Privacy Law Blog

e-IDs: the Future of Secure Digital Identification?

Posted in European Union, International, Legislation

Over the past decade, the EU has made significant technological and legal strides toward the widespread adoption of electronic identification cards.  An electronic ID card, or e-ID, serves as a form of secure identification for online transactions – in other words, it provides sufficient verification of an individual’s identity to allow that person to electronically sign and submit sensitive documents such as tax returns and voting ballots over the Internet.  Many people see e-IDs as the future of secure identification since they offer the potential to greatly facilitate cardholders’ personal and business transactions, and the EU Commission has recognized this potential by drafting regulations meant to eliminate transactional barriers currently hindering the cards’ cross-border reach.  However, the increasingly widespread use of e-ID systems also gives rise to significant data security concerns. 

Countries including Spain, Italy, Germany, and Belgium already have adopted e-ID systems, and the precise mechanics of the systems differ from country to country.  In the Estonian system, for example, each e-ID carries a chip with encrypted files that provide proof of identity when accessed by a card reader (which a cardholder may purchase and connect to his or her computer).  Once the card is inserted into the card reader, the user inputs different PIN numbers to access the appropriate database and electronically sign e-documents.

In fact, as recently detailed in The Economist, the small Baltic country of Estonia has one of Europe’s most highly-developed e-ID systems and exemplifies the underlying potential of this technology. Around 1.1 million of the country’s 1.3 million residents have electronic ID cards, which they can use to take advantage of the country’s fairly advanced array of e-government offerings. Estonians can use their e-IDs to go online and securely file their taxes, vote in elections, log into their bank accounts, access governmental databases to check their medical records, and even set up businesses, among many other tasks. Estonia even has established an e-prescription system that permits doctors to order a refill by forwarding an online renewal notice to a national database, thereby allowing a patient to pick up a prescription from any pharmacy in the country simply by presenting his or her e-ID. The Estonian government also has announced a plan to start issuing cards to non-Estonians, so that citizens of other countries can easily set up businesses in Estonia or otherwise take advantage of that country’s many e-services. Estonia’s e-ID system thus illustrates how these cards can enhance convenience and save time that may otherwise be spent waiting in line to file documents in government offices, and they represent a significant step in that country’s efforts to brand itself as “e-Estonia.”

Naturally, the use of these cards to access such large quantities of personal data implicates important data security issues. Estonia assures its cardholders that their transactions are secure because each card’s files are protected by 2048-bit public key encryption, and because users need to enter multiple PIN numbers to access and use certain online services. To date, Estonia’s e-ID system has not suffered a major data breach. Nevertheless, the security of the system has been called into question by researchers who claim that Estonia’s e-voting process is vulnerable to manipulation by skilled hackers.

So what other factors may hinder the deployment of this technology, beyond the large upfront costs of developing an e-ID system and distributing e-ID cards? As mentioned above, the e-ID system requires the adoption of extensive data security measures to ensure the confidentiality of personal data. Furthermore, systems like those established by Estonia are so efficient in part because they draw on personal data – including health information – held within government databases. Citizens of other countries, such as those that have largely privatized medical systems like the United States, may be much more wary of government efforts to consolidate this type of personal information, even for the sake of efficiency. Other countries share similar concerns about governmental collection of personal information. When the U.K. government announced plans to issue ID cards linked to a national identity register, for example, opposition proved so fierce that the government abandoned its pursuit of the project. Denmark and Ireland also do not issue ID cards to their citizens.

Regardless of this opposition, the European Commission believes that e-IDs will facilitate business within the EU and is dedicated to removing many of the legal barriers hindering the implementation of this technology. As early as 1999, the Commission issued Directive 1999/93/EC, which provided a framework for the legal recognition of electronic signatures. And in 2012, the Commission issued its draft regulation on electronic identification and trust services for electronic transactions. The regulation set forth a mutual recognition scheme mandating that all member states recognize and accept electronic IDs issued in other member states for the purposes of accessing online services. The regulation would, for example, allow an Italian student attending a German university to pay her school fees online via the university’s German website by using her Italian e-ID.

In sum, e-IDs have the potential to simplify the lives of cardholders – but only if those issuing the cards are willing to take the appropriate security precautions and work to achieve mutual recognition of other countries’ IDs.

One year of Data Protection Enforcement in France: what the CNIL’s Activity Report 2013 Reveals and what to expect in 2014

Posted in International

According to the French Data Protection Authority’s (“CNIL”) recently issued activity report for 2013 (http://www.cnil.fr/fileadmin/documents/La_CNIL/publications/CNIL_34e_Rapport_annuel_2013.pdf), the CNIL was especially busy in 2013. The main topics addressed by the CNIL in 2013 were the creation of a national consumer credit database, the right to be forgotten, the right to refuse cookies, the proposed EU Regulation, and, of course, the revelations concerning the U.S. Prism program and the surveillance of European citizens’ personal data by foreign entities. The report also presents the main issues that the CNIL will tackle in 2014. Such issues include privacy in relation to open data, as well as in relation to new health monitoring apps or quantified self apps. The CNIL will also deal with “digital death” and, more specifically, with how to handle the social network profiles of deceased persons.

The CNIL’s report starts with what was the central issue in data protection throughout 2013, the U.S. Prism program and more generally any mass surveillance programs of European citizens by foreign entities. The CNIL created a working group on the related subject of long-arm foreign statutes which allow foreign administrations to obtain personal data from French and European citizens. Such statutes have various purposes (combating money laundering, corruption, the financing of terrorism, etc.) and lead to the creation of black lists. In addition, the CNIL addresses those subjects with the other Data Protection Agencies within the Article 29 Working Party.

Another important topic was the proposed creation in France of a centralized national register where all consumer credit lines opened by an individual would have been listed, in order to allow credit companies to verify an individual’s level of debt.  Indeed, consumer credit lines are fairly easily granted in France, and some consumers accumulate credit lines beyond their payment capacities and ultimately default in payment. The CNIL rendered negative advice on this register arguing that it breached the proportionality principle of the French law on data protection. Indeed, since only a small minority of people defaults, it considered that the collection and processing of data from all credit users was disproportionate. The register was nevertheless approved by the Parliament, but was immediately overruled by the French constitutional court in 2014, which, like the CNIL, considered that the register breached the right to privacy.

The CNIL also issued a recommendation in 2013 on how to obtain valid consent for cookies and any type of online tracking devices. The CNIL had initially interpreted consent for cookies (resulting from the e-privacy directive) as meaning explicit “opt-in” consent. But the CNIL finally backtracked and issued its 2013 recommendation allowing for opt-out consent, provided that website users are duly informed. In practice, the CNIL recommends the use of a banner on the website, stating that the site uses cookies and listing the purposes of the cookie. The user may click on the banner to refuse some or all cookies. But the banner provides that if the user continues to surf the website, he/she is deemed to have accepted the cookies (which is a form of opt-out consent). Some cookies, including those necessary for the functioning of the website or for security, do not require consent.

With regard to the CNIL’s auditing and sanctions in 2013, the CNIL remained committed to training, promoting awareness of data protection and issuing guidance for companies. Imposing financial penalties remains an exception. Statistics on the CNIL’s auditing and sanctions activities in 2013 demonstrate this quite clearly:

5640 complaints: Complaints to the CNIL were stable in 2013. The CNIL attributes this stability to its new guidance available on its website. This guidance deals with common issues such as video surveillance and direct marketing, and helps companies to comply, thus stabilizing the number of complaints to the CNIL.

414 audits: 75% of the CNIL’s audits in 2013 were of private companies, and 25% were of public administration. Many audits occurred after a complaint was filed with the CNIL (33% of the audits), but audits were also conducted at the initiative of the CNIL (27%) or following a previous sanction to make sure that the companies were now compliant (16%). Finally, 24% of the audits were devoted to sectors chosen by the CNIL: in 2013, companies dealing with open data as well as surveys were audited, and the social services administration was also audited.

14 decisions with sanctions: This includes 7 warnings and only 7 financial penalties.

For 2014, the CNIL has identified four major topics: open data, health data, and “digital death”. On open data, the CNIL will audit the current legal framework and will propose improvements. The CNIL itself wishes to open its data (rendered anonymous) to the public. With regard to health data, the CNIL will investigate the impact on privacy from apps and other tools (“quantified self”) that allow individuals to monitor their health and physical activity. The CNIL will address “digital death”, in particular how to deal with data of a deceased person. Finally, the CNIL will conduct audits in the penitentiary administration in order to verify whether the rights of prisoners to privacy are respected.

France Facilitates Implementation of Whistleblowing Systems

Posted in Data Privacy Laws

In France, before implementing a whistleblowing process, a company must inform and consult with its employees’ representatives, inform its employees and notify the French Data Protection Agency (CNIL).

There are two possible ways to notify the CNIL of a whistleblowing system:

  1. request a formal authorization from the CNIL (this is quite burdensome and difficult to obtain), or
  2. opt for the standard whistleblowing authorization (AU-004).

The standard whistleblowing authorization (AU-004) was enacted by the French Data Protection Agency in 2005 in order to facilitate notifying the CNIL of whistleblowing systems. As long as the company undertakes to comply with the principles and scope of the standard authorization, it is automatically authorized to implement the whistleblowing system. As enacted in 2005, the types of wrongdoings that could be reported through a whistleblowing system under the standard authorization were quite broad. Companies were authorized to adopt whistleblowing systems for purposes of regulatory internal control requirements, to comply with French law requirements and the United States Sarbanes-Oxley Act, and to protect vital interests of the company or the physical or psychological integrity of its employees.

However, in 2010, the CNIL had to modify the scope of the wrongdoings which could be reported when using a standard whistleblowing authorization pursuant to a decision of the French Supreme Court dated December 8, 2009 (see our post of December 15th, 2010: http://privacylaw.proskauer.com/2010/12/articles/data-privacy-laws/french-data-protection-agency-restricts-the-scope-of-the-whistleblowing-procedures-multinational-companies-need-to-make-sure-they-are-compliant/). In order to comply with the French Supreme Court decision, the CNIL narrowed whistleblowing reporting under the standard authorization to the following types of wrongdoings:

  • Accounting;
  • Finance;
  • Banking;
  • Anti-corruption;
  • Competition;
  • Companies concerned with the U.S. Sarbanes-Oxley Act, section 301(4); and
  • Japanese SOX of June 6, 2006.

The scope of the standard authorization was therefore very limited, requiring companies needing a broader scope of whistleblowing reporting to obtain a formal authorization from the CNIL and therefore to face the risk of a refusal.

From 2011 to 2013, given the scope limits of the standard authorization, the CNIL had to process a high volume of filings for formal authorizations to implement whistleblowing systems.

Given the increased volume of requests from companies, on January 30, 2014, the CNIL decided to modify the scope of application of the standard whistleblowing authorization (AU-004) once again, this time to widen it.

As a consequence, companies implementing whistleblowing systems in France within the following categories can benefit from the new standard authorization:

  • Finance;
  • Accounting;
  • Banking;
  • Anti-corruption;
  • Competition;
  • Discrimination and bullying at work;
  • Health and safety at work; and
  • Environment protection.

In its updated standard whistleblowing authorization, the CNIL also stated its preference against anonymous whistleblowing. Anonymous whistleblowing is allowed only if:

  • The facts are serious and the factual elements are sufficiently detailed; and
  • The treatment of the alert is subject to particular precautions such as a prior checking before it is sent through the whistleblowing process.

Landmark Supreme Court Ruling Protects Cell Phones from Warrantless Searches

Posted in Fourth Amendment

Special thanks to Tiffany Quach, 2014 summer associate, for her assistance in preparing this post.

On June 25, 2014, the Supreme Court unanimously ruled that police must first obtain a warrant before searching the cell phones of arrested individuals, except in “exigent circumstances.” Chief Justice John Roberts authored the opinion, which held that an individual’s Fourth Amendment right to privacy outweighs the interest of law enforcement in conducting searches of cell phones without a warrant. The decision resolved a split among state and federal courts on the search incident to arrest doctrine (which permits police to search an arrested individual without a warrant) as it applies to cell phones.

The case of Riley v. California as heard before the Supreme Court combined two cases, one involving a smartphone and the other involving a flip phone. In the first case, Riley v. California, the police arrested David Leon Riley, searched his smartphone, and found photographs and videos potentially connecting him to gang activity and an earlier shooting. In the second case, United States v. Wurie, Brima Wurie was arrested for allegedly dealing drugs, and incoming calls on his flip phone helped lead the police to a house used to store drugs and guns.

Roberts wrote that neither of the two justifications for warrantless searches – protecting police officers and preventing the destruction of evidence – applies in the context of cell phones. According to the Court, the justification of protecting police officers falls flat since data on a cell phone cannot be used as a weapon. Roberts was also not persuaded by concerns that criminals could destroy evidence through remote wiping. He pointed out that police have alternatives to a warrantless search in order to prevent the destruction of evidence, including: turning the phone off, removing its battery, or placing the phone in a “Faraday bag,” an aluminum foil bag that blocks radio waves.

The Chief Justice focused on the differences between modern cell phones and other physical items found on arrested individuals to support his argument that modern cell phones “implicate privacy concerns far beyond those implicated by the search of a cigarette pack, a wallet, or a purse.” He cited modern cell phones’ huge storage capacity and how they function as “minicomputers that…could just as easily be called cameras, video players, rolodexes, calendars, tape recorders, libraries, diaries, albums, televisions, maps, or newspapers.” Roberts also noted that data viewed on a phone is frequently not stored on the device itself, but on remote servers, and that officers searching a phone generally do not know the location of data they are viewing.

However, Roberts maintained that exigent circumstances could still justify warrantless searches of cell phones on a case-by-case basis. Such circumstances include: preventing imminent destruction of evidence in individual cases, pursuing a fleeing suspect, and providing assistance to people who are seriously injured or are threatened with imminent injury.

Roberts’ opinion is in line with the Court’s stance in the 2012 case United States v. Jones, which held that installing a GPS device on a vehicle and using the device to track the vehicle constitutes a search under the Fourth Amendment.

Justice Samuel Alito concurred in the judgment and agreed with Roberts that the old rule should not be applied mechanically to modern cell phones. However, he made two points that diverged from Roberts’ opinion. First, he disagreed with the idea that the old rule on searches incident to arrest was primarily based on the two justifications of protecting police and preventing destruction of evidence. Second, he wrote that if Congress or state legislatures pass future legislation on searching cell phones found on arrested individuals, the Court should defer to their judgment.

The Riley opinion recognizes the unique role that cell phones play in modern life (“such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude that they were an important feature of the human anatomy”) and that they “hold for many Americans ‘the privacies of life.’”

Singapore Issues New Regulations In Advance of Data Protection Law Entering Into Force

Posted in International

On July 2, 2014, Singapore’s new Personal Data Protection Act (the “PDPA” or the “Act”) will go into force, requiring companies that have a physical presence in Singapore to comply with many new data protection obligations under the PDPA. Fortunately, in advance of the Act’s effective date, the Singapore Personal Data Commission has recently promulgated Personal Data Protection Regulations (2014) (the “Regulations”) to clarify companies’ obligations under the Act.

Under the PDPA, an individual may request from an organization that is subject to the Act access to, and correction of, the personal data that the organization holds about that individual.  The Regulations clarify that the request must be made in writing and must include sufficient identifying information in order for the organization to process the request.  The Regulations also specify that the request for access or correction should be made to the company’s Data Protection Officer (which companies are now required to appoint under the Act).  Under the Regulations, an organization must respond to the request for access to personal data “as soon as practicable” but if it is anticipated that it will take longer than 30 days to do so, the organization must so inform the individual within that 30 day period.  

The Regulations confirm that individuals under the Act are entitled to expansive access rights: a company must provide them with access to all personal data requested, as well as “use and disclosure information in documentary form”.   If such is not possible however, the organization can provide the applicant with a “reasonable opportunity to examine the personal data and use and disclosure information.” 

Perhaps in an effort to reduce the burden and expense to organizations complying with an access request by an individual, the Regulations provide that an organization may charge an individual a “reasonable fee” to respond to an individual’s request for access to the personal data the company holds related to the individual, provided it has previously communicated an estimate of the fee to the applicant. 

The Regulations also contain a number of details regarding the transfer of personal data outside Singapore.  Specifically, the Regulations clarify that before transferring personal data to another jurisdiction, the transferring organization in Singapore must ensure that the recipient is “legally bound by enforceable obligations… to provide to the transferred personal data a standard of protection that is at least comparable to the protection under the Act.”

“Enforceable obligations” under the PDPA are similar to those under the European Union, and include the existence of a comparable data protection law, a written contract that provides for sufficient protections, as well as “binding corporate rules.”

The Regulations (together with recently issued Advisory Guidelines On Key Concepts In The Personal Data Protection Act (revised on 16 May 2014)) now provide much needed guidance in helping companies comply with their new data protection obligations under the Act.

No Class: Hulu Users Lose Certification Motion

Posted in Data Privacy Laws, Online Privacy, Privacy Litigation, Uncategorized

After a decision denying class certification last week, claims by Hulu users that their personal information was improperly disclosed to Facebook are limited to the individual named plaintiffs (at least for now, as the decision was without prejudice).

The plaintiffs alleged Hulu violated the federal Video Privacy Protection Act by configuring its website to include a Facebook “like” button.  This functionality used cookies that disclosed users’ information to Facebook.  But, the U.S. District Court for the Northern District of California credited expert evidence presented by Hulu that three things could stop the cookies from transmitting information: 1) if the Facebook “keep me logged in” feature was not activated; 2) if the user manually cleared cookies after his or her Facebook and Hulu sessions, or 3) if the user used cookie blocking or ad blocking software.

Court Holds That Prior Notice is Required to Record Cell Phone Conversations

Posted in California, Invasion of Privacy, Mobile Privacy

Last month, a federal district court in the Northern District of California issued an order that may affect the policies of any company that records telephone conversations with consumers.

The trouble began when plaintiff John Lofton began receiving calls from Collecto, Verizon’s third-party collections agency, on his cell phone.  The calls were made in error – Lofton did not owe Verizon any money because he wasn’t even a Verizon customer – but Lofton decided to take action when he discovered that Collecto had been recording its conversations with him without prior notice.  Lofton brought a class action against Verizon under California’s Invasion of Privacy Act, theorizing that Verizon was vicariously responsible for Collecto’s actions because Collecto was Verizon’s third-party vendor and because Verizon’s call-monitoring disclosure policy did not require the disclosure of recordings in certain situations. Verizon filed a motion to dismiss, arguing that the recordings did not invade Lofton’s privacy and therefore did not run afoul of the statute. 

The court denied the motion to dismiss, holding that the statutory language of § 632.7 of the Invasion of Privacy Act banned the recording of all calls made to cell phones – not just confidential or private calls made to cell phones – without prior notice.  The statute’s treatment of cell phones thus diverges from its treatment of landlines, as recordings of calls made to landlines only have to be disclosed via prior notice if the call is “confidential.” 

Though the case is ongoing, this ruling indicates that Lofton v. Verizon Wireless (VAW) LLC ultimately may have a significant impact on how companies interact with consumers over the phone. First, the prevalence of cell phones means that companies should assume that § 632.7 applies to a large percentage of their calls with consumers – not only because it is highly likely that these consumers use cell phones instead of landlines, but because it may be difficult for the company to tell whether these consumers are in California and subject to § 632.7. Second, this recent order indicates that companies may be held responsible for their third-party vendors’ lack of disclosure, meaning that companies should change their policies to require their third-party vendors to refrain from recording phone conversations without prior notice, and also monitor the vendors for compliance with this requirement. In sum, when it comes to providing prior notice of recordings to consumers, companies shouldn’t phone it in – they should ensure they and any third-party vendors err on the side of disclosure to avoid legal hangups down the line.

The French Data Protection Authority Fines Google for Breach of French Privacy Laws

Posted in Data Privacy Laws, European Union, Online Privacy

After two years of investigation and proceedings regarding Google’s privacy policy, European Data Protection Authorities (DPAs) are now reaching their final decisions against Google. The French DPA (“CNIL”) issued a decision on January 3rd, 2014, ruling that Google’s privacy policy did not comply with the French Data Protection laws and imposing a fine of €150,000 (http://www.cnil.fr/english/news-and-events/news/article/the-cnils-sanctions-committee-issues-a-150-000-EUR-monetary-penalty-to-google-inc/). Google has brought an appeal against the CNIL’s decision.

Second Circuit Ruling Opens Door to Telephone Consumer Protection Act Class Actions in New York

Posted in TCPA

Based on a December 3rd decision by the Second Circuit Court of Appeals, class actions under the Telephone Consumer Protection Act (TCPA) can now be brought in New York federal court. This decision marks a reversal of Second Circuit precedent, and will likely increase the number of TCPA class actions being filed in New York. Companies should review their telemarketing practices and procedures in light of the potential statutory penalties under the TCPA.

BBB Warns Advertisers and Web Publishers to Take Responsibility for Behavioral Advertising Disclosures

Posted in Behavioral Marketing

The Better Business Bureau (“BBB”) and the Direct Marketing Association (“DMA”) are in charge of enforcing the ad industry’s Self Regulatory Principles for Online Behavioral Advertising (“OBA Principles”), which regulate the online behavioral advertising activities of both advertisers and publishers (that is, web sites on which behaviorally-targeted ads are displayed or from which user data is collected and used to target ads elsewhere). Among other things, the OBA Principles provide consumers transparency about the collection and use of their Internet usage data for behavioral advertising purposes. Specifically, the “Transparency Principle” requires links to informational disclosures on both: (i) online behaviorally-targeted advertisements themselves, and (ii) webpages that display behaviorally-targeted ads or that collect data for use by non-affiliated third parties for behavioral advertising purposes. The “Consumer Control Principle” requires that consumers be given a means to opt-out of behavioral advertising.

Through its “Online Interest-Based Advertising Accountability Program”, the BBB recently enforced the OBA Principles in a series of actions—some with implications for publishers and some with implications for advertisers.

Jeremy Mittman Quoted by Law360 and Politico on International Privacy Matters

Posted in Articles

An article published by Law360 last week quoted Jeremy Mittman, co-Chair of Proskauer’s International Privacy Group and a member of the firm’s International Labor Group, on the data protection reform legislation recently passed by European Parliament and the difficulties multinational companies face to comply with both EU and U.S. privacy laws.

Jeremy was again solicited to comment on the EU-U.S. Safe Harbor Program in an article published by Politico on November 7.  The article mentions Jeremy’s experience drafting Safe Harbor certifications and EU model contracts.

Where do we stand on the territorial scope of EU data protection law following the recent European Parliament vote?

Posted in Data Privacy Laws, European Union, Legislation, Online Privacy

The determination of the territorial scope of the current EU Directive n° 95/46 is still under dispute both before national Courts and the European Court of Justice (ECJ). This issue may soon become moot with the adoption of future data protection regulation, which may modify and expand the territorial scope of EU data privacy law, especially following the results of the recent vote of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs. The following is meant to help determine the current state of affairs regarding the issue of the territorial (and extraterritorial) scope of the future EU law following this vote of the European Parliament.