UK's ICO Issues Code of Practice on Online Privacy

This month saw the launch of the ICO's first code of practice on online privacy, following extensive consultation earlier in the year. The code provides good practice advice for organisations providing goods and services using the web and explains how the Data Protection Act applies to the collection and use of personal data online.

The code is divided into seven chapters and also includes a helpful annex and a glossary of terms for those less familiar with online jargon. You can read on for our summarised highlights of the code, but we also recommend reading the full guidance document on the ICO website. It should be of particular interest to businesses engaged in behavioural advertising, online sales and cloud computing.


EU's Article 29 Working Party Provides Substantial Guidance

Quentin Archer, a partner in the London Office of Hogan Lovells, provides this report

The Article 29 Working Party (set up under Article 29 of the European Data Protection Directive) has been very productive over the last month as the summer holidays approach, issuing four opinions, one report and one set of FAQs.  In recent years we have come to expect these spikes in publications at the middle and end of each year, which are perhaps more a product of the Working Party's internal approvals process than any indication of unusual activity. 

Behavioral Advertising

In June, the Working Party issued Opinion 2/2010 (WP171) on online behavioral advertising.  The Working Party notes that both the E-Privacy Directive and the Data Protection Directive are relevant to online behavioral advertising, and goes into some detail on the requirements of the E-Privacy Directive (amended in 2009) that cookies should be employed for this purpose only with the informed consent of users.  It recommends that advertising network providers should limit in time the scope of consents given by users, offer the possibility for consents to be revoked easily and create visible tools to be displayed where monitoring takes place.  In relation to general data protection obligations, it emphasizes the importance of transparency regarding processing of personal data and points out that the responsibility for ensuring transparency will be shared between different service providers in relation to behavioral advertising.  However, the Working Party does not prescribe how legal obligations should be fulfilled from a technological point of view, and instead invites industry to undertake a dialog with it to explore how the legal framework set out in the Opinion can be satisfied.

For a more detailed discussion of the provisions of this opinion, see our analysis here.

Controller-Processor Standard Clauses

On 12th July 2010, the Working Party issued FAQs (WP176) designed to address issues raised by the entry into force of the Commission Decision of 5th February 2010 on the new controller-processor standard clauses.  Several of the FAQs address the situation where personal data is transferred from an EEA-based controller to an EEA-based processor and then to a non-EEA-based sub-processor, which is not specifically contemplated by the new clauses.  As the new clauses cannot be used to effect this, the Working Party suggests different solutions to address the problem.  The remainder of the FAQs answer a variety of questions which might arise where the processor to whom the data are transferred is located outside the EEA, such as whether a data exporter's consent to sub-processing must be specific or can be general, and whether sub-processing agreements can be made in respect of more than one data exporter.

Data Retention

On 13th July, the Article 29 Working Party issued Report 01/2010 (WP172) on its second joint enforcement action, which concerned the implementation of the Data Retention Directive (Directive 2006/24/EC).  The Data Retention Directive derogates from the provisions of the E-Privacy Directive by requiring Member States to ensure that certain categories of communications data are retained for periods of not less than six months and not more than two years.  This is in contrast to the general principle in Article 6 of the E-Privacy Directive, which requires such data to be erased or anonymised when it is no longer needed for the purposes of the transmission of a communication.

The data protection authorities of 25 EEA member states contributed to the joint enforcement action, circulating questionnaires and conducting onsite investigations in certain cases.  It was discovered that there were significant differences between Member States regarding retention of internet services traffic data, with variations in retention periods.  A more uniform picture emerged in relation to the retention of telephone traffic data.  The Working Party established that there was inconsistent implementation at domestic level as a result of differing views over the scope of the Directive, notably whether it was meant to be a derogation from the general obligation to erase traffic data upon conclusion of an electronic communication, or whether instead it affected only data which providers were already allowed to store for subscriber billing and interconnection payments purposes in accordance with Article 6(2) of the E-Privacy Directive.  The Working Party recalled its previous opinions on the Data Retention Directive and (awaiting the decision of the Commission as to whether or not to amend or repeal the Directive) it laid down specific recommendations to ensure increased harmonization, more secure data transmission and standardized handover procedures.

For a more detailed discussion of the findings of this report, see our analysis here.

Accountability

Also on 13th July, the Working Party issued Opinion 3/2010 on the principle of accountability (WP173). The Opinion proposes that a new principle on accountability should be introduced (as part of amendments to the Data Protection Directive) which would require data controllers to put in place appropriate and effective measures to ensure that the principles and obligations set out in the Directive are complied with, and to demonstrate this to supervisory authorities upon request.  It is hoped that this will provide a practical means of ensuring the observance of data protection rules as well as helping data protection authorities in their supervision and enforcement tasks.

FEDMA

The third opinion, also adopted on 13th July was Opinion 4/2010 on the European Code of Conduct of FEDMA for the Use of Personal Data in Direct Marketing (WP174).  The approval of draft community codes of conduct is anticipated in Article 27(3) of the Data Protection Directive, and indeed the European Code of Conduct of FEDMA (the Federation of European Direct and Interactive Marketing) had been the subject of a previous favorable opinion of the Working Party in June 2003.  The subject matter of the present Opinion was an annex to the Code dealing with the specific problems created by the on-line world, with special reference to provisions designed to protect children.  The annex (which is exhibited to the Opinion) was approved by the Working Party and FEDMA was encouraged to promote it within the direct marketing sector.

RFID

The final 13th July opinion is Opinion 5/2010 (WP175) on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications.  The Opinion comments on an industry framework for RFID privacy impact assessments (PIAs).  Although the Working Party agreed with the broad structure of the industry proposal, it raised three concerns:  (1) no section of the PIA requires the RFID operator to identify the risks associated with the RFID application; (2) the proposed framework fails to encourage the RFID operator to identify risks to individuals arising from carrying RFID tags in everyday life; and (3) there is a lack of clarity regarding RFID tag deactivation in the retail sector.  As a result of these concerns, the Working Party stated that it could not endorse the proposed document.

Rep. Rush Introduces Privacy Bill to Regulate Collection and Use of Personal Information

On July 19, Rep. Bobby Rush (D-Ill.), chairman of the House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection, introduced a privacy bill, H.R. 5777, that would codify certain fair information principles into law for "covered entities" that collect, maintain, use, and transfer to third parties any "covered information" (consisting of personally identifiable information as well as any "unique identifier," including IP addresses).  Covered entities would be those that (a) store covered information from or about at least 15,000 individuals; (b) collect covered information from or about at least 10,000 individuals during any 12-month period; (c) collect or store "sensitive information" (defined as an individual's medical history, race or ethnicity, religious beliefs, sexual orientation or behavior, financial information, precise geolocation information, biometric data, or Social Security number); or (d) use covered information to study, monitor, or analyze the behavior of individuals as the entity's primary business.  The bill, titled the “BEST PRACTICES Act,” would require each covered entity, with some exceptions, to do the following:

  • Make specific privacy disclosures to individuals whose personal information it collects or maintains "in concise, meaningful, timely, prominent, and easy-to-understand notice or notices" in a manner to be specified by the Federal Trade Commission (FTC);
  • Provide individuals with a "reasonable means" to opt out of the information collection and use for non-operational purposes (though covered entities would be permitted to require consent to the collection and use as a condition of service to individuals with which it has a direct relationship);
  • Obtain opt-in consent before (a) disclosing covered information to third parties (except for joint marketing purposes); (b) collecting, using, or disclosing sensitive information; or (c) monitoring all or substantially all of an individual's Internet or computer activity;
  • Obtain opt-in consent to any "material" changes to privacy practices governing previously collected information or sensitive information;
  • Establish "reasonable procedures" to assure the accuracy of the covered information or sensitive information collected, assembled, or maintained, with the FTC issuing rules on what is "reasonable";
  • Upon request and subject to identity verification, provide individuals with "reasonable access" to, and the ability to dispute the accuracy or completeness of, covered or sensitive information about that individual if such information may be used for purposes that could result in an "adverse decision" against the individual, in a manner to be specified by the FTC;
  • Establish, implement, and maintain "reasonable and appropriate" administrative, technical, and physical safeguards for covered information stored and used by the entity;
  • Provide a process for individuals to file complaints concerning policies and procedures required by the bill;
  • Conduct a privacy risk assessment prior to the implementation of any plans by which the entity intends to collect, or believes there is a reasonable likelihood it will collect, covered or sensitive information from or about more than 1,000,000 individuals;
  • Retain covered or sensitive information only as long as necessary to fulfill a legitimate business purpose or comply with a legal requirement; and
  • Conduct periodic assessments to evaluate whether it is necessary to continue to retain information already collected, and whether ongoing information collection practices remain necessary for a legitimate business purpose.

The bill would provide exceptions from certain provisions for:

  • Covered entities that participate in FTC-sanctioned industry self-regulatory programs that provide alternate mechanisms for obtaining consumer consent to information collection and use.  These programs, at minimum, would be required to (a) provide a clear and conspicuous opt-out mechanism (which may be a preference management tool that will enable individuals to make more detailed choices about the transfer of covered information to a third party); (b) provide a clear and conspicuous mechanism to set communication, online behavioral advertising, and other preferences that, when selected by the individual, applies the individual's selected preferences to all covered entities participating in the program; and (c) establish procedures for the review of applications, periodic assessment of members, and enforcement of violations for covered entities participating in the program;
  • The collection, use, or disclosure of aggregated or anonymized information (allowing the FTC to set rules regarding the levels of aggregation or anonymization necessary to qualify for the exception); and
  • Activities covered by other federal privacy laws.

If enacted, the bill could be enforced by the FTC or state attorneys general, with civil penalties authorized up to $5,000,000 for each type of violation.  The bill also would create a private right of action for individuals whose covered or sensitive information is "willfully" collected or used without the required consent, allowing recovery of actual damages not more than $1,000, punitive damages, and costs and attorney's fees.  There would be a two-year statute of limitations.

This bill contains a number of provisions similar to a discussion draft of privacy legislation published by Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.) in May.  Like the Boucher-Stearns proposal (which has not been formally introduced), the Rush bill would usher in a series of stricter, European-style privacy protections for the collection and use of information, which is now regulated on an ad hoc basis by the FTC under its authority over unfair and deceptive trade practices in Section 5 of the FTC Act.

Rush will conduct a hearing on July 22 at 2:00 PM to discuss the bill and the Boucher-Stearns proposal.

EU Article 29 Working Party Report on ISP and Telecom Carrier Data Retention for Law Enforcement Purposes

Winston Maxwell, a partner in Hogan Lovells’ Paris Office prepared this entry.

On July 13, 2010 the EU’s Article 29 Data Protection Working Party adopted a report (http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp172_en.pdf ) describing how ISPs and telecom carriers retain traffic data for law enforcement purposes in Europe. The European Data Retention Directive 2006/24/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:EN:HTML) was supposed to harmonize national laws on data retention. But according to the working party’s report, harmonization is seriously flawed in a number of respects.


The report confirms what we have heard from a number of our communications clients: each Member State has slightly different rules for retaining traffic data for law enforcement purposes, particularly when it comes to IP-based communications. The retention periods differ from country to country, and the kinds of data to be retained are in many cases different as well. For a pan-European communications provider this creates a real headache, because specific procedures and systems have to be built for each Member State in which the provider does business.


Major Changes to the HIPAA Privacy, Security and Enforcement Rules Introduced in the HHS Proposed Rule

The Department of Health and Human Services (HHS) introduced sweeping changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Enforcement Rules in its Notice of Proposed Rulemaking issued on July 8. 

Some of the major changes introduced under the Proposed Rule include:

  • Business Associates and Business Associate Agreements — HHS modifies the current definition of business associate to explicitly include several new entities, most importantly subcontractors who create, receive or transmit protected health information (PHI) on behalf of business associates. Subcontractors who meet this criterion become business associates themselves and are consequently required to enter into business associate agreements with the business associates they serve and are subject to direct liability under the HIPAA Rules.

The Proposed Rule also makes a number of modifications to the business associate agreement contractual requirements, including (but not limited to) requiring that business associate agreements include language that requires business associates to report breaches of unsecured PHI to covered entities and, to the extent a business associate is carrying out any of a covered entity's Privacy Rule obligations, to comply with the relevant Privacy Rule requirements that apply to the covered entity.

The Proposed Rule proposes a one year transition period for compliance with the new business associate agreement requirements for certain existing contracts. 

  • Security Rule — The Proposed Rule makes § 164.306 of the Security Rule, which sets out general rules that apply to all standards and implementation specifications of the Security Rule, apply to business associates. HHS also introduces several other changes to the Security Rule with respect to business associates in the Proposed Rule.

  • Marketing — HHS proposes significant, complex revisions to the exceptions to the definition of "marketing" and solicits comments on a number of its proposals, including the distinction it draws in the Proposed Rule between treatment communications and health care operations communications.


Vice-President of the European Commission Announces Talks with US on an Umbrella Data Protection Agreement for National Security Purposes

In a speech at the Atlantic Council in Washington, DC on 9 July, Viviane Reding, Vice-President of the European Commission responsible for Justice, Fundamental Rights and Citizenship, announced that she has begun exploratory talks with the United States on a comprehensive EU-US agreement setting personal data protection standards that would apply whenever personal data needs to be transferred across the Atlantic for the purposes of police and judicial cooperation in criminal matters.  Vice-President Reding said:  "The aim is clear: to provide legal certainty to data transfers by ensuring that all these transfers are subject to high standards of data protection on both sides of the Atlantic."

Also appearing at the Atlantic Council with Vice-President Reding was Department of Homeland Security Secretary Janet Napolitano who, according to the Atlantic Council web site,

noted that the United States has a long tradition of insisting on personal privacy — and is in some ways, such as a cultural antipathy to national identification cards and showing passports at hotel check-ins and the like, even more privacy conscious than Europe— the fact of the matter is that protection of personal data does not rise to the level of fundamental right in our society. 

That difference in approach in the US from the EU, with its Charter of Fundamental Rights which very specifically guarantees a right to personal data protection, suggests that the road to a bilateral treaty will be long.

Likewise, the path to the EU recognizing the US as a country with "adequate protections" allowing the cross-border flow of personal data without the encumbrances of model contract clauses, the EU-US Safe Harbor or Binding Corporate Rules seems distant.  Still, at a dinner this author had with Vice-President Reding and her delegation following her Atlantic Council appearance (and her deposit of the new EU "Bill of Rights" at the National Archives), I was able to preview some of the themes of my upcoming presentation at the PLI Privacy Law Institute in Chicago on Monday, 19 July entitled "Is the Tide Turning? The Impact of the HITECH Act & Other Federal Regulation."  I conveyed to Ms. Reding that the time has come for the EU to reappraise the US level of protection given the FTC's "common law of consent decrees" through which specific rules on data protection have arisen, given the forty-six state data security breach notification laws which have prompted heightened attention to the protection of personal data, and given the application and enforcement of the many other sectoral and geographic privacy laws.


OCR Releases Proposed HITECH Privacy Rule -- Biggest Change to Health Privacy Law Since HIPAA

This morning the Office for Civil Rights (OCR) issued a notice of proposed rulemaking to modify the HIPAA Privacy, Security, and Enforcement Rules.  The proposed modifications would extend parts of the HIPAA Privacy Rule and virtually all of the Security Rule to the business associates of HIPAA covered entities, impose new limits on the use and disclosure of protected health information for marketing, prohibit the sale of protected health information without patient consent, expand individuals’ rights to access their information and permit patients to restrict the disclosure of certain information to health plans.  In addition, the proposed rule would strengthen and expand HIPAA’s enforcement provisions.  Comments will be accepted on the proposed rule for 60 days following publication in the Federal Register, which is currently scheduled for July 14, 2010.  Hogan Lovells attorneys are reviewing the proposed rule and will post highlights shortly.

Twitter Consent Order Evidences Broader Scope of FTC Information Security Enforcement

On June 24, the FTC announced a proposed consent order with social networking service provider Twitter, Inc. The Twitter investigation is consistent with the FTC’s longstanding interest in policing the data privacy and security practices of social networking services, dating back to the FTC’s first online privacy case against Geocities in 1998.  

Within the general framework of FTC information security jurisprudence, this investigation reflects three noteworthy developments. First, the investigation demonstrates the broad reach of FTC Act § 5 concerning data security, extending well beyond protection of the kinds of data traditionally considered sensitive (e.g., Social Security Numbers and payment card numbers). Second, the complaint introduces security expectations, concerning controlling administrator-level access to information systems, that had not been previously expressed by the FTC. Third, this enforcement action appears to show that the FTC considers the protection of personal information critical at all stages of the business lifecycle, from start-up to wind-down.

A. Data Security Obligations Are Not Limited to Sensitive Personal Information

The FTC alleges that lapses in Twitter’s data security practices resulted in unauthorized persons gaining access to user accounts containing mobile telephone numbers, email addresses, and IP addresses. Unlike prior data security investigations, there is no allegation that unauthorized persons gained access to the traditionally identified forms of sensitive personal information, such as SSNs, financial account numbers, government ID numbers, or consumer reports. Nor is there any allegation that the affected information revealed sensitive personal characteristics (e.g., medical conditions), either directly or as inferred from purchases. There may be a number of explanations for this departure from past precedent.

1. Consumer Expectations Influence Security Obligations

All the data types affected by the security incidents suffered by Twitter were stored in areas that were allegedly described by Twitter as non-public. Hence, the FTC concerns appear to stem in part from the fact that consumers submitted such information to Twitter under the impression that Twitter would prevent unauthorized sharing. Accordingly, consumer expectations, rather than any fixed list of data elements, may dictate the steps that a company is expected to take to protect such data. Such a standard may have far reaching implications for websites, particularly those that encourage visitors to build profiles that are not intended for public display, including social networking services that offer users the option of maintaining “private” (or otherwise limited access) profiles.  

2. Fraud Prevention

Among the consequences of Twitter’s alleged failure to secure its systems was the misuse of existing Twitter accounts to transmit fraudulent messages. The FTC does not discuss the public policy concerns posed by the transmission of fraudulent messages in any great detail. Nonetheless, concerns likely include reputational damage, particularly for public figures and businesses (e.g., the Twitter incident resulted in fraudulent tweets transmitted from the accounts of President Barack Obama and Fox News). In addition, recent press reports indicate that criminals have used compromised social network accounts to attack the account holder’s friends list with messages containing malicious software or fraudulent pleas for money.  

B. Securing Administrator Level System Access

The attacks perpetrated against Twitter allegedly exploited weaknesses in the security measures used to limit administrator level access. Because administrator level privileges allow users to manipulate the settings and content of individual user accounts, the attackers were then able to take control of numerous accounts to view private information and engage in fraudulent activity.  

The specific security lapses cited by the FTC included the failure to:

  • establish or enforce strong password policies;
  • prevent the storage of administrative passwords in plaintext in employees’ private email accounts;
  • suspend or disable administrative accounts after a number of failed login attempts;
  • provide a separate login page for administrative access the address of which was made known only to authorized users;
  • enforce periodic changes of administrative passwords (e.g., 90-day expiration);
  • restrict access to administrative controls based on employees’ job functions; and
  • impose other restrictions on administrative access, such as by restricting access to specified IP addresses.
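The list above is a checklist of controls rather than an implementation. As an added example (not part of the original post, the FTC complaint or Twitter's own systems), the following Python admin-login gate shows what each of those controls looks like in code: credentials stored as salted PBKDF2 hashes rather than plaintext, a minimum password policy, lockout after a fixed number of failed attempts, a 90-day password age limit, a source-IP allowlist for the administrative endpoint, and authorization tied to job function (roles). The account names, passwords, corporate network range, role map and thresholds are assumptions constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import os
import re
import time
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Policy values are assumptions for the example; the 90-day figure echoes the page's list.
MAX_FAILED_ATTEMPTS = 5
PASSWORD_MAX_AGE_SECONDS = 90 * 24 * 3600
PBKDF2_ITERATIONS = 200_000
SALT_LEN = 16

# Assumed role model: what each job function may do through the admin console.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "support": {"view_account", "reset_user_password"},
    "site_admin": {"view_account", "reset_user_password", "change_site_config"},
}


def password_meets_policy(password: str) -> bool:
    """At least 12 characters with upper, lower, digit and symbol classes."""
    return (
        len(password) >= 12
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this value is stored, never the password."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class AdminAccount:
    username: str
    password_hash: bytes
    roles: Set[str]
    password_set_at: float
    failed_attempts: int = 0
    locked: bool = False


class AdminGate:
    """Login and authorization checks for the separate administrative endpoint."""

    def __init__(self, accounts: Iterable[AdminAccount], allowed_networks: Iterable[str], clock=time.time):
        self.accounts = {a.username: a for a in accounts}
        self.allowed_networks = [ipaddress.ip_network(n) for n in allowed_networks]
        self.clock = clock
        # Dummy hash so an unknown username costs the same as a real one (no timing-based enumeration).
        self._dummy_hash = hash_password(os.urandom(16).hex())

    def _ip_allowed(self, source_ip: str) -> bool:
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self.allowed_networks)

    def login(self, username: str, password: str, source_ip: str) -> Tuple[bool, str]:
        if not self._ip_allowed(source_ip):
            return False, "ip_not_allowed"          # admin console reachable only from the allowlist
        account = self.accounts.get(username)
        if account is None:
            verify_password(password, self._dummy_hash)
            return False, "bad_credentials"
        if account.locked:
            return False, "locked"
        if not verify_password(password, account.password_hash):
            account.failed_attempts += 1
            if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
                account.locked = True               # disable after repeated failures
                return False, "locked"
            return False, "bad_credentials"
        if self.clock() - account.password_set_at > PASSWORD_MAX_AGE_SECONDS:
            return False, "password_expired"        # force rotation before granting access
        account.failed_attempts = 0
        return True, "ok"

    def authorize(self, username: str, action: str) -> bool:
        """Restrict administrative controls by job function."""
        account = self.accounts.get(username)
        if account is None or account.locked:
            return False
        return any(action in ROLE_PERMISSIONS.get(role, set()) for role in account.roles)


FIXED_NOW = 1_700_000_000.0  # frozen clock so the example is deterministic


def build_demo_gate() -> AdminGate:
    """Constructed sample data: one fresh support account, one site admin with a stale password."""
    alice = AdminAccount("alice", hash_password("Correct-Horse-Battery-9!"), {"support"}, FIXED_NOW)
    bob = AdminAccount("bob", hash_password("Stale-But-Valid-Pass-1!"), {"site_admin"},
                       FIXED_NOW - 91 * 24 * 3600)
    return AdminGate([alice, bob], ["10.0.0.0/8"], clock=lambda: FIXED_NOW)


if __name__ == "__main__":
    gate = build_demo_gate()
    print(gate.login("alice", "Correct-Horse-Battery-9!", "10.1.2.3"))
    print(gate.login("alice", "Correct-Horse-Battery-9!", "203.0.113.5"))
    print(gate.login("bob", "Stale-But-Valid-Pass-1!", "10.1.2.3"))
```

The order of the checks matters: the IP allowlist is evaluated before any credential is touched, so an attacker outside the corporate range never gets a password oracle, and the password-age check runs only after a successful verification so that an expired password cannot be distinguished from a wrong one by an outsider.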

German Privacy Watchdogs Require More Scrutiny When Transferring Data to the United States Under the Safe Harbor

 Florian Unseld in the Hogan Lovells Munich office prepared this entry.  Florian specializes in data protection, information technology and intellectual property law. His work focuses on advising on all aspects of national and international data protection law including major cross-border projects. Florian also advises on the drafting and negotiating of contracts, software-licensing and the legal form and realization of IT-projects.

Introduction

The Düsseldorfer Kreis, the coordinating body of Germany's data protection authorities, has issued an opinion that requires additional steps of German entities using the EU-US Safe Harbor for the transfer of personal data from Germany to the United States.

This is a somewhat startling development as it previously was assumed that registration under the Safe Harbor by a US recipient of personal data from the EU was, by itself, adequate for the transfers to proceed.  Now, in Germany at least, greater diligence is required by the exporter of the data to the US to confirm that the Safe Harbor principles are followed by the recipient in the US.

The Düsseldorfer Kreis is a working group of representatives from Germany's sixteen state data protection authorities that provides a uniform "German" approach to data protection questions.  It issued a Decision (dated 28/29 April 2010) ("Decision") on the transfer of personal data from German companies to U.S. companies which are certified under the U.S.-EU Safe Harbor framework ("Safe Harbor"). The Decision responded to criticism of the Safe Harbor, in particular that (some) US companies represent that they are formally registered but do not adequately live up to the commitments the registration connotes. 

The representation by a U.S. entity that it is Safe Harbor certified now is not enough according to the Düsseldorfer Kreis because, in its view, European and U.S. regulators currently do not ensure that the U.S. companies comply with the self-certification.

The Federal Trade Commission in the United States is charged with enforcement of the Safe Harbor, to ensure that entities claiming registration are in fact registered and compliant.  See our previous report on FTC enforcement activity.  It appears that FTC enforcement power and its record of enforcement was inadequate in the eyes of the German officials.

What more is needed when the Safe Harbor is used for Germany-US personal data transfers?

German companies now are obliged to assess certain minimum criteria prior to transferring personal data to Safe Harbor-registered US companies:

(1) German companies exporting personal data must confirm that the US entity actually is registered under the Safe Harbor, and is not merely claiming that it is registered.

(2) There must be confirmation that the US recipient is fulfilling its Safe Harbor obligations: notice to individuals whose data is collected; specification of the purpose for which the data is collected and used; disclosure of whatever third parties subsequently receive the data once it is transferred to the US; provision of a mechanism for data subjects to limit the use and disclosure of the data; and a complaint process for data subjects.

(3) The German company must also document its assessment and provide its documentation to the competent data protection authority upon request.

(4) If any infringement of the Safe Harbor Principles or the expiry of a registration is detected, the data protection authorities should be informed.

Perspective

European regulators take data protection seriously and are taking steps to bolster enforcement. German companies transferring personal data to the US now have to be careful which Safe Harbor certified company they choose, or consider switching to other approved safeguards (e.g., Standard Contractual Clauses), an alternative the Düsseldorfer Kreis itself proposes.  It remains to be seen whether this additional level of Safe Harbor diligence will be required by other European regulators.
