ISPs agree to 'five strikes' graduated response

Hogan Lovells partner Daniel Brenner speculates on the impact of the July 2011 Memorandum of Understanding between major U.S. ISPs and content owners.  The Center for Copyright Information (CCI) will be responsible for administering the new graduated response system, and for defining privacy standards that rights holders and ISPs must apply.  Will the mitigation measures promised by ISPs be effective in curbing copyright piracy?  Will the MOU's limitation to P2P exchanges limit the system's effectiveness?  Read the full story here.

FTC Announces Settlement with Facebook

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office

The Federal Trade Commission (FTC) this afternoon announced a proposed consent decree with the prominent social network Facebook, settling allegations that Facebook violated Section 5 of the FTC Act by failing to live up to representations made to consumers regarding its privacy practices.  The settlement imposes a series of measures that Facebook must undertake to better protect the privacy of its users, including the development of a comprehensive written privacy program.  The FTC also requires Facebook to obtain an initial independent privacy compliance assessment and then further assessments every two years for the next 20 years.  Given the FTC's recent consent decrees with Google and Twitter and their associated audit and record-keeping obligations, the FTC now effectively has regulatory oversight over the privacy and data security practices of the three most prominent social networking companies in the United States.


Live Blogging from the IAPP Privacy Congress in Paris

Barbara Bennett, Stefan Schuppert, Winston Maxwell, Lionel De Souza and I are the Hogan Lovells lawyers participating in the IAPP Privacy Congress in Paris.  I am moderating and participating in sessions on cloud computing with Bojana Bellamy of Accenture, and a panel on convergence with Lord Richard Allan of Facebook and Wendi Lozada-Smith of AT&T.  This entry contains a live blog from the opening session.

The Privacy Congress comes on the eve of the European Commission's proposal for revision of the EU privacy framework and the anticipated release of the Department of Commerce White Paper and FTC Report on privacy.  So the future of privacy law is very much in focus.

The Chair of the Dutch Data Protection Authority and Chair of the Article 29 Working Party, Jacob Kohnstamm, is the opening speaker.

The patchwork of laws across Europe requires a region-wide regulation to provide a level playing field and uniformity.  This should be the focus of the European Commission's upcoming proposal for revision of the legal framework.

The present norms, which are technologically neutral, should persist and be strengthened.

Given the increasingly cross-border context of issues, the Article 29 Working Party will have to play a stronger role in interpretation and clarification.  More frequent guidance on issues such as the definitions of "personal data" and "consent" will be needed, while still recognizing the independence of national Data Protection Authorities.  The powers of DPAs need to be harmonized and strengthened, including the ability to enjoin data processing and to levy fines.  Up to now, there have been no significant court judgments in terms of fines.

The Article 29 Working Party needs a new name to reflect its true role and importance.

Data controllers need to ensure compliance and to demonstrate such compliance.  Privacy should be the first step when launching new products and services, not the last step.  Privacy by Design and transparency are essential.

Companies should be able to seek guidance externally from privacy professionals just as they do with respect to competition law.

The Chairman went on to criticize Google, Facebook and the Online Behavioral Advertising industry for their interactions with DPAs and the Article 29 Working Party, and suggested that under the new regime, their conduct would have been different.

In the Q and A session, which became an especially lively exchange, Peter Fleischer of Google pointed out that changes to Google Buzz were made even before a letter of complaint from the Article 29 Working Party had been received.

The Chairman re-assured a questioner that innovation is taken into account along with privacy when the Article 29 Working Party considers regulation.  "We are paid to deal with privacy, however."

The main task of a DPA is enforcement, not to sit with individual companies in an advisory capacity on what they should be doing.

On the Global Privacy Enforcement Network (GPEN), the Chairman said the idea was information sharing during enforcement actions, but he observed that national restrictions on information sharing have not produced as much cooperation as envisioned.  The Commissioners nonetheless are committed to working together more across borders.

The second speaker is Viviane Reding, Vice-President of the European Commission, responsible for Justice, Fundamental Rights and Citizenship.

I will share some of the contents of the forthcoming European Commission recommendations on the revision of the Data Protection framework:  Codes of practice such as Binding Corporate Rules are not explicitly foreseen in the current Directive but are recognized as a matter of practice by the Article 29 Working Party.  One of the strengths of BCRs is legal certainty and flexibility.  (Interesting that the primary focus here is on the BCR code of conduct concept, similar to the anticipated focus on codes of conduct by the US Department of Commerce in its White Paper.)

My reform plans for BCRs: Simplification -- Approval from each member state is currently required, which is costly and an administrative burden.  A waste of time and money, and sometimes detrimental to the credibility and efficiency of DPAs.  I propose that BCRs be based on EU law, with a streamlined approval process and a single point of contact.  Once approved by one DPA, no further approval is needed.  BCRs should be usable by companies of any size, and should cover everything from paper-based filing systems to cloud computing.  Consistent Enforcement -- Enforcement should be possible by any DPA (unlike now, where not all DPAs have enforcement power).  DPAs and courts should be able to enforce.  Innovation in Enforcement -- We need to encourage innovation in enforcement and embrace new technology.  First, we need to consider geographical borders.  Data subjects, controllers and processors may be in different jurisdictions.  BCRs should apply to all internal (inside the EU) and external (in the US, India, Asia and South America) processing.  BCRs should apply both to data controllers and processors.  This would extend to cloud computing.

BCRs will facilitate international interoperability.

We are in a period of difficult economic times and decisions.  While bringing member states out of their debt crisis, we need to do everything to promote economic growth.  I will do my utmost to ensure that data protection reform will both reinforce the fundamental protection of individual rights and promote growth.

Ms. Reding did not take questions.

Geolocation services: a five country survey

Hogan Lovells privacy attorneys examine the challenges of deploying geolocation services in five jurisdictions: France, Spain, Germany, the United States and Hong Kong.  Privacy laws in each jurisdiction differ, including on the definition of "personal data" and on the degree of user consent that is required.  The article also examines Article 29 Working Party Opinion 13/2011 on "Geolocation services on smart mobile devices."  See the full article here.

Full Length Video of Cloud Computing and Privacy Session Available Through This Entry

Hogan Lovells Privacy and Information Management practice leader Chris Wolf moderated a panel on cloud computing on Tuesday, November 15th in Washington, DC featuring government and industry leaders, as reported here.  A blog entry by Susie Adams, Chief Technology Officer of Microsoft Federal, containing a full-length video of the session is available by clicking here.

FTC Extends Deadline for COPPA Comments from Nov. 28 to Dec. 23

The FTC today extended to December 23 the deadline for public comments to its proposed revisions to the Children’s Online Privacy Protection Rule, which regulates the collection of personal information online from children under 13 under the Children’s Online Privacy Protection Act (“COPPA”). Back in September, we extensively summarized the FTC’s announcement of the proposed revisions, which contemplate several major changes to the existing COPPA regime including:

  • clarifying that the COPPA Rule applies not only to websites, but also to other technologies that can be considered “online services,” such as mobile apps, network-connected games, and some text messages; 
  • a more expansive definition of “personal information” to include IP addresses, customer numbers held in cookies, device identifiers, the linking of information across websites, and geolocation information – all of which may impact companies’ behavioral advertising activities;
  • streamlining and clarifying the notices that operators must provide to parents about their information collection practices;
  • changing the existing parental consent mechanism by removing the popular “email plus” verification method and adding several new methods;
  • enhancing security provisions and requiring operators to ensure that third-party service providers to whom an operator discloses a child’s personal information have reasonable privacy and security procedures in place; and
  • changing the existing COPPA enforcement program to require “safe harbor programs” to exercise more oversight.

The previous deadline for the submission of comments was November 28.

Cross-Border Data Flows Free from Overly Restrictive Rules Touted by Industry and Government

At a time when leaders in the EU are poised to propose privacy rules that could well restrict the activities of US businesses, Google, Microsoft, Citigroup, IBM, GE and other major American companies have urged the United States to push for trade rules that protect the free flow of information over the Internet.  In particular, the group's Report, available here, urges that countries avoid "digital protectionism," and the report specifically addresses security and privacy:

Security and Privacy. The business community supports the right of governments to ensure the safety, security and privacy of its citizens and recognizes that approaches may differ between countries and across sectors. At the same time, as in any measure affecting international trade, governments must be able to communicate clearly the rules, rationale and compliance procedures governing these interests to businesses and individuals and make certain that those procedures are not overly disguised restriction to international trade. For example, some countries have discriminated in favor of local businesses by selectively applying filtering regimes which degrade service; by mandating the use of domestic products or intellectual property; by requiring product certifications to be carried out locally; by rerouting traffic from global Internet brands to local competitors; or by applying their laws in a manner that discriminates against foreign suppliers or services. In addition, governments often work outside of established legal frameworks or processes when seeking commercial, financial or personal data, which raises a host of concerns about privacy, safety and security.

US Deputy Chief Technology Officer Danny Weitzner, in a similar vein, warned today in a speech to the US Chamber of Commerce that EU rules may be too stringent and that the Obama Administration will work to convince European regulators that voluntary but enforceable industry codes of conduct are the way to go.  Also, the FTC today applauded the approval by the forum on Asia-Pacific Economic Cooperation (APEC) of a new initiative to harmonize cross-border data privacy protection among members of APEC designed to enhance the protection of consumer data that moves between the United States and other APEC members.

Reflections from Brussels on the Mexico City DPA Conference

This entry comes from Elisabethann Wright, a Partner in our Brussels Office, who presented at the 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City last week. Elisabethann focuses on EU law relating to life sciences, with particular emphasis on pharmaceutical law, medical devices, food law, and the environment. In Mexico, she drew upon her experience assisting clients in clinical trial agreements, adverse event reporting, product withdrawals and challenges to national authority and EU Institution decisions concerning the classification and marketing of medicinal products and medical devices.

At the Mexico City gathering of international Data Commissioners, officials from a number of EU Member States expressed disappointment at the low levels of compliance with their data privacy obligations demonstrated by data controllers in their territory. One Data Commissioner estimated that a depressing 95% of data controllers failed to comply with their obligations.

One consequence of this failure will be an apparent change in approach by Data Commissioners. While Commissioners and their officials previously have sought to advise and support data controllers in understanding and fulfilling their role and obligations, the future approach, influenced at least in part by the ambivalence displayed by data controllers, will focus on compliance. Several Commissioners expressed an intention to make enforcement of obligations their priority in the future.

The possibility of a single approach to the protection and use of data generated in relation to clinical trials was the subject of my panel during the Congress. Similarities of approach evidently exist between territories in relation to some aspects of data privacy in clinical trials. This includes the nature and content of patient informed consent forms. However, the suitability of basing secondary investigation on initial informed consent varies widely, as do the restrictions imposed on transfer of clinical data from one territory to another. The possibility that a single acceptable approach to these issues could be found was discussed. However, the general consensus was that, at least from a legislative perspective, a single approach is unlikely to evolve in the near future.

Among the snippets of information demonstrating the evolution of official approaches to data collection that I gathered from the Congress was the fact that, when Neil Armstrong brought back soil and rock samples from the moon in 1969, he was required to complete an import form to bring them on to US territory. “One large step for mankind but still subject to regulation."  Future uses of data to benefit mankind likely will be met with similar regulation, and as it appears from the comments of regulators meeting in Mexico, disregard and non-compliance will increasingly be met with enforcement. 

Complimentary 11/15/11 Lunchtime Event on Cloud Computing Hosted by Microsoft Moderated by Hogan Lovells Privacy Leader

Hogan Lovells Privacy and Information Management practice leader Chris Wolf will moderate a complimentary lunchtime panel on cloud computing on Tuesday, November 15th in Washington, DC featuring government and industry leaders.  Readers of the Hogan Lovells Chronicle of Data Protection are invited to attend and participate.

For a place at the event, please send an e-mail to the address below: dcrsvp@microsoft.com

FTC Announces First Flash Cookie Enforcement and Settlement with Child Social Network

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office

The Federal Trade Commission (FTC) yesterday announced settlements with two online companies for deceptively collecting personal information from consumers.  In the first enforcement action against the use of Flash cookies, the FTC alleged that ScanScout, an online behavioral advertiser that was recently acquired by Tremor Video, circumvented user choice by collecting information through Flash cookies even while telling consumers they could opt out of this collection through other means. In the case of Skid-e-Kids, a social networking website that targets children, the FTC alleged violations of both the FTC Act and Children’s Online Privacy Protection Act (“COPPA”) for the collection of personal information from children without parental consent. 


FCC Proposes $2.96 Million Forfeiture for TCPA Violations

The Federal Communications Commission (FCC) has released a Notice of Apparent Liability for Forfeiture (NAL) against Travel Club Marketing, Inc. (Travel Club) in the amount of $2.96 Million for apparent violations of the Telephone Consumer Protection Act (TCPA) and related FCC rules regarding the delivery of prerecorded messages, as well as its Caller ID rules.  This enforcement action serves as a reminder to companies placing autodialed calls or delivering prerecorded messages to ensure that such calls and messages comply with the TCPA and the FCC's rules.


Social Network Impersonator Fined by Spanish Data Protection Authority In New Exercise of Regulatory Authority

By Pablo Rivas and Marta Jaureguizar in our Madrid Office

On October 20th, the Spanish Data Protection Authority, the Agencia Española de Protección de Datos (AEPD), announced an unprecedented decision against an individual who impersonated someone on a social networking site and thus engaged in identity theft.  The AEPD fined the individual, who had created a profile on a sexually-oriented social network using the personal details of a third person, including that person's name, surname, phone number, and photo.  Notably, the AEPD did not proceed against the online host of the impersonator's content.

The impersonation was found to be a processing of the impersonated individual's personal data without his/her consent, constituting an infringement of the Spanish Data Protection Act 15/1999, of 13 December 1999.  While online impersonation has been the subject of judicial actions in Spain, this was the first exercise of the regulator's authority under the data protection law. 
