Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

What information does the Application obtain and how is it used?

• The MMA bifurcates this section into “User Provided Information” (e.g., information provided during registration) and “Automatically Collected Information” (e.g., mobile device’s unique device ID and the IP address of the mobile device).

 Does the Application collect precise real time location information of the device?

• This section is applicable to companies that collect “precise, real-time locational information.” Developers that collect such information should indicate how such information is used and, if applicable, opt-out options. Even if such information is not collected, the MMA recommends including a statement to that effect.

 Do third parties see and/or have access to information obtained by the Application?

• This section will be unique to the developer and application. In addition to disclosing to whom and in what circumstances information is disclosed to third parties, the MMA states that, generally, developers reserve the right to transfer information in the event of a sale of the application. 

 Automatic Data Collection and Advertising

• This section is intended to address applications that are ad supported. The MMA provides model language to address situations where a third party ad network obtains data for the purpose of ad targeting. 

 Where are my opt-out rights?

• This section will be unique to the developer, the application and the ad network utilized by the application, if applicable. The MMA provides an example that gives the user the following opt-out options: (a) opting out from all information collected by uninstalling the application; (b) opting out from the use of information for serving targeted ads; and (c) opting out from locational data collection.  

 Data Retention Policy, Managing Your Information

• This section is intended to communicate how long the developer will retain User Provided Data (the MMA has included “for as long as you use the Application and for a reasonable time thereafter.”) and allow users to contact the developer directly with notice to delete such data. 

Children

• This section is intended to address compliance with the Children’s Online Privacy Protection Act.   Even if the developer doesn’t need to comply with the act because the act is not applicable to the application, the MMA recommends including language that states the developer doesn’t knowingly solicit information or market to children under the age of 13. 

 Security

• This section is intended to provide an overview to the user of the developer’s security procedures and will be unique to the developer. The MMA has stated that “developers should ensure that their security procedures are reasonable.”

 Changes

• This section is intended to afford developers the flexibility to modify their privacy policy. The MMA notes that material changes to privacy practices generally require a user’s prior consent.

 Your Consent

• This section is intended to capture the user’s consent to have his/her data processed, collected and disclosed as set forth in the privacy policy. The MMA’s proposed language also geographically limits where activities related to data collected from users may occur to the United States.

 Contact Us

• This section is meant to provide email access to the developers of the application should a user have privacy questions or concerns.

While the Framework is not meant to set forth rigid parameters for developers to operate within, they do provide valuable guidelines that will assist most developers, with the help of their lawyers, to create a mobile application privacy policy that users will understand. However, it should be noted that the developers mustn’t simply rely on the language provided by the MMA; they must still draft a privacy policy to address their unique, application-specific privacy practices. Inaccurate or deceptive privacy policies are subject to actions by the Federal Trade Commission, state attorneys general and other regulators. 

In the case at hand, the French subsidiary of a U.S. group had, in 2008, implemented a whistleblowing system to comply with SOX requirements in the United States. After various modifications, the CNIL authorized the French subsidiary to implement the system because the program complied with the CNIL’s simplified filing procedure for whistleblowing systems.

Our readers will remember that pursuant to rules in existence since 2010, see our post of December 15, 2010, companies are able to take advantage of the CNIL’s simplified filing procedure for whistleblowing systems as long as the whistleblowing system does not encourage whistleblowers to remain anonymous and is limited in scope to conduct violations in the following areas:

• accounting;
• finance;
• banking;
• anti-corruption;
• competition;
• companies concerned by SOX Act section 301 (4) of July 31, 2002;
• Japanese SOX of June 6, 2006.

Here, despite the CNIL’s approval of the French subsidiary’s whistleblowing system, the employees’ representatives brought a lawsuit against the subsidiary in the Caen Tribunal of First Instance because they believed the system to be flawed in a number of ways, including the following:

• the scope of complaints which could be made through the whistleblowing system was too broad: employees could file complaints on any kind of wrongdoings or problems;
• any Internet user could report wrongdoings about a French employee of that company even if those wrongdoings were outside the scope of the CNIL’s simplified filing procedure;
• contrary to the simplified filing procedure issued by the CNIL, the whistleblowing system encouraged the whistleblower to remain anonymous; and
• employees were not sufficiently informed about their access and rectification rights with respect to the data about them.

The Court of Appeal of Caen ruled that the claims made by the employees’ representatives were well-founded for the following reasons:

• the whistleblowing system was outside the scope defined by the French Data Protection Agency, in large part because it permitted complaints of all kinds;
• the whistleblowing system had been modified unilaterally by the company without the works council and the health and safety committees being informed and consulted prior to any changes being made.

In light of this new decision, companies implementing whistleblowing systems in France need to make sure that (i) the scope of their whistleblowing systems does not exceed the scope defined by the CNIL in its simplified filing procedure and (ii) they inform and consult employees’ representative bodies prior to making any changes to such systems. Failure to do so may lead to challenges by employees or their representative bodies that will halt the implementation of the offending whistleblowing system in France. This, in turn, may raise various issues in the United States, in particular with respect to SOX compliance, that could have significant legal consequences, since according to Section 301 of SOX, audit committees of listed multinationals have to launch hotlines for the confidential, anonymous submission of employees’ complaints or concerns regarding questionable auditing or accounting matters.

According to article 34 of the French Data Protection Act of January 6, 1978 (as later amended, the “Act”), data controllers must take all useful precautions, depending on the nature of the data and the risks involved in processing it, to preserve the security of the data and, in particular, to prevent its alteration and damage, or access by non-authorized third parties.

Failure to do so is punishable by five years' imprisonment and a fine of €300,000.

This duty to ensure the security of data continues throughout all stages of data processing, i.e. from the data’s creation, to its use, back-up, filing and through to its eventual destruction.

In its recently issued guidelines, the CNIL particularly recommends that companies:

1.  Manage/Restrict access to data:

• Give a user-ID to each data processor in order to authenticate such user by means of a password, smartcard, digital fingerprint…and make sure that in cases where a password is used, it is modified every 3 months. The CNIL also recommends that companies remind their employees never to give their passwords to anyone, never to use the same password for different accesses, and not to configure their software so that passwords are recorded;
• Implement a permission management system to determine which category of employees may have access to each database. The CNIL considers that that each user should only have access to the data s/he needs for carrying out his/her duties. In order to have an effective permission management system, it is, for instance, advised to delete users’ access permissions as soon they are no longer authorized to have such access or processing rights as well as when they are terminated.

2.  Log/Register the actions made by users on the system during a defined period of time:

• According to Article 6 of the Act, processing may only be performed on personal data that meets the following conditions: the data shall be obtained and processed fairly and lawfully; it shall be obtained for specified, explicit and legitimate purposes; and it shall not subsequently be processed in a manner that is incompatible with those purposes.
• The CNIL recommends that any logs of user data should be stored for a maximum of 6 months.
• The data components to be stored are: the user number, the log-in date and time, and the log-out date and time.

3.  Guarantee the integrity of the data:

• Article 6 of the Act provides that data shall be accurate, complete and, where necessary, kept up-to-date;
• The CNIL recommends implementing measures to avoid viruses and fraudulent intrusions of company computers, and to secure remote access via Internet. To this end, the following protective measures may be introduced: limiting the number of access log-in attempts, implementing firewalls and automatic lock sessions, and using up-to-date antivirus programs.

4.  Implement processes enabling the deletion, archiving or anonymization of the data:

• Article 6 of the Act also provides that data shall be stored in a form that allows the identification of data subjects for a period no longer than is necessary for the purposes for which such data was obtained and processed
• Two types of anonymization exist, the first is irreversible, i.e., there is no ability to make the data identifiable to an individual again. The second is reversible and allows for the anonymized data to be reconverted into a format where the personal data is maintained. Regarding reversible anonymization, the CNIL specifies that the re-identification process must be very secure.

In order to guide companies to self-assess the level of security of their data processing, the CNIL has issued a questionnaire that focuses on the following points:

• Analysis of the risks;
• Authentication of the users;
• Permissions management;
• Work stations security;
• Mobile IT security;
• Back-ups;
• Maintenance security;
• Log files access security;
• Protection of the premises;
• Protection of the internal IT network;
• Servers and applications security;
• Managing subcontracting;
• Archiving; and
• Security of data exchanges with other companies.

To continue to strengthen companies’ security with regard to data processing, the CNIL has announced that a more elaborated document is being prepared.

1) Pre-emption

All four bills would pre-empt state laws pertaining to similar subject matter. However, the bills do allow states to specify additional information that must be included in data breach notifications. 

2) Regulatory enforcement and rulemaking

S. 239, H.R. 958 and S. 495 all delegate to the FTC the responsibility of establishing guidelines for data security and breach notification. Although the FTC’s mandate until now has not included breach notification, the FTC has a fair amount of experience with enforcing data security standards under its Section 5 (15 U.S.C. § 45) authority. 

The proposed legislation delegates authority to the FTC to promulgate regulations based on criteria similar to those the FTC already follows in its Section 5 cases: establishment of security policies, enforcement of those policies and monitoring of potentially vulnerable systems. See, e.g., H.R. 958, sec. 2.      

3) Breach notification duty belongs to data owner, not licensee or third-party data manager

H.R. 958 and S. 495 explicitly state that a third-party data manager’s only notification obligation after a breach is to alert the data owner, i.e., the entity on behalf of which the data is maintained, to the breach. S. 239 also imposes such an obligation, but notes that the proposed legislation does not prevent a data owner and a third party from allocating through contract the burden of notifying individuals’ whose data were compromised. The other two proposals are silent as to this issue.   

4) No private cause of action