EU Article 29 Working Party Decrees Strict Opt-In Standards for Behavioral Advertising Data Collection

On June 22, the Article 29 Working Party established by the 1995 European Directive on Data Protection published an opinion declaring that online advertisers who want to target ads by tracking consumers' surfing habits must obtain the consumers' affirmative opt-in consent to such data collection. At the same time, the Working Party lauded certain privacy-enhancing practices incorporated into behavioral advertising today and it encouraged industry to develop technologies to comply with the framework and “to exchange views” with the Working Party on the use of such technologies.

Behavioral Advertising is Regulated in the EU by Two Primary Sources

The Working Party explained that the behavioral advertising ecosystem is regulated in the EU by two primary sources. The first is Article 5(3) of EU Directive 2002/58 (the ePrivacy Directive), which requires organizations wishing to store or access information on an individual’s computer to obtain the individual’s consent before doing so. The amended ePrivacy Directive is to be implemented in the national laws of EU member states by May 2011.

The Opinion explained that since behavioral advertising relies on the placement of cookies (small data files) on individuals’ computers to aid in the tracking of their web browsing habits, the ePrivacy Directive applies. In addition, the Opinion went on to specify that if the behavioral advertising involves the collection of any personally identifiable information (PII), including an individual’s IP address (which is recognized as PII in the EU), then the EU Directive 95/46/EC (the Data Protection Directive) also applies.

Opt-In Consent Requirement and Opt-Out Deficiencies Explained

The major theme of the opinion is that under the ePrivacy Directive, meaningful, informed consent must be obtained from an individual before any information is collected and used for behavioral advertising purposes. The opinion went a long way in discussing what the Working Party considers to be meaningful consent in the behavioral advertising context.

Currently, consumers can "opt out" of behavior tracking through control panels offered by certain online advertising services or by relying on default web browser settings through which Internet users automatically accept all cookies that websites request to place on their computers. Users are therefore automatically “enrolled” in behavioral advertising, and can only stop the practice (if they know it is occurring) by blocking or deleting cookies.

The Working Party rejected this “opt-out” approach, concluding that it does not sufficiently allow individuals the ability to exercise choice on whether to share their information with behavioral advertisers. Instead, it stated that notice to individuals should explicitly reference the ad network that will place the cookie and describe how the information will be used once it is collected. Then, the individual should be given the opportunity to “opt in” to the sharing of their information for behavioral advertising purposes. 

Once a user opts in, separate consent would not need to be obtained every time the user visited a website participating in the ad network, but separate consent would need to be periodically obtained (the opinion did not specify a time period) and the user would need to be afforded the opportunity to easily revoke consent.

Room for Innovation

While the Working Party charted a path for behavioral advertisers to follow in the EU, it also left room for behavioral advertisers to deviate from that path, so long as they utilize methods to ensure that users understand and sufficiently consent to behavioral tracking. Specifically, the Working Party cited the Future of Privacy Forum’s efforts in developing icons to place on targeted ads with links to additional information, and called these efforts an example “which the Working Party finds both positive and necessary.” It also recognized tools that enable users to access the preference profiles maintained about them by ad networks, and to modify them and erase them if desired. A final area that the Working Party cited for improvement was the provision of privacy-protective default settings for web browsers, a development it called “paramount.”

Other Obligations

The Working Party drew on other legal sources, most prominently the Data Protection Directive, to list some other obligations for those engaging in behavioral advertising. Specifically, it stated that:

Continue Reading...

Supreme Court Rejects Privacy Claim for Referendum Petition Signers

The Supreme Court has ruled in Doe v. Reed that the names of people who signed petitions in an attempt to overturn a law providing expanded rights for same-sex couples in the State of Washington must be made public. In this 8-1 decision, in which the Chief Justice delivered the opinion of the Court, with Justice Thomas dissenting, the Court rejected the Petitioners' First Amendment argument that signing petitions to obtain a referendum is constitutionally protected political speech which requires anonymity.

A group called Protect Marriage Washington sought to shield the names of the 138,000 people who signed petitions to obtain a referendum on what they labeled the "everything but marriage" same-sex domestic partner law. In November, voters in the State of Washington upheld the new statute through the referendum. The Petitioners argued that publication of the names would subject the people who signed the referendum petitions to potential harassment. The State argued that there were laws in place to protect people who might be threatened and that open government required transparency regarding who was behind a proposed change in state law.

On October 9, 2009, the United States Court of Appeals for the Ninth Circuit reversed a Seattle federal district court decision that had shielded the petition signers' identities, finding that signing a petition in public is not an anonymous activity, that other petition signers could see the names, and that government officials would be verifying the signers' identities. The Supreme Court stayed that ruling.

Today's ruling rejected  the Petitioners' broad challenge to the Washington statute under the First Amendment but left open the possibility of a successful challenge to the law "as applied" if specific facts warrant, an issue that may be pursued in the district court. 

The case has potential significance not just for the transparency of the referendum process, but also for other "open government" laws, such as those requiring disclosure of who contributes to political campaigns.

Supreme Court Finds Public Employer's Search Motivated By Legitimate Work-Related Purposes Did Not Violate Fourth Amendment Protections Against Unreasonable Searches

Yesterday, the Supreme Court reversed a decision of the Ninth Circuit in City of Ontario v. Quon and unanimously decided in favor of a public employer that had engaged in a review of employee text messages for a legitimate work-related purpose.

Justice Kennedy, writing for all members of the Court except Justice Scalia (who supported the outcome in a concurrence) expressly avoided a decision on what expectation of privacy might be reasonable in new communications devices.  "The Court must proceed with care when considering the whole concept of privacy expectations in communications made on electronic equipment owned by a government employer," he wrote.  Instead, the Court assumed the employee, a police officer in Ontario, California, had such an expectation of privacy in his text messages sent on a pager but found that the employer’s review of the messages for administrative/accounting reasons was not unreasonable.      

For background on the specific facts of the case, see our prior blog post regarding the oral argument before the Supreme Court and our discussion of the case after the Supreme Court granted certiorari.

As observed by Hogan Lovells in an Associated Press interview, “the decision made clear that ‘if the employer is doing something for a legitimate business purpose, it’s not likely to be [deemed by a court to be] unreasonable.’” Notably, Justice Kennedy, in responding to comments of Justice Scalia in his concurrence, observed that just as the public employer's search was reasonable because of its legitimate administrative/accounting purpose, it would also be "regarded as reasonable and normal in the private-employer context".

If, as seems likely, the legitimate business purpose of an employer's search becomes a primary focus of courts following this decision, an earlier private-employer e-mail privacy tort case, Smyth v. Pillsbury, C.A. No. 95-5712 (E.D. Pa. 1996), could have new vitality. Smyth held that the employer’s legitimate purpose for monitoring trumped an employee's expectation of privacy even where employees had been told by the employer that they would not be monitored.

That is not to say that employer policies limiting or eliminating expectations of privacy are not important, as the Court yesterday observed in dicta:

[E]mployer policies concerning communications will of course shape the reasonable expectations of their employees, especially to the extent that such policies are clearly communicated.

Notably, the Court’s discussion of appropriate employer policies was in the context of the issue it did not decide, the reasonable expectation of privacy of the employees. But as we reported recently with respect to a New Jersey Supreme Court case on private employer monitoring, employer-set expectations are still very important when it comes to the boundaries for employer searches of electronic communications.

While the Court expressly did not resolve fundamental issues concerning employees’ expectation of privacy in workplace electronic communications, private employers are well-advised to continue: (1) implementing workplace monitoring policies that clearly communicate the scope of employer rights to monitor workplace electronic communications (over any medium); (2) deploying appropriate training and other practices to minimize the risk that an employer’s actions might undermine its official policies through mixed signals (and therefore result in employees having an expectation of privacy); and (3) engaging in monitoring only for “legitimate, work related purpose[s]” that are not “excessive in scope."

FCC and FDA to Hold Public Forum Regarding Wireless Medical Technology; Public Comments Sought

The Federal Communications Commission and the Food and Drug Administration jointly announced this week an upcoming public forum to discuss the review process for “Life-Saving Wireless Medical Technology.” The joint public forum is scheduled for July 26-27, 2010 and written comments in advance of the meeting are due June 25, 2010.

The FCC and FDA share joint regulatory authority over wireless-enabled medical devices, most notably those relying upon commercial broadband wireless networks to relay patient information back to providers. As described in the FCC news release, “[t]he joint public meeting . . . reflects a commitment by the two agencies to work even more closely to ensure the safety and reliability of [these] devices while increasing their availability to consumers and health care providers. This collaboration is a critical step in the development and approval of new wireless medical devices . . . .” The two agencies expressed a desire to develop a collaborative, streamlined process for review of new devices.

The accompanying Public Notice included a list of questions on which the agencies are seeking written comments in advance of the public forum. These topics include:

  • Data integrity and reliability issues arising from the use of allocated spectrum, the use of unlicensed devices, and the use of commercial networks and applications, and needs, uses, and risks for ‘medical-grade’ wireless technology and communications.
  • Medical device and system security issues including inadvertent and intentional intrusion.
  • Views on current FDA and FCC regulatory requirements, including the relationship between FDA approval/clearance and FCC certification of applications, and post-market and compliance requirements.

The request also solicited comments on additional topics appropriate for inclusion in the forum.

New FCC Proceeding Seeks Comment on Potential Exemptions to Telemarketing, Autodialer, and Prerecorded Message Restrictions

The Federal Communications Commission (FCC) issued a Public Notice seeking comment on a Petition for Expedited Clarification and Declaratory Ruling (Petition) filed by Global Tel*Link Corporation (Global Tel) regarding its outbound calling practices.  The Petition raises several key issues under the Telephone Consumer Protection Act (TCPA) and related FCC rules, including whether certain calls (e.g., non-telemarketing calls) should be exempt from some of the TCPA’s restrictions on the use of prerecorded messages and autodialers.  Given the broad applicability of the TCPA and the FCC’s rules, this new proceeding could affect any company that places calls using prerecorded messages or autodialers.

The TCPA and the FCC’s rules prohibit, among other things, the use of automatic telephone dialing systems (“autodialers”) or artificial or prerecorded messages when calling, inter alia, telephone numbers assigned to wireless services, absent an emergency or the “prior express consent” of the called party.  Of note, the restriction against placing these calls to mobile phones without prior express consent applies regardless of whether the call is a “telemarketing” call.  The TCPA and the FCC’s rules also make it unlawful to place a non-emergency telephone call to a residential line “using an artificial or prerecorded voice” without the recipient’s “prior express consent” (although there are some exceptions).   

As described in the Petition, Global Tel provides outbound calling services for prison inmates.  For certain outbound calls (e.g., some calls from inmates to mobile phone numbers), Global Tel sets up a billing arrangement with the called party before connecting the called party to the inmate.  For example, when the inmate places a call, Global Tel initiates an “automated interactive voice response notification” to:

  • inform the called party that an inmate is trying to make contact;
  • get consent for the call; and
  • establish the billing arrangement. 

Global Tel then puts the call through. 

Concerned that these inmate calls could expose the company to liability under the TCPA and the FCC’s rules, Global Tel has asked the FCC to exempt the calls from TCPA enforcement.  For example, Global Tel argues that the calls to landline phones serve no commercial purpose, are not an unsolicited advertisement, and include an opt-out mechanism so that called parties can avoid future calls.  Regarding calls to mobile telephone numbers, Global Tel argues, among other things, that it can be presumed that the inmate has dialed a cell phone number because that is the number at which the called party wishes to be reached.  Moreover, the called party may have only a wireless phone (and not a landline phone).  Separately, Global Tel argues that its calls do not involve the use of an autodialer or predictive dialer.

Although the Petition is focused on Global Tel’s situation, the FCC’s decision in this proceeding could affect many companies that rely on the use of prerecorded messages or autodialers as part of their communications strategy.  Nonetheless, the FCC has established a very short comment period for this item – comments will be due just 15 days after the item appears in the Federal Register, and replies are due 25 days after the item appears in the Federal Register.

Regulations Imposing New Obligations on Entities Furnishing Information to Consumer Reporting Agencies Go into Effect on July 1

On July 1, 2010, final regulations will go into effect that impose new obligations on entities that furnish information about individuals (“data furnishers”) to consumer reporting agencies (“CRAs”) for use in reports about those individuals.  These regulations require data furnishers to institute reasonable policies and procedures that (1) ensure the accuracy and integrity of furnished information and (2) allow individuals to formally dispute the correctness of certain information that is furnished about them to CRAs directly with the data furnisher.

What Is a CRA, and Who Is a Data Furnisher?

The regulations were issued on July 1, 2009 jointly by a number of federal agencies pursuant to the Fair and Accurate Credit Transactions Act of 2003, which amended the Fair Credit Reporting Act (“FCRA”).  Under the FCRA, a CRA is generally defined as an entity that regularly engages in assembling any information about individuals for the purpose of providing a report to a third party bearing on the individual’s creditworthiness, character, general reputation, personal characteristics, or mode of living, where such a report is expected to be used as a factor in establishing the individual’s eligibility for personal credit, insurance, or employment purposes.  As the name sounds, the most common type of CRA is a credit bureau, but companies that perform background checks for employment purposes, or compile such information about a company’s employees to report for employment purposes, are also considered CRAs.

Accuracy and Integrity Rules and Guidelines

The accuracy and integrity rules within the new regulations require data furnishers to “establish and implement reasonable written policies and procedures regarding the accuracy and integrity of the information relating to consumers that it furnishes to a consumer reporting agency.”  “Accuracy” means that information furnished about an individual correctly:

Continue Reading...

ONC Launches New Privacy and Security Workgroup

The Office of the National Coordinator for Health IT (ONC) has organized a workgroup under the auspices of the HIT Policy Committee to take forward a range of privacy and security issues and keep policy on them consistent. This new “Privacy & Security Tiger Team” will be co-chaired by Deven McGraw, Center for Democracy & Technology, and Paul Egerman, a health IT consultant, and comprised of members of the Health IT Policy and Standards Committees, as well as of the National Committee on Vital and Health Statistics (NCVHS).


The Tiger Team will work over the next few months to address the privacy and security requirements of the HITECH Act, as well as the needs of the new organizations – such as state health information exchanges and regional health IT extension centers – created under that law. The group held its first meeting June 9 and at it discussed: at what level its policy recommendations should be; the overarching issues raised by NHIN Direct; and what privacy and security frameworks should be in place.


The group met again on June 10 to continue its discussions. ONC expects the Tiger Team’s work to be completed by late fall 2010.

California Public Utilities Commission Proposed Decision Lays Out Smart Grid Deployment Plan Requirements

By Eric Bukstein

As energy companies across the country are gearing up to start providing electrical service through “Smart Grids,” California is one of the first jurisdictions to begin creating a regulatory framework for the operation of a Smart Grid.  On May 21, 2010, the California Public Utilities Commission (“CPUC”) issued a proposed decision, authored by Commissioner Nancy Ryan, providing California energy companies with details on what information must be included in any Smart Grid deployment plans submitted to the CPUC by a July 1, 2011 deadline.  The CPUC currently is taking comments on the decision, which will be considered and finalized by the entire commission.  While the proposed decision addresses some privacy and data security issues, the CPUC stated that further proceedings will focus more specifically on information access and privacy protections.

Smart Grids provide for a two-way flow of information and electricity, allowing both customers and utilities more control over energy consumption and costs, increasing the reliability of the energy grid, and allowing for a more efficient delivery of energy.  Utilities’ use of smart grids raises privacy concerns because of the possibility of linking personal information to granular details about energy use.  For an excellent background on Smart Grids and the privacy issues they present, see the white paper, Smart Privacy for the Smart Grid: Embedding Privacy in the Design of Electricity Conservation, co-authored by Hogan Lovells partner, Christopher Wolf.

CPUC’s proceeding started after the California legislature passed a law in September of 2009 requiring the CPUC “to determine the requirements for a Smart Grid deployment plan” by July 1, 2010.  This decision was the result of a year of proceedings in which the CPUC received comments from stakeholders as to how to best implement this law and move toward the deployment of a Smart Grid. 

The CPUC’s proposed decision addresses many issues beyond privacy, laying out eight topics that a utility company’s Smart Grid deployment plan must address. The CPUC specifically added Grid Security and Cyber Security Strategy to the list of topics initially suggested by utility companies. The full list of categories is as follows:

1. Smart Grid Vision Statement;
2. Deployment Baseline;
3. Smart Grid Strategy;
4. Grid Security and Cyber Security Strategy;
5. Smart Grid Roadmap;
6. Cost Estimates;
7. Benefits Estimates; and
8. Metrics.

Regarding privacy and data security, the proposed decision asks utility companies to assess these issues in two areas.  First, as part of a privacy impact assessment to be included in a baseline report (item 2 above), which analyzes current practices, the utility company must address the following questions:

  • What data is the utility now collecting?
  • For what purpose is the data being collected?
  • With whom will the utility currently share the data?
  • How long will the utility currently keep the data?
  • What confidence does the utility have that the data will [sic] is accurate and reliable enough for the purposes for which the data is used?
  • How does the utility protect the data against loss or misuse?
  • How do individuals have access to the data about themselves?
  • What audit, oversight and enforcement mechanism does the utility have in place to ensure that the utility is following their own rules?

Second, in a section of the proposed decision devoted to information security, the CPUC requires a utility company to describe “security strategies” that “address physical, cyber and human threats for grid operations with implementation of Smart Grid technologies.”  Each Smart Grid deployment plan needs to discuss how it will incorporate National Institute of Standards and Technology (“NIST”) requirements and guidelines into the security program of the utility.  The CPUC declined to adopt specific Smart Grid security standards at this time, but recommends that utility companies consult documents, prepared by NIST and the Department of Homeland Security, for guidance when preparing security plans.  The CPUC also directed that each deployment plan should contain a systematic risk assessment, including a “security audit based on industry best practices.”  This assessment should address:

"The prevention of, preparation for, protection against, mitigation of, response to, and recovery from security threats for the utilities’ advanced meter and communications infrastructure, distribution grid management, and distribution grid management with implementation of other Smart Grid technologies and infrastructure, including all major subsystems and utility storage of customer information."

Additionally, the CPUC orders that each deployment plan discuss the following questions:

  • What types of information about customers are or will be collected via the smart meters, and what are the purposes of the information collection?  Could the information collection be minimized without diminishing the specified purposes?
  • Does the utility have or expect to have other types of devices, such as programmable communicating thermostats (PCTs), which can collect information about customers?  If so, what types of information are collected, and what are the purposes of the information collection?  Could the information collection be minimized without interfering with the specified purposes?
  • What types of information, if any, does the utility plan to collect from the smart meter and HAN gateway?
  • How frequently will the utility take readings from the smart meter?  Is this frequency subject to change?  Will customers control this frequency?
  • For each type of information identified above, for what purposes will the information be used?  The purposes should be articulated with specificity, e.g., “targeted marketing” instead of “promoting energy efficiency.”
  • For each type of information collected, for how long will the information be retained, and what is the purpose of the retention?  Could the retention period be shortened without diminishing the specified purpose?
  • What measures are or will be employed by the utility to protect the security of customer information?
  • Has the utility audited or will it audit its security and privacy practices, both internally and by independent outside entities?  If so, how often will there be audits?  What are the audit results to date, if any?

Continue Reading...

BNA Webinar: Legal Landmines in Europe for Internet-Based Businesses

Readers of the Hogan Lovells Chronicle of Data Protection may be interested in this upcoming webinar featuring Hogan Lovells attorneys from Europe and the United States, as well as Google's European Privacy Counsel, Peter Fleischer.  This event is being produced by Pike & Fischer, a Bureau of National Affairs (BNA) Company.  Here is the Pike & Fischer/BNA announcement with link to registration information:

BNA Webinar
Legal Landmines in Europe for Internet-Based Businesses
June 30, 12:30 p.m. to 2:00 p.m. ET

So you think your business practices are EU-compliant? You could be blindsided by European laws and regulations that are foreign, in every sense of the word, to your accustomed way of doing business. The recent conviction of three Google executives by an Italian judge is one notable example. Don't be caught off guard. Join Pike & Fischer's panel of legal experts as they expose European laws (both enacted and proposed) that potentially render U.S.-based Internet businesses liable for intellectual property, privacy, e-commerce, speech, and other violations.

Peter Fleischer, Global Privacy Counsel, Google, and Winston Maxwell and David Taylor, both partners with Hogan Lovells in Paris, will cover a wide range of topics, including data retention obligations, collection of personal data, and liability for user-generated content. The session will be moderated by Christopher Wolf, Partner, Hogan Lovells in Washington, DC.  

For further information: http://www.pf.com/eventDetail.asp?id=105&type=1.

Second Revision of People's Republic of China Consumer Rights and Benefits Protection Law Includes Data Privacy Rules

This post was provided by Julia Peng of Hogan Lovells' Beijing office.

On 19 October 2010, the People’s Republic of China (“PRC”) State Administration of Industry and Commerce ("SAIC") issued the Second Revision of the PRC Consumer Protection Law (Draft for Comments) (the "Draft Consumer Law"). A significant addition to the Draft Consumer Law is a provision for the protection of consumers’ personal data.

According to Article 14 of the Draft Consumer Law, consumers enjoy the right to have their personal data protected when purchasing and using goods and services. The same article also clarifies the scope of the personal data which is protected. It includes a consumer's name, gender, age, profession, contact details, health condition, family, property, purchase records and other information closely related to the consumer or their family.

Continue Reading...

Reform of Hong Kong's Personal Data Privacy Legislation: Public Consultation Period Ends

This post was provided by Gabriela Kennedy and Olivia Lennox-King Stewart of Hogan Lovells’ Hong Kong office.

The Constitutional and Mainland Affairs Bureau (the "CMAB") published a Consultation Document on the Review of the Personal Data (Privacy) Ordinance (the "Consultation Document") on 28 August 2009, inviting comments on the proposed amendments. The consultation period closed on 30 November 2009.

Prior to the Consultation Document being released, the Privacy Commissioner for Personal Data presented to CMAB and the Government the results of his own review of the Personal Data (Privacy) Ordinance (the "Ordinance"). The Consultation Document included some but by no means all of the issues captured in the Commissioner’s review.

In November 2009, the Commissioner released his submissions on the Consultation Paper, responding to the proposals CMAB had formulated. The Commissioner states in his submissions that they were intended to "let the public know more about the issues before making their submissions", and noted that the Government's proposals were "more moderate and conservative than those made by the Commissioner".  

Continue Reading...