Google's Peter Fleischer: "A lot more privacy enforcement actions in 2012. And the sanctions are going to go through the roof."

Federal Trade Commissioner Julie Brill frequently has commented that when it comes to privacy enforcement, more "cops on the beat" is better.  In today's guest blog, reprinted with permission from the blog of Google's Global Privacy Counsel Peter Fleischer, the spectre of multiple privacy enforcement authorities with substantial fining authority is raised:

When Apollo wanted to stop Laokoon from warning the Trojans that there were Greek soldiers in the famous Trojan Horse, he sent two giant snakes to kill Laokoon and his sons. Talk about sanctions! Have we considered using killer snakes to punish data protection violations and to discourage future bad practices?

Since 2012 has now begun, here's a prediction about the future: there are going to be a lot more privacy enforcement actions. By a lot of different government authorities, not just DPAs. And the sanctions/damages are going to go through the roof. Indeed, it's not easy to keep track of which government officials are in charge of data protection enforcement actions. There are a lot of them.

We all think of Data Protection Authorities, and similar bodies, like the Federal Trade Commission, as responsible for enforcing privacy laws. These bodies around the world have vastly different enforcement powers, investigative cultures, and sanctions traditions, even within Europe. Some, like the Spanish DPA, impose a lot of large fines. Others, like the French CNIL, imposed only 5 financial sanctions in an entire year. The largest fine the CNIL has issued in its entire history was 100,000 euros.

And yet others, like the Belgian DPA, don't have the legal power to impose fines at all. Other DPAs hardly ever use sanctions at all, in the classic sense, other than press releases and "name and shame" tactics. Moreover, in recent years, the US Federal Trade Commission has been moving in a different direction, namely negotiating consent decrees that are forward-looking, 20-year commitments for particular companies to abide by certain privacy standards and be subject to regular audits.

But if the plethora of DPAs and their varied enforcement practices were not divergent enough, privacy enforcement is by no means limited to these specialist regulators. In the US, the individual State Attorneys General regularly bring privacy actions. There's also an entire industry of US privacy-based class actions which has sprung up in the last few years.

Moreover, in many countries, privacy laws have been inscribed into the penal codes. Consequently, any criminal prosecutor can bring such privacy penal actions. For example, my prosecution and conviction in Italy for a "privacy violation" was brought by a Milanese public prosecutor and imposed by a criminal judge.

In the future, the number of authorities who can bring privacy enforcement actions is likely to increase. First, more and more countries are creating data protection authorities, e.g., roughly a dozen new ones have been created across Latin America and Asia in the last year.

And in Europe, where class actions generally don't exist and don't fit into the existing legal framework, there are now serious proposals to create mechanisms for "collective redress" of privacy claims. And of course, there have always been the normal judicial channels, where anyone can bring privacy claims against someone else if they feel their privacy has been violated. The number of such cases is also exploding around the world, especially as more and more data about people is collected, exchanged and published.

I regularly hear people claim that there's not enough legal enforcement of privacy. In some places, as a matter of practice, that may well be true. But there is no shortage of overlapping authorities with the power to bring or adjudicate privacy claims. Curiously, in privacy circles, most of the focus is on the enforcement actions of the DPAs. But in practice, the DPAs are just one of many different authorities who can and do bring privacy enforcement actions. And the trend is clearly going up, both in terms of the numbers of laws that can be violated, in terms of the severity of sanctions, in terms of the numbers of complaints that are brought, and in terms of the breadth of authorities who are involved in enforcing privacy.

The European Commission has proposed instituting new fines for data protection breaches ranging up to 5% of global turnover! To a global company, that's probably scarier than killer snakes.


Reflections from Brussels on the Mexico City DPA Conference

This entry comes from Elisabethann Wright, a Partner in our Brussels Office, who presented at the 33rd International Congress of Data Protection and Privacy Commissioners in Mexico City last week. Elisabethann focuses on EU law relating to life sciences, with particular emphasis on pharmaceutical law, medical devices, food law, and the environment. In Mexico, she drew upon her experience assisting clients in clinical trial agreements, adverse event reporting, product withdrawals and challenges to national authority and EU Institution decisions concerning classification and marketing of medicinal products and medical devices.

At the Mexico City gathering of international Data Commissioners, officials from a number of EU Member States expressed disappointment at the low levels of compliance with their data privacy obligations demonstrated by data controllers in their territory. One Data Commissioner estimated that a depressing 95% of data controllers failed to comply with their obligations.

One consequence of this failure is an apparent change in approach by Data Commissioners. While Commissioners and their officials previously have sought to advise and support data controllers in understanding and fulfilling their role and obligations, the future approach, influenced at least in part by the ambivalence displayed by data controllers, will focus on compliance. Several Commissioners expressed an intention to make enforcement of obligations their priority in the future.

The possibility of a single approach to the protection and use of data generated in relation to clinical trials was the subject of my panel during the Congress. Similarities of approach evidently exist between territories in relation to some aspects of data privacy in clinical trials. This includes the nature and content of patient informed consent forms. However, the suitability of basing secondary investigation on initial informed consent varies widely, as do the restrictions imposed on transfer of clinical data from one territory to another. The possibility that a single acceptable approach to these issues could be found was discussed. However, the general consensus was that, at least from a legislative perspective, a single approach is unlikely to evolve in the near future.

Among the snippets of information demonstrating the evolution of official approaches to data collection that I gathered from the Congress was the fact that, when Neil Armstrong brought back soil and rock samples from the moon in 1969, he was required to complete an import form to bring them on to US territory. "One large step for mankind but still subject to regulation." Future uses of data to benefit mankind likely will be met with similar regulation, and as it appears from the comments of regulators meeting in Mexico, disregard and non-compliance will increasingly be met with enforcement.

FCC Proposes $2.96 Million Forfeiture for TCPA Violations

The Federal Communications Commission (FCC) has released a Notice of Apparent Liability for Forfeiture (NAL) against Travel Club Marketing, Inc. (Travel Club) in the amount of $2.96 Million for apparent violations of the Telephone Consumer Protection Act (TCPA) and related FCC rules regarding the delivery of prerecorded messages, as well as its Caller ID rules.  This enforcement action serves as a reminder to companies placing autodialed calls or delivering prerecorded messages to ensure that such calls and messages comply with the TCPA and the FCC's rules.

In the NAL, the FCC found that Travel Club had apparently violated the TCPA and the FCC’s TCPA rules by delivering 144 unsolicited, prerecorded messages to 113 cellular telephone numbers.  Under the TCPA and the FCC’s implementing rules, the delivery of prerecorded messages to wireless telephone numbers is prohibited (absent an emergency) unless the caller has obtained “prior express consent” from the called party.  The FCC also found that Travel Club apparently violated the TCPA and related FCC rules by delivering 41 unsolicited, prerecorded advertising messages to the residential telephone lines (e.g., landlines) of 29 consumers.  The calls did not qualify for any of the exemptions to the TCPA restriction against the delivery of prerecorded calls to residential telephone lines.  

In addition, the FCC found in the NAL that Travel Club apparently violated section 64.1601(e) of the FCC’s rules, which requires that telemarketers transmit certain Caller ID information, including information that enables consumers to make do-not-call requests during regular business hours.

The FCC imposed the maximum penalty of $16,000 per call for each of Travel Club’s 185 apparent violations, for a total proposed forfeiture of $2,960,000.  Although the FCC has previously considered $4,500 per message to be an appropriate base amount for delivering an unsolicited, prerecorded message, it noted that it was imposing the maximum penalty because of the number of Travel Club’s “apparent willful, repeated violations” and its “apparent deceptive and evasive conduct.” 

Again, companies should ensure that their calling practices comply with the TCPA and the FCC’s rules, as well as FTC and state requirements.  Otherwise, they risk not only class action litigation, but also potential regulatory enforcement fines that are imposed on a per-call basis.

Update on Mexico's New Privacy Law: No Immediate Enforcement, But Companies Expected to Appoint Privacy Officer and Have Written Policies


Hogan Lovells has organized two programs over the past year to discuss developments in "NAFTA privacy" (privacy laws in Canada, the US and Mexico).  The most recent program was a panel at the IAPP Global Privacy Summit moderated by Hogan Lovells Privacy and Information Management Practice Director Chris Wolf, along with the Chief Privacy Leader at General Electric Nuala O'Connor Kelly.  Participating were FTC Commissioner Julie Brill, Ontario Privacy Commissioner Ann Cavoukian and Deputy Commissioner Ken Anderson, and Mexico's Privacy (IFAI) President Commissioner Jacqueline Peschard Mariscal. 

Courtesy of BNA, here is a report on the update provided by Mexico's Privacy (IFAI) President Commissioner Peschard Mariscal:

Data Protection

Mexico Will Not Rush to Compliance Review, Enforcement of New Law, DPA Chief Assures

Mexico's data protection authority will not rush to carry out compliance inspections or take enforcement actions when rules implementing the country's new data protection law begin taking effect in July, the head of the DPA, the Instituto Federal de Acceso a la Información Pública (IFAI), said March 10 at a conference.

As soon as the final rules are published in July, the government expects businesses and other covered entities to begin following the basic requirements that they appoint an individual to be in charge of data protection and establish written data security and privacy policies, IFAI President Commissioner Jacqueline Peschard Mariscal said.

But the government will not immediately begin verification activity, she said. Instead, the IFAI will focus on training and education of covered entities in the requirements of the rules, Mariscal said at a session of the International Association of Privacy Professionals Global Privacy Summit.

Mexico's Federal Law Protecting Personal Data in Private Possession regulates for the first time on a federal level how businesses and individuals handle personal data. It technically took effect July 6, 2010 (9 PVLR 1016, 7/12/10), but the implementing rules are not expected before this July, according to the IFAI (10 PVLR 368, 3/7/11).

Enforcement of the new law is slated to begin in January 2012, Mariscal confirmed at the conference panel entitled "Privacy: What You Need to Consider When Doing Business in North America."

Sufficient DPA Funding for Enforcement?

The Public Information Institute of the Federal District (InfoDF), the Mexico City agency that handles transparency and data protection for the city, warned in July 2010 that the IFAI needed a larger budget for the new data protection law to function properly (9 PVLR 1016, 7/12/10).

Panel moderator Christopher Wolf, director of Hogan Lovells LLP's privacy and information management practice in Washington, asked Mariscal if the IFAI has sufficient funding and enforcement staff to carry out its data protection duties.

"The office has received the necessary budget to carry out its mission," Mariscal responded.

Mexico has a federal system of government with both a national government and regional government in the 31 states and the federal district in Mexico City, she said. But unlike the Canadian model, in which the provinces may pass laws to supplant the federal Personal Information Protection and Electronic Documents Act (PIPEDA) for all or some categories of data (see related report in this issue), the Mexico federal law will remain the primary law in the country. In that scenario, funding the national IFAI is built into the law, she said.

Preventative Approach Is Goal

Nevertheless, "our aim is to have a preventative approach," in part to control costs, by using approaches such as privacy-by-design, rather than focus on adverse enforcement actions, Mariscal said.

Fellow panelists Ann Cavoukian and Ken Anderson, respectively the privacy commissioner and assistant privacy commissioner for the Canadian Province of Ontario, applauded Mexico's focus on privacy-by-design, a method that works to protect privacy at the front end of the design and implementation process for new information systems and technology rather than through after-the-fact enforcement.

Cavoukian has been a leader in developing privacy-by-design and sees it as a tool that every data protection authority should employ (see related report in this issue).

Mariscal also noted that under the new law, there are opportunities for covered entities to work toward a resolution of privacy concerns raised by the IFAI before the filing of any formal enforcement action through an administrative appeal process.

The law authorizes fines of up to 16 million pesos ($1.3 million) for companies misusing personal data, and provides for doubling the fines to about 32 million pesos ($2.6 million) when the personal data is deemed sensitive.

But Mariscal reminded the audience that implementing privacy law in Mexico will require a "cultural shift for a people that are not used to protecting personal data." In that environment, taking a preventative, educational approach is necessary before taking the next steps to implement stricter, more specific sectoral protection rules, and take enforcement action, she said.

Commissioner Julie Brill of the U.S. Federal Trade Commission agreed that educating and working with businesses towards privacy solutions is normally preferable to simply setting rules and then engaging in strict enforcement.

By Donald G. Aplin


Full text (in Spanish) of Mexico's Federal Law Protecting Personal Data in Private Possession

Reproduced with permission from Privacy & Security Law Report, 10 PVLR 455 (Mar. 21, 2011).

Copyright 2011 by The Bureau of National Affairs, Inc. (800-372-1033)

FTC Announces Proposed Google Buzz Settlement: First Time FTC Requires Comprehensive Privacy Program

The Federal Trade Commission (“FTC”) today announced a proposed settlement with Google relating to charges that Google used deceptive practices and violated its own privacy policies when Google launched its social network "Google Buzz". The vote of the Commission to accept the settlement was 5-0.

For the first time ever, the FTC is requiring a "Comprehensive Privacy Program" and affirmative consent to any new or additional uses of previously collected data.

In February 2010, Google rolled out Google Buzz, which was a social networking program integrated with many of Google’s services, including Gmail. In its complaint against Google, the FTC alleged that Google violated both Section 5 of the FTC Act and the substantive privacy requirements of the U.S.-EU Safe Harbor Framework. The proposed consent order would impose significant requirements on Google privacy practices for the next twenty years, including a requirement that Google implement a comprehensive privacy program and undergo regular, independent privacy audits.

Section 5 Violations

In its complaint, the FTC alleges that Google users were not given adequate notice that information that was previously private would be shared publicly through Buzz. The choices presented to users were “Sweet! Check out Buzz” or “Nah, go to my Inbox.” 

According to the FTC, the Google process did not give users a full picture of the information sharing that was done through Google Buzz, which included the public display of lists of people a user chatted or emailed with most often. This automatic generation of lists of “followers” led to the generation of lists for certain users that included: “individuals against whom [a user] had obtained [a] restraining [order]; abusive ex-husbands; clients of mental health professionals; clients of attorneys; children; and recruiters [the user] had emailed regarding job leads.” 

The FTC also noted that even if a user clicked “Nah, go to my inbox,” he might still be enrolled in certain Buzz features. The FTC also alleges that privacy controls for Google Buzz were complicated and difficult to locate, making it hard for users to control privacy settings or to turn off the Buzz service. According to the FTC, these representations gave some users a mistaken belief that they had opted out of or exercised control over Buzz functionality. This failure to adequately disclose exactly how Buzz worked and what a user must do to avoid having his data shared amounted to a deceptive act or practice in the eyes of the FTC.

The FTC based its Section 5 allegations of deceptive acts or practices on the fact that Google’s actions when it launched Buzz violated terms in its own privacy policies. At the time Buzz was launched, Google’s Gmail privacy policy made the following representation:

"Gmail stores, processes and maintains your messages, contact lists and other data related to your account in order to provide the service to you."

In addition, the following representation was included in Google’s privacy policy that applies to all of Google’s products:

"When you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use."

The FTC alleges that Google did not use information received from users who signed up for Gmail only for the purpose of providing the user with Gmail service, but rather Google used this information to populate Google Buzz. Additionally, the FTC alleges that Google did not seek user consent before using information provided by Gmail users for Google Buzz.

U.S.-EU Safe Harbor Framework Violations

Since 2005, Google has maintained self-certification with the Department of Commerce under the U.S.-EU Safe Harbor Framework (“Safe Harbor”). The Safe Harbor is a voluntary framework that allows a U.S. company to transfer E.U. data lawfully to the U.S. in compliance with the E.U. Data Directive’s adequacy standard, which requires EU Member States to have laws that prohibit transfers of data to countries outside of the EU unless the European Commission has made a determination that a country’s laws ensure adequate data protection. In order to join the Safe Harbor, Google certified that it complied with seven principles that have been deemed to meet the EU’s adequacy standard. 

The FTC alleges that Google’s actions when launching Buzz did not adhere to certain Safe Harbor principles, including the notice and choice principles. The notice principle requires a company to inform individuals about the purposes for which it collects and uses personal information. The choice principle requires that a company must allow individuals to exercise certain choices about the way their data is used. The FTC claims that Google did not give Gmail users notice or choice about data that was collected by Gmail and subsequently used for Google Buzz. Notably, this is the first time the FTC has alleged violations of the privacy requirement imposed by self-certification to the U.S.-EU Safe Harbor Framework.

Terms of Proposed Settlement

The FTC released a consent order, which outlines the terms of the settlement between the FTC and Google. The proposed settlement bars Google from making any misrepresentations relating to: (i) Google’s collection and use of user data; (ii) the extent to which Google users can exercise control over the collection, use, or disclosure of data; and (iii) the extent to which Google is in compliance with the U.S.-EU Safe Harbor Framework or other government-sponsored compliance programs. 

The proposed consent order also requires Google to clearly and prominently disclose any “new or additional” data sharing with third parties of personal information that Google has previously collected across all of Google’s products and services. 

This disclosure is not limited to just “material” new or additional data sharing and must include the identity of the third parties and the purpose for Google’s sharing the data. Google must also obtain affirmative consent from Google users before sharing this information.

Google is also required to establish and maintain a comprehensive privacy program. This is the first time the FTC has required a company to implement a comprehensive privacy program. This privacy program must be documented in writing and be reasonably designed to address privacy risks and protect the privacy and confidentiality of user data. According to the FTC’s analysis of the consent order, the order requires Google to:

  • designate an employee or employees to coordinate and be responsible for the privacy program;
  • identify reasonably-foreseeable, material risks, both internal and external, that could result in the unauthorized collection, use, or disclosure of covered information and assess the sufficiency of any safeguards in place to control these risks;
  • design and implement reasonable privacy controls and procedures to control the risks identified through the privacy risk assessment and regularly test or monitor the effectiveness of the safeguards’ key controls and procedures;
  • develop and use reasonable steps to select and retain service providers capable of appropriately protecting the privacy of covered information they receive from respondent, and require service providers by contract to implement and maintain appropriate privacy protections; and
  • evaluate and adjust its privacy program in light of the results of the testing and monitoring, any material changes to its operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on the effectiveness of its privacy program.

Within 180 days, and every two years thereafter for the next twenty years, Google must obtain a privacy assessment and report from a “qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession.” Further, Google will be subject to certain compliance and reporting requirements, allowing the FTC to inspect copies of various documents for various time periods, including:

  • “widely disseminated [privacy] statements” for three years;
  • consumer complaints alleging unauthorized collection, use, or disclosure of personal information for six years;
  • documents that “contradict, qualify, or call into question Google’s compliance with the consent order” for five years; and
  • materials relied on to prepare the privacy assessment discussed above for three years.

The consent order would apply for twenty years, subject to extension if Google is found to be in violation of the order.

Concurring Statement of Commissioner J. Thomas Rosch

Commissioner Rosch accepted the proposed consent agreement; however, he wrote a separate concurring statement to indicate that he has concerns about the provision that requires Google to notify users and obtain affirmative consent before any new or additional uses of previously collected data. Commissioner Rosch points out that Google’s privacy policy did not indicate that it would obtain opt-in consent from consumers. He fears that this requirement goes beyond what Google has promised consumers in its privacy policy and that this requirement may be contrary to the public interest. He explains:

"In short, on the face of it, Part II seems to be contrary to Google’s self-interest. I therefore ask myself if Google willingly agreed to it, and if so, why it did so. Surely it did not do so simply to save itself litigation expense. But did it do so because it was being challenged by other government agencies and it wanted to “get the Commission off its back”? Or did it do so in hopes that Part II would be used as leverage in future government challenges to the practices of its competitors? In my judgment, neither of the latter explanations is consistent with the public interest."

Google Response to Proposed Settlement

Alma Whitten, Google’s Director of Privacy, Product & Engineering, released a statement on the Official Google Blog. Whitten wrote:

"[W]e don’t always get everything right. The launch of Google Buzz fell short of our usual standards for transparency and user control—letting our users and Google down. While we worked quickly to make improvements, regulators—including the U.S. Federal Trade Commission—unsurprisingly wanted more detail about what went wrong and how we could prevent it from happening again. Today, we’ve reached an agreement with the FTC to address their concerns. We’ll receive an independent review of our privacy procedures once every two years, and we’ll ask users to give us affirmative consent before we change how we share their personal information.

We’d like to apologize again for the mistakes we made with Buzz. While today’s announcement thankfully put this incident behind us, we are 100 percent focused on ensuring that our new privacy procedures effectively protect the interests of all our users going forward."

Comments on Consent Order

A description of the consent agreement will be published by FTC in the Federal Register. The agreement is open for public comment for thirty days – through May 1, 2011. After the comment period, the FTC will decide whether to make the proposed order final. 


Vladeck Presents Vision for Future Privacy Protection at IAPP Academy

David Vladeck, Director of the Bureau of Consumer Protection at the Federal Trade Commission, today spoke at the IAPP Privacy Academy in Baltimore, and offered the FTC vision for future privacy protection. Here are some highlights:

  • FTC will continue to bring cases to ensure that companies reasonably ensure safeguards for consumer privacy
  • FTC will bring more cases involving pure privacy protections, in addition to data security cases, building on the Sears case.  "You can expect more cases like that in the future."  (This suggests a greater focus on how notice and choice is given and the degree to which privacy options are implemented, such as in the recent US Search enforcement).  "Consumer choice must control."
  • We will be focusing our efforts on new technologies, such as our enforcement in the Twitter case.   FTC has hired new technologists and has created a mobile lab to address smart phones and mobile apps.
  • There will be increased international cooperation on privacy, as evidenced by the Global Privacy Enforcement Network (GPEN) announced last week.  Recent cooperation brought down the latest spam operation in the world, resulting in a 25% drop in spam worldwide.

Vladeck also spoke on the formulation of new privacy policy following the FTC Roundtables.

  • Past approaches to consumer privacy have not kept pace with technology.  (1) Notice and choice is a failed paradigm as implemented.  The problem is exacerbated by mobile devices, where one has to scroll down through hundreds of screens to read a privacy policy; (2) Focusing on harms is not the best way to address privacy violations.
  • The Roundtables demonstrated that (1) Data persists longer than people expect; (2)  The difference between PII and non-PII is blurring; (3)  Consumers understand very little about how their information is used and shared; (4)  Often, consumers do not interact with or have direct contact with companies that handle their information; (5) Technology can provide important privacy solutions.
  • When is the Report coming out?  "This Fall"
  • What will the Report say?  "This is impossible to answer as Commissioners are still to review and will provide input."  But here are the big picture issues in the report:  (1)  Importance of Privacy by Design -- thinking about good data hygiene from the very beginning; (2) Increased transparency is needed about data practices -- we need better privacy notices, in more consistent, shorter formats; (3)  We need to simplify consumer choice -- especially regarding uses of data they would not expect.  Privacy choices should be presented at the point when the consumer is providing the data.  And more consistent policies that allow comparison may allow competition on privacy practices.  We need more protection for sensitive information.  Consumer choice once exercised must be respected.  "The FTC will not tolerate a technology arms race to circumvent privacy protecting technology."  (4)  On the thorny problem of access, companies collecting and aggregating data used for purposes beyond consumer expectation is a problem.  There is no easy solution to the access question, and the FTC will consider the cost of access to the data broker industry.  (5)  There should be better consumer education about how tracking on the Internet works and what their choices on privacy are.
  • The Report will be issued in DRAFT with opportunity for public comment.  Even when finalized, the Report will not be the end of the debate but "the beginning of the next phase of the debate on privacy."  One key component must be flexibility and adaptability.
  • "Do Not Track" is not off the table, and will be considered, despite its complexity.
  • On the issue of regulation vs. self-regulation:  The Commission has always supported self-regulation, but the Commission has also supported privacy laws like the telemarketing law.  With respect to privacy and online advertising, "I am disappointed in the progress of self-regulation.  Ad disclosures and icons are all good ideas, but implementation is very much a work in process."  The Commission and the public may lose their patience with self-regulation if there is not better progress.
  • On the Boucher and Rush legislative proposals, I am concerned that the bills place too much reliance on already overburdened privacy policies.   Also, it is premature to conclude that existing private initiatives are sufficiently robust to provide safe harbors.
  • On data security, legislation that requires reasonable security and notice of breaches creating a reasonable risk of harm will provide sorely needed broad based protections at the federal level.  For the first time, the FTC would have the general right to obtain a civil penalty, which is important.  We see too many companies ignoring well-known vulnerabilities that are easily plugged.  Penalties would help convince those companies to comply.
  • My vision for consumer privacy in 2011 and beyond:  In my privacy utopia, companies are building in privacy from the start; consumers have access to information about privacy; the FTC continues its enforcement regime, with the help of consumer watchdog organizations.  The time for companies using trial and error to protect privacy should come to an end.


FTC Settles Safe Harbor Enforcement Actions with Six Companies

In its first wave of Safe Harbor enforcement actions, the Federal Trade Commission announced settlements on October 6th with 6 companies over misrepresentations that they are current with their Safe Harbor certifications.  In each case, the company had self-certified its compliance with the Safe Harbor Program through the Department of Commerce, but did not keep its annual certification current, while still representing that it was a valid member of the Safe Harbor Program.

The FTC brought the enforcement actions under its Section 5 authority, alleging that the companies’ misrepresentations are deceptive.  The scope of the FTC’s actions is limited to the companies’ lapsed certification and did not address whether the companies were compliant with the substantive requirements of the Safe Harbor Program.

The proposed settlement agreements, open for public comment until November 5th, prohibit each company from misrepresenting the extent to which it participates in any privacy, security, or other compliance program sponsored by the government or any other third party.  In addition, the proposed terms require each company to comply with reporting and compliance obligations, including the retention of documents relating to its compliance with the order for 5 years and initial compliance reports to the FTC.


The key take-away from these actions is that the FTC is going to be more pro-active in its scrutiny of members of the Safe Harbor Program.  We anticipate more enforcement actions under Section 5 based on misrepresentations about compliance with Safe Harbor obligations, and likely further actions against companies with lapsed certifications.


The FTC complaints, proposed settlements and related documents are available at http://ftc.gov/opa/2009/10/safeharbor.shtm.

Hogan & Hartson Prepares Guidance on Business Compliance with FTC Identity Theft Red Flags Rule

Businesses may be facing their last chance to comply with the FTC identity theft Red Flags Rule, as the compliance deadline was extended over the summer to November 1, 2009. On July 29, 2009, the Federal Trade Commission (“FTC”) announced that it will delay enforcement of its identity theft “Red Flags Rule” until November 1, 2009. This is the third time the FTC has delayed the enforcement date of the Red Flags Rule, and each time the rationale has been largely the same – concern that some companies were “uncertain” or “not aware” that they were subject to the Rule (the prior delayed enforcement dates were May 1, 2009 and August 1, 2009). The latest announcement was accompanied by further FTC commitments to educate businesses about compliance with the Red Flags Rule. Given the confusion surrounding the Rule and its broad scope, companies that have not yet done so should carefully assess whether the Red Flags Rule applies to them and, if so, develop an appropriate program.  Hogan & Hartson's guidance on this latest Red Flags development is attached here.