HL Chronicle of Data Protection

Thoughts on Privacy and Data Security from the May 11 PLI Cloud Computing Seminar

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Tue, 15 May 2012 09:54:24 -0500

Every one of the eleven presenters at a May 11 Practising Law Institute seminar program entitled “Cloud Computing 2012: Cut Through the Fluff and Tackle the Critical Stuff” recognized privacy and data security as critical issues faced by cloud computing customers and service providers alike. Opening the program with an introduction to cloud computing, program co-chair Janine Anthony Bowen, a partner at Jack Attorneys and Advisors (Atlanta), characterized privacy and data security as risks that must be recognized and managed by those seeking the cost savings, scalability and other benefits that cloud computing can offer. Her co-presenter, Rachel Beth Evans, Senior Legal Counsel at Accenture (San Francisco), included privacy and data security among the primary areas on which prospective cloud computing customers should pursue due diligence inquiries with respect to their own needs, based not only on the types of data they propose to put into the cloud but also service provider policies and practices.

Hogan Lovells partner Chris Wolf (Washington, DC) surveyed the panoply of laws and regulations with which cloud computing customers and, in many cases, service providers must comply. He also offered attendees a preview of a Hogan Lovells White Paper that surveys the rights of national governments in ten jurisdictions to access data in the cloud. The complete White Paper will be published on this blog on May 23. Audrey Roh, Senior Attorney with the U.S. Department of Housing and Urban Development (Washington, DC), who surveyed cloud computing initiatives by U.S. government agencies, highlighted “information security, cybersecurity and privacy” as challenges in government cloud computing contracts. Her co-presenter, Jason Silverman, a partner at McKenna, Long and Aldridge (Washington, DC), directed attention to compliance with export regulations in connection of movement of data to the cloud and discussed “deemed exports” that can occur even when service providers do not send data outside the country.

Megan Herzler, Assistant General Counsel and Director of Data Privacy at Xcel Energy (Minneapolis, MN), and Boris Segalis, a partner at InfoLawGroup (New York City), offered practical guidance for managing privacy and data security risks in cloud computing transactions beginning with RFPs and service provider due diligence and continuing through the life of a cloud computing contract. Their thought-provoking recommendations included the importance of making preparations for the eventuality of a data security breach and having in place contractors who can assist with responses such as breach notification, credit monitoring and call center support for affected persons. Hogan Lovells partner Philip Porter (Northern Virginia), a program co-chair, and H. Ward Classen, Deputy General Counsel of Computer Sciences Corporation (Hanover, MD), engaged in a mock negotiation of a hypothetical cloud computing contract, which included defining privacy and data security obligations and remedies for breach of those obligations. The program concluded with a dialogue by Jeremy Feinberg, Statewide Special Counsel for Ethics for the New York State office of Court Administration, and Maura Grossman, a partner at Wachtell, Lipton, Rosen & Katz, on obligations of lawyers to their clients when the lawyers move client data to the cloud. At the forefront of these obligations is the use of reasonable care in selecting service providers and in exploring the service providers’ policies and procedures for maintaining the confidentiality and security of client data.

While the program explored a broad range of issues that must be addressed and risks that must be managed in cloud computing transactions, the presenters made it clear that privacy and data security issues are in the forefront. Practising Law Institute will sponsor a similar program in San Francisco and by webcast on June 11.

ABA Commission Proposes Ethics Rule Requiring Adequate Data Security

scott.loughlin@hoganlovells.com (Scott Loughlin) — Mon, 14 May 2012 03:59:47 -0500

Data protection long has been a legal responsibility for lawyers. The American Bar Association now is proposing to make clear that the protection of a client’s data is an ethical responsibility of the lawyer as well.

The Commission on Ethics 20/20 of the American Bar Association released its Report to the House of Delegates recommending several modifications to the ABA Model Rules of Professional Conduct regarding lawyers’ use of technology and protection of client confidences. The proposals will be considered at the ABA’s 2012 Annual Meeting, and several of these proposed modifications incorporate established concepts from existing data protection and breach notification laws.

Comments to existing Rule 1.6 of the ABA Rules indicate that lawyers must act competently to safeguard information against inadvertent or unauthorized disclosures. The Commission concluded, however, that “technological change has so enhanced the importance of this duty that it should be identified in the black letter of Rule 1.6 and described in more detail through additional Comment language.” The proposed Model Rule 1.6(c), which uses language commonly found in data breach notification statutes, states:

A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to information relating to the representation of a client.

A Comment explains that an unauthorized disclosure is not a violation of the proposed Rule if the lawyer made “reasonable efforts” to avoid the disclosure. In evaluating whether reasonable efforts were made, the proposed Rule cites the following factors:

sensitivity of the information
likelihood of disclosure if additional safeguards are not employed
cost and difficulty of implementing additional safeguards
extent to which the safeguards adversely affect the lawyer’s ability to represent clients

The Commission also proposes that the ABA develop and offer a “user-friendly website” to provide guidance on lawyers’ use of common technology, information about the latest data security standards and the administrative, technical and physical safeguards that should be implemented by lawyers. The website will be designed to respond to rapidly developing security standards in a way that ethics rules cannot.

In addition, the Commission proposes to make clear that a lawyer’s professional duty of competence includes knowledge of the “benefits and risks” of technology associated with the legal practice. In the words of the Commission, “lawyers must understand technology in order to provide clients with the competent and cost-effective services that they expect and deserve.”

These proposed Rules together serve as a reminder of the importance of implementing effective policies and procedures that prevent a data breach. A breach already frequently results in significant financial and reputational costs under existing laws, and now the Commission has made clear that a breach may affect a lawyer’s status with the bar and legal practice. In the event that other professional accreditation bodies follow the Commission’s lead, the consequences of a breach will only become more widespread and punitive to businesses and professionals alike.

Capitol Hill Focus on Privacy Reveals Rifts; Upcoming Program in House Announced

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Fri, 11 May 2012 08:32:08 -0500

The headline in The Hill reads"Senators Clash Over Internet Privacy" and describes Wednesday's hearing on consumer privacy before the Senate Commerce Science and Transportation Committee. On one side -- Senators Rockefeller (D-WVA) and Kerry (D-MA), strong proponents of baseline privacy legislation, and on the other was Senator Pat Toomey (R-PA), who questions whether there is the need at all for legislation and who expressed concern over compliance costs threatening innovation. Caught in the cross-fire were FTC Chair Jon Leibowitz and Department of Commerce General Counsel Cam Kerry, who were discussing the details of proposed legislation and enforceable self-regulatory regimes. Committee Chair Rockefeller promised to move privacy legislation this year, and Senators Kerry and McCain, authors of a comprehensive bill, have offered to compromise, but most observers agree that passage of a privacy law is unlikely this year.

A timely program on pending proposals will be presented by the Congressional Internet Caucus Advisory Committee in the Rayburn House Office building on Monday, May 14, moderated by Hogan Lovells privacy leader Chris Wolf.

Some highlights from Wednesday's hearing:

I am afraid … that the need to monetize consumers' data will win out over privacy concerns

Self-regulation is inherently one-sided

Consumers' rights always seem to lose out to the industry's needs.

-- Senator Jay Rockefeller

Neither this committee … nor the Commerce Department fully understand what consumers want or need with regard to privacy

It's important that companies have maximum flexibility to work with their customers. Companies are already currently competing on privacy. This is a sign of a healthy, functioning and competitive market — something we should be encouraging.

-- Senator Pat Toomey

Only companies that profit from assembling personal information have yet to conclude there is a need for comprehensive privacy legislation.

-- Senator John Kerry

Myspace Settles with FTC Regarding "Constructive Sharing" of PII with Third-Party Advertisers

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Tue, 08 May 2012 20:44:15 -0500

On May 8, the Federal Trade Commission agreed to settle allegations that Myspace misrepresented its data practices regarding the use and sharing of its users’ personally identifiable information, a deceptive act or practice in violation of Section 5 of the FTC Act.

The primary data practice at issue was Myspace’s sharing of the unique identifier assigned to the profile of each Myspace user (called a “Friend ID”) with third-party advertisers, who could then use the identifier to access that user’s profile (and the PII maintained on that profile), a practice which the FTC alleged was contrary to Myspace’s representations regarding its use and sharing of PII.

The FTC focused on the fact that the Friend ID, despite being non-PII, was linked to a user’s Myspace profile so that third-party advertisers could use the Friend ID to easily obtain the PII resident on a user’s profile. In effect, the FTC took the position that by sharing the Friend IDs with third parties, Myspace also constructively shared all of the PII accessible from a user’s Myspace profile with those third parties. As such, this enforcement action may signal that a business can’t get around promises not to share PII with third parties by simply sharing a piece of non-PII that enables a third party to subsequently obtain access to PII maintained by that business.

In this case, the non-PII at issue was directly linked to PII – as the unique Friend ID was the only information needed to locate a user’s online profile – so the FTC alleged that Myspace should have foreseen that the third-party advertisers would be able to obtain access to users’ PII. However, it remains to be seen if the FTC will apply this concept of constructive sharing of PII to situations where the downstream linkage of non-PII to PII by third parties is less foreseeable (e.g., if a third party employs a sophisticated de-anonymization algorithm to re-identify an individual based on non-PII obtained from a business).

Myspace assigned each user profile a unique Friend ID, and a user’s online profile could be accessed by typing the Friend ID assigned to that profile in the URL after the slash in “www.myspace.com/”. By pulling up a user’s Myspace profile, one could obtain access to “basic profile information,” including the user’s profile picture, location, gender, age, display name, and full name (unless the user has elected to opt out of making his or her full name public, an election which the FTC reported, as of July 2010, was made by only approximately 16% of Myspace users). In addition, if a user had chosen to make his or her profile available to anyone, the Friend ID could be used to obtain access to any information or content – such as photos, videos, messages, and comments – on the user’s Myspace profile. Thus, the Friend ID was the key which enabled anyone to obtain access to a significant amount of PII about a Myspace user.

Myspace displays advertisements on its site that are served by third-party advertisers, and the FTC alleged that Myspace shared the Friend IDs (as well as the ages and genders) of users that clicked on these advertisements with the third-party advertisers. Due to this data sharing, a third-party advertiser would be have been able to use the Friend IDs to access users’ Myspace profiles and gather the PII noted above, such as the users’ full names, which the third-party advertiser could combine with any information obtained via cookies in order to target ads to those users.

The FTC noted that Myspace failed to always fully encrypt the Friend IDs and other information provided to third-party advertisers. Although the FTC did not elaborate on this point, the reference to encryption raises the question of whether the FTC would have deemed Myspace’s data sharing practices to be in compliance with federal law if the Friend IDs had been encrypted in the hands of both Myspace and the third-party advertisers at all times.

The FTC’s Complaint – Myspace Misrepresented Its Data Practices

In pertinent part, Myspace represented that: (1) it would not use or share a user’s PII with third parties without first providing notice to and obtaining consent from users; (2) the customization of advertisements on the Myspace site did not allow third-party advertisers to obtain a user’s PII or to individually identify the user; and (3) a user’s web browser activity was anonymized when shared with third-party advertisers. However, in its complaint (PDF), the FTC alleged that Myspace’s practice of sharing Friend IDs with third-party advertisers was contrary to these representations. To this point, the FTC noted in its news release that “[a]dvertisers could use the Friend ID to locate a user's Myspace profile to obtain personal information publicly available on the profile and . . . could combine the user's real name and other personal information with additional information to link broader web-browsing activity to a specific individual.” As such, these representations were false or misleading, and constituted deceptive acts or practices in violation of Section 5 of the FTC Act.

The FTC also alleged that Myspace failed to comply with the substantive privacy requirements of the US-EU Safe Harbor Framework ("Safe Harbor"), which was contrary to its representations that it was in compliance with Safe Harbor. This misrepresentation also constituted a deceptive act or practice in violation of Section 5 of the FTC Act.

Terms of the Proposed Settlement

The proposed consent decree (PDF) prohibits Myspace from misrepresenting its data practices, including the extent to which it shares certain information with third parties and the extent to which it complies with the US-EU Safe Harbor Framework. In addition, Myspace is required to implement a comprehensive privacy program, obtain biennial assessments of its comprehensive security program for a period of 20 years, and comply with several reporting and administrative requirements.

Online Tracking for Analytical Purposes Explained

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Sun, 06 May 2012 08:39:57 -0500

With his co-chair of the Future of Privacy Forum Jules Polonetsky, Hogan Lovells Privacy practice leader has authored a piece in the Huffington Post on the reasons for, operation of and benefits of online tracking for analytical purposes (as contrasted with tracking for targeted ad delivery). The piece is re-printed in its entirety here:

There has been much attention and debate over Web tracking for the past decade. Many of the concerns focus around behavioral advertising, the widespread practice of ad networks that use cookies to keep track of the site's users visit in order to tailor the ads they see across the Web. Advertising trade groups claim that the practice is needed to provide ads that are relevant to users. But critics consider the ads are subliminal, unfairly manipulating users based on secret information. Others are concerned about the creation of profiles that could be used to discriminate against users who visit health-related or other sensitive sites. And some just think the ads are creepy.

Industry has responded by labeling the ads with a symbol that is intended to alert users about the tracking and how they can opt-out of the targeting. The Federal Trade Commission has upped the ante, pressing for a Do Not Track feature that would allow users to tell websites via their browser that tracking was verboten. The Obama administration has jumped in, applauding a compromise agreement by trade groups to halt tailor of ads when users activate the Do Not Track option.

The debate continues, with companies claiming the extra revenue from data-targeted ads is needed to support Web publishers and with advocates continuing to object to the practice as unfair.

The fireworks around behavioral ads have obscured many of the other, less provocative reasons that websites work with tracking companies. By setting a unique number, a cookie, on users' browsers, websites and advertisers can know how many unique users visited a website or saw an ad that was delivered across many sites. They can frequency cap an ad to make sure that each user sees the giant pop-up ad that slows access to the site only one time. By reading the same cookie relayed by a user on a website when an ad is delivered and then again when a user visits an advertiser's site, the company can learn which ads are bringing users to their site.

But what about users who see banner ads online and then end up purchasing at the store? Although online commerce is growing rapidly, most purchases are still made by users showing up in person at a store. Major offline retailers won't spend their dollars online without some understanding of whether the online ads they pay for are working. How can an advertiser who buys ads online learn that users who saw the ads are more likely to spend at their store than users who were not exposed to the ads?

Despite the challenge of the jump from virtual ad to physical store, savvy research analysts have long figured out how to provide advertisers with reports that do just that. Here is how it works: An advertiser buys ads that are delivered by an ad server on the site of a Web publisher such as AOL, Yahoo or the Wall Street Journal that has a substantial number of registered users. Each time an ad is delivered, a flag is added to the profile the publisher has about the user who saw the ad. The user's name is then hashed and the hash, with its flag, is sent to a service provider who will help join the "anonymized" data. That same service provider has been holding a similarly hashed copy of sales transactions from the retailer's customer database. The hashed users from the publisher are matched with the corresponding retailer data and a report is prepared. This summarized report tells the retailer, if the ads have been working, that customers who made large purchases or many purchases were more likely to have seen the advertiser's ads than the general audience.

This practice of tracking users to prepare summarized analytic reports such as this is now fairly commonplace. Some companies go to great lengths to ensure anonymity using encryption and third-party doubleblind processes via intermediaries to add privacy protections to the procedure. Leading companies are proud of their successful ad campaigns and publicize case studies proclaiming the prowess of their ads.

Some critics point out that TV, radio and magazine advertisers measure ad effectiveness using research panels of users who sign up to provide feedback. Why do websites need to measure effectiveness with greater precision, given the complaints about tracking? But these other media can rely on the power of their message which is supported by sound, pictures, and emotional stories. Users can recall the good ads, and the best become part of pop culture. "Good to the last drop" -- Maxwell House. "If I were an Oscar Meyer Weiner." "Mikey likes it!"

The tiny Web banner ad can hardly compete with TV, radio and magazines except for in one way, in being precisely measurable.

And that's the rest of the story.

The authors are co-chairs of the Future of Privacy Forum, a think tank dedicated to advancing responsible data practices.

SEC and CFTC Propose Identity Theft Red Flags Rules

michael.epshteyn@hoganlovells.com (Michael Epshteyn) — Thu, 03 May 2012 09:18:06 -0500

May 7, 2012 marks the end of the comment period for the proposed identity theft red flags rules and guidelines issued jointly by the Securities and Exchange Commission and the Commodities Future Trading Commission. The Proposed Rules, which would apply to certain broker-dealers, investment companies, investment advisers, futures commission merchants, commodity pool operators, introducing brokers, and other SEC- and CFTC-regulated entities, are substantially similar to the identity theft red flags rules and guidelines issued in 2007 by the Federal Trade Commission and the federal banking agencies ("FTC Red Flags Rules") pursuant to the Fair and Accurate Credit Transactions Act ("FACTA"), which amended the Fair Credit Reporting Act ("FCRA").

The Dodd-Frank Wall Street Reform and Consumer Protection Act further amended the FCRA and transferred rulemaking and enforcement authority over the identity theft red flags rules to the SEC and CFTC with respect to the entities under their jurisdiction.

Importantly, the Proposed Rules do not contain new requirements that are were not already included in the FTC Red Flags Rules, nor do they expand the scope of those rules to cover entities that were not previously subject to their requirements. The SEC and CFTC noted in the preamble to the Proposed Rules that most of the entities over which they have jurisdiction are likely to already be in compliance with the FTC Red Flags Rules to the extent their activities fall within the scope of those regulations. Thus, these entities would not need to implement new red flags programs in response to the Proposed Rules. However, because the FTC Red Flags Rules were not specific to the securities industry and there was some confusion as to which entities were subject to their requirements, the Proposed Rules should help clarify the circumstances in which the red flags requirements apply.

However, because the FTC Red Flags Rules were not specific to the securities industry and there was some confusion as to which entities were subject to their requirements, the Proposed Rules should help clarify the circumstances in which the red flags requirements apply.

The Proposed Rules, like the FTC Red Flags Rules, apply to "financial institutions" and "creditors" that offer or maintain "covered accounts," including all accounts that "a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions" as well as "any other account ... for which there is a reasonably foreseeable risk to customers ... from identity theft." The Proposed Rules clarify that the term "financial institution" includes any "futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, swap dealer, or major swap participant that directly or indirectly holds a transaction account belonging to a consumer." The Proposed Rules also apply to broker-dealers, registered investment advisers, and registered investment companies that meet the definitions of "financial institution" or "creditor" under the FCRA. Additionally, under the Proposed Rules, "covered accounts" include margin accounts and brokerage or mutual fund accounts that permit wire transfers or other payments to third parties.

Under the Proposed Rules, each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. If so, the entity must develop and maintain a written identity theft prevention program that includes reasonable policies and procedures to:

identify relevant "red flags," which are patterns, practices, or specific activities that indicate the possible existence of identity theft in connection with a covered account;
detect red flags that have been incorporated into the program;
respond appropriately to any red flags that are detected; and
update the program periodically to reflect changes in risk.

The initial written program must be approved by the board of directors or a committee of the board of directors, and the board or senior management must be involved in the oversight and administration of the program. In addition, the program must provide for appropriate staff training and oversight of service provider arrangements.

Entities that are regulated by the SEC or CFTC but have not implemented an identity theft prevention program under the FTC Red Flags Rules should evaluate whether the Proposed Rules apply to their circumstances.

A copy of the Proposed Rules is available here. As noted, comments on the Proposed Rules are due by May 7.

Blogging from the IAPP London Data Protection Intensive

quentin.archer@hoganlovells.com (Quentin Archer) — Thu, 26 Apr 2012 11:50:11 -0500

This report is provided by London partner Quentin Archer:

London, April 26 2012: IAPP Europe is currently holding its Data Protection Intensive 2012 in London, of which Hogan Lovells is a sponsor. On the second day the conference heard from keynote speakers on the regulatory landscape in Ireland and on the economics of privacy.

Billy Hawkes, Data Protection Commissioner for Ireland, spoke in particular about the audit of Facebook carried out by his office. Alessandro Acquisti of Carnegie Mellon University illustrated with some interesting examples how transparency and control are not enough to ensure privacy. Privacy was instead more about protection from control.

In describing the general approach of his office, Billy Hawkes said that concerns of privacy should ideally not inhibit innovation. The office should act as an enabler, and it followed the "yes, but" approach of the UK Information Commissioner.

There had been a lot of focus on social networks. They were designed for data sharing, and were a free service in exchange for personal data used to target advertising. People make their own choices, so much of the responsibility lies with the individual. But choices must be made clear. Data protection law guarantees some control, but once you've signed up it's not hugely different from another deal - as long as the user knows what the deal is.

The Article 29 Working Party's WP 163 is helpful in analysing the legal relationships. A lot of activities fall outside data protection law. But there is frequently a record kept of what may be essentially a private conversation. The network provider must guarantee basic access rights as well as other fundamental data protection rights.

He went into some detail on the audit of Facebook which his office had undertaken in 2011. This had been a public audit, with the agreement of the company. The scope of the audit was wide, since for users in Europe, the Middle East and Africa their agreement is with Facebook Ireland. The office conducts about 30 audits a year, but usually these are not made public.

In conducting the audit the Commissioner took account of complaints and comments received from the Norwegian Consumer Council and an organisation called "Europe - v - Facebook" run from Austria. The audit took three months. Facebook fully co-operated. The report was published just before Christmas 2011. It made various recommendations with a timetable for implementation over six months and a formal review in July 2012.

In relation to transparency, the recommendations were that there should be a clearer data use policy, more prominent information on photo tagging, and clearer information on ad targeting and third party applications. On user control there should be informed choices on data sharing, rights of access, membership of groups, and control over applications. There should be an ability to opt out of tagging, and control over the extent of the audience for data posted on the site.

On data retention there needed to be a proper data retention policy, and a greater ability to delete data items and whole accounts. Regarding security and compliance there should be more oversight over third party apps and employee access to data. The European compliance function should be strengthened.

Much action had already been undertaken by Facebook and the Commissioner's office had remained in contact with them. Based on their dealings with the company to date they did not expect to use enforcement powers. It was possible that some issues would be raised in the courts, if for example the Europe - v - Facebook group didn't agree with the results.

Under the proposed EU Framework other DPAs would have the right to take part. The case highlighted the need for international co-operation, in particular with US and Canadian authorities. The new Regulation should recognise this international dimension. There must not be a "Fortress Europe" approach.

A principal contribution of EU data protection law was to give the user control over their data. One key conundrum was the extent to which terms and conditions can be offered on a "take it or leave it" basis. Another was how far the legitimate interest test could really extend.

Alessandro Acquisti of Carnegie Mellon University spoke about the economics of privacy.

He said that privacy was about transparency and control, but these were perhaps not enough to guarantee privacy. A lot depended on how the user was treated.

As an illustration he described how when you frame a problem you influence the solution. His team had gone to a mall outside Pittsburgh and offered people free VISA spending cards. One was a 10-dollar card whose utilisation by the user was not tracked. The other was a 12-dollar card whose use was tracked. Half the group were first offered a 10-dollar card and later told the 12-dollar card was available. The other half were offered the 12-dollar card first. The attitude people had to privacy seemed to depend on whether they were first offered a 10-dollar card or a 12-dollar card. One in two people given the 10 dollar card first did not want to trade up to the 12, but only 10% first offered the 12-dollar tracked card opted to trade down to the anonymous 10-dollar card.

Control can lead to paradoxical outcomes. Can more control lead to less privacy?

He had devised a questionnaire on ethical behaviour. Some questions asked about sensitive matters, others not. All respondents were told that answers to all questions were voluntary. However, half the respondents were in addition given a permission check box which they could fill in so that they could positively consent to release of data on certain answers. It seems that people given the check box option felt that they had more control, and as a consequence those respondents allowed more publication of their responses, particularly in relation to the more intrusive questions.

As for transparency, less than 3% of users read privacy policies. 75% of people think that the existence of a privacy policy implies protection. 54% of policies were beyond the grasp of 57% of internet users.

There could be "sleights of privacy", as a conjuror may have a sleight of hand. As an example he cited a questionnaire given to students. Some students were told that only their fellow students would see their responses, while others were told that both students and faculty members would see them. There was a higher propensity to answer questions in the first group, as one would expect. However this difference vanished in the second group if there was a delay between notice and answer – even a delay of 10 seconds. The same happened if respondents were distracted by another question.

There was also the issue of pervasive influence, or biased judgments. He gave an example of tests carried out on respondents who were asked to consider information about a fictional character and conclude whether they liked him or not. The results showed that respondents valued a recent good deed, but ignored an old one. However they deprecated a bad deed, however long ago it might have been.

Technology now provided the ability to find out a great deal about people. He gave the example of how it was possible to identify someone from a photograph using facial recognition software and social network data, from which social security numbers and even credit scores could be derived. All of this was publicly available.

In conclusion he said that privacy was more about protection from control. Regulation was important, as there was so much opportunity for deception. Default settings were crucial. Privacy enhancing technologies were increasingly good, and if we could incentivise the deployment of PETs we would have our cake and eat it!

Blogging from IAPP London: BCRs Key to Accountability and Interoperability

winston.maxwell@hoganlovells.com (Winston Maxwell) — Thu, 26 Apr 2012 08:57:23 -0500

Binding Corporate Rules (BCRs) were the focus of a session yesterday at the IAPP Europe Data Protection Conference in London. Florence Raynal from the French data protection agency (CNIL) stressed that BCRs not only facilitate cross-border data transfers, they constitute the backbone for global privacy compliance programs and accountability. The CNIL is working on a toolkit for BCRs, focusing on their scalability for small- and medium-sized enterprises. Accenture's Bojana Bellamy stressed that privacy compliance needs to be brought into a corporation's mainstream compliance programs, just like anti-corruption, competition and financial reporting.

Bellamy challenged the idea that BCRs have to be pre-approved by DPAs: "Safe Harbor is based on self-certification, standard contractual clauses are too, why should BCRs be the exception?" Raynal said that prior review of companies' BCRs was important to identify serious gaps, such as the absence of a liability clause. "We're reviewing these BCRs not only on our own behalf, but on behalf of the other European DPAs. We have to do a good job." Richard Thomas of LLD predicted that once BCRs take off, DPAs won't be able to cope with the volume. "Self-certification has to be the final objective here," Thomas said.

Are BCR's inevitable? "BCRs are synonymous with effective compliance programs," according to Raynal. They establish rules, and procedures to make sure that the rules are effectively applied, through internal controls, training, and audits. This is exactly what the draft EU Data Protection Regulation will require from all companies. The panel expressed some frustration that the draft Regulation treats BCRs only in the context of international data transfers, instead of addressing them as a means of implementing full accountability under Article 22 of the draft Regulation.

One member of the audience recommended that EU and US policymakers abandon the labels "BCRs" and "Safe Harbor" when they speak about interoperability. "We should use a neutral term such as "compliance programs," so we're talking the same language. In a later session, Caitlin Fennessy of the US Department of Commerce said that the work that the CNIL and the Department of Commerce are doing to map BCRs to the APEC Cross Border Privacy Rules (CBPR) is an excellent practical example of interoperability.

IAPP panelists agree BCRs have a bright future, but that their utility would be enhanced if they permitted free data transfers between different BCR-holding organizations as well as with organizations certified under the APEC CBPR framework. If that were to occur, BCRs could help deliver global interoperability, the holy grail of global privacy professionals and regulators.

Blogging from the IAPP London Data Protection Intensive

quentin.archer@hoganlovells.com (Quentin Archer) — Wed, 25 Apr 2012 13:05:18 -0500

This report is provided by London partner Quentin Archer:

London, April 25 2012: IAPP Europe is currently holding its Data Protection Intensive 2012 in London, of which Hogan Lovells is a sponsor. The conference heard from specialists in the Nordic countries on current issues in the region, concentrating in particular on cloud computing.

The contributions from speakers from Finland, Sweden and Norway demonstrated that there was advanced consideration of cloud computing issues, including in particular three recent decisions of the Swedish regulator. They had collaborated on an investigation into Facebook. However there were also practical differences in regulation in the region which needed to be addressed.

Reijo Aarnio, Finnish Data Protection Ombudsman, stated that education was a large part of his task. He promoted data protection teaching as part of schooling. As a result of the activities of his office, data protection was also being considered actively in the context of new legislation in various areas.

He said that there was much discussion on data breaches, but often we see only the tip of the iceberg. The Finnish Parliament would shortly bring forward rules on breach notification. He welcomed the introduction of the principle of accountability. It reflected work he had been doing on developing a data balance sheet, which will appear in English on his website in a few weeks.

On enforcement, the Scandinavian investigation of Facebook was not the first example of regional co-operation, but it showed how well it could work.

In answer to a question on how the new EU Regulation and the regulators themselves could properly promote EU competitiveness, since excessive regulation might drive out data processing which consumers really wanted, he pointed out that in assessing competitiveness it was necessary to bear in mind that contract law was to be harmonised as well as data protection. Data protection should not be considered in isolation.

Dan Jerker B. Svantesson of Bond University spoke on Swedish aspects.

As in many other places a popular topic was cloud computing. An organisation called Cloud Sweden had published on legal issues in the field. The Swedish DPA, the Datainspektionen, had been very active in making and publishing some recent decisions relating to cloud computing. They demonstrated that data protection rules can hinder cloud computing to some degree.

The first decision related to an agreement between Google and Salem Municipality for a SaaS service. The Datainspektionen found that Google had a unilateral right to change the terms of the contract, which meant that the municipality could not be certain if it was complying with privacy law or not. A contract term that Google could use data processed for the creation of products was also a problem.

The contract allowed Google to engage third parties to process data without informing the municipality. This meant that the municipality did not know at any one time who had its data. The Datainspektionen decided that controllers needed to have a contract with each processor and to know who they were. This created problems with transfers outside the EU as well. Controversially, the Datainspektionen felt that Swedish law should apply to the processing relationship in order to ensure that the municipality was compliant with Swedish privacy law..

The privacy impact assessment used in that instance was apparently not very advanced, so may have given a false sense of security. The Datainspektionen stressed that the controller always remains liable for use of the data handed to the processor, irrespective of how the processor structures its operations.

The second decision concerned the use of Dropbox, a file-sharing service (provided by Amazon) where a municipality was again the customer. The service was intended to be used to store corporate information such as minutes of meetings. However, it was discovered that employees of the municipality were using the service to store more sensitive information, a fact of which the municipality were aware. The Datainspektionen said that the municipality must implement proper privacy policies in such a case.

The third decision concerned Brevo AB, which operated a form of digital letter box on a Microsoft platform. The question arose as to whether it was a controller or processor in relation to the data stored on its service. The Datainspektionen found that it was a controller, contrary to Brevo's arguments. The Datainspektionen also found that Brevo was in breach of the law as it did not know (as in the Salem case mentioned above) who was processing the data, since Microsoft claimed the right to sub-contract processing without notice to Brevo.

In conclusion it may be necessary for cloud providers to be more realistic in contract terms, and customers more rigorous in vetting them.

Thomas Nortveldt of the Norwegian Consumer Council said he was probably the only consumer representative at the conference. Despite their consumer focus, however, the Council did recognise that customers needed to provide data to receive services, and service providers needed to process that data.

The Council had been active in making a complaint against Facebook and Zynga. It asked the Norwegian DPA whether it had jurisdiction but was told that it did not, because Facebook was based in Ireland. This led to the (perhaps surprising) conclusion that because of the fairly small establishment of Facebook in Ireland the Irish commissioner had jurisdiction over all Facebook users except those in the US and Canada.

The Council had developed with ICT Norway a project on the value of products uploaded to cloud services, aiming at a self-regulatory norm for secure storage in the cloud. It had created a seal of approval for online services. It had also conducted a survey on the attitude of consumers to cloud services. It found that people were concerned about loss of control over data, wanted Norwegian law to apply so that they knew they were protected, and wanted to know where their data was.

Kaisa Olkkonen of Nokia drew some comparative conclusions on approaches across the region. There were some differing practices in Nordic countries, e.g. on BCR mutual recognition and treatment of model clauses. Notification duties differed, leading to potential difficulties where both controller and processor were obliged to notify exactly the same processing.

The Nordic regulators were generally not penalising cookie use as long as users were properly informed - they were not currently insisting on consent.

There were differences in relation to breach notification. In Finland all companies with online services were under a duty to notify security breaches. Rules differed from one country to another as to whether it was necessary to notify just the DPA or users also. It was generally hoped that DPAs would not be overburdened with notifications to no purpose, especially when the new Regulation came into force.

Blogging from the IAPP London Data Protection Intensive

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Wed, 25 Apr 2012 07:07:16 -0500

This report is provided by London partner Quentin Archer:

London, April 25 2012: IAPP Europe is currently holding its Data Protection Intensive 2012 in London, of which Hogan Lovells is a sponsor. The keynote speakers on the first day of the conference were Christopher Graham, UK Information Commissioner, and Terry von Bibra, VP Advertising Marketplaces EMEA for Yahoo! Inc.

Christopher Graham spoke in favour of more proportionate regulation, pointing out that the ICO could not do everything. The ICO was there to promote information rights in general - the right to know as well as the right to privacy.

The ICO keeps track of public concerns. In its 2011 survey, protecting personal information was of more concern to the UK populace than unemployment, health and national security, coming second only to crime.

Enforcement is not the only answer to good regulation. It is also important to empower and educate citizens and businesses.

On cookies, the clock is ticking, as the 26th May deadline is approaching - enforcement will be realistic and pragmatic. The ICO had been asked whether analytics cookies were "essential" and so not subject to regulation. In his personal view the answer was "no", but he was hardly going to put all work of the office on hold to pursue the issue of analytics and cookies. However, if he found that there were complaints about companies who had really done nothing to attempt to comply with the cookie rules, then we could expect that he would be active.

Very recently the ICO's staff had been doing mystery shopping to see what personal data was left on discarded storage devices. They had discovered that mobile and memory sticks were largely clean, but an alarming number of secondhand hard drives offered for sale contained a worrying amount of corporate and personal information. So an initiative to warn the public about this was being launched today.

The ICO offers a carrot and stick approach to regulation. Its Good Practice function offered free audits to check for compliance and has been very successful. But the stick were the civil monetary penalties, of which there had been fourteen so far. They key point in deciding on a penalty was what the data controller knew about the likelihood of risk. There will be more enforcement, and one can expect a more rigorous approach in some cases.

Revamping the EU Framework will be a long haul. The ICO wants compliance, consistency, co-operation, proportionate intervention and a global perspective. He does not want over-regulation.

Terry von Bibra of Yahoo! pointed out that his company provided an enormous number of free services, all funded by advertising. They have to derive a yield from the pages delivered to users.

At the same time privacy is very important to their users. They had to create a global approach to serve their users.

Yahoo used a Content Optimisation Relevance Engine (CORE) to determine what content was of relevance to users at different times of the day. It personalised the site for users and had improved the click-through rate from the home page by 300%.

This was about using data for the benefit of the user, but of course the same model was used for advertising too.

Now they offer users the chance to peronalise their advertising experience, through Yahoo! Ad Interest Manager. This was a good example of privacy by design. The user's choices are fed back to third parties whose advertisements were displayed on Yahoo! to ensure that the user's wishes were respected.

Yahoo! is also participating with browser manufacturers in a similar initiative.

On the new EU Regulation, Terry von Bibra favors a good compromise between protecting privacy and delivering to the user the information he or she needs. The rules on consent had to be realistic - it is too hard for small companies to collect data by setting up user accounts, for example.

The right to be forgotten means different things to different people - but it has to be developed in a way which did not harm the rights and interests of other users.

At the heart of the issue, however, is trust - Yahoo! would have no business if it were to lose the trust of its users. Users are concerned with their privacy, but they did not want their user experience to be impaired. That balance had to be respected by both regulators and business.

Guidance on Establishing and Maintaining a Privacy Management Infrastructure

bret.cohen@hoganlovells.com (Bret Cohen) — Tue, 24 Apr 2012 16:59:07 -0500

Privacy law compliance means not only ensuring that compliance gaps are identified and remediated, but also that there is a privacy management infrastructure to ensure that privacy issues are handled on an ongoing basis. Attending to the infrastructure task can be challenging.

To aid in this effort, on April 17th Canada's privacy commissioner, along with the privacy commissioners of the provinces of Alberta and British, issued a guidance document entitled "Getting Accountability Right with a Privacy Management Program," along with an "At a Glance" two-page summary. The guidance document provides easy-to-understand, high-level advice on how to operationalize a privacy management program.

Although the guidance is given in the context of compliance with Canadian privacy law, there has been an increasing focus by privacy regulators in the US and abroad on the establishment of comprehensive privacy programs for organizations that collect, use, and share personal information. For example, one of the bedrock principles of last month's Federal Trade Commission privacy framework recommendation was the adoption of a baseline "Privacy by Design" principle through which the FTC recommended that businesses maintain comprehensive data management procedures throughout the lifecycle of their products and services. The Canadian guidance provides a sound and practical framework for organizations looking to implement Privacy by Design that face the obvious question: "Where do I start?"

The following is an brief overview of the guidance, as relevant to all organizations, Canadian or not, looking to implement a privacy management infrastructure:

Obtain organizational commitment: The first building block of privacy compliance is the development of an internal governance structure that fosters a culture respectful of privacy. This involves getting buy-in from senior management; establishing a Privacy Officer responsible for monitoring compliance; establishing a Privacy Office that ensures privacy protection is built into every major function involving the use of personal information; and creating reporting mechanisms reflected in internal controls.
Establish program controls: Privacy program controls help ensure that what is mandated in the governance structure is implemented within the organization. This involves conducting a personal information inventory; establishing policies relating to (i) the collection, use, retention, and disposal of personal information, (ii) access to and correction of personal information, and (iii) security of personal information; providing for risk assessments; setting up training and education for personnel; establishing breach and incident management response protocols; creating procedures to manage service providers with access to personal information; and developing procedures for informing individuals of their privacy rights.
Assess and revise the privacy program on an ongoing basis: Once a privacy program is established, the organization must maintain the program to ensure ongoing effectiveness, compliance, and accountability. This involves developing an oversight and review plan; updating the personal information inventory; revising policies as necessary; promptly addressing privacy and security assessments; reviewing and modifying training and education programs; reviewing and adapting breach and incident management response protocols; reviewing and fine-tuning contracts with service providers; and updating and clarifying external communications explaining privacy practices.

HIPAA Violations Cost Phoenix Cardiac Surgery Group $100,000 after OCR Investigation

marcy.wilder@hoganlovells.com (Marcy Wilder) — Wed, 18 Apr 2012 11:56:07 -0500

On April 17^th, Phoenix Cardiac Surgery, P.C. agreed to pay a $100,000 fine and put in place a corrective action plan under a resolution agreement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) following an extensive investigation into the health care provider's HIPAA privacy and security practices. The investigation was triggered by a complaint filed with HHS alleging that the physician group was posting clinical and surgical appointments on an internet-based calendar that was publicly available. The investigation was significant in part due to its scope, as OCR examined the group’s privacy practices going back to 2003 and found them wanting.

The agency investigated the complaint at hand and found that the physician group did not have adequate safeguards and failed to put in place business associate contracts with internet-based e-mail and calendar service providers that were storing and transmitting patient information. OCR, however, went further and examined the group’s privacy and security practices dating back to 2003. The agency found that the physician group did not implement adequate policies and procedures, document employee training on the Privacy and Security Rules, identify a security officer, or conduct the requisite risk analysis. OCR Director Leon Rodriquez stated that “this case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules.” He further asserted that “we hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

The resolution agreement makes clear that vendors that store and transmit patient information, including providers of internet-based e-mail and calendar services, are business associates and require HIPAA business associate agreements. In addition, the case serves as a reminder that policies and procedures, risk assessments, documentation and training are key elements of a HIPAA compliance program. The resolution agreement can be read here.

Just last month, OCR announced a $1,500,000 settlement with Blue Cross Blue Shield of Tennessee (BCBST) for potential violations of the HIPAA Privacy and Security Rules. Recent enforcement actions suggest a heightened willingness by OCR to sanction covered entities for HIPAA violations.

Hogan Lovells-Authored Opinion Piece Examines Idea of Legally Restricting Sharing on Social Media

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Tue, 17 Apr 2012 07:18:58 -0500

In an opinion piece published in the San Francisco Chronicle, Hogan Lovells privacy leader Chris Wolf addressed the issue of whether Congress should pass a law restricting the manner in which individuals might choose to share information through social media. The context for the discussion was the Video Privacy Protection Act (VPPA) and the idea of a limit on so-called "frictionless sharing" -- available for music and news articles -- with respect to users of streaming video services like Netflix, and their desire automatically to share every video they watch on social media services like Facebook. Under one reading of the VPPA, written authorization is required "at the time of disclosure," to share details of one's video watching, thus blocking automatic, frictionless sharing, and a proposal is floating in the Senate to embed such a restriction through an amendment to the VPPA.

Chris explained the issue this way:

Advocates of restrictions on frictionless sharing are concerned that Facebook users might inadvertently disclose through the automatic sharing tool that they watched a controversial movie, causing personal embarrassment. They propose that, as to movies only and as a matter of law, users must choose on a case-by-case basis what movies they want to post on Facebook.

But he concluded:

A law limiting the ability of people to choose to share all of the movies they watch online is not what privacy law should be about. Privacy is about empowering individuals with the ability to choose what information they want to disclose, and to whom. It is not the business of privacy law to decide.

And Chris explained:

Of course, not everyone wants to share their viewing experiences with their friends online, and they don't have to share. And if someone prefers to share their video watching experiences on a case-by-case basis, he or she can do so manually. Similarly, a person who chooses to share on a continuous basis can disable the share function before watching a streaming video that he or she wants to exclude from online posting.

As much as some senators may conclude that sharing all the movies you watch is TMI, the law should permit people to share as they choose, and companies should not face legal penalties for providing them with the choice.

The opinion piece in the San Francisco Chronicle follows Chris' testimony earlier this year before the Senate Judiciary Privacy Subcommittee.

At Last, the EU Cookies Regulation Is Implemented in Spain

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Tue, 10 Apr 2012 18:18:33 -0500

This blog post was provided by Pablo Rivas in our Madrid Office

On April 2, after almost a year of delay, Spain published Royal Decree-Law 13/2012 requiring opt-in consent to place cookies as required by the EU e-Privacy Directive (2009/136/EC, modifying Directive 2002/58/EC).

Previously, the use of cookies by service providers was regulated by Article 22 of Law 34/2002 on Information Services and Electronic Commerce ("ISSA"), which implemented in part the EU Directive on Electronic Commerce (2000/31/EC). Under that law, when a service provider placed cookies it was required to inform users of the cookies' existence and the purposes for which the cookies were used. In addition, service providers had to give users an option to reject cookies using a simple and free method, unless those cookies were used to facilitate the operation of an electronic communication network or to carry out an explicit request of a user. In practice, Spanish companies complied with this requirement by providing users with information about how to disable cookies through their web browsers.

Royal Decree-Law 13/2012 dramatically modifies Article 22 of the ISSA by requiring service providers who want to use "devices" to store and recover data on users' equpment (including cookies) to obtain those users' explicit consent for such use after providing them with clear and complete information about their use. In particular, service providers now must disclose the purposes for which personal data will be processed pursuant to the Spanish data protection law. This modification makes clear the need to obtain the prior, opt-in consent of users before placing cookies, as compared to the previous law, which only required service providers to inform users of their ability to opt out.

In line with Recital (66) of Directive 2009/136/EC, service providers can still rely on the settings of a web browser or other application to provide opt-in consent, provided that users take an express action to establish the setting when installing or upgrading the browser or application, where technically feasible and effective. Moreover, the new law does not modify the exemption in the ISSA that permits service providers to place cookies to facilitate the operation of an electronic communication network or to carry out an explicit request of a user.

CNIL Chief Offers Frank Comments on EU Regulation at Hogan Lovells-Sponsored Gathering in Paris

winston.maxwell@hoganlovells.com (Winston Maxwell) — Fri, 06 Apr 2012 06:21:27 -0500

At a March 27 event organized by American Chamber of Commerce in France and sponsored by Hogan Lovells, CNIL chairperson Isabelle Falque-Pierrotin said that the proposed new European regulation represents a “new paradigm” for business, because it will share the load of regulation between businesses and data protection authorities. Other speakers, including the EU Data Protection Supervisor and an official from the US Embassy in France also provided insights.

Here is a video of the keynote speech by CNIL Chair Isabelle Falque-Pierrotin, at the AmCham France, EU General Data Protection & Privacy Regulation Conference on 27 March 2012:

Here is a video of EU Data Protection Supervisor Peter Hustinx at the 27 March Conference, commenting on "accountability" and consent:

Here is a video of US Embassy in France Minister Counselor Wendela Moore on the White House privacy program and on the "long history" of privacy protection in the United States:

More on what Mme Falque-Pierrotin said at the gathering....

Co-Regulation: Falque-Pierrotin said “co-regulation is the good answer,” indicating that the CNIL has already been applying the accountability principle: French law has already provided for the possibility to name data protection officers (DPOs) in companies, the CNIL has begun delivering privacy seals in connection with auditing and training procedures, and the CNIL has been the champion at a European level for binding corporate rules (BCRs).

Compliance Pack: Falque-Pierrotin indicated that compliance will be the biggest issue for businesses over the coming years, and that the CNIL was preparing a “compliance pack” to help businesses implement effective compliance programs. The pack will be based in large part on the CNIL’s existing practices in BCRs.

EU-US Convergence, But Issues With US Approach: Although the US and the EU are converging in terms of substance, Falque-Pierrotin cautioned that significant differences in approach still exist. She commented that President Obama's Consumer Bill of Rights would not be binding without legislation, and that the codes of conduct would only be mandatory for companies who choose to sign them. Falque-Pierrotin expressed skepticism regarding self regulatory frameworks.

Sanctions: “Sanctions should be adjusted depending on whether a company has implemented accountability mechanisms” said Falque-Pierrotin, recommending a sort of “leniency program” similar to what exists in competition law.

Problems with Centralized Approach: The CNIL chairperson criticized certain aspects of the proposed regulation’s “one-stop shop” approach, indicating that the extremely centralized approach may not be well adapted for all businesses, particularly bricks-and-mortar. Finally, Falque-Pierrotin expressed her vision that BCRs should not be looked at as simply a tool for transferring data within the corporate group, but rather as a global compliance architecture that would permit transfers not only within the group but with other entities. The CNIL is working with the Department of Commerce to identify “points of interconnection” between BCRs and the US's vision for cross-border data transfers.

Lessons from the Power Ventures Case Include "Terms of Use Can Create Computer Fraud and Abuse Act Liability"

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Thu, 05 Apr 2012 10:01:37 -0500

This entry was prepared by Sachi Jepson in the firm's Washington Office

Power Ventures is known as the company with the slogan "all your friends in just one place." The slogan refers to the company’s website, Power.com, created to allow users to aggregate data from their various social networking sites and messaging services. But Power Ventures appears to be quite a bit less powerful vis a vis Facebook, due to a February ruling from a federal district court about Power Ventures’ marketing practices and the applicability of the Computer Fraud and Abuse Act and state impermissible computer access statute.

The saga began in December 2008. Power kicked off its service by encouraging users to recruit new Power.com members (and offering a chance to win $100). To make it easy for users to send recruitment e-mails, Power provided them with lists of their Facebook friends from which they could select people to receive automated invitations from an @facebook.mail.com e-mail address.

Facebook objected to this practice and asked Power to stop, to no avail. Thereafter, Facebook brought suit alleging CAN-SPAM violations, violations of California Penal Code § 502, and violations of the Computer Fraud and Abuse Act. In response, Power filed a countersuit against Facebook alleging “anti-competitive practices.”

In its ruling, the federal district court in the Northern District of California found that Power’s conduct (1) violated CAN-SPAM, (2) violated California Penal Code § 502, and (3) violated the CFAA.

With respect to CAN-SPAM, the court agreed with Facebook that Power’s email headings violated the statute, which states that information is “materially misleading” if it disguises the origin of the email, making it hard for a recipient to identify the sender. The emails inviting Facebook users to sign up for Power.com contained no return address or information enabling recipients to respond directly to Power. Although the body of the emails did discuss Power.com, the court found that the misleading header alone was sufficient to violate CAN-SPAM.

An interesting component of this discussion was the court’s consideration of email “origination.” Since the emails were actually sent by Facebook users, using Facebook’s servers, there is a technical question as to whether Power is solely responsible as the “originator.” Ultimately, the court found that Power’s “Launch Program” and its money inducements were enough to count them responsible for the emails. From the courts’ perspective: “the fact that [Power] used a program that was created and controlled by another to send e-mails with misleading headers does not absolve them of liability for sending those e-mails.”

On the issue of California Penal Code § 502, the court Order dated July 30, 2011 explained that an entity accessing a computer network in ways that violated the network’s Terms of Use, without more, is not enough to establish that the use was “without permission” within the meaning of § 502. However, the court found that Power did more than simply access the network. In a bit of technical ninjutsu, Power anticipated that Facebook would attempt to block them and preemptively created a system to rotate IP addresses. Even though Power did nothing after Facebook started blocking IP address to further circumvent the blocks, the court had little sympathy, asserting that it found “no reason to distinguish between methods of circumvention built into a software system to render barriers ineffective and those which respond to barriers after they have been imposed.”

Finally, the court also found Power liable under the CFAA since significant resources were expended in Facebook’s efforts to stop Power’s unauthorized access. The CFAA holds one liable who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains,” among other things, “information from any protected computer.” 18 U.S.C. § 1030(a)(2). Both civil and criminal liability are possible here. Facebook easily showed it met the $5,000 “loss” threshold for standing under the CFAA—which counts reasonable costs associated with damage assessment and restoration work—through expenses spent trying to stop Power’s unauthorized access. From there, the court found the calculus rather simple. Power had (1) accessed Facebook without permission from Facebook, (2) obtained information from Facebook’s website, and (3) Facebook suffered sufficient damage. Ergo, CFAA violated.

The case is significant for its CFAA implications, since the court’s opinion supports a broad definition of illegal access under the CFAA to include violations of a website's Terms of Use. The CFAA is a statute intended to reduce hacking but increasingly used to impose criminal charges. Just a few years ago, it was unthinkable to come up against criminal charges for violating a website’s Terms of Use. But the notion is becoming thinkable. Coupled with a string of decisions holding employees criminally liable for violating workplace policies (e.g. US v. Nosal, US v. Rodriguez, and US v. John), this decision raises serious questions about the scope and limitations of liability under the CFAA.

Interestingly, the court deemed Power’s access to Facebook “unauthorized,” even though Facebook users themselves authorized Power’s interactions. After all, Facebook users are the ones who own the content to their own profiles. But it was Facebook’s Terms of Use that carried the case, in the end. Before potential Facebook users create an account they must agree to these Terms—which prohibit automated scripts that collect information from Facebook, commercial use of Facebook without permission, or impersonation of anyone or anything through Facebook. The Terms were where the court looked to determine whether Power’s access to Facebook was authorized for CFAA purposes.

The lesson to be learned from the Power Ventures’ experience is that it is time for companies to re-examine (or become aware of) the website policies of sites they access, lest they unwittingly come under civil and perhaps even criminal CFAA charges. Also, cautious, meticulous drafting of one’s Terms of Use is key to reserving a vehicle for legal redress.

Article 29 Working Party issues critical opinion of the Commission's new proposed data protection framework

lionel.desouza@hoganlovells.com (Lionel de Souza) — Fri, 30 Mar 2012 16:32:28 -0500

The Article 29 Working Party released on March 29, 2012 its opinion on the European Commission's proposed new data protection Regulation and Directive (WP191 - Opinion 01/2012 on the data protection reform proposals). The Working Party expresses strong reservations about the proposed Directive on data processing for police and criminal justice matters, criticizing the Commission's use of two different legal instruments to cover subjects that could be addressed in a single text. The Working Party finds the proposed Directive on police and criminal justice matters “disappointing in its lack of ambition compared to the Regulation”.

Regarding the proposed Regulation, the Working Party suggested improvements:

The text should further clarify concepts such as the definition of data subject, the definition of personal data (to address discrepancies regarding IP addresses for instance), and the definition of biometric data. The rights of minors should be better defined (through better definition of the role of representatives, etc.) and the right to be forgotten should be accompanied by provisions to permit better enforcement, including against third parties. The text should add an obligation to anonymise or pseudonymise personal data where feasible and proportionate based on the purpose of the processing;
The Working Party suggested that the provision on data breach notification be changed to exclude “minor data breaches” and to introduce a “two-step approach” whereby only the notification of the breach itself must take place within 24 hours after becoming aware of it and additional information would be provided in second phase after more detailed investigations;
The text should better define the concept of main establishment and the role of the one-stop shop lead data protection authority (certain terms appear to be conflicting or overlapping, the definition of the roles of the lead data protection authority and that of the other interacting data protection authorities requires further refinement). The Commission should also better clarify the obligations imposed on data controllers in the context of the accountability principle, and better limit the European Commission's power in adopting "delegated and implementing acts". The extent of delegated acts draws "serious reservations" from the Working Party;
The proposal should better adjust the obligations of data controllers based on their effective role rather than on the basis of factors disconnected from data protection considerations (e.g. the proposed thresholds that would trigger the applicability of certain provisions should be related to the "nature and extent of the processing" in a manner that could resemble the threshold proposed by the US Federal Trade Commission, eg. the processing of non-sensitive data of less than 5,000 persons per year);
Data protection authorities should have discretion in the way they administer sanctions and levy fines in consideration of the actions of the data controller and the seriousness of the breach. DPAs should be equipped with additional financial, human and technical measures due to their increased responsibilities;
DPAs and the future European Data Protection Board (EDPB) should have a bigger role in shaping policy; they should be independent and have effective power.

The Working Party was not able to reach consensus on the opinion. The DPAs from Belgium and Romania abstained because they object to the Commission's use of a regulation as the legal instrument; the Czech data protection authority abstained for no reasons given, and the Estonian DPA voted against the opinion because the DPA “sees too many essential disconcerting aspects in the packet (…).”

Supreme Court Holds Privacy Act Recovery Only Available When There is Economic Loss

tim.tobin@hoganlovells.com (Timothy Tobin) — Wed, 28 Mar 2012 18:06:49 -0500

Today, the U.S. Supreme Court in FAA v. Cooper held in a 5-3 decision that the “actual damages” clause in the Privacy Act is not sufficiently clear to authorize the recovery of non-pecuniary damages, such as for mental or emotional distress. While the Court acknowledged that the term “actual damages” is “sometimes understood to include nonpecuniary harm” and that such a reading is not “inconceivable,” it concluded that the term was not sufficient to overcome the sovereign immunity canon of statutory construction, which requires “an unmistakable statutory expression of congressional intent to waive the Government’s immunity.”

The decision is narrowly decided and appears unique to the Privacy Act or perhaps other statutes that provide for private rights of action against the Government. The decision is not particularly instructive as to statutory schemes that authorize the recovery of “actual damages” in private party litigation, such as the Fair Credit Reporting Act (FCRA). Under FCRA and other statutory regimes, lower courts have interpreted the term “actual damages” to include nonpecuniary harm. As Justice Alito, writing for the majority explained:

Because the term ‘actual damages’ has this chameleon-like quality, we cannot rely on any all-purpose definition but must consider the particular context in which the term appears.

It was not disputed that the Government's underlying conduct had violated the Privacy Act. But, the majority found it significant that the respondent-plaintiff did not allege any pecuniary or economic loss in the suit. The Court looked back at its 2004 Doe v. Chao decision, where it had held that to recover damages under the Privacy Act, a Plaintiff must establish not only the Government's breach of the statute, but actual damages (without deciding the meaning of actual damages). In Doe, the Court had analogized the remedial provisions of the Privacy Act to common law torts of slander and libel per quod. Under those claims, plaintiffs must first prove “special damages” i.e., actual pecuniary loss, before they can recover “general damages,” which encompass noneconomic harms such as harm to reputation and emotional distress. The Court found this:

suggests the possibility that Congress intended the term “actual damages” … to mean “special damages. The basic idea is that Privacy Act victims, like victims of libel per quod or slander, are barred from any recovery unless they can first show actual – that is, pecuniary or material – harm. Upon showing some pecuniary harm they can recover the statutory minimum of $1,000, presumably for any unproven harm.

The Court found support for the "plausibility" of this interpretation in Congress’ express refusal to authorize “general damages” in the Privacy Act (an uncodified section of the Privacy Act established a Commission to consider whether Congress should be liable for general damages, something the Commission recommended, but Congress did not act upon). As to Respondent’s argument that the Act’s exclusion of general damages meant only that Congress meant to exclude damages that could not be proved, the Court stated that in defamation and privacy cases,

the affront to the plaintiff’s dignity and the emotional harm done are called general damages to distinguish them from proof of actual economic harm which is called special damages. Therefore the converse of general damages is special damages, not all proven damages as respondent would have it.

Justice Sotomayor, writing for the dissent, argued that the majority placed too much weight on the sovereign immunity canon of construction. In her view the plain meaning of the term "actual damages" was enough to nullify that canon. Both the majority opinion and Justice Sotomayor utilized the Black’s Dictionary definition of “actual damages." Unlike the majority opinion, however, which referred to the definition as circular, Justice Sotomayor stated that there was nothing unclear about the definition and that it covers injury alleged and proved.

Justice Sotomayor went further and agreed with the majority that context is relevant. Given the Privacy Act was expressly designed to create safeguards to protect against breaches that could result in “substantial harm, embarrassment, inconvenience, or unfairness” to individuals and because mental or emotional distress is “the primary, and often only, damages sustained as a result of an invasion of privacy,” Justice Sotomayor found the context of the Privacy Act supported a more expansive reading of actual damages. As she further explained, if Congress wanted to limit recovery to situations involving only economic loss, it could have used the term “special damages” in the statute. As to the Privacy Act’s exclusion of general damages, Justice Sotomayor cited to the Court’s opinion in Doe v. Chao for support that the exclusion was intended to address unproven damages only.

Seventh Circuit Limits Damages Recovery under the VPPA

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Wed, 28 Mar 2012 06:36:49 -0500

On March 6, the Court of Appeals for the Seventh Circuit decided an interlocutory appeal in the class action lawsuit Sterk v. Redbox, holding that damages are not available under the Video Privacy Protection Act (VPPA) for violations of subsection (e) of the statute, the “Destruction of Old Records” provision. The court analyzed the statute and concluded that the damages provision only applies to a video tape service provider’s knowing disclosure of a consumer’s personally identifiable information—such as video viewing history—in violation of subsection (b) of the statute. This limitation on the scope of the damages provision is consistent with the approach taken by the Court of Appeals for the Sixth Circuit in a 2004 case.

Enacted in 1988 after Supreme Court nominee Robert Bork’s video viewing history was published in the Washington City Paper during his confirmation hearings, the VPPA places restrictions on video tape service providers’ use, disclosure, and retention of consumers’ personally identifiable information. Subsection (b) of the VPPA prohibits video tape service providers from disclosing personally identifiable information except in certain, limited circumstances, and subsection (e) requires video tape service providers to “destroy personally identifiable information as soon as practicable, but no later than one year from the date the information is no longer necessary for the purpose for which it was collected.” The damages provision in subsection (c) of the VPPA establishes a private right of action which includes liquidated damages in the amount of $2,500 for any act “in violation of this section.”

In Sterk v. Redbox, the class action plaintiffs alleged that Redbox violated the VPPA by maintaining consumers’ credit card information and video viewing history longer than necessary, in violation of subsection (e) of the VPPA. Redbox filed a motion to dismiss, arguing, in pertinent part, that the private right of action established in subsection (c) does not apply to violations of subsection (e). The district court denied Redbox’s motion, holding that the damages provision applies to all subsections of the VPPA, a decision which Redbox appealed to the Seventh Circuit.

The Seventh Circuit engaged in a thorough review of the statutory language, noting that the “statute is not well drafted” due to its failure to specify the scope of the damages provision, and held that the private right of action created by subsection (c) only applies to violations of the disclosure provision in subsection (b). The court relied on two key factors in reaching this decision: (1) the location of the damages provision vis-à-vis the prohibitions in subsections (b), (d), and (e); and (2) the absence of injury in the event that a video tape service provider fails to timely destroy consumers’ personally identifiable information as required by subsection (e).

With regard to the first factor, the court reasoned that since Congress did not place the damages provision at the end of the statute, it intended to limit the provision’s application to the single prohibition that precedes subsection (c)—the prohibition on the disclosure of personally identifiable information. Judge Posner, writing for the court, stated, “[i]f (c) appeared after all the prohibitions, which is to say after (d) and (e) as well as (b), the natural inference would be that any violator of any of the prohibitions could be sued for damages. But instead (c) appears after just the first prohibition, the one in subsection (b), prohibiting disclosure.”

In addition to its analysis regarding the location of the damages provision, the court also noted that no injury would result from a failure to timely destroy consumers’ information in the absence of a corresponding unauthorized disclosure of such information. Thus, there is no need to award damages for the mere unlawful retention of information without a subsequent unauthorized disclosure. To this point Judge Posner stated, “[h]ow could there be injury, unless the information, not having been destroyed, were disclosed? If, though not timely destroyed, it remained secreted in the video service provider’s files until it was destroyed, there would be no injury.” Furthermore, if retention for an unlawful period of time is followed by an unauthorized disclosure, then that would constitute a violation of subsection (b) and the aggrieved consumer would be entitled to damages pursuant to subsection (c).

The Seventh Circuit’s decision is consistent with the Sixth Circuit’s interpretation of the VPPA in Daniel v. Cantrell, wherein the court held that the damages provision of the VPPA only applies to subsection (b). In this 2004 case the Sixth Circuit also relied, in part, on the location of the damages provision in its interpretation of the statute.

Details on FTC Recommendation of Legislation to Address Practices of Information Brokers

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Tue, 27 Mar 2012 16:32:26 -0500

Yesterday, the Federal Trade Commission (FTC) issued its report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers.” In a previous blog post we provided an overview of the report and noted that one of the five “action items” highlighted by the FTC in the report is to focus on the practices of information brokers (also referred to in the report and otherwise as “data brokers”). Most notably, the FTC calls on Congress to consider enacting targeted legislation to provide greater transparency for, and control over, the practices of information brokers and to allow consumers to access their data maintained by information brokers. The FTC notes in the report that Congress could model any such legislation on H.R. 2221 (the “Data Accountability and Trust Act”), a bill that the House passed during the 111^th Congress, as well as similar bills introduced in the 112^th Congress.

H.R. 2221 was passed by the House on December 8, 2009, but died in the Senate. The bill contained several provisions relating to information security, such as a data breach notification provision and a provision requiring entities that own or possess personal information to establish security policies and procedures. In addition, the bill included some data accuracy and access provisions that were targeted specifically to information brokers. In pertinent part, the bill would require information brokers to:

· establish reasonable procedures to assure the maximum possible accuracy of the personal information it collects, assembles, or maintains;

· allow each individual whose personal information it maintains to review such information, at the individual’s request at least one time per year and at no cost to the individual; and

· allow each individual whose personal information it maintains to dispute the accuracy of any such information, correcting the information as necessary.

However, the bill would deem any information broker that is engaged in activities subject to the Fair Credit Reporting Act (“FCRA”) and that is in compliance with sections 609, 610, and 611 of the FCRA to be in compliance with these data accuracy and access provisions.

Several bills were also introduced during the 112^th Congress that contained data accuracy and access provisions similar to those in H.R. 2221. These bills are: (1) Data Accountability and Trust Act, H.R. 1707, 112th Congress (2011); (2) Data Accountability and Trust Act of 2011, H.R. 1841, 112th Congress (2011); and (3) Data Security and Breach Notification Act of 2011, S. 1207, 112th Congress (2011).

IAPP Web Conference on FTC Final Staff Report to Be Moderated by Hogan Lovells Partner

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Tue, 27 Mar 2012 15:22:25 -0500

To register, click here.

FTC Releases Final Privacy Report

mark.brennan@hoganlovells.com (Mark Brennan) — Mon, 26 Mar 2012 11:43:14 -0500

Today the Federal Trade Commission (FTC) issued its long-awaited final privacy report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers,” which is intended to articulate “best practices” for companies that collect and use consumer data, and to assist Congress as it considers new privacy legislation.

The Report calls for companies to implement (1) privacy by design, (2) simplified consumer choice, and (3) greater transparency; and (4) it recommends that Congress pass baseline privacy legislation. The Report also encourages companies to incorporate substantive privacy protections (e.g., data security, collection limits, retention and disposal practices, data accuracy) and maintain comprehensive data management procedures throughout product and service life-cycles. In addition, companies should give consumers a choice about their data at a time and in a context in which the consumer is making the decision, and obtain affirmative express consent before collecting sensitive data or making material retroactive changes to privacy representations. Access to data should be proportionate to the sensitivity of the data and the nature of its use, and privacy notices should be clearer, shorter, and more standardized.

FTC Chairman Jon Leibowitz commented on the Report that "[i]f companies adopt our final recommendations for best practices – and many of them already have – they will be able to innovate and deliver creative new services that consumers can enjoy without sacrificing their privacy."

Although much of the Report retains the FTC’s earlier privacy framework proposals, it includes revised recommendations in several key areas:

Small Business Carve-Out: To address concerns raised by small businesses, the final privacy framework does not apply to companies that collect only non-sensitive data from fewer than 5,000 consumers a year, provided that they do not share the data with third parties.

Approach to Determining Whether Data is “Reasonably Linkable” and Thus Covered by Privacy Protections: The Report clarifies that data is not “reasonably linkable” to the extent that a company: (1) takes reasonable steps to ensure that the data is de-identified; (2) commits publicly not to re-identifying the data; and (3) contractually prohibits downstream recipients from attempting to re-identify the data.

Choice: The Report modifies the FTC’s proposed approach to how companies should provide privacy choices to consumers. Under the revised approach, companies can collect and use consumer data without providing a choice for “practices that are consistent with the context of the transaction, consistent with the company’s relationship with the consumer, or as required or specifically authorized by law.” Although first-party marketing generally does not require choice, certain practices such as tracking consumers across websites (e.g., deep packet inspection, social website plug-ins, “retargeting”), collecting sensitive data, and sharing with separately-branded affiliates likely require choice. The Report notes that a “take-it-or-leave-it” choice approach for important products and services raises concerns in situations where consumers have limited alternatives (e.g., patented medical devices, broadband Internet access).

Data Broker Legislation: The FTC recommends new targeted legislation to address the practices of information brokers, and recognizes that the more sensitive the data, the greater the protections needed.

The new framework applies to both online and offline contexts and to data that is “reasonably linkable” to specific consumers, computers, or devices.

The Report also highlights five “action items” that the FTC will focus on over the next year to promote the new privacy framework:

1. Do Not Track: The FTC will work with industry to implement an “easy-to-use, persistent, and effective Do Not Track system.”

2. Mobile: The FTC recommends that companies providing mobile services improve their privacy practices, including through the use of shorter, more meaningful disclosures. The FTC is planning to update is online advertising guidelines and hold a workshop on mobile privacy disclosures.

3. Data Brokers: As mentioned above, the FTC is supporting targeted legislation to provide consumers with greater access to the personal information held by data brokers. It also recommends that data brokers develop a centralized website to identify themselves to consumers and describe their information practices, and to detail the access rights and other choices they provide with respect to consumer data.

4. Large Platform Providers: The FTC is planning to host a public workshop in the second half of 2012 to explore privacy issues associated with “comprehensive” online tracking that can be conducted by ISPs, operating systems, browsers, and other large platforms. This technology neutral approach focuses on function rather than labels.

5. Self-Regulatory Codes: The FTC will participate in the Department of Commerce’s upcoming multistakeholder process to develop voluntary, enforceable industry codes of conduct.

Copy of Final FTC Privacy Report Now Available

christopher.wolf@hoganlovells.com (Christopher Wolf ) — Mon, 26 Mar 2012 09:59:15 -0500

Here is a copy of the just-released Federal Trade Commission Final Privacy Report, "Protecting Consumer Privacy in an Era of Rapid Change". An analysis will follow.

Crystal-balling Monday's FTC Announcement of its Final Privacy Report

christopher.wolf@hoganlovells.com (Christopher Wolf ) — Fri, 23 Mar 2012 17:06:25 -0500

The Federal Trade Commission has scheduled a press conference for Monday March 26th at 11 AM to announce its final report on a proposed privacy framework for businesses and policymakers. The report has been pending since December of 2010 when it was issued in draft, and the final Report follows a period in which interested parties submitted comments in response to a lengthy set of questions posed by the Commission staff.

Issues addressed in the draft are likely to be refined. For example, the draft Report detailed the limitations of the current notice and choice model (for example, the burden on consumers in reading and understanding privacy policies) and that likely will be restated. Proposals for new ways to provide transparency and empower consumers could well be included in the Report.

The knotty issue of what constitutes PII subject to protection also may be addressed in the Report, including a specification of what constitutes commonly accepted practices that remove the need for consumer consent.

The FTC can be expected to advocate a framework calling for companies to promote consumer privacy throughout their organizations and at every stage of the development of their products and services. This includes incorporating substantive privacy protections -- such as data security and retention practices -- into business processes (such as is touted in the Privacy by Design model developed by the Privacy Commissioner of Ontario, Dr. Ann Cavoukian), and maintaining comprehensive data management procedures throughout the lifecycle of products and services. The FTC has imposed requirements for comprehensive privacy programs in the recent consent decrees with Google and Facebook.

One specific proposal contained within the Draft Report was a "Do Not Track" mechanism that the FTC proposed be advanced either by legislation or enforceable industry self-regulation. That issue can be expected to be addressed in the Final Report. Presumably, the Commission will acknowledge the substantial progress that was been made by industry and NGOs since the draft Report was issued. Indeed, the proposal of the Digital Advertising Alliance on Do Not Track took center stage at the White House when the Administration's privacy blueprint was unveiled in February.

It will not be surprising for the Report to echo the Administration’s call for a comprehensive privacy law, enhanced FTC authority and multi-stakeholder formed codes of conduct.

Since the release of the draft issues like Apps, geolocation privacy, and data brokers have been in the headlines and have been the subject of FTC activity. It will not be surprising to see those issues addressed as well.

When the Report is issued, the Hogan Lovells Chronicle of Data Protection will provide an analysis for its readers.

Stay tuned!

Opinion Piece on Privacy and Hate Speech Following Rutgers Student Conviction

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Fri, 23 Mar 2012 08:18:16 -0500

Hogan Lovells Privacy and Information Management practice leader Chris Wolf has authored an opinion piece on CNN.com entitled "Lessons from Rutgers on Privacy and Hate Speech" in which he draws upon the recent conviction of Rutgers student Dharun Ravi for invasion of privacy and bias intimidation to suggest steps to be taken to address online privacy and hate speech. Chris currently co-chairs the Inter-Parliamentary Coalition for Combatting Anti-Semitism Task Force on Internet Hate, and chairs the Internet Task Force of the Anti-Defamation League.

Tension Between Privacy Law and Other Interests Highlighted in Recent German Episode

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Thu, 15 Mar 2012 08:38:10 -0500

Chris Wolf, Hogan Lovells Privacy and Information Management Practice Director, has a column in Slate, the daily Web magazine addressing the tension between privacy laws and other societal interests, and the potential for inflexible application of privacy laws in the EU. His discussion is in the context of the prosecution of two reporters for invading the privacy of a former Nazi commando who had been in hiding for decades. The reporters obtained a videotaped confession from the former Nazi and yet faced more prison time than the mass killer was likely to serve. Ultimately, they were acquitted.

The criminal invasion-of-privacy case against the reporters put into sharp focus the automatic and inflexible application of privacy law in circumstances where flexibility and discretion appear to be called for. Press freedom groups around Europe protested the prosecutor's zeal against the reporters. They argued that secret-taping laws exist in many places in Europe (as they do in various U.S. jurisdictions), but that if ever there were a case for prosecutorial discretion and refraining from putting reporters on trial, this was it. The confession the reporters extracted was very much in the public interest and helped bring to justice a Nazi war criminal. Moreover, the reporters were threatened with more time in jail for their privacy transgressions than Boere [the former Nazi] may serve for murdering innocent people, given his age.

Chris tied the recent prosecution to the pending EU Regulation on data protection, which he noted "contains a 'right to be forgotten' that [the former Nazi] Heinrich Boere might have appreciated." And he concluded his column with this observation:

As the proposed EU regulation that includes the “right to be forgotten” is considered, policymakers in Europe will be grappling with the balance between privacy and free expression, privacy and innovation, privacy and law enforcement access to data, and many other areas where the right of the individual and the rights of others can clash. In a digital world that doesn’t easily stop at country borders, decisions EU policymakers take to balance these competing rights will be have global implications and will affect the laws governing the values of civil society for generations.

Unlike the decision to prosecute the Dutch reporters for privacy violations in the Boere case, the proposals for a new EU privacy regulation are open to public discussion and input. The issues that will be discussed will not be as compelling as those involved with reporters unmasking a Nazi war criminal’s deeds, but the Boere incident serves as a reminder that privacy rights must be weighed against other rights, and that inflexible rules can lead to unintended and unjust results.

The full column in Slate is available here.

China's New Privacy Regulations Go Into Effect

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Wed, 14 Mar 2012 16:18:02 -0500

This blog entry is provided by Jun Wei and Roy Zou from the Hogan Lovells Beijing Office

March 15 marks the effective date of new privacy regulations issued on December 29, 2011 by the Ministry of Industry and Information Technology of the People's Republic of China entitled Several Provisions on Regulation of the Order of Internet Information Service Market,. The new regulation defines the personal information protection requirements applicable to Internet Information Service Providers (“IISPs”).

Under the new regulation, however, there is no clearly definition of "IISPs". Article 2 of the Measures for the Administration of Internet Information Services (effective since September 25, 2000) defines the term "Internet information services (IIS)" as service activities of providing information through the Internet to the user, which include commercial and non-commercial services. Commercial IIS refers to providing Internet users with information via the Internet in exchange for compensation, or providing Web page creation services. Non-commercial IIS refers to providing Internet users with open-source and shared-information services via the Internet on a non-compensatory basis. Under the above definition, all entities in China providing information services through the Internet to web users could be considered as IISPs (that is, both commercial IISPs and non-commercial IISPs), and therefore are subject to this new regulation.

The new regulation is the first national level of regulation that provides a definition of "user personal information" and that contains specific obligations and liabilities of IISPs to protect user personal information. Specifically:

Definition of "User Personal Information": Under the new regulation, "user personal information" is defined as the information relevant to the users that can ascertain the identity of the users independently or in combination with other information.
Obligations and Liabilities of IISPs: IISPs are prohibited from (a) collecting user personal information or providing user personal information to third parties without the user’s consent; and (b) collecting information that is not necessary to provide their services, or using user personal information for any purpose other than providing those services.
Additional Obligations: The new regulation requires IISPs to expressly inform the user of the method, content and purpose for collecting and processing personal information after consent for collection has been provided by the user. In addition, IISPs are required to properly safeguard personal information of users and take remedial measures to mitigate any harm resulting from actual or potential disclosure of the person information kept by IISPs. In the event of disclosure with potentially serious repercussions, IISPs must immediately report the event to the competent telecommunication authority and cooperate in any investigation conducted by the authority.
Penalties for Non-Compliance: The new regulation sets out penalties against non-compliance, including an official warning and possible concurrent fine of more than RMB 10, 000 but less than RMB 30, 000, and providing an announcement to the public.

The exponential increase in the ability of technology to collect and analyse personal data has seen a corresponding global response in the development of privacy and personal information protection laws and regulations. This new regulation is the most recent attempt by Chinese authorities to provide stronger protection for personal data collection for users in China, and will certainly come into play with the rapid growth in everything from targeted consumer advertising to cloud computing.

HHS Announces First Enforcement Action Resulting From Self-Reported HITECH Breach

marcy.wilder@hoganlovells.com (Marcy Wilder) — Wed, 14 Mar 2012 14:19:17 -0500

On March 13, 2012, the United States Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced its settlement with Blue Cross Blue Shield of Tennessee (BCBST). The settlement marks the first enforcement action resulting directly from the filing by a covered entity of a breach notification report required by the Health Information Technology for Economic and Clinical Health (HITECH) Act Breach Notification Rule.

Under the terms of the settlement, BCBST will pay HHS $1,500,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. Additionally, BCBST signed a corrective action plan (CAP) to address gaps in its HIPAA compliance program.

The settlement covers the October 2009 theft of 57 unencrypted hard drives from a data storage closet at a former BlueCross leased call center. The hard drives contained information about more than 1 million health plan members, including names, social security numbers and health plan identification numbers. The drives held audio and video recordings of customer service calls.

BCBST had relocated its staff from the call center earlier in the year, and surrendered most of the leased property – except for a network data closet – to a property management company. Notably, the network data closet was secured by biometric and keycard scan security with a magnetic lock and an additional door with a keyed lock, and the property management company continued to provide security services. The drives in the network data closet had been scheduled to be moved the first week of November 2009.

HHS found that BCBST failed to implement appropriate safeguards required by the HIPAA Security Rule, including (1) the failure to implement appropriate administrative safeguards by not performing the required security evaluation in response to operational changes, and (2) the failure to implement appropriate physical safeguards by not having adequate facility access controls.

In addition to the fine, the CAP requires BCBST to review, revise, and maintain its Privacy and Security policies and procedures to ensure they are consistent with HIPAA and include certain content specified by HHS, to conduct “regular and robust” trainings for all BCBST workforce members who have access to electronic PHI, to perform monitor reviews to ensure maintained BCBST compliance with the CAP, and to submit biannual reports to HHS.

The settlement demonstrates HHS’ continued commitment to actively enforcing HIPAA. In HHS’ press release announcing the settlement, OCR Director Leon Rodriguez stated that the Breach Notification Rule will serve as an “important enforcement tool” for HHS. He also emphasized the importance of covered entities having comprehensive HIPAA compliance programs.

The facts disclosed in the resolution agreement do not constitute the types of significant lapses in security practices typically associated with HHS security enforcement actions and could suggest increasing expectations by OCR regarding the types of administrative and physical safeguards required. It also suggests a more clear focus on process and documentation requirements, considering that the CAP requires a documented risk assessment, policies and procedures, training, and documentation of such training. Going forward, HIPAA covered entities and business associates are advised to ensure that their security compliance and training programs are documented in accord with the HIPAA Security Rule specifications.

Read the HHS Resolution Agreement.

Germany: Parliament Appoints Hogan Lovells Lawyer as Expert for Public Hearing Regarding Whistleblower Jurisdiction and Data Protection

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Wed, 07 Mar 2012 12:12:08 -0500

On March 5, 2012, the Committee of Labor and Social Affairs of the German Parliament (Deutscher Bundestag) held a hearing on a draft bill on whistleblowing (17/8567) introduced by the Social Democrat Party as well as on a proposal of the left-wing party DIE LINKE (17/6492). So far, Germany has not introduced specific whistleblowing statutes, but rather handles whistleblowing issues on a case law basis. The draft legislation presented contains extensive provisions protecting whistleblowers in German enterprises.

The Committee has appointed Hogan Lovells lawyer Tim Wybitul as official expert for a hearing on whistleblowing provisions. Tim has particular expertise in the field of German and EU data privacy. Among the other experts heard were representatives of the German employers' association, the Federation of German Trade Unions, and Josef Winter, Chief Compliance Officer and Klaus Moosmayer, Chief Counsel Compliance of Siemens AG, as well as other data privacy and employment law experts.

Most experts agreed that legislation protecting whistleblowers acting in good faith would be preferable to the current unsettled legal situation. At present, whistleblowers acting in good faith are protected by Section 612a of the German Civil Code, which generally prohibits retaliation against employees who lawfully exert their employee rights.

The draft legislation presented does not contain specific data privacy provisions, which was strongly criticized by several experts. There are few data processing issues in Germany which cause as much controversy as internal whistleblowing structures. Whistleblowing should be regarded as a means to demonstrate grievances, which is rightfully an issue of adherence to legal obligations and not of “telling on” or denouncing, which implicates the target’s ability to know and confront the accuser. However, because of concerns relating to the view of whistleblowing as denouncing, European and, in particular, German supervisory authorities for data protection often view internal whistleblowing structures implemented by enterprises with skepticism. For instance, German data protection supervisory authorities have published a working paper on internal whistleblowing structures, which states that information provided by whistleblowers on an anonymous basis should be permissible only under extraordinary circumstances. Moreover, the working paper states that the implementation of internal whistleblowing structures requires prior formal examination (Vorabkontrolle) by the internal data protection officer of the controller.

The German Federal Data Protection Act (Bundesdatenschutzgesetz – "BDSG") is counted among the strictest data privacy jurisdictions globally. The BDSG sees enterprises entertaining internal whistleblowing structures as data controllers responsible for the adherence to all applicable data privacy rules. The processing of personal data is generally prohibited by the BDSG, unless the processing is justified by German or EU statutory provisions. Sarbanes Oxley reporting obligations or other foreign statutes are not regarded as permission statutes in the light of the BDSG, but respective whistleblowing duties may be taken into account when applying German data privacy rules. In contexts other than whistleblowing rhe data subject may consent to the processing of his or her data, but this would require specific consent. So in the whistleblowing context, some view the subjects of whistleblowing complaints as having to provide consent to the processing of the personal data about them.

The processing of personal data of employees in the context of internal whistleblowing may be permitted by Section 32 BDSG, which requires a thorough balancing of interests in each individual case. Section 32 BDSG is generally considered to be too vague and imprecise to provide clear guidelines as to what data processing is permissible in a whistleblowing context. Hence, under currently applicable German data privacy laws, the permissibility of each instance of data processing involved in operating an internal whistleblowing system needs to be thoroughly analyzed. This pertains, in particular, to whistleblowing structures permitting cross border transfer of personal data outside the EU, which are highly criticized by German data protection supervisory authorities. A draft bill on employee data protection by the German Government is expected to be enacted in 2012 – unfortunately this draft bill does not cover data privacy in internal whistleblower structures.

In light of the described unclear legal position with regard to the compliance of internal whistleblowing structures with German data privacy law, several experts strongly suggested that any German whistleblowing regime should describe permissible processes and clear guidelines for the implementation and operation of whistleblowing structures.

The German Parliament is going to deliberate on the opinions provided during the Committee hearing before deciding on how to proceed with the draft legislation.

Hogan Lovells Submits Comments on Proposed EU Regulation to UK Ministry of Justice

christopher.wolf@hoganlovells.com (Christopher Wolf ) — Tue, 06 Mar 2012 07:48:37 -0500

The United Kingdom Ministry of Justice is engaged in a consultation on the impact of the proposal of the European Commission for a Data Protection Regulation to replace the EU Directive and implementing legislation, and solicited submissions by 6 March. On 29 February 2012, Hogan Lovells held a session in London for clients where we sought and obtained views on the impact of the proposals made by the European Commission for a new Data Protection Regulation. Yesterday, the firm made a submission to the Ministry of Justice on the proposed Regulation. This document contains a distillation of our own observations and comments made to us by clients since the proposals first became public knowledge.

A copy of the submission is available here.

In the submission, we address many aspects of the proposal of the European Commission, including the costs of compliance, impact assessments, the "right to be forgotten," data portability, international transfers, data breaches, jurisdiction and penalties.

This project was initiated and organized by London data protection partner Quentin Archer, with contributions by London partner Roger Tym, Paris partner Winston Maxwell and other lawyers in the firm's privacy practice.