The Council of the EU failed to make any progress towards the adoption of an agreed negotiating position on the Data Protection Regulation at its meeting on Friday, 6 December 2013. While momentum had begun to build following the vote by the EU Parliament’s LIBE Committee in October, expectations of progress within the Council were dampened by the formal agenda circulated before the Justice and Home Affairs (JHA) Committee met, which tabled a review of the current state of play and detailed discussion of the one-stop-shop issue.
With the new year fast approaching, the Federal Trade Commission and the National Telecommunications & Information Administration, a bureau within the Department of Commerce, recently announced a number of privacy initiatives for 2014 that will break new ground for both agencies and will impact a wide array of industries.
On November 27, the European Commission released a strategy memo on rebuilding trust in the mechanisms allowing data to flow from the European Union (“EU”) to the United States. The Commission recognizes that EU-U.S. data flows are essential to the strategic and economic partnerships between the two markets. However, revelations about U.S. surveillance programs have, according to the Commission, caused EU Member States and citizens to believe that the current data transfer mechanisms do not provide adequate protections for personal data. To address those concerns and rebuild trust in transatlantic data flows, the Commission recommends six initiatives, including specific recommendations for reforming the U.S. privacy framework. Of particular note, the Commission identified several shortcomings with the EU-U.S. Safe Harbor framework and offered 13 recommendations for reform. And the Commission once again calls on the United States to adopt comprehensive privacy legislation.
A new paper published by the Future of Privacy Forum examines the appropriate privacy paradigm for the world of the Internet of Things. The paper was co-authored by Hogan Lovells Privacy and Information Management practice leader Christopher Wolf who also is the founder and co-chair of the Future of Privacy Forum (with co-author Jules Polonetsky). The [...]
On November 19, 2013 the Federal Trade Commission will hold its first ever workshop on the Internet of Things. The Workshop does not aim to debate regulation or codes of conduct, but is rather a fact finding mission aimed at uncovering the privacy and security concerns inherent in the Internet of Things, where a range of devices collect and communicate personal information perpetually.
On October 25, 2013, the Standing Committee of China’s National People’s Congress passed an amendment (“Amendment”) to the 1993 Law of Protection of Consumer Rights and Interests, which addresses longstanding issues related to e-commerce fraud and illegal disclosures of consumers’ personal information. The Amendment, which takes effect on March 15, 2014, reforms China’s 20-year-old consumer protection law by providing more robust protections to consumers, including provisions that restrict the collection, use, and disclosure of consumers’ personal information and require consent to send commercial communications.
On October 22, the FTC announced a settlement with national “rent-to-own” retailer Aaron’s, Inc. on charges that it knowingly assisted its franchisees in tacitly collecting images and information about their customers. Specifically, the FTC alleges that Aaron’s “played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers including taking webcam pictures of them in their homes.”
The EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) voted on Monday to adopt its report on the draft General Data Protection Regulation and the separate Directive for the law enforcement sector. This vote sets out the Parliament’s position for its negotiations with the Council and Commission (known as the “trialogue” stage). The Committee aims to have a plenary Parliamentary vote in March before the Parliamentary elections.
Last month, the FTC announced its settlement with technology company TRENDNet over charges that the company’s lax security practices led to the public exposure of private video feeds. TRENDNet manufactures a range of networking hardware, including Internet-accessible surveillance cameras. According to the FTC complaint, some of the feeds from these cameras were disclosed online without authorization. Under the terms of the settlement, TRENDNet is enjoined from misrepresenting the security and privacy features of its Internet-accessible products and their associated apps, and the company must establish a comprehensive security program subject to biennial third-party assessments. The FTC describes this settlement as the conclusion of the agency’s first enforcement action “against a marketer of an everyday product with interconnectivity to the Internet” – also known as the “Internet of Things.” Our post addresses what insights the settlement provides regarding the FTC’s current approach to enforcing security standards and indicates that the FTC may be broadening its characterization of sensitive data.
On October 17, Jan Albrecht, rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”), issued a release in which he claims that “Edward Snowden and the PRISM scandal laid the ground” for including a prohibition against telecommunications and Internet companies transferring data to other countries’ governmental authorities unless otherwise permitted by EU law. Albrecht’s release offers 10 points to describe the draft Regulation that LIBE is scheduled to vote upon on October 21. If LIBE adopts the draft, the Parliament, Council, and Commission will begin work on negotiating the final legislation, which parliamentarians hope will be adopted before elections in May 2014.
On 14 October, the Article 29 Working Party of EU data protection commissioners published a Working Document providing guidance on obtaining consent for cookies, some eighteen months after the effective date of the so-called “cookie consent law” which required EU websites to obtain consent from Internet users before before placing cookies on their devices. The document analyses, to some extent, the practices more commonly used by website operators to obtain the required consent, and attempts to answer the question as to what measures would “be legally compliant for a website operating across all EU Member States.”
On Monday, a European Parliament Inquiry established to investigate the recent U.S. National Security Agency surveillance revelations indicated that its final report would recommend suspension of the popular EU-U.S. Safe Harbor Framework.
On Wednesday, Harriet Pearson, a partner in Hogan Lovells’ Privacy and Information Management Practice, appeared on the Cyberlaw and Business Report Internet radio show to discuss newly enacted California privacy laws. This blog post contains a link to the interview and a downloadable podcast.
At the 35th annual Conference of Data Protection Authorities and Privacy Commissioners in Warsaw, Poland today, Hogan Lovells partner and privacy practice lead Christopher Wolf spoke on the issue of privacy and trade in light of the ongoing Transatlantic Trade and Investment Partnership negotiations between the EU and the U.S. This post contains prepared remarks to the commissioner’s on the need for interoperable cross-border privacy standards and the merits of the U.S. privacy regime.
With the focus this summer on nation-states’ collection of electronic data, an important question went unanswered – what rights do individuals have to challenge government access to their data? We set out to answer that question in the fourth installment in Hogan Lovells’ White Paper series examining government access to data held by service providers. In the White Paper, available through this blog post, we compared the ability of citizens and non-citizens to challenge government access to data in the U.S., France, Germany, the UK, and Australia, concluding that of the countries surveyed, the right of redress appears strongest in the United States.
The UK Information Commissioner’s Office (the “ICO”) recently published further guidance on encryption on its blog. The ICO has taken the position for some time that if a business holds sensitive personal information on portable or mobile devices, it should protect that information using appropriate encryption software. If that does not occur and such information is compromised, the ICO has stated that it may pursue regulatory action. The guidance does not modify the ICO’s position on encryption, but it does explain in layman’s terms what the ICO means by encryption and the different types of encryption that are available, so non-technical data protection officers may find it a helpful introduction to this topic.
Price discrimination based on tracking of Internet Protocol addresses – numerical identifiers assigned to devices that are connected to the Internet – was in the news again this week after a Belgian Member of the European Parliament, Marc Tarabella, called for action from the European Commission to investigate the practice.
Somewhat of a furor has been caused in Hong Kong by the decision of the Office of the Privacy Commissioner for Personal Data to issue an enforcement notice to stop a company from supplying data on individuals obtained from publicly available litigation and bankruptcy records via a smartphone application, claiming that the company “seriously invaded” the privacy of those individuals.
The Organization for Economic Cooperation and Development (OECD) has released a revision of its 1980 Privacy Guidelines. The fundamental elements of the original guidelines, the Fair Information Practice Principles (FIPPs), remain in place, but the OECD recognizes the revolutionary changes in technology since the first OECD Guidelines, and the importance of the digital economy and [...]
On August 26, the California legislature passed AB 370, which would require commercial websites and other online services such as mobile apps to include language in their privacy policies disclosing whether the service uses third-party vendors to track users across a network of other websites or online services, and how the users can opt out of such tracking using a centralized “do not track” signal or other mechanism. If signed by the governor, as expected, this bill would apply de facto to most websites and mobile apps by virtue of their accessibility in California, and would require revision of many privacy policies as a result.
The bromide that people in glass houses should not throw stones comes to mind when one hears European Union authorities criticizing the U.S. privacy framework as a whole because of the recent National Security Agency revelations.
Earlier this summer, EU Vice-President Viviane Reding called EU data protection reform “the answer to PRISM [one of the Snowden NSA disclosures]” and called PRISM a “wake-up call.” Reding said that the EU-U.S. safe harbor “may not be so safe after all” and warned that the commission will present a “solid assessment” of the safe harbor by the end of the year, ominously suggesting that the withdrawal of an adequacy finding for the safe harbor (required under EU law for it to remain in effect).
On September 1, China’s Provisions on the Protection of the Personal Information of Telecommunications and Internet Users will come into force, affecting a wide range of consumer-facing websites, including corporate sites, product information sites, and social media pages. This post examines some of the requirements of the Provisions, and provides a link to a comprehensive Hogan Lovells Corporate Alert describing recent privacy-related legislative developments in China.