Video Feature: As a New Privacy Law Framework is Mulled, What Should Companies Be Doing?

Hogan Lovells Privacy and Information Management practice Leader Chris Wolf recently was interviewed by the Bureau of National Affairs (BNA) in a video on what companies should be doing as changes in privacy law get mulled at the FTC, in Congress and internationally. Chris observes that companies collecting, using, sharing and storing personal data should anticipate change, and should begin to provide greater transparency about data collection and use, greater consumer choice over such collection and use, practice data minimization and use specification, and be prepared for changes in the law whether they come legislatively or through regulatory enforcement.

BNA graciously has given us permission to provide access to the video for readers of the Hogan Lovells Chronicle of Data Protection.

Is Access to Prescriber-Identifiable Data Protected as Free Speech?: The Supreme Court Hears Oral Arguments in Sorrell v. IMS Health

On April 26, the Supreme Court heard oral arguments in Sorrell v. IMS Health, the first case heard by the Court that considers the limitations that a state may put on mining health data for commercial purposes. Specifically, this case raises the issue of how government regulation of data mining practices impacts both the privacy rights of individuals and the speech rights of companies, both data mining companies and their customers.


Bisnow Washington Program Moderated by Hogan Lovells Features Prominent Privacy Players

Bisnow, the well-known publisher of industry-specific newsletters and presenter of conferences, is hosting a program on Consumer Data Privacy in Washington, DC on the morning of Tuesday, April 26th at the Capital Hilton Hotel. The program is sponsored by Hogan Lovells and will be moderated by the Directors of the Hogan Lovells Privacy and Information Management Group, Marcy Wilder and Chris Wolf, and will feature:

Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection, Federal Trade Commission

Jane Horvath, Global Privacy Counsel, Google

Hooman Radfar, CEO, Clearspring

Robert Quinn, Senior Vice-President/Regulatory and Chief Privacy Officer, AT&T

Stuart Pratt, President and CEO, Consumer Data Industry Association

Justin Brookman, Director, Project on Consumer Privacy, Center for Democracy and Technology

For those in the Washington area interested in attending, click here. Given the legislative and regulatory activity going on in Washington these days, the program is sure to be informative and thought-provoking.

Europe's Article 29 Working Party issues smart meter guidelines

By Winston Maxwell (Paris) and Marco Berliri (Rome)

The European Union's Article 29 Working Party published on April 11, 2011 an opinion on smart metering, recommending Privacy by Design, data minimization, and consumer interface options that give customers increased control over their data and privacy settings.

The opinion indicates that most data collected by smart meters will be considered "personal data" under the Data Protection Directive because the data will be associated with a unique identifier such as a meter identification number, which in turn can be linked to a living individual. The opinion states that the "data controller" will in most cases be the energy supplier, but that the grid operator may also be controller, as may be the third party service provider (so-called Energy Service Companies, or ESCOs). As mentioned in the Art 29 WP's opinion 1/2010 on data controllers and processors, it is not infrequent for there to be more than one controller.


China Publishes Draft Privacy Guidelines

Gastón Fernández (Associate), Hogan Lovells, Beijing, PRC, contributed this entry

While personal data privacy law has been developing in many jurisdictions with the increasing prevalence of internet usage, the People's Republic of China has not yet enacted comprehensive laws or regulations governing the collection, use and transfer of personal data. However, this may change soon, as indicated by the recent issuance of the draft Information Security Technology -- Guide of Personal Information Protection (the "Guidelines", issued jointly by the General Administration of Quality Supervision Inspection and Quarantine and the Standardization Administration of the PRC on 30 January 2011). The draft Guidelines were developed in consultation with the Ministry of Industry and Information Technology, the government agency charged with regulating the telecoms and internet industries, and would create broadly applicable rules and principles for handling and transferring personal information. Although the draft Guidelines could be revised before implementation and have not yet been enacted, upon entering into force they could significantly impact business practices relating to storage, processing and transfer of information.


Senators Kerry and McCain Introduce Commercial Privacy Bill of Rights

The long-awaited privacy bill from Senators Kerry and McCain was introduced today, and the Senators provided this summary, along with this press release. The bill follows the call by the Obama Administration for a Privacy Bill of Rights.

Senator Kerry offered this overview on his web site:

On April 12, 2011, Senator Kerry and Senator McCain introduced a Commercial Privacy Bill of Rights to establish a baseline code of conduct for how personally identifiable information and information that can uniquely identify an individual or networked device are used, stored, and distributed. This legislation would go a long way to increasing consumer trust in the market and generating additional activity as a result, as well as protecting people from unscrupulous actors in the market by creating a set of basic rights to which all Americans are entitled.

These privacy rights include:

  • The right to security and accountability: Collectors of information must implement security measures to protect the information they collect and maintain.

  • The right to notice, consent, access, and correction of information: Collectors of information must provide clear notice to individuals on the collection practices and the purpose for such collection. Additionally, the collector must provide the ability for an individual to opt out of any information collection that is unauthorized by the Act and provide affirmative consent (opt-in) for the collection of sensitive personally identifiable information. Respecting companies' existing relationships with customers and the ability to develop a relationship with a potential customer, the bill would require robust and clear notice to an individual of his or her ability to opt out of the collection of information for the purpose of transferring it to third parties for behavioral advertising. It would also require collectors to provide individuals either the ability to access and correct their information, or to request cessation of its use and distribution.

  • The right to data minimization, constraints on distribution, and data integrity: Collectors of information would be required to collect only as much information as necessary to process or enforce a transaction or deliver a service, but allow for the collection and use of information for research and development to improve the transaction or service, and retain it for only a reasonable period of time. Collectors must bind third parties by contract to ensure that any individual information transferred to the third party by the collector will only be used or maintained in accordance with the bill's requirements. The bill requires the collector to attempt to establish and maintain reasonable procedures to ensure that information is accurate.

Other key elements of the Kerry-McCain Commercial Privacy Bill of Rights include:

  • Enforcement: The bill would direct State Attorneys General and the Federal Trade Commission (FTC) to enforce the bill's provisions, but not allow simultaneous enforcement by both a State Attorney General and the FTC. Additionally, the bill would prevent private rights of action.

  • Voluntary Safe Harbor Programs: The bill allows the FTC to approve nongovernmental organizations to oversee safe harbor programs that would be voluntary for participants to join, but would have to achieve protections as rigorous as or more rigorous than those enumerated in the bill. The incentive for enrolling in a safe harbor program is that a participant could design or customize procedures for compliance and be exempt from some requirements of the bill.

  • Role of Department of Commerce: The Act directs the Department of Commerce to convene stakeholders for the development of applications for safe harbor programs to be submitted to the FTC. It would also have a research component for privacy enhancement as well as improved information sharing.

News from Hong Kong: Major Credit Agency Passes Test of Privacy Commissioner But Deficiencies Noted

Gabriela Kennedy (Partner), Heidi Gleeson (Registered Foreign Lawyer) and Alya Bloum (Intern), Hogan Lovells, Hong Kong, contributed this entry.

In Hong Kong, the Privacy Commissioner for Personal Data recently exercised his rights under Section 36 of the Personal Data (Privacy) Ordinance and conducted an inspection of the data system of TransUnion Limited, Hong Kong's major credit reference agency. While the inspection did not reveal any major data breaches or issues, the Commissioner has reported deficiencies in TransUnion's personal data system and made a number of recommendations for improvement.

TransUnion holds the credit records of approximately 4.3 million consumers in Hong Kong and is the main source of consumer credit data for credit providers. Given the large amount of data held by TransUnion and the risk of loss and damages to consumers in the event that this sensitive personal data were misused, the Commissioner considered that an inspection was warranted.

The major objective of the inspection was to review the data processing cycle of TransUnion to ascertain whether it complies with the data protection principles under the Ordinance (the "DPPs") and with the Code of Practice on Consumer Credit Data, which was issued to provide guidance to credit reference agencies (CRAs) when collecting, storing and processing personal data.

The Inspection Report

On 15 March 2011, the Commissioner issued his inspection report. Whilst the Report noted that TransUnion had in place comprehensive and detailed policies regarding the handling of consumer credit data, it also noted areas where there was room for improvement and made twenty recommendations for TransUnion to enhance its personal data system.

For First Time, SEC Imposes Fines Based Solely on Privacy Violations

The Securities and Exchange Commission (SEC) announced yesterday that three former executives of GunnAllen Financial, Inc., a Tampa-based broker-dealer, agreed to settle charges that they had violated Regulation S-P by failing to protect confidential information about their customers. This action marked the first time that the SEC had assessed financial penalties against individuals charged solely with violations of Regulation S-P, which requires broker-dealers, investment advisers, and other financial institutions under the SEC's jurisdiction to protect their customers' nonpublic personal information and to provide their customers the right to opt out of having their information shared with unaffiliated third parties.

Update on Mexico's New Privacy Law: No Immediate Enforcement, But Companies Expected to Appoint Privacy Officer and Have Written Policies

Hogan Lovells has organized two programs over the past year to discuss developments in "NAFTA privacy" (privacy laws in Canada, the US and Mexico). The most recent program was a panel at the IAPP Global Privacy Summit moderated by Hogan Lovells Privacy and Information Management Practice Director Chris Wolf, along with the Chief Privacy Leader at General Electric, Nuala O'Connor Kelly. Participating were FTC Commissioner Julie Brill, Ontario Privacy Commissioner Ann Cavoukian and Deputy Commissioner Ken Anderson, and Mexico's Privacy (IFAI) President Commissioner Jacqueline Peschard Mariscal.

Courtesy of BNA, here is a report on the update provided by Mexico's Privacy (IFAI) President Commissioner Peschard Mariscal:

Data Protection

Mexico Will Not Rush to Compliance Review, Enforcement of New Law, DPA Chief Assures

Mexico's data protection authority will not rush to carry out compliance inspections or take enforcement actions when rules implementing the country's new data protection law begin taking effect in July, the head of the DPA, the Instituto Federal de Acceso a la Información Pública (IFAI), said March 10 at a conference.

As soon as the final rules are published in July, the government expects businesses and other covered entities to begin following the basic requirements that they appoint an individual to be in charge of data protection and establish written data security and privacy policies, IFAI President Commissioner Jacqueline Peschard Mariscal said.

But the government will not immediately begin verification activity, she said. Instead, the IFAI will focus on training and education of covered entities in the requirements of the rules, Mariscal said at a session of the International Association of Privacy Professionals Global Privacy Summit.

Mexico's Federal Law Protecting Personal Data in Private Possession regulates for the first time on a federal level how businesses and individuals handle personal data. It technically took effect July 6, 2010 (9 PVLR 1016, 7/12/10), but the implementing rules are not expected before this July, according to the IFAI (10 PVLR 368, 3/7/11).

Enforcement of the new law is slated to begin in January 2012, Mariscal confirmed at the conference panel entitled "Privacy: What You Need to Consider When Doing Business in North America."

Sufficient DPA Funding for Enforcement?

In July, the Public Information Institute of the Federal District (InfoDF), the Mexico City agency that handles transparency and data protection for the city, warned in July 2010 that the IFAI needed a larger budget for the new data protection law to function properly (9 PVLR 1016, 7/12/10).

Panel moderator Christopher Wolf, director of Hogan Lovells LLP's privacy and information management practice in Washington, asked Mariscal if the IFAI has sufficient funding and enforcement staff to carry out its data protection duties.

"The office has received the necessary budget to carry out its mission," Mariscal responded.

Mexico has a federal system of government with both a national government and regional government in the 31 states and the federal district in Mexico City, she said. But unlike the Canadian model, in which the provinces may pass laws to supplant the federal Personal Information Protection and Electronic Documents Act (PIPEDA) for all or some categories of data (see related report in this issue), the Mexico federal law will remain the primary law in the country. In that scenario, funding the national IFAI is built into the law, she said.

Preventative Approach Is Goal

Nevertheless, "our aim is to have a preventative approach," in part to control costs, by using approaches such as privacy-by-design, rather than focus on adverse enforcement actions, Mariscal said.

Fellow panelists Ann Cavoukian and Ken Anderson, respectively the privacy commissioner and assistant privacy commissioner for the Canadian Province of Ontario, applauded Mexico's focus on privacy-by-design, a method that works to protect privacy at the front end of the design and implementation process for new information systems and technology rather than through after-the-fact enforcement.

Cavoukian has been a leader in developing privacy-by-design and sees it as a tool that every data protection authority should employ (see related report in this issue).

Mariscal also noted that under the new law, there are opportunities for covered entities to work toward a resolution of privacy concerns raised by the IFAI before the filing of any formal enforcement action through an administrative appeal process.

The law authorizes fines of up to 16 million ($1.3 million) for companies misusing personal data, and provides for doubling the fines to about 32 million ($2.6 million) when the personal data is deemed sensitive.

But Mariscal reminded the audience that implementing privacy law in Mexico will require a "cultural shift for a people that are not used to protecting personal data." In that environment, taking a preventative, educational approach is necessary before taking the next steps to implement stricter, more specific sectoral protection rules, and take enforcement action, she said.

Commissioner Julie Brill of the U.S. Federal Trade Commission agreed that educating and working with businesses towards privacy solutions is normally preferable to simply setting rules and then engaging in strict enforcement.

By Donald G. Aplin

Full text (in Spanish) of Mexico's Federal Law Protecting Personal Data in Private Possession

Reproduced with permission from Privacy & Security Law Report, 10 PVLR 455 (Mar. 21, 2011).

Copyright 2011 by The Bureau of National Affairs, Inc. (800-372-1033)

CAN-SPAM Held to Apply to Social Media Messaging

On March 28, 2011, the U.S. District Court for the Northern District of California held, in Facebook, Inc. v. MAXBOUNTY, Inc., case no. CV-10-4712-JF, that messages sent by Facebook users to their Facebook friends' walls, news feeds or home pages are "electronic mail messages" under the CAN-SPAM Act. The court, in denying the defendant MAXBOUNTY's motion to dismiss, rejected the argument that CAN-SPAM applies only to traditional e-mail as it is commonly understood. The ruling is the most expansive judicial interpretation to date of the types of messages falling within the purview of the CAN-SPAM Act. The court did not reach or otherwise address the underlying merits of the CAN-SPAM claims.