IAPP Europe Data Protection Congress, Paris - Day 2 - Summary of Peter Hustinx' keynote address

On the second day of the IAPP Europe Data Protection Congress held in Paris, France, the keynote speech was given by Peter Hustinx, the European Data Protection Supervisor.

In his address, Mr. Hustinx offered an opinion on where he thinks the revision of the European data protection framework is headed. Basing his remarks on a Stanford Law review article, "Privacy in the books and privacy on the ground," he advocated the revision of the European data protection framework which would provide innovative and efficient means to deliver privacy on the ground, by empowering data subjects and data protection authorities, as well as providing greater legal certainty for data controllers.

For the European Data Protection Supervisor, increased continuity of principles is to be expected from the revised framework, but it is thought that it will aim for innovation in the implementation of practices. This will, in all likelihood, lead to stronger roles for data controllers, data subjects and data protection authorities.

What it will mean for controllers, he continued, is that there will be a boost in responsibility as a result of the accountability principle. This new principle will certainly require the creation of internal roles, the implementation of internal procedures and independent audits, and the publication of those results. In this respect, Mr. Hustinx believes that privacy by design will be a feature of the new legislation and that general data breach notifications will form part of the project.

On the other hand, he stated that it seems logical and appropriate for there to be a "loosening" of the ex-ante controls by authorities.

On the data subjects' side, we should be expecting greater empowerment in the exercise of rights already granted and potentially the granting of "a few more rights."

For the authorities, he believes that the new framework should result in more effective supervision through uniform standards on independence and enforcement powers and topic selections. In this respect, the Article 29 Working Party (expect a name change!) will play a crucial role, providing greater transparency in its analyses.

Finally, he emphasised the importance of global cooperation and convergence in privacy standards and enforcement practices.

Answering questions from the audience, the EDPS stressed that Privacy by Design would be happening and that data controllers should not ask themselves "What should I do?" but rather "do it and prove what [they] have done!". However, the concept of Privacy by Design will not be defined specifically or in any detail in the new legislation.

He also addressed questions regarding the role of data protection officers which he believes is bound to increase and become more and more strategic in order to evidence compliance with the accountability principle.

Live Blogging from the IAPP Privacy Congress in Paris

Barbara Bennett, Stefan Schuppert, Winston Maxwell, Lionel De Souza and I are the Hogan Lovells lawyers participating in the IAPP Privacy Congress in Paris.  I am moderating and participating in sessions on cloud computing with Bojana Bellamy of Accenture, and a panel on convergence with Lord Richard Allan of Facebook and Wendi Lozada-Smith of AT&T.  This entry contains a live blog from the opening session.

The Privacy Congress comes on the eve of the European Commission's proposal for revision of the EU privacy framework and the anticipated release of the Department of Commerce White Paper and FTC Report on privacy.  So the future of privacy law is very much in focus.

The Chair of the Dutch Data Protection Authority and Chair of the Article 29 Working Party, Jacob Kohnstamm, is the opening speaker.

The patchwork of laws across Europe requires a region-wide regulation to provide a level playing field and uniformity.  This should be the focus of the upcoming proposal for revision from the European Commission of the legal framework.

The present norms, which are technologically neutral, should persist and be strengthened.

Given the increasing cross-border context of issues, the Article 29 Working Party will have to play a stronger role in interpretation and clarification.  More frequent guidance on issues such as the definitions of "personal data" and "consent" will be needed, while still recognizing the independence of national Data Protection Authorities.  Powers of DPAs need to be harmonized and strengthened, including the ability to enjoin data processing and to levy fines.  Up to now, there have been no significant court judgments in terms of fines.

Article 29 Working Party needs a new name to reflect its true role and importance.

Data controllers need to ensure compliance and to demonstrate such compliance.  Privacy should be first step when launching new products and services, not the last step.  Privacy by Design and transparency are essential.

Companies should be able to seek guidance externally from privacy professionals just as they do with respect to competition law.

The Chairman went on to criticize Google, Facebook and the Online Behavioral Advertising industry for their interactions with DPAs and the Article 29 Working Party, and suggested that under the new regime, their conduct would have been different.

In the Q and A session, which became an especially lively exchange, Peter Fleischer of Google pointed out that changes to Google Buzz were made even before a letter of complaint from the Article 29 Working Party had been received.

The Chairman re-assured a questioner that innovation is taken into account along with privacy when the Article 29 Working Party considers regulation.  "We are paid to deal with privacy, however."

The main task of a DPA is enforcement and not to sit with individual companies on what they should be doing, in an advisory capacity.

On the Global Privacy Enforcement Network (GPEN), the Chairman said the idea was for information sharing during enforcement actions, but he observed that the national restrictions on information sharing have not produced as much cooperation as envisioned, but the Commissioners are committed to working together more across borders.

The second speaker is Viviane Reding, Vice-President of the European Commission, responsible for Justice, Fundamental Rights and Citizenship.

I will share some of the contents of the forthcoming European Commission recommendations on the revision of the Data Protection framework:  Codes of practice such as Binding Corporate Rules are not explicitly foreseen in the current Directive but are recognized as a matter of practice by the Article 29 Working Party.  One of the strengths of BCRs is legal certainty and flexibility.  (Interesting that the primary focus here is on the BCR code of conduct concept, similar to the anticipated focus on codes of conduct by the US Department of Commerce in its White Paper.)

My reform plans for BCRs:

Simplification -- Approval from each member state currently required, which is costly and an administrative burden.  A waste of time and money, and sometimes detrimental to credibility and efficiency of DPAs.  I propose that BCRs be based on EU law, with streamlined approval process and a single point of contact.  Once approved by one DPA, no further approval needed.  BCRs should be used by companies of any size, and should cover everything from paper-based filing system to cloud computing.

Consistent Enforcement -- Enforcement should be possible by any DPA (unlike now where not all DPAs have enforcement power).  DPAs and courts should be able to enforce.

Innovation in Enforcement -- We need to encourage innovation in enforcement and embrace new technology.  First, we need to consider geographical borders.  Data controllers and subjects m realities. Data subjects, controllers and processors may be in different jurisdictions.  BCRs should apply to all internal (inside the EU) and external (in the US, India, Asia and South America) processing.  BCRs should apply both to data controllers and processors.  This would extend to cloud computing.

BCRs will facilitate international interoperability.

We are in a time of difficult economic times and decisions.  While bringing member states out of their debt crisis, we need to do everything to promote economic growth.  I will do my utmost to ensure that data protection reform will both reinforce fundamental protection of individual rights and promote growth.

Ms. Reding did not take questions.

Coming on Tuesday, 14 December: IAPP Web Conference Analyzing FTC Privacy Report Featuring Hogan Lovells and FTC Officials

 

International Association of Privacy Professionals (IAPP) Web Conference

The FTC Privacy Report – A First Look into New Frameworks for Businesses and Policymakers

Date: December 14, 2010
Event start time: 1:00 pm (GMT-05:00) Eastern Time (US & Canada)
Via IAPP Web Conference Service (Registration required)

The FTC has just issued a preliminary report asking for comments on new controls and standards for the online protection of individuals’ privacy. The report details an expansion in scope and breadth of what may constitute consumer data and asks for feedback on sweeping new standards. Join a Web conference examining this important new development in the evolution of consumer privacy. 

Presenters and Hosts:

Robert Belair, Partner, Arnall Golden Gregory LLP

Christopher Wolf, Partner, Hogan Lovells US LLP

Panelists:

Edward W. Felten, Chief Technologist, Office of the Chairman, FTC (effective Jan. 1)

Peder Magee, Senior Staff Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, FTC

To register, click here

September Privacy Events Galore

 

With the new "school year" comes a plethora of privacy events featuring Hogan Lovells attorneys:

On September 9th, the International Association of Privacy Professionals will present this Web Conference on "The Evolution of FTC Privacy Enforcement Actions—What More Granular Enforcement Means for Respondents and Businesses" featuring Hogan Lovells attorneys Chris Wolf and Tim Tobin and FTC Attorney Kandi Parsons.

 

It is a given that there can be no privacy without data security.  Chief Security Officer magazine is presenting the Security Standard conference on September 13 and 14 at the Marriott Brooklyn Bridge in New York City to explore the complexities of modern security strategies, addressing identity management, cloud security, data protection, risk management and privacy.  For registration information, click here.

Hogan Lovells' Chris Wolf will be presenting the following session on September 13:

Negotiating with Your Cloud Provider:  Standard service agreements don’t go far enough in protecting your data and your organization in the event of security incidents or outages at cloud providers. In this session, learn how to negotiate the right terms and penalties to get the protection you need from your cloud provider, from identity management to business continuity, incident response plans and more.

 

On September 14th, Pike & Fischer (a BNA company) will present this Web Conference entitled "Legal Landmines in Europe for Internet-Based Businesses" and featuring Hogan Lovells attorneys from our Paris Office David Taylor, Winston Maxwell, and Chris Wolf from Washington, DC, as well as Google's Global Privacy Counsel Peter Fleischer.

On September 21st, Hogan Lovells will present a complimentary webinar on NAFTA Privacy featuring top governmental privacy officials from Canada, US, and Mexico, as well as the Chief Privacy Leader of General Electric, and moderated by Hogan Lovells' Chris Wolf.  More information can be found here.  To register, please click here.

 

And later in September....

 

You are invited to join Hogan Lovells at the upcoming Online Trust Alliance 5th Anniversary "Online Trust & Cybersecurity Forum" being hosted at Georgetown University, September 22 to 24.  Of particular interest on Wednesday the 22d are three pre-conference workshops focusing on (1) email regulatory compliance, (2) email and domain authentication, and (3) malvertising.  More information on the agenda and registration information are posted here.

Thursday keynotes include the US Secretary of Commerce Gary Locke, Greg Link of CoveyLink, Howard Schmidt (White House Cybersecurity Coordinator) and Randall Rothenberg (IAB) as well as dozens of other business and industry leaders.  Friday Representative Cliff Stearns is speaking and kicking off a privacy roundtable followed by sessions on data breach remediation, identity management and privacy policy makeovers.

At the September 24th session, Christopher Wolf of Hogan Lovells will participate in this panel:

Data Breach & ID Theft; Detection & Remediation
Despite increased security prevention investments and employee training, incidents of data loss are increasing. Companies need to pro-actively plan for the worst case understanding the focus is not if an event will occur, but when. An effective plan includes an orchestrated play book to be deployed on a moment’s notice. This session will examine steps businesses can take to protect consumers and their brands by reviewing elements of an effective plan including consumer education.  Session will also examine the role consumers have in the chain of trust and steps they can take to protect their identity.

  • Chris Shenefelt, Executive Vice President, Global Operations, Intersections Inc.

  • Anne Wallace, President, Identity Theft Assistance Corporation

  • Christopher Wolf, Director, Privacy & Information Management Practice, Hogan Lovells

OTA has offered readers of the Hogan Lovells Blog the opportunity to register by August 31st for only $399.50 for the two day program and save 50%.  Use discount code Hogan50.  Register at https://otalliance.org/dc.html

AMP Summit is "an annual forum for influentials and thought leaders in the activist, media and political spheres."  Public officials and regulators, experts from think tanks, trade associations, and public relations, and members of the media will attend. This conference in Washington at the Marriott Metro Center "is intended to inspire new thinking, challenge traditional strategies, and create opportunities to learn from each other."  Detailed information can be found here.

Chris Wolf from Hogan Lovells will participate on a panel on Friday, September 24th from 3:50 to 5 PM entitled "Privacy in the Internet Age: Does DC Have a Role to Play?" with Lillie Coney of the Electronic Privacy Information Center and Berin Szoka of the Progress and Freedom Foundation, moderated by Bruce Mehlman of Mehlman, Vogel, Castagnetti.

 

Also, as shown here, Quentin Archer from the Hogan Lovells London Office will be co-chairing the Sedona Conference International Programme on Cross-Border E-Discovery and Privacy on 15 and 16 September in Washington, DC.

Live Blogging from Madrid Privacy Confabs: EU-Wide Data Breach Notification Requirement a Real Possibility

In advance of the global meeting of data protection authorities starting tomorrow in Madrid, the International Association of Privacy Professionals (IAPP) and the Electronic Privacy Information Center (EPIC) are hosting side events today at the conference hotel.

The biggest news so far, discussed at the IAPP event, is that the European Commission is seriously considering new data security breach notification laws. Previously, the Commission and the European Council had focused only on breaches at telecom companies and ISPs.

The Commission’s Information Society Commissioner, Viviane Reding, now has said that new EU-wide legislation requiring all entities to notify individuals and authorities of breaches is seriously under consideration.

 

Thus, EU compliance officers are paying rapt attention to the discussion by the Americans here of how to comply with data security breach laws.

 

Tips on Dealing with the Aftermath of a Data Breach

Data security breaches remain a major risk for any company or entity that handles personal information.  The costs of a breach and harm to reputation can be significant.

At the IAPP Privacy Academy in Boston on September 18, I moderated a session on dealing with the aftermath of a data breach.  I was fortunate to have an expert panel -- Chris Cwalina, Vice President, Associate General Counsel, Intersections Inc. and Carol DiBattiste, SVP Privacy, Security, Compliance and Government Affairs, LexisNexis Group. You can view a copy of our PowerPoint presentation.

There is useful information in the slide deck including information on the current legislative landscape -- note the analysis of currently-pending HR 2221 and a review of recent state laws, as well as some points on the variations in the requirements of breach notification laws. 

Fundamentally, you will find helpful tips on what to do in the aftermath of a breach, and how to take steps in advance of a breach to minimize the risks.

The session in Boston concluded with a recommendation that companies conduct an assessment of how they are collecting, using, sharing, storing, securing, and disposing of personal data -- for only by understanding how data is handled can the risk of a breach (and its expensive effects) truly be avoided.  Hogan & Hartson regularly conducts such risk management assessments for our clients, which often result in recommendations on how to close the "gaps" -- how to improve policies, practices, training and auditing.