The Guide reflects amendments to the Rule made last December, when the FTC revised the Rule to adopt the narrower definition of “creditor” that was included in the Red Flag Program Clarification Act of 2010 (see this post for additional details). The prior definition of creditor, which was originally so broad as to include virtually all businesses that accept deferred payment for goods or services, was limited to entities that grant credit or defer payment for goods and services and regularly and in the ordinary course of business:

• Obtain or use consumer reports (i.e., credit reports or other information obtained from a consumer reporting agency) in connection with a credit transaction;
• Furnish information to consumer reporting agencies in connection with a credit transaction; or
• Advance funds to or on behalf of a person, in certain cases.

To help businesses understand the type of conduct that would make them a creditor, the Guide presents a series of questions that businesses should ask, such as whether they regularly grant or arrange credit or whether they get or use consumer reports in connection with a credit transaction. The Guide also includes a series of FAQs to help answer some anticipated questions on the scope of the Rule and compliance with its requirements. For example, the FAQs help clarify that, for purposes of the Rule, “advancing funds” means making a loan or providing financing, but does not include deferring the payment of debt or the purchase of goods and services alone. The FAQs also explain that even a business that does not use credit reports directly—such as a company that contracts with a third party to pull consumers’ reports and evaluate their creditworthiness—is considered to be using credit reports regularly and in the ordinary course of business.

If a business has established that it is a financial institution or creditor, the next step is to determine whether the business’s accounts fall into one of two categories of “covered accounts”: (1) a consumer account that involves or allows multiple payments and transactions, and (2) any other account with a “reasonably foreseeable” risk of identity theft. The Guide includes tips on making this determination.

Finally, for businesses that are financial institutions or creditors that maintain covered accounts, the Guide concludes with a four-step process for complying with the Rule. First, there must be a written identity theft prevention program with reasonable policies and procedures in place to identity suspicious patterns or practices indicating the possibility of identity theft. Second, procedures must be in place to detect these patterns and practices as red flags for identity theft. Third, the program should spell out appropriate actions that need to be taken when a red flag is detected. And finally, the program must detail how it will be kept current to deal with new and emerging threats.

There is a fair amount of flexibility in the Rule, as indicated by this new Guide. Although the Rule has requirements on how to incorporate an identity theft protection program into the daily operations of a business, it allows flexibility in designing a program suited to the needs of a particular business, understanding that some business might require more complexity than others.

In all, the revised Guide provides a useful resource for businesses looking to determine whether they are subject to the Rule and/or to develop an identity theft protection program that meets the Rule’s requirements.

Adnan Zulfiqar, an associate in our Washington, DC office, contributed to this entry.

According to Fleur Pellerin, the French Minister for Digital Economy, the Minister of Justice has rejected the latest version of the draft EU Data Protection Regulation.  In Parliamentary questioning on 11 June, the Minister confirmed the French Government’s commitment to ensuring adequate protection of personal data, but stated that the French Government’s opposition is based on the current concept of “one stop shop” for data controllers established in more than one Member state of the European Union. This position follows the CNIL’s expression of concern because of the potential difficulties data subjects could face in submitting complaints to a foreign data protection authority.

On the topic of international transfers, the Minister for Digital Economy also mentioned the fact that the French Government called the current international transfers safeguards “not satisfactory at all” and, in particular the Safe Harbor system which has been described as “less protective than the European framework.” This position was later confirmed by the Minister and the President of the French data protection authority, Isabelle Falque-Pierrotin, in a debate held at the Parliament on “Internet and personal data.”

These statements confirm the current difficulties met by European authorities to reach an agreement on a new framework for data protection. It has been reported that other jurisdictions (e.g. Spain, Italy, and Germany) also have expressed their opposition to the text as is, which will certainly cause further delays in the adoption of the awaited reform.

Chambers USA

Chambers noted our practice for “outstanding client service and scope of knowledge,” and spotlighted our leading healthcare-focused work. Legal 500 sources said that they “value [our practice] for providing ‘pragmatic, business-relevant advice with minimal legalese.’”

The practice is also hailed as top tier global privacy and data protection practice by Chambers Global in its 2013 edition.

The key source of the Commissioner’s concerns is that the prescriptive nature of the Regulation will impose a significant additional administrative burden on regulators.  Coupled with the abolition of notification fees, the ICO’s current source of funding, the Commissioner suggests the ICO would no longer be able to intervene on the basis of risk and proportionality, and that this would make it less effective.

Aspects of the Regulation which the Commissioner identifies as being of particular concern are:

• The emphasis on punishment and sanctions at the expense of awareness raising and education
• The requirement for all data breaches to be notified to Data Protection Authorities, rather than just those that pose significant risk
• Prior authorization to be required for international transfers where this is not required under current regime
• Limited discretion for Data Protection Authorities over administrative sanctions, which are imposed on the basis of process failures rather than privacy risks
• Participation in a consistency mechanism that is insufficiently risk-based and contains unrealistic time limits

On April 26th, the Spanish Data Protection Agency (“SDPA”) issued its long-awaited guidance on the Spanish cookies regulation, which requires companies seeking to place cookies on users’ devices to obtain those users’ prior opt-in consent after providing them with clear and complete information about the use of cookies and the purposes for which data collected via cookies will be processed.  The guidance, which the SDPA drafted in collaboration with industry, takes a business-oriented approach and provides companies with several alternatives for complying with the regulation’s notice and consent requirements. 

The cookies regulation is set forth in Article 22.2 of Act 34/2002 on Information Society Services and Electronic Commerce, which was amended by the Royal Decree Law 13/2012 in 2012 to implement the EU e-Privacy Directive in Spain.

Notice

In the guidance, the SDPA sets forth a number of different ways that notice can be provided to users, including by providing the requisite information to users in two steps or layers. In the “first layer”, users accessing a website would be informed, through a banner, of the fact that the website uses cookies, the purposes for which cookies are installed on users’ devices, whether cookies belong to the website owner or to a third party, and the specific action that would constitute consent to the use of cookies.  The “first layer” would also include a link to the “second layer” (i.e., the “cookies policy”), which would contain more detailed information about the use of cookies.

Consent

The SDPA states in the guidance that implied consent may constitute valid consent to the use of cookies. However, the SDPA clarifies that silence or inaction does not constitute valid consent. Rather, a user must perform a conscious and positive action in order to provide his/her consent. Examples of such an action include clicking on any content on the website or using the scroll bar within the website. In any event, as noted above, in order for an action to constitute consent, users must be informed that by performing such an action they are consenting to the use of cookies.

The SDPA also states in the guidance that a company may obtain consent from users not only for the use of cookies on the website on which such consent is requested, but also for the use of cookies on similar websites operated by that company.

Third Party Cookies

Finally, the guidance examines situations in which websites use cookies that belong to a third party (i.e., third party cookies). With respect to third party cookies, the SDPA states that both the website owner and the third party controlling the cookie are responsible for complying with the cookies regulation (e.g., providing notice and obtaining consent).

Enforcement

Following the release of the guidance on the cookies regulation, it is likely that the SDPA will pay greater attention to companies’ policies and procedures regarding the use of cookies. Therefore, companies should review their cookies-related policies and procedures in order to ensure they are consistent with the criteria set forth by the SDPA in the guidance.

Specifically, the UK government is preparing an initial impact assessment on the potential effects of the Directive in the UK and has launched the call for evidence in order to gather data to inform the evidence base for this assessment. The consultation document invites evidence in three main areas:

• information on what the requirements and costs are for existing reporting mechanisms;
• input on the additional requirements and costs for business if the measures set out in the Directive are implemented; and
• views on additional benefits which would result from implementing the measures set out in the Directive.

The consultation closes on June 21, 2013, and is available here.

The discussion is centering on how, in addition to the current focus on notice, choice, and purpose specification at time of data collection, use analysis can be used a tool of data protection.  There is a focus on the “harms” or “impacts” of information to help guide determinations about uses and use conditions in context.  The participants seem to agree a use analysis can serve as means effectively to implement the Fair Information Practice Principles (FIPPs), helping to determine when and how notice, consent, access, etc. can be implemented.  Focusing on use in a sense shifts the analysis away from relying predominantly on the protections at the time of collection of data, which makes sense in a world where there are multiple channels of collection of data about people, as well as potential beneficial (and non-risky) uses of data for “Big Data” analytical purposes.

Documents relevant to the discussion include the English translation of the CNIL’s 2012 report, Methodology for Privacy Risk Management, and the World Economic Forum’s 2013 report, Unlocking the Value of Personal Data: From Collection to Usage.

The White Paper  follows Wolf and Maxwell’s 2012 White Paper, A Global Reality: Governmental Access to Data in the Cloud, which debunked the oft-repeated misconception of critics of the U.S. government that the 2001 USA PATRIOT Act gives U.S. law enforcement greater powers of access to data stored with a third-party Cloud computing service than governments elsewhere.  Most recently, these critics have focused their attention on another law, Section 702 of the Foreign Intelligence Surveillance Act (“FISA”), enacted under the FISA Amendments Act of 2008 and codified at 50 U.S.C. § 1881a (frequently referred to just as Section 1881a), which sets out rules governing the surveillance and collection of evidence about persons suspected of being part of a terrorist organization or acting as spies for foreign governments.  One member of the European Parliament is quoted as saying recently that FISA allows the US government to “browse the cloud without a warrant.”

The White Paper, which compares Section 1881a to procedures in similar investigations in Australia, Canada, France, Germany, and the United Kingdom, concludes that Section 1881a imposes at least as much, if not more, due process and oversight on foreign intelligence surveillance than other the other countries afford in similar circumstances.  Section 1881a contains codified rules and procedures governing such surveillance — particularly the limitation to the investigation of statutorily-defined “foreign intelligence information,” judicial oversight, and legislative oversight — that impose detailed restrictions on law enforcement officers.

Incongruously, some commentators compare Section 1881a to normal criminal investigations in Europe.  That is comparing apples to oranges.  Because countries generally provide greater and more visibly protective due process protections in standard criminal proceedings than when conducting foreign intelligence surveillance, it is misleading to compare standard criminal investigative procedures in Europe with American foreign intelligence procedures under Section 1881a.

The New York Times reported on May 13 that U.S. companies showed up in force at the International Data Protection Day conference that day in Berlin.  The Times article also mentioned the presence of Hogan Lovells at the conference.  In addition to the heightened interest in data protection evidenced by U.S. business that is described in the NY Times, the Berlin conference showcased the continued sparring between the EU and the U.S. on the adequacy of U.S. privacy laws and also provided a comprehensive update on data protection developments worldwide.  The topics for the day began with the proposed EU data protection regulation and ended with U.S. privacy and security enforcement, with numerous developments in other countries sandwiched in between.

In the Times article, the reporter focused on the determined opposition of U.S. technology companies to the proposed EU data protection regulation, which contains unworkable requirements like the “Right to be Forgotten” and staggering penalties of up to 2% of a company’s worldwide “turnover” (i.e., global revenue).  The article notes that the parliamentary vote on the regulation has been delayed by a large number of proposed amendments.

Indeed, a view circulating sotte voce at the conference was that the arguments of those technology companies may be having their intended result.  The threat of choking off future investment in the EU, coupled with the current economic downturn, may have created at least momentary hesitance among those whose support is necessary for the EU regulation to be adopted.

However, it was David Vladeck and U.S. enforcement that may have created the biggest stir the first day of the conference.  Giving a spirited defense of U.S. privacy and security laws, which the EU tends to discount and still finds “inadequate”, Vladeck, former Director of the FTC’s Bureau of Consumer Protection, enumerated an impressive list of aggressive privacy and security enforcement actions undertaken by the FTC.  The EU may have more stringent requirements, but it is known also for a noticeable lack of enforcement.

Drama aside, the bulk of the first day of the conference was devoted almost entirely to data protection laws in countries other than the EU or the U.S., a subject that may not be as provocative as the new regulation or the EU-U.S. name-calling, but in the end may be more noteworthy.  Speakers described numerous developments in Asia, Latin America and the Middle East, virtually all of which adopt an EU-like approach to data protection regulation, though each with its own twist.

The take-home from the first day of the conference was that data protection laws are here to stay and global businesses may ignore them at their peril.  In the end, the laws of countries other than the EU and U.S. may pose the greatest challenges to businesses.  More than 90 countries were reported to have adopted data protections laws and the number continues to increase.  Companies are faced with somehow harmonizing these laws into coherent and workable data protection compliance programs.  To make matters worse, these international laws in many cases appear to combine the most demanding aspects of both the EU and U.S. approaches–stringent requirements and vigorous enforcement.