HL Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan Lovells Law Firm : Data Security, E-Commerce & Technology

In 2008, when several network operators began experiments with behavioral advertising firms NebuAd and Phorm, privacy advocates cried foul, arguing that network operators should never be allowed to monitor traffic for advertising purposes because the threats to privacy are too great.  In testimony before the U.S. Congress, some network operators retorted that what certain network operators and NebuAd proposed to do is similar to what large Internet advertising networks already do when they plant cookies on users' terminals to track behavior.  Why should network operators be held to a different standard than advertising networks at the edge of the network? 

Everyone agrees that monitoring online behavior can constitute a serious violation of privacy, and that user consent is critical. But what kind of consent: opt-in or opt-out?  In Europe the recently amended e-Privacy directive appears to require an opt-in regime for cookies, but many wonder how an opt-in regime can work in practice.  The 2008 NebuAd and Phorm turmoil did not focus on consent but on whether behavioral advertising can ever be done by network operators, regardless of the users' consent.  For some, it is unthinkable that network operators could get into the behavioral advertising business, regardless of the safeguards put in place

One of the telecom operators who experimented with NebuAd in 2008 was sued in federal court for illegally monitoring user traffic.  Users brought a class action for illegal interceptions and invasion of privacy.  On December 13, 2010 a U.S. District Court in Montana held that users of the network had consented to the operator's use of NebuAd monitoring technology.  The court found that the operator "gave Plaintiffs specific notice of when the NebuAd Appliance trial would commence and provided a link for its customers to opt out of the NebuAd Appliance if they so chose."  It is not clear in the decision whether users got individual e-mails, or whether the specific notice was only posted on the operator's website.

• Print

The FTC Privacy Report and Department of Commerce Green Paper raise important questions on commercial use of information about people.  The Commission staff outlines privacy protections businesses will be expected to provide as collection technologies advance, and the Commerce paper proposes new laws and a new federal privacy office. 

In addition to our initial impressions about the FTC Report and DOC Green Paper, we release here a Privacy and Information Management Alert that provides an in-depth analysis including:

• Development of the proposed framework;
• Description and analysis of proposed framework; and
• Concepts advanced by the report;

You can access the full Privacy and Information Management Alert here.

On December 1st, the FTC issued a preliminary staff report entitled "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers."  Following the FTC report, on December 16th, the Department of Commerce  issued a "green paper" detailing initial  policy recommendations for online privacy in the U.S.

• Print

The Future of Privacy Forum is conducting a survey on the reaction of privacy enthusiasts to the recently-issued FTC and Commerce privacy reports, as described below.   You are invited to participate and share your views.

From the Future of Privacy Forum blog:

It’s been an extremely busy few weeks in the privacy world as of late.   A little more than two weeks ago, the FTC released their long-awaited staff report on “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,”  and yesterday the Department of Commerce’s Internet Safety Task Force released their privacy Green Paper,  “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.”  The reviews on both have ranged across both ends of the spectrum and have brought increased media attention to the ideas of a ‘Do Not Track’ list, a ‘Privacy Bill of Rights,’ and the creation of a Federal CPO.  

But now it’s time for a little more research into what privacy enthusiasts really think of these two reports.  What will they mean for the future of privacy and how will they impact our national policy when it comes to privacy protections for consumers?  Will they spur legislation or will the industry see them as a signal to start embracing stronger self-regulation mechanisms?  

We want to know what privacy enthusiasts think of the latest reports from the FTC and Department of Commerce so we’re asking all those interested to participate in a brief survey.  The survey can be seen here, and should take no more than five minutes to complete.  All participants should complete the survey no later than December 31, 2010, and we will announce the results shortly thereafter.  

We look forward to your thoughts and thank you in advance for participating!

• Print

Preserving consumer privacy online and thereby bolstering consumer trust in the Internet is essential for businesses to succeed online according to the just-released Department of Commerce Green Paper entitled “Privacy and Information Innovation: A Dynamic Privacy Framework for the Internet Age.”  

The Green Paper was authored by the Internet Policy Task Force at Commerce – a joint effort of the Office of Commerce Secretary Gary Locke, the National Telecommunications and Information Administration, the International Trade Administration, and the National Institute of Standards and Technology. The paper follows a Notice of Inquiry to which many stakeholders responded, and a symposium last May. It also follows the December 1st release of the preliminary FTC Staff Report on Privacy.

• Print

Hong Kong   Data protection is currently a hot topic in Hong Kong. This is largely due to the furor caused by the discovery of the large scale sale of personal data by Hong Kong's Octopus Rewards Limited (a company owned by Octopus Holdings Limited) over a number of years. We reported previously that the Hong Kong Privacy Commissioner launched an investigation into Octopus Rewards Limited and Octopus Holdings Limited. In October the Hong Kong Privacy Commissioner issued his final report on the sale of personal data by Octopus for the purposes of direct marketing. A Guidance Note providing practical guidance on compliance with the requirements under the Personal Data (Privacy) Ordinance (the "Ordinance") relating to use of personal data for direct marketing was published on the same day.

On 18 October 2010 the Constitutional and Mainland Affairs Bureau (the "CMAB") published a consultation paper which summarises the responses to the consultation of the review of the Ordinance undertaken last year and puts forward the current proposals for reform. The CMAB has proposed 37 amendments to the Ordinance and the public are invited to comment on the proposals until 31 December 2010.

• Print

International Association of Privacy Professionals (IAPP) Web Conference

The FTC Privacy Report – A First Look into New Frameworks for Businesses and Policymakers

Date: December 14, 2010
Event start time: 1:00 pm (GMT-05:00) Eastern Time (US & Canada)
Via IAPP Web Conference Service (Registration required)

The FTC has just issued a preliminary report asking for comments on new controls and standards for the online protection of individuals’ privacy. The report details an expansion in scope and breadth of what may constitute consumer data and asks for feedback on sweeping new standards. Join a Web conference examining this important new development in the evolution of consumer privacy. 

Presenters and Hosts:

Robert Belair, Partner, Arnall Golden Gregory LLP

Christopher Wolf, Partner, Hogan Lovells  US LLP

Panelists:

Edward W. Felten, Chief Technologist, Office of the Chairman, FTC, (effective Jan. 1)

Peder Magee, Senior Staff Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, FTC

To register, click here

• Print

On December 7, the Federal Trade Commission (FTC) released an Advance Notice of Proposed Rulemaking (ANPR) seeking comment on how to address telemarketing practices designed to circumvent existing Caller ID rules, and how to make Caller ID a more useful tool for screening unwanted calls. 

The FTC’s Telemarketing Sales Rule (TSR) currently requires telemarketers to provide consumers who use Caller ID services with either the telemarketer’s telephone number or the number of the seller or charitable organization represented by the telemarketer. These rules are designed to encourage accountability and enable the FTC and law enforcement agencies to identify improper telemarketing practices (e.g., calling numbers from the Do Not Call registry). The FTC has initiated numerous enforcement actions in recent years, charging telemarketers with concealing their identities from consumers by using advanced technologies to block, “spoof,” or manipulate the names and numbers that appear on Caller ID. 

The ANPR seeks comments on a number of Caller ID issues, including:

• How widespread is consumer use of Caller ID services?
• Do consumers use other services, such as call-blocking equipment, to avoid unwanted calls?
• Would changes to the TSR improve the ability of Caller ID or other services to disclose the source of telemarketing calls or otherwise block calls?
• Should the Caller ID provisions recognize or anticipate certain developments in telecommunications technologies related to the transmission and use of Caller ID information? 
• Should the Caller ID provisions specify the characteristics of the phone number that a telemarketer must transmit to a Caller ID service? For example, the FTC could require that the phone number transmitted be one that is listed in publicly available phone directories, be one with an area code and prefix that are associated with the physical location of the telemarketer’s place of business, be one that is answered by a live representative, or be such that an automated service can identify the telemarketer by name.
• Should the Caller ID provisions allow the use of trade names or product names (instead of the actual name of the seller or telemarketer) in Caller ID displays?
• Should the FTC further harmonize its Caller ID provisions with the regulations promulgated by the FCC pursuant to the Telephone Consumer Protection Act? 

Comments on the ANPR are due on or before January 28, 2011.

(A special thanks to Aaron George for his assistance in preparing this entry.)

• Print

Dr. Stefan Schuppert in the Hogan Lovells Munich office prepared this entry.  Stefan is a member of the Hogan Lovells Privacy practice and the  IP, Media & Technology group and advises companies in the fields of information technology and new media concerning intellectual property, contract law and data protection.

On November 23, the data protection authority (DPA) of the German Federal State of Hamburg imposed a €200,000 fine [link in German] against the Hamburg-based savings & loan Hamburger Sparkasse due to violations of the German Federal Data Protection Act (the BDSG) for, among other reasons, using neuromarketing techniques without customer consent.   The case – which attracted much negative publicity in Germany, including page 1 headlines and "top spots" in television news – may very well influence the assessment of neuromarketing techniques under data protection laws beyond Germany. 

• Print

Commissioner Jule Brill is the keynote speaker at today's IAPP Practical Privacy program on the Federal Trade Commission and consumer privacy in Washington, DC.  Obviously, the just-released FTC Report is the hot topic.

Among the highlights of Commissioner Brill's remarks:

• Privacy through the lens of Black Friday and Cyber Monday, the "high holy days of consumerism" -- A number of consumers detailed their purchases online through "online exhibitionism," including even uploaded videos in which teenage girls showed off their purchases.  So, with so many people chosing to make public what they have a right to keep private, why is the FTC looking for new and better ways to protect people's privacy?  It is simple, the Commission's mandate is to preserve consumer control over private data.  It is their choice to share, but "we make sure that consumers understand the implications of revealing information and are empowered to protect their information."
• Up to now, the FTC has been playing defense -- enforcing privacy rights that cause tangible harm only after the fact.  The notice and choice, and no harm/no foul paradigm does not do enough to protect consumers.
• The FTC Report reflects a new paradigm:  (1)  Privacy at every stage of development of products and services; (2)  Simplification of consumer choice; (3)  Increased transparency "but we are not throwing away the harm model, as our enforcement will show."  Indeed, we are not throwing away anything, we are building on the current platform of protection.
• The most-talked about recommendation, the proposal of a Do Not Track mechanism:  "I want to dispel concerns that have arisen."  (1)  The FTC is not proposing a list like "Do Not Call" but rather a "browser-based approach" that communicates their preferences to every web site visited.  "I want to commend browser providers on developing these controls for consumers who show that the recommended approach is technologically-feasible."  (2)  Do Not Track will not result in consumers en masse opting out., as the Roundtables demonstrated.  "I am reminded of 'Miracle on 34th Street' where Macy's is featured as the consumer friendly store, providing choices to consumers.  Mr. Macy in the film would have been eager to compete on privacy, and advertisers today should show consumers of the benefits of collecting and using their information for tailored advertising."
• Should we wait for industry to come up with a self-regulatory system or look to a new law enacted by Congtress?  If industry does not adopt Do Not Track, then I support a law that gives the Commission APA rulemaking authority and civil penalties, along with the ability to respect self-regulatory regimes.  I am discouraged by the immediate reaction of some in industry to even the concept of Do Not Track.
• The Commission is not recommending the possibility of legislation outside of the "Do Not Track" arena but Commissioner Brill thinks the Report could serve as a roadmap for more general legislative proposals.
• Consumer deserve greater access to information about them in databases. 
• More cops on the beat are better.  Even though browser controls for tracking that if ignored by marketers could violate existing laws enforced by others, Commissioner Brill believes that FTC authority to enforce is important.

• Print

Just a day before releasing its long-awaited draft privacy report, the FTC foreshadowed some of its findings relating to requirement of transparency in privacy notices.  It did so by entering into a consent agreement with EchoMetrix for inadequately disclosing that data collected using parental web-monitoring software would be included in a database sold to marketers. This settlement reinforces the FTC’s position, established last year in its settlement with Sears, that notices to consumers relating to material privacy practices cannot be “buried” in privacy policies, terms of use, or license agreements.

• Print

European Data Protection Supervisor Peter Hustinx traveled in frigid, snowy conditions from Brussels to London on 2 December for an interview presentation at the London Offices of Hogan Lovells attended by lawyers from the Hogan Lovells global Privacy and Information Management Practice as well as clients and friends of the firm. 

The interview coincided with visits to Europe of US Hogan Lovells privacy partners Barbara Bennett, Marcy Wilder and Chris Wolf, who participated in the IAPP Privacy Congress in Paris earlier in the week, and meetings with EU Hogan Lovells privacy colleagues in London, including: 

Quentin Archer (London)

Roger Tym (London)

Mac Macmillan (London)

Winston Maxwell (Paris)

Stefan Schuppert (Munich)

Hanno Timner (Berlin)

Marco Berliri (Rome)

Gonzalo Gállego (Rome)

Lionel de Souza (Paris)

Massimiliano Masnada (Rome)

Messrs. Maxwell and Schuppert and Ms. Wilder presented in Paris on Binding Corporate Rules and Mr. Wolf presented on the balancing of fundamental rights of privacy and anti-piracy. The London meetings were organized by Barbara Bennett and Quentin Archer and focused on global developments in privacy law and how best to provide seamless privacy law services to clients around the world with multi-jurisdictional needs.

The session with Mr. Hustinx, conducted by Hogan Lovells practice leader Chris Wolf, started with the observation that the firm’s practice is now the largest privacy practice in the world, and thus what happens in the EU with respect to privacy has great significance for clients of the firm. The focus of the interview was on the recently-issued draft agenda of the European Commission on privacy. 

Mr. Hustinx spent about an hour discussing many of the details of the draft agenda, including the process for its consideration, the concepts of the “right to be forgotten,” changes to the ways in which notice and choice are implemented, how national privacy laws might be harmonized across the EU, how cross-border transfers outside the EU might be facilitated, and the efficacy of increased enforcement and penalties.

Two observations by Mr. Hustinx stand out:

• The current EU data protection framework will stay in place for the next 4 to 5 years, as the process for consideration and implementation of the changes embodied in the Commission’s draft agenda will be lengthy and thorough.
• The day will come when the United States privacy framework will be recognized by the EU as providing “adequate protection” and thus allowing cross-border transfers without the employment of auxillary legal tools. Mr. Hustinx concurred in the observation that the FTC Report issued on 1 December contained concepts now present under the EU Directive and paralleled in significant ways the Commission’s draft privacy agenda. Mr. Hustinx declined to say when the time for the EU adequacy recognition for the US would come, but suggested it was not in the immediate future. He applauded the closer working relationship between the US and the EU on privacy matters, following a mention of greater US governmental attention to privacy issues, and said there are privacy protection concepts from around the world that may be adopted in the EU – that global exchanges of best practices is in everyone’s interests.

Hogan Lovells expresses enormous appreciation to Mr. Hustinx for meeting with us, and especially for the arduous travel to and from London he endured to be with us.

• Print

The Bureau of National Affairs (BNA) Privacy Law Watch published the following report on yesterday's FTC Privacy Report, featuring observations by Hogan Lovells Privacy and Information Practice Leader Chris Wolf, which we reproduce here, with permission of BNA:

Privacy

FTC Proposes Industry-Led ‘Do-Not-Track'
Mechanism in Long-Awaited Privacy Report

The Federal Trade Commission Dec. 1 published its long-awaited report on consumer privacy policy, a document that featured a call on industry to adopt a proposed set of self-regulatory best practices as well as several general policy recommendations for federal lawmakers to consider.

Notably, the FTC did not call for federal legislation or for additional regulatory powers to enforce industry compliance with whatever self-regulatory measures are eventually adopted.

Internet privacy policymaking is challenging for a number of reasons, the regulators said. Consumer expectations surrounding online privacy differ widely; the harms are often noneconomic and difficult to quantify; and technology changes rapidly, the report noted.

• Print

The FTC today released a long-awaited Staff Report (though in preliminary form) that examines the status of privacy law and enforcement by the agency and proposes a framework for greater  consumer privacy protections in the products and services developed by businesses.   The Report, which follows a series of public roundtable discussions on privacy held by the FTC over the past year, is comprehensive in identifying many pressing privacy issues.

• Print