Mideast Peace Talks, on Privacy

As the Data Protection Authority and Privacy Commissioner Conference in Jerusalem winds up, Hogan Lovells Privacy and Information Management Practice Leader Christopher Wolf shares this report published in the Huffington Post which he co-authored with his co-chair of the Future of Privacy Forum think tank, Jules Polonetsky:

Modern democracies agree that the issue must be addressed, but the path to agreement is rough. This may describe the current political situation in the Middle East, but it also describes the conundrum of a global framework to protect the personal information of individuals in an increasingly technological age. All sides recognize that personal privacy is exposed in ways never before seen, but what legal framework is best to ensure responsible data practices is open to great debate.

We live in a time when companies are compiling digital dossiers about us, and are collecting information about our web browsing, our searches and our shopping habits. Geo-location data from our mobile phones is allowing a wide range of services, and new forms of online technology also allow targeted, so-called "behavioral" advertising. The increasing use of social networks shows that people are more willing than ever to publish and share information about themselves, which provides an even richer trove of information that can be used to analyze consumers and predict their interests. And governments are eager to access the data in the name of national security.

Not all data collection and use is bad, of course. The use of online data subsidizes free content and enables new services. It is allowing us to better connect with each other. But lack of transparency about what is going on with personal data is a real problem, because it takes away personal control over who gets to see and use our information.

This week, in Jerusalem, regulators and policy-makers from around the world are meeting to discuss the best way to fix the world's increasing privacy problems. There will be no disagreement over the technological threats to privacy. But disagreement is likely on what framework is best to improve individual privacy protections in this technological age. In the EU and in Israel, the preferred legal framework is an across-the-board privacy law for all data, while the US takes a more focused, harms-based approach to the protection of privacy.

So how do we get an improved global baseline of privacy, one that allows people to understand what is going on with their information and that gives them control?

There is much to commend the mandate in the EU and Israel that all businesses that collect and use personal information must have privacy top of mind for all data. But even in the EU, there is an emerging understanding that specific privacy problems require more focused attention.

The hallmark of the current legal and regulatory privacy regime in the United States is its focus and flexibility. Lawmakers have enacted strict laws about financial privacy, health privacy, and children's privacy. They recognized that financial data, medical data and personal information of kids deserve priority protection. Other personal information is protected through enforcement actions initiated by the Federal Trade Commission and state regulators.

Indeed, while the US lacks a comprehensive across-the-board privacy law like that in the EU and Israel, our framework of shared lawmaking authority and targeted enforcement has led to better privacy protection than ever according to a new study by professors at the University of California at Berkeley. The threat of enforcement plays a large role in getting companies to better protect privacy. In the last year we have seen important steps by companies and trade groups that have real promise. For example, companies have started to venture beyond legalistic privacy policies and are using more intuitive symbols or icons to begin to alert users to different kinds of data use. And companies are coming together in voluntary, self-regulatory groups with new privacy standards.

Interestingly, the idea of self-regulation is gaining a foothold of sorts in the EU, just as legislative proposals for comprehensive privacy law have been introduced in the US Congress. So, while the privacy officials meeting in Jerusalem this week are unlikely to change their views on what is the best legal framework to protect privacy, they will have a chance to see the benefits of alternative approaches. This ultimately may lead to more common ground in the quest to protect the personal privacy of people around the world.

Wolf and Polonetsky are co-chairs of the Future of Privacy Forum, a think tank in Washington, DC that promotes responsible data practices.

Relatedly, see this report on proposals for reform of the EU Data Protection Directive and this report on the presentation Chris Wolf made at the Jerusalem conference on the effectiveness of the US enforcement model.

Word has it that the 33d Annual Conference of DPAs and Privacy Commissioners will take place in 2011 in Mexico, where a new national privacy law is being implemented. While it does not quite have the biblical ring of last year's proclamation upon the selection of Israel as the site of the DPA meeting, "Next year in Jerusalem": El año que viene en México! (Next year in Mexico!)

CFTC Proposes Rules on Affiliate Marketing, Data Disposal, and GLBA Privacy

On October 27, the Commodity Futures Trading Commission (CFTC) published two Notices of Proposed Rulemaking (NPRMs) proposing privacy rules under the Gramm-Leach-Bliley Act (GLBA) and affiliate marketing and data disposal rules under the Fair Credit Reporting Act (FCRA).

The rulemakings were prompted by the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act).

The CFTC, an independent federal agency, maintains oversight over the commodity and financial futures and options markets.  The Dodd-Frank Act creates two new categories of entities that are subject to CFTC jurisdiction:  “swap dealers” and “major swap participants.”  Thus, the CFTC has proposed that those two types of entities would explicitly be subject to the CFTC’s existing GLBA privacy rules, first issued in 2001. Those rules impose certain obligations regarding the treatment of consumers' nonpublic personal information - in particular, restricting the ability of a covered entity to disclose such information to a party not affiliated with that entity. 

The CFTC’s second NPRM proposes to implement sections of FCRA dealing with affiliate marketing and data disposal.  The CFTC's proposed affiliate marketing rule would closely resemble the affiliate marketing rules issued by the Federal Trade Commission and the federal banking agencies in late 2007. While the CFTC has joined those agencies in other rulemakings, it did not join that particular rulemaking.  However, the Dodd-Frank Act specifically authorizes the CFTC to issue rules implementing the affiliate marketing and data disposal provisions of FCRA.

As with the other agencies' affiliate marketing rules, under the proposed rule an entity generally could not use a consumer's "eligibility information" received from an affiliate to make marketing solicitations to that consumer unless the consumer had first been given notice that such marketing may occur, a reasonable opportunity to opt out of such use, and had not opted out.

The disposal rule would require entities subject to CFTC jurisdiction that possess or maintain consumer information to develop and implement written policies and procedures for the proper safeguarding and disposal of such information.  The policies and procedures would be required to address, among other things, administrative, technical, and physical safeguards for consumer information, including protections against unauthorized access to or use of such information in connection with its disposal.  Such requirements are similar to the disposal rules issued by the FTC and federal banking agencies in 2004.

The CFTC is proposing to make the rules effective on July 21, 2011, the planned "transfer date" on which certain authority over consumer protection matters is to be transferred from other federal agencies to the Consumer Financial Protection Bureau created by Dodd-Frank. 

Public comments are due on each proposal by December 27, 2010.

Hogan Lovells Presents to World Privacy Authorities in Jerusalem

The 32d Annual International Conference of Data Protection and Privacy Commissioners begins this week in Jerusalem.  Hogan Lovells Privacy and Information Management Leader Christopher Wolf will be a panelist and will present a paper entitled: "Targeted Enforcement and Shared Lawmaking Authority as Catalysts for Data Protection in the United States."  An article adapted from that presentation appears in this week's BNA Privacy and Security Law Report and BNA graciously has allowed us to provide a reprint of that article here.

The focus of the international privacy meeting in Israel will be the challenges presented to existing legal regimes by advances in technology and the willingness of people -- especially young people -- to share great amounts of personal information online. It is widely agreed that current laws need reexamination and possible revision in light of new ways to collect and share personal data. It is in that context that the "Targeted Enforcement and Shared Lawmaking Authority" paper is offered for international consideration to demonstrate effective aspects of US law.

The paper begins:

Modern democracies are committed to the protection of personal data. There are various approaches to achieving protection, ranging from the comprehensive regulatory approach of the European Union, to the harms-based APEC framework, to the sectoral and geographic approach of the United States, which relies heavily on Federal Trade Commission (FTC) enforcement against unfair or deceptive consumer practices and the combination of federal and state laws. The US framework frequently is criticized for the absence of a comprehensive privacy law. Indeed that perceived deficiency has resulted in a persistent finding by the EU that the US lacks “adequate protection” for personal data, requiring legal work-arounds for the cross-border transfer of personal data from the EU to the US. At the same time, there is global recognition of a need to re-examine privacy governance to cope with the implications of new technologies, and to protect generations of technology users.  

Without debating the primacy of one approach to the protection of privacy over another, it nevertheless is useful to look beyond labels and common perceptions to examine the effective aspects of the United States regime (emphasis supplied). This paper discusses the effectiveness of enforcement by the FTC under its jurisdiction to police unfair and deceptive practices, and the experience in individual states as incubators of new privacy and data security laws that have nationwide effects. It also highlights privacy-enhancing practices and technologies adopted by businesses aware of the advantages of self-regulation over prescriptive rules and the need to self-regulate and innovate to avoid restrictive regulation.

Read more here.

Big Changes in EU Privacy Law Coming?

Out of Brussels comes the news that the European Commission has circulated a document containing a draft strategy for improvements in data protection, including a long-awaited set of proposals for revamping of the EU Data Protection Directive. The proposals are prompted by the changes in technology and changes in the ways in which people share information since the adoption of the Directive in the 1990s. It appears that the Commission intends to propose both legislative changes and non-legislative steps to bring about the changes under discussion.

According to Bloomberg, "[c]hanges could be made to the document before regulators discuss it on Dec. 4. They will then ask for support from national governments and EU lawmakers before they draw up draft legislation in mid-2011." 

The key components of the new EU strategy appear to include:

  • The establishment of EU-wide registration forms for databases;
  • Specific new rules on privacy notices, including the promulgation of EU “standard form privacy information notices” and special rules with respect to minors;
  • New rules that strengthen and clarify the concept of consent to the collection, use and transfer of data;
  • New rules on data minimization;
  • The creation of a “right to be forgotten” by giving a right to demand deletion of data no longer needed for the purpose for which it was collected;
  • The creation of a right of “data portability,” allowing individuals to take their photos, medical records or a list of friends from an application or service and transfer them into another one;
  • New rules on what constitutes “sensitive data”;
  • New remedies for violations of privacy, including expanded criminal sanctions and empowering data protection authorities with the right to go to court;
  • The establishment of security breach notification rules;
  • Clarification on the legal rules that will attach to data stored in the cloud, regardless of the geographic location of the controller;
  • The possible introduction of an “accountability” principle to ensure compliance with data protection laws;
  • New rules that make the appointment of corporate Data Protection Officers mandatory, along with privacy impact assessments and the employment of privacy by design principles;
  • The encouragement of self-regulatory schemes and privacy seals;
  • Improvements in current procedures for international data transfers, in order to ensure a more uniform and coherent EU approach vis-à-vis third countries and international organizations;
  • Clarification of the Commission’s adequacy procedure and improved specification of the criteria and standards for assessing the level of data protection in third countries;
  • A re-definition of standard data protection clauses to be used in international agreements, contracts, binding corporate rules or other legally binding instruments;
  • Clarifying and strengthening the status and the powers of the national Data Protection Authorities in the new legal framework, including the concept of "complete independence";
  • Exploration of ways to improve the cooperation and coordination between Data Protection Authorities and to ensure better enforcement of EU rules, particularly on issues having a cross-border dimension. This may include strengthening the role of the Article 29 Working Party and providing it with additional powers in order to give a European response to breaches of data protection rules at EU level, or to create a European Data Protection Authority;
  • Enhancing international privacy enforcement in a cooperative fashion.

Any one of the proposed changes would be news, but taken together, they suggest a dramatic set of possible changes with respect to data protection in the EU. 

Society of Professional Journalists Call for FERPA Reform

At its recent annual meeting, the Society of Professional Journalists (SPJ) unanimously adopted a resolution calling for revision of the Family Educational Rights and Privacy Act (FERPA).  According to a report by the Student Press Law Center, SPJ Freedom of Information Committee Chairman Dave Cuillier said

[T]he need for a resolution on student privacy came about several years ago when the Columbus Dispatch did an investigation on abuse of the Family Educational Rights and Privacy Act. Since that time, many journalists continue to have access problems.  We want to make sure this issue stays alive because this is a huge problem.

The Resolution in its entirety appears here:

Ninth Circuit Holds that Courts May Not Impose Limits on FACTA Class Certification Based on Disproportionality or the Potential for Huge Statutory Damages

This post was prepared by Neil O'Hanlon and Robert Hawk of Hogan Lovells' Los Angeles and Silicon Valley offices, respectively.

Bateman v. American Multi-Cinema, Inc.

Executive Summary

The Ninth Circuit Court of Appeals in a class action seeking a substantial award of statutory damages under the Fair and Accurate Credit Transactions Act (FACTA) reversed the denial of class certification, holding that the lower court had abused its discretion in finding that a class action was not a superior method for adjudicating claims.

Background

The plaintiff alleged that the defendant had violated FACTA by printing more than the last five digits of consumers' credit or debit card numbers on electronically printed receipts, and the plaintiff sought to recover on behalf of himself and other putative class members statutory damages ranging from $100 to $1,000 for each willful (knowing or reckless) violation of FACTA. The district court in Los Angeles denied class certification, finding that a class action was not the superior method of litigating the case on three grounds: (1) the disproportionality between the potential liability and the actual harm suffered, (2) the enormity of the potential damages (ranging from $29,000,000 to $290,000,000), and (3) the defendant's good faith compliance with FACTA requirements within a few weeks following the filing of the lawsuit.

Ninth Circuit's Decision

In determining that the district court had abused its discretion in denying class certification, the Ninth Circuit noted that since at least 1972 many courts had denied class certification for "proportionality" reasons, on the basis that a class action was not a superior method of adjudicating claims when the defendant's potential liability would be completely out of proportion to any harm suffered by the plaintiff. The opinion noted that this reasoning has prevailed in the vast majority of district courts within the Ninth Circuit in cases where plaintiffs sought to certify classes in FACTA lawsuits.

The Ninth Circuit distinguished contrary authority by examining congressional intent in enacting the statutory damages provision in FACTA. In particular, it determined that the statute clearly provided for an award of statutory damages upon proof of a willful violation, without any cap on such damages in the case of class actions. The Ninth Circuit presumed that statutory damages serve a compensatory function, noting that FACTA also authorized an award of punitive damages in addition to any actual or statutory damages. Apart from compensating victims, statutory damages were also found to serve as a deterrent. Most importantly, the Court found that Congress had determined that the range of $100 to $1,000 per violation was appropriate compensation, and that a district court had no discretion to depart from the specified range. In tying the hands of the district court, the Ninth Circuit noted that although Congress had amended FACTA in other respects, it did nothing to limit the availability of class relief or the amount of aggregate damages. Furthermore, the Court noted that if district courts were permitted in their discretion to decide whether a potential award would be so disproportionate to the actual harm that a class action would not be the superior method of adjudication, such "unguided discretion" would result in non-uniform decisions about class certification.

Having disposed of the disproportionality argument, the Ninth Circuit made quick work of the district court's other two grounds for denying class certification. It concluded that although certification might result in an enormous potential liability for defendant, with the consequent pressure to settle and avoid the risk of potentially ruinous liability, this factor could not be properly considered in determining whether to certify a class in a FACTA action, in the absence of any supporting congressional intent. Furthermore, the Ninth Circuit dismissed the argument against certification that the defendant had quickly complied with the requirements of FACTA after being sued, since Congress did not include any safe harbor or otherwise limit damages on account of belated compliance.

Continue Reading...

European Commission Gets Tough Against UK and its Privacy Enforcement

The European Commission has filed a complaint against the United Kingdom in the European Court of Justice (ECJ) alleging a failure by the UK government to implement EU directives on privacy and data protection. The case arises out of the incident involving BT Group's testing of targeted advertising using technology from Phorm without the express consent of consumers. The European Commission started its investigation earlier this year, and was not persuaded by the responses it received from the UK authorities:

"The Commission considers that existing UK law governing the confidentiality of electronic communications is in breach of the UK's obligations under the ePrivacy Directive 2002/58/EC and the Data Protection Directive 95/46/EC in three specific areas:

  • There is no independent national authority to supervise the interception of some communications, although the establishment of such authority is required under the ePrivacy and Data Protection Directives, in particular to hear complaints regarding interception of communications;
  • Current UK law authorises interception of communications not only where the persons concerned have consented to interception but also when the person intercepting the communications has ‘reasonable grounds for believing’ that consent to do so has been given. These UK provisions do not comply with EU rules defining consent as ‘freely given, specific and informed indication of a person’s wishes’;
  • Current UK law prohibiting and providing sanctions in case of unlawful interception is limited to ‘intentional’ interception only, whereas EU law requires Member States to prohibit and to ensure sanctions against any unlawful interception regardless of whether committed intentionally or not."

In April, then-EU Telecoms Commissioner Viviane Reding drew a line in the sand:  "I call on the UK authorities to change their national laws and ensure that national authorities are duly empowered and have proper sanctions at their disposal to enforce EU legislation on the confidentiality of communications." (Ms. Reding currently is European Commissioner for Justice, Fundamental Rights and Citizenship and presumably was influential in the decision of the Commission to sue the UK.)  The UK government is facing fines in the case just brought by the Commission.

A Call for Shared Responsibility for Preserving Individual Privacy

From a guest blog by Hogan Lovells Privacy and Information Management leader Christopher Wolf on The Last Watchdog:

Whose job is it to protect the privacy of personal information? That is the burning question in Washington these days.

Privacy is receiving so much attention right now not just because of headlines about Facebook and Google and their privacy missteps, but because we live in a time when people are sharing volumes of information about themselves and others on social networks, and when technology that can collect, share, analyze and store information about people is advancing at a staggering pace.

Think geo-tracking, behavioral-targeted advertising, and sensors collecting data about us connected to the Internet.

So who should be protecting our privacy? Some say that the government should finally pass a comprehensive privacy law that strictly regulates the collection and use of data.

Others say that companies using personal data have a responsibility to protect privacy, but should not be shackled by one-size-fits-all laws and regulations, lest economic progress on the Internet – one of the few bright spots in the economy – be stifled.

And then there are those who say people should be smart enough to protect themselves by being careful about what information they share online.

So who is right? They all are right.

Read more