Firm Privacy Leader Testifies in US Senate on Video Privacy

Chris Wolf, co-chair of the Hogan Lovells Privacy and Information Management Practice, today testified before the United States Senate Judiciary Subcommittee on Privacy, Technology and the Law at a hearing on “The Video Privacy Protection Act: Protecting Viewer Privacy in the 21st Century.” His spoken testimony follows, and a copy of his written testimony is available here.

 

Chairman Franken, Ranking Member Coburn, and distinguished members of the Subcommittee. Thank you for the opportunity to testify today.

My name is Christopher Wolf and I am a privacy lawyer at Hogan Lovells, where I lead that firm’s global privacy practice. I am also a privacy advocate. As part of my pro bono work, I won a leading case against the government for violating the Electronic Communications Privacy Act. I am part of a group advising the OECD on its privacy guidelines. I am on the EPIC Advisory Board. And I founded and co-chair the Future of Privacy Forum, a think tank with an Advisory Board from business, consumer advocacy, and academia, focused on practical ways to advance privacy. 

Fundamentally, privacy is about control. Indeed, a principal goal of privacy law is to put choices and decisions in the hands of informed consumers.


VIDEO: In Honor of Data Privacy Day, Hogan Lovells Privacy Lawyers Talk About the Year Ahead in Privacy

 Happy Data Privacy Day to all!

Privacy Torts in Canada and the International Convergence of Privacy Law

In a recent case, the Court of Appeal for Ontario, Canada recognized the privacy torts that are widely recognized in the United States. Many foreign common law jurisdictions, including the United Kingdom and other countries, have steadfastly refused to recognize the privacy torts spawned by the 1890 law review article by Samuel Warren and Louis Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890). These torts – intrusion upon seclusion, public disclosure of private facts, false light, and appropriation of name or likeness – are known collectively as “invasion of privacy.” In the case of Jones v. Tsige, 2012 ONCA 42 (Jan. 18, 2012), the Court of Appeal for Ontario finally recognized the US privacy tort of intrusion upon seclusion – intentionally intruding upon a person’s seclusion or solitude, or into his private affairs.


Noteworthy Data Privacy Day Program to be Live-Streamed on January 26

In honor of Data Privacy Day, the National Cyber Security Alliance and Facebook will present a live-streamed program on Thursday, January 26 at 9:30 a.m. ET at the George Washington University Law School. 

 

 

"The Intersection of Privacy & Security" will feature:

The Honorable Julie Brill, Commissioner, Federal Trade Commission

Rick Buck, Head of Privacy GSI, eBay

Erin Egan, Chief Privacy Officer, Policy, Facebook

David Hoffman, Director of Security Policy and Global Privacy Officer, Intel

Gerard Lewis, Vice President, Deputy General Counsel & Chief Privacy Officer, Comcast

Ari Schwartz, Senior Policy Advisor, Office of the Secretary, U.S. Department of Commerce

JoAnn C. Stonier, Global Privacy & Data Protection Officer, MasterCard Worldwide 

Bob Quinn, Senior Vice President-Federal Regulatory & Chief Privacy Officer, AT&T

 

Moderator: Christopher Wolf, Director, Hogan Lovells Privacy and Information Management practice; Founder/Co-Chair, Future of Privacy Forum

 

To RSVP for the event, please click here.

On the day of the event, you can view it live here.

Announcing Our New Hogan Lovells Privacy Partner Tim Tobin

We are delighted to announce that Tim Tobin, a key player in the Hogan Lovells Privacy and Information Management practice, has become a partner at our firm.

Tim Tobin’s entire professional career, even before law school, has had a privacy law focus. As an early practitioner in the relatively new field of privacy law, Tim has established himself as a "go-to guy" in the entire range of privacy law.  

Tim graduated from the George Mason University School of Law in May 2001 in the top 10% of his class, magna cum laude. Tim attended the evening program at George Mason law, working full time throughout law school. At law school, he was on the Law Review and served as Articles Editor of the Law Review. 

Tim had a professional career prior to, and during, law school. He worked at the U.S. Parole Commission within the U.S. Department of Justice, from 1992 to January 2000. It was in this government job that Tim first became familiar with, and handled, privacy issues relating to the Freedom of Information Act (FOIA), the Privacy Act, and similar issues relating to victim privacy and Government records.

Tim joined Hogan Lovells practice director Chris Wolf at their previous firm, after a stint at a communications law-focused firm, and he assisted in all manner of privacy and data security issues for clients.  At the previous firm,  Tim served as senior editor of a comprehensive legal treatise on privacy law published by the Practising Law Institute (PLI) that has been highly praised.  

Throughout his legal career, Tim has focused on a wide range of privacy and data security law matters. He provides compliance counselling to clients on the wide array of privacy and data security laws, and is deeply experienced in litigation, regulatory agency investigations, agency rulemaking processes, and public policy issues. Tim has worked with clients across a range of industries including those involved with the Internet, new media and communications as well as financial services, airlines, hotel, transportation, sports and entertainment, among many others.

Tim writes and speaks frequently on privacy law topics, including recently at the Los Angeles Auto Show on the topic of new automobile technologies and privacy.  He is the Smart Grid expert for the Future of Privacy Forum, and he leads the firm's pro bono efforts in a new privacy pro bono initiative spearheaded by IBM and the IAPP.

Tim has distinguished himself by his prodigious work ethic, his comprehensive knowledge of privacy law which he translates into thorough and practical advice for clients, and for his strategic insights on contested matters.  He also is known as a really nice guy.

We are delighted to announce his advancement to partner.

 

For Auld Lang Syne: US President Recognizes "Privacy as a Cardinal Principle of American Liberty"

The year was 1974.

Happy new year to the readers of the Hogan Lovells Chronicle of Data Protection!

Invitation to January 12 Event for Bay Area Readers of the HL Chronicle of Data Protection

We are pleased to invite Bay Area readers of the Hogan Lovells Chronicle of Data Protection to a morning event in Palo Alto on January 12, 2012, "Privacy and Information Management:  A Global Perspective on What Businesses Should Expect in 2012."

Change is in the air for privacy law and regulation worldwide. The privacy practice at Hogan Lovells spans the globe across our 40 offices in the United States, Europe, Latin America, the Middle East, and Asia. This program will reflect the perspectives of the lawyers in our worldwide privacy practice, and will present the viewpoints of U.S. leaders from the Federal Trade Commission, a prominent technology-focused NGO, and academia, as we take a look back at privacy law developments in 2011 and take stock of the expected developments and focus on privacy law in 2012.

The program will feature FTC Commissioner Julie Brill, Jim Dempsey from the Center for Democracy and Technology and Ryan Calo from the Stanford Law School Center for Internet and Society.  It will be moderated by Hogan Lovells Privacy and Information Management practice directors Marcy Wilder and Chris Wolf.

 

If you would like an invitation to register for this event, please contact justin.portaz@hoganlovells.com

IAPP Europe Data Protection Congress, Paris - Day 2 - Summary of Peter Hustinx' keynote address

On the second day of the IAPP Europe Data Protection Congress held in Paris, France, the keynote speech was given by Peter Hustinx, the European Data Protection Supervisor.

In his address, Mr. Hustinx offered an opinion on where he thinks the revision of the European data protection framework is headed. Basing his remarks on a Stanford Law review article, "Privacy in the books and privacy on the ground," he advocated the revision of the European data protection framework which would provide innovative and efficient means to deliver privacy on the ground, by empowering data subjects and data protection authorities, as well as providing greater legal certainty for data controllers.


Live Blogging from the IAPP Privacy Congress in Paris

Barbara Bennett, Stefan Schuppert, Winston Maxwell, Lionel De Souza and I are the Hogan Lovells lawyers participating in the IAPP Privacy Congress in Paris. I am moderating and participating in sessions on cloud computing with Bojana Bellamy of Accenture, and a panel on convergence with Lord Richard Allan of Facebook and Wendi Lozada-Smith of AT&T. This entry contains a live blog from the opening session.

The Privacy Congress comes on the eve of the European Commission's proposal for revision of the EU privacy framework and the anticipated release of the Department of Commerce White Paper and FTC Report on privacy.  So the future of privacy law is very much in focus.

The Chair of the Dutch Data Protection Authority and Chair of the Article 29 Working Party, Jacob Kohnstamm, is the opening speaker.

The patchwork of laws across Europe requires a region-wide regulation to provide a level playing field and uniformity.  This should  be the focus of the upcoming proposal for revision from the European Commission of the legal framework.

The present norms, which are technologically neutral, should persist and be strengthened.

Given the increasing cross-border context of issues, the Article 29 Working Party will have to play a stronger role in interpretation and clarification. More frequent guidance on issues such as the definitions of "personal data" and "consent" will be needed, while still recognizing the independence of national Data Protection Authorities. Powers of DPAs need to be harmonized and strengthened, including the ability to enjoin data processing and to levy fines. Up to now, there have been no significant court judgments in terms of fines.

Article 29 Working Party needs a new name to reflect its true role and importance.

Data controllers need to ensure compliance and to demonstrate such compliance.  Privacy should be first step when launching new products and services, not the last step.  Privacy by Design and transparency are essential.

Companies should be able to seek guidance externally from privacy professionals just as they do with respect to competition law.

The Chairman went on to criticize Google, Facebook and the Online Behavioral Advertising industry for their interactions with DPAs and the Article 29 Working Party, and suggested that under the new regime, their conduct would have been different.

In the Q and A session, which became an especially lively exchange, Peter Fleischer of Google pointed out that changes to Google Buzz were made even before a letter of complaint from the Article 29 Working Party had been received.

The Chairman re-assured a questioner that innovation is taken into account along with privacy when the Article 29 Working Party considers regulation.  "We are paid to deal with privacy, however."

The main task of DPA is enforcement and not to sit with individual companies on what they should be doing, in an advisory capacity.

On the Global Privacy Enforcement Network (GPEN), the Chairman said the idea was for information sharing during enforcement actions. He observed that the national restrictions on information sharing have not produced as much cooperation as envisioned, but the Commissioners are committed to working together more across borders.

The second speaker is Viviane Reding, Vice-President of the European Commission, responsible for Justice, Fundamental Rights and Citizenship.

I will share some of the contents of the forthcoming European Commission recommendations on the revision of the Data Protection framework: Codes of practice such as Binding Corporate Rules are not explicitly foreseen in the current Directive but are recognized as a matter of practice by the Article 29 Working Party. One of the strengths of BCRs is legal certainty and flexibility. (Interesting that the primary focus here is on the BCR code of conduct concept, similar to the anticipated focus on codes of conduct by the US Department of Commerce in its White Paper.)

My reform plans for BCRs: Simplification -- Approval from each member state currently required, which is costly and an administrative burden. A waste of time and money, and sometimes detrimental to credibility and efficiency of DPAs. I propose that BCRs be based on EU law, with streamlined approval process and a single point of contact. Once approved by one DPA, no further approval needed. BCRs should be used by companies of any size, and should cover everything from paper-based filing system to cloud computing. Consistent Enforcement -- Enforcement should be possible by any DPA (unlike now where not all DPAs have enforcement power). DPAs and courts should be able to enforce. Innovation in Enforcement -- We need to encourage innovation in enforcement and embrace new technology. First, we need to consider geographical borders. Data controllers and subjects m realities. Data subjects, controllers and processors may be in different jurisdictions. BCRs should apply to all internal (inside the EU) and external (in the US, India, Asia and South America) processing. BCRs should apply both to data controllers and processors. This would extend to cloud computing.

BCRs will facilitate international interoperability.

We are in a time of difficult economic times and decisions. While bringing member states out of their debt crisis, we need to do everything to promote economic growth. I will do my utmost to ensure that data protection reform will both reinforce fundamental protection of individual rights and promote growth.

Ms. Reding did not take questions.

Full Length Video of Cloud Computing and Privacy Session Available Through This Entry

Hogan Lovells Privacy and Information Management practice leader Chris Wolf moderated a panel on cloud computing on Tuesday, November 15th in Washington, DC featuring government and industry leaders, as reported here.  A blog entry by Susie Adams, Chief Technology Officer of Microsoft Federal, containing a full-length video of the session is available by clicking here.

Complimentary 11/15/11 Lunchtime Event on Cloud Computing Hosted by Microsoft Moderated by Hogan Lovells Privacy Leader

Hogan Lovells Privacy and Information Management practice leader Chris Wolf will moderate a complimentary lunchtime panel on cloud computing on Tuesday, November 15th in Washington, DC featuring government and industry leaders.  Readers of the Hogan Lovells Chronicle of Data Protection are invited to attend and participate.

For a place at the event, please send an e-mail to the address below: dcrsvp@microsoft.com

Role of Government in Cybersecurity Addressed by Chris Wolf at Geneva ITU Meeting

The International Telecommunications Union (ITU) is the agency of the United Nations focused on information and communications technology. It currently is hosting the ITU Telecom World in Geneva, and invited Hogan Lovells' Chris Wolf, in his capacity as founder and co-chair of the Future of Privacy Forum, to submit a paper and participate in a panel on cybersecurity challenges.  

Chris' paper, entitled The Role of Government in Commercial Cybersecurity: Public-Private Partnerships and Improvements in Government Data Security Rather Than Government Control as the Optimal Model is available here.

And here is the text of Chris' prepared remarks for delivery today in Geneva:

Christopher Wolf’s Remarks at the ITU Telecom World,  Geneva, October 26, 2011

Thank you for inviting me to speak with you today.

ITU Telecom World 2011 here in Geneva has brought together heads of state, leaders of government and international organizations together with corporate CEOs, mayors of top cities, thought leaders, innovators and researchers. I am honored and humbled to be included among such an elite group.

And among the topics being explored here at the ITU gathering, perhaps none is as pressing as the issue of cybersecurity.  So I am especially pleased to be on this panel exploring that issue.

My part of this program, in contrast with the other presentations, has a truly “macro” focus: the role of government in achieving cybersecurity.

In the paper I prepared for this session, I observe that given the dramatic increase in cybersecurity incidents, some look to government to take control of the cybersecurity problem.   And in my paper, I have concluded that not only is government control not possible in most modern democracies, but it is not the best approach at all.

In my own country, the United States, there are restrictions on the government “taking charge” of the flow of information through network access, monitoring, and/or control, as well as the limitations of government technical capabilities.  As a result, US cybersecurity policy is collaborative, with the government working with industry to develop flexible standards rather than prescribing complex regulations. The result is a process-oriented, thematic approach to commercial cybersecurity that is more likely to produce optimal business practices.

Indeed, government control of cybersecurity is ill-advised even in non-democratic countries, such as China. I currently am examining the so-called MLPS proposals in China, which would require indigenous Chinese technology for cybersecurity, and am concluding that a restrictive and prescriptive approach to information security blocks the adoption of best available technology and practices.

After reviewing frameworks in the US, the EU and Asia, I have concluded that government’s principal role in protecting cyberspace is and should be through (1) law enforcement, (2) improvements to its own cybersecurity and sharing its research and experience with industry and the public, and (3) engaging in a public-private dialogue about cybersecurity through which it incorporates suggestions from industry into cybersecurity policy.


Invitation to Complimentary Webinar on SEC Cybersecurity Disclosure Guidance

On October 13th, the SEC's Division of Corporation Finance issued a Disclosure Guidance that urges public companies to evaluate their cybersecurity risks and, if material, to disclose those risks to investors.

On October 31st, Hogan Lovells will present a complimentary webinar exploring the impact of the Disclosure Guidance featuring senior lawyers in the Hogan Lovells Capital Markets and Privacy and Information Management practices, as well as a managing director of Stroz Friedberg LLC, a technology firm assisting clients with digital risks.

For more information, and to register, click here.

Since all businesses using the Internet are, to some degree, vulnerable to intrusions, what does the new guidance actually mean for public companies?  That question and these will be addressed in the webinar:

  • When does the risk of intrusion become material? 
  • What are the triggers for reporting?  
  • What assessments are required?  
  • Does every company suffering a data security breach have to report it to the SEC?   
  • What has to be reported?
  • How can the reporting company make public disclosure of cybersecurity risks in a way that will not make the company a target for attacks?
  • What is the best way for a company to wrap its arms around a cyberattack so it can make the appropriate disclosure?
  • What steps should a company take to ensure its disclosure is a fair, accurate, and timely description of the attack?

Readers of the Hogan Lovells Chronicle of Data Protection are invited to attend.

Proposed FAR rule would require privacy training for government contractors

On October 14, 2011, the Department of Defense (DOD), the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA) published a proposed rule that would amend the Federal Acquisition Regulation (FAR) to strengthen government contractor privacy training.

Specifically, the proposed rule would require the employees of federal government contractors who work with government records containing personally identifiable information to undergo privacy training on an annual basis. The purpose of this amendment to FAR would be to extend existing Privacy Act training requirements to the employees of government contractors who work with covered systems of records.

For complete details and analysis, see this Alert from the Hogan Lovells Government Contracts and Privacy and Information Management practices. 

"Privacy Papers for Policy Makers, Vol 2" Released Today

Today, the Future of Privacy Forum (FPF), a Washington-based privacy think tank founded and co-chaired by Hogan Lovells privacy practice director Chris Wolf, released the newest edition of its Privacy Papers for Policy Makers. This year’s compilation highlights leading privacy writings voted by the FPF Advisory Board to be most useful for policy makers on Capitol Hill and within federal agencies who are focusing on how to improve the protection of personal privacy.

The writings cover a wide array of topics, including recommendations on how to reform notice and choice to empower consumer control over the collection and use of their data, understanding and valuing the use of personally identifiable information, and explaining the benefits of “online obscurity.”

The 2011 Privacy Papers for Policy Makers are:

Accountability as the Basis for Regulating Privacy: Can Information Security Regulations Inform Privacy Policy? Mary J. Culnan

Against Notice Skepticism (Forthcoming, 87 Notre Dame Law Review – 2010) Ryan Calo

The Case for Online Obscurity Woodrow Hartzog and Frederic Stutzman

Dispelling the Myths Surrounding De-Identification: Anonymization Remains a Strong Tool for Protecting Privacy (Seen in the Canadian Law Review, Vol. 8, No. 9, August 2011) Dr. Ann Cavoukian and Khaled El Emam

The Failure of Online Social Network Privacy Settings Michelle Madejski, Maritza Johnson and Steven Bellovin

The PII Problem: Privacy and a New Concept of Personally Identifiable Information Paul M. Schwartz and Daniel J. Solove

Notable Mentions:

Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning Chris Hoofnagle, Mika Ayenson, Dietrich James Wambach, Ashkan Soltani and Nathan Good

Regulating Privacy by Design Ira S. Rubinstein

The feedback that FPF received from Capitol Hill and other federal agencies after publishing the first edition of this publication demonstrated it was an important resource for policymakers as they explored the myriad privacy issues confronting the public. With that in mind, it is expected that this year’s edition should enlighten leaders with the insights of prominent privacy scholars.

The works featured and digested were selected by members of the Advisory Board of the Future of Privacy Forum (scholars, privacy advocates and Chief Privacy Officers) based on criteria emphasizing clarity, practicality and overall utility. Two of the papers were selected by the chairpersons of the annual Privacy Law Scholars Conference (PLSC)  to receive the International Association of Privacy Professionals (IAPP) award for the best papers presented at the 2011 PLSC event in Berkeley, CA last June.

The authors of the papers will be honored at a Washington, D.C. reception tonight. 

Upcoming EU Cloud Strategy Announced: Application of Local Privacy Laws Remain an Issue, To Be Explored at IAPP Navigate on September 14

The European Commission’s Vice-President for a Digital Agenda, Neelie Kroes, earlier this week indicated that the EC is aiming for a 2012 Cloud strategy that reflects the EU focus on human rights. She has recruited former federal Chief Information Officer Vivek Kundra to be an adviser in the creation of the strategy.

As reported in the Washington Internet Daily, Kroes and Kundra were speaking at Salesforce.com’s Dreamforce conference in San Francisco where Kroes said that because "this is by definition a global issue," Europe should work with the U.S. and Asia in setting policy. But she also said that privacy and other human rights considerations are central to the way Europe approaches issues like this, "even if it's taking more time" to complete policymaking, "the human rights system ... is the basis of our democracy," Kroes is reported to have said.

In this connection, recall that Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, has proclaimed that an essential "pillar" of EU citizens' privacy rights is "protection regardless of location," which has obvious implications for the Cloud.

"[P]rotection regardless of data location" [] means that homogeneous privacy standards for European citizens should apply independently of the area of the world in which their data is being processed. They should apply whatever the geographical location of the service provider and whatever technical means used to provide the service. There should be no exceptions for third countries' service providers controlling our citizens' data. Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules.

(The EU also generally takes the position that its privacy laws cover nationals from countries outside the EU whose data is processed in the EU, but France's data protection authority, the CNIL recently exempted certain outsourcing services performed in France, a move followed by India with respect to its new privacy law, to the relief of companies performing outsourcing services in India.)

Presumably, Mr. Kundra's involvement in Vice-President Kroes's efforts to develop a Cloud strategy will help temper the rigid application of EU privacy laws to data stored in the Cloud.


Hogan Lovells Privacy Lawyers Go "West" to Take Stock of Ways to Better Serve Clients in Changing Times in Law and Regulation


 

On an uncharacteristically cool but bright and sunny late August day, yesterday Washington, D.C.-based lawyers in the Privacy and Information Management (PIM) practice traveled west one hour from DC to the Marriott Ranch in Hume, Virginia to take stock of current trends in privacy law and to discuss ways in which the practice can better serve its clients in the dynamic times ahead.  After a short trail ride on horseback, the group got down to business and spent the afternoon sitting on the porch of the Marshall  Manor House built in 1814 by James Marshall (the brother of then-Supreme Court Justice John Marshall).

In full-group and break-out interactive sessions, the PIM lawyers talked about how we can prepare clients for anticipated developments in privacy and information security law, including:

  • Increased Congressional focus, through proposed legislation and hearings, on online tracking, data security breaches, children’s privacy, and consumer control over the collection and use of personal data.
  • More enforcement actions from the FTC, HHS, in the states and through attempted class actions.
  • The broadening applicability of HIPAA to entities previously not covered and the applicability of “general” privacy rules to health-related entities.
  • Greater challenges for companies operating internationally given the proposed changes in the EU framework and increased regulatory enforcement abroad.
  • The further deployment of cloud computing and social media by businesses.
  • The demand, created in part by greater media attention, for heightened privacy and data security protections for consumer and employee data, and the threats to reputation and brand from inadequate attention.

The group came up with a framework for ways to better inform our clients of new developments, to share our learning and to collaborate with in-house privacy professionals and to continue to distinguish our privacy practice as one known for being able to handle the entire range of privacy and data security matters, including especially those involving cutting-edge and novel issues, and one that can provide global coverage on privacy matters by involving our colleagues across the firm’s 40 offices in 27 countries.

The late-Summer gathering "out West" energized the PIM group lawyers for a busy Fall ahead.

Bloomberg Law Features Televised Interview with Hogan Lovells Privacy Practice Director

Bloomberg Law conducted a video interview this week with Hogan Lovells Privacy and Information Management practice co-director Chris Wolf on current privacy law issues, ranging from how important privacy is to the continued growth of e-commerce, to EU-US relations, to Do Not Track, to the Right to be Forgotten. A link to the YouTube archived version of the interview is here.

Law 360 Publishes Interview with Hogan Lovells' Chris Wolf

Law 360, the daily online news source about the legal profession, has just published this interview with Chris Wolf, who along with Marcy Wilder, leads the Hogan Lovells Privacy and Information Management practice.  The wide-ranging interview includes Chris' views on current challenges in privacy law and reflections on his career.

Chris has a variety of public appearances coming up in September, including:

In October, Chris will present a paper on The Role of Government in Commercial Cybersecurity at ITU Telecom World in Geneva and will co-chair with Yuli Edelstein,  Israel's Minister of Public Affairs and the Diaspora, a hearing in London of the Internet Hate Speech Task Force of the Inter-Parliamentary Coalition for Combatting Anti-Semitism, whose members include privacy experts Jane Horvath from Google, Chuck Cosson from Microsoft and Professors Jeffrey Rosen and Danielle Citron.

Privacy Blog Content Now Available on Facebook, Twitter and Through Mobile Apps


Whether you keep up with breaking news through social media or always have your mobile device handy, now you can access the latest privacy and data protection news in your favorite way. On Facebook, visit our page at www.facebook.com/hldataprotection and click the “Like” button, or follow @HLPrivacy on Twitter, to receive notice of new blog posts and upcoming Hogan Lovells privacy events. And for on-the-go reading there’s also our mobile web app, which you can access from most tablets and mobile devices, including iPad, iPhone, and Droid, at http://mobapp.hoganlovells.com/privacy.  (This entry tells you how to create an icon for the mobile app on your iPhone.)
 

Our Privacy Blog Goes Mobile!

The Chronicle of Data Protection mobile web app is now available at http://mobapp.hoganlovells.com/privacy. The free app enables you to access the latest postings from this blog, on the go. The app can be accessed from most tablets and mobile devices, including iPad, iPhone, and Droid.

To create an icon for your iPhone or iPad, access the URL above through the Safari browser on your device.  Then click on the bottom toolbar "square with an arrow" icon (that is used to e-mail links) which will allow you to "Add to Home Page" and, voila, you have an icon for the HL Chronicle of Data Protection allowing you to access mobile-formatted content!

Of course, there is a mobile app specific privacy policy for our new app!

Enjoy.

The "Tony Awards of Privacy Law" Go to Hogan Lovells Privacy Team

The Tony Awards for the best in Broadway will be handed out in New York on Sunday.  This week, the "Tony Awards for Privacy Law" were handed out by Chambers, a leading guide to law firms and practices that conducts client surveys.  The performance of the Hogan Lovells privacy lawyers yielded the top ranking in Band 1, with the practice leaders also personally highly ranked.  Here are some editorial excerpts from Chambers:

The Hogan Lovells merger has strengthened the reach and capabilities of this group…

The team is widely praised for its expertise in state, federal and EU privacy laws and operates across a wide range of sectors including media and healthcare.

Christopher Wolf is widely regarded as an expert in the field. His practice revolves around data security breach notification, behavioral marketing and e-commerce. Clients describe him as “practical and knowledgeable. The advice he provides is always thoughtful and considered.”  

Marcy Wilder is a healthcare privacy specialist. She counsels clients on HIPAA and HITECH legislation compliance and is admired for her "pragmatic approach and great network of contacts." Both attorneys are based in Washington, DC.

Client quotes in the Chambers guide:

“From a client service perspective, this team is really outstanding.”  

“The team has an excellent understanding of the politics and PR issues surrounding privacy law.”

Last month, another law firm guide, Legal 500, also ranked the Hogan Lovells privacy law practice as a "first tier firm":

The [Hogan & Hartson] merger with Lovells has significantly extended the group’s global reach, creating the largest privacy practice in the US, which advises high-profile clients … on topical issues including behavioral advertising, the Smart Grid, health information privacy and security, and mobile applications.

Hogan Lovells US LLP’s privacy and information management practice group is led by the ‘smart, knowledgeable’ Christopher Wolf and healthcare privacy expert Marcy Wilder in Washington DC.

They ‘are always timely, have good industry knowledge and helpful contacts, and provide practical advice’.

The practice remains at the forefront of FTC enforcement work and privacy work, handling prominent FTC investigations.

Wolf represents leading privacy think tank the Future of Privacy forum, which is focused on emerging privacy challenges in FTC, FCC and NIST regulatory proceedings.

International data transfer privacy specialist Lynda Marshall is recommended.

The group maintains a market-leading position in healthcare-related privacy work, advising on HIPAA-related matters and the implications of the Health Information Technology for Economic and Clinical Health Act (HITECH) Act 2009, which addresses privacy and security concerns associated with the electronic transmission of health information. Wilder, who has ‘good contacts with regulators and helps manage incidents’.

The lawyers in the Hogan Lovells privacy practice appreciate the recognition, especially as it reflects client satisfaction with the work we do for them.  Having taken a moment to bask in the glow of the awards, now it is back to work!

 Photo courtesy of DigitalArt

Live Blogging from the eG8 in Paris: A Call for Global Cooperation on Privacy

My fellow Hogan Lovells Privacy and Information Management practice leader, Marcy Wilder, and I are delegates to the eG8 Forum in Paris, where later today I will be a speaker at the session on privacy.  CEOs of Google, Facebook, News Corporation and other Internet companies are participating in the Forum.  G8 Chair President Sarkozy hopes the eG8 Forum -- the prequel to the G8 gathering of world leaders starting tomorrow in Deauville, France -- will lead to greater international cooperation in Internet governance.  Skeptics fear that the Forum is a stalking horse for greater legal regulation of the Internet, as reported here. Nevertheless, the gathering has provided a remarkable opportunity for the sharing of ideas and perspectives on the future of the Internet. 

Here are my prepared remarks for the privacy session at the eG8 Forum:  

 

As the only privacy lawyer on today's panel, I appreciate the opportunity to share my perspectives.  As we all know, data is the raw material of our Information Age. But the scale and scope of data collection and use are accelerating in ways previously unimaginable. The Internet, mobile devices, and new forms of networked sensors are combining to produce more and more data that can be collected, analyzed, shared and stored. Thus, according to a new McKinsey study we heard about yesterday here at the eG8 Forum, we are entering the era of “big data,” the label for the vast and increasing amounts of digital information being produced every day. 

The potential of big data, according to McKinsey, is more efficient and competitive businesses, a stronger world economy and better-served consumers, including with better health care services. The experts at McKinsey are concerned however that before the end of the decade, there will not be enough trained personnel to analyze all of the data. 

They also note the issue of personal privacy, an issue underlying the growing concern about the amount of data being collected about our lives and used by businesses, often without our knowledge or consent. While not a focus of the McKinsey study on big data, the world leaders gathering soon in Deauville, France for the annual G8 Summit will be considering the issue of privacy as they address the agenda item on how best to advance the Internet. Presumably, they understand – as a US Commerce Department report recently noted – that if privacy concerns increase, trust in the Internet will decrease, creating an economic drag on the Internet’s potential.

The G8 leaders will be informed by our work.  And I hope our discussion of Internet privacy will not divide on geographic lines, with representatives from the EU, which has an omnibus privacy law, expressing disdain for the American targeted approach to privacy protection, and those with a US orientation complaining about over-regulation of privacy.  If that is how the discussion evolves, that will be too bad, for there is greater need than ever for global strategies to protect privacy, and countries on both sides of the Atlantic have much to learn from each other.  

To be sure, the regional approaches to privacy protection differ even as we share a commitment to the OECD’s Fair Information Practice Principles. In the EU, the Data Protection Directive, implemented through national legislation, is an across-the-board regulation of personal data that places strict limits on the collection, use and retention of personal information. The US, by contrast, has chosen to legislate at the federal level with respect to sensitive data such as health, financial and children’s data, and to target enforcement on privacy violations through the regulatory powers of the Federal Trade Commission and state attorneys general. A number of states have stepped in, too, to regulate the collection, use and security of personal data. Nearly all of the states have data security breach notification laws to inform people when their personal data is at risk.

Privacy self-regulation by businesses and industry groups also is an American tradition, as more and more companies recognize that violations of privacy tarnish brands and alienate consumers. As the privacy think tank I founded and co-chair, the Future of Privacy Forum, has noted, the recent initiative by industry to empower consumers to stop online tracking of their web activities by advertisers is an example of self-regulatory effort to protect privacy.

While the American approach to privacy may be untidy, in contrast to an omnibus law, a recent Berkeley study concluded that the combination of laws and increased attention by business to the importance of privacy has led to a notably more privacy-protective environment than existed in the 1990’s. And there is recognition in the US that more has to be done to protect privacy. A report from the Federal Trade Commission will be finalized soon on new approaches to privacy protection and legislators on Capitol Hill are focusing on privacy as never before.

Still, the EU takes the position that the US lacks “adequate protection” for the personal data of EU citizens and thus bans the cross-border transfer of such data to the US unless special legal undertakings are made by US businesses to receive the data.

In the US, with our First Amendment traditions, we have trouble understanding the justification for certain EU legal actions in the name of privacy, such as "super injunctions" preventing "tweets" naming litigants in civil actions, and enforcement of the so-called “right to be forgotten” against a search engine merely for linking to an unflattering article about someone on the Web. Nor do we understand how a Google executive can be convicted criminally for a random posting by a YouTube user that was said to violate personal privacy.

Despite these differences, there is an emerging consensus on both sides of the Atlantic that people are entitled to greater privacy protections. There is much that can be done cooperatively to advance such protections, like cooperation in cross-border enforcement against multi-national privacy violators, and the adoption of “Privacy by Design” as a standard to be followed by businesses at every stage in the development of new technologies.

In the era of big data, privacy is too important to be overshadowed by claims of legal framework superiority. The eG8 and G8 are good places to sound the chord of cooperation in the advancement of personal privacy.   

I am pleased to be part of the discussion.

 

New York Times Stirs Debate over EU vs. US Privacy Commitment

Last week, the New York Times published an article entitled "Europe Leads in Pushing for Privacy of User Data," which observed:

As pressure grows for technology companies like Apple and Google to adjust how their phones and devices gather data, Europe seems to be where the new rules are being determined.

After detailing some of the recent activities of Data Protection Authorities in the EU concerning location privacy, the article criticized the US framework:

In the United States, there is no single agency dedicated to privacy, and while the Federal Trade Commission and the Federal Communications Commission can deal with violations of privacy, those agencies are mainly focused on enforcing fair business practices.

In response, Christopher Wolf, Co-Director of the Hogan Lovells Privacy and Information Management practice, wrote a Letter to the Editor, which was published today by the New York Times. Chris said that last week's article "leaves the impression that privacy is less of a policy concern in the United States than it is in the European Union." He went on to respond:

There has also been an intense focus on protection of consumer data on Capitol Hill, in the agencies and in the media.  Privacy is just as much an American concern as it is a European one.  Our approach to how best to achieve privacy for personal data may differ from that of our European colleagues, but our commitment is equal.

Chris also cited the recent Bamberger/Mulligan study, "Privacy on the Books and on the Ground" in support of the proposition that privacy protection is robust in the United States: 

A recent study by two professors at the University of California at Berkeley presented a different picture [than that in the Times article].  The combination of aggressive privacy and data security enforcement by the Federal Trade Commission, the existence of data security breach notification laws across the country and the appointment of chief privacy officers in many institutions have led to a much stronger American privacy framework than ever before.


Bisnow Washington Program Moderated by Hogan Lovells Features Prominent Privacy Players

Bisnow, the well-known publisher of industry-specific newsletters and presenter of conferences, is hosting a program on Consumer Data Privacy in Washington, DC on the morning of  Tuesday, April 26th at the Capital Hilton Hotel.  The program is sponsored by Hogan Lovells and will be moderated by the Directors of the Hogan Lovells Privacy and Information Management Group, Marcy Wilder and Chris Wolf, and will feature:

Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection, Federal Trade Commission

Jane Horvath, Global Privacy Counsel, Google

Hooman Radfar, CEO, Clearspring

Robert Quinn, Senior Vice-President/Regulatory and Chief Privacy Officer, AT&T

Stuart Pratt, President and CEO, Consumer Data Industry Association

Justin Brookman, Director, Project on Consumer Privacy, Center for Democracy and Technology

For those in the Washington area interested in attending, click here.  Given the legislative and regulatory activity going on in Washington these days, the program is sure to be informative and thought-provoking.

 

 

A Nice Recap from Fran Maier of Yesterday's Senate Hearing on Privacy

Our friend Fran Maier, President of TRUSTe, provided this insightful report on yesterday's privacy hearing before the Senate Commerce Committee that I attended, and she graciously has agreed to allow us to reprint it here:  (Thanks, Fran!)

While I couldn’t be in Washington, D.C. today for the Senate Commerce Committee’s hearing on “The State of Online Consumer Privacy” (copies of hearing testimony here), I’ve been able to check in with a wide range of attendees and get perhaps more of a bird’s eye view.

Key themes:

It’s all about Trust: Every panelist talked about the importance of trust to continue to reap the benefits of the Internet.

Group M’s John Montgomery: “We want to build consumer trust in the online experience, and therefore we believe that consumers should be able to choose whether and how their data is collected or used for online behavioral advertising”

Importance of Innovation

Intuit CPO Barbara Lawler: “As we enter this important discussion, it is necessary to further emphasize the importance of both respect for the consumer participation and control of information and the value and benefit of continued innovation, in particular where the future of economic growth is going—data driven innovation. The key to our success and to ensuring balance among these interests is earning the customers trust.”

Evolving definition of privacy

Microsoft’s Erich Andersen: “In the digital era, privacy is no longer about being ‘let alone.’ Privacy is about knowing what data is being collected and what is happening to it, having choices about how it is collected and used, and being confident that it is secure.” Note: I’d add “accountability” to the list too.

Technology + Policy + Self Regulation

Ashkan Soltani (researcher): “To be effective, privacy protections for consumers online will likely require both a technical and policy component, working in tandem, and I believe these discussions here today are a great step in making that union a reality.”

Consumer Privacy Bill of Rights in legislation, including incentives for Safe Harbors and Self-Regulation

Committee Chairman Rockefeller: “There is an online privacy war going on, and without help, consumers will lose. We must act to give Americans the basic online privacy protections they deserve.”

A few things to ponder:

  • Do our legislators have broad understanding that privacy issues are not only online?
  • Do they understand that privacy issues are abundant beyond behavioral advertising?
  • Is industry ready to embrace self regulatory programs, such as TRUSTe’s, to balance potential legislation?
  • Will consumers step up and make the choices that we are all committed to providing?
  • Finally, how can we ensure that the combo of Legislation + Co or Self Regulation and Technology meets the bar for better privacy?

You can watch a video recording of the hearing here.

Breaking News: Obama Administration to Support Baseline Privacy Law

A highly-placed official in the Obama Administration has confirmed that in testimony to be delivered tomorrow before the Senate Commerce Committee, Larry Strickling, Assistant Secretary in the U.S. Department of Commerce, will announce that the Administration supports baseline privacy legislation that will set broad privacy protections consistent with the Department's recently issued Green Paper, but not detailed prescriptions. The legislative concept supported by the Obama Administration would have the Commerce Department working with stakeholders to develop Codes of Conduct enforceable by the Federal Trade Commission, that would also create a "Safe Harbor" (the contours of which are unspecified). The proposed framework is intended to promote interoperability with foreign frameworks, perhaps leading to a recognition by the EU of the US privacy law as providing adequate protection.

This is the first time the Administration has expressed support for a federal privacy law.

 

 

ABA's Lawsuit Challenging Applicability of "Red Flags Rule" to Attorneys is Dismissed as Moot

The D.C. Circuit Court of Appeals has dismissed as moot a lawsuit challenging the applicability to lawyers of the "Red Flags Rule," which requires financial institutions and creditors to implement identity theft prevention programs. The organized Bar had challenged the applicability of the Rule to lawyers and had won in the lower court. Since the Red Flag Clarification Act recently passed by Congress would exempt most lawyers from coverage under the Rule, the Court found that litigation no longer is necessary or appropriate.

By way of background, the Red Flags Rule was promulgated by the Federal Trade Commission ("FTC") and the federal banking agencies pursuant to the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"). Under the Rule, a "creditor" -- which was defined broadly to include any business that accepts deferred payment for goods or services -- must establish a written identity theft prevention program if it offers certain types of consumer accounts. In April 2009, the FTC issued an Extended Enforcement Policy stating that "professionals, such as lawyers or health care providers, who bill their clients after services are rendered" would be considered creditors subject to the Rule. The American Bar Association ("ABA") sued to prevent the Rule from applying to attorneys.


Hogan Lovells Attorneys Presenting at IAPP Global Privacy Summit in Washington


This week marks the annual gathering of more than 1500 privacy professionals in Washington, D.C. for the International Association of Privacy Professionals Global Privacy Summit.  Attorneys from the Hogan Lovells Privacy and Information Management Practice are presenting in a number of sessions, a reflection of the breadth of our practice and experience. 

Here is the calendar of the Hogan Lovells appearances:

Wednesday, March 9, 8AM to Noon  -- Security Breach 101: Mark Paulding

Wednesday, March 9, 8AM to Noon --  Managing Data Breach Challenges and Constituencies after HITECH: Chris Zaetta

Wednesday, March 9, 1 PM to 5 PM  -- Pie in the Sky: The Intersection of Cloud Computing and Privacy Law Issues: Zenas Choi

Thursday, March 10, 10 to 11 AM --  Privacy Issues in Consumer and Patient Online Health Products and Systems: Melissa Bianchi

Thursday, March 10, 1:45 to 2:45 PM --  NAFTA Privacy: Chris Wolf

Friday, March 11, 10:30 to 11:30 AM --  Privacy v. Anti-Piracy: Chris Wolf

Friday, March 11, 10:30 to 11:30 AM -- Navigating Financial Privacy Compliance in a Post-Dodd-Frank World: Elizabeth Khalil

For those attending the IAPP Summit, please stop by the Hogan Lovells booth in the exhibition hall to meet lawyers from the group and to receive a cookie -- the fortune kind not the tracking kind.

The Latest on the Prospects for Federal Privacy Legislation

 

Representative Cliff Stearns (R-FL), the co-sponsor of the first major legislative proposal on privacy in the last session of Congress,  the Boucher-Stearns bill,  spoke yesterday at an event on Capitol Hill about his plans to re-introduce the legislation in modified form.  While not providing many details, he said the legislation he plans to introduce will be focused on "broad privacy goals" like giving consumers clear disclosures about the data that is collected online about them.  The framework reportedly would allow the FTC to approve five-year self-regulatory programs from industry.  In a press release, the Congressman said "This draft is based on legislation I introduced in 2005, H.R. 1263. This draft takes a different approach, but one I think balances privacy with innovation."

 
According to BNA,  Congressman Stearns "told reporters that he is currently in the process of seeking cosponsors, both Democratic and Republican, and is not yet ready to formally introduce the measure or to talk to House Energy and Commerce Committee Chairman Fred Upton (R-Mich.) about moving it forward."  Thus, it is unlikely the Stearns revision of the Boucher-Stearns privacy bill will be considered in Congress anytime soon.
 
This article from BNA describes the broader privacy legislative landscape and recaps a program earlier this week featuring Chris Wolf and Tim Tobin from the Hogan Lovells Privacy and Information Practice and Jules Polonetsky, Co-Chair and Director of the Future of Privacy Forum:
 
 
Internet Privacy Will See More Hill Debate, But Open Issues Likely to Delay Any New Law
 
Federal lawmakers, particularly members of a newly created Senate technology privacy subcommittee, appear poised to again discuss—but probably not pass—comprehensive privacy legislation this session, D.C. privacy attorneys predicted March 2.
 
 

Upcoming Webinars on Privacy Developments in Washington and Data Security Breach Notification Laws

Two webinars, one afternoon.  On Thursday, February 24, Hogan Lovells Privacy and Information Management Practice Director Chris Wolf will participate in a BNA webinar (along with Senior Governmental Affairs Advisor Nancy Granese of Hogan Lovells and Jules Polonetsky of the Future of Privacy Forum) on privacy developments in Washington, and an Experian webinar on data security breach notification laws (along with Reed Freeman of Morrison & Foerster and Tony Hadley of Experian).  Both pay-to-view programs are open for sign-up now.

What to Expect from Washington in Privacy Law in 2011

Privacy is a non-partisan issue, and 2011 is being viewed as the year in which significant changes may emerge. Media attention has focused on online collection and use of consumer data for marketing purposes, and government access to personal data stored in the “cloud”. Meanwhile, proposals for change in the US privacy framework have emerged from the Federal Trade Commission, Department of Commerce, and the U.S. Congress. Additionally, proposals for privacy law reform have been proposed in the European Union.

This BNA webinar will focus on Washington’s influence on privacy law reform, and provide the insiders' view of what changes are likely coming in 2011.

Program Highlights:

  • Learn what the realistic prospects are for new privacy laws and regulations.

  • Which privacy best practices may emerge from the recent proposals for reform?

  • What will the FTC and the Department of Commerce do in the privacy and data security realm?

  • Hear an evaluation of the role of self-regulation.

  • Who are the players in Washington who can affect privacy policy changes?

You may register here.

State Legislation Past and Present:  The Effects of Data Breach Notification and Resolution

In 2010, security breach-related legislation was revised or newly enacted in five states and introduced in at least 18 additional states. Join us for a discourse on the effects and new developments state laws have imposed on data breach notification and resolution. 

Learn how companies that have experienced breaches have fared given the new laws and what lessons have been learned. Our panel of privacy experts will address specific examples of how data breaches occur and what steps their clients have taken to mitigate the risk of a breach in the first 72 hours. They will investigate how these laws have been applied in real-life scenarios and the implications for:

  • Data breaches resulting from third party vendors
     
  • Data leakage and referring headers
     
  • How breach laws affect medical laws already in place
     
  • Cyber risk insurance and what it means to compliance

You may register here.

 

Hogan Lovells Celebrates Data Privacy Day

Hogan Lovells offices worldwide are celebrating Data Privacy Day today. The internationally-recognized day, which is observed in the United States, Canada, and 27 European countries, serves to raise awareness and promote data privacy and protection education.

As part of Hogan Lovells' commitment to fostering dialogue around issues including consumer privacy protection, misuse of information, and online safety, planned Data Privacy Day activities will include:

  • Hogan Lovells lawyers from the Privacy and Information Management Practice in the Washington, D.C. office will participate in a new program, the "Privacy Law Salon" in Miami Beach, FL, a Cambridge Forums conference organized by practice director Christopher Wolf, practice Senior Policy Advisor Professor Daniel Solove from the George Washington University Law School, and Berkeley Law Professors Paul Schwartz and Chris Hoofnagle, and will involve practice co-director Marcy Wilder and privacy lawyers Barbara Bennett, Lynda Marshall, Chris Zaetta, and Tim Tobin. Numerous Hogan Lovells clients also are participating in the Privacy Law Salon, and Department of Commerce General Counsel and co-chair of the new federal privacy committee in the White House Office of Science and Technology, Cameron Kerry, will address the group.
  • A data protection seminar in our Hong Kong office titled, "A Survival Guide to Data Protection in Hong Kong" will be presented by Hogan Lovells partner Gabriela Kennedy.
  • Lawyers in our Madrid office will partner with the Spanish Data Protection Agency for a discussion about data privacy with students. Internal seminars, discussions, and games related to data protection and privacy will take place in many offices.
  • Hundreds of Hogan Lovells lawyers in Washington, D.C., New York, California, and London will receive a fortune cookie from the Privacy and Information Management Practice (a subtle reference to the use of tracking cookies online -- a current privacy focus) to raise awareness of how the privacy practice can help clients.

Washington, D.C. office partners Christopher Wolf and Marcy Wilder, co-directors of Hogan Lovells' Privacy and Information Management practice group, coordinated the events. Hogan Lovells is well positioned to assist clients around the globe and in a wide array of industries with advice and representation in the rapidly changing area of privacy and data security law. With offices located throughout the Americas, Europe, Asia, and the Middle East, Hogan Lovells is unique in its ability to provide global assistance on privacy and data security matters. We draw upon the extensive experience of our technology, health, communications, and consumer protection lawyers to provide advice and counsel across a wide range of subject matters and industries.

The Privacy and Information Management practice group's blog, The Chronicle of Data Protection is the source for privacy and information security news and trends. 

Hogan Lovells Adds Leading Privacy Professor Daniel Solove as Senior Policy Advisor

We are delighted to share this news with readers of the Hogan Lovells Chronicle of Data Protection:

FOR IMMEDIATE RELEASE

Hogan Lovells Adds Leading Privacy Professor Daniel Solove as Senior Policy Advisor

WASHINGTON, D.C., 3 January 2011 – Hogan Lovells US LLP announced today that Professor Daniel J. Solove, an internationally-known leader in privacy law, has joined the Washington, D.C. office as a Senior Policy Advisor to the Privacy and Information Management Practice.

 

With Professor Solove’s arrival, Hogan Lovells will be able to offer clients his insights and experience from years of scholarship in privacy and engagement with the privacy community.

 

Christopher Wolf, Director of the privacy practice at Hogan Lovells, said: “Having Dan Solove available to consult with us and our clients on privacy law matters is an amazing opportunity. Dan is universally regarded as one of the top privacy scholars in the country, someone who not only is widely heralded for his knowledge but also someone who understands the practical aspects of privacy protection.”

 

Professor Solove is the John Marshall Harlan Research Professor of Law at the George Washington University Law School. Professor Solove is the author of numerous books, including Nothing to Hide: The False Tradeoff Between Privacy and Security (Yale, forthcoming 2011), Understanding Privacy (Harvard 2008), The Future of Reputation: Gossip and Rumor in the Information Age (Yale 2007) (winner of the 2007 McGannon Award), and The Digital Person: Technology and Privacy in the Information Age (NYU 2004).

 

Professor Solove is also the author of a textbook, Information Privacy Law with Aspen Publishing Co. now in its third edition, with co-author Professor Paul Schwartz. Professor Solove also co-authored with Professor Paul Schwartz the forthcoming Privacy Law Fundamentals to be published by the International Association of Privacy Professionals (IAPP) in 2011. Additionally, Professor Solove is the author of several other textbooks, including Privacy and the Media (1st edition, Aspen Publishing Co. 2009) and Privacy, Information, and Technology (2nd edition, Aspen Publishing Co. 2009), all with Paul Schwartz.

He has published nearly 40 articles and essays, which have appeared in leading law reviews, including the Yale Law Journal, Stanford Law Review, Columbia Law Review, Michigan Law Review, N.Y.U. Law Review, Chicago Law Review, U. Pennsylvania Law Review, among others.

 

Professor Solove has testified before Congress and has served as an expert witness in privacy cases. He has been interviewed and featured in several hundred media broadcasts and articles, including the New York Times, Wall Street Journal, Washington Post, Chicago Tribune, USA Today, Associated Press, Time, Newsweek, People, Reader’s Digest, ABC, CBS, NBC, CNN, NPR, and C-SPAN’s “Book TV.” 

 

Marcy Wilder, also a Director of the privacy practice at Hogan Lovells observed: “One of the hallmarks of the Hogan Lovells privacy practice is the advice we provide to clients not only on existing legal requirements but on how to anticipate changes in privacy law and regulation. Having Dan Solove as part of our team enhances our ability to help clients ‘look around corners’ and be prepared for coming privacy developments.”

 

Warren Gorrell, Co-CEO of Hogan Lovells added: “Our global privacy practice is recognized for its breadth and depth, and adding Professor Solove to the team is a real coup.”

About Hogan Lovells

www.hoganlovells.com

Hogan Lovells combines the breadth of business-oriented legal advice and high-quality service that clients have come to expect through working with its two founding firms – Hogan & Hartson and Lovells.

"Hogan Lovells" or the "firm" refers to the international legal practice comprising Hogan Lovells International LLP, Hogan Lovells US LLP, Hogan Lovells Worldwide Group (a Swiss Verein), and their affiliated businesses, each of which is a separate legal entity. Hogan Lovells International LLP is a limited liability partnership registered in England and Wales with registered number OC323639. Registered office and principal place of business: Atlantic House, Holborn Viaduct, London EC1A 2FG. Hogan Lovells US LLP is a limited liability partnership registered in the District of Columbia.


 
 

Survey on Your Reactions to FTC and Commerce Privacy Reports

The Future of Privacy Forum is conducting a survey on the reaction of privacy enthusiasts to the recently-issued FTC and Commerce privacy reports, as described below.   You are invited to participate and share your views.

From the Future of Privacy Forum blog:

It’s been an extremely busy few weeks in the privacy world as of late.   A little more than two weeks ago, the FTC released their long-awaited staff report on “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,”  and yesterday the Department of Commerce’s Internet Safety Task Force released their privacy Green Paper,  “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.”  The reviews on both have ranged across both ends of the spectrum and have brought increased media attention to the ideas of a ‘Do Not Track’ list, a ‘Privacy Bill of Rights,’ and the creation of a Federal CPO.  

But now it’s time for a little more research into what privacy enthusiasts really think of these two reports.  What will they mean for the future of privacy and how will they impact our national policy when it comes to privacy protections for consumers?  Will they spur legislation or will the industry see them as a signal to start embracing stronger self-regulation mechanisms?  

We want to know what privacy enthusiasts think of the latest reports from the FTC and Department of Commerce so we’re asking all those interested to participate in a brief survey.  The survey can be seen here, and should take no more than five minutes to complete.  All participants should complete the survey no later than December 31, 2010, and we will announce the results shortly thereafter.  

We look forward to your thoughts and thank you in advance for participating!

Coming on Tuesday, 14 December: IAPP Web Conference Analyzing FTC Privacy Report Featuring Hogan Lovells and FTC Officials

 

International Association of Privacy Professionals (IAPP) Web Conference

The FTC Privacy Report – A First Look into New Frameworks for Businesses and Policymakers

Date: December 14, 2010
Event start time: 1:00 pm (GMT-05:00) Eastern Time (US & Canada)
Via IAPP Web Conference Service (Registration required)

The FTC has just issued a preliminary report asking for comments on new controls and standards for the online protection of individuals’ privacy. The report details an expansion in scope and breadth of what may constitute consumer data and asks for feedback on sweeping new standards. Join a Web conference examining this important new development in the evolution of consumer privacy. 

Presenters and Hosts:

Robert Belair, Partner, Arnall Golden Gregory LLP

Christopher Wolf, Partner, Hogan Lovells  US LLP

Panelists:

Edward W. Felten, Chief Technologist, Office of the Chairman, FTC, (effective Jan. 1)

Peder Magee, Senior Staff Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, FTC

To register, click here


  
 
 

Live Blogging from the IAPP Practical Privacy Program: FTC Commissioner Julie Brill

Commissioner Julie Brill is the keynote speaker at today's IAPP Practical Privacy program on the Federal Trade Commission and consumer privacy in Washington, DC.  Obviously, the just-released FTC Report is the hot topic.

Among the highlights of Commissioner Brill's remarks:

  • Privacy through the lens of Black Friday and Cyber Monday, the "high holy days of consumerism" -- A number of consumers detailed their purchases online through "online exhibitionism," including even uploaded videos in which teenage girls showed off their purchases.  So, with so many people choosing to make public what they have a right to keep private, why is the FTC looking for new and better ways to protect people's privacy?  It is simple: the Commission's mandate is to preserve consumer control over private data.  It is their choice to share, but "we make sure that consumers understand the implications of revealing information and are empowered to protect their information."
  • Up to now, the FTC has been playing defense -- enforcing privacy rights that cause tangible harm only after the fact.  The notice and choice, and no harm/no foul paradigm does not do enough to protect consumers.
  • The FTC Report reflects a new paradigm:  (1)  Privacy at every stage of development of products and services; (2)  Simplification of consumer choice; (3)  Increased transparency "but we are not throwing away the harm model, as our enforcement will show."  Indeed, we are not throwing away anything, we are building on the current platform of protection.
  • The most-talked about recommendation, the proposal of a Do Not Track mechanism:  "I want to dispel concerns that have arisen."  (1)  The FTC is not proposing a list like "Do Not Call" but rather a "browser-based approach" that communicates their preferences to every web site visited.  "I want to commend browser providers on developing these controls for consumers who show that the recommended approach is technologically-feasible."  (2)  Do Not Track will not result in consumers en masse opting out, as the Roundtables demonstrated.  "I am reminded of 'Miracle on 34th Street' where Macy's is featured as the consumer friendly store, providing choices to consumers.  Mr. Macy in the film would have been eager to compete on privacy, and advertisers today should show consumers of the benefits of collecting and using their information for tailored advertising."
  • Should we wait for industry to come up with a self-regulatory system or look to a new law enacted by Congress?  If industry does not adopt Do Not Track, then I support a law that gives the Commission APA rulemaking authority and civil penalties, along with the ability to respect self-regulatory regimes.  I am discouraged by the immediate reaction of some in industry to even the concept of Do Not Track.
  • The Commission is not recommending the possibility of legislation outside of the "Do Not Track" arena but Commissioner Brill thinks the Report could serve as a roadmap for more general legislative proposals.
  • Consumers deserve greater access to information about them in databases.
  • More cops on the beat are better.  Even though marketers who ignore browser controls for tracking could violate existing laws enforced by others, Commissioner Brill believes that FTC authority to enforce is important.

EU Data Protection Supervisor's Interview at Hogan Lovells London

     

European Data Protection Supervisor Peter Hustinx traveled in frigid, snowy conditions from Brussels to London on 2 December for an interview presentation at the London Offices of Hogan Lovells attended by lawyers from the Hogan Lovells global Privacy and Information Management Practice as well as clients and friends of the firm. 

The interview coincided with visits to Europe of US Hogan Lovells privacy partners Barbara Bennett, Marcy Wilder and Chris Wolf, who participated in the IAPP Privacy Congress in Paris earlier in the week, and meetings with EU Hogan Lovells privacy colleagues in London, including: 

Quentin Archer (London)

Roger Tym (London)

Mac Macmillan (London)

Winston Maxwell (Paris)

Stefan Schuppert (Munich)

Hanno Timner (Berlin)

Marco Berliri (Rome)

Gonzalo Gállego (Rome)

Lionel de Souza (Paris)

Massimiliano Masnada (Rome)

Messrs. Maxwell and Schuppert and Ms. Wilder presented in Paris on Binding Corporate Rules and Mr. Wolf presented on the balancing of fundamental rights of privacy and anti-piracy. The London meetings were organized by Barbara Bennett and Quentin Archer and focused on global developments in privacy law and how best to provide seamless privacy law services to clients around the world with multi-jurisdictional needs.

The session with Mr. Hustinx, conducted by Hogan Lovells practice leader Chris Wolf, started with the observation that the firm’s practice is now the largest privacy practice in the world, and thus what happens in the EU with respect to privacy has great significance for clients of the firm. The focus of the interview was on the recently-issued draft agenda of the European Commission on privacy.

Mr. Hustinx spent about an hour discussing many of the details of the draft agenda, including the process for its consideration, the concepts of the “right to be forgotten,” changes to the ways in which notice and choice are implemented, how national privacy laws might be harmonized across the EU, how cross-border transfers outside the EU might be facilitated, and the efficacy of increased enforcement and penalties.

Two observations by Mr. Hustinx stand out:

  • The current EU data protection framework will stay in place for the next 4 to 5 years, as the process for consideration and implementation of the changes embodied in the Commission’s draft agenda will be lengthy and thorough.
  • The day will come when the United States privacy framework will be recognized by the EU as providing “adequate protection” and thus allowing cross-border transfers without the employment of auxiliary legal tools. Mr. Hustinx concurred in the observation that the FTC Report issued on 1 December contained concepts now present under the EU Directive and paralleled in significant ways the Commission’s draft privacy agenda. Mr. Hustinx declined to say when the time for the EU adequacy recognition for the US would come, but suggested it was not in the immediate future. He applauded the closer working relationship between the US and the EU on privacy matters, following a mention of greater US governmental attention to privacy issues, and said there are privacy protection concepts from around the world that may be adopted in the EU – that global exchanges of best practices are in everyone’s interests.

Hogan Lovells expresses enormous appreciation to Mr. Hustinx for meeting with us, and especially for the arduous travel to and from London he endured to be with us.

Hogan Lovells Privacy Partner Selected to Chair March 2011 Transatlantic Events Privacy Program in Chicago

Hogan Lovells Privacy Practice Leader Chris Wolf has been tapped to chair the first Transatlantic Events privacy program in the United States, which will take place in Chicago in early March 2011.  UK-based Transatlantic Events is well known for its substantive programs in the EU.  It has brought together a prestigious panel of presenters for the Chicago program.  The program agenda follows.

Attendees who reserve their places before 1 January 2011 will pay only $550.00, instead of the full rate ($750.00).   Places are limited and reserved on a "first come, first serve" basis.

Click here to register for this conference in Chicago.

"Data Protection: Global Compliance Management"
Monday, 7th of March 2011
Loyola University
Chicago, Illinois, USA

 

9:00 AM - 9:05 AM
Chairman's Introduction: Privacy & Data Protection overview

Chairman: Christopher Wolf, Partner, Hogan Lovells US LLP

Part One: Safe Harbor, Model Clauses, BCR and the APEC Solution

9.05 AM - 9.35 AM
Data Protection: Federal Trade Commission Keynote Address.
Keynote Speaker: C. Steven Baker, Director, Midwest Region,
Federal Trade Commission


9.35 AM - 10.00 AM
BCR: Can one size fit all?
Speaker: Brian Hengesbaugh, Partner, Baker & McKenzie LLP
- Application process how it works in practice.
- Challenges/learning points.
- How do they compare to other options

10:00 AM – 10:25 AM
Data Protection: Safe Harbor and Practical Implementations
Speaker: Robert L. Rothman, President, Privacy Associates International LLC

10:25 AM - 11:10 AM
Ensuring Data Protection Law Compliance in Multiple Jurisdictions
Speaker: Liisa M. Thomas, Partner, Winston & Strawn LLP
- What are key privacy concerns for US companies that operate in multiple jurisdictions?
- What are some of the major concerns when taking a US compliance approach into the EU?
- Into other jurisdictions?
- Is a uniform compliance policy feasible?
- What are some practical steps companies that operate in multiple jurisdictions can take for risk and compliance management

11:10 AM - 11:25 AM
Coffee

Part Two: Data Protection And The Workplace

11:25 AM -11:50 AM
SARs in the current climate
Speaker: Vincent J. Vitkowsky, Partner, Edwards Angell Palmer & Dodge LLP
- A primer on the basic rules
- Some practical issues and how to address them
- Discussing the changing landscape of the law and current climate and the impact on SARs

11:50 AM - 12:15 PM
Ethical Hotlines, Compliance and Data Privacy: Creating international solutions rather than conflict!
Speaker: Robert Bond, Partner, Speechly Bircham LLP (UK)
- SOX 301(4) and reporting hotlines
- OFAC and the UK Bribery Act
- Understanding the conflicts between US and EU regimes
- Implementing workable compliance solutions for multinationals

12:15 PM - 12:40 PM
Outsourcing, Insourcing and "The Cloud"
Speaker: Rebecca S. Eisner, Partner, Mayer Brown LLP
- What are the legal issues?
- Shifting distinctions between "data controllers" and "data processors"
- Jurisdictional problems. Whose law applies?
- Offshoring.
- How to address data protection in the Cloud

12:40 PM - 1:00 PM
The Data Protection Interactive
Panel Chairman: Christopher Wolf
Panelists:
Liisa M. Thomas, Robert Bond, Rebecca S. Eisner,
Robert L. Rothman, Brian Hengesbaugh

- SOX, Data Protection and Hotlines
- Responding to Privacy Breaches
- Binding Corporate Rules
- Data Protection and Outsourcing
- The Cloud

1:00 PM - 2:00 PM
Lunch

Part Three: Marketing, Kids and Social Networking

2:00 PM - 2:05 PM
Chairman's Introduction: Privacy & Data Protection overview
Co-Chairman: Thomas J. Smedinghoff, Partner, Wildman, Harrold, Allen & Dixon LLP

2:05 PM – 2:30 PM
When will a Marketing Director go to Prison?
Tesco Ireland has just been fined and forced to stop sending marketing emails. As the regulators get tough, where are the man-traps waiting for the unwary marketing dep’t to walk right in to?

Speaker: Tim Beadle, Director, Atrium, (UK)
- Gaining consent and what 2011's "cookie law" will require
- Behavioural vs contextual data
- Data sharing and buying

2:30 PM - 2:55 PM
Data Protection For Children: The problems of getting consent & other potential pitfalls
Speaker: Roslyn J. Kitchen, Partner, Cohen Silverman Rowan, LLP
- The ability to enforce a child's right to privacy (even when they don't think they need it).
- CARU, contract law, and protections under COPPA.
- What is verified parental consent? And when Marketers don't need it.
- When is a child not a child? How technology can help or hinder.
- On-line promotional activity directed to your child customer: sweepstakes and contests, chat rooms, product reviews, and other fun stuff!!

2:55 PM - 3.25 PM
The U.S. Perspective to Social Networking, Advertising, Marketing and Privacy Issues: Legal and Compliance - The U.S. Perspective to Social Networking and Privacy
Speaker: Edward R. McNicholas, Partner, Sidley Austin LLP
- Social Media - Advertising and Marketing
- Company Social Media Governance and Policies
- Digital Age Privacy - Does privacy really exist anymore?

3:25 PM - 3:45 PM
Panel Discussion: Social Networking, Marketing and Privacy
Panel Chairman: Thomas J. Smedinghoff
Panelists: Tim Beadle, Roslyn J. Kitchen, Edward R. McNicholas

3:45 PM - 4.00 PM
Coffee

Part Four: Information Security
Chairman: Christopher Wolf, Partner, Hogan Lovells US LLP

4:00 PM - 4:25 PM
Privacy and Security Litigation
Speaker: Ian C. Ballon, Greenberg Traurig LLP
- class action litigation update
- security breach update
- flash cookie litigation
- federal preemption of certain privacy and security claims
- compelling the disclosure of the identity of anonymous and pseudonymous actors
- social network issues
- winning strategies in litigation
- ways to minimize the risk of litigation

4:25 PM - 4:50 PM
Information Security: Responding to Investigations by the FTC
Speaker: Peter F. McLaughlin, Senior Counsel, Foley & Lardner LLP

4:50 PM - 5:15 PM
Managing A Crisis
Speaker: Bart A. Lazar, Partner, Seyfarth Shaw LLP
- Investigation and first response
- Notification to regulators / individuals
- Managing communication
- Managing liability

5:15 PM - 5:30 PM
Panel Discussion: Information Security
Panel Chairman: Christopher Wolf
Panelists: Ian C. Ballon, Peter F. McLaughlin, Bart A. Lazar
Guest Panelist: Thomas J. Smedinghoff

5:30 PM
Chairman's final remarks and close of Conference.
Chairman: Christopher Wolf, Partner, Hogan Lovells US LLP


Mideast Peace Talks, on Privacy

As the Data Protection Authority and Privacy Commissioner Conference in Jerusalem winds up, Hogan Lovells Privacy and Information Management Practice Leader Christopher Wolf shares this report published in the Huffington Post which he co-authored with his co-chair of the Future of Privacy Forum think tank, Jules Polonetsky:

Modern democracies agree that the issue must be addressed, but the path to agreement is rough. This may describe the current political situation in the Middle East, but it also describes the conundrum of a global framework to protect the personal information of individuals in an increasingly technological age. All sides recognize that personal privacy is exposed in ways never before seen, but what legal framework is best to ensure responsible data practices is open to great debate.

We live in a time when companies are compiling digital dossiers about us, and are collecting information about our web browsing, our searches and our shopping habits. Geo-location data from our mobile phones is allowing a wide range of services, and new forms of online technology also allow targeted, so-called "behavioral" advertising. The increasing use of social networks shows that people are more willing than ever to publish and share information about themselves, which provides an even richer trove of information that can be used to analyze consumers and predict their interests. And governments are eager to access the data in the name of national security.

Not all data collection and use is bad, of course. The use of online data subsidizes free content and enables new services. It is allowing us to better connect with each other. But lack of transparency about what is going on with personal data is a real problem, because it takes away personal control over who gets to see and use our information.

This week, in Jerusalem, regulators and policy-makers from around the world are meeting to discuss the best way to fix the world's increasing privacy problems. There will be no disagreement over the technological threats to privacy. But disagreement is likely on what framework is best to improve individual privacy protections in this technological age. In the EU and in Israel, the preferred legal framework is an across-the-board privacy law for all data, while the US takes a more focused, harms-based approach to the protection of privacy.

So how do we get an improved global baseline of privacy, one that allows people to understand what is going on with their information and that gives them control?

There is much to commend the mandate in the EU and Israel that all businesses that collect and use personal information must have privacy top of mind for all data. But even in the EU, there is an emerging understanding that specific privacy problems require more focused attention.

The hallmark of the current legal and regulatory privacy regime in the United States is its focus and flexibility. Lawmakers have enacted strict laws about financial privacy, health privacy, and children's privacy. They recognized that financial data, medical data and personal information of kids deserve priority protection. Other personal information is protected through enforcement actions initiated by the Federal Trade Commission and state regulators.

Indeed, while the US lacks a comprehensive across-the-board privacy law like that in the EU and Israel, our framework of shared lawmaking authority and targeted enforcement has led to better privacy protection than ever according to a new study by professors at the University of California at Berkeley. The threat of enforcement plays a large role in getting companies to better protect privacy. In the last year we have seen important steps by companies and trade groups that have real promise. For example, companies have started to venture beyond legalistic privacy policies and are using more intuitive symbols or icons to begin to alert users to different kinds of data use. And companies are coming together in voluntary, self-regulatory groups with new privacy standards.

Interestingly, the idea of self-regulation is gaining a foothold of sorts in the EU, just as legislative proposals for comprehensive privacy law have been introduced in the US Congress. So, while the privacy officials meeting in Jerusalem this week are unlikely to change their views on what is the best legal framework to protect privacy, they will have a chance to see the benefits of alternative approaches. This ultimately may lead to more common ground in the quest to protect the personal privacy of people around the world.

Wolf and Polonetsky are co-chairs of the Future of Privacy Forum, a think tank in Washington, DC that promotes responsible data practices.

Relatedly, see this report on proposals for reform of the EU Data Protection Directive and this report on the presentation Chris Wolf made at the Jerusalem conference on the effectiveness of the US enforcement model.

Word has it that the 33d Annual Conference of DPAs and Privacy Commissioners will take place in 2011 in Mexico, where a new national privacy law is being implemented.  While it does not quite have the biblical ring of last year's proclamation  upon the selection of Israel as the site of the DPA meeting, "Next year in Jerusalem":  El año que viene en México!

Hogan Lovells Presents to World Privacy Authorities in Jerusalem

 

The 32d Annual International Conference of Data Protection and Privacy Commissioners begins this week in Jerusalem.  Hogan Lovells Privacy and Information Management Leader Christopher Wolf will be a panelist and will present a paper entitled: "Targeted Enforcement and Shared Lawmaking Authority as Catalysts for Data Protection in the United States."  An article adapted from that presentation appears in this week's BNA Privacy and Security Law Report and BNA graciously has allowed us to provide a reprint of that article here.

The focus of the international privacy meeting in Israel will be the challenges presented to existing legal regimes by advances in technology and the willingness of people -- especially young people -- to share great amounts of personal information online.  It is widely agreed that current laws need reexamination and possible revision in light of new ways to collect and share personal data.  It is in that context that the "Targeted Enforcement and Shared Lawmaking Authority" paper is offered for international consideration to demonstrate effective aspects of US law.

The paper begins:

Modern democracies are committed to the protection of personal data. There are various approaches to achieving protection, ranging from the comprehensive regulatory approach of the European Union, to the harms-based APEC framework, to the sectoral and geographic approach of the United States, which relies heavily on Federal Trade Commission (FTC) enforcement against unfair or deceptive consumer practices and the combination of federal and state laws. The US framework frequently is criticized for the absence of a comprehensive privacy law. Indeed that perceived deficiency has resulted in a persistent finding by the EU that the US lacks “adequate protection” for personal data, requiring legal work-arounds for the cross-border transfer of personal data from the EU to the US. At the same time, there is global recognition of a need to re-examine privacy governance to cope with the implications of new technologies, and to protect generations of technology users.  

Without debating the primacy of one approach to the protection of privacy over another, it nevertheless is useful to look beyond labels and common perceptions to examine the effective aspects of the United States regime (emphasis supplied). This paper discusses the effectiveness of enforcement by the FTC under its jurisdiction to police unfair and deceptive practices, and the experience in individual states as incubators of new privacy and data security laws that have nationwide effects. It also highlights privacy-enhancing practices and technologies adopted by businesses aware of the advantages of self-regulation over prescriptive rules and the need to self-regulate and innovate to avoid restrictive regulation.

Read more here.

Vladeck Presents Vision for Future Privacy Protection at IAPP Academy

David Vladeck, Director of the Division of Consumer Protection at the Federal Trade Commission, today spoke at the IAPP Privacy Academy in Baltimore, and offered the FTC vision for future privacy protection.  Here are some highlights:

  • FTC will continue to bring cases to ensure that companies reasonably ensure safeguards for consumer privacy
  • FTC will bring more cases involving pure privacy protections, in addition to data security cases, building on the Sears case.  "You can expect more cases like that in the future."  (This suggests a greater focus on how notice and choice is given and the degree to which privacy options are implemented, such as in the recent US Search enforcement).  "Consumer choice must control."
  • We will be focusing our efforts on new technologies, such as our enforcement in the Twitter case.   FTC has hired new technologists and has created a mobile lab to address smart phones and mobile apps.
  • There will be increased international cooperation on privacy, as evidenced by the Global Privacy Enforcement Network (GPEN) announced last week.  Recent cooperation brought down the latest spam operation in the world, resulting in a 25% drop in spam worldwide.

Vladeck also spoke on the formulation of new privacy policy following the FTC Roundtables.

  • Past approaches to consumer privacy have not kept pace with technology.  (1) Notice and choice is a failed paradigm as implemented.  The problem is exacerbated by mobile devices, where one has to scroll down through hundreds of screens to read a privacy policy; (2) Focusing on harms is not the best way to address privacy violations.
  • The Roundtables demonstrated that (1) Data persists longer than people expect; (2)  The difference between PII and non-PII is blurring; (3)  Consumers understand very little about how their information is used and shared; (4)  Often, consumers do not interact with or have direct contact with companies that handle their information; (5) Technology can provide important privacy solutions.
  • When is the Report coming out?  "This Fall"
  • What will the Report say?  "This is impossible to answer as Commissioners are still to review and will provide input"  But here are the big picture issues in the report:  (1)  Importance of Privacy by Design -- thinking about good data hygiene from the very beginning; (2) Increased transparency is needed about data practices -- we need better privacy notices, in more consistent, shorter formats; (3)  We need to simplify consumer choice -- especially regarding uses of data they would not expect.  Privacy choices should be presented at the point when the consumer is providing the data.  And more consistent policies that allow comparison may allow competition for privacy practices.  We need more protection for sensitive information.  Consumer choice once exercised must be respected.  "The FTC will not tolerate a technology arms race to circumvent privacy protecting technology"; (4)  On the thorny problem of access, companies collecting and aggregating data used for purposes beyond consumer expectation is a problem.  There is no easy solution to the access question, and the FTC will consider the cost of access to the data broker industry.  (5)  There should be better consumer education about how tracking on the Internet works and what are their choices on privacy.
  • The Report will be issued in DRAFT with opportunity for public comment.  Even when finalized, the Report will not be the end of the debate but "the beginning of the next phase of the debate on privacy."  One key component must be flexibility and adaptability.
  • "Do Not Track" is not off the table, and will be considered, despite its complexity.
  • On the issue of regulation vs. self-regulation:  The Commission has always supported self-regulation, but the Commission has supported privacy laws like the telemarketing law.  With respect to privacy and online advertising, "I am disappointed in the progress of self-regulation."  "Ad disclosures and icons are all good ideas, but implementation is very much a work in process."  The Commission and the public may lose its patience with self-regulation if there is not better progress.
  • On the Boucher and Rush legislative proposals, I am concerned that the bills place too much reliance on already overburdened privacy policies.   Also, it is premature to conclude that existing private initiatives are sufficiently robust to provide safe harbors.
  • On data security, legislation that requires reasonable security and notice of breaches creating a reasonable risk of harm will provide sorely needed broad based protections at the federal level.  For the first time, the FTC would have the general right to obtain a civil penalty, which is important.  We see too many companies ignoring well-known vulnerabilities that are easily plugged.  Penalties would help convince those companies to comply.
  • My vision for consumer privacy in 2011 and beyond:  In my privacy utopia, companies are building in privacy from the start; consumers have access to information about privacy; the FTC continues its enforcement regime, with the help of consumer watchdog organizations.  The time for companies using trial and error to protect privacy should come to an end.

 

The Future of Privacy Forum Announces "Privacy Papers for Policy Makers"

On Wednesday, September 15th the Future of Privacy Forum (FPF) announced the papers that were selected as “privacy papers for policy makers” at an event held at George Washington Law School. FPF is the privacy think tank founded and co-chaired by Hogan Lovells’ Chris Wolf. These works were deemed by the FPF to be the recent scholarship dealing with privacy issues that will prove most useful to policy makers. The papers that were selected are:

  • Privacy on the Books and on the Ground – Kenneth A. Bamberger and Deirdre K. Mulligan
  • What is Privacy Worth? – Alessandro Acquisti, Leslie John, and George Loewenstein
  • Misplaced Confidences: Privacy and the Control Paradox – Laura Brandimarte, Alessandro Acquisti, and George Loewenstein
  • Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach – Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, and Lorrie Faith Cranor
  • How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies – Chris Hoofnagle, Jennifer King, Su Li, and Joseph Turow
  • Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes – Ira Rubinstein

You can view these papers, along with the papers that received notable mentions, on FPF’s website at http://www.futureofprivacy.org/the-privacy-papers/.

 

The papers were discussed by a panel, including:

 

  • David Vladeck, Director of the Bureau of Consumer Protection for the Federal Trade Commission (FTC)
  • Jules Polonetsky, Co-Chair of the FPF
  • Christopher Wolf, Co-Chair of the FPF and Partner at Hogan Lovells
  • Dan Solove, Professor, The George Washington University Law School
  • Carol DiBattiste, Senior Vice President, Privacy, Security, Compliance & Government Affairs, LexisNexis
  • Brendon Lynch, Chief Privacy Officer, Microsoft

The conversation focused on how these papers could be used by policy makers to bridge the gap between scholarship and how organizations implement privacy practices on the ground. In his remarks, David Vladeck described how the FTC looks to academic writing to help inform its regulatory priorities. He referenced FTC’s series of roundtable discussions held in late 2009 and early 2010 that were influenced by recent scholarship, including the winning papers. These discussions, and the resulting recommendations, are being used to create an FTC Report that was promised as a follow-up to the roundtables. Mr. Vladeck predicted that the report would be released by the end of October, subject to the Commission’s approval process, and he broadly hinted that some proposed changes to the privacy framework may be forthcoming.

 

Live Webcast of "Privacy Papers" Program Features FTC's David Vladeck

On Wednesday, September 15th at 8:45 AM EDT, there will be a live webcast of a program featuring privacy scholarship voted most useful to US policy makers, "Privacy Papers for Policy Makers," presented by the Future of Privacy Forum (FPF), which I founded and co-chair. 

Our featured speaker will be David Vladeck, head of Consumer Protection at the FTC. 

Discussion will be led by my FPF co-chair, Jules Polonetsky, as well as Mr. Vladeck and:

  • Professor Dan Solove, The George Washington University Law School
  • Carol DiBattiste, Senior Vice President, Privacy, Security, Compliance & Government Affairs, LexisNexis
  • Brendon Lynch, Chief Privacy Officer, Microsoft

 

The program may be viewed live at 8:45 AM EDT at http://www.law.gwu.edu/News/Videos/Pages/Privacy.aspx.

It is also available for audio only at  800-884-7907, access code: 379342

 

 

 

"Privacy Papers for Policy Makers"

 

On Wednesday, September 15th at 8:30 AM in the Moot Courtroom of the George Washington University School of Law, there will be a program featuring privacy scholarship selected by the Future of Privacy Forum Advisory Board as the best “Privacy Papers for Policy Makers,” representing cutting-edge research and analytical work on a variety of privacy topics.  I founded and co-chair the Future of Privacy Forum, which is a think tank focused on advancing consumer privacy in ways that are business practical.

We solicited papers that clearly analyzed current and emerging privacy issues, and either proposed achievable short-term solutions or offered fresh analysis that could lead to new approaches and solutions. Academics, privacy advocates and Chief Privacy Officers on FPF’s Advisory Board reviewed all submitted papers, emphasizing clarity, practicality and overall utility as the most important criteria for inclusion.

The hope is that this relevant and timely scholarship helps inform policy makers in Congress, at the FTC, and in other federal and state agencies as they address privacy issues. This compilation is also being provided to policy makers abroad.

Leading the discussion on the 15th will be David Vladeck, Director of the Bureau of Consumer Protection at the Federal Trade Commission, who will be joined by Carol DiBattiste, Chief Privacy Officer of Lexis Nexis; Brendon Lynch, Chief Privacy Officer at Microsoft; GW Law Professor Dan Solove; and my FPF co-chair and director, Jules Polonetsky.

To attend, please e-mail lauren@futureofprivacy.org

 

September Privacy Events Galore

 

With the new "school year" comes a plethora of privacy events featuring Hogan Lovells attorneys:

On September 9th, the International Association of Privacy Professionals will present this Web Conference on "The Evolution of FTC Privacy Enforcement Actions—What More Granular Enforcement Means for Respondents and Businesses" featuring Hogan Lovells attorneys Chris Wolf and Tim Tobin and FTC Attorney Kandi Parsons.

 

It is a given that there can be no privacy without data security.  Chief Security Officer magazine is presenting the Security Standard conference on September 13 and 14 at the Marriott Brooklyn Bridge in New York City to explore  the complexities of modern security strategies, addressing identity management, cloud security, data protection, risk management and privacy.  For registration information, click here

Hogan Lovells' Chris Wolf will be presenting the following session on September 13:

Negotiating with Your Cloud Provider:  Standard service agreements don’t go far enough in protecting your data and your organization in the event of security incidents or outages at cloud providers. In this session, learn how to negotiate the right terms and penalties to get the protection you need from your cloud provider, from identity management to business continuity, incident response plans and more.

 

On September 14th, Pike & Fischer (a BNA company) will present this Web Conference entitled "Legal Landmines in Europe for Internet-Based Businesses" and featuring Hogan Lovells attorneys from our Paris Office David Taylor, Winston Maxwell, and Chris Wolf from Washington, DC, as well as Google's Global Privacy Counsel Peter Fleischer.

 

 

On September 21st, Hogan Lovells will present a complimentary webinar on NAFTA Privacy featuring top governmental privacy officials from Canada, US, and Mexico, as well as the Chief Privacy Leader of General Electric, and moderated by Hogan Lovells' Chris Wolf.  More information can be found here. To register, please click here.

 

And later in September....

 

You are invited to join Hogan Lovells at the upcoming Online Trust Alliance 5th Anniversary "Online Trust & Cybersecurity Forum" being hosted at Georgetown University, September 22 to 24.  Of particular interest on Wednesday the 22d are three pre-conference workshops focusing on (1) email regulatory compliance, (2) email and domain authentication, and (3) malvertising.  More information on the agenda and registration information are posted here.

Thursday keynotes include the US Secretary of Commerce Gary Locke, Greg Link of CoveyLink, Howard Schmidt (White House Cybersecurity Coordinator) and Randall Rothenberg (IAB) as well as dozens of other business and industry leaders.  On Friday, Representative Cliff Stearns is speaking and kicking off a privacy roundtable followed by sessions on data breach remediation, identity management and privacy policy makeovers.

At the September 24th session, Christopher Wolf of Hogan Lovells will participate in this panel:

Data Breach & ID Theft; Detection & Remediation *
Despite increased security prevention investments and employee training, incidents of data loss are increasing. Companies need to pro-actively plan for the worst case, understanding the focus is not if an event will occur, but when. An effective plan includes an orchestrated play book to be deployed on a moment’s notice. This session will examine steps businesses can take to protect consumers and their brands by reviewing elements of an effective plan including consumer education.  Session will also examine the role consumers have in the chain of trust and steps they can take to protect their identity.

  • Chris Shenefelt, Executive Vice President, Global Operations, Intersections Inc.

  • Anne Wallace, President, Identity Theft Assistance Corporation

  • Christopher Wolf, Director, Privacy & Information Management Practice, Hogan Lovells

OTA has offered readers of the Hogan Lovells Blog the opportunity to register by August 31st for only $399.50 for the two day program and save 50%.  Use discount code Hogan50. Register at https://otalliance.org/dc.html

 

 

AMP Summit is "an annual forum for influentials and thought leaders in the activist, media and political spheres."  Public officials and regulators, experts from think tanks, trade associations, and public relations, and members of the media will attend. This conference in Washington at the Marriott Metro Center "is intended to inspire new thinking, challenge traditional strategies, and create opportunities to learn from each other."  Detailed information can be found here.

Chris Wolf from Hogan Lovells will participate on a panel on Friday, September 24th from 3:50 to 5 PM entitled "Privacy in the Internet Age: Does DC Have a Role to Play?" with Lillie Coney of the Electronic Privacy Information Center and Berin Szoka of the Progress and Freedom Foundation, moderated by Bruce Mehlman of Mehlman, Vogel, Castagnetti.

 

Also, as shown here, Quentin Archer from the Hogan Lovells London Office will be co-chairing the Sedona Conference International Programme on Cross-Border E-Discovery and Privacy on 15 and 16 September in Washington, DC.

What I Did on My Summer Vacation -- Talked About Privacy in Seattle

With much of the privacy regulatory and policy world on vacation, I took a few days outside of Washington to hear what people are thinking about where privacy law is going.  I have just returned from "Geek Week" in Seattle, WA, where I participated in a new program entitled "pii2010" which "explore[d] the future of digital privacy, identity and innovation, and how to strike a balance between protecting sensitive information and enabling new technologies and business models. Hosted by technology analyst Larry Magid, it [was] an all-hands-on-deck conference where industry executives, technologists, consumer advocates, policy experts and other stakeholders [came] together as a group to examine critical issues."  "Lively" doesn't begin to describe the event, with audience members intervening at will and peppering the panelists with questions and "colorful" comments.  It was a little like a blog come to life.  One major take-away:  there are widely divergent views on the role of government and regulation in protecting online privacy.

Washington Internet Daily provided a report of the event and my participation, a small excerpt of which is here:

Rumors of the death of the notice-and-choice privacy framework have been greatly exaggerated. Despite regular declarations from FTC officials over the past several months that the framework needs to be replaced, privacy advocates speaking to the pii2010 conference Thursday gave every indication that won't happen.

"For better or worse, we are stuck with a notice-and-choice paradigm" and must work within it, said Christopher Wolf, co-chairman of the Future of Privacy Forum. "I don't see how you get rid of choice," said Fran Maier, president of TRUSTe.  The likelihood of any privacy bill passing this year is "virtually nonexistent," and if Republicans retake at least one house of Congress in the midterm elections, it drops, Wolf said. The bills offered by Reps. Bobby Rush, D-Ill., and Rick Boucher, D-Va., chairmen of the House Commerce Consumer Protection and Communications subcommittees, are "incredibly complex," Wolf said. "I just see enormous wrangling" over their provisions from industry and activists. The bills have been helpful to "start conversation" with stakeholders, though, Maier said.

 

More likely is faster development of "common law" by the FTC, which has "really gotten into the weeds" on privacy-related issues, especially data security, said Wolf, who represents clients before the commission. The parties targeted in FTC investigations rarely put up much of a fight, as exemplified by Sears' conceding that its tracking software installed on customers' computers crossed the line, he said: There's no reason to think the commission will go easier on privacy disputes.

 

The Future of Privacy Forum is "trying to proselytize" for better self-regulation by industry, as with the "Power-I" icon being tested in online ads, but not trying to halt privacy legislation that gives companies a safe harbor for following best practices, Wolf said. The forum is running a "privacy papers for policymakers" competition whose winners will be announced Sept. 15 at a George Washington University law school event with David Vladeck, director of the FTC Consumer Protection Bureau, he said.

 

BNA Webinar: Legal Landmines in Europe for Internet-Based Businesses

Readers of the Hogan Lovells Chronicle of Data Protection may be interested in this upcoming webinar featuring Hogan Lovells attorneys from Europe and the United States, as well as Google's European Privacy Counsel, Peter Fleischer.  This event is being produced by Pike & Fischer, a Bureau of National Affairs (BNA) Company.  Here is the Pike & Fischer/BNA announcement with link to registration information:

BNA Webinar
Legal Landmines in Europe for Internet-Based Businesses
June 30, 12:30 p.m. to 2:00 p.m. ET

So you think your business practices are EU-compliant? You could be blindsided by European laws and regulations that are foreign -- in every sense of the word -- to your accustomed way of doing business. The recent conviction of three Google executives by an Italian judge is one notable example. Don't be caught off guard. Join Pike & Fischer's panel of legal experts as they expose European laws (both enacted and proposed) that potentially render U.S.-based Internet businesses liable for intellectual property, privacy, e-commerce, speech, and other violations.

Peter Fleischer, Global Privacy Counsel, Google, and Winston Maxwell and David Taylor, both partners with Hogan Lovells in Paris, will cover a wide range of topics, including data retention obligations, collection of personal data, and liability for user-generated content. The session will be moderated by Christopher Wolf, Partner, Hogan Lovells in Washington, DC.  

For further information: http://www.pf.com/eventDetail.asp?id=105&type=1.
 

Geneva Meeting of Hogan Lovells Privacy Lawyers Demonstrates Global Reach; Webinar on 20 May to Focus on Trans-Atlantic Challenges Facing Multinationals

  While the Hogan Lovells Chronicle of Data Protection primarily is designed for news and analysis of developments in the field of privacy and data protection, we want to take the opportunity of the recent combination of Hogan & Hartson with Lovells to inform our readers of the global breadth and depth of our practice. While each of the legacy firms was celebrated for its privacy and information management practices, the coming together of the lawyers from the two firms has created a practice group that is unparalleled in the world.  Hogan Lovells helps clients address privacy and data protection globally and in regard to specific national laws in countries around the world, through our 40 offices in the Americas, Europe, the Middle East and across Asia.

In the coming weeks, we will detail the privacy practices resident in various offices around the world.

 

 

Last week, selected partners from the global privacy and information management practice met in Geneva, Switzerland to discuss practice coordination and cooperation, and to focus on how we together can better serve our clients as a unified group.   (Regrettably, some of the partners scheduled to participate were grounded due to the Icelandic ash cloud including, notably, practice co-leader Marcy Wilder). Joining the discussion and pictured above are (from left to right)  Winston Maxwell (Paris), Quentin Archer (London), Steffan Schuppert (Munich), Gonzalo Gallego (Madrid), David Taylor (Paris), Marco Berliri (Rome), Wim Nauwelaerts (Brussels) and practice co-leader Christopher Wolf (Washington).

  

To provide an illustration of our global capabilities, tomorrow (20 May 2010) the firm will host a webinar entitled “Hogan Lovells Trans-Atlantic Discussion on the Privacy Challenges Facing Multi-National Corporations”. This will be the first webinar by the Privacy and Information Management Group at Hogan Lovells, featuring privacy lawyers on both sides of the Atlantic from the former Hogan & Hartson and Lovells. Quentin Archer (London), Steffan Schuppert (Munich), Wim Nauwelaerts (Brussels), Lynda Marshall (Washington), Marcy Wilder (Washington) and Christopher Wolf (Washington) will explore contemporary privacy law challenges facing companies doing business in multiple jurisdictions around the world, such as:

 

  • Cross-Border Transfers of Data Internationally
  • Managing Employees in Multiple Jurisdictions
  • Online Marketing Issues Around the World
  • Data Security and Data Breach Requirements
  • The Obligations Concerning Health Data Around the World
  • National Trends with International Ramifications

        

The panelists will explain how a coordinated international approach to privacy compliance is cost-effective and is an optimal way to limit risk and protect privacy.

 

Readers of the Hogan Lovells Chronicle of Data Protection are cordially invited to attend our webinar.  Please register by clicking here.

               

We are now Hogan Lovells! We Have Even Deeper Global Capabilities in Privacy and Information Management

 We are pleased to announce that Hogan & Hartson LLP and Lovells LLP have combined to form Hogan Lovells, effective May 1, 2010.

Our new firm now has about 2,500 lawyers in more than 40 offices throughout the United States, Europe, Asia, the Middle East, and Latin America. We are excited about the expanded global capabilities that Hogan Lovells can offer our clients, including a broader range of legal services in virtually all major international markets. Though we are a new firm, our fundamental values and our commitment to excellence remain unchanged.

We believe that this is a great combination that will benefit all our clients. In the Privacy and Information Management area especially, the combination gives us even greater breadth and depth.

The compliance challenges and business risks related to personal data are significant and growing. With advances in technology, personal information increasingly is collected, stored, used, and shared. At the same time, the regulation of data use and security is increasing worldwide.

Hogan Lovells has one of the largest and most experienced Privacy and Information Management practices in the world, spanning the United States, the EU, and Asia. The group assists clients with all of their compliance challenges, drafting policies and providing advice.

  • We are among the very few law firms that can help you achieve compliance both globally and in regard to specific national laws.
  • Our lawyers are conversant with local regulations, the laws affecting cross-border data transfers, and the laws regulating sectors that collect sensitive personal information, such as finance and health.
  • We represent clients in adversarial matters concerning the use of data, whether at the level of the EU data protection authorities, or before the U.S. Federal Trade Commission, Department of Health and Human Services, state attorneys general or in private party litigation.
  • We play an important role in the development of public policy regarding the future regulation of privacy.

Awards and Rankings

  • Recognized for our "deep and thorough understanding of the privacy issues surrounding the healthcare sector," Chambers Global: USA (2010)
  • Ranked in the first tier and awarded "plaudits for delivering an 'exceptional standard,'" Legal 500: Europe, Middle East & Africa (2010)
  • "Probably the most sophisticated clutch of privacy advisors in the country," Legal 500 US (2009)
  • "The Brussels team is lauded for its protection expertise," Chambers Global: Europe-wide (2009)

For more information about the new Hogan Lovells Privacy and Information practice, visit our web site.

 

Complimentary Webcast of a Presentation by Hogan & Hartson's Privacy Practice Lead Chris Wolf on New Directions in Enforcement and Policy at the FTC and the Impact on Businesses

The privacy and data security enforcement agenda at the Federal Trade Commission is evolving. Consent decrees are imposing stricter and more specific standards on business with respect to the collection, usage, storage, sharing and disposal of personal information. Recent changes in leadership at the FTC, and public statements from the FTC Chairman and the Director of the Bureau of Consumer Protection, suggest more aggressive privacy and data security enforcement in the coming years. And the entire paradigm of privacy protection, including its foundation of notice and choice, is under reexamination after a series of FTC Roundtables conducted in late 2009 and early 2010.

For businesses under the jurisdiction of the FTC, the impact of this evolving enforcement agenda is significant. Greater attention than ever must be paid to the issue of notice and choice, as well as to the physical, technical and administrative safeguards provided for personal information, to ensure that specific statutory standards enforced by the FTC are met and that the general consumer protection standard of Section 5 is also satisfied.

Historically, enforcement actions by the Commission under Section 5 of the FTC Act focused on businesses that failed to adhere to promises they made about privacy and data security. In many of these cases, the FTC determined that a business’s failure to adhere to its own policies and promises constituted an unfair business practice. In the middle of the last decade, however, the enforcement focus at the FTC began to change. Rather than concentrating enforcement activities exclusively on businesses that failed to adhere to their own promises, the Commission began to look more at whether a business’s actual privacy and data security practices were reasonable.

The many reports of data security breaches required under state laws gave the FTC several new enforcement targets – businesses whose lax data security led to breaches that had to be reported publicly. In these cases, unreasonably lax practices led to a complaint of unfairness under Section 5. Also noteworthy about this phase of FTC enforcement was that nearly all of these cases involved instances in which privacy and security failures resulted in substantial consumer harm. In recent years FTC enforcement has become more “granular,” in the sense that the FTC enforcement staff examines specific details of respondents’ privacy practices and information security measures when assessing “reasonableness.”

By clicking on this link, you will be taken to a 45-minute multimedia presentation on the new directions in enforcement at the FTC, with in-depth case analysis, including the recent Dave & Buster's consent decree involving the absence of filters for outgoing data to protect against the loss of personal data.

Hogan & Hartson Privacy Lawyers Featured in Chubb Online Innovation Event on Social Media Risk from April 26-29: You are invited to participate

Hogan & Hartson privacy attorneys, including Chris Wolf, will be participating in the Chubb Social Media Risk Innovation Event, hosted from April 26-29 by the Chubb Group of Insurance Companies and its technology partner, Imaginatik.  The event is an online, interactive session with risk managers, other business professionals, agents, and brokers in which participants will collectively identify risks and potential mitigation strategies regarding the use and potential misuse of social media.  Hogan & Hartson attorneys will be on hand throughout the event to facilitate the discussion and contribute expertise regarding legal risks businesses face from sanctioned and unsanctioned corporate and employee use of social media.

Demonstrating the power of social media, musician Dave Carroll posted a video seen by millions of people on YouTube chastising an airline he accused of breaking his guitar. View an invitation from Dave to Chubb's Social Media Risk Innovation Event.

You may self-register on-line at https://chubbsocialmedia.imaginatik.com. The first 500 people to register will receive a free download of "Perfect Blue," Dave's new album.

Once registered, you may participate in this online event either remotely via your PC, laptop, smartphone, (e.g., BlackBerry, iPhone, etc.) or at Chubb booth #1511 at the RIMS Conference in Boston, MA. We also welcome you to invite clients you believe would be interested in participating in this event by forwarding this email and its self-registration link.

Chubb will award prizes to participants who submit the most ideas and whose ideas generate the greatest amount of collaboration. The prizes include cash donations to charities, ranging from $500 to $2,000, in the names of the top three scoring participants.

Data Privacy Day 2010: Live Blogging from FTC Roundtable in Berkeley, CA

Today is "Data Privacy Day", which is being marked around the world, including here in Berkeley, CA at the FTC's "Exploring Privacy" Roundtable.  The purpose of this roundtable discussion, the second in a series of three, is to "explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation."  Today's discussion, like the one that took place at the first roundtable in Washington, is focusing on whether the traditional paradigm of Fair Information Practices -- and especially notice and choice -- suffices to allow consumers to understand and control what information is collected about them and used by others for marketing and other purposes.  Professor Paul Schwartz, on the cloud computing panel, just commented on how typically-complex privacy policies provide "TMI" (too much information) for a consumer to understand and act on.  And Harriet Pearson of IBM also commented on how simply providing a list of companies processing data in the clouds -- service providers -- would not be meaningful for consumers, a proposition with which Scott Shipman of eBay agreed.

On the issue of meaningful notice, see yesterday's New York Times article on the emergence of an eye-catching icon attached to online ads to attract consumer attention, on which they can click to get information about  what information is being collected about them to deliver targeted ads.  (Full disclosure: the Future of Privacy Forum, the think tank that I founded and co-chair, was instrumental in development of the icon.)

FTC Releases Details About December 7, January 28 Privacy Roundtables

On November 17, the Federal Trade Commission released the agenda of the first of three privacy round tables it will hold over the course of the next few months.  The first round table will occur on December 7 at the FTC Conference Center in Washington, DC, and will feature four panels entitled "Benefits and Risks of Collecting, Using, and Retaining Consumer Data," "Consumer Expectations and Disclosures," "Online Behavioral Advertising," and "Exploring Existing Regulatory Frameworks."

The FTC also announced that its second privacy round table will be held on January 28, 2010 at the University of California, Berkeley, School of Law.  The round table will focus on how technology affects consumer privacy, including its role in both raising privacy concerns and enhancing privacy protections, and will include specific discussions on cloud computing, mobile computing, and social networking.  The FTC has posed two questions for comment in advance of this round table:

  1. What role do privacy enhancing technologies play in addressing Internet-related privacy concerns?  Consider the efficacy of technological innovations in areas such as identity management systems, new means of providing consumer notice and choice, and emerging methods of ensuring accountability in data usage.  In framing comments, consider the costs and benefits of privacy-enhancing technologies in the following contexts:  cloud computing services; social networking sites; online behavioral advertising; the mobile environment; services that collect sensitive data, such as location-based information; and any other contexts you wish to address.  If privacy enhancing technologies do play a role in resolving privacy concerns, discuss whether and how to create incentives for the development and adoption of such technologies, and ways to ensure they are effective and useful to consumers.
  2. What challenges do innovations in the digital environment pose for consumer privacy, and how can those challenges be addressed without stifling innovation or otherwise undermining benefits to consumers?  For example, consider the technology and business practices that enable greater collection, use, and distribution of consumer data, including evolving methods of observation and tracking; techniques for correlating data, including the re-identification of anonymized data; the merging of data between on-line and off-line environments; and the emergence of third-party application developers in online platform environments.

The FTC currently is soliciting requests to participate as panelists in this second round table, as well as recommendations for topics for inclusion in the agenda, which are due by December 9.  Comments or additional research on the topics will be considered prior to the second round table if they are received by December 21.

Details have not yet been released for the third and final privacy round table, which is to be held on March 17, 2010 in Washington.

Privacy vs. Accountability Highlighted at Denver Symposium in Which Hogan Partner Participated

The University of Denver Law Review today presented a Symposium on "Cyber Civil Rights: New Challenges for Civil Rights and Civil Liberties in Our Networked Age."  Hogan & Hartson partner (and privacy group co-chair) Christopher Wolf delivered remarks on "Accountability for Online Hate Speech: What Are The Lessons From 'Unmasking' Laws?"

Chris observed that online anonymity and the privacy it shields can be used as a sword to injure the human dignity of others who are victimized by hate speech.  It also can be used to mislead and indoctrinate young people.

The Internet, in large part because of the shield of online anonymity, has become the medium through which hate groups plot and promote real-world violence, recruit and indoctrinate like-minded haters, mislead and distort information for those – like students – who innocently link to their content. There are, of course, notorious hate mongers who use their real identities and revel in the limelight.   But the vast majority of hate spewed online is done so anonymously. The Internet content of hate mongers – words, videos, music, and social network postings – serve to offend the human dignity of the intended victims, minorities and those who hate groups identify as “the other”.   

Chris went on to point out the problem of cyberbullying and hate-filled comments appended to mainstream news articles online.  After reviewing the legal regimes used to "unmask" online copyright infringers, those who commit defamation online and KKK members while marching in groups, Chris acknowledged the First Amendment limitations on legal regulation of anonymous speech online and proposed a self-regulatory regime by online companies to address hate speech online.  A copy of his full remarks can be found here.

 

Reflections on the International Conference of Data Protection and Privacy Commissioners in Madrid

As the 31st annual International Conference of Data Protection and Privacy Commissioners wraps up in Madrid, capped by the announcement that next year’s conference will occur in Jerusalem, to be hosted by the Israeli Information and Technology Authority, some reflections:

• Security vs. Privacy   There continues to be a tension between the need for security from terrorist and criminal attacks and the right to be free of excessive collection and retention of personal data by governments.  This was the focus of the remarks of the Spanish Minister of the Interior and the US Secretary of Homeland Security, and a panel of experts from around the world who concluded that there needs to be greater focus on the need for all of the information that is harvested from citizens.  The pre-conference session of The Public Voice organized by the Electronic Privacy Information Center resulted in a Madrid Declaration that warned that "privacy law and privacy institutions have failed to take full account of new surveillance practices."

• Corporate Accountability and New Privacy-Enhancing Technologies  Presentations by corporate representatives of Google, Microsoft, eBay, Yahoo!, Procter & Gamble, Accenture and others showed that corporate accountability for privacy (a concept advanced enthusiastically by our friend Marty Abrams of the Center for Information Policy Leadership) is guided not only by the need to be legally compliant but also by the recognition that in our information society, responsible data management will build consumer trust.  There was an impressive demonstration of various new technologies that provide greater transparency and more robust notice to individuals about the collection of data about them, and that give them greater control over the collection, use, transfer and retention of personal data.  For example, Google unveiled new privacy tools and Jules Polonetsky, my co-chair at the Future of Privacy Forum, illustrated the array of technologies available to protect the privacy of children.  The greater demonstration of such “self-regulation” through corporate accountability and the deployment of privacy-enhancing technology was recognized at the conference as an essential pillar of privacy protection. 

• US Law and Enforcement  In the panel on children’s privacy, John Avila of the Walt Disney Company gave a compelling overview of the breadth and depth of US legal protections for privacy, which include COPPA to protect kids, and which he pointed out focus on the areas of greatest privacy concern (such as financial and health privacy).  There were also presentations on the robust enforcement of US privacy laws by the FTC and other authorities, and the innovations in regulation that include, for example, data security breach notification laws which serve as a model for new regulation in Europe.  My conversations with various EU Data Protection Commissioners indicated a growing respect for the US scheme of data protection, in stark contrast to the official EU position that the US lacks adequate protections for personal data, a position that prohibits the cross-border transfer of data to the US absent special arrangements (such as Safe Harbor participation, model contracts or Binding Corporate Rules).

• Cloud Computing and the Smart Grid  There was a focus on the privacy issues implicated by new technologies such as the next generation of cloud computing and the Smart Grid.

• Cross-Border Harmonization of Regulation  Another important theme of the conference concerned cross-border harmonization of privacy regulation, even among countries in the EU that operate under the common principles of the EU Directive but whose laws often reflect differences in detail and application.  In that regard, the European Commission is in the process of soliciting views on the new challenges for personal data protection in order to maintain an effective and comprehensive legal framework to protect individuals’ personal data within the EU.

As with many such conferences, the value of the formal program was augmented by the opportunity of data protection regulators to meet informally with representatives of civil society, privacy advocates, privacy lawyers, and corporate privacy officials.  The interactions over lunch and dinner, and at the wonderful art galleries of Madrid (where tours were made part of the official agenda), allowed for the sharing of perspectives and ideas, and a recognition that no matter which sector is involved, those gathering in Madrid share the commitment to the protection of personal  privacy.

Next year in Jerusalem!
 

DHS Secretary Addresses Delegates in Madrid on Goal of US-EU Agreement on Data Sharing and Privacy

Today at the 31st International Conference of Data Protection and Privacy in Madrid, US Secretary of Homeland Security spoke to those of us in attendance about her goal of a US-EU binding agreement on data sharing and privacy.  See this account from former Hogan & Hartson partner Mary Ellen Callahan, now Chief Privacy Officer at DHS, who accompanied Secretary Napolitano to Europe.

Following the ceremonial opening of the conference and addresses from senior government officials from Spain and the US, the delegates got down to work on granular issues of privacy and data protection.  Look for more reports as the meeting progresses.

Live Blogging from Madrid Privacy Confabs: EU-Wide Data Breach Notification Requirement a Real Possibility

In advance of the global meeting of data protection authorities starting tomorrow in Madrid, the International Association of Privacy Professionals (IAPP) and the Electronic Privacy Information Center (EPIC) are hosting side events today at the conference hotel.

The biggest news so far, discussed at the IAPP event, is that the European Commission is seriously considering new data security breach notification laws. Previously, the Commission and the European Council had focused only on breaches at telecom companies and ISPs.

 

The Commission’s Information Society Commissioner, Viviane Reding,  now has said that new EU-wide legislation requiring all entities to notify individuals and authorities of breaches is seriously under consideration.

 

Thus, EU compliance officers are paying rapt attention to the discussion by the Americans here of how to comply with data security breach laws.

 

Live Blogging from Global Privacy Events in Madrid

Starting on Tuesday, November 3rd, Hogan & Hartson will be live blogging from international privacy events in Madrid.  Chris Wolf from the firm's Washington Office and Wim Nauwelaerts from the Brussels Office, both senior lawyers in the Privacy and Data Security Practice, will provide timely reports from side events leading to the 31st International Conference of Data Protection and Privacy Commissioners:

  • The civil society conference The Public Voice: Global Privacy Standards in a Global World, to be presented by the Electronic Privacy Information Center; and
  • The Data Protection and Privacy Workshop, to be presented by the International Association of Privacy Professionals.

Then, starting on Wednesday, November 4th, we will bring you reports from the "main event", which the host, the Spanish Data Protection Agency (AEPD), has described as "the largest forum dedicated to privacy in the world, which every year brings together the highest authorities and institutions guaranteeing data protection and privacy, as well as experts in the field from every continent."

Watch for our daily reports.

Complimentary Hogan & Hartson Webinar on Cloud Computing on October 6th at 11 AM EDT

Readers of our blog are cordially invited to a complimentary Hogan & Hartson webinar on the legal issues arising from Cloud Computing on Tuesday, October 6 from 11 AM - 12:30 PM EDT.  To request an invitation to the webinar, please e-mail:  jbhowe@hhlaw.com

Cloud computing allows businesses to use the remote computing power of others to handle data and data applications. For most businesses, it is not a question of whether but how to use cloud computing. Cloud computing — a unique form of outsourcing — can reduce costs, improve service delivery, and allow business innovation not feasible with proprietary servers and on-site software.

So the question is how a company can use the new services in ways that protect the company and its data. As with any transfer of valuable company information, there are legal issues and legal risks that must be addressed.

In this webinar, you will learn and have an opportunity to ask questions about these issues and more:

  • What exactly is cloud computing? What forms does it take?
  • What steps should a company take to protect its intellectual property, including trade secrets and confidential information, in the cloud?
  • Is data in the cloud safe from government view, and what can you do to protect it?
  • How should you address the privacy law issues implicated by cloud computing, especially in light of the international legal rules on the cross-border transfer of data?
  • What labor and employment law issues are implicated by sending data to the cloud?
  • How does a company deal with e-discovery when using cloud computing?
  • What data security safeguards should a company put in place before putting data in the cloud?
  • Whose responsibility is it if there is a data breach and how are the requirements of data security breach notification laws met?
  • What are the contracting issues with cloud computing and the best practices for getting a solid cloud computing contract?
  • How do companies and cloud service providers handle service level issues?

 

On-line and In the Mix



By Lynda Marshall, Chris Wolf, Marcy Wilder and Tracy Gray

Hello and welcome to the Hogan & Hartson Chronicle of Data Protection.   

We are delighted to introduce you to our privacy blog.  Our goal is to use this blog to bring you timely updates on a wide range of issues in the privacy arena, including the evolving role of privacy and data protection in health law and policy, security safeguards, international compliance and e-commerce.  The practical implications of changing privacy regulations affect us all, both as professionals and personally, and we hope this blog will serve as a key source of information for you in navigating this ever-changing field.

We also hope you will have the chance to catch some of Hogan & Hartson's privacy team at the IAPP Privacy Academy in Boston, September 16 - 18th.    H&H attorneys will be on the following panels:

  • Data Retention - the Monster in the Servers, September 17th at 2:15, featuring Chris Zaetta, Hogan & Hartson, and Andy Holleman, Chief Privacy Officer and Associate General Counsel, Qwest Communications
  • In to the Breach - Dealing with the Aftermath of a Data Breach, September 18th at 11 AM, featuring Christopher Wolf, Hogan & Hartson, Chris Cwalina, Vice President and Associate General Counsel, Intersections, Inc., and Carol DiBattiste, Senior Vice President, Privacy, Security, Compliance and Government Affairs, LexisNexis Group
  • Pie in the Sky - Looking at a Cloud Contract at Ground Level, September 18th at 11 AM, featuring Zenas Choi, Hogan & Hartson, and Geff Brown, Senior Attorney,  Law and Corporate Affairs, Microsoft Corporation

Thanks for joining us, and we look forward to being a helpful guide in the world of privacy.

FTC to Host Public Discussions on the Future of Privacy

The Federal Trade Commission has just announced that it will host a series of day-long public roundtable discussions on the East and West Coasts "to explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data."  The first roundtable discussion will occur on December 7th at the FTC Conference Center in Washington.

It has been widely reported that the FTC is examining new ways to think about privacy and these discussions will further that examination.

As the Commission explained the focus of the first roundtable:

Such [technology and business] practices [to be examined] include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation.

The initial questions the FTC has presented for comment at the first workshop are:

  1. What risks, concerns, and benefits arise from the collection, sharing, and use of consumer information?  For example, consider the risks and/or benefits of information practices in the following contexts: retail or other commercial environments involving a direct consumer-business relationship; data broker and other business-to-business environments involving no direct consumer relationship; platform environments involving information sharing with third party application developers; the mobile environment; social networking sites; behavioral advertising; cloud computing services; services that collect sensitive data, such as information about adolescents or children, financial or health information, or location data; and any other contexts you wish to address.
     
  2. Are there commonly understood or recognized consumer expectations about how information concerning consumers is collected and used? Do consumers have certain general expectations about the collection and use of their information when they browse the Internet, participate in social networking services, obtain products from retailers both online and offline, or use mobile communications devices? Is there empirical data that allows us reliably to measure any such consumer expectations?  How determinative should consumer expectations be in developing policies about privacy?
     
  3. Do the existing legal requirements and self-regulatory regimes in the United States today adequately protect consumer privacy interests? If not, what are the particular privacy interests that warrant increased protection? How have changes in technology, and in the way consumer data is collected, stored, and shared, affected consumer privacy? What are the costs, benefits, and feasibility of technological innovations, such as browser-based controls, that enable consumers to exercise control over information collection? How might increased privacy protections affect technological innovation?

The FTC has explained that individuals and organizations may submit requests to participate as panelists in the December discussion, and may recommend topics for inclusion on the agenda. The requests and recommendations have been directed to privacyroundtable@ftc.gov.  More details can be found here.