Hogan Lovells Privacy Lawyers Go "West" to Take Stock of Ways to Better Serve Clients in Changing Times in Law and Regulation


Yesterday, on an uncharacteristically cool but bright and sunny late August day, Washington, D.C.-based lawyers in the Privacy and Information Management (PIM) practice traveled one hour west from DC to the Marriott Ranch in Hume, Virginia to take stock of current trends in privacy law and to discuss ways in which the practice can better serve its clients in the dynamic times ahead. After a short trail ride on horseback, the group got down to business and spent the afternoon sitting on the porch of the Marshall Manor House, built in 1814 by James Marshall (the brother of then-Supreme Court Justice John Marshall).

In full-group and break-out interactive sessions, the PIM lawyers talked out how we can prepare clients for anticipated developments in privacy and information security law, including:

  • Increased Congressional focus, through proposed legislation and hearings, on online tracking, data security breaches, children’s privacy, and consumer control over the collection and use of personal data.
  • More enforcement actions from the FTC, HHS, in the states and through attempted class actions.
  • The broadening applicability of HIPAA to entities previously not covered and the applicability of “general” privacy rules to health-related entities.
  • Greater challenges for companies operating internationally given the proposed changes in the EU framework and increased regulatory enforcement abroad.
  • The further deployment of cloud computing and social media by businesses.
  • The demand, created in part by greater media attention, for heightened privacy and data security protections for consumer and employee data, and the threats to reputation and brand from inadequate attention.

The group came up with a framework for better informing our clients of new developments, sharing what we learn, and collaborating with in-house privacy professionals. The aim is to continue to distinguish our privacy practice as one known for handling the entire range of privacy and data security matters, especially those involving cutting-edge and novel issues, and as one that can provide global coverage on privacy matters by involving our colleagues across the firm’s 40 offices in 27 countries.

The late-summer gathering "out West" energized the PIM group lawyers for a busy fall ahead.

France Implements EU Requirements for Data Breach Notification, Audits and Cookies Applicable to Electronic Communications Service Providers

This entry was drafted by Winston Maxwell and Lionel de Souza.

On August 26th, France published a Presidential Order (Ordonnance) that implements the November 25, 2009 package of EU telecoms directives. The Ordonnance contains measures on data breach notifications, data security audits and cookies. These measures are limited to providers of electronic communications services and therefore are not, for the time being, applicable to all data controllers.

Data Security Breaches. All providers of public electronic communications services are required immediately to inform the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), of any data security breach. A data security breach is defined as "any security breach that results accidentally or in an illicit manner in the destruction, loss, alteration, disclosure or unauthorized access to personal data which is processed in the context of the supply to the public of electronic communications services." The Ordonnance does not contain any materiality threshold. Consequently each and every breach, no matter how small, must be reported to the CNIL. Every provider of public electronic communications services must also keep a journal of data breaches, indicating the details of the breach, its effect and the remedial measures taken. The journal must be shown to the CNIL on request.

Notification to data subjects: if the data breach "can adversely affect the personal data or privacy of a subscriber or other individual, the operator must also immediately inform the interested party." However, this notification requirement can be waived if the CNIL finds that "appropriate protection measures were taken by the provider to ensure that the data are incomprehensible to any unauthorized person and such measures were applied to the data concerned by the breach." The Ordonnance contains no materiality threshold here either. Yet the Ordonnance states that the CNIL can, "after examining the seriousness of the breach, order the provider also to inform the interested party." This provision suggests that there may in fact be a "seriousness" threshold after all in connection with notifications to data subjects, but that the decision would be the CNIL's and will certainly depend on the responsiveness and containment measures demonstrated by the service provider.


Article 29 Working Party to OBA Industry on Meeting Cookie Consent Requirement: "Nice try, but..."

The EU's Article 29 Working Party has just published a letter addressed to the Online Behavioural Advertising (OBA) industry regarding the self-regulatory Framework proposed by industry to satisfy the requirement of the revised ePrivacy Directive for user consent before cookies may be placed on a computer for tracking (and targeted advertising) purposes. The letter was sent in advance of a meeting apparently scheduled for sometime in September between the Working Party and industry representatives to discuss the proposals to satisfy the Cookie Directive.

Simply put, the Working Party has rejected every proposal put forward by industry to avoid the necessity of consumers affirmatively consenting to every placement of cookies by every party proposing to place such cookies. OBA industry representatives have said that the specific, multiple consent arrangement will impede e-commerce and degrade the user's online experience, heralding a return to multiple pop-ups requiring choices before users may continue to see content. So far, the Working Party's position is that there is no substitute for a form containing an explanation about the placement of cookies with a box for the consumer to check "I accept," provided by every entity proposing to place a cookie.

The Article 29 Working Party's specific complaints about the industry proposals:

  • A prominent opportunity to object to tracking by cookies can never be the same thing as a specific opt in.
  • The complaint that multiple ad network providers will lead to multiple pop-ups on web sites is not well-founded, since once consent has been given to a network, the pop-up need not appear subsequently. (The Working Party did not address the issue of what happens before any consents are given and multiple pop-ups seeking consent in fact appear on a given web site, except to suggest that perhaps a "centralized way" can be established to obtain consent.)
  • Browser settings rejecting cookies are insufficient since the default is to accept cookies.
  • Icons attached to ads that can be clicked to learn about cookies and express preferences are inadequate because consumers today don't know what the icons mean, and, since the Directive applies whether or not the cookies track personal data, information provided on clicking the icon that draws such a distinction is inconsistent with the notice requirement. The icon was also criticized as providing too "indirect" a way to provide notice.

Attached to the Working Party's statement of reasons about the inadequacy of the OBA industry's proposals was a letter from the FTC's Director of Consumer Protection David Vladeck responding to an EU request for the FTC's position on transparency and consumer choice in connection with behavioral advertising. Notably, the letter explains the value of targeted advertising (while, of course, citing the privacy concerns) and notes "the number of steps to improve transparency and consumer choice" the OBA industry has taken recently. The letter also notes the guidance the FTC has provided on how to give consumers the "Do Not Track" power. The letter from Mr. Vladeck speaks of consumers having a "meaningful opportunity" to control data collection practices, but stops far short of anything resembling the requirements of the Cookie Directive, and the Working Party's reaffirmation of them, for express opt-in for the placement of every tracking cookie.

Bloomberg Law Features Televised Interview with Hogan Lovells Privacy Practice Director

Bloomberg Law conducted a video interview this week with Hogan Lovells Privacy and Information Management practice co-director Chris Wolf on current privacy law issues, ranging from how important privacy is to the continued growth of e-commerce, to EU-US relations, to Do Not Track, to the Right to be Forgotten. A link to the YouTube archived version of the interview is here.

German Higher Labor Court Permits Employers to Review Employees' Emails

by Hanno Timner

On February 16, 2011, the Higher Labor Court of Berlin-Brandenburg, Germany, ruled that an employer has the right to access and review work-related email correspondence of an employee during his/her absence from work (e.g. for reasons of illness or vacation). According to this ruling, such a review of the employee’s email is not prevented by the employee’s right to use the company email system for private correspondence as well. Through its decision, the Higher Labor Court has contributed to the ongoing debate in Germany about whether permitting an employee to use company equipment for private email correspondence triggers the so-called "secrecy of telecommunications" (Telekommunikationsgeheimnis) and thus effectively precludes an employer's right to access the employee’s email correspondence at all, including the business correspondence.

In the case at hand, the plaintiff was unable to work due to a long-term illness. The employer unsuccessfully tried to contact the employee to obtain her consent to the employer accessing and reading her business-related email correspondence in order to respond to customers’ requests. After several weeks, the employer circumvented the employee’s password and, in the presence of a member of the local works council and the company’s internal data protection officer, read and printed the employee’s business-related email correspondence. The employer did not read or print email correspondence labeled “private.” The employee’s attempt to obtain a court order prohibiting her employer from accessing her email account during any future absences without her explicit consent was unsuccessful. The Higher Labor Court did not accept the plaintiff's reasoning that, due to the fact that the plaintiff, as well as all other employees, was permitted to use the company’s computer system for private email correspondence, her employer should be considered a so-called “provider of telecommunication services” and thus be required to observe the “secrecy of telecommunications” according to Sec. 88 Telecommunications Act (Telekommunikationsgesetz).

The Higher Labor Court ruling joins a number of recent court decisions that oppose the prevailing view in the legal literature and the position of the German Federal Government (which commented on the issue recently in connection with the law-making procedure for the Employee Data Protection Act), both of which hold that an employer does qualify as a "provider of telecommunication services," and therefore must observe the “secrecy of telecommunications,” if the employer permits private email correspondence using the employer’s IT system. Such secrecy of telecommunications permits even a professional provider of telecommunication services to collect call detail records or any other information relating to telecommunication services only insofar as required for billing purposes or in order to cure technical defects.

The Higher Labor Court's view is based on the reasoning that allowing use of a company email system for private communication is merely a side effect of the employment relationship and does not fall under the scope of the Telecommunications Act. Additionally, the Court correctly pointed to the fact that the secrecy of telecommunications, if applicable, would only protect ongoing email traffic and would not prevent the employer from accessing business-related email correspondence which has already arrived in the email inbox.

It remains to be seen whether the German Federal Labor Court will have an opportunity to decide this question, thereby putting an end to the ongoing debate about an employer's rights to access its employees' email correspondence. In the absence of such a final ruling by the Federal Labor Court, the Higher Labor Court ruling should constitute a sound basis for employers to access employees' business-related email correspondence, even without the employees' explicit consent, provided that the employer does not interfere with ongoing email traffic and does not access emails which are clearly private.

(See: LAG Berlin-Brandenburg, ruling of 16 February 2011, file number: 4 Sa 2132/19, DB 2011, 1281-1282.)

Law 360 Publishes Interview with Hogan Lovells' Chris Wolf

Law 360, the daily online news source about the legal profession, has just published this interview with Chris Wolf, who, along with Marcy Wilder, leads the Hogan Lovells Privacy and Information Management practice. The wide-ranging interview includes Chris' views on current challenges in privacy law and reflections on his career.

Chris has a variety of public appearances coming up in September, including:

In October, Chris will present a paper on The Role of Government in Commercial Cybersecurity at ITU Telecom World in Geneva and will co-chair, with Yuli Edelstein, Israel's Minister of Public Affairs and the Diaspora, a hearing in London of the Internet Hate Speech Task Force of the Inter-Parliamentary Coalition for Combating Anti-Semitism, whose members include privacy experts Jane Horvath from Google, Chuck Cosson from Microsoft and Professors Jeffrey Rosen and Danielle Citron.

App Privacy is in the News Again

UPDATE: In the FTC's first case involving apps, the Commission today announced a COPPA settlement with W3 Innovations, a developer of mobile applications for Apple’s iPhone and iPod Touch, which will be required to pay a $50,000 penalty and delete illegally collected data. The FTC said the app developers illegally collected and disclosed personal information from tens of thousands of children under age 13 without their parents’ prior consent:

In addition to collecting and maintaining children’s email addresses, the FTC alleges that the defendants also allowed children to publicly post information, including personal information, on message boards. These interactive apps send and receive information via the Internet, and are online services covered by the COPPA Rule, according to the FTC complaint.

The FTC’s COPPA Rule requires that website operators notify parents and obtain their consent before they collect, use, or disclose children’s personal information. The Rule also requires that website operators post a privacy policy that is clear, understandable, and complete.

According to the complaint, the defendants did not provide notice of their information-collection practices and did not obtain verifiable parental consent before collecting and/or disclosing personal information from children. The FTC charged that those practices violated the COPPA Rule.

Some say “PC’s may be going the way of the typewriter” given the proliferation of, and growing reliance on, tablets and mobile devices, which are handling more of the computing once done exclusively on personal computers. An article in today’s Wall Street Journal explains:

[m]obile devices have [] helped disrupt the distribution and pricing of software. The "app store" model, pioneered by Apple and emulated by Google and others, has given tablet and smartphone users speedy access to programs that are frequently free or cost less than $5—undermining a model that grew up around stores selling disk-based PC programs that routinely cost $40 to more than $100

With apps come an array of privacy issues. With software hosted locally, the privacy issues are circumscribed. The user knows who is getting his or her data and how it will be used. In the app world, which often implicates cloud computing, there is a serious question of how app developers will handle privacy. A recent study by the Future of Privacy Forum, founded and co-chaired by Hogan Lovells’ privacy lead Chris Wolf, found that nearly three-quarters of the most-downloaded mobile apps lacked even a basic privacy policy. In May, Sen. Al Franken (D-Minn.) sent a letter to the chief executives of Apple and Google asking that their companies require app makers to have clear, understandable privacy policies.

A New York Times article today entitled “Industry Tries to Streamline Privacy Policies for Mobile Users” describes a new tool for app developers to create a mobile privacy policy, as well as an industry-led effort to provide an opt-out of targeted advertising based on the collection of user information. On the issue of whether an app developer should spend money to develop a privacy policy to advise and empower consumers with respect to the collection and use of information from them, Hogan Lovells’ Chris Wolf is quoted:

The cost for a legal consultation, which can range from a couple of hundred dollars to thousands, can also be a deterrent for small app developers looking to create privacy policies. But Christopher Wolf, a partner at the Hogan Lovells law firm and a co-chairman of the Future of Privacy Forum, said app developers should not claim cost as an excuse.

“I think it’s a cop-out for app developers to say they don’t have the budget for it,” Mr. Wolf said. “It’s an investment for any business that deals in consumer data. They ought to build it into the development cost.”

“Privacy by Design,” which has been described as a growing global trend, at a minimum requires app developers to articulate what they are doing with personal data, e.g. in privacy policies. A resource to assist app developers in building privacy into their apps is hosted on a new web site, www.applicationprivacy.org, developed by the Future of Privacy Forum. Also, the Privacy & Advocacy committee of the Mobile Marketing Association (MMA) is focused on outlining global best practices as they relate to protecting the consumer's private information. The MMA is hosting a free webinar on September 22 in which Hogan Lovells’ Chris Wolf will participate, described this way:

As mobile marketing continues to grow, the use of data for analysis and personalization has become increasingly important in successfully providing relevant services to users. Some of the uses of mobile data, such as location and device IDs have started drawing scrutiny by media, policymakers and advocates.

What are the issues that are creating concerns? How can you avoid the risks? What are the emerging best practices? What is the MMA doing? Join leaders of the MMA and the Future of Privacy Forum to learn how you can navigate the legal and policy challenges facing the mobile advertising ecosystem.

Registration for the free MMA webinar is accessible here.


Hong Kong Set to Implement Data User Return Scheme by 2013

This post was contributed by Gabriela Kennedy, a Partner, and Zuzana Hecko, a Summer Intern, both of the Intellectual Property, Media and Technology Group of Hogan Lovells Hong Kong.

On July 7, the Hong Kong Privacy Commissioner for Personal Data (“the Commissioner”) issued a consultation document setting out the mechanism for a Data User Return Scheme (“the Scheme”). Provisions allowing the Commissioner to request returns from specific data users are already present in Part IV of the Personal Data (Privacy) Ordinance ("the Ordinance"). So far, the Commissioner has not exercised this right, but following a survey of practices in other jurisdictions and taking into account the heightened awareness of privacy rights and corporate sensitivity about personal data, the Commissioner is now of the view that it is time to introduce the Scheme in Hong Kong.

The consultation document (PDF) seeks views on the implementation and operational framework for the Scheme in Hong Kong.

Benefits of the Scheme

The Scheme aims to provide better protection of personal data among corporate data users. Once the Scheme is implemented, data users will be required to submit an annual return detailing the personal data they control and the purposes of collection or processing of such data. Data users may provide more information than prescribed by the Commissioner if they so wish, in order to show their commitment to the protection of their customers' personal data. It is hoped that the Scheme will lead to greater accountability and transparency in corporations' data protection practices, as well as an enhancement of their data privacy protection standards. Companies required to submit Data User Returns will need to take care when filling them in and provide correct information, as the intentional provision of false or misleading information constitutes an offense under the Ordinance (attracting a fine of HK$10,000 and imprisonment for up to 6 months). It is also an offense not to submit a return or to submit it late (although a penalty will be applied for the late submission of a return, this will not rule out a prosecution for late submission).

The Commissioner will keep a Register of Data Users, in effect a database of data users, which would contain all the information submitted annually by data users. The register will be available to the public for inspection, thus giving data subjects an opportunity to understand data users' privacy practices and compare them with the practices of other data users. Data subjects will have a single point of access to information about how data users handle their personal data.


SABAM: advocate general highlights tension between privacy and copyright

The advocate general of the European Court of Justice issued his long-awaited opinion in the SABAM case, a case that discusses the ability of ISPs to filter Internet content in order to detect illegal copyright infringements. The advocate general highlights the tension between privacy rights and copyright, and the criteria that must be satisfied in order for a filtering measure to be constitutionally valid in Europe. In the SABAM case, the advocate general found that one of the constitutional criteria was lacking, because Belgium had not enacted a specific law that would permit the kind of filtering that had been ordered by the court in the SABAM case. The opinion is summarized by Hogan Lovells privacy lawyer Winston Maxwell in a recent article. The article also discusses the TalkTalk case in the United Kingdom.

Looking Back at the eG8

In a recent article, Christopher Wolf looks back at the eG8 conference and pleads for better transatlantic cooperation on privacy matters, explaining the tension between U.S. First Amendment traditions and certain European proposals, including the right to be forgotten.