Privacy Implications of Ubiquitous Digital Sensors

USA Today and "The Last Watchdog" blog published a story today on the privacy implications of ubiquitous digital sensors, in which Hogan Lovells Privacy and Information Management practice Director Chris Wolf is quoted at length. Some excerpts:

Odds are you will be monitored today — many times over.

Surveillance cameras at airports, subways, banks and other public venues are not the only devices tracking you. Inexpensive, ever-watchful digital sensors are now ubiquitous.

Over the next couple of years, the volume of data generated by digital sensors will surpass the flow of e-mails and social-network entries combined, predicts Stephen Brobst, chief technical officer at data analytics firm Teradata. “Sensors will touch nearly every aspect of our lives,” he says.

Meanwhile, technology is rapidly being developed to efficiently mine this mushrooming trove of sensor data in novel ways.

Privacy worries

But before the blessings of pervasive monitoring can be fully realized, privacy concerns need to be addressed, says Chris Wolf, director of privacy and information management at global law firm Hogan Lovells.

“What’s new is the capacity for databases to share data and therefore to put together the pieces of a puzzle that can identify us in surprising ways — ways that really could be an invasion of privacy,” Wolf says.

Wolf, the privacy attorney, says the right to move through public places anonymously could be at risk. “We don’t have to tell everybody we pass on the street our name, phone number and address,” Wolf says.

Losing the right to anonymity, he says, could “really have a chilling effect on where we go, with whom we meet and how we live our lives.”

More Details and Analysis from Hogan Lovells of the FTC and Commerce Privacy Reports

On December 1st, the FTC issued a preliminary staff report entitled "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers." Following the FTC report, on December 16th, the Department of Commerce issued a "green paper" detailing initial policy recommendations for online privacy in the U.S.

The FTC Privacy Report and Department of Commerce Green Paper raise important questions on commercial use of information about people.  The Commission staff outlines privacy protections businesses will be expected to provide as collection technologies advance, and the Commerce paper proposes new laws and a new federal privacy office. 

In addition to our initial impressions about the FTC Report and DOC Green Paper, we release here a Privacy and Information Management Alert that provides an in-depth analysis including:

  • Development of the proposed framework;
  • Description and analysis of the proposed framework; and
  • Concepts advanced by the report.

You can access the full Privacy and Information Management Alert here.

US Department of Commerce Releases Draft Privacy Green Paper, Adding to Federal Examination of Privacy Protections

Preserving consumer privacy online and thereby bolstering consumer trust in the Internet is essential for businesses to succeed online, according to the just-released Department of Commerce Green Paper entitled “Privacy and Information Innovation: A Dynamic Privacy Framework for the Internet Age.”

The Green Paper was authored by the Internet Policy Task Force at Commerce – a joint effort of the Office of Commerce Secretary Gary Locke, the National Telecommunications and Information Administration, the International Trade Administration, and the National Institute of Standards and Technology. The paper follows a Notice of Inquiry to which many stakeholders responded, and a symposium last May. It also follows the December 1st release of the preliminary FTC Staff Report on Privacy.


BNA Article on FTC Report Features Hogan Lovells Attorney

The Bureau of National Affairs (BNA) Privacy Law Watch published the following report on yesterday's FTC Privacy Report, featuring observations by Hogan Lovells Privacy and Information Practice Leader Chris Wolf, which we reproduce here, with permission of BNA:

Privacy

FTC Proposes Industry-Led ‘Do-Not-Track' Mechanism in Long-Awaited Privacy Report

The Federal Trade Commission Dec. 1 published its long-awaited report on consumer privacy policy, a document that featured a call on industry to adopt a proposed set of self-regulatory best practices as well as several general policy recommendations for federal lawmakers to consider.

Notably, the FTC did not call for federal legislation or for additional regulatory powers to enforce industry compliance with whatever self-regulatory measures are eventually adopted.

Internet privacy policymaking is challenging for a number of reasons, the regulators said. Consumer expectations surrounding online privacy differ widely; the harms are often noneconomic and difficult to quantify; and technology changes rapidly, the report noted.

Bill Introduced to Limit Scope of Red Flags Rule

On November 17th, just six weeks before the Red Flags Rule is slated for FTC enforcement, a bipartisan bill (H.R. 6420) seeking to limit the scope of the Red Flags Rule was introduced. The bill, entitled the “Red Flag Program Clarification Act of 2010,” seeks to amend the definition of “creditor” under the Fair Credit Reporting Act and, hopefully, finally put to rest the scope of coverage issue that has been the source of great controversy.

The law establishing the Red Flags Rule was passed in January 2008, with a scheduled effective date of November 1, 2008. For financial institutions, the Rule is operative, but due to confusion and concerns over the scope of the rule – over what entities qualify as covered “creditors” – the FTC has delayed enforcement five times. The current date for FTC enforcement to commence is December 31, 2010. In announcing the most recent enforcement delay, the FTC stated that it was delaying enforcement of the Rule while “Congress considers legislation that would affect the scope of entities covered by the Rule.”

The Red Flags Rule aims to prevent identity theft by ensuring that entities are aware of possible signs of identity theft. The Rule requires “financial institutions” and “creditors” who maintain “covered accounts” to develop written identity theft prevention programs. Under the current Rule, a “creditor” is broadly defined as any person or entity that (a) regularly extends, renews, or continues credit; (b) regularly arranges for the extension, renewal, or continuation of credit; or (c) any assignee of an original creditor who participates in the decision to extend, renew, or continue credit for a covered account. The broad definition of “creditor” adopted under the Rule encompasses a wide variety of organizations, including many health care entities, law firms, and accountants.

H.R. 6420 seeks to narrow the scope of the Rule by exempting from the definition of “creditor” a creditor that “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.” The amended definition of “creditor” would also include any other creditors deemed (through rulemaking) by their appropriate regulating authority to offer or maintain “accounts that are subject to a reasonably foreseeable risk of identity theft.”

The new legislation comes while the FTC’s application of the Rule is facing several challenges in federal court from organizations such as the American Bar Association (ABA), American Medical Association and the American Institute of Certified Public Accountants. Most recently, on November 15, 2010, the U.S. Court of Appeals for the D.C. Circuit heard oral arguments regarding the ABA’s challenge to the FTC’s application of the Rule to attorneys.

Summary of Draft Department of Commerce Privacy Green Paper

The article below (reprinted with permission) from Telecom Reports Daily is based on the reporter's review of a copy of the draft Privacy Green Paper from the Department of Commerce, now under review at the White House. 

Notably, the article reports:

  • The Department of Commerce document is expected to be released in the coming weeks.
  • In all, the report makes 10 recommendations and poses dozens of questions on many of the proposals.  The department plans to seek formal comment on the questions in a separate “Federal Register” notice.
  • The report [says] that baseline legislation should be “built on an expanded set of Fair Information Practice Principles (FIPPs)."  
  • It asks whether the Federal Trade Commission should be given authority to impose rules implementing the privacy principles adopted by Congress.
  • As for other congressional action, the report [says] that lawmakers “should pass a data breach law for electronic records that includes notification provisions, encourages companies to implement strict data security protocols, and allows states to build upon the law in limited ways."


    DRAFT COMMERCE REPORT RECOMMENDS
    ONLINE PRIVACY OFFICE, LEGISLATION

    A draft Commerce Department report that is being reviewed by the White House recommends the creation of a privacy policy office and passage of legislation that establishes “a baseline privacy framework.”  In all, the report makes 10 recommendations and poses dozens of questions on many of the proposals.  The department plans to seek formal comment on the questions in a separate “Federal Register” notice.

    TRDaily has obtained a copy of the 54-page draft document, “Privacy and Information Innovation: A Dynamic Privacy Framework for the Internet Age.”  It is the work of Commerce’s Internet Policy Task Force, which has held more than six months of consultations, issued a notice of inquiry in April (TRDaily, April 21), and held a symposium in May (TRDaily, May 7).  The document is expected to be released in the coming weeks.  The task force is a joint effort of the Office of Commerce Secretary Gary Locke, the National Telecommunications and Information Administration, the International Trade Administration, and the National Institute of Standards and Technology.

    “As the Internet evolves, the Obama administration is committed to promoting policies that will preserve consumer privacy online while ensuring the Web remains a platform for innovation, jobs, and economic growth.  These are complementary goals, because consumer trust in the Internet is essential for businesses to succeed online,” said a Commerce Department spokeswoman, declining to discuss specifics of the report.  “In the coming weeks, the Commerce Department will issue a report that contains policy recommendations and seeks further input, with the aim of advancing both the domestic and global dialogue and contributing to an eventual administration-wide position on information privacy policy.”  The report is currently being reviewed by the White House Office of Management and Budget, according to a source.

    Recently, the Obama administration created a federal interagency panel to work on privacy and Internet policy (TRDaily, Oct. 25).  It is chaired by Commerce General Counsel Cameron Kerry and Assistant Attorney General Christopher Schroeder.

    The report said that comments submitted in response to the NOI “demonstrated a compelling need to provide additional guidance to businesses, to establish a baseline privacy framework to afford protection for consumers, and to clarify the U.S. approach to privacy to our trading partners - all without compromising the current framework’s ability to accommodate new technologies.”

    However, broadband industry providers commenting on the NOI told the department last summer that online privacy protections should be pursued through self-regulation, industry standards, and best practices, rather than through regulation and legislation (TRDaily, June 16).  Public interest groups, however, saw a role for government mandates, along with other approaches advocated by industry.

    The report said that baseline legislation should be “built on an expanded set of Fair Information Practice Principles (FIPPs).  Widespread adoption of comprehensive FIPPs is essential to achieving the goals we have set for the Dynamic Privacy Policy Framework.  Widespread adoption of FIPPs would protect privacy interests in data that currently receive little or no statutory privacy protection.  Also, given the flexibility inherent in the individual principles, a FIPPs baseline would help ensure consumer privacy protection as new technologies emerge.  Finally, the FIPPs-based framework that we envision would allow companies to direct resources to the principles that matter most for protecting privacy in a particular technological, business, or social context.  Legislation would authoritatively establish a FIPPs-based framework, but action by industry, civil society, the Executive Branch, and enforcement agencies can also help this framework take hold.”  It asks whether the Federal Trade Commission should be given authority to impose rules implementing the privacy principles adopted by Congress.

    As for other congressional action, the report said that lawmakers “should pass a data breach law for electronic records that includes notification provisions, encourages companies to implement strict data security protocols, and allows states to build upon the law in limited ways.  The law should track the effective protections that have emerged from state security breach notification laws and permit enforcement by state authorities.”

    And while it called for “baseline” privacy legislation, the report said that such a measure “should not preempt the strong sectoral laws that already provide important protections to Americans, but rather should act in concert with these protections.”

    In addition, the document said that “[a]ny federal law or regulation should seek to balance the desire to create uniformity and predictability across state jurisdictions with the desire to permit states the freedom to protect consumers and to regulate new concerns that arise from emerging technologies when federal law lags behind privacy issues created by a rapidly changing technological environment.”  Among the questions posed is whether state attorneys general should be given the authority to enforce national legislation.

    The report also called on the Obama administration to “review the Electronic Communications Privacy Act (ECPA), paying particular attention to assuring strong privacy protection in cloud computing and location-based services.  The goal of this effort should be to ensure that, as technology and market conditions change, ECPA continues to provide a fair balance between individuals’ expectations of privacy and the legitimate needs of law enforcement to gather the information it needs to keep us safe.”

    Regarding the privacy policy office (PPO), the task force said it could either be housed within Commerce or in the Executive Office of the President. The office would not have enforcement authority, it said. “The PPO would help guide industry-specific, multi-stakeholder undertakings in developing data privacy policies that respond to identifiable technological or business developments,” it said. “A PPO-facilitated process would provide a way for stakeholders who are examining innovative new uses of personal information to better understand changing consumer expectations – and identify privacy risks – early in the lifecycle of new products or services. As both a convener of diverse stakeholders and a center of Executive Branch privacy policy expertise, the PPO would work with the FTC in leading efforts to develop voluntary but enforceable codes of conduct. Voluntary principles developed through this process would be enforceable by the Federal Trade Commission and would serve as a safe harbor for companies facing complaints about their privacy practices.”

    In an Oct. 27 speech at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, NTIA Administrator Lawrence E. Strickling also stressed that the PPO “would complement, not supplant, the Federal Trade Commission or the other institutions of the Federal Government, such as the professional cadre of Chief Privacy Officers we now have in multiple agencies.  A key role for the new Privacy Office would be to bring together the many different parties that are necessary to help develop privacy practices.”

    The report also recommended an emphasis on FIPPs that focus on “enhancing transparency, encouraging greater detail in purpose specifications and use limitations, and fostering the development of verifiable auditing and accountability programs.”  It also said any legislation establishing “general FIPPs-based data privacy protection should include a safe harbor provision for companies that adhere to voluntary, enforceable codes of conduct.”  It also said that the FTC “should remain the lead consumer privacy enforcement agency for the U.S. Government,” but it sought questions on whether the FTC should be given additional rulemaking authority if voluntary enforceable codes are not established.

    The report also recognized the importance of collaboration with stakeholders from other countries. It recommended continued work by U.S. officials “toward increased cooperation among privacy enforcement authorities around the world,” that includes “a framework for mutual recognition of other countries’ privacy frameworks.”

    - Paul Kirby, paul.kirby@wolterskluwer.com

New York Times Article Suggesting US Agencies' Conflict Over Privacy Future May Be Wide of the Mark

The New York Times published a piece today with the headline "Stage Set for Showdown on Online Privacy," suggesting that the Department of Commerce and the Federal Trade Commission appear to be at odds over how to advance privacy in the United States. It is true that the privacy community is awaiting two separate reports, the Commerce "Green Paper" following a Notice of Inquiry on privacy and the FTC's Staff Report following the three privacy Roundtables, and no one knows exactly what the contents will be. But for those of us following the situation here in DC, the Times piece suggesting conflict is at odds with other signals from Commerce and the FTC.

Recall that David Vladeck recently previewed the major themes of the upcoming FTC Report at an IAPP gathering and said, on the issue of regulation vs. self-regulation, that the Commission has always supported self-regulation. With respect to privacy and online advertising, he said "I am disappointed in the progress of self-regulation". "Ad disclosures and icons are all good ideas, but implementation is very much a work in process." He concluded that the Commission and the public may lose patience with self-regulation if there is not better progress.

Assistant Secretary of Commerce Larry Strickling addressed the global privacy commissioners conference in Jerusalem recently:

First is the importance of trust.  It is imperative for the sustainability and continued growth of the Internet that we preserve the trust of all actors. For example, if users do not trust that their personal information is safe on the Internet, they will worry about using new services. If content providers do not trust that their content will be protected, they will threaten to stop putting it online.

Our approach, which we call Internet Policy 3.0, recognizes that the interplay among technical standards and design, multi-stakeholder institutions, voluntary best practices, and laws and regulations can ensure that the Internet continues to meet its economic and social potential. 

The framework I have in mind would build on current successes with voluntary codes but provide a more accountable, institutional structure for the future. (emphasis supplied)

The proffered approaches of the FTC and the Department of Commerce in the previews presented by the respective agencies' top officials seem remarkably similar. The notion that the Obama Administration would stage a "showdown" with the FTC, whose leadership it appointed, seems far-fetched. But time will tell.

FTC Business Center Provides Compliance Tools

The FTC unveiled an extremely useful web site with compliance tools:

The Federal Trade Commission has a new Business Center at Business.ftc.gov that gives business owners, attorneys, and marketing professionals the tools they need to understand and comply with the consumer protection laws, rules, and guides the FTC enforces.

The Business Center provides practical, plain-language guidance about advertising, credit, telemarketing, privacy, and a host of other topics.  A series of short videos explain the bottom line about what businesses need to know to comply, and the Business Center blog gives readers the latest compliance tips and information.

A new video encourages businesses to use and share the free resources in the Business Center to enhance compliance and build their customers’ trust.  Companies can use the compliance tips in their newsletters and blogs, share the resources with their social and professional networks, use the videos for in-house trainings or presentations, and order free materials to hand out at conferences or community events.

The FTC works to prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop and avoid them. To file a complaint or get free information on consumer issues, visit ftc.gov or call toll-free, 1-877-FTC-HELP (1-877-382-4357); TTY: 1-866-653-4261. Watch a new video, How to File a Complaint, at ftc.gov/video to learn more. The FTC enters consumer complaints into the Consumer Sentinel Network, a secure online database and investigative tool used by more than 1,800 civil and criminal law enforcement agencies in the U.S. and abroad.

With respect to privacy compliance in particular, there are sections on 

And included are

 

What the US Election Results Mean for Privacy

Update: According to the Washington Post, "A key Republican lawmaker indicated Wednesday [November 3] that Internet privacy could be a legislative priority in the next Congress, as a growing number of data breaches draw increased attention from federal regulators. Rep. Joe L. Barton (Tex.), ranking GOP member of the House Energy and Commerce Committee, signaled the legislative push in a statement about his correspondence with Facebook executives on privacy issues. 'I want the Internet economy to prosper, but it can't unless the people's right to privacy means more than a right to hear excuses after the damage is done,' Barton said."

Privacy was not on the ballot yesterday, but the results may affect the prospects for privacy legislation in the new Congress.

The big news is that Congressman Rick Boucher, a respected Virginia Democrat who has served for nearly 19 years, was defeated by Morgan Griffith, a Virginia state legislator. Boucher, along with Congressman Rick Stearns (R-FL) circulated a draft comprehensive privacy bill earlier this year and promised to introduce it after harmonizing it with the bill introduced by Congressman Bobby Rush (D-IL). The election result means that Boucher no longer will chair the House Communications, Technology and the Internet Subcommittee. He may be succeeded by Stearns, who presumably would still favor privacy legislation and make it a subcommittee priority. 

Stearns said earlier this week:

I have worked on developing privacy legislation from the time I was Chairman of the Commerce, Trade & Consumer Protection Subcommittee from 2001 to 2006 and I am still working on it. 

He also is reported to have said that he does not support all the provisions of the Boucher bill and "would like to see a bill" that is less prescriptive and "allows innovation to continue to flourish."

Whether his Republican colleagues, now in the majority, share his zeal for greater privacy regulation following an election whose theme was less government intervention remains to be seen. Moreover, Stearns also may prefer a leadership role on another committee, leaving the privacy legislation orphaned in the subcommittee. Candidates to lead the opposition on the Communications, Technology and the Internet Subcommittee include Rep. Anna Eshoo (D-CA), whose district includes Google headquarters, and Rep. Ed Markey (D-MA). Markey has been vigilant on privacy issues.

A glimpse into the privacy views of presumptive Speaker of the House John Boehner is his lawsuit under the Electronic Communications Privacy Act (ECPA) arising out of the interception and recording of a cell phone conference call Boehner had with Republican leaders concerning an ethics investigation into the conduct of Newt Gingrich, and the fact that he voted yes on retroactive immunity for telecoms' warrantless surveillance.

Whether privacy becomes a priority for the new Republican leadership is an open question, and will likely be driven by events and the headlines.

New to the US Senate is Connecticut Attorney General Richard Blumenthal, well-known for his aggressive investigations and settlements related to privacy issues. Blumenthal led the thirty-state investigation of Google concerning the company’s collection of user information while mapping out U.S. areas for Street View, and indicated that, despite the FTC's conclusion of its investigation into the episode, his office’s investigation would continue. Blumenthal also brought the first data breach enforcement action under the HITECH Act against Health Net earlier this year. It is fair to expect Blumenthal’s focus on privacy to continue once he is sworn in.

Despite the fear that the new political landscape in Washington means nothing but gridlock, some believe that privacy is one of the few issues that “will get done”.

A Call for Shared Responsibility for Preserving Individual Privacy

From a guest blog by Hogan Lovells Privacy and Information Management leader Christopher Wolf on The Last Watchdog:

Whose job is it to protect the privacy of personal information? That is the burning question in Washington these days.

Privacy is receiving so much attention right now not just because of headlines about Facebook and Google and their privacy missteps, but because we live in a time when people are sharing volumes of information about themselves and others on social networks, and when technology that can collect, share, analyze and store information about people is advancing at a staggering pace.

Think geo-tracking, behavioral-targeted advertising, and sensors collecting data about us connected to the Internet.

So who should be protecting our privacy? Some say that the government should finally pass a comprehensive privacy law that strictly regulates the collection and use of data.

Others say that companies using personal data have a responsibility to protect privacy, but should not be shackled by one-size-fits-all laws and regulations, lest economic progress on the Internet – one of the few bright spots in the economy – be stifled.

And then there are those who say people should be smart enough to protect themselves by being careful about what information they share online.

So who is right? They all are right.


Sale of Personal Data for Direct Marketing – How Many Tentacles Can an Octopus Have?

This post was provided by Gabriela Kennedy and Heidi Gleeson of Hogan Lovells' Hong Kong office.

The recent large scale sale of personal data by Hong Kong's Octopus Holdings Ltd. for the purposes of direct marketing is currently being investigated by the Hong Kong Privacy Commissioner and has prompted calls for reforms to the data protection regime.

The Octopus case

Octopus Holdings Ltd. operates the Octopus card, which is an electronic stored-value payment card used by Hong Kong residents for public transport, fast-food restaurants, parking, convenience stores and supermarkets. The cards may also be used as a student card or as an access card for residential apartments or office buildings.

In addition to the electronic payment facilities, Octopus Rewards Limited, a company which is wholly owned by Octopus Holdings Ltd. (referred to collectively as "Octopus"), operates a rewards program linked to the Octopus card, whereby card holders earn reward cash every time they make purchases with their Octopus cards at selected business partners (the "Rewards Program"). While the electronic payment facilities of the Octopus card may be used without registering and providing any personal data, card holders wishing to take advantage of the Rewards Program must first register with Octopus. Card holders are requested to supply a broad range of personal information on the registration form (some of which is required for the application to proceed), including name, identity card or passport number, gender, month and year of birth, contact details, marital status, education level, occupation, income and interests.

Octopus provided the personal information of almost 2 million card holders to six insurance companies for direct marketing over a four and a half year period, earning the company HK$44 million in revenue.

The application form for the Rewards Program was drafted in such a way as to give Octopus very broad rights to deal with the personal information of card holders. In signing the application form for the Rewards Program, card holders automatically consented to their personal data being disclosed to any third party (at Octopus's discretion) and used for direct marketing purposes. The only way that card holders were able to opt-out from their personal information being sent to third parties was to first sign the form (thereby consenting to the distribution and sale of their data to any third party), and later call Octopus to opt-out, a process which Octopus conceded would take approximately three days. The application form cross-referred to a separate set of terms and conditions relating to data protection/privacy, making it unlikely that the card holder would fully understand the scope of their consent prior to signing the form. Even if card holders understood that by signing the registration form they consented to their personal information being sold to third parties, it is likely that given the inconvenient and time consuming opt-out procedure, they would be reluctant to take the necessary steps to protect their personal information.

Investigation by the Privacy Commissioner

On 21 July 2010, the Privacy Commissioner ordered a formal enquiry into Octopus's practices to ascertain whether the collection and disclosure of card holders' personal data for direct marketing purposes was in contravention of the Personal Data (Privacy) Ordinance (the "Ordinance"). The Commissioner exercised his powers under the Ordinance to hold a hearing to summon witnesses to assist with the investigation.

The Privacy Commissioner is yet to issue the final report on the investigation. However, in response to the mounting public concern regarding the handling of personal data under the Rewards Program, on 30 July 2010 the Privacy Commissioner took the unusual step of issuing an interim report, containing his preliminary findings as well as interim recommendations to Octopus regarding its handling of personal data.

The Privacy Commissioner made 12 recommendations regarding Octopus's handling of personal data, including the following:

  • Card holders should be able to submit their applications for the Rewards Program using only their names and Octopus card numbers.
  • Consent to use personal data for direct marketing purposes should be expressly given and should not be deemed.
  • The parties to whom personal data may be transferred should be clearly identified.
  • Octopus should not disclose personal information other than name and contact information for direct marketing purposes, as any additional information is unnecessary and excessive.

The Privacy Commissioner is yet to issue a final determination on the matter. If Octopus is found to have breached the Ordinance it is likely to be because the scope of the information collected was arguably excessive for the purposes for which it was collected.

Calls for reform

As Octopus sold the personal information of almost 2 million people (almost a third of the population of Hong Kong) to third parties, the case received considerable publicity, generated debate in the media and led to calls for reform of the data protection regime in Hong Kong.

Hong Kong's Personal Data (Privacy) Ordinance is currently under review by the Government. A number of amendments have been proposed, partly in response to increasing public concern about the protection of personal data. The Government published a consultation document on 28 August 2009 inviting public comment on the proposed amendments to the Ordinance; the consultation period ended on 30 November 2009. The Government is yet to make any further announcements in relation to the reforms, but given the profound impact that the proposed changes may have on various sectors of the community and the recent furore over the Octopus case, it is expected that further changes may be introduced when the bill is made public.

Gabriela Kennedy (Partner) (gabriela.kennedy@hoganlovells.com) and Heidi Gleeson (Foreign Legal Assistant), Hogan Lovells, Hong Kong.

Forbes Interview Explores Current Hot Topics in Privacy

In this interview with Forbes, I share some perspectives on

(1) the prospects for an online privacy bill passing this year;

(2) some of the issues raised by the Rush privacy bill currently pending in Congress;

(3) the efficacy of FTC enforcement;

(4) the problems with the concept of a "Do Not Track" list, which has been proposed; and

(5) the need for reform of the Electronic Communications Privacy Act.

Carnegie Mellon Study Claims Thousands of Web Sites Misrepresent Privacy Settings

The Platform for Privacy Preferences Project, or P3P, is a World Wide Web Consortium standard under which a website publishes its privacy practices in machine-readable form so that a user's browser can compare them against the privacy preferences the user has set and act on the result, for example by rejecting the site's cookies. Websites that deploy P3P are supposed to describe their practices accurately; the browser does the rest. Heralded as a privacy-enhancing technology when the W3C recommended it in 2002, P3P has never caught on, and the vast majority of consumers don't use it.

Nevertheless, a just-released study by Pedro Giovanni Leon, Lorrie Faith Cranor, Aleecia M. McDonald and Robert McGuire of Carnegie Mellon CyLab has concluded that large numbers of websites are misrepresenting their P3P privacy practices, "thus misleading users and rendering privacy protection tools ineffective."  From the Abstract:

"Platform for Privacy Preferences (P3P) compact policies (CPs) are a collection of three-character and four-character tokens that summarize a website's privacy policy pertaining to cookies. User agents, including Microsoft's Internet Explorer (IE) web browser, use CPs to evaluate websites' data collection practices and allow, reject, or modify cookies based on sites' privacy practices. CPs can provide a technical means to enforce users' privacy preferences if CPs accurately reflect websites' practices. Through automated analysis we can identify CPs that are erroneous due to syntax errors or semantic conflicts. We collected CPs from 33,139 websites and detected errors in 11,176 of them, including 134 TRUSTe-certified websites and 21 of the top 100 most-visited sites. Our work identifies potentially misleading practices by web administrators, as well as common accidental mistakes. We found thousands of sites using identical invalid CPs that had been recommended as workarounds for IE cookie blocking. Other sites had CPs with typos in their tokens, or other errors. 98% of invalid CPs resulted in cookies remaining unblocked by IE under its default cookie settings. It appears that large numbers of websites that use CPs are misrepresenting their privacy practices, thus misleading users and rendering privacy protection tools ineffective. Unless regulators use their authority to take action against companies that provide erroneous machine-readable policies, users will be unable to rely on these policies."

Just as a recent University of California-Berkeley study about flash cookies and privacy prompted a series of lawsuits against Quantcast and Clearspring and users of their technology, there is speculation that the Carnegie Mellon study may inspire new lawsuits and investigations.  The websites using P3P compact policies are not without their defenses, however, so it remains to be seen whether the study serves as a sturdy "platform for plaintiffs' preferences."
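To make concrete what an erroneous compact policy looks like and why it slips past a browser, here is an added example (my code, not the CMU study's tooling or any browser's implementation) that validates the CP attribute of a P3P header against the P3P 1.0 compact-token vocabulary and then runs two simplified third-party-cookie decisions over it. The sample headers are constructed for this example, not taken from the study's data set; the structural rules (exactly one access token; unless NID is present, at least one purpose, recipient, retention and category token) are my reading of the P3P 1.0 specification; and the `cookie_blocked` rule (block when identifying data is shared with third parties without an opt-in or opt-out suffix) is a stand-in for a real user agent's policy, not IE's actual logic. The lenient mode skips tokens it does not recognise, which reproduces the mechanism behind the abstract's finding that invalid CPs left cookies unblocked: a nonsense policy declares nothing objectionable.

```python
"""Checker for P3P compact policies (CPs), the token strings carried in the HTTP P3P header.

Added example for this page; not code from the Carnegie Mellon study or from any browser.
The token vocabulary is P3P 1.0's compact-policy grammar; the structural rules and the
cookie decision are simplifications, flagged as assumptions in the comments.
"""
import re
from dataclasses import dataclass, field

# P3P 1.0 compact tokens, grouped by the element of the full policy they summarise.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES, REMEDIES, NON_IDENTIFIABLE, TEST = {"DSP"}, {"COR", "MON", "LAW"}, {"NID"}, {"TST"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM", "CNT", "STA",
            "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
NO_SUFFIX = {"CUR", "OUR"}   # the only purpose/recipient tokens that never take an a/i/o suffix
SUFFIXES = {"a", "i", "o"}   # always / opt-in / opt-out
CLASSES = [("access", ACCESS), ("disputes", DISPUTES), ("remedies", REMEDIES),
           ("non_identifiable", NON_IDENTIFIABLE), ("purpose", PURPOSE), ("recipient", RECIPIENT),
           ("retention", RETENTION), ("category", CATEGORY), ("test", TEST)]
CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')


def classify(token):
    """Return the token's class ('access', 'purpose', ...) or None if it is not a legal P3P 1.0 token."""
    base, suffix = token[:3], token[3:]
    if suffix and (suffix not in SUFFIXES or base in NO_SUFFIX):
        return None
    if suffix and base not in PURPOSE | RECIPIENT:
        return None                      # only purposes and recipients carry a/i/o suffixes
    for name, vocab in CLASSES:
        if base in vocab:
            return name
    return None


@dataclass
class Verdict:
    tokens: list
    errors: list = field(default_factory=list)

    @property
    def valid(self):
        return not self.errors


def validate_cp(header_value):
    """Syntax and structure check of one P3P header value, e.g. 'CP="CAO PSA OUR"'."""
    match = CP_RE.search(header_value)
    if not match:
        return Verdict([], ['no CP="..." attribute in header'])
    tokens = match.group(1).split()
    verdict = Verdict(tokens)
    found = {}
    for tok in tokens:
        cls = classify(tok)
        if cls is None:
            verdict.errors.append(f"unknown token {tok!r}")   # syntax error: typo, prose, made-up token
        else:
            found.setdefault(cls, []).append(tok)
    # Structural rules (assumption: my reading of P3P 1.0, check against the spec before relying on it):
    # exactly one access token; unless the data is declared non-identifiable (NID), the policy must say
    # what is collected (category), why (purpose), who receives it (recipient) and how long it is kept.
    n_access = len(found.get("access", []))
    if n_access != 1:
        verdict.errors.append(f"expected exactly one access token, found {n_access}")
    if "non_identifiable" not in found:
        for required in ("purpose", "recipient", "retention", "category"):
            if required not in found:
                verdict.errors.append(f"missing {required} token")
    return verdict


PII_CATEGORIES = {"PHY", "ONL", "GOV", "FIN"}        # categories that identify a person
THIRD_PARTIES = {"DEL", "SAM", "UNR", "PUB", "OTR"}  # recipients other than the site itself


def cookie_blocked(header_value, strict):
    """Simplified third-party-cookie decision (assumption: not any real browser's rule set).

    strict=True treats an invalid CP like a missing one and blocks. strict=False skips tokens it does
    not recognise and judges only the rest, which is the failure mode the study describes: a garbled
    or nonsensical CP declares nothing objectionable, so the cookie goes through.
    """
    verdict = validate_cp(header_value)
    if not verdict.tokens or (strict and not verdict.valid):
        return True
    known = [t for t in verdict.tokens if classify(t) is not None]
    identifies = any(t in PII_CATEGORIES for t in known)
    shares_without_choice = any(t[:3] in THIRD_PARTIES and t[3:] not in {"i", "o"} for t in known)
    return identifies and shares_without_choice


# Constructed sample headers for this example (not drawn from the study's data).
SAMPLE_HEADERS = {
    "complete":   'CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"',
    "workaround": 'CP="CAO PSA OUR"',                      # stub of the kind passed around as a fix: too short to be valid
    "typo":       'CP="NOI DSP COR NID ADMa OPTa OUR NOR"',  # OPTa is a mistyped OTPa
    "prose":      'CP="This is not a P3P policy"',           # an English sentence where tokens belong
    "leaky":      'CP="ALL DSP COR CUR ADMa OUR UNRa NOR PHY ONL"',  # well-formed, and shares PII with unrelated parties
}


def audit(headers=SAMPLE_HEADERS):
    """Run every header through the validator and both cookie decisions."""
    out = {}
    for name, value in headers.items():
        verdict = validate_cp(value)
        out[name] = {"valid": verdict.valid, "errors": verdict.errors,
                     "blocked_strict": cookie_blocked(value, strict=True),
                     "blocked_lenient": cookie_blocked(value, strict=False)}
    return out


if __name__ == "__main__":
    for name, r in audit().items():
        print(f"{name:>10}: valid={r['valid']!s:<5} strict_block={r['blocked_strict']!s:<5} "
              f"lenient_block={r['blocked_lenient']!s:<5} {'; '.join(r['errors'])}")
```

Run it and the `workaround`, `typo` and `prose` headers all fail validation yet pass the lenient decision, while the strict decision blocks them; the `leaky` header is perfectly well-formed and is blocked in both modes. That is the practical lesson: syntax validation and policy evaluation are separate checks, and a user agent that performs only the second on unvalidated input can be talked around with gibberish.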

Supreme Court Rejects Privacy Claim for Referendum Petition Signers

The Supreme Court has ruled in Doe v. Reed  that the names of people who signed petitions in an attempt to overturn a law providing expanded rights for same-sex couples in the State of Washington must be made public.  In this 8-1 decision, in which the Chief Justice delivered the opinion of the Court, with Justice Thomas dissenting, the Court rejected the Petitioners'  First Amendment argument that signing petitions to obtain a referendum is constitutionally protected political speech which requires anonymity.

A group called Protect Marriage Washington sought to shield the names of the 138,000 people who signed petitions to obtain a Referendum on what they labeled the "everything but marriage" same-sex domestic partner law.  In November, voters in the State of  Washington upheld the new statute through the referendum.   The Petitioners argued that publication of the names would subject the people who signed the referendum to potential harassment.  The State argued that there were laws in place to protect people who might be threatened and that Open Government required transparency regarding who was behind a proposed change in state law.

On October 9, 2009, the United States Court of Appeals for the Ninth Circuit reversed a Seattle federal district court ruling that had shielded the petition signers' identities, finding that signing a petition in public is not an anonymous act: other signers can see the names, and government officials verify them.  The Supreme Court stayed that Ninth Circuit ruling pending its review.

Today's ruling rejected  the Petitioners' broad challenge to the Washington statute under the First Amendment but left open the possibility of a successful challenge to the law "as applied" if specific facts warrant, an issue that may be pursued in the district court. 

The case has potential significance not just for the transparency of the referendum process, but also for other "open government" laws, such as those requiring disclosure of who contributes to political campaigns.

New FCC Proceeding Seeks Comment on Potential Exemptions to Telemarketing, Autodialer, and Prerecorded Message Restrictions

The Federal Communications Commission (FCC) issued a Public Notice seeking comment on a Petition for Expedited Clarification and Declaratory Ruling (Petition) filed by Global Tel*Link Corporation (Global Tel) regarding its outbound calling practices.  The Petition raises several key issues under the Telephone Consumer Protection Act (TCPA) and related FCC rules, including whether certain calls (e.g., non-telemarketing calls) should be exempt from some of the TCPA’s restrictions on the use of prerecorded messages and autodialers.  Given the broad applicability of the TCPA and the FCC’s rules, this new proceeding could affect any company that places calls using prerecorded messages or autodialers.

The TCPA and the FCC’s rules prohibit, among other things, the use of automatic telephone dialing systems (“autodialers”) or artificial or prerecorded messages when calling, inter alia, telephone numbers assigned to wireless services, absent an emergency or the “prior express consent” of the called party.  Of note, the restriction against placing these calls to mobile phones without prior express consent applies regardless of whether the call is a “telemarketing” call.  The TCPA and the FCC’s rules also make it unlawful to place a non-emergency telephone call to a residential line “using an artificial or prerecorded voice” without the recipient’s “prior express consent” (although there are some exceptions).   

As described in the Petition, Global Tel provides outbound calling services for prison inmates.  For certain outbound calls (e.g., some calls from inmates to mobile phone numbers), Global Tel sets up a billing arrangement with the called party before connecting the called party to the inmate.  For example, when the inmate places a call, Global Tel initiates an “automated interactive voice response notification” to:

  • inform the called party that an inmate is trying to make contact;
  • get consent for the call; and
  • establish the billing arrangement. 

Global Tel then puts the call through. 

Concerned that these inmate calls could expose the company to liability under the TCPA and the FCC’s rules, Global Tel has asked the FCC to exempt the calls from TCPA enforcement.  For example, Global Tel argues that the calls to landline phones serve no commercial purpose, are not an unsolicited advertisement, and include an opt-out mechanism so that called parties can avoid future calls.  Regarding calls to mobile telephone numbers, Global Tel argues, among other things, that it can be presumed that the inmate has dialed a cell phone number because that is the number at which the called party wishes to be reached.  Moreover, the called party may have only a wireless phone (and not a landline phone).  Separately, Global Tel argues that its calls do not involve the use of an autodialer or predictive dialer.

Although the Petition is focused on Global Tel’s situation, the FCC’s decision in this proceeding could affect many companies that rely on the use of prerecorded messages or autodialers as part of their communications strategy.  Nonetheless, the FCC has established a very short comment period for this item – comments will be due just 15 days after the item appears in the Federal Register, and replies are due 25 days after the item appears in the Federal Register.

New UK government website for public access to official data

The UK government has announced plans to launch a new website, www.data.gov.uk, which will give the public access to official data, and has enlisted the inventor of the web, Sir Tim Berners-Lee, to assist.  The site aims to improve transparency and will be similar to the US site data.gov, which already includes information from the US Department of Defense and NASA.

The plan, initiated by PM Gordon Brown last year, is to develop a website for the public to find information and to make reports to public service providers, including traffic and crime statistics.  In addition, various applications will be available to enable users to discover details of planning applications (in PlanningAlerts), or report potholes (in FillThatHole).

So far the site has been in test mode, for developers to try out its features and provide feedback.  Once it is live, the hope is that the public will benefit from having the information and services in one place and will see it as an alternative to requesting disclosure under the Freedom of Information Act, as BBC News reports (http://news.bbc.co.uk/1/hi/technology/8470797.stm).

CMS and ONC Issue Regulations Proposing "Meaningful Use" Definition, Setting EHR Certification Standards

Today the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) released two regulations relating to the Medicare and Medicaid incentives authorized by the American Recovery and Reinvestment Act of 2009 (ARRA).  Both rules have public comment periods of 60 days and are scheduled to be published in the Federal Register on January 13, 2010.  Final rules are expected to be issued in the spring of 2010.

EHR Incentives for “Meaningful Use”

The CMS Proposed Rule defines the criteria for “meaningful use” of certified electronic health record (EHR) technology. “Eligible professionals” (EPs) and hospitals that meet these criteria will be eligible for incentive payments beginning in 2011.

CMS proposes to phase in meaningful use criteria in three stages. The Proposed Rule focuses on the Stage 1 criteria, and CMS plans to propose Stage 2 and Stage 3 criteria in future rulemaking, with a goal of issuing proposed Stage 2 standards by the end of 2011 and proposed Stage 3 standards by the end of 2013. 

For Stage 1, which begins in 2011, CMS has proposed 25 objectives, or measures, for EPs and 23 objectives for eligible hospitals, all of which must be met in order for a provider to be deemed a meaningful EHR user.

Standards, Implementation and Certification Criteria

The ONC Interim Final Rule sets forth initial standards, implementation specifications and certification criteria for EHR technology.  These provisions specify the capabilities and related standards that certified EHR technology must include in order to support the proposed Stage 1 requirements for meaningful use.  This Rule goes into effect 30 days after publication in the Federal Register.

According to ONC, the standards set forth in the Rule “rely heavily on existing standards for the interoperability of health information technologies, including those established and/or promoted by Health Level 7 (HL7), the National Institute of Standards and Technology (NIST) and Integrating the Healthcare Enterprise (IHE).”  The standards, which fall into the categories of vocabulary, content exchange, transport and privacy/security, also rely upon classification and nomenclature systems such as SNOMED CT, ICD-9 and 10, X12, LOINC, NCPDP and RxNorm. 

ONC will issue a separate Notice of Proposed Rulemaking relating to the testing and certification process for EHRs and EHR Modules in early 2010. 

FTC Announces COPPA Enforcement Action

On October 20, 2009, the FTC announced a settlement with Iconix Brand Group, Inc., pursuant to which Iconix will pay a $250,000 penalty to settle the FTC’s charges that it violated the Children’s Online Privacy Protection Act (COPPA) and the COPPA Rule by knowingly collecting, using, and disclosing personal information from children online without first obtaining their parents’ consent.

Iconix, which owns, licenses, and markets several popular apparel brands, including Mudd, Candie’s, Bongo, and OP, required consumers on many of its websites to provide personal information, including full name, email address, mailing address, and phone number, in order to receive brand updates, enter sweepstakes, and participate in other website features.  According to the FTC, one of the websites allowed consumers to share photos and personal stories online.  In connection with the collection of personal information, the websites required that consumers provide their date of birth. 

The FTC alleged that since 2006, Iconix knowingly collected, maintained, and/or disclosed personal information of approximately 1,000 children under the age of 13 without first notifying their parents or obtaining parental consent, in violation of COPPA.  Additionally, the FTC alleged that Iconix’s statements in its online privacy policy that it would not seek to collect personal information from children under 13 without prior parental consent and that it would delete any such information about which it became aware, were misrepresentations, constituting deceptive acts or practices in violation of Section 5 of the FTC Act.

The settlement order requires Iconix to pay a $250,000 civil penalty, delete all personal information collected and maintained in violation of COPPA, and comply with certain consumer education, record-keeping, and reporting requirements.

Interestingly, this appears to be a fairly large settlement amount for a relatively small number of children whose information was allegedly collected in violation of COPPA.  Previous recent FTC COPPA settlements include the 2008 Sony BMG Music settlement, which involved a $1 million civil penalty and the collection of personal information from over 30,000 children; the 2008 imbee.com settlement, involving a $130,000 civil penalty and the collection of personal information from 10,500 children; and the 2006 Xanga.com settlement, which imposed a $1 million civil penalty and involved the collection of personal information from 1.7 million children.

Ethics and Privacy

I was honored to be invited to speak at the IBM IT Services Legal Summit today in New York City on the topic of ethics and privacy.  As a launching pad for my discussion of privacy ethics, I used the episode from earlier in the year involving Justice Scalia and Fordham University Professor Joel Reidenberg, whose privacy law class created a "digital dossier" on the Justice and his family using publicly available online information.

It seems unlikely that there are workable ethical guidelines to restrict access to and use of publicly available information on the Internet.  If information is on the Internet, searchable through Google, it is unlikely society can set new norms to restrict access. 

[P]ending a societal change in the ethics of what we do with information we can access online, what can be done?

Well, one place to start is at the input side of things. Before people reveal information about themselves or allow data to be collected about them, since it appears to be fair game once it is collected, what is the ethical duty to put people on notice on the collection side? 

I said that the duty, in which privacy lawyers play an important role, is to provide clear, easy-to-access notice to consumers before data is collected, referencing the recent Sears case at the FTC and the ongoing debate about behavioral advertising.

A copy of my prepared remarks is available here

Eye-Spy: CCTV on the Internet

It sounds like an ‘April fool,’ but the story this week that people can sign up to a new internet game where they spot crimes on CCTV cameras posted in Britain and earn points for doing so might actually be true.  Both the Daily Mail and the Guardian’s online news pages featured stories about this bizarre game, which may be launched in November 2009 following a trial in Stratford-upon-Avon.

Customers have the opportunity to sign up to the service and have their CCTV monitored by the public in return for a fee.  Footage from the camera would be streamed on to a website to be used in the game.  Shopkeepers are an obvious target market for the service, but the police, local authorities and home owners may also be encouraged to sign up.

According to press releases, the service provider ‘Internet Eyes,’ offers users (players of the game) the chance to “earn reward money, have a chance at reducing crime, potentially become a hero and save lives.”  Users would compete to earn up to £1,000 per month, collecting points for viewing live CCTV footage and pressing a button whenever they see any suspicious activity.  If and when a crime is suspected, these alerts will be sent, by SMS, to the customer, in real-time, allowing them to take immediate action, or no action, as they wish.  Apparently it is possible to lose points for a false alarm and a ‘3 strikes and you’re out’ rule will apply.

The website also promises to feature a so-called ‘rogue’s gallery’ of ‘criminals,’ with details of their offenses and details of the user responsible for spotting them.

Internet Eyes says its service aims to reduce crime, but civil liberties campaigners and the assistant information commissioner have their doubts about the legality of the idea itself.  Disclosing images of identifiable individuals on the internet for entertainment raises serious issues under the Data Protection Act and the Human Rights Act.  The Guardian reports that the ICO will be ‘talking to’ Internet Eyes shortly.  Watch this space!

FTC to Host Public Discussions on the Future of Privacy

The Federal Trade Commission has just announced that it will host a series of day-long public roundtable discussions on the East and West Coasts "to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data."  The first roundtable discussion will occur on December 7th at the FTC Conference Center in Washington.

It has been widely reported that the FTC is examining new ways to think about privacy, and these discussions will further that examination.

As the Commission explained the focus of the first roundtable:

Such [technology and business] practices [to be examined] include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation.

The initial questions the FTC has presented for comment at the first workshop are:

  1. What risks, concerns, and benefits arise from the collection, sharing, and use of consumer information?  For example, consider the risks and/or benefits of information practices in the following contexts: retail or other commercial environments involving a direct consumer-business relationship; data broker and other business-to-business environments involving no direct consumer relationship; platform environments involving information sharing with third party application developers; the mobile environment; social networking sites; behavioral advertising; cloud computing services; services that collect sensitive data, such as information about adolescents or children, financial or health information, or location data; and any other contexts you wish to address.
     
  2. Are there commonly understood or recognized consumer expectations about how information concerning consumers is collected and used? Do consumers have certain general expectations about the collection and use of their information when they browse the Internet, participate in social networking services, obtain products from retailers both online and offline, or use mobile communications devices? Is there empirical data that allows us reliably to measure any such consumer expectations?  How determinative should consumer expectations be in developing policies about privacy?
     
  3. Do the existing legal requirements and self-regulatory regimes in the United States today adequately protect consumer privacy interests? If not, what are the particular privacy interests that warrant increased protection? How have changes in technology, and in the way consumer data is collected, stored, and shared, affected consumer privacy? What are the costs, benefits, and feasibility of technological innovations, such as browser-based controls, that enable consumers to exercise control over information collection? How might increased privacy protections affect technological innovation?

The FTC has explained that individuals and organizations may submit requests to participate as panelists in the December discussion and may recommend topics for inclusion on the agenda. Requests and recommendations should be directed to privacyroundtable@ftc.gov.  More details can be found here.