& INFORMATION LAW UPDATE
The Safe Harbor program was created by agreement between the U.S. Department of Commerce and the European Commission in 1998 to bridge the gap between the U.S. approach to regulating privacy and the EUs more stringent approach, as embodied in the European Union Data Protection Directive1 (EU DPD). There are actually 2 Safe Harbors: the U.S-E.U. Safe Harbor, which applies to data transfers from E.U. countries to the U.S., and the U.S.-Swiss Safe Harbor, which applies to data transfers from Switzerland to the US. The Swiss framework encompasses the E.U. requirements. With the exception of a few countries2 that the E.U. has determined have adequate data privacy laws, transfers from the E.U. to countries other than the U.S. are subject to certain standard contractual clauses promulgated by the European Commission. These clauses are incorporated into model contracts that can be used by businesses that choose to do so.
E.U. Safe Harbor. In order to self-certify under the E.U. Safe Harbor, organizations must comply with the following 7 commonly accepted fair information principles that have been effectively codified into the Safe Harbor framework:
There are a several advantages for businesses that elect to participate in the Safe Harbor, including the relative practicality of its streamlined approach for complying with the E.U.s stringent privacy framework, and its natural fit for certain methods and types of data transfers.
Rather than being subject to the rules of various E.U. DPAs, participating organizations are subject to Federal Trade Commission (FTC) enforcement. FTC enforcement offers some measure of consistency for U.S. companies because it removes any requirements that they negotiate directly with individual E.U. member DPAs. Participating in the Safe Harbor also lowers costs by guaranteeing that almost all data protection claims by E.U. citizens against U.S. companies will be heard in the United States.
Safe Harbor Alternatives.
There are some alternatives to the Safe Harbor framework, including for cross border data transfers from the E.U. to a country other than the U.S. These alternatives include Model Contracts and Binding Corporate Rules.3
Model Contracts consist of a set of standard contract clauses for data protection that the European Commission requires in contracts between a company within the E.U. and a company or data processor outside the E.U. This approach subjects organizations that choose to use it to the governing law of the E.U. country from which the data is exported, as well as third-party beneficiary rules granting rights to the data subject, and specific notification, consent, and data security clauses.
The disadvantages of Model Contracts relative to the Safe Harbor framework include that the standard clauses cannot be modified. Some E.U. countries require filing the agreements with the DPA. In addition, certain changes involving the corporation or business processes, such as a merger, require that the agreements be updated to reflect that a result that could open the door to renegotiation of other terms.
A multinational corporation or a group of closely affiliated companies can, alternatively, take advantage of Binding Corporate Rules (BCRs) for intra-group transfers only. These rules must be binding on all parts of the company or companies in the group, regardless of their physical location and require approval by the DPA in each country from which the company wishes to transfer data (though some E.U. countries have agreed to recognize the decisions of certain other E.U. DPAs). The E.U. has released guidelines for what must be included in the BCRs that include a dozen rights that a data subject must be entitled to enforce, purpose limitations on collection and use of data, security measures, and regular audits.
The global economy poses privacy compliance challenges for companies of all sizes, raising significant legal risk and increased costs associated with cross-border data transfers. Businesses whose operations include such data transfers may want to consider the U.S.-E.U. Safe Harbor as a method of minimizing those risks and lowering compliance costs. Doing so may offer the additional advantage of enhancing an organizations ability to compete on the basis of privacy.
Companies Welcome Clarification of Indias Data Privacy and Security
U.S. companies had sounded alarms about application of the rules to outsourcing service providers, including data processing and customer call centers.4 These companies were particularly concerned about their ability to comply with a prior written consent requirement (including specified methods for obtaining consent). The companies also raised concerns that the rules appeared to apply to any information processed within India about anyone, anywhere in the world. For example, a data processing center in India, hired by a U.S. insurance company to process insurance claims, would need to obtain direct express consent from every client of the insurance company before the Indian company could process their claims. Companies claimed that such a scenario would increase compliance costs so significantly as to deter future outsourcing to India. In response, Indian officials indicated that they did not plan to enforce the rules against U.S. companies5 and subsequently published the clarifications described below.
MCIT clarified that a body corporate providing services relating
to collection, storage, dealing or handling of sensitive personal data
or information under contractual obligation with a legal entity located
within or outside India is exempt from the rules consent and
disclosure requirements. For example, an Indian data processing firm under
contract with an American credit card company to process financial transactions,
that involve sensitive personal information, would be bound by the contract
with the American company, including the security practices detailed therein,
as well as Indias new data transfer, and reasonable security practices
rules, but not the prior consent and disclosure sections of the new rules.
The clarifications do not alter the fundamental objective of rules, which is to protect personal privacy and preserves the framework contemplated by the IT Act. In furtherance of this objective the rules create the new data category, sensitive personal information, defined as: (1) passwords; (2) financial information such as Bank account or credit card or debit card or other payment instrument details; (3) physical, physiological and mental health condition; (4) sexual orientation; (5) medical records and history; (6) Biometric information; and (7) information related to these categories collected for processing, storage, or providing a service. The definition excludes any information that is freely available, accessible in the public domain, or furnished under Indias Right to Information Act, 2005.6
Together with the clarifications the rules require the following:
Changes to the FTCs regulatory review process could also impact your business and you may want to consider submitting comments that alert the agency about the possible impact of its regulatory review procedures on your business.
Data Collection. Before collecting sensitive personal information, covered entities must obtain consent, in writing or electronically, directly from the data subject for the particular purpose for which that information will be used. The data subject must be given notice of what information is being collected, why it is being collected, who is collecting the information, and to whom the information will be disclosed. The information may be retained only so long as necessary to achieve the purpose for which it was collected. Consent may be withdrawn.
Disclosure. Prior consent must be obtained from a data subject before disclosing his or her information to a third party; that third party is prohibited from further disclosing the information. Transfer of sensitive personal information by a body corporate to any other person or company, within or outside India, is permitted only so long as that third party complies with the Rules and either the individual consents to the transfer or the transfer is necessary to perform a contract between the individual and the company.
It should be noted that even when an Indian organization is exempt from the basic consent and disclosure rules, the rules, as clarified, continue to limit Indian companies from transferring sensitive data to individuals or organizations within or outside India if those organizations or Individuals do not ensure the same level of data protection as provided by these Privacy Rules.7 Therefore, though the MCIT clarification means that Indian companies that contract with foreign companies are exempt from the basic consent and disclosure rules, they may only transfer sensitive personal information with that foreign company if that foreign companys internal security practices provide similar data protections as the Indian rules.
U.S. outsourcing companies, including those that use Indian service providers, should be familiar with the rules, including the recent clarifications. Even if the rules can now be seen as generally not applying to companies outside India, they continue to impose restrictions on Indian companies seeking to transfer sensitive personal data to entities within or outside India if those companies fail to ensure the same level of data protection required under the rules.
In addition, U.S. outsourcing companies should review the terms of their agreements to ensure that they are structured in a way that minimizes compliance costs in light of MCITs guidance. These companies should closely monitor future developments including potential further clarifications or modifications, as well as modifications by European or other Data Protection Authorities to their privacy regulatory frameworks in light of the rules as clarified.
Information Technology (Reasonable security practices and procedures and
sensitive personal data or information) Rules, 2011, Gazette of India,
part II, section III(i) (Apr. 11, 2011), available at http://www.mit.gov.in/
Data Protection Authority Deals Blow to Social Advertising
Last month Johannes Caspar, the data protection supervisor in the German state of Hamburg, asked Facebook to disable its facial recognition feature or risk a fine.1 That feature scans photos uploaded by users to Facebook and, based on previously uploaded photos that have been tagged with peoples names, suggests names to tag the people in the new photo. The Hamburg DPA alleged that the feature violated the privacy rights of those tagged in the photo under German and European privacy laws, and could subject Facebook to a €300,000 fine. Facebook responded that the feature complies with German and European law, and that the person in the photo has the final say as to whether they wish to be tagged.
The data protection commissioner in the German state of Schleswig-Holstein, Thilo Weichert, subsequently ordered state offices and websites in Schleswig-Holstein to remove Facebooks Like button from their websites, claiming it violates German and E.U. data protection laws.2 This feature enables Facebook users who want to share a products content on Facebook to do so by clicking the like button. Liking content appears on a users friends newsfeeds and is typically construed as an endorsement of the product or brand. Mr. Weichert expressed concern that government websites, in particular, were passing on information about visitors to Facebook through the Like button and fan pages, and that Facebook was then building profiles of visitors to those government websites. Facebook denied this, claiming that while they do collect information such as the IP address of those who click on a Like button, that information is deleted within 90 days.
Facebook subsequently announced that it would sign a voluntary code of conduct. Such self-regulatory codes of conduct were in the process of being considered by German authorities. Nevertheless, on September 11, Germanys consumer protection minister, Ilse Aigner, released a statement that she had advised Germanys other ministers to avoid using Facebook and remove any Facebook buttons from government websites.3 In her letter to the other ministers, Aigner warned them not to use Facebook due to concerns with data protection and security. The consumer protection ministry followed the letter with a statement extending the warning to private companies.
Germany-based Businesses and those with German users currently using the complained of Facebook tools should pay close attention to developments at Germanys Ministry of Consumer Protection. Though Minister Aigners statements thus far have been merely advisory, it is clear that the Ministry anticipates taking more concrete measures regarding social media tools in the coming months. Websites operating in the German state of Schleswig-Holstein should take particular care, and implement the required changes by the end of September to avoid the imposition of fines or other sanctions.
Kevin J. OBrien, Germany Investigating Facebook Tagging Feature,
N.Y. TIMES, Aug. 3, 2011, http://www.nytimes.com/2011/08/04/technology/germany-investigates-facebook-tagging.html
The EU Cookie Law: Perfect Recipe for Consent Elusive While Laws
Implementation Remains Unclear
In 2002, the European Union (EU) enacted the EU Data Protection Directive1 (the e-Privacy Directive), which was intended in part to protect individual privacy arising from the online collection, processing and use of the personal data of EU citizens.
European website operators that are directed to EU users are subject to the Cookie Law. Websites that are located outside the EU and that are directed to EU users are probably also subject to the law. It requires that:
EU Member States were required to implement their own versions of the Law by May 25, 2011. That deadline has come and gone, and many EU countries have not yet done so. Some are currently considering legislative proposals.
The UK introduced implementing regulations in May but indicated that it will delay enforcement for a year while it works with browser manufacturers to create a new system for obtaining consent through browser settings an approach that is seen as being at odds with the Cookie Law. Despite delayed enforcement, UK officials have stated that companies must nevertheless begin implementing its requirements. The Information Commissioners Office (ICO), the UK enforcement authority has offered some guidance on how to obtain consent, including suggesting the use of pop-ups to prompt users to choose their preferences.
There has been considerable debate about what constitutes adequate consent under the Cookie Law, as well as concern that suggested methods will be disruptive for website users and add significant compliance costs for business.
A recent effort to promote an industry consent mechanism (part of an advertising industry self- regulatory code of conduct that enables advertisers to place an icon on targeted ads that users can click and be taken to a website that allows them to turn off such ads) was recently rejected by the Article 29 Working Party (the independent EU advisory body on privacy and data protection). The Working Party admonished that use of icons in place of statements or actions would not constitute valid consent under the Cookie Law because a chance to object to cookie tracking is not the same as a specific (verbal) opt- in. Moreover, icons attached to ads that link users to a website where they can learn about cookies and express preferences are inadequate since the Cookie Law applies irrespective of whether cookies collect personal data.
Other language in the Cookie Law appears to authorize the use of browser settings or other applications as valid means of obtaining consent, although the Working Party seems to have rejected this approach, too on grounds that the default is to accept cookies.
Adequate mechanisms for obtaining user consent will continue to be a primary focus of attention by both industry and regulators.
The lack of implementation of the Cookie Law by many EU member states along with ambiguities about the laws key requirements may cause businesses to wonder why bother? The recent pronouncement by the Article 29 Working Party that the advertising industrys self-regulatory code is not cookie law compliant can be seen as a signal by this influential body that simply ignoring the law should be seen as high risk.
Accordingly, businesses subject to the law should evaluate their current compliance strategies, including their data collection and use practices for adherence to commonly accepted the fair implementation principles. These principles are embodied in the Cookie Law and in other privacy regulatory frameworks in the U.S. and elsewhere. Other measures that can be taken now include:
Proposes Consumer Data Privacy Protection Regime
If adopted, the proposal would add another privacy law to the growing web of global privacy laws that businesses must contend with. Businesses would be required to seek prior consent in order to use personal data, such as identity card numbers, telephone numbers and physical addresses. Subject to certain exceptions, businesses would also be required to give consumers access to their personal data and the right to access and amend it. Interestingly, MICA proposes treating existing personal data as if consent was already obtained until the effective date of the proposal, after which new consent would be required for businesses seeking to use that data for purposes other than that for which it was initially collected.
In addition, a Data Protection Commission (DPC) would be established to oversee compliance and public education about data privacy. The DPC would have the authority to issue orders mandating remedial measures for certain types of violations and impose monetary penalties of up to $1 million for serious data breaches. The proposal also includes a Do Not Track registry.
Apart from protecting consumer privacy, a key objective of the proposal is to enhance Singapores status as a trusted hub for global data management and processing services consistent with other international frameworks for protecting privacy, such as the OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data and the Asia-Pacific Economic Cooperation Privacy Framework.
The proposal comes as a growing number of U.S. businesses seek to compete with foreign companies that already have a Singapore presence by establishing offices there.
proposal was issued as a consultation paper, which can be
MCIA is seeking public comments, which must be filed with MICA before
5 PM October 25, 2011.
|The U.S.: Privacy in the News|
Seeks Comment on Proposed Amendments to COPPA Rule
Changes would include:
In 2010 the FTC accelerated scheduled review of the rule to address mounting concerns about threats to childrens privacy posed by their adoption of rapidly evolving technologies, including accessing, viewing and interacting with content over mobile devices. During the review period the FTC expanded enforcement including applying the rule to such new technologies as mobile apps.
The FTC proposes the following changes:
Operators of childrens websites and other online services, including those operating over emerging platforms such as mobile apps, as well as general audience sites subject to COPPA, should closely monitor developments in this proceeding to anticipate how the proposed changes could affect their business and regulatory strategies.
Highlight New "Supercookies" Used to Track Web Activity for
The first report, Flash Cookies and Privacy, released in August 2009, examined the use of persistent Local Stored Objects (LSOs), more commonly known as Flash cookies, to track users despite the users attempts to protect their online privacy by taking such steps as deleting cookies. The findings in this report were the linchpin in class actions against some of the advertisers and websites that the report found to be using Flash cookies.
Clearspring, whose Addthis tool allows website visitors to share a websites content on social media and used Flash cookies to track people who visited websites with Addthis installed, was a named defendant in one of the actions. That lawsuit, along with a similar action against Quantcast, was settled this year, with the companies agreeing to not use LSOs in their products.2
The 2011 Report, along with additional work by Jonathan Meyer at Stanford,3 has similarly formed the basis for allegations in lawsuits against websites and advertisers who use the new supercookies and other forms of persistent trackers highlighted in the report. The report reviews how Flash cookie use has changed in the last year and identifies two additional supercookies, Cache-Cookies and HTML5 Local Storage. KISSMetrics, a web analytics company, and their now former client Hulu.com, were sued for privacy violations after the report noted their use of ETags, a type of cache-cookie.4
The common thread between the supercookies discussed in the 2011 Report5 is that each is more persistent and allows for greater data storage than standard HTTP cookies. Flash cookies and ETags respawn HTTP cookies after a user has deleted them or gone into private browsing mode to prevent cookie creation. (Private browsing is an option available in many Internet browsers, such as Internet Explorer and Firefox, which prevents websites from downloading cookies or storing new information in the cache after the browsing session ends). HTML5 storage does not respawn HTTP cookies, but where HTTP cookies automatically expire after some period of time, HTML5 storage does not expire and so it must be affirmatively deleted by the user to disable tracking. Flash cookies and ETags can be used to respawn HTML5 cookies, in addition to HTTP cookies.
Flash Local Storage Objects.
Flash LSOs, like other supercookies, are resistant to deletion as they are not deleted through the browser as one would do for standard HTTP cookies. The user is required to take additional steps to prevent tracking. Flash LSOs hold more data than HTTP cookies, enabling better tracking and can be used to respawn or recreate HTTP cookies that a user has deleted. Flash LSOs, the subject of the prior report, have decreased in use since the release of that report. Of the 100 sites investigated by the authors, 100 flash cookies were found, down from 281. Only two sites used flash cookies to respawn HTTP cookies.
Cache-Cookies and ETags.
Cache-cookies are not actually cookies. This method of tracking involves using the web browsers cache to associate information between a deleted cookie and a new cookie. ETags are generally used by websites to tell a browser whether the site has changed, and if not, to use the copy of the website stored in the browsers cache rather than downloading new data.
The report discusses how an ETag in a cached copy of a website can include a unique identifier. Even if a user deletes her cookies, when she returns to the website and downloads a new cookie, the ETag in the cached copy still exists and can give the website enough information to associate the new cookie with whatever data was collected via the old cookie. In this way, the old cookie is said to respawn. Also, if a user visits websites via his or her Internet browsers private browsing mode, this type of tracking is not prevented. Specifically, if a user visits a website while not in private browsing, information is stored in the cache and may then still be retrieved when later visiting the website in private browsing mode. The only way to prevent this tracking is to manually clear the cache prior to revisiting the website.
HTML5 Local Storage.
The Report concluded that HTML5 cookies raise privacy concerns because they never expire. Instead, the user is required to affirmatively delete the cookie. The storage capacity is also significantly greater than any of the other cookies mentioned here, as well as standard HTTP cookies. A number of sites also respawned HTML5 cookies using either ETags or Flash cookies and others used matching values for their HTML5 and HTTP cookies, which makes respawning and association between the cookies easier.
Companies wishing to take advantage of social advertising tools should take a close look at the tracking technologies employed by businesses offering those tools to make sure that the technology does not override consumer privacy preferences. One way to obtain assurance is to determine if these businesses comply with pertinent industry best practices and standards. As the lawsuits that rely on the findings of the researchers reports make clear, the plaintiffs bar does not distinguish between the companies that develop persistent tracking technologies and the businesses that use those technologies for legitimate business purposes.
Ayenson, et.al., Flash Cookies And Privacy II: Now With HTML5 And ETag
Respawning, 2011 (2011 Report)
Entered in FTCS First COPPA Action Involving Mobile Apps
This is the first case brought by the FTC involving mobile app. The settlement was reached as the agency was finalizing proposed changes to the COPPA rule. Those changes include extending the rules application to new and emerging technologies, including mobile apps. Businesses that operate child directed websites and online services, including over new platforms, should expect additional enforcement actions involving those platforms.
W3 Innovations develops mobile apps and games for the iPhone and iPod that it sells through Apples App Store. The apps that led the FTCs to file charges were listed in the Games Kids section of the App Store and included the Emilys Girl World app and Emilys Dress Up app. These apps allowed users to design outfits by dressing up virtual models and play games such as Cootie Catcher and Truth or Dare, which reward the player with stickers for a virtual sticker album. A website of W3 Innovations described their apps as something that younger girls and nostalgic adults might enjoy. The FTC concluded that the apps were directed at Children under the age of 13 by assessing their subject matter and presentation, the analysis it undertakes when evaluating whether general audience websites are directed to children.
Users of these apps were encouraged to email Emily and to share stories and outfits designed through the app with Emily by sending an email. The apps also linked to Emilys blogs, where users can submit comments by providing an email address and, optionally, their full name. W3 Innovations collected and maintained over 30,000 emails, including email addresses through emails from the apps and collected, maintained, and/or disclosed the personal information of almost 600 people who registered to comment on the blogs. W3 Innovations did not maintain or link to any online notice of their information collection, use, or disclosure practices through the Emily apps. And W3 Innovations neither provided notice to parents of their information collection and use practices nor obtained parental consent prior to collecting, using, and disclosing childrens personal information.
The settlement enjoins W3 Innovations from violating the COPPA Rule. On any website or app which is directed to children, or on which they have actual knowledge that they are collecting childrens information, W3 must (1) provide sufficient notice of what information they collect from children and how such information is used and disclosed, (2) provide direct notice to parents of what information they are collecting from children and how it will be used and disclosed, and (3) obtain verifiable parental consent before collecting, using, or disclosing any personal information from children.
In addition to this injunction, W3 Innovations must also delete all information collected in violation of the COPPA rule and pay a $50,000 civil penalty. The consent decree also requires additional monitoring and reporting. These include filing sworn statements detailing the their privacy practices, procedures for collecting and protecting information, the methods for obtaining parental consent, and other information on how their apps collect and use personal information.
With over 15 billion downloads from Apples App Store alone and $2.5
billion paid to app developers by Apple as of early July, the app industry
is continuing to grow at an extraordinary pace. This growth, combined
with increased use of smartphones and apps by children, make it increasingly
likely that the FTC will enhance its scrutiny of the app industry and
its compliance with the COPPA rule. This first enforcement action by the
FTC against an app developer highlights the importance of understanding
and complying with COPPAs additional information privacy rules when
selling and operating apps directed to children. If developers of childrens
mobile apps and games wish to collect personal information as defined
under the COPPA rule, including email addresses from their users, they
and obtain verifiable consent from parents.
Updates its Data Breach Notification Law
SB 24, which will take effect January 1, 2012, also requires that the notifying entity send an electronic version of the notice to the state Attorney General (AG) in instances where a breach affects more than 500 California residents. According to SB 24s sponsor, Joe Simitian (D-Palo Alto), this requirement is intended to enable law enforcement to see the big picture and better understand statewide patterns of identity theft. Businesses, agencies and individuals subject to the law and who use substitute notice provisions permitted under the current statute must also provide an electronic version of the notice to the states Office of Information Security or the Office of Privacy Protection. Organizations that are subject to HIPAAs HITECH breach notification requirements will be deemed to be in compliance with laws breach notice content requirements but must still comply with the AG notification requirement.
Since 2003, California law required covered entities and individuals to notify affected persons of a data breach. However, unlike other state data breach laws, Californias statute did not mandate what information the breach notices should contain or require that state authorities be notified of the breach. Previous bills that addressed these gaps were vetoed by Governor Browns predecessor.
SB 24 addresses these gaps by establishing the following standard content requirements, which must be written in plain language for required breach notices:
SB 24 also authorizes covered entities and individuals to include in the notices, if they wish to do so, information about measures taken to protect persons whose information has been compromised as well as steps affected persons may take to protect themselves.
|Copyright © 2010 St. Ledger-Roty Neuman & Olson, LLP.|