FTC Announces Proposed Google Buzz Settlement: First Time FTC Requires Comprehensive Privacy Program

The Federal Trade Commission (“FTC”) today announced a proposed settlement with Google relating to charges that Google used deceptive practices and violated its own privacy policies when Google launched its social network "Google Buzz". The vote of the Commission to accept the settlement was 5-0.

For the first time ever, the FTC is requiring a "Comprehensive Privacy Program" and affirmative consent to any new or additional uses of previously collected data.

In February 2010, Google rolled out Google Buzz, which was a social networking program integrated with many of Google’s services, including Gmail. In its complaint against Google, the FTC alleged that Google violated both Section 5 of the FTC Act and the substantive privacy requirements of the U.S.-EU Safe Harbor Framework. The proposed consent order would impose significant requirements on Google privacy practices for the next twenty years, including a requirement that Google implement a comprehensive privacy program and undergo regular, independent privacy audits.

US Court and German Data Protection Authority in Accord on Discovery Limitations

As recently reported by the data protection authority of the German Federal State of Bavaria in its annual review, a US court recently accepted the data protection authority's limitation on the scope of discovery involving documents with personal information. The issue of EU data protection rules conflicting with US discovery requests is a recurring one, and this episode demonstrates an instance of international comity.

A German company was the subject of a non-party discovery request in a US civil action to produce company documents located in Germany.  The documents, including emails, were connected to the plaintiff and its business, as well as to the development and distribution of products of the German company. The German company itself was not a party to plaintiff's lawsuit. However, the German company belonged to the same group of companies as the defendant. The plaintiff claimed that the defendant and the German company had gained unauthorized access to business secrets of the plaintiff, and the discovery request was directed to this claim.   

German Federal Court of Labour voids withdrawal of appointment as internal data protection officer

The German Federal Court of Labor ruled on 23 March 2011 that an internal data protection officer's appointment may not be validly terminated because the employer wants to transfer this function to a service provider as external data protection officer. Internal and external data protection officers are widely used in Germany, partly because their appointment is mandatory due to the number of employees processing personal data, partly because their appointment frees the company from filing registrations with local data protection authorities. The use of service providers as external data protection officers has become more popular since September 2009, when the amendments to the German Federal Data Protection Act provided stronger protection for employees acting as internal data protection officers against termination or withdrawal of their function. This ruling strengthens the position of the employee exercising this function and limits any German employer's ability to outsource this function to an external service provider.

The data protection officer's function includes the right to contact local data protection authorities if in doubt, and the officer mandatorily reports directly to the company's management.

Draft "Commercial Privacy Bill of Rights Act of 2011" Published

Update 3-24-11: We have learned that Senator Kerry's office has circulated to selected parties a new version of the draft privacy bill amending the version that is the subject of this blog entry, but has not publicly shared it. When it is distributed publicly, we will report on any changes.

At last week's Senate Commerce Committee hearing on privacy, Senator John Kerry (D-MA) announced that he will be introducing privacy legislation in this session of Congress. A draft of the Kerry legislation, which also currently lists Senator John McCain (R-AZ) as a co-sponsor, has been circulating around Washington and was published yesterday by the BNA Electronic Commerce & Law Reporter. We share a copy of the draft "Commercial Privacy Bill of Rights Act of 2011" here.

The FTC is given privacy rulemaking authority for the first time in the draft law as well as the authority to approve (and enforce) industry-created Safe Harbor programs.  However, as detailed below, the proposed law would impose major and significant new obligations on businesses dealing with personal information.

Major provisions to note:

  • Covered information includes "personally identifiable information (PII)" as well as "unique identifier information (UII)" and "any information collected in connection with PII or UII that may be used to identify an individual." Geographical addresses of a physical place of residence are included within the scope of PII. Email addresses would be included if individuals' names are part of them, but the draft brackets questions over whether that should mean first name, last name, legal name, maiden name, nickname, initials, or names embedded with other letters or characters, as in Danny123@xyz.com. Telephone numbers other than work numbers are included within the scope, as are credit card account numbers. Unique persistent identifiers, such as cookies, user IDs, processor serial numbers or device serial numbers, are covered "if used to identify a specific individual." Biometric data such as fingerprints and retina scans are covered. And, if used, transferred or maintained in connection with the above, birth dates, birth certificate or adoption numbers and place of birth are covered, as is geolocation data and "any other information concerning an individual that may reasonably be used to identify that individual." Sensitive personally identifiable information is defined in one short paragraph as PII "which if lost, compromised, or disclosed without authorization could result in harm to an individual."

CNIL Simplifies Formalities for Non-EU Companies Using Data processors in France

In a decision published on 2 March 2011, the French data protection authority (the “CNIL”) announced a simplification of the formalities regarding data processing in France done on behalf of non-EU entities.

Under French data protection law, the general rule is that a data controller processing personal data in France is required to either file a notification or obtain an authorization from the CNIL prior to the implementation of the processing. Such obligations apply not only to French entities or entities having local presence in France but also to entities located outside the EU but which use “processing means” (such as servers, third party service providers, etc.) on the French territory.

In order to comply with this requirement, foreign entities wishing to use the services of French companies to process their personal data in France are required to appoint a representative in France which acts as their local point of contact with the CNIL and completes the required formalities on their behalf.

In consideration of the development of such services in the fields of human resources or client and prospect management, the CNIL, using its regulatory powers for data protection formalities in France, has decided to exempt non-EU companies using service providers located in France to process their human resources and/or their client and prospects data from the completion of formalities. In such cases, the appointment of a local representative is therefore no longer required either.

Finally, it should also be noted that this exemption from formalities also applies to the “return transfer” of data from the French service provider to the non-EU based data controller. While international transfers of data from France to a jurisdiction not regarded as providing an adequate level of protection to personal data generally are subject to prior authorization from the CNIL, the exemption expressly indicates that such “return transfers” would be justified and dispensed from prior authorization on the basis of the “performance of an agreement” exceptions provided for in sections 69 (5°) and 69 (6°) of the French law, which implement into French law the provisions of sections 21(5) and 21(6) of the 1995 European Directive on data protection.

The full text of this exemption (exemption #15) can be found here (in French).

Changes for Federal IT Security Proposed With Impact for Government Contractors

This report was prepared by William Ferreira in the Hogan Lovells US LLP Government Contracts practice. 

On March 16, Congressman Jim Langevin (D-RI) introduced legislation that would reform the way IT security would be monitored and managed within the federal government. The legislation also would overhaul the Federal Information Security Management Act of 2002 (FISMA), and has important implications for government contractors. The bill, known as the Executive Cyberspace Coordination Act, comes on the heels of a report indicating that the federal government is “not prepared” for cybersecurity threats of the 21st century. The bill is one of several cybersecurity measures pending in Congress. The legislation has received bipartisan support and is similar to a bill introduced in the Senate in February.

The legislation would create a National Office of Cyberspace (NOC) in the White House, headed by a presidential appointee confirmed by the Senate. The NOC would operate a “Federal Cybersecurity Practice Board”, responsible for (1) issuing security controls, in coordination with the National Institute of Standards and Technology (or NIST), for government-networked computers and information infrastructure, (2) evaluating federal information security risks, and (3) developing minimum security standards for products and services procured and used by the government. 

As for the proposal to reform FISMA, that statutory scheme has been criticized by security professionals as a “paperwork” exercise that focused too heavily on mechanical compliance processes as opposed to actual security controls. Under the new legislation, federal agencies would be required to implement an information security program that uses “automated technical monitoring of information infrastructure used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency”. The new focus would be on real-time monitoring of the effectiveness of security controls and continuous identification of deficiencies and potential security risks.

A Nice Recap from Fran Maier of Yesterday's Senate Hearing on Privacy

Our friend Fran Maier, President of TRUSTe, provided this insightful report on yesterday's privacy hearing before the Senate Commerce Committee that I attended, and she graciously has agreed to allow us to reprint it here:  (Thanks, Fran!)

While I couldn’t be in Washington, D.C. today for the Senate Commerce Committee’s hearing on “The State of Online Consumer Privacy” (copies of hearing testimony here), I’ve been able to check in with a wide range of attendees and get perhaps more of a bird’s eye view.

Key themes:

It’s all about Trust: Every panelist talked about the importance of trust to continue to reap the benefits of the Internet.

Group M’s John Montgomery: “We want to build consumer trust in the online experience, and therefore we believe that consumers should be able to choose whether and how their data is collected or used for online behavioral advertising”

Importance of Innovation

Intuit CPO Barbara Lawler: “As we enter this important discussion, it is necessary to further emphasize the importance of both respect for the consumer participation and control of information and the value and benefit of continued innovation, in particular where the future of economic growth is going—data driven innovation. The key to our success and to ensuring balance among these interests is earning the customers trust.”

Evolving definition of privacy

Microsoft’s Erich Andersen: “In the digital era, privacy is no longer about being ‘let alone.’ Privacy is about knowing what data is being collected and what is happening to it, having choices about how it is collected and used, and being confident that it is secure.” Note: I’d add “accountability” to the list too.

Technology + Policy + Self Regulation

Ashkan Soltani (researcher): “To be effective, privacy protections for consumers online will likely require both a technical and policy component, working in tandem, and I believe these discussions here today are a great step in making that union a reality.”

Consumer Privacy Bill of Rights in legislation, including incentives for Safe Harbors and Self-Regulation

Committee Chairman Rockefeller: “There is an online privacy war going on, and without help, consumers will lose. We must act to give Americans the basic online privacy protections they deserve.”

A few things to ponder:

  • Do our legislators have broad understanding that privacy issues are not only online?
  • Do they understand that privacy issues are abundant beyond behavioral advertising?
  • Is industry ready to embrace self regulatory programs, such as TRUSTe’s, to balance potential legislation?
  • Will consumers step up and make the choices that we are all committed to providing?
  • Finally, how can we ensure that the combo of Legislation + Co or Self Regulation and Technology meets the bar for better privacy?

You can watch a video recording of the hearing here.

Breaking News: Obama Administration to Support Baseline Privacy Law

A highly-placed official in the Obama Administration has confirmed that in testimony to be delivered tomorrow before the Senate Commerce Committee, Larry Strickling, Assistant Secretary in the U.S. Department of Commerce, will announce that the Administration supports baseline privacy legislation that will set broad privacy protections consistent with the Department's recently issued Green Paper, but not detailed prescriptions. The legislative concept supported by the Obama Administration would have the Commerce Department working with stakeholders to develop Codes of Conduct enforceable by the Federal Trade Commission, which would also create a "Safe Harbor" (the contours of which are unspecified). The proposed framework is intended to promote interoperability with foreign frameworks, perhaps leading to a recognition by the EU of the US privacy law as providing adequate protection.

This is the first time the Administration has expressed support for a federal privacy law.

FTC: Opt-Out Should Mean Opt-Out

The Federal Trade Commission (FTC) yesterday announced a settlement with Chitika, Inc. over its failure to honor consumers’ choice in contravention of representations made in its online privacy policy. The announcement is notable in that it comes in the wake of the FTC’s December 2010 Preliminary Staff Report and is the FTC’s first consent settlement relating to privacy with an online advertising network. As disclosed in its website privacy policy, Chitika offered consumers the choice of opting out of its online network advertising. However, Chitika did not disclose to consumers that the opt-out cookie would expire and disappear from their browsers only 10 days after being set. The FTC therefore believes Chitika’s actions were false and misleading, constituting deceptive trade practices in violation of Section 5 of the FTC Act.

ABA's Lawsuit Challenging Applicability of "Red Flags Rule" to Attorneys is Dismissed as Moot

The D.C. Circuit Court of Appeals has dismissed as moot a lawsuit challenging the applicability to lawyers of the "Red Flags Rule," which requires financial institutions and creditors to implement identity theft prevention programs. The organized Bar had challenged the applicability of the Rule to lawyers and had won in the lower court. Since the Red Flag Clarification Act recently passed by Congress would exempt most lawyers from coverage under the Rule, the Court found that litigation no longer is necessary or appropriate.

By way of background, the Red Flags Rule was promulgated by the Federal Trade Commission ("FTC") and the federal banking agencies pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"). Under the Rule, a "creditor" -- which was defined broadly to include any business that accepts deferred payment for goods or services -- must establish a written identity theft prevention program if it offers certain types of consumer accounts. In April 2009, the FTC issued an Extended Enforcement Policy stating that "professionals, such as lawyers or health care providers, who bill their clients after services are rendered" would be considered creditors subject to the Rule. The American Bar Association ("ABA") sued to prevent the Rule from applying to attorneys.

Hogan Lovells Attorneys Presenting at IAPP Global Privacy Summit in Washington

This week marks the annual gathering of more than 1500 privacy professionals in Washington, D.C. for the International Association of Privacy Professionals Global Privacy Summit.  Attorneys from the Hogan Lovells Privacy and Information Management Practice are presenting in a number of sessions, a reflection of the breadth of our practice and experience. 

Here is the calendar of the Hogan Lovells appearances:

Wednesday, March 9, 8 AM to Noon -- Security Breach 101: Mark Paulding

Wednesday, March 9, 8 AM to Noon -- Managing Data Breach Challenges and Constituencies after HITECH: Chris Zaetta

Wednesday, March 9, 1 PM to 5 PM -- Pie in the Sky: The Intersection of Cloud Computing and Privacy Law Issues: Zenas Choi

Thursday, March 10, 10 to 11 AM -- Privacy Issues in Consumer and Patient Online Health Products and Systems: Melissa Bianchi

Thursday, March 10, 1:45 to 2:45 PM -- NAFTA Privacy: Chris Wolf

Friday, March 11, 10:30 to 11:30 AM -- Privacy v. Anti-Piracy: Chris Wolf

Friday, March 11, 10:30 to 11:30 AM -- Navigating Financial Privacy Compliance in a Post-Dodd-Frank World: Elizabeth Khalil

For those attending the IAPP Summit, please stop by the Hogan Lovells booth in the exhibition hall to meet lawyers from the group and to receive a cookie -- the fortune kind, not the tracking kind.

Spain's Parliament Modifies DPA Penalty Authority As DPA's Enforcement Efforts Scrutinized

This report comes to us from Gonzalo Gallego, a partner in the Hogan Lovells privacy practice resident in Madrid:

Spain has a new penalty regime for violations of privacy, with many minimum and maximum fines lowered. This is viewed as a business-friendly development at a time when the Spanish Data Protection Agency (“SPDA” or “Agency”) has earned a reputation as one of the more enforcement-oriented DPAs in the EU, and when one of its high-visibility enforcement efforts is under scrutiny. This new regime entered into force on 6 March 2011 and is applicable to all data controllers and data processors processing personal data under the Spanish laws.

The modifications were announced just as Europe’s highest court is set to rule on the propriety of the SPDA ordering Google to remove links to web content that allegedly infringed the privacy of individuals, which Google has challenged as a violation of free expression.

These are the main modifications in the penalties now available to the SPDA under Spanish law:

The Latest on the Prospects for Federal Privacy Legislation

Representative Cliff Stearns (R-FL), the co-sponsor of the first major legislative proposal on privacy in the last session of Congress, the Boucher-Stearns bill, spoke yesterday at an event on Capitol Hill about his plans to re-introduce the legislation in modified form. While not providing many details, he said the legislation he plans to introduce will be focused on "broad privacy goals" like giving consumers clear disclosures about the data that is collected online about them. The framework reportedly would allow the FTC to approve five-year self-regulatory programs from industry. In a press release, the Congressman said "This draft is based on legislation I introduced in 2005, H.R. 1263. This draft takes a different approach, but one I think balances privacy with innovation."

According to BNA, Congressman Stearns "told reporters that he is currently in the process of seeking cosponsors, both Democratic and Republican, and is not yet ready to formally introduce the measure or to talk to House Energy and Commerce Committee Chairman Fred Upton (R-Mich.) about moving it forward." Thus, it is unlikely the Stearns revision of the Boucher-Stearns privacy bill will be considered in Congress anytime soon.

This article from BNA describes the broader privacy legislative landscape and recaps a program earlier this week featuring Chris Wolf and Tim Tobin from the Hogan Lovells Privacy and Information Practice and Jules Polonetsky, Co-Chair and Director of the Future of Privacy Forum:

Internet Privacy Will See More Hill Debate, But Open Issues Likely to Delay Any New Law

Federal lawmakers, particularly members of a newly created Senate technology privacy subcommittee, appear poised to again discuss—but probably not pass—comprehensive privacy legislation this session, D.C. privacy attorneys predicted March 2.

Not all Persons Are Entitled to Personal Privacy under FOIA

The U.S. Supreme Court today in FCC v. AT&T, Inc., reversed the U.S. Court of Appeals for the Third Circuit, holding that “personal privacy” under the Freedom of Information Act (“FOIA”) does not extend to corporations even though they are defined as “persons” under the statute. Chief Justice Roberts, writing for the Court, expressed his “trust that AT&T will not take [the decision] personally.” The decision was 8-0. (Justice Kagan did not participate.)

The Supreme Court’s analysis hinged on its conclusion that “person” and “personal” are two very different words and that the adjectival form of one word does not necessarily have the same or similar meaning as the underlying noun. Given the commonly understood meaning of the word personal and the term “personal privacy,” and given the context of FOIA and the provision at issue’s relationship to other FOIA sections, the Court concluded that personal privacy does not extend to corporations or other artificial entities.
