• Truthful Advertising:
  • Tell the Truth About What Your App Can Do
  • Disclose Key Information Clearly and Conspicuously
• Privacy:
  • Build Privacy Considerations in From the Start
  • Be Transparent About Your Data Practices
  • Offer Choices that are Easy to Find and Easy to Use
  • Honor Your Privacy Promises
  • Protect Kids’ Privacy
  • Collect Sensitive Information Only with Consent
  • Keep user Data Secure

These guidelines appear to be only a start.  We will continue to monitor this area as it is likely the FTC will have more to say on mobile privacy and advertising in the future.   

In 2005, a hacker used the local wireless network at one of plaintiff DSW’s stores to hack into its main computer system and download customer credit card and checking information, pertaining to over 1.4 million customers of 108 stores.  The hacker used the credit card information to engage in fraudulent credit card transactions.  Unsurprisingly, plaintiff incurred significant expenses as a result, paying over $5.3 million for customer communications; public relations efforts; customer claims and lawsuits; attorneys’ fees in connection with state and federal investigations; and, most significantly, fines imposed by Visa and Mastercard.  Plaintiffs paid the two credit card companies over $4 million as a result of the data breach and aftermath.

Plaintiff sought coverage from its insurer, defendant National Union Fire Insurance Company of Pittsburgh, PA (“National Union”).  National Union denied coverage, asserting that the loss was excluded under the computer fraud rider because it was related to the theft of confidential customer information.  Moreover, National Union asserted that plaintiff’s loss did not qualify as a loss “resulting directly from . . . the theft of any Insured property by Computer Fraud,” as required by the policy. The District Court in Ohio granted summary judgment to the policyholder for the amount of the loss plus interest, including the fines paid to Visa and Mastercard due to the data breach.  The District Court rejected plaintiffs’ bad faith claims.  The Sixth Circuit affirmed the District Court opinion in its entirety.

In affirming the District Court, the Sixth Circuit found that a commonly used, broadly worded exclusion for proprietary and other confidential information did not apply to the loss in this case.  The coverage exclusion provided that “Coverage does not apply to any loss of proprietary information, Trade Secrets, Confidential Processing Methods, or other confidential information of any kind.”  The Court agreed with the District Court’s finding that even if the copying of customer information qualified as a “loss,” it was not a loss of “proprietary information . . . or other confidential information of any kind.”  The Court interpreted the definition to include only “confidential information” of DSW’s involving the way in which its business is operated.  Moreover, the stolen credit card and checking account information was not proprietary because it was owned or held by many entities, including the customers, financial institutions, and merchants involved in the stream of commerce.  The Court concluded that the term “other confidential information of any kind” did not mean all information belonging to anyone that is expected to be protected from unauthorized disclosure, because that interpretation “would swallow not only the other terms in [the] exclusion but also the coverage for computer fraud.”

Secondly, the Court rejected the insurer’s attempts to liken its policy to a traditional fidelity bond, which does not provide third party liability coverage.  The Court noted that the terms of the policy, rather than its title, govern the coverage provided.

Finally, the Sixth Circuit agreed that, under Ohio law, the losses plaintiff suffered did result directly from the data breach as required by the terms of the policy.  The Court found the phrase ambiguous, and further found that “resulting directly from” does not unambiguously mean that the data breach be the “sole” or “immediate” cause of the insured’s loss, as defendant urged.  Instead, the Court found that the language only required that the breach be the proximate cause of the loss.

This ruling represents a favorable outcome for policyholders that have been resistant to purchase cyber policies, as yet another commonly used policy has been held to cover data breach costs.  At least in the Sixth Circuit, commonly used, broadly worded exclusions for proprietary and other confidential information will not exclude coverage for customer credit card and checking information, and a less exacting proximate cause standard will be applied in determining whether an insured’s loss will be covered by crime policies.

Proskauer’s Insurance Recovery & Counseling Group focuses on assisting policyholders facing these issues by conducting strategic policy reviews that can identify potential gaps in coverage, and by representing policyholders in disputes with their insurers.  The Privacy & Data Security Group also works with clients to review their privacy policies to ensure compliance with applicable laws.  Please call or email us if you need assistance or have a question.

*This blog was written by Marc Rosenthal, a partner in Proskauer's Chicago office and member of the Insurance Recovery & Counseling and International Arbitration Groups, and Joe Clark, an associate in Proskauer's Los Angeles office and member of the Litigation Department.

Under newly added subsection (b)(2) of the statute, companies that are required to notify Connecticut residents of a data breach must also notify the Attorney General of Connecticut no later than the time when notice is provided to the residents (which, according to subsection (b)(1), must be made without unreasonable delay, subject only to delays resulting from law enforcement investigations and a company-conducted investigation to determine the nature and scope of the incident, identify the individuals affected, or restore the reasonable integrity of the underlying data system). 

• The amendment adds factors to consider when determining whether personally identifiable information has been acquired or is reasonably believed to have been acquired by an unauthorized person, including indications that the information: (i) is in the physical possession and control of a person without valid authorization, (ii) has been downloaded or copied, (iii) was used by an unauthorized person, or (iv) has been made public.  (§ 2430(8)(C))
• The law’s notification requirements were previously triggered by either unauthorized acquisition or access of personally identifiable information.  As amended, the requirements are only triggered by unauthorized “acquisition.”  At first blush, one might think this means that if data were merely accessed remotely from a Web site but not actually taken possession of, the law’s requirements are not triggered.  However, as discussed above, the amendment also adds four factors to be considered in determining whether there has been an unauthorized acquisition. One of those factors is whether the information has “been made public.”  Accordingly, this factor should be taken into consideration when interpreting the word “acquisition” in the amended law. (§ 2430(8)(A))
• Prior to the amendment, companies were required to notify consumers affected by a security breach in the most expedient time possible and without unreasonable delay.  This is still required, but the amendment adds that consumers must be notified, in any event, no later than 45 days after discovery or notification of the breach. (§ 2435(b)(1))
• Companies are required to notify the Attorney General of Vermont within 14 business days of the company’s discovery of the breach or when the company provides notice to consumers, whichever is earlier.  The notice to the Attorney General must include the date of the breach and of its discovery, and a preliminary description of the breach. There were no such obligations previously.  The information provided to the Attorney General pursuant to this requirement will not be made public.  As an exception to this preliminary notification requirement, companies that have certified in advance to the Attorney General that they maintain written policies and procedures to maintain the security of personally identifiable information and respond to a breach in a manner consistent with Vermont law are exempt from this preliminary notification requirement; instead, they must provide this notification to the Attorney General at any time prior to notifying consumers.  (§ 2435(b)(3)(A)(i))
• When notifying Vermont consumers affected by a security breach, companies must provide an additional notice to the Attorney General of Vermont which includes the number of Vermont consumers affected (if known) and a copy of the notice provided to affected consumers.  The information provided to the Attorney General pursuant to this requirement will be made public, and, as such, we recommend that the company also provide a second copy of the letter with the types of personally identifiable information involved redacted. This second copy will be used by the Attorney General’s office for public disclosure purposes.  (§ 2435(b)(3)(B)(i) and (ii))
• The notice letter that must be sent to affected consumers must now include the approximate date of the incident, in addition to the other information that was required by the law before it was amended.  (§ 2430(b)(5)(F))   
• Finally, as a result of the amendment, a toll-free number is no longer required to be included in the notice letter to consumers unless one is available. (§ 2430(b)(5)(D))

Although Maryland is the only state to have passed such legislation (as of the date of this blog post, Governor O’Malley had not yet signed the bill into law), several other states like Illinois, California, Minnesota, Michigan, Massachusetts and New York currently have similar bills pending.

• Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services. 
  • Companies should incorporate substantive privacy protections into their practices, such as data security, reasonable collection limits, sound retention and disposal practices, and data accuracy.
  • Companies should maintain comprehensive data management procedures throughout the life cycle of their products and services.

• Companies should simplify consumer choice.
  • Companies do not need to provide choice before collecting and using consumer data for practices that are consistent with the context of the transaction or the company’s relationship with the consumer, or are required or specifically authorized by law.
  • For practices requiring choice, companies should offer the choice at a time and in a context in which the consumer is making a decision about his or her data.  Companies should obtain affirmative express consent before (1) using consumer data in a materially different manner than claimed when the data was collected, or (2) collecting sensitive data for certain purposes. 

• Companies should increase the transparency of their data practices.
  • Privacy notices should be clearer, shorter, and more standardized to enable better comprehension and comparison of privacy practices.
  • Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use.
  • All stakeholders should expand their efforts to educate consumers about commercial data privacy practices.

Additionally, the FTC has committed to being active in the following areas over the next year:

• Do Not Track – While progress has been made in implementing Do Not Track, the FTC has stated that it will continue to work with the Digital Advertising Alliance and the World Wide Web Consortium to “…complete implementation of an easy-to use, persistent, and effective Do Not Track system.”

• Mobile – The FTC has initiated a project to update its business guidance about online advertising disclosures. 

• Data Brokers – The FTC has indicated that it supports legislation that would provide consumers with access to their information that is in the possession of data brokers.  The FTC has also called on data brokers to create “…a centralized website where data brokers can (1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain.”

• Large Platform Providers – The FTC has expressed concerns regarding the tracking of consumers by ISPs, operating systems, browsers and social media.  

• Promoting Enforceable Self-Regulatory Codes – The FTC has stated that it will participate in the Department of Commerce’s project to facilitate the development of sector-specific codes of conduct.  The FTC has indicated that, to the extent strong privacy codes are developed, adherence to such codes will be viewed favorably by the FTC.   

A copy of the report is available here.  

The Framework provides a general starting point that application developers can refer to when drafting their application privacy policies. The Framework includes model language to address the following questions and topics regarding the application’s and developer’s privacy practices:

What information does the Application obtain and how is it used?

• The MMA bifurcates this section into “User Provided Information” (e.g., information provided during registration) and “Automatically Collected Information” (e.g., mobile device’s unique device ID and the IP address of the mobile device).

 Does the Application collect precise real time location information of the device?

• This section is applicable to companies that collect “precise, real-time locational information.” Developers that collect such information should indicate how such information is used and, if applicable, opt-out options. Even if such information is not collected, the MMA recommends including a statement to that effect.

 Do third parties see and/or have access to information obtained by the Application?

• This section will be unique to the developer and application. In addition to disclosing to whom and in what circumstances information is disclosed to third parties, the MMA states that, generally, developers reserve the right to transfer information in the event of a sale of the application. 

 Automatic Data Collection and Advertising

• This section is intended to address applications that are ad supported. The MMA provides model language to address situations where a third party ad network obtains data for the purpose of ad targeting. 

 Where are my opt-out rights?

• This section will be unique to the developer, the application and the ad network utilized by the application, if applicable. The MMA provides an example that gives the user the following opt-out options: (a) opting out from all information collected by uninstalling the application; (b) opting out from the use of information for serving targeted ads; and (c) opting out from locational data collection.  

 Data Retention Policy, Managing Your Information

• This section is intended to communicate how long the developer will retain User Provided Data (the MMA has included “for as long as you use the Application and for a reasonable time thereafter.”) and allow users to contact the developer directly with notice to delete such data. 

Children

• This section is intended to address compliance with the Children’s Online Privacy Protection Act.   Even if the developer doesn’t need to comply with the act because the act is not applicable to the application, the MMA recommends including language that states the developer doesn’t knowingly solicit information or market to children under the age of 13. 

 Security

• This section is intended to provide an overview to the user of the developer’s security procedures and will be unique to the developer. The MMA has stated that “developers should ensure that their security procedures are reasonable.”

 Changes

• This section is intended to afford developers the flexibility to modify their privacy policy. The MMA notes that material changes to privacy practices generally require a user’s prior consent.

 Your Consent

• This section is intended to capture the user’s consent to have his/her data processed, collected and disclosed as set forth in the privacy policy. The MMA’s proposed language also geographically limits where activities related to data collected from users may occur to the United States.

 Contact Us

• This section is meant to provide email access to the developers of the application should a user have privacy questions or concerns.

While the Framework is not meant to set forth rigid parameters for developers to operate within, they do provide valuable guidelines that will assist most developers, with the help of their lawyers, to create a mobile application privacy policy that users will understand. However, it should be noted that the developers mustn’t simply rely on the language provided by the MMA; they must still draft a privacy policy to address their unique, application-specific privacy practices. Inaccurate or deceptive privacy policies are subject to actions by the Federal Trade Commission, state attorneys general and other regulators. 

There are several compliance options available to businesses under the Act. One option is for the business to adopt and disclose to the public in its privacy policy a procedure that allows its California customers to opt-out of the business’s sharing of their personal information for third parties’ direct marketing purposes. Alternatively, a business can inform its California customers of the business’s designated contact point to which a request under the Act should be directed in any of the three following ways: (A) by instructing its agents or employees to inform the customers of such information; (B) by including such information in the business’s web site privacy policy with the required emphasis and conspicuousness; or (C) by making such information available to customers at the business’s physical locations. 

To date, despite being effective since 2005, there are no published decisions under the Act. But that may change with this month’s wave of class action lawsuits. The complaints in the recently filed class action lawsuits share the same allegation (in addition to sharing the same plaintiff’s lawyer): that each respective business failed to comply with its obligations by not providing its California customers with the information necessary for them to make requests under the Act.

According to Cal. Civ. Code §1798.84(c), violating the Act can result in a civil penalty of up to $500 per violation, unless the violation is willful, intentional or reckless, in which case the business can be on the hook for as much as $3,000 per violation. However, businesses are given a ninety day cure period before they can be held in violation of the law, as long as their violation was not willful, intentional or reckless.  Many companies who have been challenged may be able to avail themselves of this safe harbor to avoid costly settlements and class notification expenses. 

Although these cases are still in their early stages and it is not clear how things will be resolved, it is important to note that while complying with the Shine the Light privacy law may be burdensome, noncompliance may result in a business’s lights being dimmed, or, given the possibility of statutory damages, turned off for good.

Pursuant to the settlement, FrostWire:

• is prohibited from misrepresenting its file-sharing settings and must clearly and prominently disclose to the user which user-generated files and which downloaded files will be shared and with whom; 
• must modify its applications so that the user must affirmatively select which user-generated and downloaded content to share with other P2P users (as opposed to a default setting which allows for sharing);
• must update older versions of the mobile and desktop applications to reflect the terms of the settlement; and
• is subject to standard compliance monitoring and reporting obligations.

Perhaps if FrostWire implemented a “privacy by design” program, as proposed by the FTC in its December 2010 Preliminary FTC Staff Report, it would not have found itself addressing the FTC's allegations.  One thing is certain: This action demonstrates that, as mobile applications that make sharing content ever easier flood the market, the FTC is keeping a vigilant eye on companies that operate in this space so that users can take “intimate pictures” without having to worry about unwittingly sharing them with other P2P users. 

Playdom, Inc., an online game company owned by Disney Enterprises, Inc., and Playdom’s Chief Executive Officer, Howard Marks (the “Defendants”), agreed to pay $3 million to settle charges brought by the Federal Trade Commission (“FTC”) that they violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting, using and disclosing the personal information of children under the age of 13 without their parents’ prior, verifiable consent.  According to the FTC’s settlement announcement, the $3 million settlement is the largest civil penalty ever for a COPPA violation.

The FTC’s complaint, filed May 11, 2011, alleged that the Defendants operated 20 “virtual world” gaming websites and that when children registered on the websites, the Defendants collected children’s personal information, like their ages and email addresses. Between 2006 and 2010, around 403,000 children registered for Defendants’ general audience websites, while an additional 821,000 users registered for www.ponystars.com, the Defendants’ website directed to children. Once registered, children could create their own personal profile pages, which included things like name, location, email address and instant messaging information. The FTC claimed that the Defendants failed to provide sufficient notice on their websites of what information they collected from children and how they used and disclosed such information. The FTC also claimed that the Defendants failed to provide direct notice to the children’s parents of their collection, use and disclosure practices with regard to such information and failed to obtain parents’ verifiable consent to their practices.   

The FTC’s complaint also alleged that the Defendants failed to adhere to the promises set forth in their privacy policy, specifically, that they would neither collect the email addresses of children without parental consent, nor permit children under the age of 13 to post personal information on their websites.

It is worthy to note that Playdom took ownership of the websites when it acquired Acclaim Games, Inc. in May 2010 and Disney subsequently acquired Playdom in August 2010. Although most of the violations occurred when Acclaim Games was operating independently, its acquirers ended up getting stuck with the tab. 

In addition to the $100,000 penalty, Rascal Scooters is only allowed to call consumers if it has their consent in writing or if there is an actual “established business relationship” and is subject to ongoing monitoring and reporting requirements to ensure its compliance with the settlement order.

It is important to note that the penalty imposed could have been (and can be) much greater than $100,000. Pursuant to the settlement order, Rascal Scooters is subject to a $2 million penalty that is currently suspended due to its inability to pay.   The $2 million will become due immediately if it is revealed that the company misrepresented its inability to pay.

AT&T argued that no information should be disclosed under FOIA because the word personal as used under Exemption 7(C) applies to corporations.  AT&T argued that the definition of the word person includes legal entities, and therefore the definition of personal privacy should as well.  The Court rejected this proposition, deferring to the ordinary meaning of the word personal and holding that the word referred only to individuals.  The Court also indicated that when used together, the words personal privacy “suggests a type of privacy evocative of human concerns- not the sort associated with an entity like, say, AT&T.”  To lend further support to its decision, the Court also studied the rest of the statute and concluded that the existence of other exemptions available to entities under FOIA limited the scope of Exemption 7(C).     

Fittingly, Justice Roberts, who penned the opinion, closed with his hope that AT&T would not take the decision personally.

To access the new Data Security Standards, visit the PCI Document Library.

Here are some of the noteworthy updates:

• Companies must identify and rank vulnerabilities and develop testing procedures to address high-risk vulnerabilities (prior to June 30, 2012, ranking vulnerabilities is considered a best practice, after which it becomes a requirement) (PCI DSS, Section 6.2);
• Multiple virtual machines are permitted on the same physical hardware, so long as each virtual machine is performing only one task (PCI DSS, Section 2.2.1);
• Payment applications must facilitate centralized logging, in alignment with PCI DSS Section 10.5.3 (PA DSS, Section 4.4); and
• Similar to Section 6.2 of the PCI DSS, Section 7.1 of the PA DSS requires software vendors to identify vulnerabilities and rank them according to risk and test payment applications for new vulnerabilities.

While the new PCI DSS and PA DSS releases may not represent a significant shift in the Council’s position on payment card security, processors and software vendors alike should take steps to incorporate each standard’s updated requirements as we approach 2011.

In FenF, LLC v. Healio Health, Inc., No. 5:08-CV-404 (N.D. OH July 8, 2010), the court held that a provision from a settlement agreement entered into by FenF, LLC (“FenF”), the plaintiff, and Healio Health, Inc. (“Healio”), the defendant, which required Healio to transfer certain customer information to FenF was unenforceable because doing so would result in a violation of Healio’s privacy policy. The settlement agreement FenF was trying to enforce against Healio arose from Healio’s alleged infringement of FenF’s intellectual property. As a part of the settlement agreement, Healio agreed to transfer to FenF certain customer lists containing customer information. However, Healio promised in its privacy policy that it would not share its customers’ information with third parties. The court reasoned that “[a]llowing Plaintiff to obtain that information without any type of notice to the customers would result in manifest unfairness to those customers, who are not a party to this action and may very well have conditioned their purchases from Healio Health on that company’s promise to keep their customer information confidential.” Id. at 5. 

When you wrote your privacy policy, were you thinking about “the end”?

XY

Recently, the Federal Trade Commission (“FTC”) intervened in a bankruptcy case in which purchasers were attempting to acquire the personal information of subscribers of XY, which, before filing for bankruptcy, operated a magazine and website that targeted young gay men. When it was operating, XY collected sensitive data from anywhere between 500,000 to 1 million subscribers. XY promised its subscribers that their information was safe by stating on its website, “Our privacy policy is simple: we never share your information with anybody.”

The FTC wrote in its letter, dated July 1, 2010, to the counsel of the purchasers that the acquisition of such information would violate the FTC Act, because XY’s sale of subscriber information after XY explicitly promised not to share such information would be an unfair and deceptive act or practice. The FTC requested that XY destroy the subscriber information at issue due to the highly sensitive nature the information.   On August 3, 2010, in response to the FTC’s concerns, the U.S. Bankruptcy Court for the District of New Jersey approved the parties’ settlement agreement which stipulated that the information at issue would be destroyed.

Toysmart.com

The XY bankruptcy was not the first time that the sale of customer lists of a company in bankruptcy was thwarted due to promises made in its privacy policy. In 2000, Toysmart.com, LLC (“Toysmart”), an electronic toy retailer, announced that it was going out of business and sought offers for its customer lists which contained personally identifiable information of its customers. The FTC opposed such a sale and brought suit against Toysmart based on Toysmart’s promise in its privacy policy that it would not share its customers' personally identifiable information with third parties. Federal Trade Comm'n v. Toysmart.com, LLC, 2000 WL 34016434 (D. Mass. July 21, 2000) (Unreported). A group of state attorneys general took similar actions to prevent the sale of the lists. Ultimately, Disney, the majority owner of Toysmart, agreed to purchase and destroy Toysmart's customer lists.

Verified Identity Pass

Years after the Toysmart case, Verified Identity Pass, Inc. (“VIP”) encountered a similar situation. VIP was a company that allowed airport travelers to expeditiously pass through security checkpoints. The company filed for bankruptcy on December 1, 2009. VIP sought an acquirer, but the U.S. District Court for the Southern District of New York issued an injunction preventing VIP from selling or otherwise disclosing personal information from its database because VIP promised in its membership agreement and related privacy policy that it would not sell or distribute such information. On May 4, 2010, VIP was acquired by Alclear, LLC. The U.S. Bankruptcy Court for the Southern District of New York appointed a consumer privacy ombudsman to oversee the transfer of the personally identifiable information. VIP was forced to amend its Privacy Policy to reflect the fact that it would now be transferring its customers’ personal information to third parties. In addition, VIP had to send notice of the changes to its privacy policy to each affected customer and had to give each affected customer the option to opt-out of the transfer by electing to have his or her information destroyed.

The Bankruptcy Code

The Bankruptcy Code was amended in 2005 to specifically address the sale of a debtor company’s customer information as part of its liquidation. Now, under section 363(b)(1) of Chapter 11 of the Bankruptcy Code, the appointed trustee may sell the property of an estate; however, if the debtor has a privacy policy prohibiting the transfer of personally identifiable information to persons not affiliated with the debtor and that policy is in effect on the date of the commencement of the case, then the trustee may not sell such information. A sale of such information may nevertheless occur in the following circumstances: if the sale is consistent with the privacy policy (e.g., there is a carve-out in the privacy policy for a sale of the personally identifiable information), or if a court appoints a consumer privacy ombudsman in accordance with § 332 of the bankruptcy code and the court provokes the sale.

Kleffman alleged that Vonage used these multiple domain names in order to deliberately trick e-mail filters into believing that there were multiple senders (when in fact, all sites were under the control of Vonage). Kleffman alleged that this violated California Business and Professions Code § 17529.5(a)(2), which states that it is unlawful to advertise in a commercial e-mail if the e-mail “contains or is accompanied by falsified, misrepresented, or forged header information.” Id. at 1.

Vonage removed the case to the U.S. District Court for the Central District of California and was granted a dismissal. Kleffman appealed to the U.S. Court of Appeals for the Ninth Circuit which certified the central issue to the Supreme Court of California: “Does sending unsolicited commercial e-mail advertisements from multiple domain names for the purpose of bypassing spam filters constitute falsified, misrepresented, or forged header information under . . . § 17529.5(a)(2)?” Id. at 5.   

Noting that the domain names from which Vonage sent its e-mail advertisements were fully traceable to Vonage’s marketing agents, the Supreme Court of California found that “. . . an e-mail with an accurate and traceable domain name makes no affirmative representation or statement of fact that is false.” Id. at 16. The court also wrote that the state legislature did not intend to prohibit the use of multiple domain names and did not “make it unlawful to use a domain name in a single e-mail that does not make it clear the identity of either the sender or the merchant-advertiser on whose behalf the e-mail advertisement is sent.” Id. at 14.     

With the dust from the breach beginning to settle, the financial damage to Heartland is becoming evident. Should the MasterCard settlement be approved, Heartland could, in total, be on the hook for well over $100 million in breach-related settlement payments. 

Some financial institutions will gravitate towards the Model Form because by using it, they will obtain a legal “safe harbor” which confirms their compliance with the GLBA’s disclosure requirements. It remains to be seen, however, whether all financial institutions will adopt the Model Form given the difficulty a financial institution may have in conveying its complex affiliate relationships and the fact that the Model Form rules do not allow the form to be modified in any material respect.

The definition of data controller, under Article 2(d) of the Directive, is “the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data . . . .”

In clarifying the definition of controller, the Working Party analyzed its constituent parts. 

• In its discussion of “joint control,” the Working Party stated that parties who act jointly have certain flexibility with respect to the allocation of obligations and responsibilities under the Directive. In its assessment, the Working Party said that the factual circumstances relating to the relationship must be considered.  It warned that joint control among multiple controllers may lead to a lack of clarity in the allocation of responsibilities, which could potentially result in a violation of the principle of fair processing.

• In its discussion of “determines,” the Working Party advised that such an analysis should be factual, and should begin with the questions “why is this processing taking place? Who initiated it?” “[A] body which has neither legal nor factual influence to determine how personal data are processed cannot be considered as a controller.”

• In its discussion of “purposes and means of processing,” the Working Party advised that the key questions that should be asked when analyzing purposes of processing are “why the processing is happening and what is the role of possible connected actors like outsourcing companies: would the outsourced company have processed data if it were not asked by the controller, and at what conditions?” It also stated that the key questions that should be asked when analyzing the means of processing include technical questions, like “which hardware or software will be used?” and organizational questions, like “which data shall be processed? For how long shall they be processed?” The Working Party went on to state that determining the purpose of processing is reserved solely to the controller, while determining the means of processing may be delegated by the controller to a processor. 

Data Processor:

Data processor, under Article 2(e) of the Directive, is defined as “a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.” The processor must be a separate legal entity with respect to the controller. In its assessment, the Working Party focused on the meaning of “on behalf of the controller.”  It called upon the legal concept of “delegation,” in that the processor is only permitted to perform data processing within the bounds of the mandate given by the controller. The Working Party stressed that should a processor exceed such bounds and begin to acquire a role in determining the purposes and means of processing, it may become a controller rather than a processor under the Directive. 

After years of negotiations, on February 5, 2010, the European Commission (EC) updated its Standard Contractual Clauses (SCCs), which set forth contract terms that govern the protection of personal data transferred from data exporters within the European Union (EU) to data processors outside the EU.  On June 8, 2009, we wrote that the EC was considering implementing new SCCs.  On May 15, 2010, the new SCCs, promulgated under 2010/87/EU, will go into effect, replacing the old SCCs, promulgated under 2002/16/EC.