FTC Criticizes Privacy Disclosures for Children's Apps

The FTC yesterday issued a staff report calling upon members of the mobile app ecosystem to provide better privacy notices to parents about mobile apps directed to children.  The report, titled "Mobile Apps for Kids: Privacy Disclosures are Disappointing," highlights the findings from an FTC survey of the mobile apps for children available in the Apple App Store and the Android Market. 

The FTC evaluated the types of apps offered to children, the disclosures provided to users in the app stores and on the app developers' websites, interactive features such as connectivity with social media, and the ratings and parental controls offered for the apps.  FTC Chairman Jon Leibowitz stated that "right now, it is almost impossible to figure out which apps collect what data and what they do with it," and said the children's app ecosystem must "wake up" and provide "easily accessible, basic information, so that parents can make informed decisions about the apps their kids use."

To conduct its survey, the FTC searched the Apple and Android app stores using the word "kids" and examined the app store promotion pages of 200 apps (randomly selected from the first 480 search results) from each app store.  The FTC also reviewed the information available on the first page, or "landing" page, of the associated app developers' websites.  The FTC did not download any of the apps surveyed, explaining in the report that its focus was on the information that a parent could easily access prior to downloading (and possibly being charged for) an app.  The FTC also apparently did not examine the privacy policies or terms of use that were available through links on the app developers' websites (noting that "consumers are unlikely to read disclosures buried in privacy policies or 'terms of service' agreements because they are not easily accessible and are invariably long, legalistic, and difficult to understand"). 

According to the report, while FTC staff "encountered a diverse pool of apps for kids created by hundreds of different developers, staff found little, if any, information in the app marketplaces about the data collection and sharing practices of these apps."  In addition, of the 400 app promotion pages examined by the FTC, only two (0.5%) linked to a developer landing page that disclosed information about data collection and sharing on the landing page itself.

The report calls upon all members of the "kids app ecosystem" – the stores, developers and third parties providing services – to play an active role in providing key information to parents.  The report recommends that:

  • App developers should provide data practices information in simple and short disclosures. They also should disclose whether the app connects with social media and whether it contains ads. Third parties that collect data also should disclose their privacy practices.  
     
  • App stores, "as gatekeepers of the app marketplaces," also should take responsibility for ensuring that parents have basic information. The stores should provide a way for developers to convey information about their data collection and sharing practices (such as a designated space for developers to disclose this information and standardized icons to signal certain features, such as social network connectivity). 

The report warns of future enforcement action, noting that the FTC will conduct an additional review over the next six months to identify potential violations of the Children's Online Privacy Protection Act ("COPPA") and determine whether enforcement is appropriate.  According to the FTC, the report, along with the agency's settlement last year with a mobile app developer for alleged COPPA violations and its recent proposal to amend the COPPA Rule, is a "warning call" to industry that it must do more to provide parents with information about the mobile apps their children use.

The FTC report can be expected to increase scrutiny of mobile app privacy issues, which were in the spotlight in recent days following news that the popular social network app Path (and other iOS apps) would upload users' entire contact lists to the developer's servers without permission. 

New Article by Hogan Lovells Partner Examines Proposed EU Regulation

On February 13, 2012, Paris Office partner Winston Maxwell published an article in the French trade journal Edition Multimedi@.  The article examines the European Commission's proposed regulation on data protection, focusing on:

  •  the Commission's choice of a Regulation as opposed to a Directive,
  •  the new obligations that would be imposed on companies including
    • the accountability principle;
    • Privacy by Design; and
    • the obligation to conduct privacy impact assessments (PIA) for certain kinds of processing. 

The article describes:

  •  the proposed changes to the rules on applicable law, which are designed to bring certain non-European websites within the scope of European privacy rules;
  •  the proposed "right to be forgotten";
  •  the right to data portability. 

The original French version of the article, published in Edition Multimedi@, is available here.

Announcing Our New Hogan Lovells Privacy Partner Tim Tobin

We are delighted to announce that Tim Tobin, a key player in the Hogan Lovells Privacy and Information Management practice, has become a partner at our firm.

Tim Tobin’s entire professional career, even before law school, has had a privacy law focus. As an early practitioner in the relatively new field of privacy law, Tim has established himself as a "go-to guy" in the entire range of privacy law.  

Tim graduated from the George Mason University School of Law in May 2001 in the top 10% of his class, magna cum laude. Tim attended the evening program at George Mason law, working full time throughout law school. At law school, he was on the Law Review and served as its Articles Editor. 

Tim had a professional career prior to and during law school. He worked at the U.S. Parole Commission within the U.S. Department of Justice from 1992 to January 2000.  It was in this government job that Tim first became familiar with, and handled, privacy issues relating to the Freedom of Information Act (FOIA), the Privacy Act, and similar issues relating to victim privacy and Government records.

Tim joined Hogan Lovells practice director Chris Wolf at their previous firm, after a stint at a communications law-focused firm, and he assisted in all manner of privacy and data security issues for clients.  At the previous firm, Tim served as senior editor of a comprehensive legal treatise on privacy law published by the Practising Law Institute (PLI) that has been highly praised.  

Throughout his legal career, Tim has focused on a wide range of privacy and data security law matters. He provides compliance counselling to clients on the wide array of privacy and data security laws, and is deeply experienced in litigation, regulatory agency investigations, agency rulemaking processes, and public policy issues. Tim has worked with clients across a range of industries including those involved with the Internet, new media and communications as well as financial services, airlines, hotel, transportation, sports and entertainment, among many others.

Tim writes and speaks frequently on privacy law topics, including recently at the Los Angeles Auto Show on the topic of new automobile technologies and privacy.  He is the Smart Grid expert for the Future of Privacy Forum, and he leads the firm's pro bono efforts in a new privacy pro bono initiative spearheaded by IBM and the IAPP.

Tim has distinguished himself by his prodigious work ethic, his comprehensive knowledge of privacy law which he translates into thorough and practical advice for clients, and for his strategic insights on contested matters.  He also is known as a really nice guy.

We are delighted to announce his advancement to partner.

 

IAPP Europe Data Protection Congress, Paris - Day 2 - Summary of Peter Hustinx' keynote address

On the second day of the IAPP Europe Data Protection Congress held in Paris, France, the keynote speech was given by Peter Hustinx, the European Data Protection Supervisor.

In his address, Mr. Hustinx offered an opinion on where he thinks the revision of the European data protection framework is headed. Basing his remarks on a Stanford Law Review article, "Privacy on the Books and on the Ground," he advocated a revision of the European data protection framework that would provide innovative and efficient means to deliver privacy on the ground, by empowering data subjects and data protection authorities, as well as providing greater legal certainty for data controllers.

For the European Data Protection Supervisor, the revised framework can be expected to keep a strong continuity of principles, but it is thought that it will aim for innovation in the implementation of practices. This will, in all likelihood, lead to stronger roles for data controllers, data subjects and data protection authorities.

What it will mean for controllers, he continued, is that there will be a boost in responsibility as a result of the accountability principle. This new principle will certainly require the creation of internal roles, the implementation of internal procedures and independent audits, and the publication of those results. In this respect, Mr. Hustinx believes that privacy by design will be a feature of the new legislation and that general data breach notifications will form part of the project.

On the other hand, he stated that it seems logical and appropriate for there to be a "loosening" of the ex-ante controls by authorities.

On the data subjects' side, we should be expecting greater empowerment in the exercise of rights already granted and potentially the granting of "a few more rights."

For the authorities, he believes that the new framework should result in more effective supervision through uniform standards on independence and enforcement powers and topic selections. In this respect, the Article 29 Working Party (expect a name change!) will play a crucial role, providing greater transparency in its analyses.

Finally, he emphasised the importance of global cooperation and convergence in privacy standards and enforcement practices.

Answering questions from the audience, the EDPS stressed that Privacy by Design would be happening and that data controllers should not ask themselves "What should I do?" but rather "do it and prove what [they] have done!" However, the concept of Privacy by Design will not be defined specifically or in any detail in the new legislation.

He also addressed questions regarding the role of data protection officers which he believes is bound to increase and become more and more strategic in order to evidence compliance with the accountability principle.

ISPs agree to 'five strikes' graduated response

Hogan Lovells partner Daniel Brenner speculates on the impact of the July 2011 Memorandum of Understanding between major U.S. ISPs and content owners.   The Center for Copyright Information (CCI) will be responsible for administering the new graduated response system, and for defining privacy standards that right holders and ISPs must apply.  Will the mitigation measures promised by ISPs be effective in curbing copyright piracy?   Will the MOU's limitation to P2P exchanges limit the system's effectiveness?   Read the full story here.

Live Blogging from the IAPP Privacy Congress in Paris

Barbara Bennett, Stefan Schuppert, Winston Maxwell, Lionel De Souza and I are the Hogan Lovells lawyers participating in the IAPP Privacy Congress in Paris.  I am moderating and participating in sessions on cloud computing with Bojana Bellamy of Accenture, and a panel on convergence with Lord Richard Allan of Facebook and Wendi Lozada-Smith of AT&T.  This entry contains a live blog from the opening session.

The Privacy Congress comes on the eve of the European Commission's proposal for revision of the EU privacy framework and the anticipated release of the Department of Commerce White Paper and FTC Report on privacy.  So the future of privacy law is very much in focus.

The Chair of the Dutch Data Protection Authority and Chair of  the Article 29 Working Party, Jacob Kohnstamm is the opening speaker.

The patchwork of laws across Europe requires a region-wide regulation to provide a level playing field and uniformity.  This should  be the focus of the upcoming proposal for revision from the European Commission of the legal framework.

The present norms, which are technologically neutral, should persist and be strengthened.

Given the increasing cross-border context of issues, the Article 29 Working Party will have to play a stronger role in interpretation and clarification.  More frequent guidance on issues such as the definitions of "personal data" and "consent" will be needed, while still recognizing the independence of national Data Protection Authorities.  Powers of DPAs need to be harmonized and strengthened, including the ability to enjoin data processing and to levy fines.  Up to now, there have been no significant court judgments in terms of fines.

Article 29 Working Party needs a new name to reflect its true role and importance.

Data controllers need to ensure compliance and to demonstrate such compliance.  Privacy should be first step when launching new products and services, not the last step.  Privacy by Design and transparency are essential.

Companies should be able to seek guidance externally from privacy professionals just as they do with respect to competition law.

The Chairman went on to criticize Google, Facebook and the Online Behavioral Advertising industry for their interactions with DPAs and the Article 29 Working Party, and suggested that under the new regime, their conduct would have been different.

In the Q and A session, which became an especially lively exchange, Peter Fleischer of Google pointed out that changes to Google Buzz were made even before a letter of complaint from the Article 29 Working Party had been received.

The Chairman re-assured a questioner that innovation is taken into account along with privacy when the Article 29 Working Party considers regulation.  "We are paid to deal with privacy, however."

The main task of DPA is enforcement and not to sit with individual companies on what they should be doing, in an advisory capacity.

On the Global Privacy Enforcement Network (GPEN), the Chairman said the idea was for information sharing during enforcement actions, but he observed that national restrictions on information sharing have not produced as much cooperation as envisioned; the Commissioners are nonetheless committed to working together more across borders.

The second speaker is Viviane Reding, Vice-President of the European Commission, responsible for Justice, Fundamental Rights and Citizenship.

I will share some of the contents of the forthcoming European Commission recommendations on the revision of the Data Protection framework:  Codes of practice such as Binding Corporate Rules are not explicitly foreseen in the current Directive but are recognized as a matter of practice by the Article 29 Working Party.  One of the strengths of BCRs is legal certainty and flexibility.  (Interesting that the primary focus here is on the BCR code of conduct concept, similar to the anticipated focus on codes of conduct by the US Department of Commerce in its White Paper.)

My reform plans for BCRs: Simplification -- Approval from each member state is currently required, which is costly and an administrative burden.  A waste of time and money, and sometimes detrimental to the credibility and efficiency of DPAs.  I propose that BCRs be based on EU law, with a streamlined approval process and a single point of contact.  Once approved by one DPA, no further approval needed.  BCRs should be used by companies of any size, and should cover everything from paper-based filing systems to cloud computing. Consistent Enforcement -- Enforcement should be possible by any DPA (unlike now, where not all DPAs have enforcement power).  DPAs and courts should be able to enforce.  Innovation in Enforcement -- We need to encourage innovation in enforcement and embrace new technology.  First, we need to consider geographical borders.  Data controllers and subjects m realities. Data subjects, controllers and processors may be in different jurisdictions.   BCRs should apply to all internal (inside the EU) and external (in the US, India, Asia and South America) processing.  BCRs should apply both to data controllers and processors.  This would extend to cloud computing.

BCRs will facilitate international interoperability.

We are in a period of difficult economic times and decisions.  While bringing member states out of their debt crisis, we need to do everything to promote economic growth.  I will do my utmost to ensure that data protection reform will both reinforce fundamental protection of individual rights and promote growth.

Ms. Reding did not take questions.

Geolocation services: a five country survey

Hogan Lovells privacy attorneys examine the challenges of deploying geolocation services in five jurisdictions: France, Spain, Germany, the United States and Hong Kong.  Privacy laws in each jurisdiction differ, including on the definition of "personal data" and on the degree of user consent that is required.  The article also examines the WP Art. 29 Opinion 13/2011 on "Geolocation services on smart mobile devices."  See the full article here.

Network Neutrality Advances in the E.U.

By Dan Brenner, Technology, Media and Telecoms Practice

The network neutrality debate in the U.S. has moved to the appeals courts as the 2010 FCC Order, which becomes effective on Nov. 20, awaits review.  Meanwhile, two E.U. developments presage more regulatory steps forward. The result is movement away from the European Commission's wait-and-see communiqué announced just last April. 

On Oct. 7, the European Data Protection Supervisor issued an Opinion on network neutrality and the protection of privacy. The Opinion represents a relatively balanced review of the need for internet service providers (ISPs) to manage traffic and the impulse for "function creep where the initial purposes could easily evolve into commercial or other exploitation of information collected." The Opinion recognizes that both the content and the traffic data processed by ISPs are protected by the right of confidentiality of correspondence under the E.U. Charter.   Use of either requires a "free, specific and informed indication of wishes".

The Opinion concludes that a website can't require consent to collect personal data from a user as a condition for subscribing "[g]iven that the Internet has become an essential tool both for work and for leisure purposes." Thus, websites that condition entry on personal data are not allowed. Moreover, it opines that consent must be obtained from "all users" in a communication. Query whether and how this would apply to a free, data-mining email account, where the subscriber has consented but her correspondent has not. 

The Opinion recognizes that consent to inspect a customer’s traffic or content data may not always be possible, or necessary, for all monitoring functions. But the Opinion is likely to be cited by those seeking to link privacy rights and personal data to the network neutrality cause; in the US, privacy has not been in the forefront of this debate. 

On Nov. 20 neutrality advocates in Europe inched their efforts forward when the Industry, Research and Energy Committee (ITRE) of the European Parliament voted to ask the EC to come up with more guidance on network neutrality. This step, too, marks a backing away from last spring's "wait-and-see" stance.   Among other things, the resolution calls on the European Commission to ensure that ISPs "do not block, interfere with, discriminate against, impair, or degrade the ability of any person to use a broadband service to access, use, send, post, receive, or offer any lawful content, application, or service made available via the Internet." This language actually goes farther than the FCC's neutrality rules, which bar only "unreasonable" discrimination. There appears to be an E.U. carve-out for mobile Internet traffic, similar to the FCC's reduced treatment for this presumably bandwidth-constricted technology.

One reason the E.U. has lagged the U.S. in net neutrality regulation is that European telcos have generally been required to unbundle their last-mile copper plant. Multiple ISPs, in theory anyway, can serve a residence. With ISP competition possible to every residence, a customer can switch if she doesn't like the ISP's terms and conditions. 

In the U.S., telcos were freed from unbundling in 2005, and cable networks were never generally subject to the requirement. Despite extensive head-to-head broadband competition in most of the country, competition is not universal in all 50 states. U.S. Regulatory proponents note this lack of competition in rejecting a market-based solution to issues of ISP conduct.

France Implements EU Requirements for Data Breach Notification, Audits and Cookies Applicable to Electronic Communications Service Providers

This entry was drafted by Winston Maxwell and Lionel de Souza.

On August 26th, France published a Presidential Order (Ordonnance) that implements the November 25, 2009 package of EU telecoms directives. The Ordonnance contains measures on data breach notifications, data security audits and cookies. These measures are limited to providers of electronic communications services and therefore are not, for the time being, applicable to all data controllers.

Data Security Breaches.    All providers of public electronic communications services are required immediately to inform the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL) of any data security breach.  A data security breach is defined as "any security breach that results accidentally or in an illicit manner in the destruction, loss, alteration, disclosure or unauthorized access to personal data which is processed in the context of the supply to the public of electronic communications services." The Ordonnance does not contain any materiality threshold. Consequently each and every breach, no matter how small, must be reported to the CNIL. Every provider of public electronic communications services must also keep a journal of data breaches, indicating the details of the breach, its effect and the remedial measures taken. The journal must be shown to the CNIL on request. 

Notification to data subjects: if the data breach "can adversely affect the personal data or privacy of a subscriber or other individual, the operator must also immediately inform the interested party." However, this notification requirement can be waived if the CNIL finds that "appropriate protection measures were taken by the provider to ensure that the data are incomprehensible to any unauthorized person and such measures were applied to the data concerned by the breach." The Ordonnance contains no materiality threshold here either. Yet the Ordonnance states that the CNIL can, "after examining the seriousness of the breach, order the provider also to inform the interested party." This provision suggests that there may in fact be a "seriousness" threshold after all in connection with notifications to data subjects, but that the decision would be the CNIL's and will certainly depend on the responsiveness and containment measures demonstrated by the service provider.

Sanctions: The criminal sanction for failing to notify data breaches is up to five years in prison and a fine of three hundred thousand euros (€300,000). The sanction is in line with other criminal sanctions for failure to comply with French data protection legislation. With regard to the fine, it should be noted that the maximum for companies is multiplied by five, bringing the maximum fine for a company to one and a half million euros (€1,500,000).  

Security Audits. The Ordonnance empowers the French government to order security audits of any operator's networks, systems and services. The operator must bear the cost of the audit, and must give the government approved auditors access to all relevant equipment and to the operator's "documents relating to its security policy." A future decree will be adopted to provide details on these requirements. However, one takeaway from this new provision is that operators should probably conduct preventive data and network security audits and make sure their security policies are up to date and applied.

Cookies. Implementing the revised ePrivacy Directive, the Ordonnance provides that users of electronic communications services must not only receive clear information about the use of cookies and tools available to block them (this was already a requirement under French law), but also that users give their consent before the cookies or similar measures are implemented. The Ordonnance states that "the consent can result from appropriate parameters in [the user's or subscriber's] connection system or any other system under [the user's or subscriber's] control." This suggests that browser settings might constitute sufficient prior consent, although the recent Article 29 Working Party opinion on consent (Opinion 15/2011) appears to take a different view.

As before, an exception exists for cookies that are designed to facilitate the communication, or that are strictly necessary for the provision of the Internet application or service requested by the user.
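As an added illustration of how the prior-consent rule above translates into client-side code (editor-supplied example code, not part of the original post and not taken from any French regulatory text), the following JavaScript gates cookie-setting on a declared purpose: strictly necessary cookies are exempt, and everything else needs a recorded user choice. The cookie names, the purpose categories, the `browserAllowsCookies` signal and the `browserSettingsAreConsent` switch are all assumptions made for the example; the switch exists only to show the two readings the paragraph contrasts, the Ordonnance wording that browser parameters may suffice and the stricter reading attributed to Opinion 15/2011, and defaults to the stricter one.

```javascript
'use strict';

// Added example, not code from the original post. Cookie purposes; only
// STRICTLY_NECESSARY falls under the Ordonnance's exception.
const Purpose = Object.freeze({
  STRICTLY_NECESSARY: 'strictly_necessary',
  FUNCTIONAL: 'functional',
  ANALYTICS: 'analytics',
  ADVERTISING: 'advertising',
});

// Hypothetical registry of every cookie the site sets, mapped to its purpose.
// Names are assumptions for the example. A cookie absent from the registry is
// refused, so nothing is ever set without a declared purpose.
const COOKIE_REGISTRY = Object.freeze({
  sid: Purpose.STRICTLY_NECESSARY,     // session identifier
  csrftok: Purpose.STRICTLY_NECESSARY, // CSRF token for the requested service
  lang: Purpose.FUNCTIONAL,            // UI language preference
  _ga: Purpose.ANALYTICS,              // analytics identifier
  adid: Purpose.ADVERTISING,           // advertising identifier
});

/**
 * Decide whether cookie `name` may be set.
 *
 * consent - record of an explicit user choice, e.g. { analytics: true,
 *           advertising: false }; null when the user has not chosen yet.
 * options.browserAllowsCookies - assumed browser-level "accept cookies" signal.
 * options.browserSettingsAreConsent - whether that signal counts as prior
 *           consent (lenient reading of the Ordonnance). Default false, the
 *           reading attributed to Opinion 15/2011.
 */
function maySetCookie(name, consent, options = {}) {
  const purpose = Object.prototype.hasOwnProperty.call(COOKIE_REGISTRY, name)
    ? COOKIE_REGISTRY[name]
    : null;

  if (purpose === Purpose.STRICTLY_NECESSARY) {
    return { allowed: true, reason: 'strictly necessary for the requested service' };
  }
  if (purpose === null) {
    return { allowed: false, reason: `unregistered cookie "${name}"` };
  }
  if (consent && consent[purpose] === true) {
    return { allowed: true, reason: `explicit consent recorded for ${purpose}` };
  }
  if (consent && consent[purpose] === false) {
    return { allowed: false, reason: `user refused ${purpose}` };
  }
  if (options.browserSettingsAreConsent && options.browserAllowsCookies) {
    return { allowed: true, reason: 'browser settings taken as consent (lenient reading)' };
  }
  return { allowed: false, reason: `no prior consent for ${purpose}` };
}

// `jar` stands in for document.cookie so the example runs outside a browser;
// a Map is enough to show which cookies actually get set.
function setCookieIfPermitted(jar, name, value, consent, options) {
  const decision = maySetCookie(name, consent, options);
  if (decision.allowed) {
    jar.set(name, value);
  }
  return decision;
}

// Walk a page load through "no choice yet" and "choice recorded" and report
// which cookies ended up in the jar at each stage.
function demo() {
  const jar = new Map();
  const noChoiceYet = null;

  // Before any banner interaction: only the essentials are set.
  setCookieIfPermitted(jar, 'sid', 's3ss10n', noChoiceYet);
  setCookieIfPermitted(jar, 'csrftok', 't0k3n', noChoiceYet);
  setCookieIfPermitted(jar, '_ga', 'GA1.2.1', noChoiceYet);
  setCookieIfPermitted(jar, 'adid', 'ad-42', noChoiceYet);
  const beforeChoice = [...jar.keys()];

  // After the user opts in to analytics and functional cookies but refuses advertising.
  const choice = { analytics: true, advertising: false, functional: true };
  setCookieIfPermitted(jar, '_ga', 'GA1.2.1', choice);
  setCookieIfPermitted(jar, 'adid', 'ad-42', choice);
  setCookieIfPermitted(jar, 'lang', 'fr', choice);
  const afterChoice = [...jar.keys()];

  return { beforeChoice, afterChoice };
}

console.log(JSON.stringify(demo()));
```

The design point is that the decision hinges on a purpose registry rather than on the cookie name alone: a cookie nobody has classified is refused, which is the safe default when the legal exception is narrow. Flipping `browserSettingsAreConsent` to true is the only change needed to adopt the lenient reading, so the policy choice stays in one place.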

SABAM: advocate general highlights tension between privacy and copyright

The advocate general of the European Court of Justice issued his long-awaited opinion in the SABAM case, a case that discusses the ability of ISPs to filter Internet content in order to detect copyright infringements.  The advocate general highlights the tension between privacy rights and copyright, and the criteria that must be satisfied in order for a filtering measure to be constitutionally valid in Europe.  In the SABAM case, the advocate general found that one of the constitutional criteria was lacking, because Belgium had not enacted a specific law that would permit the kind of filtering that had been ordered by the court in the SABAM case.   The opinion is summarized by Hogan Lovells privacy lawyer Winston Maxwell in a recent article.  The article also discusses the TalkTalk case in the United Kingdom.

Looking Back at the eG8

In a recent article Christopher Wolf looks back at the eG8 conference and pleads for better transatlantic cooperation on privacy matters, explaining the tension between U.S. First Amendment traditions, and certain European proposals including the right to be forgotten.

Financial Services Industry Group Issues Social Media Guidance

A financial services industry group released guidance this week on managing the risks associated with using social media, including data protection concerns.  The guidance, titled "Social Media Risks and Mitigation," was released by BITS, a division of the Financial Services Roundtable, which represents 100 of the largest financial services companies.  The 71-page report details numerous risks that banks and other financial companies may face when using social media, including compliance, legal, operational and reputational risks.  These risks are discussed in the context of three types of social media use:

  • By a financial institution to communicate with or service the financial institution's customers
  • By the financial institution's employees in their personal or professional capacities
  • By the financial institution's employees or contractors outside the office

The guidance thus addresses sector-specific regulatory requirements, such as Gramm-Leach-Bliley Act compliance and FINRA rules applicable to securities firms.  It also addresses concerns that are relevant to financial institutions as employers, such as bank employees' personal use of social media.

The BITS report is particularly significant because it responds to a need for guidance in an industry that is increasingly using social media, but still lacks clear rules from regulators regarding such activities.  While FINRA has issued guidance on use of social media by firms subject to FINRA's oversight, the federal banking agencies have not, to date, issued detailed guidance to the banking industry on banking compliance issues raised by use of social media.  

Also, while targeted at the financial services sector, the report also has relevance to many other types of users of social media.  It gives guidance, for instance, on coordinating a company's social media policies with its other policies, and performing a risk assessment to determine the risks a company's social media activities could pose.

California PUC Issues Proposed Decision on Smart Grid Privacy

On May 6, 2011, the California PUC (CPUC) issued a proposed decision by CPUC President Peevey addressing smart grid privacy and security. The proposed decision is part of a longstanding proceeding we first discussed here.

The proposed decision represents a significant step towards a set of smart grid privacy rules in the United States during a time that smart grid privacy is attracting increasing global attention. For example, as discussed in the Chronicle of Data Protection post on April 18, 2011, the European Union’s Article 29 Working Party issued smart meter guidelines last month.

The California PUC Proposed Decision expressly embraces Fair Information Practice (FIP) principles. The proposed rules are designed around the FIP principles of Transparency, Purpose Specification, Individual Participation, Data Minimization, Use and Disclosure Limitation, Data Quality and Integrity, Data Security, Accountability and Auditing. A Future of Privacy Forum blog post available here provides a brief overview of the Proposed Decision and a longer “Future of Privacy Summary of California Public Utilities Commission Proposed on Smart Grid Privacy and Security” dated May 9, 2011, drafted by yours truly, provides more detail about the California PUC’s approach to the proposed rules and jurisdictional issues. The California PUC is accepting comments on the proposed decision until May 26, 2011.   

Smart meters and the smart grid present the prospect of empowering consumers to more efficiently control their energy usage and lower their bills, increasing consumers’ ability to use and manage smart appliances and new and innovative applications, fostering a reliable electricity grid, and helping to reduce carbon emissions. For an excellent background on Smart Grids and the privacy issues they present, see the white paper, Smart Privacy for the Smart Grid: Embedding Privacy in the Design of Electricity Conservation, co-authored by Hogan Lovells partner, Christopher Wolf.

Video Feature: As a New Privacy Law Framework is Mulled, What Should Companies Be Doing?

Hogan Lovells Privacy and Information Management practice Leader Chris Wolf recently was interviewed by the Bureau of National Affairs (BNA) in a video on what companies should be doing as changes in privacy law get mulled at the FTC, in Congress and internationally. Chris observes that companies collecting, using, sharing and storing personal data should anticipate change, and should begin to provide greater transparency about data collection and use, greater consumer choice over such collection and use, practice data minimization and use specification, and be prepared for changes in the law whether they come legislatively or through regulatory enforcement.

BNA graciously has given us permission to provide access to the video for readers of the Hogan Lovells Chronicle of Data Protection. View the video below or access it here.

FinCEN Considers Proposed Rule to Require Reporting of Cross-Border Electronic Fund Transfers

Comments are due December 29 on a proposal that would require banks and money transmitters to report information to the U.S. government regarding international fund transfers, including the Social Security numbers of individuals that send or receive such funds.  

On September 30, 2010, the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, published a Notice of Proposed Rulemaking (NPRM) for public comment.  The proposal would amend Bank Secrecy Act (BSA) regulations to add two new requirements.  First, banks and money transmitters would be required to report transmittal information on cross-border electronic transmittals of funds (CBETFs) on an ongoing basis; banks would have to report transfers of any amount, while money transmitters would have to report transfers of at least $1,000.  For reportable transactions of $3,000 or more, money transmitters would have to include in the report the taxpayer identification number (TIN), alien identification number, or passport number of the transmitter or recipient.  Second, the proposal would require all banks to file an annual report with FinCEN of the account numbers and TINs associated with each account that initiated or received a CBETF.

The information that would be reported is largely information that banks and money transmitters already collect, even though they currently are not required to report it as they would be under the proposed rule.

The proposal is aimed at furthering the government’s efforts to combat money laundering, terrorist financing, and other violations of law such as tax evasion and customs fraud.  The reports, FinCEN asserts, would greatly facilitate the ability of authorities to investigate and prosecute such activity.  The reports would be submitted to FinCEN, but could be accessed by other federal and state authorities.  This is already the case with other data currently collected pursuant to BSA.   

However, the affirmative reporting of information on all CBETFs – including account numbers and TINs – would be a significant change.  FinCEN would be given the Social Security number of every individual that uses a U.S. bank to either send or receive funds electronically across U.S. borders, and of many other persons that use money transmitters for such transfers.  This raises possible privacy and data security concerns – due both to the fact of the government having such data and to the need to prevent improper access to or misuse of the data.    

FinCEN has acknowledged the privacy and security concerns raised by the proposal and states that it will maintain sufficient procedures to keep such information safe and secure.   The data, FinCEN observes in the NPRM, “is highly sensitive data containing details about the financial activity of private persons.  Without proper safeguards, this data could be at risk of inadvertent or deliberate disclosure or misuse[.]” 

FinCEN is statutorily prohibited from issuing a final rule until it has established adequate, secure systems to accept the required reports.  For that reason, FinCEN does not expect to issue a final rule before January 1, 2012, because it does not expect to have the information technology systems in place to accept the reports before that time.  Even after a final rule is issued, FinCEN anticipates delaying the mandatory compliance date for some period to allow time for financial institutions to implement procedures to comply with the rule.

FDIC Requires Banks to Adopt Policies on Disposal of Information Stored on Office Equipment

On September 15th, the Federal Deposit Insurance Corporation (FDIC) issued guidance (Financial Institution Letter FIL-56-2010, "FDIC Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers") urging banks under its supervision to ensure that they have written policies for the erasure or destruction of sensitive or confidential customer information stored in photocopiers, fax machines, or printers.  Such storage may occur when the device's hard drive or flash memory stores digital images of documents that were photocopied, faxed, or printed using the device.

This is a particular concern for banks that lease office equipment - which may be used to process a significant amount of confidential information relating to financial transactions - and then return the equipment or sell it to another party.  If the memory of such devices is left intact, it is possible that such a third party could access data constituting "nonpublic personal information" under the Gramm-Leach-Bliley Act, such as information in consumers' loan applications or account statements, or other confidential information.

FDIC-supervised banks must, therefore, implement written policies and procedures to ensure that a hard drive or flash memory in office equipment containing sensitive data is erased, encrypted or destroyed prior to the device being returned to a leasing company, sold, or otherwise disposed of.  If the bank chooses to erase or encrypt the hard drive rather than destroy it, the bank should ensure that the method used will render the information on the disk unrecoverable.

While FIL-56-2010 applies only to banks supervised by the FDIC, all financial institutions are required to ensure the proper safeguarding and disposal of customer information.  Therefore, even non-FDIC-supervised financial institutions would be well advised to consider and implement the guidance contained in FIL-56-2010.

The Future of Privacy Forum Announces "Privacy Papers for Policy Makers"

On Wednesday, September 15th, the Future of Privacy Forum (FPF) announced the papers that were selected as “privacy papers for policy makers” at an event held at George Washington Law School. FPF is the privacy think tank founded and co-chaired by Hogan Lovells’ Chris Wolf. These works were deemed by the FPF to be the recent scholarship dealing with privacy issues that will prove most useful to policy makers. The papers that were selected are:

  • Privacy on the Books and on the Ground – Kenneth A. Bamberger and Deirdre K. Mulligan
  • What is Privacy Worth? – Alessandro Acquisti, Leslie John, and George Loewenstein
  • Misplaced Confidences: Privacy and the Control Paradox – Laura Brandimarte, Alessandro Acquisti, and George Loewenstein
  • Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach – Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, and Lorrie Faith Cranor
  • How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies – Chris Hoofnagle, Jennifer King, Su Li, and Joseph Turow
  • Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes – Ira Rubinstein

You can view these papers, along with the papers that received notable mentions, on FPF’s website at http://www.futureofprivacy.org/the-privacy-papers/.

The papers were discussed by a panel, including:

  • David Vladeck, Director of the Bureau of Consumer Protection for the Federal Trade Commission (FTC)
  • Jules Polonetsky, Co-Chair of the FPF
  • Christopher Wolf, Co-Chair of the FPF and Partner at Hogan Lovells
  • Dan Solove, Professor, The George Washington University Law School
  • Carol DiBattiste, Senior Vice President, Privacy, Security, Compliance & Government Affairs, LexisNexis
  • Brendon Lynch, Chief Privacy Officer, Microsoft

The conversation focused on how these papers could be used by policy makers to bridge the gap between scholarship and how organizations implement privacy practices on the ground. In his remarks, David Vladeck described how the FTC looks to academic writing to help inform its regulatory priorities. He referenced the FTC’s series of roundtable discussions held in late 2009 and early 2010 that were influenced by recent scholarship, including the winning papers. These discussions, and the resulting recommendations, are being used to create an FTC Report that was promised as a follow-up to the roundtables. Mr. Vladeck predicted that the report would be released by the end of October, subject to the Commission’s approval process, and he broadly hinted that some proposed changes to the privacy framework may be forthcoming.

September Privacy Events Galore

With the new "school year" comes a plethora of privacy events featuring Hogan Lovells attorneys:

On September 9th, the International Association of Privacy Professionals will present this Web Conference on "The Evolution of FTC Privacy Enforcement Actions—What More Granular Enforcement Means for Respondents and Businesses" featuring Hogan Lovells attorneys Chris Wolf and Tim Tobin and FTC Attorney Kandi Parsons.

It is a given that there can be no privacy without data security.  Chief Security Officer magazine is presenting the Security Standard conference on September 13 and 14 at the Marriott Brooklyn Bridge in New York City to explore the complexities of modern security strategies, addressing identity management, cloud security, data protection, risk management and privacy.  For registration information, click here.

Hogan Lovells' Chris Wolf will be presenting the following session on September 13:

Negotiating with Your Cloud Provider: Standard service agreements don’t go far enough in protecting your data and your organization in the event of security incidents or outages at cloud providers. In this session, learn how to negotiate the right terms and penalties to get the protection you need from your cloud provider, from identity management to business continuity, incident response plans and more.

On September 14th, Pike & Fischer (a BNA company) will present this Web Conference entitled "Legal Landmines in Europe for Internet-Based Businesses," featuring Hogan Lovells attorneys David Taylor and Winston Maxwell from our Paris office and Chris Wolf from Washington, DC, as well as Google's Global Privacy Counsel Peter Fleischer.

On September 21st, Hogan Lovells will present a complimentary webinar on NAFTA Privacy featuring top governmental privacy officials from Canada, the US, and Mexico, as well as the Chief Privacy Leader of General Electric, and moderated by Hogan Lovells' Chris Wolf.  More information can be found here.  To register, please click here.

And later in September....

You are invited to join Hogan Lovells at the upcoming Online Trust Alliance 5th Anniversary "Online Trust & Cybersecurity Forum" being hosted at Georgetown University, September 22 to 24.  Of particular interest on Wednesday the 22nd are three pre-conference workshops focusing on (1) email regulatory compliance, (2) email and domain authentication, and (3) malvertising.  More information on the agenda and registration information are posted here.

Thursday keynotes include the US Secretary of Commerce Gary Locke, Greg Link of CoveyLink, Howard Schmidt (White House Cybersecurity Coordinator) and Randall Rothenberg (IAB) as well as dozens of other business and industry leaders.  On Friday, Representative Cliff Stearns is speaking and kicking off a privacy roundtable, followed by sessions on data breach remediation, identity management and privacy policy makeovers.

At the September 24th session, Christopher Wolf of Hogan Lovells will participate in this panel:

Data Breach & ID Theft; Detection & Remediation
Despite increased security prevention investments and employee training, incidents of data loss are increasing. Companies need to proactively plan for the worst case, understanding that the question is not if an event will occur, but when. An effective plan includes an orchestrated play book that can be deployed on a moment’s notice. This session will examine steps businesses can take to protect consumers and their brands by reviewing elements of an effective plan, including consumer education.  The session will also examine the role consumers have in the chain of trust and steps they can take to protect their identity.

  • Chris Shenefelt, Executive Vice President, Global Operations, Intersections Inc.
  • Anne Wallace, President, Identity Theft Assistance Corporation
  • Christopher Wolf, Director, Privacy & Information Management Practice, Hogan Lovells

OTA has offered readers of the Hogan Lovells Blog the opportunity to register by August 31st for only $399.50 for the two-day program and save 50%.  Use discount code Hogan50.  Register at https://otalliance.org/dc.html

AMP Summit is "an annual forum for influentials and thought leaders in the activist, media and political spheres."  Public officials and regulators, experts from think tanks, trade associations, and public relations, and members of the media will attend. This conference in Washington at the Marriott Metro Center "is intended to inspire new thinking, challenge traditional strategies, and create opportunities to learn from each other."  Detailed information can be found here.

Chris Wolf from Hogan Lovells will participate on a panel on Friday, September 24th from 3:50 to 5 PM entitled "Privacy in the Internet Age: Does DC Have a Role to Play?" with Lillie Coney of the Electronic Privacy Information Center and Berin Szoka of the Progress and Freedom Foundation, moderated by Bruce Mehlman of Mehlman Vogel Castagnetti.

Also, as shown here, Quentin Archer from the Hogan Lovells London Office will be co-chairing the Sedona Conference International Programme on Cross-Border E-Discovery and Privacy on 15 and 16 September in Washington, DC.

Second Revision of People's Republic of China Consumer Rights and Benefits Protection Law Includes Data Privacy Rules

This post was provided by Julia Peng of Hogan Lovells' Beijing office.

On 19 October 2010, the People’s Republic of China (“PRC”) State Administration of Industry and Commerce ("SAIC") issued the Second Revision of the PRC Consumer Protection Law (Draft for Comments) (the "Draft Consumer Law"). A significant addition to the Draft Consumer Law is a provision for the protection of consumers’ personal data.

According to Article 14 of the Draft Consumer Law, consumers enjoy the right to have their personal data protected when purchasing and using goods and services. The same article also clarifies the scope of the personal data which is protected. It includes a consumer's name, gender, age, profession, contact details, health condition, family, properties, purchase records and other information closely related to the consumer or their families.

The Draft Consumer Law includes provisions that impose penalties for the improper handling of consumers' personal data. The penalties range from the provision of an apology to damages for both actual loss and emotional distress.

The provisions relating to the protection of consumers' personal data in the Draft Consumer Law represent a significant step towards the setting up of a framework for personal data privacy. The most important aspect is that the scope of the personal data protected is now defined. Secondly, it provides various civil remedies for the mishandling of personal data.

To date, privacy is still not recognised as an independent personal right in the Constitution or the General Principles of Civil Law. Data protection legislation exists in draft in the form of "The Personal Information Protection Law," which was submitted to the State Council in 2005 but has not progressed further. Piecemeal provisions relating to personal data exist in various pieces of legislation, the most recent addition being the 2009 new article in the Criminal Law, which prohibits the unauthorised sale or disclosure of personal data. However, the new article only covers serious breaches by government officials, or staff members of financial, telecommunications, education and health institutions. It is therefore hoped that the Draft Consumer Law will be an effective tool that catches a wider range of data privacy breaches.

Recent reports indicate that the SAIC is currently reviewing and discussing the Draft Consumer Law. After this review is completed, the Draft Consumer Law will need to be reviewed by the State Council and the National Congress before it can become law.

The Draft Consumer Law (in Chinese) is available at: http://www.315.gov.cn/AttachFiles/20091016100151.doc 

Reform of Hong Kong's Personal Data Privacy Legislation: Public Consultation Period Ends

This post was provided by Gabriela Kennedy and Olivia Lennox-King Stewart of Hogan Lovells’ Hong Kong office.

The Constitutional and Mainland Affairs Bureau (the "CMAB") published a Consultation Document on the Review of the Personal Data (Privacy) Ordinance (the "Consultation Document") on 28 August 2009, inviting comments on the proposed amendments. The consultation period closed on 30 November 2009.

Prior to the Consultation Document being released, the Privacy Commissioner for Personal Data presented to CMAB and the Government the results of his own review of the Personal Data (Privacy) Ordinance (the "Ordinance"). The Consultation Document included some but by no means all of the issues captured in the Commissioner’s review.

In November 2009, the Commissioner released his submissions on the Consultation Paper, responding to the proposals CMAB had formulated. The Commissioner states in his submissions that they were intended to "let the public know more about the issues before making their submissions", and noted that the Government's proposals were "more moderate and conservative than those made by the Commissioner".  

"Sensitive Personal Data"

The Commissioner’s Review had suggested that the definition of "sensitive personal data" under the Ordinance should include data regarding an individual's race or ethnicity, political and religious beliefs and affiliations, physical and mental health, and sexual preferences ("the extended definition"). However, the Consultation Paper instead proposed that only biometric data be considered sensitive personal data at this stage.

In his Submissions in response, the Commissioner noted that the extended definition accords with Article 8 of the EU Directive 95/46/EC, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. In order to be designated as "adequate" under the Directive and allow for uninterrupted data flows with EU member states, the Ordinance must provide a similar level of protection as provided for under the Directive. The Submissions suggest that designation as an “adequate” jurisdiction under the Directive would assist Hong Kong’s growth as a trade and business centre. 

The Commissioner also submitted that given the extent of harm that may arise as a consequence of data in the extended definition being mishandled, it would be appropriate to adopt this wider definition and he urged the CMAB to reconsider the scope of sensitive data.

Regulation of Data Processors

Unlike equivalent legislation in other jurisdictions, such as Australia and Canada, the current provisions of the Ordinance regulate the handling of personal data by data users only and not also by data processors. While the Consultation Paper included the Commissioner’s earlier proposal that data users should be obliged to use contractual and other means to ensure data processors comply with the Ordinance, the Submissions suggested that this control mechanism would not go far enough. Rather than ensuring compliance by self-regulation and internal policy alone, the Commissioner proposed that data processors should be subject to direct regulation under the Ordinance. This would reduce the increasing number of data leakage incidents, many of which have been shown to have resulted from insufficient security safeguards on the part of data processors.

In defence of the decision to exclude data processors from direct regulation, CMAB has raised concerns about the application of the Data Protection Principles (“DPP”) to data processors, particularly DPP3, which provides that personal data should only be used for the purposes (or a directly related purpose) for which they were to be used at the time of collection. As data processors are often unaware of the nature of or purpose of collection of the personal data they are processing, this principle would be difficult to enforce. The Commissioner responded to this by proposing that the wording of DPP3 be amended to provide, in relation to data processors, that personal data should only be used for the purpose for which the data was entrusted to the data processor.

The Commissioner’s Enforcement Powers

Although many of the Commissioner’s suggestions to increase his own powers of enforcement have been included in the Consultation Document (such as the power to carry out criminal investigations and prosecutions, the power to search premises and seize evidence, and the power to call upon public officers for assistance), CMAB expressed the view that there could be public concerns about giving such wide powers to the Commissioner.

This view was of course not accepted by the Commissioner who disagreed on a number of grounds. There are many examples of statutory bodies that have been given the power to investigate and institute criminal proceedings at their own behest. Further, the Commissioner pointed out that the power to prosecute entails bringing an action and presenting the case before the Court. It does not give the prosecutor the power to determine the culpability of the data user and impose sanctions; that power is reserved for the judiciary. A member of the public has the common law right to bring a criminal prosecution. The power of the Secretary of Justice to intervene and assume control of criminal proceedings is an effective safeguard against any prejudice of the Secretary’s power in the case of an individual, just as in the case of a statutory body. The Commissioner proposed the inclusion of a provision that the Commissioner’s power to prosecute be subject to the consent of the Secretary for Justice.

Outstanding Issues: s. 33 and Cross Jurisdictional Data Transfers

One point of discussion throughout the review and consultation process was the fact that s. 33 of the Ordinance was excluded from consideration. S. 33 restricts, subject to certain exceptions, the transfer of personal data from Hong Kong to any jurisdiction that lacks an adequate data protection scheme. It is the only section of the Ordinance that has not yet been brought into force, despite being on the statute books for the last 14 years. However, with the increasing internationalisation of business, and the ability to disseminate information across the world instantaneously through the Internet, the protection and regulation of cross jurisdictional personal data transfers has come under scrutiny.

Although the government had earlier indicated that s. 33 would be part of the Commissioner’s review, it has not been included in the Consultation Document and comments from both the Government and the Commissioner before and during the consultation period suggest that both are of the view that Hong Kong is not ready for such legislation, and further assessment is needed.

Not bringing section 33 into force means that there is effectively no restriction on the transfer of personal data to jurisdictions that do not have a data protection regime (most significantly, mainland China). This in turn means that parties wishing to protect personal data transfers to such jurisdictions must rely on (and, in cases of breach, take steps to enforce) contractual terms restricting the use of the transferred data. Unauthorised use of personal data in this way is a matter of contract, rather than statutory law.

The Government has yet to make an announcement or release any documentation in relation to the submissions made during the consultation period and the Commissioner’s responses to the Consultation Document. Further updates will be forthcoming when the form the legislative amendments take is made public.

FTC Releases Details About December 7, January 28 Privacy Roundtables

On November 17, the Federal Trade Commission released the agenda of the first of three privacy round tables it will hold over the course of the next few months.  The first round table will occur on December 7 at the FTC Conference Center in Washington, DC, and will feature four panels entitled "Benefits and Risks of Collecting, Using, and Retaining Consumer Data," "Consumer Expectations and Disclosures," "Online Behavioral Advertising," and "Exploring Existing Regulatory Frameworks."

The FTC also announced that its second privacy round table will be held on January 28, 2010 at the University of California, Berkeley, School of Law.  The round table will focus on how technology affects consumer privacy, including its role in both raising privacy concerns and enhancing privacy protections, and will include specific discussions on cloud computing, mobile computing, and social networking.  The FTC has posed two questions for comment in advance of this round table:

  1. What role do privacy enhancing technologies play in addressing Internet-related privacy concerns?  Consider the efficacy of technological innovations in areas such as identity management systems, new means of providing consumer notice and choice, and emerging methods of ensuring accountability in data usage.  In framing comments, consider the costs and benefits of privacy-enhancing technologies in the following contexts:  cloud computing services; social networking sites; online behavioral advertising; the mobile environment; services that collect sensitive data, such as location-based information; and any other contexts you wish to address.  If privacy enhancing technologies do play a role in resolving privacy concerns, discuss whether and how to create incentives for the development and adoption of such technologies, and ways to ensure they are effective and useful to consumers.
  2. What challenges do innovations in the digital environment pose for consumer privacy, and how can those challenges be addressed without stifling innovation or otherwise undermining benefits to consumers?  For example, consider the technology and business practices that enable greater collection, use, and distribution of consumer data, including evolving methods of observation and tracking; techniques for correlating data, including the re-identification of anonymized data; the merging of data between on-line and off-line environments; and the emergence of third-party application developers in online platform environments.

The FTC currently is soliciting requests to participate as panelists in this second round table, as well as recommendations for topics for inclusion in the agenda, which are due by December 9.  Comments or additional research on the topics will be considered prior to the second round table if they are received by December 21.

Details have not yet been released for the third and final privacy round table, which is to be held on March 17, 2010 in Washington.

French CNIL comments on nanotechnologies

On October 15, 2009, the French Data Protection Authority, the CNIL, issued a white paper regarding the privacy risks of nanotechnologies.  In its white paper, the CNIL attempts to identify the privacy risks associated with RFID tags which are so small they can be injected into the human body.  The CNIL mentions RFID tags used to trace Alzheimer's patients, which the CNIL considers would satisfy the proportionality test set forth in French law.  Other tags, such as an RFID tag injected under the skin which permits nightclub users to pay for their drinks, are more problematic.

The risks outlined in the CNIL document are not unlike those already identified in connection with RFID devices and the “Internet of things.”  Of particular concern are the small size and potential ubiquity of tracing devices, both of which make it difficult for citizens to control the personal data that is collected about them.  The CNIL recommends application of Privacy by Design methodology to nanotechnologies so that privacy is incorporated into nanotechnology applications from the time of their initial design.  The same recommendation applies to security associated with these devices.  In fact, the CNIL emphasizes the security risks of potential viruses or malware which could be introduced into nanotechnologies so as to permit them to be used for improper purposes.  To prevent this, the CNIL recommends integrating security by design in nanotechnologies in a multi-disciplinary and cooperative approach.

The CNIL mentions several key principles that should guide any nanotechnology application, such as the right for citizens to “turn off” the device thereby guaranteeing the right to “be forgotten” and to remain anonymous. 

In its white paper the CNIL also recommends clear labeling of nanotechnology applications, comparing nanotechnologies to genetically modified foods for which France has required special labeling which informs consumers about the product being purchased before actual purchase.  The CNIL further suggests that French law should be broadened to ensure that the CNIL has responsibility to implement these general principles, although it does not suggest specific language or legislation.

In conclusion, the CNIL’s consultation document regarding nanotechnologies is not fundamentally different from the European Commission’s recommendations on RFIDs, except that the CNIL puts more emphasis on bio-ethic issues, undoubtedly due to the fact that many of the nanotechnology applications will somehow be linked to the human body, which obviously raises significant privacy issues.

The CNIL's paper was issued as part of a national debate on nanotechnologies, organized by the French government in the Spring of 2009.

Amendment to French HADOPI "three strikes" law adopted by parliament

This past June France enacted an Internet anti-piracy law commonly known as the "HADOPI" or "three strikes" law, because after a certain number of warnings an online infringer's Internet access would be cut off.  On June 10th, the French Constitutional Court found a portion of the law unconstitutional.  Specifically, the court held that because terminating an individual's Internet access affects that individual's right to free expression, a fundamental right, a decision to terminate access must be made by a court after a careful balancing of interests.  Because the HADOPI law gave Internet access termination power to an agency, the court held that grant of authority unconstitutional.  Further background on this decision can be found in our update on the HADOPI law and the French Constitutional Court's decision.

On September 22, 2009, the French parliament passed a bill intended to remedy the enforcement gap left by the court's decision.  This bill, known as HADOPI 2, empowers French courts, instead of the HADOPI administrative agency, with the authority to cut off the Internet access of copyright infringers or of individuals who are manifestly negligent in their duty to protect their broadband access line against illegal downloading.

The cornerstone of the new law is an affirmative duty imposed on French broadband subscribers to take measures to ensure that their broadband access is not used for infringing file sharing.  If the subscriber ignores this duty and the broadband access is used for illegal downloading, the subscriber of the line may have his or her Internet access cut off for a limited time.  If the subscriber installs certain approved protection technologies (and no one is yet sure what those technologies will be), the subscriber will be deemed to have fulfilled his or her duty of care.

The new law, like the first HADOPI law, will be scrutinized by the Constitutional Court, so the game's not over yet.  

Later this fall, the French government will publish several decrees intended to define how the new administrative authority authorized by HADOPI will operate, as well as how the privacy aspects of this law (for example, the handling of IP addresses) will be dealt with.  The French CNIL will need to authorize copyright societies to collect IP addresses and send them to the new administrative authority.

Further background reading on this topic can be found in the English translation of the French Constitutional Court's June 10, 2009 decision, which contains fascinating language on the appropriate balance between copyright, privacy and freedom of expression.  It is similar to the European Court of Justice's decision in the Promusicae case:  none of the rights is absolute, a balancing between copyright and privacy is permitted, but it has to be done with care.  For those of you wondering whether the right to privacy is part of the French constitution, it is, as set forth in paragraph 22 of the French Constitutional Court's decision.

French speakers can read the text of the HADOPI 2 law here, or watch the video of French Minister of Culture Frédéric Mitterrand's opening statement before the National Assembly.