Last month, bankrupt company RadioShack settled with a coalition of seventeen attorneys general to destroy most of the company’s customer data in its files. The agreement was part of a Bankruptcy Court-approved $26.2 million sale of RadioShack’s assets.
The Federal Trade Commission has published new guidance that “summarizes lessons learned” from the FTC’s 50-plus data security settlements while also announcing a series of data security conferences. In the new guidance titled “Start With Security: A Guide for Business,” the FTC acknowledges that the data security requirements contained in the settlements apply only to the affected companies. However, the settlements—and the FTC’s distillation of them—reveal regulatory expectations and identify risks that can affect companies of all types and sizes. In this post, we summarize the FTC’s new guidance and provide details on the FTC’s data security conferences happening this fall.
On June 30, 2015, the French data protection authority, the CNIL, announced that it gave notice to 20 websites to comply with the consent requirements applicable to cookies. After patiently waiting for almost a year to give websites the opportunity to comply with the cookie notice and consent rules explained in its official guidance from December 2013, the CNIL launched a series of audits (27 online audits, 24 on-site audits and 2 hearings) in October 2014.
After the recent release of the discussion draft of its Framework for Cyber-Physical Systems, the National Institute for Standards and Technology has continued its push to facilitate the development of a more secure interconnected environment by convening a workshop on cybersecurity for smart cities. Co-hosted by the Cyber Security Research Alliance and titled “Designed-in Cybersecurity for Smart Cities: A Discussion of Unifying Architectures, Standards, Lessons Learned and R&D Strategies,” the workshop brought together representatives of government, industry, and academia to discuss how cybersecurity and privacy might be designed into the infrastructure of smart cities.
Last week, U.S. District Court Judge Edward M. Chen denied AT&T Mobility’s motion to dismiss the Federal Trade Commission’s (FTC’s) October 2014 complaint alleging that AT&T engaged in unfair and deceptive practices in connection with its retail mobile broadband data services. AT&T argued that its status as a common carrier makes it exempt from enforcement of the FTC Act. The court disagreed. At issue is the scope of the common carrier exemption.
Earlier this month, the Canadian Radio-television and Telecommunications Commission’s Chief Compliance and Enforcement Officer issued a Notice of Violation and $1.1 million penalty to Compu-Finder for four violations of the Canadian Anti-Spam Legislation. Although Compu-Finder was apparently engaged in “flagrant” CASL violations, according to the Chief Compliance and Enforcement Officer, the CRTC also confirmed that it is assessing CASL complaints and that “a number of investigations are currently underway.” Therefore, organizations engaging with individuals located in Canada should review their communications and marketing practices for compliance under CASL and other applicable law.
In its recent Open Internet Order, the U.S. Federal Communications Commission determined that broadband Internet access services are appropriately classified as common carrier “telecommunications services” under the Telecommunications Act of 1996. In doing so, the agency established itself as the primary U.S. data privacy and security regulator for those services and triggered additional requirements under the Act. It also promised a future rulemaking that could result in a sea change in how ISPs and their business partners interact with consumer data. Although the decision is widely expected to be appealed in court, organizations operating across the broadband ecosystem would be prudent to assess the potential impact on their current and planned online service portfolio.
On March 16, the U.S. Commerce Department’s Internet Policy Task Force published a Request for Public Comment for input on the key cybersecurity issues affecting the digital ecosystem and digital economic growth. The IPTF aims to coordinate and facilitate consensus-based multistakeholder processes to generate collective guidance and identify best practices. Through this effort, the IPTF seeks to broaden the focus of federal cybersecurity efforts beyond securing critical infrastructure. A number of key cybersecurity challenges have been identified in the Request for Public Comment, and the IPTF is inviting commenters to highlight other topic areas that the IPTF should consider including as part of this process.
This week, the National Institute of Standards and Technology released a preliminary discussion draft of its Framework for Cyber-Physical Systems. The draft has an ambitious goal: to create an integrated framework of standards that will form the blueprint for the creation of a massive interoperable network of cyber-physical systems (CPS), also known as the “Internet of Things.” In 2014, NIST established the cyber-physical systems public working group (CPS PWG)—an open public forum which includes representatives from government, industry, and academia—to develop the CPS framework. By creating a common framework at an early stage of the Internet of Things, the CPS PWG hopes to ensure the development of a secure, integrated, and interoperable ecosystem of connected devices. The CPS PWG will continue to solicit input as it refines the draft and works to finalize the framework for use in multiple industry sectors.
On March 4, the U.S. Commerce Department’s National Telecommunications and Information Administration announced it is seeking comments on how to structure a new multistakeholder process to develop best practices for commercial and private unmanned aircraft systems use. NTIA also announced that it will likely hold its first multistakeholder meeting within 90 days.
An issue that has started to appear on the privacy agenda is privacy and the “connected car.” Automakers here in the United States have taken the lead on privacy, and have answers to many of the inevitable privacy questions. Late last year the major automakers voluntarily agreed to a set of privacy and data security principles that will regulate how automakers collect, use, and share information. No other industry in the “Internet of Things” ecosystem of which connected cars are a part has done as much or has gone as far as automakers. The automakers understand that without the trust of consumers, new technologies will not be as readily embraced. The Privacy Principles provide a strong basis for such trust.
The status of consumer data security law in the United States is at a crossroads. Last week, the White House released a discussion draft of its Consumer Privacy Bill of Rights Act of 2015, which would require businesses collecting personal information to maintain safeguards reasonably designed to ensure the security of that information. And yesterday, the Third Circuit held oral argument in FTC v. Wyndham Worldwide Corp., in which the district court last April denied Wyndham’s challenge to the Federal Trade Commission’s data security enforcement efforts.
On Friday, February 27, the White House released its promised draft privacy and data security legislation. The proposed Consumer Privacy Bill of Rights Act of 2015 contains few, if any, surprises and would codify the framework that the White House proposed in 2012, imposing privacy and data security requirements across sectors and industries. The proposal has drawn criticism from the Federal Trade Commission and privacy advocates for not containing enough consumer protections, and from the business community for a lack of clarity and the potential to stifle innovation and to create other unintended consequences. In this post, we summarize the Act and some of the ramifications if it were to be adopted in its current form.
Hogan Lovells’ leading Privacy and Information Management practice will actively participate at this week’s IAPP Global Privacy Summit 2015. Enclosed is a listing of events in which our lawyers will be featured.
On February 26, the U.S. Department of Education issued guidance aimed at assisting schools and school districts when considering whether the use of online educational services and mobile applications complies with student privacy laws. The guidance consisted of two main components. First, the Department published a document entitled Protecting Student Privacy While Using Online Educational Services: Model Terms of Service, which evaluates common privacy-related provisions in online Terms of Service and analyzes how they comply with student privacy requirements. Second, the Department produced a user-friendly, 10-minute training video directed to K-12 administrators, teachers, and staff about schools’ privacy obligations when using online educational services and applications. Finally, the guidance encourages school administrators to check the Student Privacy Pledge when considering whether to use online educational services in the classroom.
Following President Obama’s announcement last month that the administration would be proposing a consumer privacy bill of rights, the Obama Administration today posted its proposed legislation. Check back here soon for further information about the proposal.
Undoubtedly one of the more mind-bending exemptions to apply under the Freedom of Information Act 2000 (FOIA) is the exemption for personal information (s.40) (although sections 30 and 36 are also up there!). This is partly due to s. 40’s close link with the Data Protection Act 1998 (DPA). Not one to hog the limelight, the DPA has typically been cited in past litigation as a secondary or even tertiary issue to the main action when there is a claim for breach of confidence or breach of privacy. This led to a scarcity of judicial rulings on the DPA prior to the FOIA. However, in the Tribunal and higher court decisions flowing from the FOIA, certain aspects of the DPA have frequently been examined when public authorities seek to rely on the s. 40 exemption. Consequently there have been a number of rulings on the scope of personal data and on the ‘legitimate interests’ ground as a legal basis for disclosing such information. These rulings have been based on the DPA which itself implements the EU Data Protection Directive 95/46/EC. But the Directive is due to be replaced by an EU Regulation in the next few years. What will this mean for how the s. 40 exemption under FOIA is interpreted?
In 2014, the Internet of Things and big data were two of the hottest buzz words among privacy professionals. This year, “robotics” may be one of our oft-spoken words. In this post, we look at two of the challenges that robotics brings. One challenge facing privacy professionals is how to address potential privacy issues as autonomous robots powered by big data and network connectivity are brought into our personal spaces. Another, often equally challenging issue, is how to implement robotics in a legal and regulatory landscape that was designed, in many cases, for the relatively slow-paced technologies of the Internet where the chirps of dial-up modems broadcast our connections.
On February 15, the White House issued a Presidential Memorandum on safeguarding privacy, civil rights, and civil liberties in the domestic use of Unmanned Aircraft Systems. The memorandum launches a multi-stakeholder process to establish voluntary baseline privacy standards for commercial use of UAS and establishes principles that will govern the federal government’s use of UAS.
A new law in China taking affect in March of this year will provide businesses with a clearer understanding of what types of information are protected as consumer personal information in China. This new definition will clarify companies’ obligations with respect to the use and processing of that information under other Chinese laws and regulations. A failure by businesses to recognise these new requirements can lead to onerous penalties including fines.
The FTC denied AgeCheq’s application for approval of a proposed verifiable parental consent (VPC) method under COPPA. Under COPPA, operators of online services that are directed to children are required, except for limited situations, to obtain VPC prior to collecting personal information from children. Specifically, COPPA requires operators to obtain verifiable parental consent, taking into consideration available technology and any method must be reasonable calculated in light of available technology, to ensure that the person providing consent is the child’s parent. COPPA further provides a non-exhaustive list of acceptable methods that include (i) obtaining a form signed by a parent; (ii) receiving a credit/debit card or certain other online payment mechanisms if associated with a monetary transaction; (iii) a parent calling a toll-free number; (iv) parental consent by videoconference; (v) verifying parental identity against a form of government-issued identification; and (vi) traditional “email plus” where children’s personal information will be used for internal purposes only.
Today, the White House released a report titled, “Big Data and Differential Pricing.” The report examines the concern that companies will use the consumer information they collect to more effectively charge different prices to different customers. While it finds that there are substantive concerns about differential pricing in the era of Big Data, it concludes that “many of [these concerns] can be addressed by enforcing existing antidiscrimination, privacy, and consumer protection laws.” The report also calls for increased transparency into how companies use and trade their data as a way to promote competition and better inform consumer choice.