia.

###

• Email This
• Print
• Share Link

The Future of Privacy Forum is conducting a survey on the reaction of privacy enthusiasts to the recently-issued FTC and Commerce privacy reports, as described below.   You are invited to participate and share your views.

From the Future of Privacy Forum blog:

It’s been an extremely busy few weeks in the privacy world as of late.   A little more than two weeks ago, the FTC released their long-awaited staff report on “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,”  and yesterday the Department of Commerce’s Internet Safety Task Force released their privacy Green Paper,  “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.”  The reviews on both have ranged across both ends of the spectrum and have brought increased media attention to the ideas of a ‘Do Not Track’ list, a ‘Privacy Bill of Rights,’ and the creation of a Federal CPO.  

But now it’s time for a little more research into what privacy enthusiasts really think of these two reports.  What will they mean for the future of privacy and how will they impact our national policy when it comes to privacy protections for consumers?  Will they spur legislation or will the industry see them as a signal to start embracing stronger self-regulation mechanisms?  

We want to know what privacy enthusiasts think of the latest reports from the FTC and Department of Commerce so we’re asking all those interested to participate in a brief survey.  The survey can be seen here, and should take no more than five minutes to complete.  All participants should complete the survey no later than December 31, 2010, and we will announce the results shortly thereafter.  

We look forward to your thoughts and thank you in advance for participating!

• Email This
• Print
• Share Link

International Association of Privacy Professionals (IAPP) Web Conference

The FTC Privacy Report – A First Look into New Frameworks for Businesses and Policymakers

Date: December 14, 2010
Event start time: 1:00 pm (GMT-05:00) Eastern Time (US & Canada)
Via IAPP Web Conference Service (Registration required)

The FTC has just issued a preliminary report asking for comments on new controls and standards for the online protection of individuals’ privacy. The report details an expansion in scope and breadth of what may constitute consumer data and asks for feedback on sweeping new standards. Join a Web conference examining this important new development in the evolution of consumer privacy. 

Presenters and Hosts:

Robert Belair, Partner, Arnall Golden Gregory LLP

Christopher Wolf, Partner, Hogan Lovells  US LLP

Panelists:

Edward W. Felten, Chief Technologist, Office of the Chairman, FTC, (effective Jan. 1)

Peder Magee, Senior Staff Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, FTC

To register, click here

• Email This
• Print
• Share Link

Commissioner Jule Brill is the keynote speaker at today's IAPP Practical Privacy program on the Federal Trade Commission and consumer privacy in Washington, DC.  Obviously, the just-released FTC Report is the hot topic.

Among the highlights of Commissioner Brill's remarks:

• Privacy through the lens of Black Friday and Cyber Monday, the "high holy days of consumerism" -- A number of consumers detailed their purchases online through "online exhibitionism," including even uploaded videos in which teenage girls showed off their purchases.  So, with so many people chosing to make public what they have a right to keep private, why is the FTC looking for new and better ways to protect people's privacy?  It is simple, the Commission's mandate is to preserve consumer control over private data.  It is their choice to share, but "we make sure that consumers understand the implications of revealing information and are empowered to protect their information."
• Up to now, the FTC has been playing defense -- enforcing privacy rights that cause tangible harm only after the fact.  The notice and choice, and no harm/no foul paradigm does not do enough to protect consumers.
• The FTC Report reflects a new paradigm:  (1)  Privacy at every stage of development of products and services; (2)  Simplification of consumer choice; (3)  Increased transparency "but we are not throwing away the harm model, as our enforcement will show."  Indeed, we are not throwing away anything, we are building on the current platform of protection.
• The most-talked about recommendation, the proposal of a Do Not Track mechanism:  "I want to dispel concerns that have arisen."  (1)  The FTC is not proposing a list like "Do Not Call" but rather a "browser-based approach" that communicates their preferences to every web site visited.  "I want to commend browser providers on developing these controls for consumers who show that the recommended approach is technologically-feasible."  (2)  Do Not Track will not result in consumers en masse opting out., as the Roundtables demonstrated.  "I am reminded of 'Miracle on 34th Street' where Macy's is featured as the consumer friendly store, providing choices to consumers.  Mr. Macy in the film would have been eager to compete on privacy, and advertisers today should show consumers of the benefits of collecting and using their information for tailored advertising."
• Should we wait for industry to come up with a self-regulatory system or look to a new law enacted by Congtress?  If industry does not adopt Do Not Track, then I support a law that gives the Commission APA rulemaking authority and civil penalties, along with the ability to respect self-regulatory regimes.  I am discouraged by the immediate reaction of some in industry to even the concept of Do Not Track.
• The Commission is not recommending the possibility of legislation outside of the "Do Not Track" arena but Commissioner Brill thinks the Report could serve as a roadmap for more general legislative proposals.
• Consumer deserve greater access to information about them in databases. 
• More cops on the beat are better.  Even though browser controls for tracking that if ignored by marketers could violate existing laws enforced by others, Commissioner Brill believes that FTC authority to enforce is important.

• Email This
• Print
• Share Link

European Data Protection Supervisor Peter Hustinx traveled in frigid, snowy conditions from Brussels to London on 2 December for an interview presentation at the London Offices of Hogan Lovells attended by lawyers from the Hogan Lovells global Privacy and Information Management Practice as well as clients and friends of the firm. 

The interview coincided with visits to Europe of US Hogan Lovells privacy partners Barbara Bennett, Marcy Wilder and Chris Wolf, who participated in the IAPP Privacy Congress in Paris earlier in the week, and meetings with EU Hogan Lovells privacy colleagues in London, including: 

Quentin Archer (London)

Roger Tym (London)

Mac Macmillan (London)

Winston Maxwell (Paris)

Stefan Schuppert (Munich)

Hanno Timner (Berlin)

Marco Berliri (Rome)

Gonzalo Gállego (Rome)

Lionel de Souza (Paris)

Massimiliano Masnada (Rome)

Messrs. Maxwell and Schuppert and Ms. Wilder presented in Paris on Binding Corporate Rules and Mr. Wolf presented on the balancing of fundamental rights of privacy and anti-piracy. The London meetings were organized by Barbara Bennett and Quentin Archer and focused on global developments in privacy law and how best to provide seamless privacy law services to clients around the world with multi-jurisdictional needs.

The session with Mr. Hustinx, conducted by Hogan Lovells practice leader Chris Wolf, started with the observation that the firm’s practice is now the largest privacy practice in the world, and thus what happens in the EU with respect to privacy has great significance for clients of the firm. The focus of the interview was on the recently-issued draft agenda of the European Commission on privacy. 

Mr. Hustinx spent about an hour discussing many of the details of the draft agenda, including the process for its consideration, the concepts of the “right to be forgotten,” changes to the ways in which notice and choice are implemented, how national privacy laws might be harmonized across the EU, how cross-border transfers outside the EU might be facilitated, and the efficacy of increased enforcement and penalties.

Two observations by Mr. Hustinx stand out:

• The current EU data protection framework will stay in place for the next 4 to 5 years, as the process for consideration and implementation of the changes embodied in the Commission’s draft agenda will be lengthy and thorough.
• The day will come when the United States privacy framework will be recognized by the EU as providing “adequate protection” and thus allowing cross-border transfers without the employment of auxillary legal tools. Mr. Hustinx concurred in the observation that the FTC Report issued on 1 December contained concepts now present under the EU Directive and paralleled in significant ways the Commission’s draft privacy agenda. Mr. Hustinx declined to say when the time for the EU adequacy recognition for the US would come, but suggested it was not in the immediate future. He applauded the closer working relationship between the US and the EU on privacy matters, following a mention of greater US governmental attention to privacy issues, and said there are privacy protection concepts from around the world that may be adopted in the EU – that global exchanges of best practices is in everyone’s interests.

Hogan Lovells expresses enormous appreciation to Mr. Hustinx for meeting with us, and especially for the arduous travel to and from London he endured to be with us.

• Email This
• Print
• Share Link

Hogan Lovells Privacy Practice Leader Chris Wolf has been tapped to chair the first Transatlantic Events privacy program in the United States, which will take place in Chicago in early-March 2011.  UK-based Transatlantic Events is well known for its substantive programs in the EU.  It has brought together a prestigious panel of presenters for the Chicago program  The program agenda follows.

Attendees who reserve their places before 1 January 2011 will pay only $550.00, instead of the full rate ($750.00).   Places are limited and reserved on a "first come, first serve" basis.

Click here to register for this conference in Chicago.

"Data Protection: Global Compliance Management"
Monday, 7th of March 2011
Loyola University
Chicago, Illinois, USA

9:00 AM - 9:05 AM
Chairman's Introduction: Privacy & Data Protection overview
Chairman: Christopher Wolf, Partner, Hogan Lovells US LLP

Part One: Safe Harbor, Model Clauses, BCR and the APEC Solution

9.05 AM - 9.35 AM
Data Protection: Federal Trade Commission Keynote Address.
Keynote Speaker: C. Steven Baker, Director, Midwest Region,
Federal Trade Commission

9.35 AM - 10.00 AM
BCR: Can one size fit all?
Speaker: Brian Hengesbaugh, Partner, Baker & McKenzie LLP
- Application process how it works in practice.
- Challenges/learning points.
- How do they compare to other options

10:00 AM – 10:25 AM
Data Protection: Safe Harbor and Practical Implementations
Speaker: Robert L. Rothman, President, Privacy Associates International LLC

10:25 AM - 11:10 AM
Ensuring Data Protection Law Compliance in Multiple Jurisdictions
Speaker: Liisa M. Thomas, Partner, Winston & Strawn LLP
- What are key privacy concerns for US companies that operate in multiple jurisdictions?
- What are some of the major concerns when taking a US compliance approach into the EU?
- Into other jurisdictions?
- Is a uniform compliance policy feasible?
- What are some practical steps companies that operate in multiple jurisdictions
can take for risk and compliance management

11:10 AM - 11:25 AM Coffee

Part Two: Data Protection And The Workplace

11:25 AM -11:50 AM
SARs in the current climate
Speaker: Vincent J. Vitkowsky, Partner, Edwards Angell Palmer & Dodge LLP
- A primer on the basic rules
- Some practical issues and how to address them
- Discussing the changing landscape of the law and current climate and the impact on SARs

11:50 AM - 12:15 PM
Ethical Hotlines, Compliance and Data Privacy: Creating international solutions rather than conflict!
Speaker: Robert Bond, Partner, Speechly Bircham LLP (UK)
- SOX 301(4) and reporting hotlines
- OFAC and the UK Bribery Act
- Understanding the conflicts between US and EU regimes
- Implementing workable compliance solutions for multinationals

12:15 PM - 12:40 PM
Outsourcing, Insourcing and "The Cloud"
Speaker: Rebecca S. Eisner, Partner, Mayer Brown LLP
- What are the legal issues?
- Shifting distinctions between "data controllers" and "data processors"
- Jurisdictional problems. Whose law applies?
- Offshoring. - How to address data protection in the Cloud

12:40 PM - 1:00 PM
The Data Protection Interactive
Panel Chairman: Christopher Wolf
Panelists: Liisa M. Thomas, Robert Bond, Rebecca S. Eisner,
Robert L. Rothman, Brian Hengesbaugh
- SOX, Data Protection and Hotlines
- Responding to Privacy Breaches
- Binding Corporate Rules
- Data Protection and Outsourcing
- The Cloud

1:00 PM - 2:00 PM Lunch

Part Three: Marketing, Kids and Social Networking

2:00 PM - 2:05 PM
Chairman's Introduction: Privacy & Data Protection overview
Co-Chairman: Thomas J. Smedinghoff, Partner, Wildman, Harrold, Allen & Dixon LLP

2:05 PM – 2:30 PM
When will a Marketing Director go to Prison?
Tesco Ireland has just been fined and forced to stop sending marketing emails. As the regulators get tough, where are the man-traps waiting for the unwary marketing dep’t to walk right in to?
Speaker: Tim Beadle, Director, Atrium, (UK)
- Gaining consent and what 2011's "cookie law" will require
- Behavioural vs contextual data
- Data sharing and buying

2:30 PM - 2:55 PM
Data Protection For Children: The problems of getting consent & other potential pitfalls
Speaker: Roslyn J. Kitchen, Partner, Cohen Silverman Rowan, LLP
- The ability to enforce a child's right to privacy (even when they dont think they need it).
- CARU, contract law, and protections under COPPA.
- What is verified parental consent? And when Marketers dont need it.
- When is a child not a child? How technology can help or hinder.
- On-line promotional activity directed to your child customer: sweepstakes and contests, chat rooms, product reviews, and other fun stuff!!

2:55 PM - 3.25 PM
The U.S. Perspective to Social Networking, Advertising, Marketing and Privacy Issues: Legal and Compliance - The U.S. Perspective to Social Networking and Privacy
Speaker: Edward R. McNicholas, Partner, Sidley Austin LLP
- Social Media - Advertising and Marketing
- Company Social Media Governance and Policies
- Digital Age Privacy - Does privacy really exist anymore?

3:25 PM - 3:45 PM
Panel Discussion: Social Networking, Marketing and Privacy
Panel Chairman: Thomas J. Smedinghoff
Panelists: Tim Beadle, Roslyn J. Kitchen, Edward R. McNicholas

3:45 PM - 4.00 PM Coffee

Part Four: Information Security
Chairman: Christopher Wolf, Partner, Hogan Lovells US LLP

4:00 PM - 4:25 PM
Privacy and Security Litigation
Speaker: Ian C. Ballon, Greenberg Traurig LLP
- class action litigation update
- security breach update
- flash cookie litigation
- federal preemption of certain privacy and security claims
- compelling the disclosure of the identity of anonymous and pseudonymous actors
- social network issues
- winning strategies in litigation
- ways to minimize the risk of litigation

4:25 PM - 4:50 PM
Information Security: Responding to Investigations by the FTC
Speaker: Peter F. McLaughlin, Senior Counsel, Foley & Lardner LLP

4:50 PM - 5:15 PM
Managing A Crisis
Speaker: Bart A. Lazar, Partner, Seyfarth Shaw LLP
- Investigation and first response
- Notification to regulators / individuals
- Managing communication
- Managing liability

5:15 PM - 5:30 PM
Panel Discussion: Information Security
Panel Chairman: Christopher Wolf
Panelists: Ian C. Ballon, Peter F. McLaughlin, Bart A. Lazar
Guest Panelist: Thomas J. Smedinghoff

5:30 PM Chairman's final remarks and close of Conference.
Chairman: Christopher Wolf, Partner, Hogan Lovells US LLP

• Email This
• Print
• Share Link

As the Data Protection Authority and Privacy Commissioner Conference in Jerusalem winds up, Hogan Lovells Privacy and Information Management Practice Leader Christopher Wolf shares this report published in the Huffington Post which he co-authored with his co-chair of the Future of Privacy Forum think tank, Jules Polonetsky:

Modern democracies agree that the issue must be addressed, but the path to agreement is rough. This may describe the current political situation in the Middle East, but it also describes the conundrum of a global framework to protect the personal information of individuals in an increasingly technological age. All sides recognize that personal privacy is exposed in ways never before seen, but what legal framework is best to ensure responsible data practices is open to great debate.

We live in a time when companies are compiling digital dossiers about us, and are collecting information about our web browsing, our searches and our shopping habits. Geo-location data from our mobile phones is allowing a wide range of services, and new forms of online technology also allow targeted, so-called "behavioral" advertising. The increasing use of social networks, shows that people are more willing than ever to publish and share information about themselves, which provides an even richer trove of information that can be used to analyze consumers and predict their interests. And governments are eager to access the data in the name of national security.

Not all data collection and use is bad, of course. The use of online data subsidizes free content and enables new services. It is allowing us to better connect with each other. But lack of transparency about what is going on with personal data is a real problem, because it takes away personal control over who gets to see and use our information.

This week, in Jerusalem, regulators and policy-makers from around the world are meeting to discuss the best way to fix the world's increasing privacy problems. There will be no disagreement over the technological threats to privacy. But disagreement is likely on what framework is best to improve individual privacy protections in this technological age. In the EU and in Israel, the preferred legal framework is an across-the-board privacy law for all data, while the US takes a more focused, harms-based approach to the protection of privacy

So how do we get an improved global baseline of privacy, one that allows people to understand what is going on with their information and that gives them control?

There is much to commend the mandate in the EU and Israel that all businesses that collect and use personal information must have privacy top of mind for all data. But even in the EU, there is an emerging understanding that specific privacy problems require more focused attention.

The hallmark of the current legal and regulatory privacy regime in the United States is its focus and flexibility. Lawmakers have enacted strict laws about financial privacy, health privacy, and children's privacy. They recognized that financial data, medical data and personal information of kids deserve priority protection. Other personal information is protected through enforcement actions initiated by the Federal Trade Commission and state regulators.

Indeed, while the US lacks a comprehensive across-the-board privacy law like that in the EU and Israel, our framework of shared lawmaking authority and targeted enforcement has led to better privacy protection than ever according to a new study by professors at the University of California at Berkeley. The threat of enforcement plays a large role in getting companies to better protect privacy. In the last year we have seen important steps by companies and trade groups that have real promise. For example, companies have started to venture beyond legalistic privacy policies and are using more intuitive symbols or icons to begin to alert users to different kinds of data use. And companies are coming together in voluntary, self-regulatory groups with new privacy standards.

Interestingly, the idea of self-regulation is gaining a foothold of sorts in the EU, just as legislative proposals for comprehensive privacy law been introduced in the US Congress. So, while the privacy officials meeting in Jerusalem this week are unlikely to change their views on what is the best legal framework to protect privacy, they will have a chance to see the benefits of alternative approaches. This ultimately may lead to more common ground in the quest to protect the personal privacy of people around the world.

Wolf and Polonetsky are co-chairs of the Future of Privacy Forum, a think tank in Washington, DC that promotes responsible data practices.

Relatedly, see this report on proposals for reform of the EU Data Protection Directive and this report on the presentation Chris Wolf made at the Jerusalem conference on the effectiveness of the US enforcement model.

Word has it that the 33d Annual Conference of DPAs and Privacy Commissioners will take place in 2011 in Mexico, where a new national privacy law is being implemented.  While it does not quite have the biblical ring of last year's proclamation  upon the selection of Israel as the site of the DPA meeting, "Next year in Jerusalem":  El año que viene en México!

• Email This
• Print
• Share Link

The 32d Annual International Conference of Data Protection and Privacy Commissioners begins this week in Jerusalem.  Hogan Lovells Privacy and Information Management Leader Christopher Wolf will be a panelist and will present a paper entitled: "Targeted Enforcement and Shared Lawmaking Authority as Catalysts for Data Protection in the United States."  An article adapted from that presentation appears in this week's BNA Privacy and Security Law Report and BNA graciously has allowed us to provide a reprint of that article here.

The focus of the international privacy meeting in Israel will be the challenges presented to existing legal regimes by advances in technology and the willingness of people -- especially young people -- to share great amounts of personal information online.  It is widely agreed that current laws need reexamination and possible revision in light of new ways to collect and share personal data.  It is in that conext that the "Targeted Enforcement and Shared Lawmaking Authority" paper is offered for international consideration to demonstrate effective aspects of US law. 

The paper begins:

Modern democracies are committed to the protection of personal data. There are various approaches to achieving protection, ranging from the comprehensive regulatory approach of the European Union, to the harms-based APEC framework, to the sectoral and geographic approach of the United States, which relies heavily on Federal Trade Commission (FTC) enforcement against unfair or deceptive consumer practices and the combination of federal and state laws. The US framework frequently is criticized for the absence of a comprehensive privacy law. Indeed that perceived deficiency has resulted in a persistent finding by the EU that the US lacks “adequate protection” for personal data, requiring legal work-arounds for the cross-border transfer of personal data from the EU to the US. At the same time, there is global recognition of a need to re-examine privacy governance to cope with the implications of new technologies, and to protect generations of technology users.  

Without debating the primacy of one approach to the protection of privacy over another, it nevertheless is useful to look beyond labels and common perceptions to examine the effective aspects of the United States regime (emphasis supplied). This paper discusses the effectiveness of enforcement by the FTC under its jurisdiction to police unfair and deceptive practices, and the experience in individual states as incubators of new privacy and data security laws that have nationwide effects. It also highlights privacy-enhancing practices and technologies adopted by businesses aware of the advantages of self-regulation over prescriptive rules and the need to self-regulate and innovate to avoid restrictive regulation.

Read more here.

• Email This
• Print
• Share Link

David Vladeck, Director of the Division of Consumer Protection at the Federal Trade Commission, today spoke at the IAPP Privacy Academy in Baltimore, and offered the FTC vision for future privacy protection.  Here are some highlights:

• FTC will continue to bring cases to ensure that companies reasonably ensure safeguards for consumer privacy
• FTC will bring more cases involving pure privacy protections, in addition to data security cases, building on the Sears case.  "You can expect more cases like that in the future."  (This suggests a greater focus on how notice and choice is given and the degree to which privacy options are implemented, such as in the recent US Search enforcement).  "Consumer choice must control."
• We will be focusing our efforts on new technologies, such as our enforcement in the Twitter case.   FTC has hired new technologists and has created a mobile lab to address smart phones and mobile apps.
• There will be increased international cooperation on privacy, as evidenced by the Global Privacy Enforcement Network (GPEN) announced last week.  Recent cooperation brought down the latest spam operation in the world, resulting in a  25% drop in spam worldwide,

Vladeck also spoke on the formulation of new privacy policy following the FTC Roundtables.

• Past approaches to consumer privacy have not kept pace with technology.  (1) Notice and choice is a failed paradigm as implemented.  The problem is exacerbated by mobile devices, where one has to scroll down through hundreds of screens to read a privacy policy; (2) Focusing on harms is not the best way to address privacy violations.
• The Roundtables demonstrated that (1) Data persists longer than people expect; (2)  The difference between PII and non-PII is blurring; (3)  Consumers understand very little about how their information is used and shared; (4)  Often, consumers do not interact with or have direct contact with companies that handle their information; (5) Technology can provide important privacy solutions.
• When is the Report coming out?  "This Fall"
• What will he Report say?  "This is impossible to answer as Commissioners are still to review and will provide input"  But here are the big picture issues in the report:  (1)  Importance of Privacy by Design -- thinking about good data hygiene from the very beginning; (2) Increased transparency is needed about data practices -- we need better privacy notices, in a more consistent, shorter formats; (3)  We need to simplify consumer choice -- especially regarding uses of data they would not expect..  Privacy choices should be presented at the point when the consumer is providing the data.  And more consistent policies that allow comparison may allow competition for privacy practices.  We need more protection for sensitive information.  Consumer choice once exercised must be respected.  "The FTC will not tolerate a technology arms race to circumvent privacy protecting technology" (4)  On the thorny problem of access, companies collecting and aggregating data used for purposes beyond consumer expectation is a problem,.  There is no easy solution to the access question, and the FTC will consider the cost of access to the data broker industry.  (5)  There should be better consumer education about how tracking on the Internet works and what are their choices on privacy.
• The Report will be issued in DRAFT with opportunity for public comment.  Even when finalized, the Report will not be the end of the debate but " the beginning of the next phase of the debate on privacy."  One key component must be flexibility and adaptability,
• "Do Not Track" is not off the table, and will be considered, despite its complexity.
• On the issue of regulation vs. self-regulation:  The Commission has always supported self-regulation, but the Commission has supported privacy laws like the telemarketing law.  With respect to privacy and online advertising, "I am disappointed in the progress of self-regulation".  Ad disclosures and icons are all good ideas, but implementation is very much a work in process."  The Commission and the public may lose its patience with self-regulation if there is not better progress.
• On the Boucher and Rush legislative proposals, I am concerned that the bills place too much reliance on already overburdened privacy policies.   Also, it is premature to conclude that existing private initiatives are sufficiently robust to provide safe harbors.
• On data security, legislation that requires reasonable security and notice of breaches creating a reasonable risk of harm will provide sorely needed broad based protections at the federal level.  For the first time, the FTC would have the general right to obtain a civil penalty, which is important.  We see too many companies ignoring well-known vulnerabilities that are easily plugged.  Penalties would help convince those companies to comply.
• My vision for consumer privacy in 2011 in beyond:  In my privacy utopia, companies are building in privacy from the start; consumers have access to information about privacy; the FTC continues its enforcement regime, with the help of consumer watchdog organizations.  The time for companies using trial and error to protect privacy should come to an end.

• Email This
• Print
• Share Link

On Wednesday, September 15th the Future of Privacy Forum (FPF) announced the papers that were selected as “privacy papers for policy makers” at an event held at George Washington Law School. FPF is the privacy think tank founded and co-chaired by Hogan Lovells’ Chris Wolf. These works were deemed by the FPF to be the recent scholarship dealing with privacy issues that will prove most useful to policy makers. The papers that were selected are:

• Privacy on the Books and on the Ground – Kenneth A. Bamberger and Deirdre K. Mulligan
• What is Privacy Worth? – Alessandro Acquisti, Leslie John, and George Lowenstein
• Misplaced Confidences: Privacy and the Control Paradox – Laura Brandimarte, Alessandro Acquisti, and George Lowenstein
• Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach – Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, and Lorrie Faith Cranor
• How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies – Chris Hoofnagle, Jennifer King, Su Li, and Joseph Turow
• Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes – Ira Rubinstein

You can view these papers, along with the papers that received notable mentions, on FPF’s website at http://www.futureofprivacy.org/the-privacy-papers/.

The papers were discussed by a panel, including:

• David Vladeck, Director of the Bureau of Consumer Protection for the Federal Trade Commission (FTC)
• Jules Polonetsky, Co-Chair of the FPF
• Christopher Wolf, Co-Chair of the FPF and Partner at Hogan Lovells
• Dan Solove, Professor, The George Washington University Law School
• Carol DiBattiste, Senior Vice President, Privacy, Security, Compliance & Government Affairs, LexisNexis
• Brendon Lynch, Chief Privacy Officer, Microsoft

The conversation focused on how these papers could be used by policy makers to bridge the gap between scholarship and how organizations implement privacy practices on the ground. In his remarks, David Vladeck described how the FTC looks to academic writing to help inform its regulatory priorities. He referenced FTC’s series of roundtable discussions held in late 2009 and early 2010 that were influenced by recent scholarship, including the winning papers. These discussions, and the resulting recommendations, are being used to create an FTC Report that was promised as a follow-up to the roundtables. Mr. Vladeck predicted that the report would be released by the end of October, subject to the Commission’s approval process, and he broadly hinted that some proposed changes to the privacy framework may be forthcoming.

• Email This
• Print
• Share Link

On Wednesday, September 15th at 8:45 AM EDT, there will be a live webcast of a program featuring privacy scholarship voted most useful to US policy makers, "Privacy Papers for Policy Makers," presented by the Future of Privacy Forum (FPF), which I founded and co-chair. 

Our featured speaker will be David Vladeck, head of Consumer Protection at the FTC. 

Discussion will be led by my FPF co-chair, Jule Polonetsky, as well as Mr. Vladeck and

Professor Dan Solove, The George Washington University Law School
Carol DiBattiste, Senior Vice President, Privacy, Security, Compliance & Government Affairs, LexisNexis
Brendon Lynch, Chief Privacy Officer, Microsoft 

The program may be viewed live at 8:45 AM EDT at http://www.law.gwu.edu/News/Videos/Pages/Privacy.aspx.

It is also available for audio only at  800-884-7907, access code: 379342

• Email This
• Print
• Share Link

On Wednesday, September 15th at 8:30 AM in the Moot Courtroom of the George Washington University School of Law, there will be a program featuring privacy scholarship selected by the Future of Privacy Forum Advisory Board as the best “Privacy Papers for Policy Makers,” representing cutting-edge research and analytical work on a variety of privacy topics.  I founded and co-chair the Future of Privacy Forum, which is a think tank focused on advancing consumer privacy in ways that are business practical.

We solicited papers that clearly analyzed current and emerging privacy issues, and either proposed achievable short-term solutions or offered fresh analysis that could lead to new approaches and solutions. Academics, privacy advocates and Chief Privacy Officers on FPF’s Advisory Board reviewed all submitted papers, emphasizing clarity, practicality and overall utility as the most important criteria for inclusion.

The hope is that this relevant and timely scholarship helps inform policy makers in Congress, at the FTC, and in other federal and state agencies as they address privacy issues. This compilation is also being provided to policy makers abroad.

Leading the discussion on the 15th will be David Vladeck, Director of the Bureau of Consumer Protection at the Federal Trade Commission, who will be joined by Carol DiBattiste, Chief Privacy Officer of Lexis Nexis; Brendon Lynch, Chief Privacy Officer at Microsoft, GW Law Professor Dan Solove, as well as my FPF co-chair and director, Jules Polonetsky.

To attend, please e-mail lauren@futureofprivacy.org

• Email This
• Print
• Share Link

With the new "school year" comes a plethora of privacy events featuring Hogan Lovells attorneys:

On September 9th, the International Association of Privacy Professionals will present this Web Conference on "The Evolution of FTC Privacy Enforcement Actions—What More Granular Enforcement Means for Respondents and Businesses" featuring Hogan Lovells attorneys Chris Wolf and Tim Tobin and FTC Attorney Kandi Parsons.

It is a given that there can be no privacy without data security.  Chief Security Officer magazine is presenting the Security Standard conference on September 13 and 14 at the Marriott Brooklyn Bridge in New York City to explore  the complexities of modern security strategies, addressing identity management, cloud security, data protection, risk management and privacy.  For registration information, click here

Hogan Lovells' Chris Wolf will be presenting the following session on September 13:

Negotiating with Your Cloud Provider:  Standard service agreements don’t go far enough in protecting your data and your organization in the event of security incidents or outages at cloud providers. In this session, learn how to negotiate the right terms and penalties to get the protection you need from your cloud provider, from identity management to business continuity, incident response plans and more.

On September 14th, Pike & Fischer (a BNA company) will present this Web Conference entitled "Legal Landmines in Europe for Internet-Based Businesses" and featuring Hogan Lovells attorneys from our Paris Office David Taylor, Winston Maxwell, and Chris Wolf from Washington, DC, as well as Google's Global Privacy Counsel Peter Fleischer.

On September 21st, Hogan Lovells will present a complimentary webinar on NAFTA Privacy featuring top governmental privacy officials from Canada, US, and Mexico, as well as the Chief Privacy Leader of General Electric, and moderated by Hogan Lovells' Chris Wolf.   More information can be found here  To register, please click here.

And later in September....

You are invited to join Hogan Lovells at the upcoming Online Trust Alliance 5^th Anniversary "Online Trust & Cybersecurity Forum" being hosted at Georgetown University, September 22 to 24.  Of particular interest on Wednesday the 22d are three pre-conference workshops focusing on(1) email regulatory compliance, (2)  email and domain authentication, and (3) malvertising.  More information on the agenda and registration information are posted here .

Thursday keynotes include the US Secretary of Commerce Gary Locke, Greg Link of CoveyLink, Howard Schmidt (White House Cybersecurity Coordinator) and Randall Rothenberg (IAB) as well as dozens of other business and industry leaders.  Friday Representative Cliff Stearns is speaking and kicking off a privacy roundtable following by sessions on data breach remediation, identity management and privacy policy makeovers.

At the September 24th session, Christopher Wolf of Hogan Lovells will participate in this panel:

Data Breach & ID Theft; Detection & Remediation *
Despite increased security prevention investments and employee training, incidents of data loss are increasing. Companies need to pro-actively plan for the worst case understanding the focus is not if an event will occur, but when. An effective plan includes an orchestrated play book to be deployed on moment’s notice. This session will examine steps businesses can take to protect consumers and their brands by reviewing elements of an effective plan including consumer education.  Session will also examine the role consumers have in the chain of trust and steps they can take to protect their identity.

• Chris Shenefelt, Executive Vice President, Global Operations, Intersections Inc.

• Anne Wallace, President, Identity Theft Assistance Corporation

• Christopher Wolf, Director, Privacy & Information Management Practice, Hogan Lovells

OTA has offered readers of the Hogan Lovells Blog the opportunity to register by August 31^st for only $399.50 for the two day program and save 50%.  Use discount code Hogan50  Register at https://otalliance.org/dc.html

AMP Summit is "an annual forum for influentials and thought leaders in the activist, media and political spheres."   Public officials and regulators, experts from think tanks, trade associations, and public relations, and members of the media will attend. This conference in Washingrton at the Marriott Metro Center "is intended to inspire new thinking, challenge traditional strategies, and create opportunities to learn from each other."   Detailed information can be found here .

Chris Wolf from Hogan Lovells will participate on a panel on Friday, September 24th from 3:50 to 5 PM entitled "Privacy in the Internet Age: Does DC Have a Role to Play?" with Lillie Coney of the Electronic Privacy Information Center and  Berin Szoka of the Progress and Freedom Foundation, moderated by Bruce Mehlman of Mehlman, Vogel, Catagnetti.

Also, as shown here, Quentin Archer from the Hogan Lovells London Office will be co-chairing the Sedona Conference International Programme on Cross-Border E-Discovery and Privacy on 15 and 16 September in Washington, DC.

• Email This
• Print
• Share Link

With much of the privacy regulatory and policy world on vacation, I took a few days outside of Washington to hear what people are thinking about where privacy law is going.  I have just returned from "Geek Week" in Seattle, WA, where I particiated in a new program entitled "pii2010" which "explore[d] the future of digital privacy, identity and innovation, and how to strike a balance between protecting sensitive information and enabling new technologies and business models. Hosted by technology analyst Larry Magid, it [was] an all-hands-on-deck conference where industry executives, technologists, consumer advocates, policy experts and other stakeholders [came] together as a group to examine critical issues.  "Lively" doesn't beging to describe the event, with audience members intervening at will and peppering the panelists with questions and "colorful" comments,  It was a little like a blog come to life.  One major take-away:  there are widely divergent views on the role of government and regulation in protecting online privacy. 

Washington Internet Daily provided a report of the event and my participation, a small excerpt of which is here:

Rumors of the death of the notice-and-choice privacy framework have been greatly exaggerated.Despite regular declarations from FTC officials over the past several months that the framework needs to be replaced, privacy advocates speaking to the pii2010 conference Thursday gave every indication that won't happen.

"For better or worse, we are stuck with a notice-and-choice paradigm" and must work within it, said Christopher Wolf, co-chairman of the Future of Privacy Forum. "I don't see how you get rid of choice," said Fran Maier, president of TRUSTe.  The likelihood of any privacy bill passing this year is "virtually nonexistent," and if Republicans retake at least one house of Congress in the midterm elections, it drops, Wolf said. The bills offered by Reps. Bobby Rush, D-Ill., and Rick Boucher, D-Va., chairmen of the House Commerce Consumer Protection and Communications subcommittees, are "incredibly complex," Wolf said. "I just see enormous wrangling" over their provisions from industry and activists. The bills have been helpful to "start conversation" with stakeholders, though, Maier said.

 

More likely is faster development of "common law" by the FTC, which has "really gotten into the weeds" on privacy-related issues, especially data security, said Wolf, who represents clients before the commission. The parties targeted in FTC investigations rarely put up much of a fight, as exemplified by Sears' conceding that its tracking software installed on customers' computers crossed the line, he said: There's no reason to think the commission will go easier on privacy disputes.

 

The Future of Privacy Forum is "trying to proselytize" for better self-regulation by industry, as with the "Power-I" icon being tested in online ads, but not trying to halt privacy legislation that gives companies a safe harbor for following best practices, Wolf said. The forum is running a "privacy papers for policymakers" competition whose winners will be announced Sept. 15 at a George Washington University law school event with David Vladeck, director of the FTC Consumer Protection Bureau, he said.

 

• Email This
• Print
• Share Link

Readers of the Hogan Lovells Chronicle of Data Protection may be interested in this upcoming webinar featuring Hogan Lovells attorneys from Europe and the United States, as well as Google's European Privacy Counsel, Peter Fleischer.  This event is being produced by Pike & Fischer, a Bureau of National Affairs (BNA) Company.  Here is the Pike & Fischer/BNA announcement with link to registration information:

BNA Webinar
Legal Landmines in Europe for Internet-Based Businesses
June 30, 12:30 p.m. to 2:00 p.m. ET

So you think your business practices are EU-compliant? You could be blindsided by European laws and regulations that are foreign—in every sense of the word—to your accustomed way of doing business. The recent conviction of three Google executives by an Italian judge is one notable example. Don't be caught off guard. Join Pike & Fischer's panel of legal experts as they expose European laws (both enacted and proposed) that potentially render U.S.-based Internet businesses liable for intellectual property, privacy, e-commerce, speech, and other violations.

Peter Fleischer, Global Privacy Counsel, Google, and Winston Maxwell and David Taylor, both partners with Hogan Lovells in Paris, will cover a wide range of topics, including data retention obligations, collection of personal data, and liability for user-generated content. The session will be moderated by Christopher Wolf, Partner, Hogan Lovells in Washington, DC.  

For further information: http://www.pf.com/eventDetail.asp?id=105&type=1.
 

• Email This
• Print
• Share Link

  While the Hogan Lovells Chronicle of Data Protection primarily is designed for news and analysis of developments in the field of privacy and data protection, we want to take the opportunity of the recent combination of Hogan & Hartson with Lovells to inform our readers of the global breadth and depth of our practice. While each of the legacy firms was celebrated for its privacy and information management practices, the coming together of the lawyers from the two firms has created a practice group that is unparalleled in the world.  Hogan Lovells helps clients address privacy and data protection globally and in regard to specific national laws in countries around the world, through our 40 offices in the Americas, Europe, the Middle East and across Asia.

In the coming weeks, we will detail the privacy practices resident in various offices around the world.

Last week, selected partners from the global privacy and information management practice met in Geneva, Switzerland to discuss practice coordination and cooperation, and to focus on how we together can better serve our clients as a unified group.   (Regrettably, some of the partners scheduled to participate were grounded due to the Icelandic ash cloud including, notably, practice co-leader Marcy Wilder). Joining the discussion and pictured above are (from left to right)  Winston Maxwell (Paris), Quentin Archer (London), Steffan Schuppert (Munich), Gonzalo Gallego (Madrid), David Taylor (Paris), Marco Berliri (Rome), Wim Nauwelaerts (Brussels) and practice co-leader Christopher Wolf (Washington).

To provide an illustration of our global capabilities,  tomorrow (20 May 2010) the firm will host a webinar entitled “Hogan Lovells Trans-Atlantic Discussion on the Privacy Challenges Facing Multi-National Corporations”. This will be the first webinar by the Privacy and Information Management Group at Hogan Lovells, featuring privacy lawyers on both sides of the Atlantic from the former Hogan & Hartson and Lovells. Quentin Archer (London), Steffan Schuppert (Munich), Wim Nauwalaerts (Brussels), Lynda Marshall (Washington), Marcy Wilder (Washington) and Christopher Wolf (Washington) will explore contemporary privacy law challenges facing companies doing business in multiple jurisdictions around the world, such as:

• Cross-Border Transfers of Data Internationally
• Managing Employees in Multiple Jurisidctions
• Onine Marketing Issues Around the World
• Data Security and Data Breach Requirements
• The Obligations Concerning Health Data Around the World
• National Trends with International Ramifications

The panelists will explain how a coordinated international approach to privacy compliance is cost-

effective and is an optimal way to limit risk and protect privacy.

Readers of the Hogan Lovells Chronicle of Data Protection are cordially invited to attend our webinar.  Please register by clicking here.

• Email This
• Print
• Share Link

 We are pleased to announce that Hogan & Hartson LLP and Lovells LLP have combined to form Hogan Lovells, effective May 1, 2010.

Our new firm now has about 2,500 lawyers in more than 40 offices throughout the United States, Europe, Asia, the Middle East, and Latin America. We are excited about the expanded global capabilities that Hogan Lovells can offer our clients, including a broader range of legal services in virtually all major international markets. Though we are a new firm, our fundamental values and our commitment to excellence remain unchanged.

We believe that this is a great combination that will benefit all our clients. In the Privacy and Information Management area especially, the combination gives us even greater breadth and depth.

The compliance challenges and business risks related to personal data are significant and growing. With advances in technology, personal information increasingly is collected, stored, used, and shared. At the same time, the regulation of data use and security is increasing worldwide.

Hogan Lovells has one of the largest and most experienced Privacy and Information Management practices in the world, spanning the United States, the EU, and Asia. The group assists clients with all of their compliance challenges, drafting policies and providing advice.

• We are among the very few law firms that can help you achieve compliance both globally and in regard to specific national laws.
• Our lawyers are conversant with local regulations, the laws affecting cross-border data transfers, and the laws regulating sectors that collect sensitive personal information, such as finance and health.
• We represent clients in adversarial matters concerning the use of data, whether at the level of the EU data protection authorities, or before the U.S. Federal Trade Commission, Department of Health and Human Services, state attorneys general or in private party litigation.
• We play an important role in the development of public policy regarding the future regulation of privacy.

Awards and Rankings

• Recognized for our "deep and thorough understanding of the privacy issues surrounding the healthcare sector," Chambers Global: USA (2010)
• Ranked in the first tier and awarded "plaudits for delivering an 'exceptional standard,'" Legal 500: Europe, Middle East & Africa (2010)
• "Probably the most sophisticated clutch of privacy advisors in the country," Legal 500 US (2009)
• "The Brussels team is lauded for its protection expertise," Chambers Global: Europe-wide (2009)

For more information about the new HoganLovells Privacy and Information practice, visit our web site.

• Email This
• Print
• Share Link

The privacy and data security enforcement agenda at the Federal Trade Commission is evolving. Consent decrees are imposing stricter and more specific standards on business with respect to the collection, usage, storage, sharing and disposal of personal information. Recent changes in leadership at the FTC, and public statements from the FTC Chairman and the Director of the Bureau of Consumer Protection, suggest more aggressive privacy and data security enforcement in the coming years. And the entire paradigm of privacy protection, including its foundation of notice and choice, is under reexamination after a series of FTC Roundtables conducted in later-2009 and early-2010.

For businesses under the jurisdiction of the FTC, the impact of this evolving enforcement agenda is significant. Greater attention than ever must be paid to the issue of notice and choice, as well as to the physical, technical and administrative safeguards provided for personal information, to ensure that specific statutory standards enforced by the FTC are met and that the general consumer protection standard of Section 5 is also satisfied.

Historically, enforcement actions by the Commission under Section 5 of the FTC Act focused on businesses that failed to adhere to promises they made about privacy and data security. In many of these cases, the FTC determined that a business’s failure to adhere to their own policies and promises constituted an unfair business practice. In the middle of the last decade, however, the enforcement focus at the FTC began to change. Rather than concentrating enforcement activities exclusively on businesses that failed to adhere to their own promises, the Commission began to look more at whether a business’s actual privacy and data security practices were reasonable.

The many reports of data security breaches required under state laws gave the FTC several new enforcement targets – businesses whose lax data security led to breaches that had to be reported publicly. In these cases, unreasonably lax practices led to a complaint of unfairness under Section 5. Also noteworthy about this phase of FTC enforcement was that nearly all of these cases involved instances in which privacy and security failures resulted in substantial consumer harm. In recent years FTC enforcement has become more “granular,” in the sense that the FTC enforcement staff examines specific details of respondents’ privacy practices and information security measures when assessing “reasonableness.”

By clicking on this link, you will be taken to a 45-minute multimedia presentation on the new directions in enforcement at the FTC, with in-depth cases analysis, including the recent Dave & Busters consent decree involving the absence of filters for outgoing data to protect against the loss of personal data. 

• Email This
• Print
• Share Link

Hogan & Hartson privacy attorneys, including Chris Wolf, will be participating in the Chubb Social Media Risk Innovation Event, hosted from April 26-29 by the Chubb Group of Insurance Companies and its technology partner, Imaginatik.  The event is an online, interactive session with risk managers, other business professionals, agents, and brokers in which pariticipants will collectively identify risks and potential mitigation strategies regarding the use and potential misuse of social media.  Hogan & Hartson attorneys will be on hand throughout the event to facilitate the discussion and contribute expertise regarding legal risks businesses face from sanctioned and unsanctioned corporate and employee use of social media.

Demonstrating the power of social media, musician Dave Carroll posted a video seen by millions of people on YouTube chastising an airline he accused of breaking his guitar. View an invitation from Dave to Chubb's Social Media Risk Innovation Event.

You may self-register on-line at https://chubbsocialmedia.imaginatik.com. The first 500 people to register will receive a free download of "Perfect Blue," Dave's new album.

Once registered, you may participate in this online event either remotely via your PC, laptop, smartphone, (e.g., BlackBerry, iPhone, etc.) or at Chubb booth #1511 at the RIMS Conference in Boston, MA. We also welcome you to invite clients you believe would be interested in participating in this event by forwarding this email and its self-registration link.

Chubb will award prizes to participants who submit the most ideas and whose ideas generate the greatest amount of collaboration. The prizes include cash donations to charities, ranging from $500 to $2,000, in the names of the top three scoring participants.

• Email This
• Print
• Share Link

Today is "Data Privacy Day", which is being marked around the world, including here in Berkeley, CA at the FTC's "Exploring Privacy" Roundtable.  The purpose of this roundtable discussion, the second in a series of three, is to "explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation."  Today's discussion, like the one that took place at the first roundtable in Washington, is focusing on whether the traditional paradigm of Fair Information Practices -- and especially notice and choice -- suffices to allow consumers to understand and control what information is collected about them and used by others for marketing and other purposes.  Professor Paul Schwartz, on the cloud computing panel, just commented on how typically-complex privacy policies provide "TMI" (too much information) for a consumer to understand and act on.  And Harriet Pearson of IBM also commented on how simply providing a list of companies processing data in the clouds -- service providers -- would not be meaningful for consumers, a proposition with which Scott Shipman of Ebay agreed.

On the issue of meaningful notice, see yesterday's New York Times article on the emergence of an eye-catching icon attached to online ads to attract consumer attention, on which they can click to get information about  what information is being collected about them to deliver targeted ads.  (Full disclosure: the Future of Privacy Forum, the think tank that I founded and co-chair, was instrumental in development of the icon.)

• Email This
• Print
• Share Link

On November 17, the Federal Trade Commission released the agenda of the first of three privacy round tables it will hold over the course of the next few months.  The first round table will occur on December 7 at the FTC Conference Center in Washington, DC, and will feature four panels entitled "Benefits and Risks of Collecting, Using, and Retaining Consumer Data," "Consumer Expectations and Disclosures," "Online Behavioral Advertising," and "Exploring Existing Regulatory Frameworks."

The FTC also announced that its second privacy round table will be held on January 28, 2010 at the University of California, Berkeley, School of Law.  The round table will focus on how technology affects consumer privacy, including its role in both raising privacy concerns and enhancing privacy protections, and will include specific discussions on cloud computing, mobile computing, and social networking.  The FTC has posed two questions for comment in advance of this round table:

1. What role do privacy enhancing technologies play in addressing Internet-related privacy concerns?  Consider the efficacy of technological innovations in areas such as identity management systems, new means of providing consumer notice and choice, and emerging methods of ensuring accountability in data usage.  In framing comments, consider the costs and benefits of privacy-enhancing technologies in the following contexts:  cloud computing services; social networking sites; online behavioral advertising; the mobile environment; services that collect sensitive data, such as location-based information; and any other contexts you wish to address.  If privacy enhancing technologies do play a role in resolving privacy concerns, discuss whether and how to create incentives for the development and adoption of such technologies, and ways to ensure they are effective and useful to consumers.
2. What challenges do innovations in the digital environment pose for consumer privacy, and how can those challenges be addressed without stifling innovation or otherwise undermining benefits to consumers?  For example, consider the technology and business practices that enable greater collection, use, and distribution of consumer data, including evolving methods of observation and tracking; techniques for correlating data, including the re-identification of anonymized data; the merging of data between on-line and off-line environments; and the emergence of third-party application developers in online platform environments.

The FTC currently is soliciting requests to participate as panelists in this second round table, as well as recommendations for topics for inclusion in the agenda, which are due by December 9.  Comments or additional research on the topics will be considered prior to the second round table if they are received by December 21.

Details have not yet been released for the third and final privacy round table, which is to be held on March 17, 2010 in Washington.

• Email This
• Print
• Share Link

The University of Denver Law Review today presented a Syposium on "Cyber Civil Rights: New Challenges for Civil Rights and Civil Liberties in Our Networked Age."  Hogan & Hartson partner (and privacy group co-chair) Christopher Wolf delivered remarks on "Accountability for Online Hate Speech: What Are The Lessons From 'Unmasking' Laws?” 

Chris observed that online anonymity and the privacy it shields can be used as a sword to injure the human dignity of others who are victimized by hate speech.  It also can be used to mislead and indoctrinate young people.

The Internet, in large part because of the shield of online anonymity, has become the medium through which hate groups plot and promote real-world violence, recruit and indoctrinate like-minded haters, mislead and distort information for those – like students – who innocently link to their content. There are, of course, notorious hate mongers who use their real identities and revel in the limelight.   But the vast majority of hate spewed online is done so anonymously. The Internet content of hate mongers – words, videos, music, and social network postings – serve to offend the human dignity of the intended victims, minorities and those who hate groups identify as “the other”.   

Chris went on point out the problem of cyberbullying and hate-filled comments appended to mainstream news articles online.  After reviewing the legal regimes used to "unmask" online copyright infringers, those who commit defamation online and KKK members while marching in groups, Chris acknolwedges the First Amendment limitations on legal regulation of anonymous speech online and proposes a self-regulatory regime by online companies to address hate speech online.  A copy of his full remarks can be found here. 

• Email This
• Print
• Share Link

As the 31st annual International Conference of Data Protection and Privacy Commissioners wraps up in Madrid, capped by the announcement that next year’s conference will occur in Jerusalem, to be hosted by the Israeli Information and Technology Authority, some reflections:

• Security vs. Privacy   There continues to be a tension between the need for security from terrorist and criminal attacks and the right to be free of excessive collection and retention of personal data by governments.  This was the focus of the remarks of the Spanish Minister of the Interior and the US Secretary of Homeland Security, and a panel of experts from around the world who concluded that there needs to be greater focus on the need for all of the information that is harvested from citizens.  The pre-conference session of The Public Voice organized by the Electronic Privacy Information Center resulted in a Madrid Declaration that warned that "privacy law and privacy institutions have failed to take full account of new surveillance practices."

• Corporate Accountability and New Privacy-Enhancing Technologies  Presentations by corporate representatives of Google, Microsoft, eBay, Yahoo!, Procter & Gamble, Accenture and others showed that corporate accountability for privacy (a concept advanced enthusiastically by our friend Marty Abrams of the Center for Information Policy Leadership) is guided not only by the need to be legally compliant but also by the recognition that in our information society, responsible data management will build consumer trust.  There was an impressive demonstration of various new technologies that provide greater transparency and more robust notice to individuals about the collection of data about them, and that give them greater control over the collection, use, transfer and retention of personal data.  For example, Google unveiled new privacy tools and Jules Polonetsky, my co-chair at the Future of Privacy Forum, illustrated the array of technologies available to protect the privacy of children.  The greater demonstration of such “self-regulation” through corporate accountability and the deployment of privacy-enhancing technology was recognized at the conference as an essential pillar of privacy protection. 

• US Law and Enforcement  In the panel on children’s privacy, John Avila of the Walt Disney Company, gave a compelling overview of the breadth and depth of US legal protections for privacy, which includes COPPA to protect kids, and which he pointed out focuses on the areas of greatest privacy concern (such as financial and health privacy).  There were also presentations on the robust enforcement of US privacy laws by the FTC and other authorities, and the innovations in regulation that include, for example, data security breach notification laws which serve as a model for new regulation in Europe.  My conversations with various EU Data Protection Commissioners indicated a growing respect for the US scheme of data protection, in stark contrast to the official EU position that the US lacks adequate protections for personal data which prohibit the cross-border transfer of data to the US absent special arrangements (such as Safe Harbor participation, model contracts or Binding Corporate Rules).

• Cloud Computing and the Smart Grid  There was a focus on the privacy issues implicated by new technologies such as the next generation of cloud computing and the Smart Grid.

• Cross-Border Harmonization of Regulation  Another important theme of the conference concerned cross-border harmonization of privacy regulation, even among countries in the EU that operate under the common principles of the EU Directive but whose laws often reflect differences in detail and application.  In that regard, the European Commission is in the process of soliciting views on the new challenges for personal data protection in order to maintain an effective and comprehensive legal framework to protect individual’s personal data within the EU. 

As with many such conferences, the value of the formal program was augmented by the opportunity of data protection regulators to meet informally with representatives of civil society, privacy advocates, privacy lawyers, and corporate privacy officials.  The interactions over lunch and dinner, and at the wonderful art galleries of Madrid (where tours were made part of the official agenda), allowed for the sharing of perspectives and ideas, and a recognition that no matter which sector is involved, those gathering in Madrid share the commitment to the protection of personal  privacy.

Next year in Jerusalem!
 

• Email This
• Print
• Share Link

Today at the 31st International Conference of Data Protection and Privacy in Madrid, US Secretary of Homeland Security spoke to those of us in attendance about her goal of a US-EU binding agreement on data sharing and privacy.  See this account from former Hogan & Hartson partner Mary Ellen Callahan, now Chief Privacy Officer at DHS, who accompanied Secretary Napolitano to Europe.

Following the ceremonial opening of the conference and addresses from senior government officials from Spain and the US, the delegates got down to work on granular issues of privacy and data protection.  Look for more reports as the meeting progresses.

• Email This
• Print
• Share Link

In advance of the global meeting of data protection authorities starting tomorrow in Madrid, the International Association of Privacy Professionals (IAPP) and the Electronic Privacy Information Center (EPIC) are hosting side events today at the conference hotel.

The biggest news so far, discussed at the IAPP event,  is that the European Commission is seriously considering  new  data security breach notification laws. Previously, the Commission and  the European Council had focused only on breaches at telecom companies and ISPs.

The Commission’s Information Society Commissioner, Viviane Reding,  now has said that new EU-wide legislation requiring all entities to notify individuals and authorities of breaches is seriously under consideration.

Thus, EU compliance officers are paying rapt attention to the discussion by the Americans here of how to comply with data security breach laws.

• Email This
• Print
• Share Link

Starting on Tuesday, November 3d, Hogan & Hartson will be live blogging from international privacy events in Madrid.  Chris Wolf from the firm's Washington Office and Wim Nauwelaerts from the Brussels Office, both senior lawyers in the Privacy and Data Security Practice, will provide timely reports from side events leading to the 31st International Conference of Data Protection and Privacy Commissioners

The civil society conference The Public Voice: Global Privacy Standards in a Global World to be presented by the Electronic Privacy Information Center;  and 

The Data Protection and  Privacy Workshop to be presented by the International Association of Privacy Professionals.    

Then, starting on Wednesday, November 4th, we will bring you reports from the "main event", which the host, the Spanish Data Protection Agency (AEPD), has described as "the largest forum dedicated to privacy in the world, which every year brings together the highest authorities and institutions guaranteeing data protection and privacy, as well as experts in the field from every continent. "

Watch for our daily reports.

• Email This
• Print
• Share Link

Readers of our blog are cordially invited to a complimentary Hogan & Hartson webinar on the legal issues arising from Cloud Computing on Tuesday, October 6 from 11 AM - 12:30 PM EDT.  To request an invitation to the webinar, please e-mail:  jbhowe@hhlaw.com

Cloud computing allows businesses to use the remote computing power of others to handle data and data applications. For most businesses, it is not a question of whether but how to use cloud computing. Cloud computing — a unique form of outsourcing — can reduce costs, improve service delivery, and allow business innovation not feasible with proprietary servers and on-site software.

So the question is how a company can use the new services in ways that protect the company and its data. As with any transfer of valuable company information, there are legal issues and legal risks that must be addressed.

In this webinar, you will learn and have an opportunity to ask questions about these issues and more:

• What exactly is cloud computing? What forms does it take?
• What steps should a company take to protect its intellectual property, including trade secrets and confidential information, in the cloud?
• Is data in the cloud safe from government view, and what can you do to protect it?
• How should you address the privacy law issues implicated by cloud computing, especially in light of the international legal rules on the cross-border transfer of data?
• What labor and employment law issues are implicated by sending data to the cloud?
• How does a company deal with e-discovery when using cloud computing?
• What data security safeguards should a company put in place before outing data in the cloud?
• Whose responsibility is it if there is a data breach and how are the requirements of data security breach notification laws met?
• What are the contracting issues with cloud computing and the best practices for getting a solid cloud computing contract?
• How do companies and cloud service providers handle service level issues?

• Email This
• Print
• Share Link

By Lynda Marshall, Chris Wolf, Marcy Wilder and Tracy Gray

Hello and welcome to the Hogan & Hartson Chronicle of Data Protection.   

We are delighted to introduce you to our privacy blog.  Our goal is to use this blog to bring you timely updates on a wide-range of issues in the privacy arena, including the evolving role of privacy and data protection in health law and policy, security safeguards, international compliance and e-commerce.  The practical implications of changing privacy regulations affect us all, both as professionals and personally, and we hope this blog will serve as a key source of information for you in navigating this ever-changing field.

We also hope you will have the chance to catch some of Hogan & Hartson's privacy team at the IAPP Privacy Academy in Boston, September 16 - 18th.    H&H attorneys will be on the following panels:

• Data Retention - the Monster in the Servers, September 17th at 2:15, featuring Chris Zaetta, Hogan & Hartson, and Andy Holleman, Chief Privacy Officer and Associate General Counsel, Qwest Communications
• In to the Breach - Dealing with the Aftermath of a Data Breach, September 18th at 11 AM, featuring Christopher Wolf, Hogan & Hartson, Chris Cwalina, Vice President and Associate General Counsel, Intersections, Inc., and Carol DiBattiste, Senior Vice President, Privacy, Security, Compliance and Government Affairs, LexisNexis Group
• Pie in the Sky - Looking at a Cloud Contract at Ground Level, September 18th at 11 AM, featuring Zenas Choi, Hogan & Hartson, and Geff Brown, Senior Attorney,  Law and Corporate Affairs, Microsoft Corporation

Thanks for joining us, and we look forward to being a helpful guide in the world of privacy.

• Email This
• Print
• Share Link

The Federal Trade Commission has just announced that it will host a series of day-long public roundtable discussions on the East and West Coasts "to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data."  The first roundtable discussion will occur on December 7th at the FTC Conference Center in Washington.

It has been widely-reported that the FTC is examining new ways to think about privacy and these discussions will further that examination. 

As the Commission explained the focus of the first roundtable:

Such [technology and business] practices [to be examined] include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation.

The initial questions the FTC has presented for comment at the first workshop are:

1. What risks, concerns, and benefits arise from the collection, sharing, and use of consumer information?  For example, consider the risks and/or benefits of information practices in the following contexts: retail or other commercial environments involving a direct consumer-business relationship; data broker and other business-to-business environments involving no direct consumer relationship; platform environments involving information sharing with third party application developers; the mobile environment; social networking sites; behavioral advertising; cloud computing services; services that collect sensitive data, such as information about adolescents or children, financial or health information, or location data; and any other contexts you wish to address.
    
2. Are there commonly understood or recognized consumer expectations about how information concerning consumers is collected and used? Do consumers have certain general expectations about the collection and use of their information when they browse the Internet, participate in social networking services, obtain products from retailers both online and offline, or use mobile communications devices? Is there empirical data that allows us reliably to measure any such consumer expectations?  How determinative should consumer expectations be in developing policies about privacy?
    
3. Do the existing legal requirements and self-regulatory regimes in the United States today adequately protect consumer privacy interests? If not, what are the particular privacy interests that warrant increased protection? How have changes in technology, and in the way consumer data is collected, stored, and shared, affected consumer privacy? What are the costs, benefits, and feasibility of technological innovations, such as browser-based controls, that enable consumers to exercise control over information collection? How might increased privacy protections affect technological innovation?

The FTC has explained that individuals and organizations may submit requests to participate as panelists in the December dicussion, and may recommend topics for inclusion on the agenda. The requests and recommendationshave been directed to privacyroundtable@ftc.gov.   More details can be found here.

• Email This
• Print
• Share Link