
Thursday, January 23, 2014

US-EU Safe Harbor: FTC Proposed Consent Orders with 12 companies for false claims.

Yesterday the FTC announced proposed consent orders with twelve companies that falsely claimed compliance with the Safe Harbor framework. Interestingly, it involved a broad range of companies, including collection agencies and NFL teams(!).
The companies were previously certified but allowed their certifications to lapse. However, their privacy statements continued to claim they were in compliance, which in turn is a violation of Section 5 of the FTC Act. The FTC did not assert data violations per se, but focused only upon disclosure violations. EU data protection authorities have complained for some time that companies either do not do adequate due diligence of their own practices behind their certifications or let their certifications lapse with impunity.

The moral of the story? Make privacy review and recertification an annual event!

Also, the settlement allows interested persons to provide public comments on the proposed consent orders through February 20, 2014 before the consent orders are made final. We recommend our clients follow this process because it should be enlightening. We will continue to post on the status of this...  Stay tuned!


Friday, June 07, 2013

PRISM and NSA-Verizon Disclosures May Hurt EU Data Protection Regulation Efforts

By Mehmet Munur

Recent disclosures relating to PRISM and Verizon-NSA wiretapping may hurt efforts to make the EU General Data Protection Regulation less prescriptive and more business friendly for American companies. These programs will give support to the proponents of making international transfers more difficult and possibly place the U.S. Department of Commerce Safe Harbor Programs in jeopardy. Leaving aside for the moment the civil liberties arguments, which are paramount, Congress should reform the laws to better balance Fourth Amendment rights with national security imperatives and also ease burdens relating to international data transfers for multinationals.

In recent months, there has been a concerted effort to make the upcoming EU Data Protection Regulation less prescriptive and more streamlined. There has also been an effort to ease any issues relating to international data transfers to the U.S. For example, the DoC recently issued a document titled Clarifications Regarding the U.S. – EU Safe Harbor Framework and Cloud Computing. The DoC stated that the Safe Harbor frameworks were open to cloud service providers, stated that they would not have to enter into Standard Contractual Clauses, countered some arguments made by the Article 29 Working Party relating to the Safe Harbor, and expressed confidence regarding the continued availability of the Safe Harbor after the implementation of the General Data Protection Regulation. The FTC has also kept up its efforts on this front by bringing enforcement actions under the Safe Harbor, directly communicating with the European Commission on privacy issues, and regularly attending International Conference of Data Protection and Privacy Commissioners meetings. In a similar vein, law firms and think tanks have issued white papers arguing that governments all over the world (not just the U.S.) have access to personal information held in the cloud. One white paper argues that the right of the government to access data stored in the cloud exists in every jurisdiction. The other attempts to dispel misconceptions relating to the Foreign Intelligence Surveillance Act.

If the revelations relating to the NSA access to phone records and the scope of PRISM are true, then they may undermine these concerted efforts. European lawmakers may once again point to the U.S. and argue that the scope of the government’s access to data stored in the cloud is far greater than elsewhere in the world. This may impede the ability of the Safe Harbor to survive the revision of the EU Data Protection Directive into the General Data Protection Regulation, which may in turn adversely impact the cloud service providers who depend on the Safe Harbor. In addition, the criticism from the EU may apply equally to cloud service providers and other multinationals who transfer personal information—due to their internal HR data transfers or otherwise. The scrutiny from European Data Protection Authorities may become so intense that Standard Contractual Clauses and Binding Corporate Rules become the only viable alternatives. While these methods are appropriate under some circumstances, they are not appropriate for all circumstances due to cost and complexity. The added cost and complexity of abiding by these obligations may adversely affect the bottom line of small and medium-sized enterprises—to say nothing of lost business due to individuals moving to European-based cloud service providers.

Therefore, Congress should take this opportunity to revise the aging Electronic Communications Privacy Act (parts of which are unconstitutional), laws relating to National Security Letters (some of which have been found unconstitutional by one district court), and FISA (which is at the center of the NSA-Verizon and PRISM disclosures) to better balance Fourth Amendment protections and to help multinational companies with international data transfers.


Friday, January 25, 2013

Appeals Court Vacates Obama Recess Appointment

By Mehmet Munur

The U.S. Court of Appeals for the D.C. Circuit ruled today that President Obama’s appointments to the National Labor Relations Board were unconstitutional and that the Board’s actions were unenforceable.  The court ruled that the Senate was in session during the appointment and that the vacancies had not arisen during the recess of the Senate—as those terms are used in the Constitution. This ruling is important because it may invalidate all Board decisions in the last year and also because the Consumer Financial Protection Bureau and Richard Cordray are subject to a similar lawsuit in State Nat. Bank of Big Spring v. Geithner, No: 1:12-cv-01032-ESH (D.C. Cir. June 21, 2012).

An administrative court judge found that the petitioner Noel Canning had violated the National Labor Relations Act. Canning filed exceptions to the findings with the NLRB, which affirmed the administrative court’s findings. At the time, two of the Board’s members had been properly confirmed by the Senate, but the remaining three Board members were recess appointments by President Obama. Canning argued that these three Board members had not been appointed in conformance with the Constitution and therefore there was no quorum for the Board to conduct business. The court agreed and vacated the NLRB’s order.

Article 2 Section 2 of the Constitution states that the “President shall have power to fill up all Vacancies that may happen during the Recess of the Senate, by granting Commissions which shall expire at the End of their next Session.”  The Circuit court ruled that Recess referred to “the Recess” of the Senate as opposed to “a Recess” of the Senate—making this recess distinct from any adjournment of Congress. The Circuit Court stated, “[a]s a matter of cold, unadorned logic, it makes no sense to adopt the Board’s proposition that when the Framers said ‘the Recess,’ what they really meant was ‘a recess.’ This is not an insignificant distinction. In the end it makes all the difference.” The opinion neatly summarizes the pitfalls in avoiding the checks and balances built into the Constitution, stating:

An interpretation of “the Recess” that permits the President to decide when the Senate is in recess would demolish the checks and balances inherent in the advice-and-consent requirement, giving the President free rein to appoint his desired nominees at any time he pleases, whether that time be a weekend, lunch, or even when the Senate is in session and he is merely displeased with its inaction. This cannot be the law.

After all, the Framers must have had distinct meanings in mind when they used “adjournment” and “adjourn” (without “the”) compared to their use of “the Recess.”

Going a step further, the court held that the vacancies also had not happened during the Recess. The Board argued that “happen” merely meant that the vacancy had to exist during the Recess, whereas Canning argued that “happen” meant arise. The court agreed with Canning that the dictionary and contemporary meanings of the word happen governed over the broader meaning the Board advocated.  The Circuit Court stated that “[t]he term ‘happen’ connotes an event taking place — an action — and it would be plainly incorrect to say that an event happened during some period of time when in fact it happened before that time.” As a result, the court held that the vacancies had not happened during the Recess of the Senate.

If upheld by the Supreme Court, the decision could invalidate all of the Board’s orders in the last year. Richard Cordray, who was appointed during the same time, may also be subject to a similar decision when State Nat. Bank of Big Spring v. Geithner, No: 1:12-cv-01032-ESH (D.C. Cir. June 21, 2012) comes to a conclusion.



Monday, November 26, 2012

Got (website) ADA? Commercial Websites and the Accessibility Requirements of the Americans with Disabilities Act.

By Dino Tsibouris and Ken Sperl

Section 508 of the amended Workforce Rehabilitation Act requires federal agencies to make their websites accessible to disabled persons.  In 2008, the Justice Department was given the power to create rules for entities subject to the Americans with Disabilities Act (“ADA”).  One of the goals of the Justice Department under its rulemaking power was to require commercial entities to abide by the same rules as federal agencies regarding Section 508.

Before the Justice Department was given rulemaking powers regarding the ADA, the case of National Federation of the Blind, et al. v. Target Corporation came before the Northern District of California in 2006.  The judge allowed only those portions of the plaintiffs’ claims to continue in which the website supplemented Target’s physical stores and dismissed the claims that related to information and services unconnected to Target stores (National Federation of the Blind, et al. v. Target Corporation, No. C 06-01802 MHP [N.D. Cal., Sept. 5, 2006]).  In other words, the judge required a “nexus” between the website and the physical location.

On June 19, 2012 in Massachusetts, in the case of National Association of the Deaf v. Netflix, Inc., Netflix argued that the ADA applies only to physical places and therefore could not apply to website-only businesses like Netflix’s “Watch Instantly” streaming service.  In denying Netflix’s motion to dismiss the judge ruled that it would be “irrational to conclude” that: “places of public accommodation are limited to actual physical structures…In a society in which business is increasingly conducted online, excluding businesses that sell services through the Internet from the ADA would run afoul of the purposes of the ADA and would severely frustrate Congress’s intent that individuals with disabilities fully enjoy the goods, services, privileges and advantages, available indiscriminately to other members of the general public.” Moreover, the judge stated that the fact that the ADA “does not include web-based services as a specific example of a public accommodation is irrelevant” since such web-based services did not exist when the ADA was passed in 1990 and because “the legislative history of the ADA makes clear that Congress intended the ADA to adapt to changes in technology.” (National Association of the Deaf v. Netflix, Inc., 3:11-cv-30168-MAP [D. Mass. June 19, 2012])  However, in a similar case in California, the judge dismissed such claims against Netflix, holding that Internet movies viewed online are not within the ADA’s definition of a “public accommodation.”

Commercial businesses using a website to enable customers to purchase their goods and services are being placed in a difficult position.  Currently, there are no regulations in place that obligate a business to make its website accessible to the disabled.  But, as evidenced by the Netflix lawsuit, courts are willing to treat the situation as though the obligation is in place.  Does a business step up, spend the money and make its website accessible before it is obligated to do so?  Making the changes could be expensive and the standards may change by the time legislation is passed that specifically obligates commercial businesses.  Or, does the business stay as it is and accept the potential risk of class action lawsuits?

Unfortunately, we may not have a definitive ruling on the issue of "public accommodation" status with respect to websites in the immediate term.  Netflix settled the case in Massachusetts in early October and agreed to include closed captioning for all streamed movies by 2014 and to pay $755,000 in fees to the plaintiffs’ lawyers.  If anything, businesses should at least factor accessibility into their development efforts, because this settlement may serve as an incentive for plaintiffs’ lawyers in the near term.

Story at http://abclocal.go.com/kgo/story?section=news/business&id=8842650



Thursday, August 09, 2012

FTC Fines Google $22.5 Million, Leads in Cookie Enforcement

By Mehmet Munur

As widely expected, the FTC issued a civil penalty against Google for violating Safari web browser users’ cookie settings. The default setting for the Safari web browser would have blocked Google’s advertising cookies. However, Google allegedly used a workaround to place a cookie that then resulted in other Google tracking cookies being placed on the users’ devices. Google also represented to Safari users that the opposite was true. The FTC issued a monetary penalty of $22.5 million, mostly due to the fact that Google was already subject to the FTC order arising from the Google Buzz launch issues. The large civil penalty drives home the message that privacy settings on users' devices matter. Their violation—no matter how technical—may result in enforcement actions and fines.

The fine is the largest civil penalty in the FTC’s history. It is also the FTC’s third settlement relating to cookies, after the Chitika enforcement action and the ScanScout enforcement action. The settlement also represents another enforcement action, and the first fine, relating to the U.S. Department of Commerce EU Safe Harbor—due to the underlying consent order. The Department of Justice complaint lists three causes of action: (1) collecting covered data in violation of the initial Google Consent Order, (2) serving targeted advertising in violation of the initial Google Consent Order, and (3) misrepresenting National Advertising Initiative compliance in violation of the initial Google Consent Order. In the proposed order, Google agrees to (1) pay the civil penalty, (2) delete the tracking cookies, and (3) report its compliance.

Interestingly, Commissioner Rosch dissented from the consent decree because he did not believe that Google should be able to deny liability in this setting.  He thought so because it was Google’s second time violating the FTC Act and this was a violation of an already existing consent order. He also argued that the civil penalty was small compared to Google’s revenue and profits and, therefore, would not deter others from engaging in similar conduct. The Commission responded in a statement to Commissioner Rosch’s dissent and stated that the fine was in the public interest and that it was historic. However, the remaining commissioners appeared to confirm the notion that this was a technical violation, that it did not last long, and that Google did not profit much from it. As a result, the differentiating factor between the Google and Chitika enforcement actions relating to cookies appears to be that Google was already under a consent order.

The civil penalty establishes the FTC as the leading privacy enforcement agency in the world, at least in my mind. While the Chitika enforcement action may have been technical in nature and likely did not get the attention of many technology companies, this civil fine will grab headlines and drive the message home unlike any enforcement action before it. Users’ privacy settings on their devices matter. If you violate them, you may be subject to an enforcement action or even a fine. I doubt, however, that the FTC will start getting the respect it deserves from the European regulators.

You may read more about how Google placed cookies on users’ devices in violation of their browser settings on the FTC’s Chief Technologist’s blog here.



Tuesday, June 12, 2012

Article 29 Working Party Publishes Opinion on Exemptions for Cookies

by Mehmet Munur

The Article 29 Working Party published an opinion (WP194) today on the exemptions to the consent requirement for cookies or similar technologies under the revised E-Privacy Directive. The Working Party elaborated on types of cookies that may not require consent under certain circumstances, such as cookies that track users’ input on forms or shopping carts and cookies that store users’ language preference. Most importantly, the Working Party stated that first-party analytics cookies are not likely to create privacy risks when they are strictly limited to first-party aggregated statistical purposes, the website provides clear notice about these cookies in its privacy policy, and adequate privacy safeguards are in place. While the Working Party deems such cookies not to be strictly necessary for the operation of a website, it also admits that the privacy risks are limited when they are configured properly.

The Working Party elaborated on the two exceptions to consent under Article 5.3 of the amended E-Privacy Directive 2009/136/EC. Under the Directive, service providers may only store information, or gain access to information already stored, on equipment if the user has given consent after having been provided with clear and comprehensive notice. The first exception to the consent requirement is information stored for the sole purpose of carrying out the transmission of a communication over an electronic communications network. The second exception to the consent requirement is information strictly necessary for provision of services explicitly requested by the user.

With regard to construing the first exception, the Working Party stated that the following elements may be helpful:

1) The ability to route the information over the network, notably by identifying the communication endpoints.
2) The ability to exchange data items in their intended order, notably by numbering data packets.
3) The ability to detect transmission errors or data loss.

Therefore, cookies or similar technologies that meet any of the above criteria should satisfy the exception to the consent requirement.

With regard to construing the second exception and due to the complexities in what constitutes the service, the Working Party stated that the following elements should be met:

1) A cookie is necessary to provide a specific functionality to the user (or subscriber): if cookies are disabled, the functionality will not be available.
2) This functionality has been explicitly requested by the user (or subscriber), as part of an information society service.

The Working Party then moved to the terminology relating to cookies and drew some distinctions between session cookies, persistent cookies, first-party cookies, and third-party cookies. Importantly, the Working Party stressed that it would be moving away from the distinction between first-party and third-party cookies as used in the browsers. Most web browser settings would classify a cookie placed on a user’s device by the domain visited by the user as a first-party cookie and any cookie placed by another domain as a third-party cookie. The Working Party uses a slightly different definition, built on the Directive’s definition of a third party: it uses the term third-party cookies “to describe cookies that are set by data controllers that do not operate the website currently visited by the user.” On the other hand, first-party cookies “refer to a cookie set by the data controller (or any of its processors) operating the website visited by the user, as defined by the URL that is usually displayed in the browser address bar.”

In order to determine whether the cookie is strictly necessary, the service provider must determine the lifespan of the cookie, whether it is session based or persistent, and the purposes of the processing. Therefore, the Working Party creates a continuum where first-party session cookies may be strictly necessary whereas third-party persistent cookies may not be. However, the Working Party stresses that these distinctions must be used in conjunction with the purposes of the cookies in order to determine whether consent is required.
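The two axes just described (first-party vs third-party, judged against the site in the address bar rather than against the responding host, and session vs persistent, from the cookie's Max-Age or Expires attribute) are the first pass of a cookie audit. The following is an added example, not code from the original post or from the Working Party; it classifies Set-Cookie headers captured during a page load and ranks them for review. The hostnames, headers and reference date are constructed, and the registrable-domain rule is a simplified assumption.

```javascript
'use strict';

// Assumption: a "last two labels" heuristic for the registrable domain. A
// real audit should use the Public Suffix List so that, e.g., shop.co.uk and
// bank.co.uk are not treated as the same site.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

// Parse one Set-Cookie header into its name and a lower-cased attribute map
// (flag attributes such as Secure and HttpOnly map to true).
function parseSetCookie(header) {
  const parts = header.split(';').map((s) => s.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq).trim();
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name, attrs };
}

// Classify one cookie. pageUrl is the URL shown in the address bar; setterUrl
// is the response that carried the header; now is the reference time in ms.
function classifyCookie(pageUrl, setterUrl, header, now) {
  const { name, attrs } = parseSetCookie(header);
  const pageHost = new URL(pageUrl).hostname;
  const setterHost = new URL(setterUrl).hostname;
  // Effective cookie domain: the Domain attribute (leading dot stripped) if
  // present, otherwise the host that set it (an RFC 6265 host-only cookie).
  const domain = (typeof attrs.domain === 'string'
    ? attrs.domain.replace(/^\./, '') : setterHost).toLowerCase();
  const party = registrableDomain(domain) === registrableDomain(pageHost)
    ? 'first-party' : 'third-party';

  // Lifetime: Max-Age takes precedence over Expires (RFC 6265 section 5.3);
  // neither attribute means a session cookie; zero or a past date deletes it.
  let lifetime = 'session';
  let lifetimeDays = 0;
  if (typeof attrs['max-age'] === 'string' && /^-?\d+$/.test(attrs['max-age'])) {
    const secs = parseInt(attrs['max-age'], 10);
    lifetime = secs > 0 ? 'persistent' : 'deleted';
    lifetimeDays = secs > 0 ? Math.round(secs / 86400) : 0;
  } else if (typeof attrs.expires === 'string') {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) {
      lifetime = t > now ? 'persistent' : 'deleted';
      lifetimeDays = t > now ? Math.round((t - now) / 86400000) : 0;
    }
  }
  return { name, domain, party, lifetime, lifetimeDays,
           secure: attrs.secure === true, httpOnly: attrs.httponly === true };
}

// Audit every cookie set during a page load. The priority only orders the
// review: WP194 puts first-party session cookies at the "may be strictly
// necessary" end and third-party persistent cookies at the other, but the
// purpose of each cookie still decides whether consent is required.
function auditCookies(pageUrl, observed, now = Date.now()) {
  return observed.map(({ setterUrl, header }) => {
    const c = classifyCookie(pageUrl, setterUrl, header, now);
    let priority = 'low';
    if (c.party === 'third-party' && c.lifetime === 'persistent') priority = 'high';
    else if (c.party === 'third-party' || c.lifetime === 'persistent') priority = 'medium';
    return { ...c, priority };
  });
}

// Constructed capture of a page load on 12 June 2012 (the date of this post).
const SAMPLE_PAGE = 'https://www.example.com/cart';
const SAMPLE_NOW = Date.parse('Tue, 12 Jun 2012 00:00:00 GMT');
const SAMPLE_COOKIES = [
  { setterUrl: 'https://www.example.com/cart',
    header: 'cart=a1b2c3; Path=/; Secure; HttpOnly' },
  { setterUrl: 'https://www.example.com/cart',
    header: 'lang=en; Path=/; Max-Age=31536000' },
  { setterUrl: 'https://cdn.example.com/app.js',
    header: 'lb=srv2; Path=/' },
  { setterUrl: 'https://ads.example-adnet.test/pixel.gif',
    header: 'uid=x9y8z7; Domain=.example-adnet.test; Path=/; Expires=Wed, 01 Jan 2014 00:00:00 GMT' },
  { setterUrl: 'https://www.example.com/logout',
    header: 'session=; Path=/; Max-Age=0' },
];

function runSample() {
  return auditCookies(SAMPLE_PAGE, SAMPLE_COOKIES, SAMPLE_NOW);
}

for (const c of runSample()) {
  console.log(`${c.name.padEnd(8)} ${c.party.padEnd(12)} ${c.lifetime.padEnd(10)} `
    + `${String(c.lifetimeDays).padStart(4)}d  review: ${c.priority}`);
}
```

The output is a starting point for the purpose-by-purpose review the Working Party calls for, not a consent determination; a cookie flagged "low" can still need consent if it is used for tracking.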

The Working Party then discussed different examples of cookie use scenarios that may be exempt from the consent requirements. 

User input cookies: Looking at session cookies that track users’ inputs on a webpage, the Working Party stated that these cookies would likely not require consent.
Authentication cookies: The Working Party came to a similar conclusion for session-based authentication cookies. However, persistent cookies for logins would require consent.
User-centric security cookies: User-centric and user-requested security cookies, for example those related to login attempts, would also not require consent. However, this may not be the case for other cookies relating to the security of the website.
Multimedia player session cookies: Default Flash player cookies may also not require consent to the extent they relate to technical data such as image quality, network link speed and buffering parameters. However, they should be session cookies.
Load balancing session cookies: Session-based cookies used to balance users across different servers are likely not to require consent, either.
UI customization cookies: Session or persistent cookies relating to the user’s preference over language or appearance may also not require consent, mostly because the user shows his preference by clicking on a box or link to set these preferences. However, notice relating to the use of cookies may be required for persistent cookies.
Social plug-in cookies: The Working Party states that consent may be required from users who are not logged into the service or are not customers of the service. However, consent may not be required for users that are logged in and are requesting the service.

In addition to the above examples relating to the exempt cookies, the Working Party stated that the following cookies would not be exempted from the consent requirement: social plug-in tracking cookies, third-party advertising cookies, and first-party analytics cookies. To the extent that these cookies are used for the tracking of the individual, consent would be required. With regard to the first-party analytics cookies, the Working Party stated that these cookies “are not likely to create a privacy risk when they are strictly limited to first-party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards.” These safeguards should include a method for opting out and anonymization of identifiable information such as IP addresses. Therefore, first-party analytics cookies with the appropriate privacy controls would likely not require consent even though they are not in an exempted category. The Working Party notes, however, that the privacy risks relating to third-party analytics cookies that track users across websites are higher and would require consent.

This opinion from the Working Party falls in line with the latest opinions from the UK ICO and the CNIL. The ICO and the Working Party appear to have taken a step back from the strict interpretation of the amended E-Privacy Directive that would require informed consent even for first-party analytics. In fact, the Working Party now calls for a revision of the Directive to explicitly allow for

This long awaited opinion from the Working Party brings some more detail around the difficult challenges faced by most companies in complying with the revised E-Privacy Directive. It does not negate the need to conduct audits and due diligence relating to cookies and similar technologies used by companies. It does, however, make first-party analytics cookies easier to implement.



Thursday, June 07, 2012

Employee Use of P2P Software Results in FTC Enforcement Actions

By Mehmet Munur

The Federal Trade Commission announced that it brought two separate enforcement actions against a debt collector and a car dealership because of the unauthorized sharing of sensitive personal information through P2P network software installed by their employees. As is common in most FTC enforcement actions, the companies will be required to cease misrepresentations about privacy and security of personal information, maintain a comprehensive information security program, and submit to third-party security audits for 20 years. These enforcement actions, once again, point to the importance of having privacy policies that align with privacy practices and the importance of having reasonable security practices in place.

The FTC complaint against the debt collector, EPN, alleges that it collected personal information without reasonable and appropriate security. EPN collected name, address, date of birth, gender, Social Security number, employer address, employer phone number, and, in the case of healthcare clients, physician name, insurance number, diagnosis code, and medical visit type from its clients for debt collection purposes. EPN’s Chief Operating Officer installed a P2P application on its systems. One of its clients found the files shared on the same network and alerted EPN about it. In fact, EPN shared information about 3,800 individuals through this P2P application. EPN did not have a business need for the application. The FTC stated that EPN did not have an incident response plan, a risk assessment, measures against P2P software use by its employees, or procedures for detecting unauthorized access to personal information. The FTC alleged that these were unfair and deceptive practices under the FTC Act.

It is interesting that the FTC did not point to a privacy policy for representations relating to the privacy and security of the information collected by EPN—even though EPN, doing business as Checknet, Inc., has a website privacy policy. However, the privacy policy does not have an effective date and it may have been added after the FTC investigation began.

The FTC complaint against the car dealer, Franklin’s Budget Car Sales, alleges that the dealership shared a privacy notice with its customers stating that it would restrict access to non-public personal information and that it maintained physical, electronic, and procedural safeguards that complied with federal regulations. The dealership then collected personal information such as names, Social Security numbers, addresses, telephone numbers, dates of birth, and drivers’ license numbers from consumers. The FTC also alleges that the dealership did not provide an annual notice. Currently, Franklin Toyota’s website privacy policy shows the model privacy clauses—instead of a web privacy policy. They are also still in the model form—without some of the choices for creating the form having been made. The FTC alleges that the dealership failed to put into place reasonable security procedures—similar to EPN’s alleged failures. As a result of those failures, information relating to 95,000 consumers was shared on P2P networks. Therefore, the FTC alleged violations of Section 5 of the FTC Act (for misrepresenting its privacy and security measures in its privacy notice), the Safeguards Rule of the GLBA (for failing to implement reasonable security practices), and the Privacy Rule of the GLBA (for failure to send annual privacy policies).

Both companies agreed to similar terms as a result of these complaints. The consent order with the dealership requires it not to misrepresent the privacy, security, and confidentiality of the personal information it collects and not to violate the GLBA. It also requires the dealership to designate an employee accountable for information security, conduct a risk assessment, and design and implement reasonable safeguards, among other things. The dealership must also submit to third-party assessments once every two years for 20 years. The debt collector’s consent order is similar—but for the GLBA requirements.

There are several lessons to be learned from the enforcement actions—some new, some old.

First, the enforcement action highlights the importance of having a privacy policy and abiding by the letter and spirit of that privacy policy to avoid an enforcement action under the FTC Act. Google, Facebook, Twitter and others ran into this same trap of having a privacy policy that did not align with their privacy and security practices.

Second, failure to have reasonable security without making any representations regarding the importance of privacy and security to an organization can still result in an enforcement action—especially where the harm to consumers may include sharing of sensitive personal information. Here, the FTC seemed perturbed by the fact that some of the personal information shared with the P2P networks may never be taken out of circulation due to the decentralized nature of P2P networks. In fact, some of this information likely included information relating to healthcare procedures.

Finally, the FTC appears to be following a “study, report, then bring enforcement actions” plan for topics of interest—as any reasonable regulator should. In the P2P space, the FTC obtained comments and looked at consumer protection and competition issues in a 2005 staff report. More recently, in 2010, the FTC completed a study on widespread data breaches resulting from P2P software use by businesses and notified about 100 organizations. The FTC also published guides for consumers and businesses relating to P2P software use. Then, the FTC brought an enforcement action against Frostwire LLC for default settings in its P2P software that shared too much personal information. Now, the FTC brings this enforcement action against businesses that cause breaches due to the use of P2P software. The FTC has been following a similar study-report-bring-enforcement-actions plan with mobile privacy, mobile payments, and behavioral advertising issues. Therefore, I would expect more enforcement actions in those fields as a result of the plan the FTC has been carrying out in this P2P area.

These latest enforcement actions are reminders that businesses must pay attention to their privacy and security practices or risk being subject to onerous consent orders prescribing privacy and security programs.



Monday, March 26, 2012

FTC Issues Final Privacy Report

By Mehmet Munur

Today, the Federal Trade Commission released its final report titled Protecting Consumer Privacy in an Era of Rapid Change, which announces its best-practices privacy framework. The final report reinforces the FTC’s commitment to the Privacy by Design, Simplified Choice for Consumers, and Greater Transparency principles. The final report reduces the scope of the privacy framework by creating an exception for small businesses and an exception for de-identified data. The report includes further information relating to when companies should provide choice to consumers and creates a new “context of the transaction” standard for choice. The final report calls on Congress to enact baseline privacy legislation. The report also calls on industry to start complying with the privacy framework as a best practice, even though the FTC may not be able to rely on all of the final report’s recommendations in its enforcement actions. The report also commends industry actions in the behavioral advertising arena while highlighting the need to do more in order to address the implications of the report in both the online and the offline world. The FTC will focus on Do Not Track, Mobile, Data Brokers, Large Platform Providers, and Self-Regulatory Codes throughout this year to promote the implementation of the framework. Therefore, the FTC will continue the development of the privacy framework with stakeholders, industry, consumer groups, and the Department of Commerce.

Scope of the Privacy Framework.
The final report builds on the preliminary report of the same name released in December 2010, which we discussed at the time of its release. The privacy “framework applies to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device, unless the entity collects only non-sensitive data from fewer than 5,000 consumers per year and does not share the data with third parties.” The FTC has decided to include a fewer-than-5,000-consumers-per-year small business exception in order to reduce the impact of the privacy framework on small businesses. However, the more important reduction in scope comes in the form of what the FTC defines as information that cannot be reasonably linked to a specific consumer, computer, or other device.

In its preliminary report, the FTC referenced the problems with anonymization and the disappearing distinction between personally identifiable information and non-personally identifiable information. The FTC relied on articles such as Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization by Paul Ohm and Robust De-anonymization of Large Sparse Datasets by Arvind Narayanan and Vitaly Shmatikov, relating to Netflix. However, the FTC narrowed the “reasonably linked to a specific consumer, computer, or other device” standard by creating another exception. A company will be able to take advantage of this exception if the company 1) takes reasonable measures to ensure that the data is de-identified, 2) publicly commits to maintaining and using the data in a de-identified fashion and not to attempt to re-identify the data, and 3) contractually prohibits any other entities from re-identifying the data, if it shares the information with others. This approach is different from the approach suggested by Jane Yakowitz in the Tragedy of the Data Commons article, which would have allowed a freer-flowing stream of anonymized data. Nevertheless, it allows entities to retain de-identified data for longer periods for research and to share it with others with reasonable assurance that they will not be held liable under the privacy framework.

Privacy by Design.
Since the release of the preliminary report, the FTC has reinforced the importance of the Privacy by Design prong of the privacy framework with the Google and Facebook enforcement actions. Therefore, the FTC remains committed to encouraging companies to make privacy the default option in the products and services they offer. As a result, the FTC believes that “[c]ompanies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.”

While the FTC’s data security requirements are easier to articulate based on its enforcement actions, the boundaries of the reasonable collection limits and data accuracy requirements remain less clear. The Sears enforcement action and the FrostWire enforcement action likely remain the important precedents for reasonable collection limits in the online context. In this final report, the FTC explains that “[c]ompanies should limit data collection to that which is consistent with the context of a particular transaction or the consumer’s relationship with the business, or as required or specifically authorized by law.” As a result, the relationship with the consumer plays a large role in what type of information should be collected from the consumer. This requirement also fits well with the Respect for Context principle of the Obama administration’s Consumer Privacy Bill of Rights.

However, the FTC’s approach to the Privacy by Design prong of the framework appears to be flexible, because different industries will need to collect different information.

Simplified Consumer Choice.
The FTC has further elaborated the different practices for which companies should obtain choice, while omitting choice in other, more obvious circumstances. The FTC states that “[c]ompanies do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer, or are required or specifically authorized by law.” The FTC further elaborates that “whether a practice requires choice turns on the extent to which the practice is consistent with the context of the transaction or the consumer’s existing relationship with the business, or is required or specifically authorized by law.” The reasons for this revision appear to be two-fold: to comply with the Consumer Privacy Bill of Rights context principle and to provide a more objective standard for when choice must be offered. Nevertheless, the FTC still believes that the five practices in the preliminary report—fulfillment, fraud prevention, internal operations, legal compliance and public purpose, and most first-party marketing—provide good examples of practices that would meet this standard.

With regard to practices that require choice, the FTC states that “companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data.” At least two of those circumstances would be when “(1) using consumer data in a materially different manner than claimed when the data was collected; or (2) collecting sensitive data for certain purposes.” However, the FTC notes that the time and manner in which the choice is offered will change from industry to industry and that there is no one-size-fits-all solution. In the online setting, the FTC suggested that offering the choice at account creation may be advantageous. However, for an offline retailer, this choice may be offered later, after waiting “for a disclosed period before engaging in practices for which choice is being offered.”

Finally, the FTC alluded to the possibility that a take-it-or-leave-it approach may be appropriate in some circumstances—such as where 1) there is adequate competition, 2) the transaction does not involve an essential product or service, and 3) the company clearly and conspicuously discloses the terms of the transaction.

With the Transparency prong of the framework, the FTC once again calls for “clearer, shorter, and more standardized” privacy policies, reasonable access to data, and consumer education. The FTC believes in standardized elements for privacy policies; however, it calls on industry to develop the format and terminology for these. The FTC also states that it will work with the Department of Commerce in developing these standardized elements.

The FTC also states that the right to access should be reasonable and, therefore, “proportional to the sensitivity and the intended use of the data at issue.” Once again, the FTC takes a sliding-scale approach to the disclosure of the information companies hold about individuals: the more sensitive the information, the more individualized the notice, access, and correction rights attached to the data.

The FTC has answered some questions with this final report; at the same time, it has left a lot to be decided by various industry groups, the Department of Commerce, and future workshops. As a result, the final report feels incomplete.

However, the final report is now supported by enforcement actions. The FTC has been able to get industry to move mainly on the strength of the enforcement actions it has brought since the preliminary report, including those involving Google, Facebook, cookies, and mobile apps. Therefore, the FTC has brought substantive enforcement actions to support many of the prongs of the preliminary report, even though other parts of the report appear to be best practices. However, the FTC seems to be looking forward to the solutions being worked out by the World Wide Web Consortium and the major browser developers for issues relating to behavioral advertising.

On the other hand, Congress has failed to pass the baseline privacy and data security legislation that the FTC called for. Therefore, the FTC’s privacy framework will likely continue to be a work in progress that takes more concrete shape with each future workshop. Companies should make plans to abide by the major points of the privacy framework created by the report and to contribute to the workshops and calls for comments by the FTC and the Department of Commerce.



Tuesday, February 07, 2012

Facebook Photos - Deleted or not?

We frequently draft or revise client data protection policies. As we work with them to design and implement such policies, we emphasize the importance of the minimization of personal data, including the deletion of personal data when it is no longer needed. This is particularly of interest when our clients store employee or customer personal data at a vendor or in the cloud.

On Monday, Ars Technica highlighted the challenges of deleting personal data in this article. In the article, the author notes that photos he requested to be deleted three years ago are still available.


Wednesday, January 25, 2012

European Commission Releases Proposed Revisions to the EU Data Protection Directive

by Mehmet Munur

The European Commission announced the proposed revisions to the EU Data Protection Directive today. The widely expected revisions will create uniformity by using a regulation instead of a directive, remove obligations to notify data protection authorities of data processing activities, require data breach notification, increase fines (up to 2% of a company’s global annual turnover), streamline access, introduce a right to be forgotten, expand Binding Corporate Rules to processors, and strengthen the Data Protection Authorities. The Article 29 Working Party also issued a press release supporting the new Regulation.

The proposed regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) creates a number of changes based on the Data Protection Directive. While some of the provisions, such as the fines and the right to be forgotten, may prove controversial, other provisions, such as the removal of the obligation to notify DPAs, will likely be celebrated. The Regulation uses some of the same terms as those defined in Directive 95/46/EC; however, it also introduces new definitions for terms such as personal data breach, genetic data, biometric data, binding corporate rules, and others. The Regulation also clarifies the transparency principle, the data minimization principle, and the obligation to obtain consent for the processing of personal data. The Regulation also introduces more detailed access rights for individuals, adding new elements relating to storage periods for personal information, the right of rectification and erasure, data portability, and complaint resolution. While these protections are likely to bolster the individual’s control over the personal information held by data controllers and processors, they will likely create additional burdens on data controllers and processors to enable data subjects to exercise these rights.

The Regulation also introduces new obligations on data controllers and data processors. The Regulation will require privacy by design and by default, explicitly introduce the principle of accountability, and clarify the responsibilities of joint controllers. The Regulation states that a data processor may be considered a joint data controller in the event it goes beyond the scope of the data controller’s instructions. This particular provision appears to be a result of the concerns the Article 29 Working Party had over processors such as SWIFT. The Regulation will also explicitly require the cooperation of both the data controller and the data processor with the Data Protection Authorities. The security obligations of the data controller include the obligation to notify the data subject of a breach of personal data. Currently, that proposal includes a “where feasible, not later than 24 hours after having become aware” provision. This provision is likely to be revised to a more reasonable time frame before the Regulation becomes law.

The Regulation makes the Data Protection Officer mandatory for the public sector, where processing is carried out by more than 250 people, and where the core activities of the controller or the processor consist of operations that require systemic monitoring of data subjects. German data protection law already provided such detailed requirements for the Data Protection Officer. Previously, the creation of such a position decreased the administrative burden on data controllers, including their obligation to notify the Data Protection Authorities of the processing of personal information. This approach is likely to continue under the new Regulation.

The Regulation also includes further details regarding international data transfers. It specifically mentions Binding Corporate Rules. These rules now specifically refer to a data processor’s, as well as a data controller’s, ability to obtain authorization for Binding Corporate Rules. This provision should allow service providers to obtain authorizations for BCRs and transfer personal information internationally without having to rely on Standard Contractual Clauses. However, the time and resources required to obtain authorizations for these BCRs may still be substantial. Considering that the Regulation may take some time, as long as a couple of years, to become law, we may not find out about this process for a while. Finally, the Regulation creates the European Data Protection Board, which replaces the Article 29 Working Party. This Board is to ensure the consistent application of the Regulation; review guidelines, recommendations, and best practices; and issue opinions, among other responsibilities.

The Regulation comes with both advantages and disadvantages compared to the current regime in place in the EU. On the one hand, the Regulation will likely foster a more uniform approach to data protection in the EU. Once the Regulation becomes law, member states will not be required to transpose it into national law. This will reduce local differences in the substance of the law. However, the Regulation still provides for independent Data Protection Authorities. These DPAs will ultimately have different interpretations of the Regulation as it interacts with local law and culture. The European Data Protection Board will hopefully have the effect of creating more uniformity. Many will likely celebrate the end of the notification of DPAs regarding the processing of personal information. These registers of personal information were mostly automated and reviewed by few, yet required the time and resources of many corporations. Their departure will allow the DPAs and the corporations to work on more substantive privacy and data protection issues. Assuming that the BCR process is further streamlined, we may see more companies and service providers getting in line to obtain authorizations. On the other hand, the right to be forgotten, the increased fines, and the restrictions on the legal basis for processing personal information will likely draw criticism. Hopefully, in the coming years, the Regulation will be revised to better balance some of the obligations on data controllers.
