HL Chronicle of Data Protection

Upcoming Compliance Deadline for Massachusetts Service Provider Contracts

eric.bukstein@hoganlovells.com (Eric Bukstein) — Fri, 27 Jan 2012 05:30:11 -0500

This blog entry was contributed by Kate Abramson, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office.

Massachusetts information security regulations (“Standards for the Protection of Personal Information of Residents of the Commonwealth”) took effect on March 1, 2010. In approximately five weeks, covered companies face a compliance deadline relating to their third party service provider contracts.

To reduce the risk of data breaches involving third-party service providers, the regulations require companies to take reasonable measures to select vendors capable of “maintaining appropriate security measures to protect such personal information consistent with [the] regulations and any applicable federal regulations.” Furthermore, the regulations mandate that companies contractually require their service providers to safeguard personal information in accordance with the Massachusetts regulations and applicable federal requirements.

The contract provision includes a grandfather clause, providing that all contracts entered into before March 1, 2010 are exempt from complying with this requirement until March 1, 2012.

Accordingly, companies that own or license personal information of Massachusetts residents must ensure they have specifically contracted with their service providers to implement and maintain such security measures before the pending deadline.

While the regulations only affect companies possessing personal information of Massachusetts residents, companies outside the scope of these regulations should nonetheless consider amending their contracts in conformity with the Massachusetts regulations to ensure that service providers are aware of their obligations to safeguard personal information.

VIDEO: In Honor of Data Privacy Day, Hogan Lovells Privacy Lawyers Talk About the Year Ahead in Privacy

ian.macfarlane@hoganlovells.com (Ian MacFarlane) — Thu, 26 Jan 2012 05:30:46 -0500

Happy Data Privacy Day to all!

Privacy Torts in Canada and the International Convergence of Privacy Law

daniel.solove@hoganlovells.com (Daniel Solove) — Wed, 25 Jan 2012 17:59:39 -0500

In a recent case, the Court of Appeal for Ontario, Canada recognized the privacy torts that are widely-recognized in the United States. Many foreign common law jurisdictions, including the United Kingdom and other countries, have steadfastly refused to recognize the privacy torts spawned by the 1890 law review article by Samuel Warren and Louis Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890). These torts – intrusion upon seclusion, public disclosure of private facts, false light, and appropriation of name or likeness – are known collectively as “invasion of privacy.” In the case of Jones v. Tsige, 2012 ONCA 42 (Jan. 18, 2012), the Court of Appeal for Ontario finally recognized the US privacy tort of intrusion upon seclusion – intentionally intruding upon a person’s seclusion or solitude, or into his private affairs.

In the UK, courts have continued to reject the Warren and Brandeis privacy torts, and instead embrace a different tort known as breach of confidence. Nevertheless, courts in the UK have stretched the breach of confidence tort in the past decade to quite closely resemble the US privacy torts. See Neil M. Richards & Daniel J. Solove, Privacy's Other Path: Recovering the Law of Confidentiality, 96 Geo. L.J. 123 (2007). And in the US, the breach of confidentiality tort (the US analogue to the breach of confidence tort) has been developing rapidly during the last two decades. The result is that privacy tort law in the US and UK is converging.

Canadian tort law is converging too, as demonstrated by Jones. In Jones, Tsige and Jones both worked at the Bank of Montreal, but they didn’t know each other. Tsige began a relationship with Jones’s former husband. Tsige began to access Jones’s personal bank accounts many times during a 4-year period. The court, in recognizing a cause of action for intrusion upon seclusion, noted several Ontario cases, provincial case law, legislative enactments, and Charter law to reach the conclusion that “the time has come to recognize invasion of privacy as a tort in its own right.”

The recognition of the US privacy torts by a Canadian court is further demonstration of a general trend – the convergence of privacy law across countries around the world. Although profound differences in the law remain between countries, there has also been significant convergence. Although Professor James Whitman famously argued that cultural differences would make harmonization of privacy law between the US and EU practically impossible, see James Q. Whitman, The Two Western Cultures of Privacy: Dignity Versus Liberty, 113 Yale L.J. 1151 (2004), both the US and EU and most of the rest of the world have embraced the Fair Information Practices (FIPs) as the cornerstone of their approach toward to protecting privacy. The FIPs emerged in the US and were more widely and comprehensively adopted in the EU, but much US privacy legislation embodies some of the FIPs.

And the convergence is increasing. More gaps continue to get filled in US privacy legislation. States in the US have taken the lead in data security notification legislation, and other countries are beginning to follow suit – as is the federal government with the new HITECH data security breach notification requirements.

Slowly, the privacy law of many countries is beginning to converge, with different countries adopting each other’s legal approaches to privacy issues. The US has often been left out of the process, often not perceived by other countries as a leader in privacy law. Although the law of the US has many significant problems, and it is lagging behind the law of many countries in many dimensions, there are areas where the US law is still looked to for guidance. Data security breach notification is one such area, as is the tort law of privacy. With creative, practical, and effective laws, the US can once again take a more active leadership role in the international law of privacy. And taking such a role is important, for the US can add a pragmatic perspective to other regulatory approaches. But to have other nations embrace such pragmatism, US privacy law must be more vigorous and effective. Strengthening US privacy law might in the short term lead to more regulatory burdens on industry, but it might also work to industry’s benefit in the long run by enhancing the US’s leadership role in privacy and by having an increased influence on foreign regulation.

European Commission Releases Official Draft of Groundbreaking Data Protection Regulation

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Wed, 25 Jan 2012 10:43:04 -0500

This blog post was provided by Quentin Archer, a partner in the London office of Hogan Lovells

The European Commission today published its proposal for a new Data Protection Regulation. The Regulation, which is not likely to come into force before 2014, is intended to harmonise data protection law in all 27 EU Member States and thus remove current differences which have proved problematic for business and individuals. Upon final passage of the Regulation, the current 1995 Data Protection Directive will be repealed.

Though considerably longer than the 1995 Directive, the Regulation does not provide a complete code. Much will be left to detailed legislation delegated to the Commission which will no doubt emerge over the next two years.

Key features of the new Regulation include the following:

Individuals and organisations will only need to deal with one supervisory authority, located in the country of their main establishment or residence, rather than the fragmentary jurisdiction currently provided by the Directive. The Commission has heralded this as providing a "one-stop shop."
Organisations outside the EU will be subject to its provisions if they process personal data to offer goods or services to EU residents, or monitor their behaviour. If they are subject to its rules, then subject to certain exceptions they must appoint a representative.
A new principle of accountability will require data controllers to demonstrate their compliance with the law by maintaining extensive documentation on their processing, implementing appropriate security requirements and performing impact assessments when required. This replaces the current requirement of notification. While this removes one bureaucratic procedure, it appears to replace it with something no less time consuming.
Organisations with more than 250 employees will need to appoint independent data protection officers whose principal task is to monitor the data processing of the organisation.
There are new rights to have data deleted (the "right to be forgotten") and to move data from one service to another ("data portability") which will have a particular effect in relation to social media.
Obligations to provide information to data subjects, and to document that information, are expanded and enhanced.
Data breaches must be reported to supervisory authorities without undue delay and where feasible within 24 hours. Serious breaches must also be reported to individuals affected.
Binding corporate rules are expressly recognised in the Regulation as an appropriate form of compliance for international transfers. They will be subject to approval by only one supervisory authority, thus shortening the current very long approval process.
Where consent is to be a ground for data processing, it must be explicit. Implied consent will no longer be possible. Once given, consent can be withdrawn at any time.
Fines may be imposed by supervisory authorities for breaches, reaching up to 2% of an organisation's annual turnover in the most serious cases.

An earlier draft of the Regulation was leaked in late November, and there are several differences between that draft and the final version. In particular, there is no requirement for consent to direct marketing in all cases, no provision that compliance with orders of non-EU courts for production of personal data will be unlawful without official sanction, no minimum fines, and the maximum fine is 2% of turnover rather than 5%. In her press conference today, however, Vice-President Viviane Reding, EU Commissioner for Justice, denied that there had been any watering down of her own initial proposals.

The draft Regulation now has to enter the political process of the EU Co-Decision Procedure under which agreement will need to be reached between the European Parliament and the Council. There is no certainty as to how long that process may take, but there will undoubtedly be considerable debate over the coming months.

Supreme Court Decision in Warrantless GPS Tracking Case Offers Little Guidance in Consumer Privacy Context

christopher.wolf@hoganlovells.com (Christopher Wolf ) — Tue, 24 Jan 2012 07:04:50 -0500

Sometimes Fourth Amendment cases (which by definition arise in a governmental context) have implications for consumer privacy law since the "reasonable expectation of privacy" analysis can be employed in both areas. Yesterday's U.S. Supreme Court 9-0 ruling in United States v. Jones that the warrantless attachment of a GPS device to a car for monitoring purposes violated the Fourth Amendment offers little guidance in the consumer privacy context as the majority of the Court did not rely on an "expectation of privacy" analysis. The Court's main opinion, written by Justice Scalia, focused on narrow issue of whether there was a trespass when the GPS device was attached to the suspect's car. Concluding that a trespass occurred, the majority of the Court found that a warrant was required under the Fourth Amendment. Justice Scalia delivered the opinion of the Court in which Chief Justice Roberts, and Justices Kennedy, Thomas and Sotomayor joined. Justice Sotomayor wrote her own concurring opinion and Justice Alito filed an opinion concurring in the judgment in which Justices Ginsburg, Breyer and Kagan joined.

The main opinion of the Court chose not to address the issue of whether the suspect had a reasonable expectation of privacy not to be monitored, which was another available avenue of analysis. Justice Alito said: "I would analyze the question presented in this case by asking whether respondent's reasonable expectations of privacy were violated by the long-term monitoring of the movements of the vehicle he drove." And Justice Sotomayor in her concurrence illustrated how far the Court could have gone to address the "reasonable expectation of privacy" issue:

[I]t may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. (citation omitted). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. Perhaps, as Justice Alito notes, some people may find the “tradeoff” of privacy for convenience “worthwhile,” or come to accept this “diminution of privacy” as “inevitable,” and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year. But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection. Smith, 442 U. S., at 749 (Marshall, J., dissenting) (“Privacy is not a discrete commodity, possessed absolutely or not at all. Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes”); see also Katz, 389 U. S., at 351–352 (“[W]hat [a person] seeks to preserve as private, even in an area accessible to the public, may be constituttionally protected”).

Had the Court engaged in a "reasonable expectation of privacy" analysis, that could have had an impact on the use of tort and consumer protection law to pursue privacy claims. One could imagine the FTC declaring "unfair" under Section 5 the kind of data use deemed to have violated a reasonable expectation of privacy under the Fourth Amendment.

Announcement from European Commission on Comprehensive Data Protection Reform Coming Wednesday

christopher.wolf@hoganlovells.com (Christopher Wolf ) — Mon, 23 Jan 2012 09:45:41 -0500

Despite suggestions that the European Commission proposal for a comprehensive reform of EU data protection rules would be delayed until the Spring, an announcement is scheduled for this Wednesday, January 25 at 12:30 PM CET (6:30 AM EST). The press conference with Viviane Reding, Vice-President of the European Commission in charge of Justice will be live streamed here.

It appears that the requirement for notice within 24 hours of a data security breach will be part of the proposal despite objections based on experience with the 49 jurisdictional data security laws in the United States that it is often impossible to assess much less notify within such a short time-period. Also, the potential financial penalty of up to 5% of an entity's global world-wide turnover for violations of the privacy regulation was a subject of enormous controversy when leaked; it now appears that the upper limit of the financial penalty will be 2%, which is still a very significant amount.

In a speech on Saturday to the Digital Life Design conference in Munich, Ms. Reding previewed what the Commission's proposals will include. (A link to a video of her speech is here.)

Some excerpts, as reported by the Wall Street Journal Tech Europe blog -- Here, Ms. Reding speaks of the change to a regulation from a directive:

A company will have to comply with one law for the whole of the EU territory. It will only have to deal with one single data protection authority. It will be the data protection authority of the member state in which the company has its main establishment. It will not matter anymore which data protection authority deals with a case. All data protection authorities in whatever EU country will have the same adequate tools and powers to enforce EU-law.

On international data transfers:

It seems odd that data held by a European company is adequately protected whilst it is inside the borders of the European Union, but not when it is transferred to a different part of that same company in Asia or South America.

In the Internet age, data protection laws need to take account of this global dimension. If they only focus on the activities of a company within a given country, they will not reflect reality.

I therefore want to improve the current system of binding corporate rules to make these exchanges less burdensome and more secure.

On individual control of data:

First, people need to be informed about the processing of their data in simple and clear language. Internet users must be told which data is collected, for what purposes and how long it will be stored. They need to know how it might be used by third parties. They must know their rights and which authority to address if those rights are violated.

Second, whenever users give their agreement to the processing of their data, it has to be meaningful. In short, people’s consent needs to be specific and given explicitly.

Thirdly, the reform will give individuals better control over their own data. I will include easier access to one’s own data in the new rules. People must be able to easily take their data to another provider or have it deleted if they no longer want it to be used.

And on the right to be forgotten:

The right to be forgotten is of course not an absolute right. There are cases where there is a legitimate and legally justified interest to keep data in a data base. The archives of a newspaper are a good example. It is clear that the right to be forgotten cannot amount to a right of the total erasure of history. Neither must the right to be forgotten take precedence over freedom of expression or freedom of the media.

The announcement from the European Commission comes as the world marks Data Privacy Day. On its part, the Commission produced this video which focuses on an individual's responsibility to keep certain life details private in light of the harm to career that is possible from too much information being shared.

Noteworthy Data Privacy Day Program to be Live-Streamed on January 26

christopher.wolf@hoganlovells.com (Christopher Wolf ) — Fri, 20 Jan 2012 09:20:29 -0500

In honor of Data Privacy Day, the National Cyber Security Alliance and Facebook will present a live-streamed program on Thursday, January 26 at 9:30 a.m. ET at the George Washington University Law School.

"The Intersection of Privacy & Security of Privacy & Security" will feature:

The Honorable Julie Brill, Commissioner, Federal Trade Commission

Rick Buck, Head of Privacy GSI, eBay

Erin Egan, Chief Privacy Officer, Policy, Facebook

David Hoffman, Director of Security Policy and Global Privacy Officer, Intel

Gerard Lewis, Vice President, Deputy General Counsel & Chief Privacy Officer, Comcast

Ari Schwartz.Senior Policy Advisor, Office of the Secretary, U.S. Department of Commerce

JoAnn C. Stonier, Global Privacy & Data Protection Officer, MasterCard Worldwide

Bob Quinn, Senior Vice President-Federal Regulatory & Chief Privacy Officer, AT&T

Moderator: Christopher Wolf, Director Hogan Lovells Privacy and Information Management practice; Founder/Co-Chair, Future of Privacy Forum

To RSVP for the event, please click here.

On the day of the event, you can view it live here.

Spanish Data Protection Authority Launches Public Consultation on Cloud Computing

gonzalo.gallego@hoganlovells.com (Gonzalo Gallego) — Tue, 17 Jan 2012 09:34:27 -0500

By Pablo Rivas in our Madrid Office

Following the example of the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés or CNIL), the Spanish Data protection Authority (Agencia Española de Protección de Datos or AEPD) has opened a public consultation on cloud computing to learn the opinions and experiencse of service providers and users.

Interested parties have until January 27 to submit their comments. This public consultation is an good opportunity to enhance the AEPD's understanding of problems on data protection arising from cloud computing and may also help the AEPD find viable solutions and alternatives for data protection compliance within the cloud computing encironment.

Interested parties can participate in the public consultation by fulfilling and online form (in Spanish) accessible by the AEPD's website, www.agpd.es.

We will keep you posted on the conclusions of this public consultation of the AEPD.

California Attorney General Launches On-line Breach Reporting Form

candace.martin@hoganlovells.com (Candace J. Martin) — Fri, 13 Jan 2012 10:14:32 -0500

The California Attorney General recently launched an on-line form for businesses to report breaches of security. Effective January 1 of this year, any person or business who issues a breach notification to more than 500 California residents as a result of a single breach is required under the California breach law ((California Civil Code s. 1798.29(a) and California Civ. Code s. 1798.82(a)) to submit notice of the breach to the California Attorney General. The form requires businesses to upload a copy of a sample breach notification form and to submit additional information related to the breach, including:

· The Date of the breach

· Date notice was provided to affected individuals

· Type of personal information involved

· Type of breach

In addition to the on-line reporting form, the new site also includes a section where residents can view a listing of all breaches that have been submitted to the Attorney General’s office.

European Data Protection Supervisor Releases "Inventory" of 2012 Priorities

bret.cohen@hoganlovells.com (Bret Cohen) — Tue, 10 Jan 2012 16:09:40 -0500

On January 10, Peter Hustinx, the European Data Protection Supervisor (EDPS), released his annual "Inventory" of issues of strategic importance for 2012, along with an annex of the relevant Commission proposals and other documents that have been recently adopted or otherwise require the attention of the EDPS. The strategic proposals can be grouped into four main categories:

Towards a new legal framework for data protection. The European Commission has almost finalized its proposal for a new legislative framework, a draft of which was disclosed last month and which is likely to be published by the end of January. Hustinx will issue an opinion on the legislative proposal in early 2012, closely follow the review process, and continue to fulfill his advisory role throughout the legislative process by intervening at the appropriate stages.
Technological developments and the Digital Agenda, IP rights, and Internet. Of the European Commission's work in the area of new technologies, Hustinx will focus on the policy issues of Internet monitoring, IP enforcement, and takedown procedures (focusing on IP rights and privacy); cloud computing services (focusing on jurisdictional issues); e-Health; and a pan-European framework for electronic identification, authentication, and signature (focusing on e-security and privacy by design).
Further developing the Area of Freedom, Security, and Justice. The items in this area at the top of Hustinx's agenda are immigration, border control, anti-terrorism, and internal security strategy, focusing on ensuring the right balance between privacy and security.
Financial sector reform. Hustinx plans to issue a package of opinions on data protection issues with legislative proposals concerning the regulation and supervision of financial markets and actors, including the legislative package for the revision of the banking legislation; the market abuse regulation; the regulation and the directive on markets in financial instruments; and the revision of the credit rating agencies regulation.

Hustinx also identified trends of focus for 2012, which include:

Employment of effective information-gathering and investigative tools by administrative authorities (both EU and national).
Significant exchanges of information between national authorities, quite often involving EU bodies and large-scale databases (with or without a central part) of increasing size and processing power.
Developments in the field of technology, mainly due to the widespread use of the Internet and geolocation technologies.

The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies, focusing on monitoring the EU administration's processing of personal data; advising on policies and legislation that affect privacy; and cooperating with similar authorities to ensure consistent data protection. Hustinx is serving a five-year term as the EDPS, which expires in 2013.

Announcing Our New Hogan Lovells Privacy Partner Tim Tobin

christopher.wolf@hoganlovells.com (Christopher Wolf ) — Wed, 04 Jan 2012 11:36:37 -0500

We are delighted to announce that Tim Tobin, a key player in the Hogan Lovells Privacy and Information Management practice, has become a partner at our firm.

Tim Tobin’s entire professional career, even before law school, has had a privacy law focus. As an early practitioner in the relatively new field of privacy law, Tim has established himself as a "go-to guy" in the entire range of privacy law.

Tim graduated from the George Mason University School of Law in May 2001 in the top 10% of his class, magna cum laude. Tim attended the evening program at George Mason law, working full time throughout law school. At law school, he was on the Law Review and served as Articles Editor of the Law Review.

Tim had a professional career prior to, and during law school. He worked at the U.S. Parole Commission within the U.S. Department of Justice, from 1992 to January 2000. It was in this government job that Tim first became familiar with, and handled privacy issues relating to the Freedom of Information Act (FOIA), the Privacy Act, and similar issues relating to victim privacy and Government records.

Tim joined Hogan Lovells practice director Chris Wolf at their previous firm, after a stint at a communications law-focused firm, and he assisted in all manner of privacy and data security issues for clients. At the previous firm, Tim served as senior editor of a comprehensive legal treatise on privacy law published by the Practising Law Institute (PLI) that has been highly praised.

Throughout his legal career, Tim has focused on a wide range of privacy and data security law matters. He provides compliance counselling to clients on the wide array of privacy and data security laws, and is deeply experienced in litigation, regulatory agency investigations, agency rulemaking processes, and public policy issues. Tim has worked with clients across a range of industries including those involved with the Internet, new media and communications as well as financial services, airlines, hotel, transportation, sports and entertainment, among many others.

Tim writes and speaks frequently on privacy law topics, including recently at the Los Angeles Auto Show on the topic of new automobile technologies and privacy. He is the Smart Grid expert for the Future of Privacy Forum, and he leads the firm's pro bono efforts in a new privacy pro bono initiative spearheaded by IBM and the IAPP.

Tim has distinguished himself by his prodigious work ethic, his comprehensive knowledge of privacy law which he translates into thorough and practical advice for clients, and for his strategic insights on contested matters. He also is known as a really nice guy.

We are delighted to announce his advancement to partner.

Google's Peter Fleischer: "A lot more privacy enforcement actions in 2012. And the sanctions are going to go through the roof."

christopher.wolf@hoganlovells.com (Christopher Wolf ) — Tue, 03 Jan 2012 15:28:41 -0500

Federal Trade Commissioner Julie Brill frequently has commented that when it comes to privacy enforcement, more "cops on the beat" is better. In today's guest blog, reprinted with permission from the blog of Google's Global Privacy Counsel Peter Fleischer, the spectre of multiple privacy enforcement authorities with substantial fining authority is raised:

When Apollo wanted to stop Laokoon from warning the Trojans that there were Greek soldiers in the famous Trojan Horse, he sent two giant snakes to kill Laokoon and his sons. Talk about sanctions! Have we considered using killer snakes to punish data protection violations and to discourage future bad practices?

Since 2012 has now begun, here's a prediction about the future: there's going to be a lot more privacy enforcement actions. By a lot of different government authorities, not just DPAs. And the sanctions/damages are going to go through the roof. Indeed, it's not easy to keep track of which government officials are in charge of data protection enforcement actions. There are a lot of them.

We all think of Data Protection Authorities, and similar bodies, like the Federal Trade Commission, as responsible for enforcing privacy laws. These bodies around the world have vastly different enforcement powers, investigative cultures, and sanctions traditions, even within Europe. Some, like the Spanish DPA, impose a lot of large fines. Others, like the French CNIL, imposed only 5 financial sanctions in an entire year. The largest fine the CNIL has issued in its entire history was 100,000 euros.

And yet others, like the Belgian DPA, don't have the legal power to impose fines at all. Other DPAs hardly ever use sanctions at all, in the classic sense, other than press releases and "name and shame" tactics. Moreover, in recent years, the US Federal Trade Commission has been moving in a different direction, namely negotiating consent decrees that are forward-looking, 20-year commitments for particular companies to abide by certain privacy standards and be subject to regular audits.

But if the plethora of DPAs and their varied enforcement practices were not divergent enough, privacy enforcement is by no means limited to these specialist regulators. In the US, the individual State Attorneys General regularly bring privacy actions. There's also an entire industry of US privacy-based class actions which has sprung up in the last few years.

Moreover, in many countries, privacy laws have been inscribed into the penal codes. Consequently, any criminal prosecutor can bring such privacy penal actions. For example, my prosecution and conviction in Italy for a "privacy violation" was brought by a Milanese public prosecutor and imposed by a criminal judge.

In the future, the proliferation of the numbers of authorities who can bring privacy enforcement actions is likely to increase. First, more and more countries are creating data protection authorities, e.g., roughly a dozen new ones have been created across Latin America and Asia in the last year.

And in Europe, where class actions generally don't exist and don't fit into the existing legal framework, there are now serious proposals to create mechanisms for "collective redress" of privacy claims. And of course, there have always been the normal judicial channels, where anyone can bring privacy claims against someone else if they feel their privacy has been violated. The numbers of such cases is also exploding around the world, especially as more and more data about people is collected, exchanged and published.

I regularly hear people claim that there's not enough legal enforcement of privacy. In some places, as a matter of practice, that may well be true. But there is no shortage of overlapping authorities with the power to bring or adjudicate privacy claims. Curiously, in privacy circles, most of the focus is on the enforcement actions of the DPAs. But in practice, the DPAs are just one of many different authorities who can and do bring privacy enforcement actions. And the trend is clearly going up, both in terms of the numbers of laws that can be violated, in terms of the severity of sanctions, in terms of the numbers of complaints that are brought, and in terms of the breadth of authorities who are involved in enforcing privacy.

The European Commission has proposed instituting new fines for data protection breaches ranging up to 5% of global turnover! To a global company, that's probably scarier than killer snakes.

(emphasis supplied)

For Auld Lang Syne: US President Recognizes "Privacy as a Cardinal Principle of American Liberty"

christopher.wolf@hoganlovells.com (Christopher Wolf ) — Fri, 30 Dec 2011 12:35:31 -0500

The year was 1974.

Happy new year to the readers of the Hogan Lovells Chronicle of Data Protection!

District Court Dismisses Most Claims Related to Heartland Data Breach

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Thu, 22 Dec 2011 10:09:53 -0500

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office

A federal judge dismissed all but one of the claims (PDF) brought against Heartland Payment Systems, a payment card processor, in a class action lawsuit stemming from a breach of Heartland’s computer systems, demonstrating that it may be difficult to hold companies legally responsible for breaches of their data. The plaintiffs of the class action lawsuit, nine financial institutions that issued payment cards to consumers affected by the breach, balked at Heartland’s settlement offers and instead sought relief from the court, alleging breach of contract, negligence, misrepresentation, and violations of several states’ consumer-protection statutes. Only the alleged violation of Florida’s consumer-protection statute survived Heartland’s motion to dismiss, an outcome which may deter future plaintiffs affected by data breaches from rejecting settlement offers to litigate their claims.

As early as December 2007, a ring of hackers, led by notorious cyber-criminal Albert Gonzalez, gained access to Heartland’s computer systems and installed programs that allowed them to obtain the payment-card information stored on those systems. The breach continued over the course of many months before Heartland discovered the rogue programs in January 2009, by which time the hackers had already obtained the payment-card information of approximately 130 million consumers.

As a result of the massive breach, one of the largest ever involving payment-card information, numerous lawsuits were filed against Heartland by both consumers whose payment-card information was compromised and financial institutions that issued payment cards to the affected consumers. Those lawsuits were consolidated and split into two tracks, one that addressed the claims of the consumers and one that addressed the claims of the financial institutions.

Heartland has settled the majority of the lawsuits stemming from the breach. Last year, Heartland settled the consumers’ claims, agreeing to pay up to $175 to each consumer to cover out-of-pocket expenses and charges incurred due to the breach and up to $10,000 to victims of identity theft resulting from the breach. Heartland also agreed to settlements with the four major payment card brands and the financial institutions that utilize their networks to issue credit to consumers, agreeing to pay $3.6 million to American Express, $60 million to Visa, $41.1 million to MasterCard, and $5 million to Discover. However, the financial institutions were not bound by these settlements unless they chose to accept their terms. Although most financial institutions did so, some determined that the proposed settlements did not adequately cover their losses from the breach and instead elected to reject the settlements and litigate the matter.

The resulting litigation is an on-going class action lawsuit against Heartland. The financial institution plaintiffs alleged that the breach of Heartland’s computer systems resulted from Heartland’s failure to adequately safeguard its computer systems and caused the plaintiffs to incur significant expenses replacing credit and debit cards and reimbursing fraudulent transactions. The financial institution plaintiffs’ complaint (PDF) asserted claims for breach of contract and implied contract; negligence and negligence per se; negligent and intentional misrepresentation; and violations of the consumer-protection statutes in California, Colorado, Florida, Illinois, New Jersey, New York, Texas, and Washington.

In a December 1, 2011 opinion, Judge Lee Rosenthal of the U.S. District Court for the Southern District of Texas granted Heartland’s motion to dismiss (PDF) with respect to all but one of the claims asserted by the financial institution plaintiffs. Judge Rosenthal dismissed the contract claims due to the fact that the plaintiffs were: (1) not in a direct contractual relationship with Heartland; (2) not third party beneficiaries of Heartland’s contracts with other banks; and (3) not entitled to consequential damages. He dismissed the negligence claims because the plaintiffs’ damages were solely economic in nature and thus barred by the economic loss doctrine. The consumer-protection claims were dismissed for various reasons including that the plaintiffs were not “consumers” protected by the state statute.

Heartland’s alleged violation of the Florida Deceptive and Unfair Trade Practices Act (FDUTPA) was the lone claim that survived Heartland’s motion to dismiss. Heartland argued in its motion to dismiss that the plaintiffs lacked standing to assert a claim under the FDUTPA because only consumers, as the word is traditionally used, may assert such claims. In denying Heartland’s motion to dismiss, Judge Rosenthal highlighted that in 2001 the Florida Legislature amended the statutory provision that creates a private right of action for violations of the FDUTPA to use the word “persons” instead of “consumers” when identifying who may bring a claim. To this point, he stated that the “Florida Legislature’s use of word ‘person’ in creating a private right of action suggests a broader reach than the word ‘consumer.’”

Although all of the plaintiffs’ other claims were dismissed, the court granted the plaintiffs leave to amend their claims for breach of contract and implied contract (but only in certain limited situations); express misrepresentation; negligent misrepresentation based on nondisclosure; and violations of the California, Colorado, Illinois, and Texas consumer-protection statutes. However, the claims for negligence and violations of the consumer-protection statutes in New Jersey, New York, and Washington were dismissed with prejudice and without leave to amend. The plaintiffs must file the amended complaint by December 23, 2011.

Invitation to January 12 Event for Bay Area Readers of the HL Chronicle of Data Protection

christopher.wolf@hoganlovells.com (Christopher Wolf ) — Wed, 21 Dec 2011 10:57:04 -0500

We are pleased to invite Bay Area readers of the Hogan Lovells Chronicle of Data Protection to a morning event in Palo Alto on January 12, 2012, "Privacy and Information Management: A Global Perspective on What Businesses Should Expect in 2012."

Change is in the air for privacy law and regulation worldwide. The privacy practice at Hogan Lovells spans the globe across our 40 offices in the United States, Europe, Latin America, the Middle East, and Asia. This program will reflect the perspectives of the lawyers in our worldwide privacy practice, and will present the viewpoints of U.S. leaders from the Federal Trade Commission, a prominent technology-focused NGO, and academia, as we take a look back at privacy law developments in 2011 and take stock of the expected developments and focus on privacy law in 2012.

The program will feature FTC Commissioner Julie Brill, Jim Dempsey from the Center for Democracy and Technology and Ryan Calo from the Stanford Law School Center for Internet and Society. It will be moderated by Hogan Lovells Privacy and Information Management practice directors Marcy Wilder and Chris Wolf.

If you would like an invitation to register for this event, please contact justin.portaz@hoganlovells.com

Privacy of Private Pilots Upheld

christopher.wolf@hoganlovells.com (Christopher Wolf ) — Mon, 19 Dec 2011 14:01:43 -0500

A serious challenge to the personal privacy of private aviators was averted on December 1st, when the Federal Aviation Administration (FAA) rescinded a rule that would have terminated a long-standing procedure whereby private pilots were permitted to shield their flights from real-time flight tracking information made available to the public.

The National Business Aviation Association (NBAA) filed comments opposing the change as out of step with mainstream government policy regarding personal privacy. Despite receiving hundreds of similar comments from the general aviation community, the FAA adopted the change as proposed. Henceforth, the only applicants eligible to shield their flights from public tracking would be those who could demonstrate a "valid security concern." Generalized concerns about personal privacy would no longer suffice, the agency said.

The NBAA joined forces with the Aircraft Owners and Pilots Association (AOPA) and challenged the new rule in the D.C. Circuit. In November, budget legislation covering the Department of Transportation (DOT) was enacted along with an amendment that prohibited the FAA from using appropriated funds to implement the new restrictions.

On December 1st – one day before a scheduled oral argument in the appeal – the FAA announced that it was rescinding the new rule in its entirety and on a permanent basis. The Federal Aviation Administration has announced that, effective immediately, those wanting to enroll aircraft in the Block Aircraft Registration Request (BARR) program would no longer need to provide a "valid security concern" in order to be included in the program.

Hogan Lovells represented the NBAA and the AOPA in this matter.

Article 29 Working Party Rebuffs European OBA Industry... Again

bret.cohen@hoganlovells.com (Bret Cohen) — Fri, 16 Dec 2011 16:27:08 -0500

In an opinion adopted on December 8, the EU Article 29 Working Party again rebuffed the Online Behavioral Advertising (OBA) industry’s self-regulatory proposal for the placement of cookies on European citizens’ computers for the purposes of targeted advertising while only providing notice and offering an opportunity to opt out of the tracking. If you didn’t catch it the first, second, third, or fourth time around, the Working Party again proclaimed that European law requires affirmative, opt-in consent prior to the placement of any cookie for tracking purposes. In this most recent opinion, the Working Party broke down the OBA industry proposal, and then—in a rebuttal of the industry’s contention that the opinion will result in the proliferation of dreaded browser pop-up windows—offered up a number of methods of obtaining consent not involving pop-ups.

What Went Wrong

Much of the opinion is dedicated to describing what elements of self-regulatory proposal, in the opinion of the Working Party, violate EU law, particularly in the areas of notice, choice, and data retention. Though some of these criticisms are not new, the Working Party crystallized its viewpoints on the issue, including the following.

(1) An icon accompanying targeted ads that is linked to the information website www.youronlinechoices.eu does not provide adequate notice.

In its June 2010 OBA opinion, the Working Party cited the use of contextual icons attached to ads that can be clicked to learn about cookies and express preferences as an example “which the Working Party finds both positive and necessary.” The current opinion, however, made clear that icons are not sufficient to provide notice because consumers today don’t know what they mean. That said, the Working Party recognized the usefulness of icons as a means to complement other forms of notice, but only after the user has provided consent to process data for OBA purposes (or if used to direct the user to a more fulsome mechanism to obtain consent). In that context, the Working Party suggested that the word “advertising” alongside the icon is not sufficient even to inform users that the ad uses cookies for OBA purposes, and stated “at minimum” the language should include the phrase “personalized advertising.”

The Working Party also took the opportunity to reiterate its position from its 2010 OBA opinion that at minimum, notice for OBA should include:

what entity is responsible for serving the cookie and collecting the related information;
that the cookie will be used to create profiles;
what type of information will be collected to build such profiles;
the fact that the profiles will be used to deliver targeted advertising; and
the fact that the cookie will enable the user’s identification across multiple websites.

(2) The use of an opt-out cookie is not sufficient to provide consent.

The industry proposal would permit consumers who visit the www.youronlinechoices.eu website to download an opt-out cookie to record their refusal to participate in OBA. In addition to criticizing the proposal for not following an opt-in approach, the Working Party noted other aspects of the opt-out system that it believed violated EU law, including that:

“it has been demonstrated that” ad networks continue to collect information from users’ computers even after the opt-out cookie is downloaded;
the approach does not offer the possibility of managing and deleting previously installed tracking cookies; and
the www.youronlinechoices.eu website itself contains links to a number of JavaScript functions that collect personal data (such as IP addresses) without consent.

(3) The notice to users lacks necessary provisions on the scope of data collection and data retention.

The Working Party took the position that notice to users about OBA must disclose how much data is collected by the different advertising networks, how long it is stored, and for what purposes it is processed. At minimum, the notice should address the period during which consent can be considered valid, and after which data must then be deleted.

What Went Right

The Working Party did commend the industry proposal in a couple areas. It noted the proposal’s “interesting approaches” on how to make consent mechanisms more effective, such as industry’s commitment to engaging in educational initiatives to inform individuals and businesses about OBA. The opinion also, unsurprisingly, welcomed the proposal’s principle that a user’s explicit consent is required prior to creating or targeting OBA segments that make use of sensitive data (i.e., data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sex life).

Suggestions for Consent

One of the most frequent complaints about the Working Party’s position on OBA has been that by requiring opt-in consent for targeted advertisements, users will be subjected to countless pop-up requests whenever a website wishes to place a cookie. The Working Party opinion attempted to dispel this notion by proposing a number of alternatives to or ways to mitigate the annoyance of pop-ups, including:

An opt-in cookie approach: Under such an approach, the first time a user visits a website served by an ad network, the ad network can display a message on the page prompting the user for consent to participate in OBA (the Working Party suggests that this message can be where the ad normally would appear). If the user then opts in, he or she can receive targeted advertising on all websites associated with that ad network without having to be prompted again for consent. If the user declines, the ad network should place an opt-out cookie.
A static information banner on the top of a website: Such a banner, like the one present on the website of the UK Information Commissioner Office, would request the user’s consent to set cookies, with a hyperlink to a privacy policy containing a full notice.
A splash screen upon entering a website: Users would be presented with the option to consent before entering the website, such as when breweries require users to confirm they are of age before they enter the site.
Click-to-consent: The Working Party singled out the method used by the German e-zine Heise that defaults a button associated with cookies to light grey. Only once the user clicks on and “activates” the button will the cookie be placed and the third party be able to send and receive user data. This process, however, would need to be transparent to users.
Browser plug-ins: Though the Working party repeatedly has said that browser settings permitting users to opt out of cookies are not sufficient to provide informed consent, it would support default opt-out browser settings accompanied by ad network plug-ins and extensions through which users would indicate their wish to opt in to online tracking. Interestingly, this is the polar opposite of the opt-out browser plug-ins available today, which assume tracking as the default and permit users to opt out of OBA.
Where a website uses several ad providers, group together all necessary consent requests in one presentation: This would the need for users to confront multiple, serial pop-ups. As an example, the Working Party cited the interface on www.youronlinechoices.eu, which provides a single interface to permit users to opt out of multiple ad networks.

The Working Party also noted that EU law does not require informed consent for certain cookies necessary to facilitate the user’s requested services, such as session cookies, shopping basket cookies, and security cookies (though notice is required before placing these cookies). Therefore, no additional consent mechanisms are required to place these cookies.

Details of EU Data Protection Reform Reveal Dramatic Proposed Changes

bret.cohen@hoganlovells.com (Bret Cohen) — Thu, 08 Dec 2011 06:35:03 -0500

EU privacy law is under scrutiny and proposals for change are coming. The European Commission (EC) last year announced an upcoming reform of the EU Data Protection Directive (95/46/EC), which was a hot topic of last week’s IAPP Europe Data Protection Congress in Paris (in which Hogan Lovells privacy lawyers from around the world participated). Changes are anticipated near the end of January. Some of the details of those changes, however, have emerged earlier than expected, as this week the EC circulated for comment two proposed legal instruments that likely will form the baseline of the EU’s data protection framework for years to come.

The first legal instrument is a draft General Data Protection Regulation, which sets forth a general framework for EU data protection and is intended to replace the 16-year-old Data Protection Directive with a region-wide regulation. The fact that the instrument is fashioned as a regulation is significant. Under EU law, regulations have binding legal force as soon as they are passed, whereas directives must be enacted into law by each individual EU Member State. A frequent criticism of the Data Protection Directive was that the EU Member States enacted and applied it differently, leading to uneven implementation and forum shopping. By changing the format to a regulation, there is less room for variation between the Member States, which in theory should lead to greater certainty for EU citizens and organizations.

The draft Regulation contains a number of significant changes to the Data Protection Directive, particularly in the areas of (1) jurisdiction, governance, and cross-border transfers, (2) data subject rights, (3) data controller/processor obligations, and (4) remedies, liability, and sanctions. These changes include:

Jurisdiction / Governance / Cross-Border Transfers

The declaration that EU data protection law applies to data controllers outside of the EU when processing activities are “directed to” or “serve to monitor the behaviour of” EU data subjects, including for commercial or professional services such as offering products or services. Factors to be considered when determining whether processing activities are “directed to” EU data subjects include (a) the international nature of the activities; (b) the use of a language or a currency other than the language or currency generally used in the country in which the controller is established; and (c) the use of a top-level domain (e.g., “.co.uk” or “.com”) other than that of the country in which the controller is established.
The use of Binding Corporate Rules (BCRs) to legitimize intra-company cross-border data transfers to countries without data protection laws deemed “adequate” by the EC would be streamlined and extended, including the use of BCRs to cover data processors and groups of companies, and with an eye to covering cloud computing. Unlike the current process, in which BCRs must be reviewed by at least three DPAs (one “lead” and two “reviewers”) and some Member States require additional authorization, BCRs would be validated only by one lead DPA. Once a BCR is validated by the lead DPA, it would be valid for the whole EU without needing authorization from any other Member State.
Each data controller or processor only will be subject to the enforcement jurisdiction of the one data protection authority (DPA) of the Member State in which the organization has its “main establishment,” which is where the organization’s “central administration” in the EU is located. This usually will be where the organization makes its management decisions regarding the purposes, conditions, and means of processing personal data.
DPAs would be obligated to carry out investigations and inspections upon request from other DPAs and to mutually recognize each others’ decisions. Rules are provided for joint operations and operations by one Member State within another Member State’s territory.
To ensure consistent application of the directive, the Article 29 Working Party would be updated to an independent “European Data Protection Board” that, in addition to its current duties, would have the authority to issue official opinions regarding the interpretation of the Regulation. These opinions would be subject to the review of the EC.

Data Subject Rights

To process personal data for any commercial direct marketing purpose, organizations would need to obtain the explicit, opt-in consent of the data subject.
Where consent is used to legitimize data processing (even outside the marketing context), it would need to be explicit, opt-in consent. Moreover, consent would not be valid where there is a “significant imbalance” in power between the data subject and data controller. The prime example of this is in the employment relationship. These rules essentially would be a codification of parts of this past summer’s Article 29 Working Party opinion on consent.
The creation of a “right to be forgotten” that would permit data subjects to request that data controllers erase all personal data relating to them and abstain from further disseminating that information, unless there are legitimate grounds to retain the data. In a particularly controversial portion of this proposal, data controllers would be required to “ensure the erasure of any public Internet link to, copy of, or replication of the personal data relating to the data subject contained in any publicly available communication service which allows or facilitates the search of or access to this personal data.” This proposal is in line with recent statements made by EU authorities regarding the retention of data on social networking sites. Some have doubted the ability to “ensure” such complete erasure, especially when much of the content on the public Internet is shared and backed up.
The creation of a right to portability, through which data subjects would be able to request a copy of their stored data and move it from one service provider to another, without hindrance.

Data Controller/Processor Obligations

Data controllers would be required to notify data breaches to both the individuals concerned and data protection authorities within 24 hours of the breach being discovered (although notification to individuals would be required only when the breach "is likely to adversely affect the protection of the personal data or privacy" of the individual, a limitation not present in obligation to notify the data protection authority). Currently, EU law only requires Member States to enact laws creating a breach notification obligation for telecommunications operators (which some Member States have yet to enact), although some Member States (such as Austria and Germany) do have security breach notification requirements for data controllers other than telecom operators.
Data controllers would be required to minimize the volume of personal data that they collect and process, and to set default settings so that user personal data will not be made public by default.
Data controllers and data processors would be required to appoint a data protection officer if (a) they employ over 250 employees or (b) their “core activities” require “regular and systematic” monitoring of data subjects.
Prior to processing personal data in a way that is “likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes,” organizations would be required to conduct a data protection impact assessment. The draft Regulation does not define exactly what processing would fall into this definition, though it does list a few examples that “likely” would, including (a) running automated models to analyze or predict a person’s performance at work, creditworthiness, economic situation, location, health, personal preferences, reliability, or behavior, where the result will affect the data subject; (b) the processing of certain types of sensitive data; (c) conducting video surveillance; and (d) utilizing large-scale filing systems containing genetic, biometric, or children’s data.
The elimination of the obligation of organizations to generally notify data protection authorities of any automatic processing of personal data, replacing it with an obligation to maintain documentation on processing operations under their responsibility.

Remedies, Liability, and Sanctions

Data subjects, and qualified public interest groups on behalf of data subjects or themselves, would have the right to lodge complaints either with DPAs or courts for violations of the Regulation. Currently, some Member States’ DPAs do not have such authority.
The creation of three levels of fines for intentional or negligent violations of the Regulation, with the maximum penalty for certain offenses being 5% of an organization’s annual worldwide turnover.

Besides the Regulation, the second legal instrument released is a draft Police and Criminal Justice Data Protection Directive. This directive sets forth rules relating to cross-border transfer and other processing of personal data for law enforcement purposes, with an eye toward facilitating the sharing of this information between law enforcement agencies while still complying with data protection law. Though this Directive is directed toward law enforcement and not the private sector, it does apply where personal data may be required and used by law enforcement authorities (e.g., data related to bank transfers, data collected when buying an airline ticket, traffic and telecommunications data), so it will have at least a tangential effect on the private sector.

Notably, these instruments are just preliminary drafts, and may differ when the EC releases the official drafts, which is still slated to happen in January. Even then, the drafts still will need to be debated and passed before coming into law, a process which is likely to at least a couple years. Therefore, there is still time for these legal instruments to be significantly modified before they are ultimately adopted.

IAPP Europe Data Protection Congress, Paris - Day 2 - Summary of Peter Hustinx' keynote address

lionel.desouza@hoganlovells.com (Lionel de Souza) — Wed, 07 Dec 2011 15:30:00 -0500

On the second day of the IAPP Europe Data Protection Congress held in Paris, France, the keynote speech was given by Peter Hustinx, the European Data Protection Supervisor.

In his address, Mr. Hustinx offered an opinion on where he thinks the revision of the European data protection framework is headed. Basing his remarks on a Stanford Law review article, "Privacy in the books and privacy on the ground," he advocated the revision of the European data protection framework which would provide innovative and efficient means to deliver privacy on the ground, by empowering data subjects and data protection authorities, as well as providing greater legal certainty for data controllers.

For the European Data Protection Supervisor, increased continuity of principles is to be expected from the revised framework , but it is thought that it will aim for innovation in the implementation of practices. This will, in all likelihood, lead to stronger roles for data controllers, data subjects and data protection authorities.

What it will mean for controllers, he continued, is that there will be a boost in responsibility as a result of the accountability principle. This new principle will certainly require the creation of internal roles, the implementation of internal procedures and independent audits, and the publication of those results. In this respect, Mr. Hustinx believes that privacy by design will be a feature of the new legislation and that general data breach notifications will form part of the project.

On the other hand, he stated that it seems logical and appropriate for there to be a "loosening" of the ex-ante controls by authorities.

On the data subjects' side, we should be expecting greater empowerment in the exercise of rights already granted and potentially the granting of "a few more rights."

For the authorities, he believes that the new framework should result in more effective supervision through uniform standards on independence and enforcement powers and topic selections. In this respect, the Article 29 Working Party (expect a name change!) will play a crucial role, providing greater transparency in its analyses.

Finally, he emphasised the importance of global cooperation and convergence in privacy standards and enforcement practices.

Answering questions from the audience, the EDPS stressed that, Privacy by Design would be happening and that data controllers should not ask themselves "What should I do?" but rather "do it and prove what [they] have done!". However, the concept of Privacy by Design will not be defined specifically or in any detail in the new legislation.

He also addressed questions regarding the role of data protection officers which he believes is bound to increase and become more and more strategic in order to evidence compliance with the accountability principle.

An injunction too far: The Court of Justice of the European Union (ECJ) rules out injunctions against ISPs that allow general filtering to prevent illegal downloading

winston.maxwell@hoganlovells.com (Winston Maxwell) — Mon, 05 Dec 2011 13:26:45 -0500

By David Taylor, Partner, Paris

In what is both a highly anticipated and expected ruling issued on 24 November 2011, the Court of Justice of the European Union (the "ECJ") has held that under EU law, a national court cannot impose an injunction requiring an ISP to install a wide ranging filtering system in order to tackle illegal downloading since such an injunction is incompatible with EU law and the associated limitations on intermediary liability.

The ECJ judged that European directives on E-Commerce, Copyright Harmonisation, Enforcement of Intellectual Property Rights and Data Protection can prevent National Courts from imposing general filtering measures on internet service providers ("ISPs") to block illegal downloading using peer to peer ("P2P") networks.

The ECJ ruling follows a request from the Brussels Appeal Court which had before it a case brought by the Belgian collecting society SABAM (Société Belge des Auteurs, Compositeurs et éditeurs) against Belgian ISP Scarlet Extended ("Scarlet").

The original case goes back a number of years now. In 2004, SABAM discovered that subscribers of Scarlet were using the ISP's services to illegally download, through P2P networks, protected works from its catalogue, without authorisation and without paying royalties. SABAM thus requested that a Belgian Court issue an injunction against Scarlet forcing it to implement all necessary measures to block any such downloading or uploading of illegal files via P2P networks without authorisation.

On 29 June 2007, the Brussels Tribunal of First Instance agreed with SABAM and granted this injunction. Scarlet immediately lodged an appeal on the basis that the Court was in fact imposing an obligation to monitor on them and that as such it was incompatible with the E-Commerce directive and fundamental rights.

The Brussels Appeal Court proceeded to ask the ECJ whether an injunction imposing such a filtering system was compliant with the provisions of various directives, namely the 2000 E-Commerce Directive[1], the 2001 Directive for Copyright harmonisation[2], the 2004 Directive on the Enforcement of Intellectual Property Rights[3], the 1995 Directive on Data Protection[4] and the 2002 Directive on Data Protection in the field of Electronic Communications[5].

In essence the Brussels Appeal Court sought guidance as to whether these directives could be interpreted as allowing a national court to order an ISP to implement a general filtering system as a preventive measure, at its own cost and for an indefinite period, thereby monitoring all electronic communications across its network between all its subscribers.

The ECJ found that the system as described would require the ISP in question to engage in an active observation of the entirety of the data traffic on its network and that a ruling imposing such an obligation would constitute a breach of article 15 of the 2000 E-Commerce directive which prohibits European Union Member States from imposing general monitoring obligations on ISPs.

In addition to this analysis, the ECJ underlined that whilst intellectual property rights had to be protected as part of the property right established by the Charter of Fundamental Rights of the European Union, a balance had to be struck between this and the preservation of other fundamental rights.

In this respect, the Court found that the implementation of a filtering system similar to the one requested by SABAM would restrict the freedom of the ISP concerned to conduct its business, and that the immense complexity and costs associated with the implementation of the system contradicted the provisions of the Directive on the Enforcement of Intellectual Property Rights. In addition the ECJ also held that the effect would not be limited to the ISP but could also affect the fundamental rights of internet users' rights namely their right to the protection of their personal data and right to receive or impart information and communicate freely since the system would, in all likelihood, not allow for the necessary level of granularity sufficient to distinguish between files exchanged legally and illegally, catching in its net both categories of files, regardless of their status. The Court emphasized that users' freedom of expression rights were affected only insofar as the system might block lawful communications, such as exchanges of copyright-protected works that are legal under a statutory exception to copyright. Right holders will applaud this decision for indirectly confirming that illegal file transfers are in no way protected by the fundamental right to freedom of expression. While this principle seems obvious, it is often overlooked in the net neutrality debate.

Privacy law observers will be disappointed by how little attention the court pays to privacy law. The court simply states that users' privacy rights will be affected, and then moves on to discuss freedom of expression. One of the most complex issues in the fight against illegal content is how to balance potential infringements of data protection and privacy rights against other fundamental rights such as the protection of property or the protection of human dignity. A balance is possible, as the Court previously said in the Promusicae case. But the Court here provides no guidance on how the balance should be struck.

Observers will also be disappointed that the Court did not address the fundamental defect raised by the Advocate General, ie. the absence in Belgium of a specific law targeting this kind of filtering. According to the Advocate General, the absence of a specific law constitutes a fatal flaw in the Belgium system, and made it unnecessary to move on to the balancing test.

The decision is an important one as it clearly sets the principles applicable to the implementation of filtering measures in accordance with European legislation. In this respect, it underlines the impossibility for national legislators and jurisdictions to impose general rules or injunctions on ISPs to monitor the electronic communications traffic which they convey. As such rights owners cannot necessarily look towards ISPs to provide a blanket against piracy – and indeed many would say this was clearly the intention of the E-Commerce Directive back in 2000. Many experts recognize the limitations of ISP filtering[6], and policy makers[7] increasingly want to involve a variety of Internet intermediaries, including ISPs, payment service providers, Internet advertising networks, Internet addressing firms and search engines in the fight against illegal content online.

While the SABAM decision can be interpreted as a step forward in favour of "net neutrality", it should still be noted that the ECJ does not rule out all types of filtering systems in principle. Thus it is not the end of the story for rights owners and indeed, it appears that certain filtering systems, if clearly defined and limited in time and in scope, could well be regarded as compliant with European legislation. Thus rights owners can and will continue to apply for and be granted injunctions under national law against intermediaries, such as ISPs, where their services are being misused by third parties to infringe. However, any such injunctions clearly must comply with and respect the limitations arising under EU law. Thus we can expect to see further litigation until we have clarity on the acceptability, scope and extent of filtering and monitoring in the EU.

The full judgment is available here

Ground breaking modification of the Spanish laws

gonzalo.gallego@hoganlovells.com (Gonzalo Gallego) — Thu, 01 Dec 2011 08:59:33 -0500

By Pablo Rivas in our Madrid Office

A decision last week by the Court of Justice of the European Union ("ECJ") introduces an important change to the Spanish data protection framework. Prior to the decision, Spain did not recognize the "legitimate interest" justification for the processing of personal data; "legitimate interest" was only applicable for the processing of data collected from public sources or where the "legitimate interest" was specifically provided for in Spanish or European Community law. As a result, companies had to rely on data subjects' consent as the way of carrying out the majority of the data processing in Spain.

The ECJ’s ruling may change this, although the actual impact of the decision is unclear. The ECJ concluded that the "legitimate interest" justification for the processing of personal data as set forth in the Data Protection Directive also should be available in Spain. However, the Spanish Data Protection Agency ("SDPA") issued a press release following the decision which stated that companies may not carry out processing of data exclusively based on their "legitimate interest," but will be required to balance both their "legitimate interest" and fundamental rights and freedoms of the data subjects involved in the data processing.

Based on the press release, it appears that the SDPA, at least at the beginning, will adopt a restrictive approach with respect the application of the "legitimate interest" justification, although it also is likely that the SDPA will have to revise some of its criteria for evaluating matters such as whistleblowing or geolocation services in which the Working Party 29 advocates for applying the "legitimate interest." We will keep you posted on developments.

The Ruling of the ECJ is published in English and can be found HERE

ISPs agree to 'five strikes' graduated response

winston.maxwell@hoganlovells.com (Winston Maxwell) — Wed, 30 Nov 2011 08:06:46 -0500

Hogan Lovells partner Daniel Brenner speculates on the impact of the July 2011 Memorandum of Understanding between major U.S. ISPs and content owners. The Center for Copyright Information (CCI) will be responsible for administering the new gradu ated response system, and for defining privacy standards that right holders and ISPs must apply. Will the mitigation measures promised by ISPs be effective in curbing copyright piracy? Will the MOU's limitation to P2P exchanges limit the system's effectiveness? Read the full story here.

FTC Announces Settlement with Facebook

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Tue, 29 Nov 2011 16:32:03 -0500

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office

The Federal Trade Commission (FTC) this afternoon announced a proposed consent decree with the prominent social network Facebook, settling allegations that Facebook violated Section 5 of the FTC Act by failing to live up to representations made to consumers regarding its privacy practices. The settlement imposes a series of measures that Facebook must undertake to better protect the privacy of its users, including the development of a written comprehensive privacy program. The FTC also required Facebook to obtain independent privacy compliance assessments initially and on a bi-annual basis for the next 20 years. Given the FTC's recent consent decrees with Google and Twitter and associated audit and record-keeping obligations, the FTC now effectively has regulatory oversight over the privacy and data security practices of the three most prominent social networking companies in the United States.

The FTC’s complaint (PDF) alleges that Facebook violated Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices, by repeatedly failing to live up to the privacy promises it made to its now approximately 750 million users. The complaint sets forth the following instances in which Facebook allegedly made unfair or deceptive promises concerning its privacy practices:

Deceptive Privacy Settings: Although Facebook informed users that they could “control who can see” their profile information by using privacy settings to restrict access to their profiles, these settings did not prevent certain third party applications from accessing users’ profile information.
Unfair and Deceptive Privacy Changes: Facebook made changes to its website that made public information that users previously designated as private, without adequate notice to the users (much like what was alleged in the Google Buzz consent decree).
Deception Regarding Application Access: Facebook represented to users that third-party applications would only be able to access such user profile information that was necessary to operate the application, but in some instances applications were given nearly unlimited access to users’ profile information.
Deception Regarding Sharing with Advertisers: Facebook promised that it would not share users’ information with third-party advertisers, but it provided advertisers with information about its users.
Deception Regarding “Verified Apps” Program: Facebook claimed that it verified the security of applications that sought certification through the “Verified Apps” program, but it took no steps to verify the security of a “Verified” application beyond those which it may have taken regarding any other application.
Deception Regarding Deletion of User Content: Facebook represented to its users that their profile information, including photos and videos, would be inaccessible upon the deletion of their accounts, but Facebook continued to allow third parties to access this content after the users’ accounts were deleted or deactivated.

The FTC’s enforcement action against Facebook is yet another example of the FTC’s ongoing effort to ensure that websites live up to the privacy promises they make to consumers. Jon Leibowitz, Chairman of the FTC, remarked that “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users,” and noted that the “FTC action will ensure” that Facebook’s innovations will not come at the expense of consumer privacy.

US-EU Safe Harbor Framework Violations

The alleged violations of Section 5 of the FTC Act also include a failure to comply with the substantive privacy requirements of the US-EU Safe Harbor Framework ("Safe Harbor"). The Safe Harbor is a voluntary framework that allows companies to transfer personal data from the EU to the US in compliance with EU law. Since at least 2009, Facebook has maintained self-certification with the Department of Commerce under the Safe Harbor program, under which it has declared its compliance with the seven Safe Harbor privacy principles in its public Privacy Policy and on the US Department of Commerce website. In its complaint, the FTC alleged that Facebook, due to the failure to live up to many of the representations it made about its privacy practices, failed to comply with the Safe Harbor principles of Notice and Choice that required it to inform individuals about all the purposes for which it collected their data and to give those individuals a choice about how their information would be used.

Terms of Proposed Settlement

Under the consent decree (PDF), the FTC bars Facebook from further misrepresenting its privacy practices and requires it to: (i) obtain opt-in consent from users prior to making changes that override their privacy preferences; (ii) ensure that a user’s information cannot be accessed by anyone after a reasonable period of time, not to exceed 30 days, following the user’s deletion of his or her account; (iii) establish and maintain a written comprehensive privacy program that addresses the privacy risks related to the development and management of new and existing products and services and protects the privacy and confidentiality of users’ information; and (iv) obtain audits performed by an independent, third-party professional every two years for the next 20 years certifying that it has a privacy program in place that satisfies the requirements of the FTC consent decree.

In advance of the FTC’s announcement, Mark Zuckerberg, founder and CEO of Facebook, today posted an entry on The Facebook Blog detailing the measures that Facebook will take to protect the privacy of its users. These measures include the creation of two new corporate officer roles: Chief Privacy Officer – Policy, and Chief Privacy Officer – Products. Zuckerberg stated that the new corporate officer positions “will further strengthen the processes that ensure that privacy control is built into our products and policies.”

Live Blogging from the IAPP Privacy Congress in Paris

christopher.wolf@hoganlovells.com (Christopher Wolf ) — Tue, 29 Nov 2011 03:15:28 -0500

Barbara Bennett, Stefan Schuppert, Winston Maxwell. Lionel De Souza and I are the Hogan Lovells lawyers participating in the IAPP Privacy Congress in Paris. I am moderating and participating in sessions on cloud computing with Bojana Bellamy of Accenture, and a panel on convergence with Lord Richard Allan of Facebook and Wendi Lozada-Smith of AT&T This entry contains a live blog from the opening session.

The Privacy Congress comes on the eve of the European Commission's proposal for revision of the EU privacy framework and the anticipated release of the Department of Commerce White Paper and FTC Report on privacy. So the future of privacy law is very much in focus.

The Chair of the Dutch Data Protection Authority and Chair of the Article 29 Working Party, Jacob Kohnstamm is the opening speaker.

The patchwork of laws across Europe requires a region-wide regulation to provide a level playing field and uniformity. This should be the focus of the upcoming proposal for revision from the European Commission of the legal framework.

The present norms, which are technologically neutral, should persist and be strengthened.

Given the increasing cross-border context of issues, the Article 29 Working Party will have to play a stronger role in interpretation and clarification. More frequent guidance on issues such as the definitions of "personal data" and "consent" will be needed, while still recognizing the independence of national Data Protection Authorities. Powers of DPAs need to be harmonized and strengthened, including the ability is enjoin data processing and to levy fines. Up to now, there have been no significant court judgments in terms of fines.

Article 29 Working Party needs a new name to reflect its true role and importance.

Data controllers need to ensure compliance and to demonstrate such compliance. Privacy should be first step when launching new products and services, not the last step. Privacy by Design and transparency are essential.

Companies should be able to seek guidance externally from privacy professionals just as they do with respect to competition law.

The Chairman went on to criticize Google, Facebook and the Online Behavioral Advertising industry for their interactions with DPAs and the Article 29 Working Party, and suggested that under the new regime, their conduct would have been different.

In the Q and A session, which became an especially lively exchange, Peter Fleischer of Google pointed out that changes to Google Buzz were made even before a letter of complaint from the Article 29 Working Party had been received,.

The Chairman re-assured a questioner that innovation is taken into account along with privacy when the Article 29 Working Party considers regulation. "We are paid to deal with privacy, however."

The main task of DPA is enforcement and not to sit with individual companies on what they should be doing, in an advisory capacity.

On the Global Privacy Enforcement Network (GPEN), the Chairman said the idea was for information sharing during enforcement actions, but he observed that the national restrictions on information sharing has not produced as much cooperation as envisioned, but the Commissioners are committed to working together more across borders.

The second speaker is Viviane Reding, Vice-President of the European Commission, responsible for Justice, Fundamental Rights and Citizenship.

I will share some of the contents of the forthcoming European Commission recommendations on the revision of the Data Protection framework: Codes of practice such as Binding Corporate Rules are not explicitly forseen in the current Directive but are recognized as a matter of practice by the Article 29 Working Party. One of the strengths of BCRs is legal certainty and flexibility. (Interesting that the primary focus here is on the BCR code of conduct concept, similar to the anticipated focus on codes of conduct by the US Department of Commerce in its White Paper.)

My reform plans for BCRs: Simplification -- Approval from each member state currently required, which is costly and an administrative burden. A waste of time and money, and sometimes detrimental to credibility and efficiency of DPAs. I propose that BCRs be based on EU law, with streamlined approval process and a single point of contact. Once approved by one DPA, not further approval needed. BCRs should be used by companies of any size, and should cover everything from paper-based filing system to cloud computing. Consistent Enforcement -- Enforcement should be possible by any DPA (unlike now where not all DPAs have enforcement power). DPAs and courts should be able to enforce. Innovation in Enforcement -- We need to encourage innovation in enforcement and embrace new technology. First, we need to consider geographical borders. Data controllers and subjects m realities. Data subjects, controllers and processors may be in different jurisdictions. BCRs should apply to all internal (inside the EU) and external (in the US, India, Asia and South America) processing. BCRs should apply both to data controllers and processors. This would extend to cloud computing.

BCRs will faciliate international interoperability.

We are in time so of difficult economic times and decisions. While bringing member states out of their debt crisis, we need to do everything to promote economic growth. I will do my utmost to ensure that data protection reform will both reinforce fundamental protection of individual rights and promote growth.

Ms. Reding did not take questions.

Geolocation services: a five country survey

winston.maxwell@hoganlovells.com (Winston Maxwell) — Mon, 28 Nov 2011 07:51:43 -0500

Hogan Lovells privacy attorneys examine the challenges of deploying geolocation services in five jurisdictions, including France, Spain, Germany, the United States and Hong Kong. Privacy laws in each jurisdiction differ, including on the definition of "personal data," and on the degree of user consent that is required. The article also examines the WP Art. 29 opinion 13/2011 on "Geolocation services on smart mobile devices." See the full article here.

Full Length Video of Cloud Computing and Privacy Session Available Through This Entry

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Tue, 22 Nov 2011 16:34:46 -0500

Hogan Lovells Privacy and Information Management practice leader Chris Wolf moderated a panel on cloud computing on Tuesday, November 15th in Washington, DC featuring government and industry leaders, as reported here. A blog entry by Susie Adams, Chief Technology Officer of Microsoft Federal, containing a full-length video of the session is available by clicking here.

FTC Extends Deadline for COPPA Comments from Nov. 28 to Dec. 23

bret.cohen@hoganlovells.com (Bret Cohen) — Fri, 18 Nov 2011 17:20:08 -0500

The FTC today extended to December 23 the deadline for public comments to its proposed revisions to the Children’s Online Privacy Protection Rule, which regulates the collection of personal information online from children under 13 under the Children’s Online Privacy Protection Act (“COPPA”). Back in September, we extensively summarized the FTC’s announcement of the proposed revisions, which contemplate several major changes to the existing COPPA regime including:

clarifying that the COPPA Rule applies not only to websites, but also to other technologies that can be considered “online services,” such as mobile apps, network-connected games, and some text messages;
a more expansive definition of “personal information” to include IP addresses, customer numbers held in cookies, device identifiers, the linking of information across websites, and geolocation information – all of which may impact companies’ behavioral advertising activities;
streamlining and clarifying the notices that operators must provide to parents about their information collection practices;
changing the existing parental consent mechanism by removing the popular “email plus” verification method and adding several new methods;
enhancing security provisions and requiring operators to ensure that third-party service providers to whom an operator discloses a child’s personal information have reasonable privacy and security procedures in place; and
changing the existing COPPA enforcement program to require “safe harbor programs” to exercise more oversight.

The previous deadline for the submission of comments was November 28.

Cross-Border Data Flows Free from Overly Restrictive Rules Touted by Industry and Government

christopher.wolf@hoganlovells.com (Christopher Wolf ) — Mon, 14 Nov 2011 13:43:22 -0500

At a time when leaders in the EU are poised to propose privacy rules that could well restrict the activities of US businesses, Google , Microsoft , Citigroup, IBM , GE and other major American companies have urged the United States to push for trade rules that protect the free flow of information over the Internet. In particular, the group's Report available here urges that countries avoid "digital protectionism," and the report specifically addresses security and privacy:

Security and Privacy. The business community supports the right of governments to ensure the safety, security and privacy of its citizens and recognizes that approaches may differ between countries and across sectors. At the same time, as in any measure affecting international trade, governments must be able to communicate clearly the rules, rationale and compliance procedures governing these interests to businesses and individuals and make certain that those procedures are not overly disguised restriction to international trade. For example, some countries have discriminated in favor of local businesses by selectively applying filtering regimes which degrade service; by mandating the use of domestic products or intellectual property; by requiring product certifications to be carried out locally; by rerouting traffic from global Internet brands to local competitors; or by applying their laws in a manner that discriminates against foreign suppliers or services. In addition, governments often work outside of established legal frameworks or processes when seeking commercial, financial or personal data, which raises a host of concerns about privacy, safety and security.

US Deputy Chief Technology Officer Danny Weitzner, in a similar vein, warned today in a speech to the US Chamber of Commerce that EU rules may be too stringent and that the Obama Administration will work to convince European regulators that voluntary but enforceable industry codes of conduct are the way to go. Also, the FTC today applauded the approval by the forum on Asia-Pacific Economic Cooperation (APEC) of a new initiative to harmonize cross-border data privacy protection among members of APEC designed to enhance the protection of consumer data that moves between the United States and other APEC members.

Reflections from Brussels on the Mexico City DPA Conference

hldataprotection@hoganlovells.com (HL Chronicle of Data Protection) — Fri, 11 Nov 2011 08:10:18 -0500

This entry comes from Elisabethann Wright, a Partner in our Brussels Office, who presented at the 33d International Congress of Data Protection and Privacy Commissioners in Mexico City last week. Elisabethhann focuses on EU law relating to life sciences, with particular emphasis on pharmaceutical law, medical devices, food law, and the environment. In Mexico, she drew upon her experience assisting clients in clinical trial agreements, adverse event reporting, product withdrawals and challenges to national authority and EU Institution decisions concerning classification and marketing of medicinal products and medical devices.

At the Mexico City gathering of international Data Commissioners, officials from a number of EU Member States expressed disappointment at the low levels of compliance with their data privacy obligations demonstrated by data controllers in their territory. One Data Commissioner estimated that a depressing 95% of data controllers failed to comply with their obligations.

One consequence of this failure will be an apparent change in approach by Data Commissioners. While Commissioners and their officials previously have sought to advise and support data controllers in understanding and fulfilling their role and obligations, the future approach, influenced at least in part by the ambivalence displayed by data controllers, will focus on compliance. Several Commissioners expressed an intention to make enforcement of obligations their priority in the future.

The possibility of a single approach to the protection and use of data generated in relation to clinical trials was the subject of my panel during the Congress. Similarities of approach evidently exist between territories in relation to some aspects of data privacy in clinical trials. This includes the nature and content of patient informed consent forms. However, the suitability of basing secondary investigation on initial informed consent varies widely, as do the restrictions imposed on transfer of clinical data from one territory to another. The possibility that a single acceptable approach to these issues could be found was discussed. However, the general consensus was that, at least from a legislative perspective, a single approach is unlikely to evolve in the near future.

Among the snippets of information demonstrating the evolution of official approaches to data collection that I gathered from the Congress was the fact that, when Neil Armstrong brought back soil and rock samples from the moon in 1969, he was required to complete an import form to bring them on to US territory. “One large step for mankind but still subject to regulation." Future uses of data to benefit mankind likely will be met with similar regulation, and as it appears from the comments of regulators meeting in Mexico, disregard and non-compliance will increasingly be met with enforcement.

Complimentary 11/15/11 Lunchtime Event on Cloud Computing Hosted by Microsoft Moderated by Hogan Lovells Privacy Leader

christopher.wolf@hoganlovells.com (Christopher Wolf ) — Thu, 10 Nov 2011 12:24:34 -0500

Hogan Lovells Privacy and Information Management practice leader Chris Wolf will moderate a complimentary lunchtime panel on cloud computing on Tuesday, November 15th in Washington, DC featuring government and industry leaders. Readers of the Hogan Lovells Chronicle of Data Protection are invited to attend and participate.

For a place at the event, please send an e-mail to the the address below dcrsvp@microsoft.com