A brief rundown of developments in recent weeks in the area of EU data protection law:
EU Data Protection Regulation
On Monday, June 15, the EU Council (comprised, for purposes of data protection reform, of the justice ministers from each of the EU member states) reached an agreement on a draft data protection regulation, marking an important milestone in the ongoing effort to reform and modernize data protection law in the EU. (This development follows the European Commission’s publication of a proposed regulation in January 2012 and the European Parliament’s official agreement to a “compromise” version in March 2014.) Beginning this week, these bodies will begin negotiations to reconcile the three versions with a stated goal of promulgating a final regulation by the end of the year. The regulation will replace the 1995 Data Protection Directive and, once it comes into force, will apply directly in each of the EU member states, creating greater uniformity across the EU in respect of data protection standards.
Check back here next week for an overview of the key differences (and, thus, areas for negotiation) among the positions promulgated by the Commission, Parliament and Council.
As we recently reported, the US and EU continue to negotiate reforms to the US-EU Safe Harbor. It was announced earlier in June that progress is being made, and one EU official told the Wall Street Journal at that time that US officials were being given “another month” to address the EU’s concerns. As we’ve reported in the past, US government access to personal data appears to remain a sticking point.
Concurrent with these negotiations, the European Court of Justice (“ECJ”) also has been considering a broad challenge to the Safe Harbor in the case of Schrems v. Facebook Ireland Ltd. The plaintiff in that case has argued that, given the NSA/Snowden revelations, the Safe Harbor (upon which Facebook—like many other US-based companies—relies to transfer and hold users’ personal data in the US) could not provide adequate protection as a matter of EU law. The ECJ is considering, among other questions, whether a data protection authority can investigate an individual’s claim that the US does not adequately protect data transferred from the EU or whether it must accept as a matter of law that Safe Harbor compliance means data is adequately protected. The case has the potential to have far-reaching effects if the ECJ were to reach the merits of the sufficiency of the Safe Harbor program (as opposed to simply addressing whether the Irish data protection authorities may investigate and/or punting in light of the ongoing reform negotiations). An opinion was originally scheduled to be issued on June 24, 2015, but it was disclosed last week that the opinion will be delayed, and no new publication date has yet been announced.
**This post also appears on Proskauer’s International Labor and Employment Law Blog.**
On Thursday, the Digital Advertising Alliance (“DAA”) announced that it will enforce its previously issued “Application of Self-Regulatory Principles to the Mobile Environment” (the “Mobile Guidance”) beginning September 1, 2015.
Although the Mobile Guidance was initially issued in July 2013, enforcement was delayed pending the DAA’s implementation of an effective choice mechanism for the mobile environment. In February 2015, the DAA released two mobile tools for consumers – the “AppChoices” mobile application and the “DAA Consumer Choice Page for Mobile Web.”
The Mobile Guidance clarifies how the existing Self-Regulatory Principles for Online Behavioral Advertising and MultiSite Data (collectively, the “Self-Regulatory Principles”) apply to mobile web sites and applications. In particular, the Mobile Guidance addresses:
- privacy notice, enhanced notice, and controls (opt-out mechanism) for data collected from a particular device regarding application use over time and across non-affiliate applications (“Cross-App Data”);
- privacy notice, enhanced notice, and controls (opt-in consent) for data obtained from a device about the physical location of the device that is sufficiently precise to locate a specific individual or device (“Precise Location Data”); and
- transparency and controls (opt-in consent) for calendar, address book, phone/text log, or photo/video data created by a user that is stored on or accessed through a particular device (“Personal Directory Data”).
After September 1, any entity that collects and uses Cross-App Data, Precise Location Data or Personal Directory Data will be required to demonstrate compliance with the Mobile Guidance, or risk being subject to the DAA accountability mechanisms. The Mobile Guidance will be enforced by the Council of Better Business Bureaus (“CBBB”) and the Direct Marketing Association, the same two entities that have had oversight of the Self-Regulatory Principles since 2011. During that period the CBBB has issued 29 Accountability Program decisions regarding advertisers, ad publishers and ad networks.
This client alert was prepared by my colleagues Robert Leonard, Michael Mavrides and Christopher Wells.
On April 23, 2015, Washington State Governor Jay Inslee signed into law a bill strengthening the state’s data breach notification law (amending Wash. Rev. Code §§ 19.255.010 and 42.56.590 and creating a new section). H.B. 1078 makes the following substantial changes to the existing law:
- Under the current law, businesses and agencies that own or license computerized data including personal information about a Washington resident must disclose any breach in the security of the system involving such personal information that is unencrypted. H.B. 1078 expands this requirement to include:
- both computerized and hard copy data that contain personal information that is not “secured;” and
- encrypted information when the person gaining unauthorized access to the data had access to the encryption key or an alternative means of deciphering the “secured” data. The amendment also provides a standard for encryption.
In the largest ever data security enforcement action taken by the Federal Communications Commission (FCC), AT&T agreed to pay $25 million to resolve an investigation into consumer privacy violations at its call centers in Mexico, Colombia, and the Philippines. The FCC announced the settlement on April 8, 2015, stating that phone companies are expected to “zealously guard” their customers’ personal information and encouraging the industry to “look to this agreement as guidance.”
The past few years have seen exponential growth in the use of technology in the classroom, with applications ranging from the increased availability and use of e-books to the displacement of physical classrooms through Massive Open Online Courses (also known as MOOCs). One of the fastest growing segments of the education technology market relates to online educational services and applications, which are designed to track individual student progress and use the data gathered to deliver an individualized learning experience to each user. However, while online educational services and applications hold significant potential, the gathering of massive amounts of data has also sparked fears about what data will be collected, from whom, how it will be used, and whether, if at all, it will be deleted. This fear is especially prevalent when it comes to online educational services and applications targeted at children.
Last week, Australia became the latest country to pass a mandatory data retention law. The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015, which amends Australia’s Telecommunications (Interception and Access) Act 1979, requires telecommunications and Internet service providers (ISPs) to store customer metadata for two years. This means that Australian ISPs and telecom providers will have to store data associated with electronic communications, such as the names and addresses of account holders, the names of the recipients of any communications, the time and duration of communications, the location of equipment used to make the communication (such as cell towers), and computers’ IP addresses. Although the law does not require ISPs and telecoms to store the contents of customers’ electronic communications, metadata still can provide a picture of an individual’s identity, interests, and even location, which makes it of great interest to law enforcement and national security agencies seeking to prevent crime and terrorist attacks. Indeed, the law was promoted as a national security measure designed to give law enforcement access to information that could allow them to prevent terrorist attacks, but its opponents have decried it as a means to subject Australians to mass government surveillance.
The US-EU Safe Harbor has been back in the news recently as Germany’s data protection commissioners met at the end of January and expressed impatience at the delay in implementing what many view as necessary reforms to the program. The European Court of Justice also recently heard a challenge to Facebook’s reliance on the Safe Harbor for the transfer of user data in what many see as an important test case; this lawsuit will be the topic of a future blog post.
With the news of the recent cyber-attack and resulting data breach at health insurance giant Anthem Inc., the buzz around data security and privacy is again high. The Anthem breach serves as a reminder to those entities subject to the Health Insurance Portability and Accountability Act (HIPAA) that failing to keep protected health information secure and private can lead to serious consequences.
Data security is big news. And so is the Federal Trade Commission (“FTC”). Put the two together in a crucible of litigation, and it is sure to be a blockbuster. That is what the closely-watched case FTC v. Wyndham, now pending before the Third Circuit Court of Appeals, is shaping up to be.
To compile data for the report, the EU’s Article 29 Data Protection Working Party conducted a sweep of 478 of the most frequently visited websites in the e-commerce, media, and public sectors in eight EU Member States. The sweep targeted websites in these sectors because they likely pose the greatest risk to data protection and privacy for European citizens. The cookie sweep consisted of two stages: (1) a statistical review of cookies used by the websites and their technical properties; and (2) an in-depth manual review of cookie information and consent mechanisms. The study recorded each website’s cookie notification method, the visibility and quality of cookie information provided, and the mechanism offered for users to express consent.
On January 27, 2015, the Federal Trade Commission (the “FTC”) issued a report detailing best practices and recommendations that businesses engaged in the Internet of Things (“IoT”) can follow to protect consumer privacy and security. The IoT refers to the connection of everyday objects to the Internet and the transmission of data between those devices. According to Gartner estimates, IoT services spending will reach $69.5 billion in 2015. The potential benefits of IoT growth include enhanced healthcare through connected medical devices, convenience and cost savings through home automation, and improved safety and convenience through connected cars.