FinCEN Considers Proposed Rule to Require Reporting of Cross-Border Electronic Fund Transfers

Comments are due December 29 on a proposal that would require banks and money transmitters to report information to the U.S. government regarding international fund transfers, including the Social Security numbers of individuals that send or receive such funds.  

On September 30, 2010, the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, published a Notice of Proposed Rulemaking (NPRM) for public comment.  The proposal would amend Bank Secrecy Act (BSA) regulations to add two new requirements.  First, banks and money transmitters would be required to report transmittal information on cross-border electronic transmittals of funds (CBETFs) on an ongoing basis; banks would have to report transfers of any amount, while money transmitters would have to report transfers of at least $1,000.  For reportable transactions of $3,000 or more, money transmitters would have to include in the report the taxpayer identification number (TIN), alien identification number, or passport number of the transmitter or recipient.  Second, the proposal would require all banks to file an annual report with FinCEN of the account numbers and TINs associated with each account that initiated or received a CBETF.

The information that would be reported is largely information that banks and money transmitters already collect, even though they currently are not required to report it as they would be under the proposed rule.

The proposal is aimed at furthering the government’s efforts to combat money laundering, terrorist financing, and other violations of law such as tax evasion and customs fraud.  The reports, FinCEN asserts, would greatly facilitate the ability of authorities to investigate and prosecute such activity.  The reports would be submitted to FinCEN, but could be accessed by other federal and state authorities.  This is already the case with other data currently collected pursuant to BSA.   

However, the affirmative reporting of information on all CBETFs – including account numbers and TINs – would be a significant change.  FinCEN would be given the Social Security number of every individual that uses a U.S. bank to either send or receive funds electronically across U.S. borders, and of many other persons that use money transmitters for such transfers.  This raises possible privacy and data security concerns – due both to the fact of the government having such data and to the need to prevent improper access to or misuse of the data.    

FinCEN has acknowledged the privacy and security concerns raised by the proposal and states that it will maintain sufficient procedures to keep such information safe and secure.   The data, FinCEN observes in the NPRM, “is highly sensitive data containing details about the financial activity of private persons.  Without proper safeguards, this data could be at risk of inadvertent or deliberate disclosure or misuse[.]” 

FinCEN is statutorily prohibited from issuing a final rule until it has established adequate, secure systems to accept the required reports.  For that reason, FinCEN does not expect to issue a final rule before January 1, 2012, because it does not expect to have the information technology systems in place to accept the reports before that time.  Even after a final rule is issued, FinCEN anticipates delaying the mandatory compliance date for some period to allow time for financial institutions to implement procedures to comply with the rule.

ICO Issues First Monetary Penalties for Serious Data Breaches

The UK data protection authority has issued its first monetary penalties for serious data protection breaches. The two cases highlighted in the ICO press release reveal that a county council has been fined £100,000 for faxing highly sensitive information relating to child sexual abuse cases and care proceedings to the wrong recipients, on two separate occasions. The second case involves an employment services company, which has been issued with a fine of £60,000 for the loss of an unencrypted laptop. 

These are the first substantial fines imposed by the ICO, following the introduction of the new monetary penalties in April this year and the cases will attract huge attention as a result. The ICO has the power to award fines of up to £500,000 for serious breaches of the Data Protection Act, but until now, no major fines have been levied and it has been difficult to give real examples of the likely amounts for serious breaches.

The ICO has issued guidance on the new monetary penalties regime, which includes further details of the Commissioner's approach to these cases of serious data protection breach. The decision making process followed by the Commissioner is set out in a flowchart within the guidance, as follows:

The Commissioner has to be satisfied that –

a) There has been a serious contravention of section 4(4) of the Data Protection Act by the data controller; and
b) The contravention was of a kind likely to cause substantial damage or substantial distress; and either,
c) The contravention was deliberate; or,
d) The data controller knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.

Once satisfied, the Commissioner will consider the level of fine to impose. The cases contained within the new press release may not be at the upper end of the scale, but they are not insignificant and should be noted by data controllers.

Bill Introduced to Limit Scope of Red Flags Rule

On November 17th, just six weeks before the Red Flags Rule is slated for FTC enforcement, a bipartisan bill (H.R. 6420) seeking to limit the scope of the Red Flags Rule was introduced. The bill, entitled the “Red Flag Program Clarification Act of 2010,” seeks to amend the definition of “creditor” under the Fair Credit Reporting Act and, hopefully, finally put to rest the scope of coverage issue that has been the source of great controversy.

The law establishing the Red Flags Rule was passed in January 2008, with a scheduled effective date of November 1, 2008.  For financial institutions, the Rule is operative, but due to confusion and concerns over the scope of the rule – over what entities qualify as covered “creditors” – the FTC has delayed enforcement five times. The current date for FTC enforcement to commence is December 31, 2010.  In announcing the most recent enforcement delay, the FTC stated that it was delaying enforcement of the Rule while “Congress considers legislation that would affect the scope of entities covered by the Rule.”

The Red Flags Rule aims to prevent identity theft by ensuring that entities are aware of possible signs of identity theft. The Rule requires “financial institutions” and “creditors” who maintain “covered accounts” to develop written identity theft prevention programs. Under the current Rule, a “creditor” is broadly defined as any person or entity that (a) regularly extends, renews, or continues credit; (b) regularly arranges for the extension, renewal, or continuation of credit; or (c) any assignee of an original creditor who participates in the decision to extend, renew, or continue credit for a covered account. The broad definition of “creditor” adopted under the Rule encompasses a wide variety of organizations, including many health care entities, law firms, and accountants.

H.R. 6420 seeks to narrow the scope of the Rule by exempting from the definition of “creditor” a creditor that “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” The amended definition of “creditor” would also include any other creditors deemed (through rulemaking) by their appropriate regulating authority to offer or maintain “accounts that are subject to a reasonably foreseeable risk of identity theft.”

The new legislation comes while the FTC’s application of the Rule is facing several challenges in federal court from organizations such as the American Bar Association (ABA), American Medical Association and the American Institute of Certified Public Accountants. Most recently, on November 15, 2010, the U.S. Court of Appeals for the D.C. Circuit heard oral arguments regarding the ABA’s challenge to the FTC’s application of the Rule to attorneys.

White House Proposes Cloud Computing Security Requirements for U.S. Government Agencies

On November 2, the General Services Administration (“GSA”) published the Proposed Security Assessment & Authorization for U.S. Government Cloud Computing guidelines, developed by an interagency team composed of representatives from the CIO Council, GSA, the National Institute of Standards and Technology (“NIST”), and other organizations.  The proposed guidelines are designed to provide a centralized system for assessing and authorizing cloud computing services for all U.S. government agencies in a manner that would provide appropriate security and maximize the efficiency of government contracting.  High impact U.S. government information services (e.g., classified military and intelligence data) would not be subject to these guidelines.  The agencies responsible for such activities would retain primary authority to assess and authorize information technology services in accordance with applicable laws and regulations.  Public comments on the proposed guidelines will be accepted until December 2, 2010.

The proposed guidelines call for security assessment and authorization of all cloud computing services for U.S. government agencies by the Federal Risk and Authorization Management Program (“FedRAMP”).  Consistent with the requirements of the Federal Information Systems Management Act, the proposed guidelines would require cloud service providers to demonstrate compliance with a variety of security obligations detailed in NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations (August 9, 2009).  Some of the controls recommended within NIST SP 800-53 have been augmented in the proposed guidelines.  Examples of these modifications include:

  • implementation of FIPS 140-2 compliant encryption for any Software as a Service (“SaaS”) offering that includes email; and
  • maintenance of at least three backups of user and system level data (one of which must be available online).

In addition to the goal of ensuring appropriate security for information used by the U.S. government, the guidelines are intended to improve the efficiency of the cloud service contracting process by creating an “authorize use, use many” system.  Once a cloud service provider has been authorized by FedRAMP for one agency, its services would be pre-authorized for other agencies. 


Hogan Lovells Privacy Partner Selected to Chair March 2011 Transatlantic Events Privacy Program in Chicago

Hogan Lovells Privacy Practice Leader Chris Wolf has been tapped to chair the first Transatlantic Events privacy program in the United States, which will take place in Chicago in early March 2011.  UK-based Transatlantic Events is well known for its substantive programs in the EU.  It has brought together a prestigious panel of presenters for the Chicago program.  The program agenda follows.

Attendees who reserve their places before 1 January 2011 will pay only $550.00, instead of the full rate ($750.00).  Places are limited and reserved on a "first come, first serve" basis.


"Data Protection: Global Compliance Management"
Monday, 7th of March 2011
Loyola University
Chicago, Illinois, USA


9:00 AM - 9:05 AM
Chairman's Introduction: Privacy & Data Protection overview

Chairman: Christopher Wolf, Partner, Hogan Lovells US LLP

Part One: Safe Harbor, Model Clauses, BCR and the APEC Solution

9:05 AM - 9:35 AM
Data Protection: Federal Trade Commission Keynote Address.
Keynote Speaker: C. Steven Baker, Director, Midwest Region,
Federal Trade Commission


9:35 AM - 10:00 AM
BCR: Can one size fit all?
Speaker: Brian Hengesbaugh, Partner, Baker & McKenzie LLP
- Application process: how it works in practice.
- Challenges/learning points.
- How do they compare to other options?

10:00 AM – 10:25 AM
Data Protection: Safe Harbor and Practical Implementations
Speaker: Robert L. Rothman, President, Privacy Associates International LLC

10:25 AM - 11:10 AM
Ensuring Data Protection Law Compliance in Multiple Jurisdictions
Speaker: Liisa M. Thomas, Partner, Winston & Strawn LLP
- What are key privacy concerns for US companies that operate in multiple jurisdictions?
- What are some of the major concerns when taking a US compliance approach into the EU?
- Into other jurisdictions?
- Is a uniform compliance policy feasible?
- What are some practical steps companies that operate in multiple jurisdictions can take for risk and compliance management?

11:10 AM - 11:25 AM
Coffee

Part Two: Data Protection And The Workplace

11:25 AM -11:50 AM
SARs in the current climate
Speaker: Vincent J. Vitkowsky, Partner, Edwards Angell Palmer & Dodge LLP
- A primer on the basic rules
- Some practical issues and how to address them
- Discussing the changing landscape of the law and current climate and the impact on SARs

11:50 AM - 12:15 PM
Ethical Hotlines, Compliance and Data Privacy: Creating international solutions rather than conflict!
Speaker: Robert Bond, Partner, Speechly Bircham LLP (UK)
- SOX 301(4) and reporting hotlines
- OFAC and the UK Bribery Act
- Understanding the conflicts between US and EU regimes
- Implementing workable compliance solutions for multinationals

12:15 PM - 12:40 PM
Outsourcing, Insourcing and "The Cloud"
Speaker: Rebecca S. Eisner, Partner, Mayer Brown LLP
- What are the legal issues?
- Shifting distinctions between "data controllers" and "data processors"
- Jurisdictional problems. Whose law applies?
- Offshoring
- How to address data protection in the Cloud

12:40 PM - 1:00 PM
The Data Protection Interactive
Panel Chairman: Christopher Wolf
Panelists:
Liisa M. Thomas, Robert Bond, Rebecca S. Eisner,
Robert L. Rothman, Brian Hengesbaugh

- SOX, Data Protection and Hotlines
- Responding to Privacy Breaches
- Binding Corporate Rules
- Data Protection and Outsourcing
- The Cloud

1:00 PM - 2:00 PM
Lunch

Part Three: Marketing, Kids and Social Networking

2:00 PM - 2:05 PM
Chairman's Introduction: Privacy & Data Protection overview
Co-Chairman: Thomas J. Smedinghoff, Partner, Wildman, Harrold, Allen & Dixon LLP

2:05 PM – 2:30 PM
When will a Marketing Director go to Prison?
Tesco Ireland has just been fined and forced to stop sending marketing emails. As the regulators get tough, where are the man-traps waiting for the unwary marketing dep’t to walk right into?

Speaker: Tim Beadle, Director, Atrium, (UK)
- Gaining consent and what 2011's "cookie law" will require
- Behavioural vs contextual data
- Data sharing and buying

2:30 PM - 2:55 PM
Data Protection For Children: The problems of getting consent & other potential pitfalls
Speaker: Roslyn J. Kitchen, Partner, Cohen Silverman Rowan, LLP
- The ability to enforce a child's right to privacy (even when they don't think they need it).
- CARU, contract law, and protections under COPPA.
- What is verified parental consent? And when marketers don't need it.
- When is a child not a child? How technology can help or hinder.
- On-line promotional activity directed to your child customer: sweepstakes and contests, chat rooms, product reviews, and other fun stuff!!

2:55 PM - 3:25 PM
The U.S. Perspective to Social Networking, Advertising, Marketing and Privacy Issues: Legal and Compliance - The U.S. Perspective to Social Networking and Privacy
Speaker: Edward R. McNicholas, Partner, Sidley Austin LLP
- Social Media - Advertising and Marketing
- Company Social Media Governance and Policies
- Digital Age Privacy - Does privacy really exist anymore?

3:25 PM - 3:45 PM
Panel Discussion: Social Networking, Marketing and Privacy
Panel Chairman: Thomas J. Smedinghoff
Panelists: Tim Beadle, Roslyn J. Kitchen, Edward R. McNicholas

3:45 PM - 4:00 PM
Coffee

Part Four: Information Security
Chairman: Christopher Wolf, Partner, Hogan Lovells US LLP

4:00 PM - 4:25 PM
Privacy and Security Litigation
Speaker: Ian C. Ballon, Greenberg Traurig LLP
- class action litigation update
- security breach update
- flash cookie litigation
- federal preemption of certain privacy and security claims
- compelling the disclosure of the identity of anonymous and pseudonymous actors
- social network issues
- winning strategies in litigation
- ways to minimize the risk of litigation

4:25 PM - 4:50 PM
Information Security: Responding to Investigations by the FTC
Speaker: Peter F. McLaughlin, Senior Counsel, Foley & Lardner LLP

4:50 PM - 5:15 PM
Managing A Crisis
Speaker: Bart A. Lazar, Partner, Seyfarth Shaw LLP
- Investigation and first response
- Notification to regulators / individuals
- Managing communication
- Managing liability

5:15 PM - 5:30 PM
Panel Discussion: Information Security
Panel Chairman: Christopher Wolf
Panelists: Ian C. Ballon, Peter F. McLaughlin, Bart A. Lazar
Guest Panelist: Thomas J. Smedinghoff

5:30 PM
Chairman's final remarks and close of Conference.
Chairman: Christopher Wolf, Partner, Hogan Lovells US LLP


Summary of Draft Department of Commerce Privacy Green Paper

The article below (reprinted with permission) from Telecom Reports Daily is based on the reporter's review of a copy of the draft Privacy Green Paper from the Department of Commerce, now under review at the White House. 

Notably, the article reports:

  • The Department of Commerce document is expected to be released in the coming weeks.
  • In all, the report makes 10 recommendations and poses dozens of questions on many of the proposals.  The department plans to seek formal comment on the questions in a separate “Federal Register” notice.
  • The report [says] that baseline legislation should be “built on an expanded set of Fair Information Practice Principles (FIPPs)."  
  • It asks whether the Federal Trade Commission should be given authority to impose rules implementing the privacy principles adopted by Congress.
  • As for other congressional action, the report [says] that lawmakers “should pass a data breach law for electronic records that includes notification provisions, encourages companies to implement strict data security protocols, and allows states to build upon the law in limited ways."


DRAFT COMMERCE REPORT RECOMMENDS
ONLINE PRIVACY OFFICE, LEGISLATION

A draft Commerce Department report that is being reviewed by the White House recommends the creation of a privacy policy office and passage of legislation that establishes “a baseline privacy framework.”  In all, the report makes 10 recommendations and poses dozens of questions on many of the proposals.  The department plans to seek formal comment on the questions in a separate “Federal Register” notice.

TRDaily has obtained a copy of the 54-page draft document, “Privacy and Information Innovation: A Dynamic Privacy Framework for the Internet Age.”  It is the work of Commerce’s Internet Policy Task Force, which has held more than six months of consultations, issued a notice of inquiry in April (TRDaily, April 21), and held a symposium in May (TRDaily, May 7).  The document is expected to be released in the coming weeks.  The task force is a joint effort of the Office of Commerce Secretary Gary Locke, the National Telecommunications and Information Administration, the International Trade Administration, and the National Institute of Standards and Technology.

“As the Internet evolves, the Obama administration is committed to promoting policies that will preserve consumer privacy online while ensuring the Web remains a platform for innovation, jobs, and economic growth.  These are complementary goals, because consumer trust in the Internet is essential for businesses to succeed online,” said a Commerce Department spokeswoman, declining to discuss specifics of the report.  “In the coming weeks, the Commerce Department will issue a report that contains policy recommendations and seeks further input, with the aim of advancing both the domestic and global dialogue and contributing to an eventual administration-wide position on information privacy policy.”  The report is currently being reviewed by the White House Office of Management and Budget, according to a source.

Recently, the Obama administration created a federal interagency panel to work on privacy and Internet policy (TRDaily, Oct. 25).  It is chaired by Commerce General Counsel Cameron Kerry and Assistant Attorney General Christopher Schroeder.

The report said that comments submitted in response to the NOI “demonstrated a compelling need to provide additional guidance to businesses, to establish a baseline privacy framework to afford protection for consumers, and to clarify the U.S. approach to privacy to our trading partners - all without compromising the current framework’s ability to accommodate new technologies.”

However, broadband industry providers commenting on the NOI told the department last summer that online privacy protections should be pursued through self-regulation, industry standards, and best practices, rather than through regulation and legislation (TRDaily, June 16).  Public interest groups, however, saw a role for government mandates, along with other approaches advocated by industry.

The report said that baseline legislation should be “built on an expanded set of Fair Information Practice Principles (FIPPs).  Widespread adoption of comprehensive FIPPs is essential to achieving the goals we have set for the Dynamic Privacy Policy Framework.  Widespread adoption of FIPPs would protect privacy interests in data that currently receive little or no statutory privacy protection.  Also, given the flexibility inherent in the individual principles, a FIPPs baseline would help ensure consumer privacy protection as new technologies emerge.  Finally, the FIPPs-based framework that we envision would allow companies to direct resources to the principles that matter most for protecting privacy in a particular technological, business, or social context.  Legislation would authoritatively establish a FIPPs-based framework, but action by industry, civil society, the Executive Branch, and enforcement agencies can also help this framework take hold.”  It asks whether the Federal Trade Commission should be given authority to impose rules implementing the privacy principles adopted by Congress.

As for other congressional action, the report said that lawmakers “should pass a data breach law for electronic records that includes notification provisions, encourages companies to implement strict data security protocols, and allows states to build upon the law in limited ways.  The law should track the effective protections that have emerged from state security breach notification laws and permit enforcement by state authorities.”

And while it called for “baseline” privacy legislation, the report said that such a measure “should not preempt the strong sectoral laws that already provide important protections to Americans, but rather should act in concert with these protections.”

In addition, the document said that “[a]ny federal law or regulation should seek to balance the desire to create uniformity and predictability across state jurisdictions with the desire to permit states the freedom to protect consumers and to regulate new concerns that arise from emerging technologies when federal law lags behind privacy issues created by a rapidly changing technological environment.”  Among the questions posed is whether state attorneys general should be given the authority to enforce national legislation.

The report also called on the Obama administration to “review the Electronic Communications Privacy Act (ECPA), paying particular attention to assuring strong privacy protection in cloud computing and location-based services.  The goal of this effort should be to ensure that, as technology and market conditions change, ECPA continues to provide a fair balance between individuals’ expectations of privacy and the legitimate needs of law enforcement to gather the information it needs to keep us safe.”

Regarding the privacy policy office (PPO), the task force said it could either be housed within Commerce or in the Executive Office of the President.  The office would not have enforcement authority, it said. “The PPO would help guide industry-specific, multi-stakeholder undertakings in developing data privacy policies that respond to identifiable technological or business developments,” it said.  “A PPO-facilitated process would provide a way for stakeholders who are examining innovative new uses of personal information to better understand changing consumer expectations-and identify privacy risks-early in the lifecycle of new products or services.  As both a convener of diverse stakeholders and a center of Executive Branch privacy policy expertise, the PPO would work with the FTC in leading efforts to develop voluntary but enforceable codes of conduct.  Voluntary principles developed through this process would be enforceable by the Federal Trade Commission and would serve as a safe harbor for companies facing complaints about their privacy practices.”

In an Oct. 27 speech at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, NTIA Administrator Lawrence E. Strickling also stressed that the PPO “would complement, not supplant, the Federal Trade Commission or the other institutions of the Federal Government, such as the professional cadre of Chief Privacy Officers we now have in multiple agencies.  A key role for the new Privacy Office would be to bring together the many different parties that are necessary to help develop privacy practices.”

The report also recommended an emphasis on FIPPs that focus on “enhancing transparency, encouraging greater detail in purpose specifications and use limitations, and fostering the development of verifiable auditing and accountability programs.”  It also said any legislation establishing “general FIPPs-based data privacy protection should include a safe harbor provision for companies that adhere to voluntary, enforceable codes of conduct.”  It also said that the FTC “should remain the lead consumer privacy enforcement agency for the U.S. Government,” but it sought questions on whether the FTC should be given additional rulemaking authority if voluntary enforceable codes are not established.

The report also recognized the importance of collaboration with stakeholders from other countries.  It recommended continued work by U.S. officials “toward increased cooperation among privacy enforcement authorities around the world,” that includes “a framework for mutual recognition of other countries’ privacy frameworks.” - Paul Kirby, paul.kirby@wolterskluwer.com

New York Times Article Suggesting US Agencies' Conflict Over Privacy Future May Be Wide of the Mark

The New York Times published a piece today with the headline "Stage Set for Showdown on Online Privacy," suggesting that the Department of Commerce and the Federal Trade Commission appear to be at odds over how to advance privacy in the United States.  It is true that the privacy community is awaiting two separate reports, the Commerce "Green Paper" following a Notice of Inquiry on privacy and the FTC's Staff Report following the three privacy Roundtables, and no one knows exactly what the contents will be.  But for those of us following the situation here in DC, the Times piece suggesting conflict is at odds with other signals from Commerce and the FTC.

Recall that David Vladeck recently previewed the major themes of the upcoming FTC Report at an IAPP gathering and said, on the issue of regulation vs. self-regulation, that the Commission has always supported self-regulation.  With respect to privacy and online advertising, he said "I am disappointed in the progress of self-regulation.  Ad disclosures and icons are all good ideas, but implementation is very much a work in process."  He concluded that the Commission and the public may lose their patience with self-regulation if there is not better progress.

Assistant Secretary of Commerce Larry Strickling addressed the global privacy commissioners conference in Jerusalem recently:

First is the importance of trust.  It is imperative for the sustainability and continued growth of the Internet that we preserve the trust of all actors. For example, if users do not trust that their personal information is safe on the Internet, they will worry about using new services. If content providers do not trust that their content will be protected, they will threaten to stop putting it online.

Our approach, which we call Internet Policy 3.0, recognizes that the interplay among technical standards and design, multi-stakeholder institutions, voluntary best practices, and laws and regulations can ensure that the Internet continues to meet its economic and social potential. 

The framework I have in mind would build on current successes with voluntary codes but provide a more accountable, institutional structure for the future.  (emphasis supplied)

The proffered approaches of the FTC and the Department of Commerce in the previews presented by the respective agencies' top officials seem remarkably similar.  The notion that the Obama Administration would stage a "showdown" with the FTC, whose leadership it appointed, seems far fetched.  But time will tell.

NLRB Files Complaint for Employer's Allegedly Overbroad Social Media Policy

Employees who claim a Facebook "zone of privacy" from their employers for complaints about working conditions got a boost recently from the National Labor Relations Board (NLRB).

As reported in today's New York Times, on October 27 the NLRB Hartford Regional Office issued a complaint against an ambulance service provider, American Medical Response (AMR), for terminating an employee for posting disparaging comments about her employer on Facebook.  When the employee was denied union representation by a supervisor after an incident at work, she posted negative comments about the supervisor on her Facebook page from her home computer. After discovering the posts, AMR suspended and later terminated the employee for violating a few of the company’s blogging and Internet posting policies. 

Lafe Solomon, the board’s acting general counsel, said, “This is a fairly straightforward case under the National Labor Relations Act — whether it takes place on Facebook or at the water cooler, it was employees talking jointly about working conditions, in this case about their supervisor, and they have a right to do that.”

That act gives workers a federally protected right to form unions, and it prohibits employers from punishing workers — whether union or nonunion — for discussing working conditions or unionization. The labor board said the company’s Facebook rule was “overly broad” and improperly limited employees’ rights to discuss working conditions among themselves.

New York Times

A November 2 press release explained the NLRB’s position that AMR’s policies illegally interfered with its employees’ right to engage in protected activity under the National Labor Relations Act (NLRA) – specifically, policies that prohibited employees from (1) making disparaging remarks about the company or supervisors and (2) depicting the company on the Internet without permission. Under the NLRA, an employer cannot unduly restrict its employees’ ability to discuss terms and conditions of employment, regardless of whether a union exists, for fear that such restriction will impede employees’ ability to fairly unionize. At the same time, the NLRA does not provide carte blanche for employees to criticize or disparage their employers.

Employers should keep an eye on this case and how it may affect their policies regarding employee use of the Internet and social media. Many companies have drafted broad policies like the ones cited here that purport to greatly restrict what employees can say about the company. Though such policies are most likely to be invoked when employees post material to the Internet or social media sites that exhibit clear insubordination or disloyalty to the company, the NLRB was clear in expressing its concern for the possibility for companies to use the policies to stifle union-related employee communications.

As social networking continues to grow in popularity, it is inevitable that employees will post material that criticizes or otherwise goes against the interests of their employers. For example, this past August a Massachusetts teacher was fired for comments she posted on her Facebook page after calling residents of her school district “arrogant and snobby” and her students “germ bags.” And in a recent federal case out of New Jersey that has led to discussion over employer monitoring of employee social networking sites, employees sued their employer after they were fired for starting a Facebook group to vent about work.

When employees are disciplined or terminated for material they post to the Internet, employers will need to demonstrate that their actions did not unduly restrict the employees’ ability to discuss their terms and conditions of employment. To bolster this argument, employers should make clear in their Internet, blogging, or social media policies that, whatever restrictions there are on employee Internet postings, employees will not be disciplined for activity protected under the NLRA.

FTC Business Center Provides Compliance Tools

The FTC unveiled an extremely useful web site with compliance tools:

The Federal Trade Commission has a new Business Center at Business.ftc.gov that gives business owners, attorneys, and marketing professionals the tools they need to understand and comply with the consumer protection laws, rules, and guides the FTC enforces.

The Business Center provides practical, plain-language guidance about advertising, credit, telemarketing, privacy, and a host of other topics.  A series of short videos explain the bottom line about what businesses need to know to comply, and the Business Center blog gives readers the latest compliance tips and information.

A new video encourages businesses to use and share the free resources in the Business Center to enhance compliance and build their customers’ trust.  Companies can use the compliance tips in their newsletters and blogs, share the resources with their social and professional networks, use the videos for in-house trainings or presentations, and order free materials to hand out at conferences or community events.

The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. To file a complaint or get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. Watch a new video, How to File a Complaint, at ftc.gov/video to learn more. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by more than 1,800 civil and criminal law enforcement agencies in the U.S. and abroad.

With respect to privacy compliance in particular, there are sections on 

And included are


European Commission Releases Significant Proposals for Privacy Changes

The European Commission has just released a document setting forth its proposed strategy for revisions to EU data protection rules previewed in this blog recently.

The proposed changes were introduced this way in the Commission's news release:

What happens to your personal data when you board a plane, open a bank account, or share photos online? How is this data used and by whom? How do you permanently delete profile information on social networking websites? Can you transfer your contacts and photos to another service? Controlling your information, having access to your data, being able to modify or delete it – these are essential rights that have to be guaranteed in today's digital world. To address these issues, the European Commission today set out a strategy on how to protect individuals' data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU. This policy review will be used by the Commission with the results of a public consultation to revise the EU’s 1995 Data Protection Directive. The Commission will then propose legislation in 2011.

The Commission then explained:

Today's strategy sets out proposals on how to modernise the EU framework for data protection rules through a series of key goals:

  • Strengthening individuals' rights so that the collection and use of personal data is limited to the minimum necessary. Individuals should also be clearly informed in a transparent way on how, why, by whom, and for how long their data is collected and used. People should be able to give their informed consent to the processing of their personal data, for example when surfing online, and should have the "right to be forgotten" when their data is no longer needed or they want their data to be deleted.

  • Enhancing the Single Market dimension by reducing the administrative burden on companies and ensuring a true level-playing field. Current differences in implementing EU data protection rules and a lack of clarity about which country's rules apply harm the free flow of personal data within the EU and raise costs.

  • Revising data protection rules in the area of police and criminal justice so that individuals' personal data is also protected in these areas. Under the Lisbon Treaty, the EU now has the possibility to lay down comprehensive and coherent rules on data protection for all sectors, including police and criminal justice. Naturally, the specificities and needs of these sectors will be taken into account. Under the review, data retained for law enforcement purposes should also be covered by the new legislative framework. The Commission is also reviewing the 2006 Data Retention Directive, under which companies are required to store communication traffic data for a period of between six months and two years.

  • Ensuring high levels of protection for data transferred outside the EU by improving and streamlining procedures for international data transfers. The EU should strive for the same levels of protection in cooperation with third countries and promote high standards for data protection at a global level.

  • More effective enforcement of the rules, by strengthening and further harmonising the role and powers of Data Protection Authorities. Improved cooperation and coordination is also strongly needed to ensure a more consistent application of data protection rules across the Single Market.

Finally, the Commission described "the way forward" which allows input from affected stakeholders and interested persons:

The Commission's policy review will serve as a basis for further discussion and assessment. The Commission is calling on all stakeholders and the public to comment on the review's proposals until 15 January 2011. Submissions can be made on the Commission’s public consultation web site 

Building on this, the Commission will present proposals for a new general data protection legal framework in 2011, which will then need to be negotiated and adopted by the European Parliament and the Council.

In addition, the Commission will examine other measures, such as encouraging awareness-raising campaigns on data protection rights and possible self-regulation initiatives by industry. 

What the US Election Results Mean for Privacy

Update:  According to the Washington Post, "A key Republican lawmaker indicated Wednesday [November 3] that Internet privacy could be a legislative priority in the next Congress, as a growing number of data breaches draw increased attention from federal regulators.  Rep. Joe L. Barton (Tex.), ranking GOP member of the House Energy and Commerce Committee, signaled the legislative push in a statement about his correspondence with Facebook executives on privacy issues.  'I want the Internet economy to prosper, but it can't unless the people's right to privacy means more than a right to hear excuses after the damage is done,' Barton said."

Privacy was not on the ballot yesterday, but the results may affect the prospects for privacy legislation in the new Congress.

The big news is that Congressman Rick Boucher, a respected Virginia Democrat who has served for nearly 19 years, was defeated by Morgan Griffith, a Virginia state legislator. Boucher, along with Congressman Rick Stearns (R-FL) circulated a draft comprehensive privacy bill earlier this year and promised to introduce it after harmonizing it with the bill introduced by Congressman Bobby Rush (D-IL). The election result means that Boucher no longer will chair the House Communications, Technology and the Internet Subcommittee. He may be succeeded by Stearns, who presumably would still favor privacy legislation and make it a subcommittee priority. 

Stearns said earlier this week:

I have worked on developing privacy legislation from the time I was Chairman of the Commerce, Trade & Consumer Protection Subcommittee from 2001 to 2006 and I am still working on it. 

He also is reported to have said that he does not support all the provisions of the Boucher bill and "would like to see a bill" that is less prescriptive and "allows innovation to continue to flourish."

Whether his Republican colleagues, now in the majority, share his zeal for greater privacy regulation following an election whose theme was less government intervention remains to be seen. Moreover, Stearns also may prefer a leadership role on another committee, leaving the privacy legislation orphaned in the subcommittee. Candidates to lead the opposition on the Communications, Technology and the Internet Subcommittee include Rep. Anna Eshoo (D-CA), whose district includes Google headquarters, and Rep. Ed Markey (D-MA). Markey has been vigilant on privacy issues.

A glimpse into the privacy views of presumptive Speaker of the House John Boehner is his lawsuit under the Electronic Communications Privacy Act (ECPA), arising out of the interception and recording of a cell phone conference call Boehner had with Republican leaders concerning an ethics investigation into the conduct of Newt Gingrich, and the fact that he voted yes on retroactive immunity for telecoms' warrantless surveillance.

Whether privacy becomes a priority for the new Republican leadership is an open question, and will likely be driven by events and the headlines.

New to the US Senate is Connecticut Attorney General Richard Blumenthal, well-known for his aggressive investigations and settlements related to privacy issues. Blumenthal led the thirty-state investigation of Google concerning the company’s collection of user information while mapping out U.S. areas for Street View, and indicated, despite the FTC's conclusion of its investigation into the episode, that his office’s investigation would continue. Blumenthal also brought the first data breach enforcement action under the HITECH Act against Health Net earlier this year.  It is fair to expect Blumenthal’s focus on privacy to continue once he is sworn in.

Despite the fear that the new political landscape in Washington means nothing but gridlock, some believe that privacy is one of the few issues that “will get done”.