In Bloomberg BNA’s Privacy and Security Law Report, Hogan Lovells attorneys Des Hogan, Michelle Kisloff, and Christopher Wolf have published an article describing the higher-risk litigation and enforcement environment in which companies in the United States now operate. After analyzing recent class actions and regulatory developments, the article offers guidance on how companies can reduce their financial and reputational exposure.
James Denvil, an associate in our Washington office, contributed to the article.
A recent federal court opinion raises concerns that privacy cases alleging violations of a standard user license agreement may be susceptible to class certification.
Last week, the U.S. District Court for the Northern District of Illinois certified a class in a consumer privacy lawsuit against comScore, Inc. Plaintiffs allege that comScore exceeded the scope of the consent obtained from consumers who downloaded the company’s software. They allege that the software collects information beyond that disclosed in the company’s terms of service, and that the software collects confidential information about the users instead of filtering or later purging that information.
The European Union’s Article 29 Data Protection Working Party (“WP29”), which consists of the 27 data protection authorities of the EU Member States, has published the “Opinion 03/2013 on purpose limitation” (Working Paper WP203), adopted on 2 April 2013 (the “Opinion”). The WP29 analyzes and interprets the elements of this principle, and gives numerous examples with practical guidance for valid notices, consents, and further compatible uses.
Development of the new Cybersecurity Framework is now in full swing. President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity (which we previously covered) calls on NIST to lead the development of a Cybersecurity Framework that will provide “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risk.” Pursuant to the Executive Order, NIST must publish a preliminary version of the Framework by October 2013 and a final version by February 2014. This is a significant development in the United States because, once finalized, the Framework will likely become an authoritative benchmark against which the cybersecurity efforts of businesses across many sectors and industries will be measured.
The Executive Order requires NIST to engage in an “open public review and comment process” to develop the Framework. To that end, NIST has set up a series of workshops and requests for written comments to inform the Framework’s development. And NIST has established a website to host all materials related to its development of the Cybersecurity Framework. On April 3, NIST hosted the first such workshop to kick off the discussion. Reflecting the significance of the Framework’s development, the auditorium hosting the workshop was packed, with numerous additional attendees participating via webcast.
There have been a number of recent developments related to the European Commission’s (EC’s) proposed Data Protection Regulation. For example, last week, one parliamentary committee announced that its vote on the Regulation will have to be delayed because the committee has received thousands of proposed amendments; another parliamentary committee adopted an opinion generally endorsing the Regulation; and the French Minister of Justice stated that France “actively supports” the data protection reform.
The European Union’s Article 29 Data Protection Working Party (“WP29”), which consists of the 27 data protection authorities of the European Union Member States, has published its “Opinion on Apps in Smart Devices”, adopted on 27 February 2013 (the “Opinion”).
Applicability of EU laws
According to WP29, the 1995 Data Protection Directive applies to all mobile applications (“apps”) available to European users regardless of where the application developer is located. The WP29’s view is that because the mobile devices in which the apps reside are “instrumental in the processing of personal data from and about the user,” the devices become “processing equipment” triggering the application of EU data protection law. This is so even where the data controller directing the processing (generally the app developer) is not established in the EU. WP29 notes that the so-called “cookie consent provisions” of the 2002 ePrivacy Directive (the “Cookie Rule”) also apply to apps downloaded by European users: users’ consent must be obtained prior to installing or accessing any information stored on their devices. In sum, EU law applies to any app downloaded by a European user.
On March 8th, the United States Court of Appeals for the Ninth Circuit, sitting en banc, held in United States v. Cotterman (PDF) that the Fourth Amendment requires border agents to have at least a reasonable suspicion of criminal activity before they may conduct a forensic examination of a person’s electronic device. Hogan Lovells lawyers briefed and Hogan Lovells partner Chris Handman argued as amicus on behalf of the Constitution Project, a bipartisan, not-for-profit organization that promotes consensus-based solutions to the significant constitutional questions facing Americans in the 21st century.
In this case, border agents seized a laptop that was presented for inspection at the United States-Mexico border by a U.S. citizen seeking reentry into the country. The laptop was held for two days, transported over 170 miles to a secondary search facility, and subjected to forensic examination. Only then was illegal material located on the computer.
Hogan Lovells today announced the formation of the Coalition for Privacy and Free Trade. The formation of the new coalition follows the announcement by President Obama that the United States and the European Union soon will commence negotiations for a Transatlantic Free Trade Agreement (formally, the Transatlantic Trade and Investment Partnership (TTIP)), and Japan’s announcement of its intention to join the ongoing Trans Pacific Partnership (TPP) negotiations.
The objectives of the Coalition are to address the issue of non-tariff trade barriers that result from disparate privacy/data protection law frameworks around the world, and to promote interoperability and international comity between differing national frameworks. Membership is open to businesses committed to digital free trade and to the protection of personal privacy.
Recognizing the changes enabled by mobile devices and social technologies, the Federal Trade Commission has published the first update in over twelve years of its guidelines for online advertising.
The new guide, .com Disclosures: How to Make Effective Disclosures in Digital Advertising, parallels the 2000 original, Dot Com Disclosures: Information About Online Advertising, and uses much of the same language and approach. But there are differences, of course; and some ambiguity remains regarding what constitutes appropriate disclosure in some key circumstances.
For example, the guide states that disclosures must be clear and conspicuous on all devices and platforms on which the associated ads are disseminated. Little specific guidance is offered, however, regarding how far advertisers must go to ensure whether disclosures remain clear and conspicuous when devices, platforms, operating systems, apps, and software packages are updated or used in novel ways. For example, are advertisers responsible when a disclosure appropriate for a television broadcast is streamed to a small mobile device with inadequate screen resolution?
Advertisers, the guide suggests, should also use best practices to reduce the likelihood that disclosures will be deleted when space-constrained ads (e.g., commercial Tweets) are republished. Again, little guidance is offered as to how advertisers should do this or what forms of republication advertisers should consider. Advertisers may wonder how to approach screenshots posted on blogs, videos posted on sharing sites, links posted on social media platforms, and other increasingly common scenarios.
The Commission’s Business Center blog posted some key points that businesses should take from the report:
Chambers Global has just been released, and we are pleased to report that the Hogan Lovells privacy and data protection practice has been ranked in the exclusive top tier of only five firms in the world. This recognition is gratifying, and we appreciate the recognition from our clients and the profession of Hogan Lovells’ teamwork, responsiveness, and work product. We also congratulate our colleagues at the other ranked firms. Together, we have made a once-obscure practice area a critical service for organizations, for whom data and proper handling of data are essential.
Here is an excerpt from the Chambers Global guide:
This team enters the top band this year having earned widespread praise for the calibre of its global practitioners. Sources are also struck by the team’s continued international expansion. The group acts on issues including multi-jurisdictional outsourcing, data transfers, data collection and internal compliance. It also advises major multinationals on international crisis incidents and related notification obligations.