The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Leave a comment

What’s More Challenging? Establishing Privacy Class Action Standing, or Climbing Mount Kilimanjaro?

Two opinions recently issued from the Northern District of California have important implications for parties seeking privacy class actions. Both opinions highlight the evolving jurisprudence around establishing standing for consumer privacy lawsuits.

In re Apple iPhone Application Litigation

On November 25, 2013, Judge Lucy Koh granted Apple’s motion for summary judgment on all of plaintiffs’ claims in In re Apple iPhone Application Litigation, 11-MD-02250-LHK (N.D. Cal. Nov. 25, 2013). Plaintiffs alleged that Apple violated its Privacy Policy by allowing third parties to access iPhone users’ personal information. Based on those misrepresentations, plaintiffs claimed they overpaid for their iPhones, and that their iPhones’ performance suffered. Plaintiffs also alleged that Apple violated its Software License Agreement (“SLA”) when it falsely represented that customers could prevent Apple from collecting geolocation information by turning off the iPhone’s Location Services setting. Plaintiffs alleged that, contrary to this representation, Apple continued to collect certain geolocation information from iPhone users even if those users had turned the Location Services setting off. Based on the SLA misrepresentations, plaintiffs alleged they overpaid for their iPhones and suffered reduced iPhone performance. Plaintiffs argued that Apple’s alleged conduct constituted a violation of California’s unfair competition law (“UCL”) and the Consumer Legal Remedies Act (“CLRA”).

Judge Koh disagreed, finding that plaintiffs failed to create a genuine issue of material fact concerning their standing under Article III, the UCL, and the CLRA. Judge Koh held that plaintiffs presented enough evidence of injury—that plaintiffs purportedly overpaid for their iPhones and suffered reduced iPhone performance. Conversely though, Judge Koh held that plaintiffs could not establish that such injury was causally linked to Apple’s alleged misrepresentations. Judge Koh ruled that actual reliance was essential for standing. Accordingly, plaintiffs must have (1) seen the misrepresentations; and (2) acted on those misrepresentations.  Judge Koh noted that none of the plaintiffs had even seen the alleged misrepresentations prior to purchasing their iPhones, or at any time thereafter. Because none of the plaintiffs had even seen the misrepresentations, they could not have relied upon such misrepresentations. Without reliance, Judge Koh held that plaintiffs’ claims could not survive.

In re Google, Inc. Privacy Policy Litigation

On December 3, 2013, Judge Paul Grewal granted Google’s motion to dismiss in In re Google, Inc. Privacy Policy Litigation, Case No. C-12-01382-PSG (N.D. Cal. Dec. 3, 2013), but not based on lack of standing. The claims stemmed from Google’s change in its privacy policies. Before March 1, 2012, Google maintained separate privacy policies for each of its products, and those policies purportedly stated that Google would only use a user’s personally-identifying information for that particular product. Google then introduced a new privacy policy informing consumers that it would commingle data between products. Plaintiffs contend that the new privacy policy violated Google’s prior privacy policies. Plaintiffs also alleged that Google shared PII with third parties to allow third parties to develop apps for Google Play.

In assessing standing, Judge Grewal noted that “injury-in-fact has proven to be a significant barrier to entry,” and that establishing standing in the Northern District of California is akin to climbing Mount Kilimanjaro. Notwithstanding the high burden, Judge Grewal found that plaintiffs adequately alleged standing.

Plaintiffs alleged standing based on (1) commingling of personally identifiable information; (2) direct economic injury; and (3) statutory violations. With respect to the commingling argument, plaintiffs contended that Google never compensated plaintiffs for the value associated with commingling PII amongst different Google products. Judge Grewal rejected this argument, noting that a plaintiff may not establish standing by pointing to a defendant’s profit; rather, plaintiff must actually suffer damages as a result of defendant’s conduct.

With respect to plaintiffs’ allegations of direct economic injury, Judge Grewal held that those allegations sufficed to confer standing. Plaintiffs argued they suffered direct economic injuries because of reduced performance of Android devices (plaintiffs had to pay for the battery power used by Google to send data to third parties). Plaintiffs also argued that they overpaid for their phones and had to buy different phones because of Google’s practices. These allegations sufficed to establish injury. Based on Judge Koh’s opinion in Apple, one key issue in the Google case will likely be whether any of the plaintiffs actually read and relied upon Google’s privacy policies.

Finally, Judge Grewal found that standing could be premised on the alleged violation of statutory rights. This ruling is consistent with the trend in other federal courts. Though Judge Grewal ultimately dismissed the complaint for failure to state a claim, the opinion’s discussion of standing will be informative to both the plaintiff and defense bars in privacy litigation.

The Apple and Google lawsuits represent a fraction of the many lawsuits seeking to recover damages and/or injunctive relief for the improper collection and/or use of consumer information. Establishing standing remains a difficult hurdle for plaintiffs in consumer privacy lawsuits, though courts are increasingly accepting standing arguments based on statutory violations and allegations of economic injuries. The Apple decision is on appeal, so we will see if the Ninth Circuit sheds further light on issues of standing in privacy lawsuits.


1 Comment

Privacy and Data Protection Impacting on International Trade Talks

European Commission

The European Union and the United States are currently negotiating a broad compact on trade called the Transatlantic Trade and Investment Partnership (“TTIP”). While the negotiations themselves are non-public, among the issues that are reported to be potential obstacles to agreement are privacy and data protection. Not only does the European Union mandate a much stronger set of data protection and privacy laws for its member states than exist in the United States, but recent revelations of U.S. surveillance practices (including of European leaders) have highlighted the legal and cultural divide.

In an October 29, 2013 speech in Washington, D.C., Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, emphasized that Europe would not put its more stringent privacy rules at risk of weakening as part of the TTIP negotiations. She said in part,

Friends and partners do not spy on each other. Friends and partners talk and negotiate. For ambitious and complex negotiations to succeed there needs to be trust among the negotiating partners. That is why I am here in Washington: to help rebuild trust.

You are aware of the deep concerns that recent developments concerning intelligence issues have raised among European citizens. They have unfortunately shaken and damaged our relationship.

The close relationship between Europe and the USA is of utmost value. And like any partnership, it must be based on respect and trust. Spying certainly does not lead to trust. That is why it is urgent and essential that our partners take clear action to rebuild trust….

The relations between Europe and the US run very deep, both economically and politically. Our partnership has not fallen from the sky. It is the most successful commercial partnership the world has ever seen. The energy it injects into to our economies is measured in millions, billions and trillions – of jobs, trade and investment flows. The Transatlantic Trade and Investment Partnership could improve the figures and take them to new highs.

But getting there will not be easy. There are challenges to get it done and there are issues that will easily derail it. One such issue is data and the protection of personal data.

This is an important issue in Europe because data protection is a fundamental right. The reason for this is rooted in our historical experience with dictatorships from the right and from the left of the political spectrum. They have led to a common understanding in Europe that privacy is an integral part of human dignity and personal freedom. Control of every movement, every word or every e-mail made for private purposes is not compatible with Europe’s fundamental values or our common understanding of a free society.

This is why I warn against bringing data protection to the trade talks. Data protection is not red tape or a tariff. It is a fundamental right and as such it is not negotiable….

Beyond the TTIP talks, the divergence between European and U.S. privacy practices is putting new pressure on an existing legal framework, the Safe Harbor that was adopted after the enactment of the EU Data Protection Directive. A number of EU committees and political groups are either criticizing or recommending revocation of the Safe Harbor, a development that could significantly change the risk management calculus for the numerous companies which move personal information between the United States and Europe.


Leave a comment

California Continues to Expand Consumer Privacy Protections, Enacting Further Amendments to CalOPPA and the Data Breach Notification Law

On September 27, California Governor Jerry Brown signed into law two bills—both to take effect January 1, 2014—that expand the online privacy protections for California residents.  These two new laws were the second and third enacted during September, as the Governor signed a bill imposing restrictions on the advertising of certain products marketed to minors earlier that week, and demonstrate that the California legislature continues to prioritize consumer privacy by amending its legislation to reflect changes in the way websites collect, and consumers provide, personal information online.

“Do Not Track” Disclosures

The first bill, AB 370, amends the California Online Privacy Protection Act (“CalOPPA”) (Cal. Bus. & Prof. Code § 22575 et seq.), requiring that the privacy policy posted on all commercial websites include a disclosure explaining how the website operator responds to mechanisms, such as “Do Not Track” signals, that provide consumers with the ability to exercise choice regarding personally identifiable information collection over time and across third-party websites.

The new law states that website operators may satisfy this requirement by providing a clear and conspicuous hyperlink in the privacy policy that links to a description, including the effects, of any program or protocol the operator follows that offers consumers that choice, but defines neither the content of the disclosure nor “do not track.”

Data Breach Notification for Disclosure of Online Account Access Information

The second bill, SB 46, amends California’s data breach notification law (Cal. Civ. Code § 1798 et seq.), adding to the definition of “personal information” certain information that would permit access to an online account, and imposing additional disclosure requirements if a breach involves personal information that would permit access to an online account or email account.  Specifically, the legislation adds to the definition of personal information “a user name or email address, in combination with a password or security question and answer that would permit access to an online account.”   A breach of this information, if unencrypted, of any California resident would trigger the state’s data breach notification obligations.

In the case of disclosure of this type of personal information, however, a company will be permitted to notify affected California residents by alternative means.  If the breach involves no other personal information, a company may notify the affected resident in electronic or other form that directs the resident to change his/her password and security question or answer, as applicable, or to take other steps appropriate to protect the affected online account and all other online accounts with the same user name or email address and password or security question and answer.

However, if the breach involves the login credentials of an email account furnished by the company, it cannot provide notification to that email address, but may provide notice by:  (1) one of the methods currently permitted under the law for notification of a breach of unencrypted personal information; or (2) by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an IP address or online location from which the company knows the resident customarily accesses the account.


Leave a comment

Federal Trade Commission Announces Privacy Settlement with Myspace

The FTC has reined another tech giant, albeit a waning one, into a settlement agreement over alleged privacy violations. On May 8, the FTC announced a consent decree with Myspace LLC that forbids it from misrepresenting its privacy policies and requires it to institute a comprehensive privacy policy and submit to biennial audits for compliance for twenty years. This is the third settlement that the FTC has achieved with a major tech company in the social networking arena– the agency reached similarly structured settlement agreements with Google and Facebook last year.

The FTC’s Allegations

The FTC’s allegations stem from a gap between Myspace’s privacy policy and its practices from January 2009 until June 2010. In its policy, Myspace promised that it would not share a user’s personally identifiable information (defined as name, email, mailing address, phone number or credit number) without notice and user consent; that its means for delivering customized ads and sharing browsing data with advertisers; and that it complied with the U.S.-E.U. Safe Harbor framework for data protection.

However, when Myspace displayed ads from certain unaffiliated third parties to logged-in users, Myspace provided the advertiser or its affiliate with the viewer’s “Friend ID,” which is a persistent unique numerical identifier assigned to each Myspace user. This left third parties a few clicks away from accessing a host of other information about the user. For most users, the Friend ID could be used to get the users’ full name and any other information designated as public in the users’ settings. The public information could then be combined with additional information harvested by the advertiser’s tracking cookie and by any other means.

According the FTC, the representations that Myspace made in its privacy policies were thus false and misleading statements and constituted deceptive acts or practices in violation of Section 5 of the FTC Act. The agency also alleged that Myspace misrepresented its compliance with the US-EU Safe Harbor framework: to transfer personal data lawfully from the E.U. to the U.S., companies must self-certify that they meet certain privacy principles about collection and use of uder data, including Notice and Choice. According to the FTC, Myspace also misrepresented its compliance – although it did not make the offending statements about Safe Harbor compliance until December 2010, after the time period of its other deceptive practices.

Settlement Terms

The order forbids Myspace from misrepresenting its privacy practices, including collection, disclosure and third-party sharing, of all “covered information.” This includes a user’s name, address, e-mail address or chat screen name, phone number, photos and videos, IP address, device ID or other permanent identifier, contact list or physical location. Like the Google and Facebook settlements, the order requires Myspace to establish and maintain a comprehensive privacy program and submit to biennial assessments of its privacy programs by an independent auditor for 20 years. Myspace must also retain a plethora of related documents for five years, including all “widely disseminated statements” about Myspace’s privacy practices, complaints or communications with law enforcement about the order, or any documents that call into question Myspace’s compliance.

The 20-year timeframe, which has been the standard in FTC’s previous privacy consent decrees, has raised some snickers among commentators about Myspace’s longevity, given the site’s declining market share. Founded in 2003, the site was acquired by News Corp. for $580 million in 2005 and for a while dwarfed Facebook’s number of users. However, it was sold to Specific Media for $35 million last year and its number of unique users is less than half of its 2008 peak.

The agreement will be subject to public comment until June 8, after which the Commission will decide whether to make the proposed consent order final.

Links


Leave a comment

New Developments on Canadian Anti-Spam Law

The Canadian Radio-television and Telecommunications Commission (CRTC) has made and registered its Electronic Commerce Protection Regulations for the Anti-Spam Act (CASL), which is expected to come into force in 2012.  The newly released regulations set out the information to be included in, and the form of, commercial electronic messages (CEMs), and information to be included in a request for consent.  The regulations also address how to get consent for the installation of computer programs.

The CRTC has responded to a select few of the broad-ranging concerns raised by businesses on the draft regulations during last year’s consultation phase.  Businesses will find there is a bit more flexibility in the “must-have” information they set out in CEMs, and when they seek consent to send them.  This implicitly recognizes that:

  • businesses operating online are not all created equal:  they do not all have the same contact capabilities, in terms of either human or online resources; and
  • CEMs are are not all created equal:  an email may be easy (relatively speaking) to load up with prescribed information, but online communications come in many forms, and some are not as adaptable to detailed information and contact requirements.

The following points compare the final regulations to the draft regulations (the latter in parentheses).  When sending a CEM or seeking consent, businesses may do the following.

  • simply include the name by which they carry on business (rather than both that and their legal name);
  • include their mailing address, and either a staffed or voicemail phone number, email address or web address (rather than the physical and mailing address, plus all of the above, plus any other electronic address);
  • include the information in the above point on a website that “is readily accessible” (rather than via a single click);
  • use an unsubscribe mechanism that can be “readily performed” (rather than “performed in no more than two clicks or other method of equivalent efficiency”);
  • simply indicate that the person whose consent is sought can withdraw their consent (no need to indicate the means to do so).

Despite the above points of flexibility, there is no denying that the Act and regulations will impose much higher requirements for CEMs than many businesses are prepared for.  This notably includes U.S. businesses operating in Canada who are familiar with, and compliant with, CAN-SPAM.  As we explained in a previous post, CAN-SPAM and CASL are different in several very important ways.  CASL has a broader application, clear reach outside Canada, higher standard for consent, and higher penalties.

In short, any business sending CEMs to Canadians needs to become informed about the CASL requirements and take steps to become compliant.

Next Steps

Further regulations are expected from Industry Canada before CASL comes into force.

Businesses and industry associations have called on the government to introduce even more flexibility to reduce the impact of CASL on their operations, while still meeting the government’s anti-spam priorities.  One of the frequent “asks” has been for some lead time prior to entry into force CASL to allow businesses to prepare their databases and operations.  Others have requested that the government use its regulation-making authority to exclude certain types of CEMs, and CEMs sent under certain circumstances, from the requirements of the Act.

It remains to be seen whether the government will introduce new exceptions, or more flexibility, under regulations to come either before or after CASL comes into effect – expected later this year.


Leave a comment

White House Announces Privacy Policy Framework

The Executive Office of the President today released a 52-page framework document setting out the Obama Administration’s policies "for protecting privacy and promoting innovation in the global digital economy."  The policy framework includes four principal elements: A Consumer Privacy Bill of Rights, a multistakeholder process to agree how the principles in the Consumer Privacy Bill of Rights apply in particular business contexts, effective enforcement, and a commitment to increase interoperability with the privacy frameworks of international partners. 

The Administration acknowledges that existing United States privacy law and policy "effectively address some privacy issues" but adds that "additional protections are necessary to preserve consumer trust" in the online environment.  The framework therefore calls for consumer data privacy legislation, under which the FTC and State Attorneys General would have authority to enforce the Consumer Privacy Bill of Rights.

The baseline protections – described as "privacy principles recognized throughout the world" – established in the Consumer Privacy Bill of Rights are:

Individual Control: Consumers have a right to exercise control over what personal data companies collect from them and how it is used.

Transparency: Consumers have a right to easily understandable and accessible information about privacy and security practices.

Respect for Context: Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which they provide the data.

Security: Consumers have a right to secure and responsible handling of personal data.

Access and Accuracy: Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is accurate.

Focused Collection: Consumers have a right to reasonable limits on the personal data that companies collect and retain.

Accountability: Consumers have a right to have personal data handled by companies with appropriate measures in place to assure that they adhere to the Consumer Privacy Bill of Rights.

Going forward, the Administration encourages privacy stakeholders, including the private sector, to implement the Consumer Privacy Bill of Rights through the auspices of the Commerce Department; it also commits to work with Congress to "write these flexible, general principles into law."


Leave a comment

Comparing CAN-SPAM to Canada’s new Anti-Spam Law

Those who operate or have customers in the U.S. market, are already familiar with the requirements of the 2003 CAN-SPAM Act. If your operations or customers extend into Canada, however, there are new Canadian Anti-Spam rules you need to know. Why? Because these new rules will impact how you engage in online communications in Canada, starting in early 2012.

The SlideShare presentation linked below provides an overview of the key differences between Canada’s new Anti-Spam Law, CASL, and CAN-SPAM. Here are a few:

• Broader application: CASL also applies not only to e-mail, but also to IM, text and more. It also covers more activities, including the installation of computer programs.

• Clear reach outside Canada: CASL expressly applies to messages “accessed from a computer system in Canada”. This means that a message can be sent from outside Canada.

• Higher standard for consent: “Opt-in” consent for CASL versus “Opt-out” for CAN-SPAM.

• Higher penalties: $10 million maximum penalty for an organization that contravenes CASL.

The implications of this:

More online activities will be caught by CASL.

• More activities affecting Canadians will be caught by CASL, even if initiated outside Canada.

More steps will be needed under CASL to be permitted to communicate online.

Overall, there is greater exposure to liability under CASL.

Learn more about CASL, including what steps to take now to avoid liability:

www.slideshare.net/fmclaw/casl-vs-canspam-canadas-antispam-law


Leave a comment

59th Antitrust Law Spring Meeting: National Privacy Policies as Barriers to Entry in International Competition

As the last day of the ABA Antitrust Law’s Spring Meeting wraps up, this morning’s panel, "National Privacy Policies as Barriers to Entry in International Competition" discussed differences in international law and approaches to privacy internationally.

Panelists include Ronald D. Lee, Arnold & Porter LLP, Kim Alexander-Cook, nNovation LLP, Sarretta McDonough, Gibson Dunn & Crutcher LLP, and Hugh Stevenson, Deputy Director for International Consumer Affairs, Federal Trade Commission.  Aryeh Friedman, Pfizer Inc., was the session chair.

Continue reading


Leave a comment

U.S. Department of Commerce Publishes “Green Paper” on Privacy

The U.S. Department of Commerce Internet Policy Task Force published on December 16, 2010 its “Green Paper” on privacy. Entitled “Commercial Data Privacy and Innovation in the Internet Economy: a Dynamic Policy Framework” (the “Framework”), it recommends considering a new framework for addressing online privacy issues in the United States. While the Framework does not express a commitment to specific policy proposals, it identifies and discusses areas of policy and possible approaches.

Gary Locke, Secretary of Commerce wrote in the foreword to the Framework that “protect[ing] the tremendous economic and social value of the Internet without stifling innovation requires a fresh look at Internet policy.” Indeed, the Framework notes that the world has much changed in the last 15 years, as new devices such as personal computers and mobile phones have transformed both the economy and people’s social life. Ninety-six % of working Americans use the Internet as part of their daily life, and sixty-two % of Americans use the Internet as an integral part of their jobs (p.14). Uses of personal data have multiplied, but privacy laws have not kept up with these changes.  

Online retail sales accounted for over $140 billion in retail sales for U.S. companies in 2009 (p.14). But consumers are concerned about their privacy, and thus companies not protecting the privacy of their customers may very well lose them. Consumer expectations that the personal data collected by companies ”will be used consistently with clearly stated purposes and protected from misuses is fundamental to commercial activities on the Internet” (p.15).

The Framework includes policy recommendations under four broad categories:

1. Enhance Consumer Trust Online Through Recognition of Revitalized Fair Information Practice Principles (FIPPs)

The Framework notes that, “from the consumer perspective, the current system of notice-and-choice does not appear to provide adequately transparent descriptions of personal data use which may leave consumers with doubts (or even misunderstandings) about how companies handle personal data and inhibit their exercise of informed choices” (p.22). Under a Notice-and-Choice model, “consumers ‘privacy rights depend on their ability to understand and act on each individual privacy policy” (p. 31), which may prove an overwhelming task.

The first recommendation of the Framework is to recognize a full set of Fair Information Practice Principles (FIPPS) as a foundation for commercial data privacy. A FIPPS-based framework would promote transparency and clarity and would also “protect the privacy of personal information in commercial contexts not covered by an existing sectoral law.” Such framework would serve as a “the basis for recognizing expanding interoperability between U.S. and international commercial data privacy frameworks” (p. 22). It would also foster compatibility in privacy protection across industry sectors (p.24).They would do so by filling gaps in current data privacy protections. The Department of Commerce would not develop comprehensive and prescriptive rules (p.32).

Such framework would leave in place existing sectoral laws. Recommendation #8 of the Framework states that “A baseline commercial data privacy framework should not conflict with the strong sectoral laws and policies that already provide important protections to Americans, but rather should act in concert with these protections”(p. 58).

2. Encourage the development of voluntary, enforceable privacy codes of conduct in specific industries through the collaborative efforts of multi-stakeholder groups, the Federal Trade Commission, and a Privacy Policy Office within the Department of Commerce

As the mere development of FIPPSs is probably not enough to provide sufficient privacy protection, the Framework also recommends creating voluntary codes of conduct that would promote informed consent and safeguard personal information.

 

The government can also play a role by coordinating and encouraging the stakeholders. For doing so, the Framework recommends establishing a Privacy Policy Office (PPO) in the Department of Commerce, which would be both a convener of diverse stakeholders and a center of the Administration’s  commercial data privacy policy expertise (p.45). A flow chart on the”Creation and Operations of Proposed Privacy Policy Office” is available on p. 48 of the Framework.

 

It would focus exclusively on commercial data privacy. The PPO would work with the FTC to develop voluntary but enforceable codes of conduct, as, in some contexts, FIPPS might not be sufficiently protective (p. 41).Companies would voluntarily adopt such codes of conduct, but this commitment would be enforceable by the FTC. There would be a safe harbor for companies that commit and adhere to “an appropriate voluntary code of conduct” (p.43).

 

3. Encourage Global Interoperability

 

The lack of cross-border interoperability in privacy principles and regulation creates barriers to cross-border data flow, and companies have to bear a significant compliance cost. If global interoperability of data privacy approaches would be improved, it would have a positive effect on U.S. services exportations and thus would benefit the U.S. economy (p.14).

 

The Framework notes that disparate privacy laws have a growing impact on global competition, and “disparate approaches to commercial data privacy can create barriers to both trade and commerce, harming both consumers and companies” (p. 53). Because of the differences both in form and in substance between the U.S. and other privacy laws, it is increasingly complicated for companies to provide good and services in global markets. Since the European Union and others countries trading with the U.S. have adopted omnibus privacy laws, companies must thus demonstrate that their privacy practices adequately comply with the U.S. The U.S. must renew its commitment to leadership in the global privacy policy debate by developing an online privacy framework “that enhances trust and encourages innovation.”

 

In order to do so, and also to generally decrease regulatory barriers to trade and commerce, the U.S. Government should work with its allies and trading partners “to promote low-friction, cross-border data flow through increased global interoperability of privacy frameworks” (p.7). Privacy laws around the world have substantive differences, yet these laws “are frequently based on the same fundamental values” (p.7). The U.S. should work with its allies to find practical means of bridging differences. The U.S. should also continue to support the APEC Data Privacy Pathfinder Project initiated in 2007 by the Asia Pacific Economic Cooperation. It is a set of collaborative projects taken on by APEC member-economies to develop and test the essential practical elements of a system that would enable accountable cross-border data flows under the guidance of APEC data privacy principles, and its endorsement should be secured during the 2011 APEC year, which will be hosted by the U.S.

 

4. Ensure Nationally Consistent Security Breach Notification Rules

The Framework recommends that a federal commercial data security breach notification be enacted. This federal law would set national standards, and addresses how to reconcile inconsistent State laws, as the difference between the different State laws comes with an undue cost to U.S. businesses, as they “must comply with several dozen variations on the same theme” (p. 57). This federal law would not, however, preempt other federal security breach notification laws. Both the FTC and State authorities would have authority to enforce the law.


Leave a comment

Will the U.S. have soon a Data Protection Commissioner?

The Wall Street Journal reported last week that the Obama administration plans to introduce soon new Internet privacy legislation. The Wall Street Journal also reported that the administration will create a new position to oversee these efforts, which should be announced in the next few weeks, when a much anticipated U.S. Department of Commerce report on privacy will be published.
The White House National Science and Technology Council already announced last month the launch of a new Subcommittee on Privacy and Internet Policy. Its members will be representatives from more than a dozen Departments, agencies and Federal offices, and will be co-chaired by Cameron Kerry, the Department Commerce General Counsel, and by Department of Justice Assistant Attorney General Christopher Schroeder. The co-chairs wrote: “[r]ecognizing the global nature of the digital economy and society, the Subcommittee will monitor and address global privacy policy challenges and develop approaches to meeting those challenges through coordinated U.S. government action.”
According to the Wall Street Journal article, this Subcommittee should help to implement the Department of Commerce’s recommendations into policy. Although the proposals of the Department of Commerce privacy report are not yet known, one may gather some clues from Mr. Kerry’s remarks last month, when he was one of the panelists at the OECD 30th Annual Privacy Guidelines Conference in Jerusalem. He stated that “the time has come to adapt the legal and policy framework and avoid fragmented, inconsistent, and unpredictable rules that frustrate innovation and undermine essential consumer trust.”
Should this be interpreted as a U.S. commitment to have a comprehensive internet/data privacy law? Currently, the U.S. privacy laws are diverse, and legal remedies stem from federal laws, state laws, common law, and case law. Mr. Kerry was careful to add that “[b]uttressing these [privacy] laws and legal remedies is a robust system of industry self-regulation, combined with informal agency guidance and enforcement by the Federal Trade Commission and state attorneys general. Taken together, these strands weave a fabric of privacy protection as strong in practice as any omnibus system.”
Will the U.S. soon have a Data Protection Commissioner, as most Western nations do? If so, it will be interesting to find out how the new Data Commissioner will share his responsibilities with the Federal Trade Commission. Mr. Kerry stated that “[a] federal privacy office would help our efforts to bolster the role of privacy policy and urge greater privacy by design. Such an office would work closely with the FTC, while respecting its status as an independent enforcement authority.” However, the Wall Street Journal reports that the Republicans are unlikely to support a bill which would expand the Federal Trade Commission’s enforcement powers.
European Union Data Protection Commissioners have struggled in the past because of lack of enforcement powers. As the European Union may soon expand criminal penalties to enforce data protection, the U.S. will need to decide whether a comprehensive Internet privacy legislation and a Data Protection Commissioner with the power to enforce it, is the route that needs to be taken to preserve consumers’ trust in the Internet, while promoting electronic  commerce, cultural and social exchange on the Internet.