
Wednesday, January 25, 2012

European Commission Releases Proposed Revisions to the EU Data Protection Directive

by Mehmet Munur

The European Commission announced the proposed revisions to the EU Data Protection Directive today. The widely expected revisions will create uniformity by using a regulation instead of a directive, remove obligations to notify data protection authorities of data processing activities, require data breach notification, increase fines (up to 2% of a company’s global annual turnover), streamline access, introduce a right to be forgotten, expand Binding Corporate Rules to processors, and strengthen the Data Protection Authorities. The Article 29 Working Party also issued a press release supporting the new Regulation.


The proposed regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) creates a number of changes based on the Data Protection Directive. While some of the provisions, such as the fines and the right to be forgotten, may prove controversial, other provisions, such as the removal of the obligation to notify DPAs, will likely be celebrated. The Regulation uses some of the same terms as those defined in Directive 95/46/EC; however, it also introduces new definitions for terms such as personal data breach, genetic data, biometric data, binding corporate rules, and others. The Regulation also clarifies the transparency principle, the data minimization principle, and the obligation to obtain consent for the processing of personal data. The Regulation also introduces more detailed access rights for individuals, adding new elements relating to storage periods of personal information, the right of rectification and erasure, data portability, and complaint resolution. While these protections are likely to bolster the individual’s control over the personal information held by data controllers and processors, they will likely create additional burdens on data controllers and processors to enable the data subjects to exercise these rights.

The Regulation also introduces new obligations on data controllers and data processors. The Regulation will require privacy by design and by default, explicitly introduce the principle of accountability, and clarify the responsibilities of joint controllers. The Regulation states that the data processor may be considered a joint data controller in the event it goes beyond the scope of the data controller’s instructions. This particular provision appears to be a result of the concerns the Article 29 Working Party had over processors such as SWIFT. The Regulation will also explicitly require the cooperation of both the data controller and the data processor with the Data Protection Authorities. The security obligations of the data controller include the obligation to notify the data subject of a breach of personal data. Currently, that proposal includes a “where feasible, not later than 24 hours after having become aware” provision. This provision is likely to be revised to a more reasonable time frame before the Regulation becomes law.

The Regulation makes the Data Protection Officer mandatory for the public sector, where processing is carried out by more than 250 people, and where the core activities of the controller or the processor consist of operations that require systemic monitoring of data subjects. German Data Protection law already provided such detailed requirements for the Data Protection Officer. Previously, the creation of such a position decreased the administrative burden on data controllers and their obligation to notify the Data Protection Authorities of the processing of personal information. This approach is likely to continue with the new Regulation.

The Regulation also includes further details regarding international data transfers. It specifically mentions Binding Corporate Rules. These rules now specifically refer to a data processor’s, as well as a data controller’s, ability to obtain authorization for Binding Corporate Rules. This provision should allow service providers to obtain authorizations for BCRs and transfer personal information internationally without having to rely on Standard Contractual Clauses. However, the time and resources required to obtain authorizations for these BCRs may still be substantial. Considering that the Regulation may take some time, as long as a couple of years, to become law, we may not find out about this process for a while. Finally, the Regulation creates the European Data Protection Board, which replaces the Article 29 Working Party. This Board is to ensure the consistent application of the Regulation, review guidelines, recommendations and best practices, and issue opinions, among other responsibilities.

The Regulation comes with both advantages and disadvantages compared to the current regime in place in the EU. On the one hand, the Regulation will likely foster a more uniform approach to data protection in the EU. Once the Regulation becomes law, member states will not be required to transpose it into national law. This will reduce the local differences in the substance of the law. However, the Regulation still provides for independent Data Protection Authorities. These DPAs will ultimately have different interpretations of the Regulation and of how it interacts with local law and culture. The European Data Protection Board will hopefully have the effect of creating more uniformity. Many will likely celebrate the end of the notification of DPAs regarding the processing of personal information. These registers of personal information were mostly automated, reviewed by few, yet required the time and resources of many corporations. Their departure will allow the DPAs and the corporations to work on more substantive privacy and data protection issues. Assuming that the BCR process is further streamlined, we can expect more companies and service providers getting in line to obtain authorizations. On the other hand, the right to be forgotten, the increased fines, and the restrictions on the legal basis for processing of personal information will likely draw criticism. Hopefully, in the coming years, the Regulation will be revised to better balance some of the obligations on data controllers.


Monday, January 23, 2012

Proposed EU Privacy Rules Concern Businesses

A proposed change to EU privacy law is going to be released this week, proposing a single regulator and increased penalties. It would also include 24-hour data breach disclosure. We will discuss this further once the proposals are released.


Friday, December 23, 2011

Binding Corporate Rules and the Proposed EU Data Protection Regulation

by Mehmet Munur

The proposed replacement of the EU Data Protection Directive with a regulation sometime next year is likely to result in a multitude of changes for privacy regulation in the EU and around the world, and may make the use of Binding Corporate Rules more attractive for midsize companies and data processors. While 2011 was the year of Privacy by Design, 2012 may end up being the year of the BCRs if this proposed regulation becomes law.


The revision to the EU Data Protection Directive is likely to be a regulation instead of a directive, which may result in more uniform data protection laws across the EU. Nevertheless, EU data protection law is based on local employment and labor law to a certain extent. Therefore, there is bound to be some variation in implementation, and the differences in culture and enforcement are likely to continue. While there will be many exciting and controversial changes to the Directive, from enormous fines to the right to oblivion, BCRs have already taken center stage. (You may read more about the proposed revisions to the EU Data Protection Directive, titled “Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)”, here.)

The original BCR system was overly bureaucratic and costly. When the BCR system first started, the applicant would have to seek authorization from each Data Protection Authority in the EU. Considering all of the language and cultural barriers to reviewing a set of rules, this process was mired in reviews and re-reviews until every DPA’s requirements were met. In fact, Peter Fleischer called BCRs data protection for the rich. Then the system was streamlined to 5-7 DPA reviews, with a single DPA acting as the lead. This shrank the time to obtain authorization from years to around 9 months. However, the process is still expensive and cumbersome. That may not be the case with the revisions to the Directive.

During her keynote address for the IAPP Europe Data Protection Congress, European Commissioner Viviane Reding shared her plans to make binding corporate rules even more effective with simplicity, consistent enforcement, and innovation. She pointed to the bureaucratic nature of the BCR approval stating:

I see this legal fragmentation as a costly administrative burden. It wastes time and money. It is detrimental to the credibility and efficiency of data protection authorities and data protection tools.

I intend to propose a consistent and streamlined approval process with a single point of contact for companies amongst the data protection authorities. And, once the binding corporate rules are approved by one data protection authority, I want them to be recognised by all European data protection authorities. And there should be no need for additional national authorisation in case of further transfers.

Though some DPAs have disagreed with this approach, others have already started pushing for companies to start preparing for these BCRs. Considering that the BCRs are likely to be broad enough to apply to processors as well as data controllers, using BCRs for inter-company as well as intra-company transfers may become a reality in the near future.

Therefore, if they are simplified and expanded to processors, 2012 may indeed be the year of the Binding Corporate Rules. Instead of relying solely on Standard Contractual Clauses, midsize companies can obtain authorization using one DPA for all of their intra-company data flows. Furthermore, they may also be able to obtain BCR authorization as safe processors. This should enable cloud service providers to provide cloud services to other companies using their BCRs. Using the older BCR system, companies were only able to obtain BCR authorization applying to data for which they were the data controllers. With this new system, BCRs for data processors should also be possible. As a result, BCRs should become a true option for midsize companies and processors of all kinds, and quite likely a favored option for cloud service providers.

You may read about some of the BCRs that have already been approved by the EU DPAs below. Note, however, that it is the underlying processes and policies that support the BCRs that are difficult to prove and implement. Nevertheless, these BCRs should prove useful in finding out what the DPAs are looking for in these policies.

Deutsche Telekom (http://www.telekom.com/static/-/15714/1/code-of-conduct-si)

Aside from these companies, the following companies have obtained authorization for BCRs:

Accenture
Atmel Corporation
Bank Austria Creditanstalt
Bristol Myers Squibb
Cargill
CareFusion Incorporated
Deutsche Post DHL
First Data
Hyatt Hotel Corporation
International SOS
IMS Health Incorporated
JPMorgan Chase
Novo Nordisk
Safran  
Schering

Their policies may also be available publicly. We hope to have this list updated with the appropriate links in the near future.


Tuesday, November 29, 2011

FTC Announces Enforcement Action Against Facebook

by Mehmet Munur

Recent reports about the FTC and Facebook nearing a settlement were true: today the FTC announced that it had entered into a proposed settlement with Facebook for Facebook's failure to keep its users' information on Facebook private and for repeatedly allowing users' information to be shared and made public. The proposed settlement bars Facebook from making misrepresentations about its privacy and security practices, requires it to obtain affirmative express consent before enacting changes that override privacy preferences, and imposes the usual FTC enforcement requirements regarding a privacy program and a 20-year duration. The eight-count complaint includes a violation of the U.S. Department of Commerce EU Safe Harbor Framework, marking the second substantive Safe Harbor enforcement action by the FTC after the Google Buzz enforcement action. The enforcement action reinforces (1) previous FTC enforcement actions relating to aligning privacy policies and practices, (2) the importance of using screenshots for attorneys working on technology and privacy projects, and (3) the viability of the Safe Harbor as a method of transfer of personal information from the EU.


The first count of the FTC complaint relates to Facebook's deceptive privacy settings. There, the FTC alleges that information users had restricted through the "Only Friends" or "Friends of Friends" profile privacy settings was accessible through Facebook's Platform Applications. While this sharing exceeded the scope of only friends and friends of friends, it was not effectively disclosed to the users, resulting in a false or misleading representation.

The second and third counts in the FTC complaint relate to Facebook's 2009 changes to its privacy policy. As a result of Facebook's changes to its privacy practices on November 19, 2009, users' prior choices regarding their publicly available information were overridden. As a result, users' friends lists were available to everyone and users became visible in Facebook searches. When Facebook changed these settings using a privacy wizard, the FTC alleged that it left out material facts regarding the overriding of users' previous privacy settings. Facebook's failure to clearly state the effects of these changes to the users constituted a deceptive act. Facebook's application of these privacy settings to users' previously collected information, without countervailing benefits to the consumer, constituted an unfair act under the FTC Act.

This third count is important and requires some more discussion. The FTC has maintained for some time, at least since the Toysmart enforcement action, that material retrospective changes to privacy policies without the express consent of the users constitute unfair trade practices. Now, the FTC further elaborates on the point and states that the users must not only provide affirmative consent, but that the consent must be properly informed. The Article 29 Working Party made a similar point in its recent guidance regarding the definition of consent in WP187. Even though Facebook used a privacy wizard to enable users to change their privacy settings, the disclosure of information was not adequate. In other words, the FTC's unfairness claim against Facebook brings together the Toysmart enforcement action and the Sears enforcement action.

The fourth count in the FTC complaint relates to the amount of access Facebook provides to its Platform Applications. The FTC argued that Facebook had stated in various locations that the Platform Applications accessed only the users' profile information that was required for the applications to work. In fact, the FTC alleged, the applications received more information than they required to work, such as the users' relationship status, photos, and videos. In effect, the FTC argues here that Facebook's statements and processes failed the Data Integrity Principle of the Safe Harbor, without necessarily stating it. This principle is also expressed in Article 6(c) of the EU Data Protection Directive, which states that personal data must be "adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed". In simplest terms, Facebook's actions did not entirely line up with its statements.

The fifth count of the FTC complaint relates to Facebook's sharing of information with advertisers, despite its statements to the contrary. The sixth count of the FTC complaint relates to Facebook's Verified Apps program. There, Facebook made statements that its Verified Apps were "secure, respectful and transparent" and that these apps had passed Facebook's review. In fact, Facebook had taken no steps to verify the security of these applications, which turned out to be a false and misleading representation. The seventh count relates to Facebook's failure to prevent access to deactivated accounts. The FTC alleges that Facebook allowed others to access users' photos, videos, and other Facebook content after the accounts were deactivated. These actions, once again, constituted false or misleading statements.

The eighth and final count of the FTC complaint alleges violations of the EU Safe Harbor, which Facebook joined in 2007. This enforcement action against Facebook also happens to be the second substantive Safe Harbor enforcement action and the fourth overall. The FTC's first substantive enforcement action was against Google over the rollout of Google Buzz. Here, Facebook's failure to obtain the affirmative informed consent of its users for the changes in its privacy practices, and its failure to clearly state the purposes and means of processing of the information it collects, resulted in violations of the Notice and Choice Principles of the Safe Harbor.

As a result of the enforcement action, Facebook entered into a proposed consent order. The consent order, among other things, (1) prohibits Facebook from making misrepresentations about its privacy or security practices, (2) requires it to obtain express and informed consent for changes that materially exceed restrictions placed by users, (3) requires it to establish a comprehensive privacy program, (4) requires it to obtain biennial third-party assessments of its practices, (5) requires it to retain appropriate records, and (6) terminates in 20 years.

The FTC's enforcement action against Facebook is important for several reasons. First, it affects half a billion people around the globe and provides them with fundamental privacy protections under the watchful eye of the FTC. Second, it expounds on privacy principles previously articulated by the FTC in new ways and shows the importance of clear and unambiguous privacy policies and practices. Note that Facebook used a privacy wizard in order to allow its users to change their privacy settings, but its statements were still deceptive and unfair. As a result, the enforcement action once again highlights the importance of brief and accurate privacy statements, which was the lesson that the FTC was attempting to teach in the Sears enforcement action.

Third, the enforcement action demonstrates the importance of screenshots. The FTC's hiring of its first full-time technologist has led to some changes. The FTC is now using screenshots more than ever in its complaints. The Facebook complaint is the first complaint (that I am aware of) where the screenshots were in the body of the complaint instead of the exhibits, which is where the Google Buzz screenshots were located. Now, however, the screenshots take center stage in many of the counts of the FTC complaint. This makes perfect sense, as the web takes place on the screen, whether on a desktop, laptop, phone, tablet or TV. This may seem like a minor difference; however, it marks an important shift. Regulators and litigators are increasingly looking at the presentation of companies' practices as well as the words in their privacy statements. Therefore, any implementation of a product or service that requires interaction on an electronic device requires that attorneys, as well as the programmers, closely examine the work product using screenshots. Though this point was already abundantly clear to many technology and privacy attorneys, the Facebook FTC enforcement action should make it clear to all attorneys. Reviewing screenshots of any product or service is crucial for the successful implementation of any project and is mandatory for the defense of any claim relating to privacy or technology.

Finally, the increasing number of EU Safe Harbor enforcement actions by the FTC shows that the promises of the Enforcement Principle of the Safe Harbor are not hollow. EU Data Protection Authorities continue to point to the Binding Corporate Rules as the preferred method of transfer of personal information to countries with inadequate protections under the EU Data Protection Directive. However, the BCRs are beyond the reach of many companies due to their extensive time and resource requirements. Until the EU Data Protection Directive is amended to allow an even more streamlined BCR process, the Safe Harbor will remain the main choice of U.S. companies (under FTC and DoT jurisdiction) wishing to transfer personal information from the EU.


Tuesday, November 08, 2011

FTC Announces Enforcement Actions Against Social Network and Online Advertiser

by Mehmet Munur

The Federal Trade Commission announced an enforcement action against Skid-e-kids and a separate enforcement action against online advertiser ScanScout. The enforcement action against ScanScout involved violations of Section 5 and the use of Flash cookies without disclosing their use in its privacy policy. The enforcement action against Skid-e-kids involved violations of COPPA and the failure to obtain parental consent. Once again, these enforcement actions highlight the importance of drafting accurate privacy policies and following through on those promises.

The enforcement action against Skid-e-kids resembles the enforcement action against W3 Innovations, LLC, whose mobile application failed to pass muster under COPPA. According to the Skid-e-kids FTC complaint, Skid-e-kids promoted itself as “Facebook and Myspace for kids” and permitted kids to register and create accounts, create public posts, and upload posts, among other things. The registration process collected birth date, gender, username, password, and email address from the registrants. However, children were not required to provide a parent’s email address for obtaining consent. At the same time, Skid-e-kids’ privacy policy stated that it would require the email addresses of parents, which would be used to obtain consent and to notify them about Skid-e-kids’ privacy policy. In practice, Skid-e-kids never collected the email addresses of the parents, never contacted them to notify them of its privacy practices, and never obtained consent from the parents. As a result, the FTC alleges violations of COPPA and the FTC Act.

The resulting consent order requires Skid-e-kids to refrain from violating COPPA, delete the personal information collected from the children, and place a notice on its website with links to the OnGuard Online website. In addition, the FTC imposed a civil penalty of $100,000 but suspended all but $1,000 of this penalty. The consent order also requires Skid-e-kids to retain a privacy professional with COPPA experience to conduct assessments, retain records, and report its compliance with the consent order to the FTC.

The enforcement action against ScanScout, on the other hand, resembles the enforcement action against Chitika. According to the FTC’s ScanScout complaint, ScanScout acts as an intermediary between websites and advertisers and publishes advertising space on videos. ScanScout decides which video advertising should be delivered to which user. Unlike the Chitika enforcement action, which involved HTTP cookies, ScanScout used Flash cookies from April 2007 to September 2009. At that time, deletion of a browser’s HTTP cookies did not result in the deletion of Flash cookies—though since then Adobe and the major browsers have finalized APIs so that deleting HTTP cookies also deletes Flash cookies. However, at the same time, ScanScout’s Privacy Policy stated that a user could opt out of receiving a cookie by changing their browser settings. In practice, however, users could not opt out of receiving these cookies, and therefore could not stop the tracking by ScanScout.

The resulting agreement and consent order requires ScanScout to provide a clear and prominent method that enables users to opt out of ScanScout's collection of data that can be associated with a particular user. This opt-out must last at least 5 years, and ScanScout must display links to this opt-out mechanism in the advertisements it serves. The agreement and consent order also comes with other compliance and reporting obligations and lasts for 20 years.

Together, these two enforcement actions, once again, highlight the importance of having accurate privacy policies in place. These two companies came under the FTC’s radar not just due to their actions, but also due to the statements in their privacy policies. ScanScout’s privacy policy had not been updated to show that it was using Flash cookies in order to track users. There was also a clear mismatch between what Skid-e-kids’ privacy policy stated and what it did in practice. Attorneys may draft the most intricate privacy policies; however, without processes to ensure that those policies are followed in operations, most businesses are open to FTC enforcement actions or lawsuits by their users. As a result, the drafting and implementation of privacy policies must include not just the legal department, but all departments involved in the execution of the actions outlined in the privacy policy.


Tuesday, October 18, 2011

Consumer Financial Protection Bureau Issues Supervision Manual 1.0

We represent a number of financial service providers, so it is important to understand the laws that govern them. However, it is also important to understand how their regulators view the law. The Consumer Financial Protection Bureau just released its supervision manual, which is a very useful tool to help guide the creation and delivery of financial services online:


Federal government regulators usually have manuals for their examiners. Our manual provides our examiners with direction on how to determine if providers of consumer financial services are complying with consumer protection laws - and how to determine if the providers have adequate policies and procedures in place to comply with those laws.

The manual is located here.


Tuesday, October 11, 2011

ISSA Social Media Summit

Dino and I will be presenting at the ISSA Social Media Summit that will be held on October 19, 2011 from 11am to 4pm at the J. Liu restaurant in Worthington, following the regular ISSA chapter meeting. Dino will be part of a lunch panel with Brent Huston from MicroSolved, Inc., Kevin Shea from JP Morgan Chase, Ray Vazquez from Infinitive, and Brian Mannion from Nationwide. Dino and I will join Justin Root from Porter Wright on the Social Media and Legal Risk panel presentation following this lunch panel. Brian Mannion and Kevin Shea will follow with an in-house perspective on Social Media after our presentation. Brent Huston from MicroSolved will close with the security issues affecting Social Media. You may find out more information and register for the summit here.


Tuesday, October 04, 2011

Effective Privacy and Security Compliance Requires an Understanding of Data Flows within the Company

We were recently interviewed by Nymity regarding understanding an organization's data flows. We focused on data flow mapping and how companies can build and use these maps for effective privacy and security compliance. We also discussed recent privacy enforcement actions in relation to data flows and the importance of understanding local laws and regulations. You may read the interview, titled "Effective Privacy and Security Compliance Requires an Understanding of Data Flows within the Company", here.


Thursday, September 08, 2011

FTC Announces Second Mobile Application Settlement

by Mehmet Munur

The FTC announced an enforcement action against two marketers of mobile applications on the Apple and Google mobile application stores that claimed, among other things, to cure acne by “resting the iPhone against your skin’s acne-prone areas for 2 minutes daily to improve skin health without prescription drugs.” This is the second enforcement action that the FTC has brought against mobile application developers. The first mobile application enforcement action was for violations of COPPA.

According to the FTC complaint against AcneApp, the advertisement for the application stated that the application was an effective treatment for acne, and the FTC alleged that these representations were false and misleading. The description of the application stated that it had been developed by a dermatologist and that a British Journal of Dermatology study showed the effectiveness of the treatment. As a result, the FTC alleged that the marketer’s actions amounted to unfair and deceptive trade practices under Section 5 of the FTC Act.

The accompanying agreement and consent order requires the marketers to pay $14,294 in fines to the FTC. It also prohibits the marketers from representing that AcneApp provides effective treatment for acne unless they have reliable scientific evidence substantiating that representation. The consent order also contains record-keeping requirements relating to all advertisements, as well as notification requirements. As is customary with FTC enforcement actions, the order terminates in 20 years. However, it does not include any third-party assessments, which are usual for enforcement actions relating to security breaches. The complaint and the agreement and consent order for the marketer of the second application (aptly titled Acme Pwner) are similar in nature. However, the fines are limited to $1,700.

This enforcement action is the second enforcement action for the FTC in the mobile space. At the time of the first enforcement action, we proclaimed that the FTC would continue to be active in this area. This is yet another indication of the FTC’s willingness to bring enforcement actions in the mobile space. We expect the next enforcement action to be based on the privacy or security practices of a mobile application directed towards adults.


Tuesday, September 06, 2011

California Updates its Breach Notification Law

Last week, California governor Jerry Brown signed into law SB 24 which updates California's existing data breach notification law (SB 1386) by adding new requirements for data breach notices sent to affected California residents. The bill was sponsored by State Senator Joe Simitian, whose office provided a fact sheet summarizing the bill's main points:


  1. Establishes standard, core content -- such as the type of information breached, time of breach, and toll-free telephone numbers and addresses of the major credit reporting agencies -- for security breach notices in California;

  2. Requires public agencies, businesses, and persons subject to California’s security breach notification law, if more than 500 California residents are affected by a single breach, to send an electronic copy of the breach notification to the Attorney General; and,

  3. Requires public agencies, businesses and persons subject to California’s security breach notification law, if they are utilizing the substitute notice provisions in current law, to also provide that notification to the Office of Information Security or the Office of Privacy Protection, as applicable.
