Among its provisions, the TCPA makes it unlawful to “initiate any telephone call to any residential telephone line using an artificial or prerecorded voice without the prior express consent of the called party.” The statute also provides for the national Do Not Call registry and restricts the initiation of telephone solicitations to consumers’ telephone numbers that appear on this registry. The FCC has promulgated regulations implementing these restrictions, and the TCPA provides a private right of action to any “person who has received more than one telephone call within any 12-month period by or on behalf of the same entity in violation of the regulations” (emphasis added).

In federal cases in which the plaintiffs sought to hold the DISH Network LLC and EchoStar Satellite, LLC liable for alleged violations of the provisions mentioned above committed by third parties who were marketing those entities’ services to consumers, the courts sought the FCC’s opinion on two questions:

1. Under the TCPA, does a call placed by an entity that markets the seller’s goods or services qualify as a call made on behalf of, and initiated by, the seller, even if the seller does not physically place the call?
2. What should determine whether a telemarketing call is made “on behalf of” a seller, thus triggering liability for the seller under the TCPA?

In its lengthy response, the FCC clarified that while a seller does not generally “initiate” calls made through a third-party telemarketer within the meaning of the TCPA, it nonetheless may be held vicariously liable under federal common law principles of agency for violations of either provision that are committed by third-party telemarketers.

Key themes of the Report include:

• data sharing in the public sector;
• additional staffing and resources of the ODPC;
• complaints from individuals, in particular in relation to data subject access rights and direct marketing;
• increased data security breach notifications; and
• audit outcomes.

Data Sharing in the Public Sector

The ODPC accepts that data sharing can increase efficiency in the delivery of public services, but has long raised concerns regarding data sharing in the public sector. The Report details the ODPC’s extensive investigation of data sharing through the Department of Social Protection’s INFOSYS system, uncovering “a disturbing failure of governance in some of the public bodies investigated.” The Report emphasizes (1) the importance of proportionality, (2) that permitted data sharing must have a clear basis in law, a clear justification, strict access and security controls, and secure data disposal procedures, and (3) that only the minimum data necessary to achieve the stated public service objective may be shared.

Increased Resources 

Irish Data Protection Commissioner Billy Hawkes raised in the ODPC’s previous annual report the increased strain on the ODPC’s limited resources, which will likely be increased under the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). Under the Proposed Regulation, organizations with multiple European establishments will benefit from a lead supervisory authority where they have a “main establishment,” and organizations with only one European establishment will be regulated by a sole supervisory authority. Dublin has in recent years attracted a number of large multinational tech firms, including Facebook and Twitter, and there is speculation that further organizations will set up their sole or main establishments in Ireland ahead of implementation of the Proposed Regulation. Consequently the ODPC foresees increased regulatory oversight of multinational companies.

In response to Billy Hawkes’ request for additional resources, the Irish Government has announced a 20 percent increase in the ODPC’s budget and additional staff, including a Chief Technology Advisor, specialist legal advisor and additional administrative staff.

Complaints

The ODPC received 1,349 complaints which were opened for investigation during 2012, marking a new record and an increase of 16 percent compared to last year’s 1,161 complaints. 606 of the 1,349 complaints related to unsolicited direct marketing via SMS text messages, phone calls, fax messages and emails, and 442 complaints related to data subject access rights. The vast majority of complaints were resolved without the need for a formal decision, and only a total of 36 formal decisions were taken. The majority of enforcement notices related to data subject access rights.

Security Breach Notifications

During 2012, the ODPC received 1,666 personal data security beach notifications, up from 1,167 received last year. Since July 2011, telecommunication companies and Internet service providers (“ISPs”) have been required to notify data security breaches under S.I. 366 of 2011 (implementing the European E-Privacy Directive). In September 2012, two telecommunication companies were prosecuted for failure to notify.

The Report provides a breakdown of types of breaches and shows that the most common cause of a breach is postal mailing breaches (e.g., mailing information to the incorrect recipient). Theft of IT equipment and website security account for the two least common causes of personal data security breach notifications.

ODPC Audits

Under the Irish Data Protection Acts 1988 and 2012, the Commissioner is empowered to conduct privacy audits and inspections to ensure compliance with the Acts and to identify possible breaches. During 2012, the ODPC conducted 40 audits, representing an increase of 21 percent from the previous year. Audited organizations included Facebook Ireland, county and city councils, and a number of Irish banks. The ODPC’s follow-up audit of Facebook Ireland, completed in September 2012, found that the great majority of recommendations had been fully implemented, although full implementation of the ODPC’s recommendations had not been achieved in relation to new user education, deletion of social plug-in impression data for EU users, account deletion, and minimizing ad targeting based on sensitive personal data.

For more information on the Proposed Regulation, visit our EU Data Protection Regulation Tracker.

“I look forward to continuing to work with DPIAC and the DHS Privacy Office in its important mission. Protecting privacy continues to be a priority, particularly in light of ever-increasing security risks,” said Sotto.

Sotto deploys a team of partners, associates and other privacy and data security professionals reaching across the United States, Europe and Asia to address regulatory, enforcement and litigation risks, as well as threats to companies’ systems, personal data and confidential business information. Last month, the FBI Director’s senior cybersecurity adviser Paul M. Tiao joined Hunton & Williams as a partner in the Privacy and Data Security practice group and is based in the firm’s Washington, D.C. office.

Sotto was recently named to The National Law Journal’s “The 100 Most Influential Lawyers in America” list. Under her leadership, Chambers and Partners rated Hunton & Williams in “Band 1” for privacy and data security in its Chambers USA, Chambers Global and Chambers UK guides. Computerworld ranked the firm as #1 globally for privacy and data security in each of its four surveys of more than 4,000 corporate privacy leaders.

Read the full press release.

The existing Law on the Protection of Consumer Rights and Interests has been in effect for about 20 years, although there have been vigorous discussions in recent years about amending this law. Proposed amendments have gained momentum due to the frequent occurrences of illegal disclosures of consumer personal information.

The current law provides no mechanisms for preventing or addressing these events. For example, the current law does not contain any provisions that protect the personal information of consumers. The Proposed Amendment would address this omission by providing that:

• consumers are entitled to the protection of their personal information such as their name and image when purchasing goods or receiving services;
• when collecting and using consumers’ personal information, companies must (1) comply with the principles of legality, fairness and necessity; (2) expressly inform the consumer of the purpose, method and scope of such collection and use; (3) publish their policies on the collection and use of personal information; (4) comply with relevant legal requirements and consumers’ preferences; and (5) obtain consumers’ consent to the collection and use of the personal information;
• companies must keep consumers’ personal information confidential, and must not disclose, amend, destroy, sell or illegally provide the consumer personal information to others;
• technical and other measures must be taken by companies to secure consumer personal information, and any destruction or loss of such information must be mitigated; and
• companies are not permitted to send any commercial digital information to any consumer without the consumer’s consent or request, including when the consumer expressly rejects the provision of such information.

The foregoing provisions are not new, but are instead consistent with provisions previously established under the Resolution of the Standing Committee of the National People’s Congress Relating to Strengthening the Protection of Information on the Internet, which was enacted in December 2012. The Proposed Amendment appears to extend existing rules applicable to the Internet information services sector to the realm of consumer protection. Similar provisions have been in effect for several years at the provincial level under provincial consumer protection regulations.

We will provide an update when the final version of the Proposed Amendment is officially enacted by the National People’s Congress.

While the FTC did not officially analyze any of these companies’ practices, the letters demonstrate that the FTC will not delay enforcement for companies whose practices are not in compliance with the updated Rule by July 1, 2013. The FTC did mention, however, that it will exercise prosecutorial discretion in enforcing the Rule, particularly with respect to smaller businesses that have attempted to comply in good faith soon after the deadline.

View the text of the updated COPPA Rule and our previous post on the updated Rule.

The Administration’s proposal is not expected to expand the government’s legal authority to conduct surveillance. Title 18 of the Federal Code and the Foreign Intelligence Surveillance Act already authorize the government to obtain a court order for surveillance of wire, oral or electronic communications of serious criminal suspects and national security threats. Instead, the proposal likely will create strong financial incentives for companies (in particular webmail providers and social networking sites) to develop the intercept capabilities necessary to comply with such orders in a timely fashion. Under current law, such providers are only required to provide the government with technical assistance.

In the early 1990s, the government confronted an earlier version of this problem when the telecommunications industry was developing and implementing new digital cell phone technology. In response, Congress enacted the Communications Assistance for Law Enforcement Act (“CALEA”) in 1994. CALEA required “telecommunications carriers” to develop network intercept capabilities to isolate and deliver communications to the government. Over the years, through interpretation by the Federal Communications Commission, CALEA has been expanded to apply to facilities-based broadband Internet access and certain types of Voice over Internet Protocol (“VoIP”) services. However, CALEA still does not cover Internet-based communication modalities such as webmail, social networking sites or peer-to-peer services. The Administration’s proposal is expected to create incentives for providers of such services to be able to comply with court orders for electronic surveillance.

The Administration’s review of the FBI proposal has sparked a heated, public debate between law enforcement and the technology industry over competing considerations regarding national security, the desire to minimize any effect on the competitiveness and innovation of U.S. companies, and concerns that mandating intercept capabilities will create new cybersecurity vulnerabilities. As reported in Bloomberg, Paul Tiao, partner at Hunton & Williams and former senior counselor for Cybersecurity and Technology to the FBI Director Robert Mueller, said, “The challenge is how to develop a system that enables the FBI and law enforcement agencies to protect the country without undermining the competitiveness and innovation of Internet entrepreneurs.”

An interagency task force within the Administration has been examining ways to modify the FBI proposal to address the “going dark” problem without undercutting innovation or creating cybersecurity risks. According to news accounts, the FBI originally proposed to broaden the scope of CALEA to cover Internet communications service providers. In response to concerns that this change would undercut innovation, the FBI modified its proposal to target only those companies that previously have been served with a court order or have been warned by the government that they are likely to be served with one. Under this proposal, companies that are not likely to be served with an order (e.g., start-ups that have only a small number of users) would not be required to devote engineering resources and time to developing a wiretap intercept capability.

We will provide updated information as this issue develops.

The Report highlights a lack of understanding of the Proposed Regulation by UK businesses. Of the 506 businesses surveyed, 87 percent of respondents were unable to estimate the likely cost of complying with the requirements of the Proposed Regulation, and 82 percent of respondents were unable to quantify their current spending on data protection compliance.

The uncertainty surrounding the cost implications of the Proposed Regulation is an important issue. The European Commission has estimated net savings of €2.3 billion attributable to the Proposed Regulation; in contrast, the UK Ministry of Justice has forecasted that compliance with the Proposed Regulation would cost the UK between £100 million and £360 million per year. The Report suggests that the financial impact is in fact unknown, stating that “what is best for business” must be based on valid evidence, and that the reform is “too important for guesswork.”

The Report also reveals that many businesses in the UK already are voluntarily implementing some of the provisions that will become mandatory, such as the appointment of a data protection officer. According to the Report, the vast majority of respondents with over 250 employees already employ staff with a job position focused on data protection compliance, as do most companies that maintain more than 100,000 records and have a greater perceived risk of security breaches.

In the ICO’s news release on the Report, the ICO “urge[s] the European Commission to take on board what [the Report] says, and to refocus on the importance of developing legislation that delivers real protections for consumers without damaging business or lobbying regulators.”

For more information on the Proposed Regulation, visit our EU Data Protection Regulation Tracker.

The FTC noted that data broker companies that collect, distribute or sell consumer credit information are consumer reporting agencies (“CRAs”) under the FCRA. As CRAs, the data broker companies must verify the identities of their customers requesting the consumer information and ensure that these customers have a legitimate purpose for receiving the information.

As part of the test-shopping operation, FTC staff members posing as individuals or representatives of companies contacted 45 data broker companies seeking information about consumers to make decisions related to creditworthiness, eligibility for insurance and suitability for employment. According to the FTC, ten out of the 45 data broker companies appeared to violate FCRA requirements for CRAs. The FTC sent warning letters to the ten companies, which include 4Nannies, Brokers Data, Case Breakers, ConsumerBase, Crimcheck.com, People Search Now, U.S. Information Search, US Data Corporation and USA People Search. According to the FTC’s letters, the companies offered (1) “pre-screened” lists of consumers for making offers of credit; (2) consumer information for use in making insurance decisions; or (3) consumer information for employment purposes, without ensuring that that consumers’ information was protected.

The FTC issued the letters on May 2, 2013, in conjunction with an international privacy practice transparency sweep conducted by the Global Privacy Enforcement Network, which connects privacy enforcement authorities to promote and support cooperation in cross-border enforcement of privacy laws. The FTC’s letters are not official notices that the data broker companies are subject to FCRA requirements, nor are they formal complaints against the companies. Rather, these letters serve to remind the data broker companies to determine whether they are CRAs by reviewing their practices and how to comply with the FCRA if they are subject to its requirements. The letters come after the FTC had issued Orders to File Special Report in December 2012 to nine data brokerage companies, seeking information about how these companies collect and use personal data about consumers.