
Inside Privacy

Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

European Commission Wants Leaders to Embrace Big Data

Posted in International

On 2 July 2014, the European Commission issued a Communication titled “Towards a thriving data-driven economy”, which describes the features of such an economy and sets out some operational conclusions. The Communication responds to the European Council’s conclusions of October last year which called for EU action to provide the right framework conditions for a single market for big data and cloud computing.

The Communication follows in the wake of the White House’s comprehensive review of big-data and privacy issues and the parallel report of the President’s Council of Advisors on Science and Technology (“PCAST”) in May (see here) as well as the European Data Protection Supervisor’s preliminary opinion on Privacy and Competitiveness in the age of Big Data (see here) published in April.

The European Commission recognizes that “the European digital economy has been slow in embracing the data revolution compared to the USA” and has identified various obstacles as reasons, including:

  • a lack of appropriate funding for research and innovation;
  • a shortage of experts;
  • the complexity of the legal environment;
  • the concerns and reduced trust in the digital economy among individuals and organisations; and
  • data location requirements limiting the cross-border flow of information and creating a barrier to a single market for cloud computing and big data.

The Commission is aware of the many opportunities that big data creates, realizing that “data is at the centre of the future knowledge and economy” and proposes an action plan to bring about the data-driven EU economy of the future.

From a data protection law perspective the following points in particular are noteworthy:

  • The European Commission emphasizes that big data processing has to comply with applicable data protection rules when it involves personal data. But the Commission demonstrates its willingness to enact effective data protection and network security rules, whereby the legal framework and the policies should be data-friendly. The European Commission calls for the legislative process on the reform of the EU data protection network and information security to be rapidly concluded as it hopes that this will foster trust and confidence and increase legal certainty. The reform should be complemented by adequate guidance on issues such as data anonymization and pseudonymization, data minimization, personal data risk analysis and tools and initiatives enhancing consumer awareness.
  • The Communication addresses the actions taken under the European Cloud Strategy, including the work on trusted cloud computing, standards, certification and fair contract terms and conditions for cloud users. These are described in more detail in the Report on the Implementation of the Communication ‘Unleashing the Potential of Cloud Computing in Europe’, a Commission Staff Working Document, which was also published on July 2 and can be downloaded here. The Commission will also launch a consultation on “personal data spaces” (basically user-controlled cloud-based technologies for storage and use of personal data) and study barriers created through data location requirements.
  • The Commission envisages funding for a series of projects related to the Internet of Things (essentially data gathered through smart connected objects) as well as support for R&I for privacy-enhancing ‘by design’ technical solutions, such as tools to assist users in selecting appropriate data sharing policies or reducing personal data breaches.
  • The Commission also wants to explore the security risks relating to big data and intends to propose risk management and mitigation measures, including guidelines on good practices.

The Commission will further consult with Parliament, Council, Member States and relevant stakeholders to draw up a more detailed action plan.

Court Denies Company’s Request for Identity of Online Commenter

Posted in Litigation, United States

A New York state trial court last week rejected a publicly traded company’s request to obtain the identity of an individual who anonymously wrote negative comments about the company on an online financial bulletin board.

In February 2014, an individual with the pseudonym “Pump Terminator” posted an article about Nanoviricides, Inc. on www.seekingalpha.com, a financial website.  The article was titled “NanoViricides: House of Cards with -80% Downside, ‘Strong Sell’ Recommendation,” and directly below the article, the author wrote “Disclosure: I am short NNVC.  I wrote this article myself, and it expresses my own opinions.  I am not receiving compensation for it.  I have no business relationship with any company whose stock is mentioned in this article.” 

The article provides a lengthy critique of the company’s business practices, calling it “the worst US reverse merger we have ever seen” and comparing it to the China RTO frauds.  The article links to a shareholder complaint filed against the company’s CEO and president.

Nanoviricides filed a pre-action discovery proceeding, seeking the disclosure of the identity of “Pump Terminator” so that it could bring a libel claim against the author.  Among the statements that the company alleged are defamatory:

  • With multiple questionable stock promoters NNVC has pumped the stock +330% while heavily diluting shareholders and stealing NNVC out from under public investors as insiders siphoned off millions of dollars.
  • Anil hires his wife as CFO while Auditor and Internal Financial Controls are failing.

On June 26, Judge Cynthia S. Kern of the Supreme Court of New York denied the discovery request, concluding that the company failed to demonstrate that it has a meritorious cause of action for defamation.  Federal and New York courts have long held that statements of pure opinion — rather than factual assertions — cannot be the basis for a defamation claim.  Judge Kern concluded that, when considered as a whole, the article conveys the author’s opinion. 

Important to her conclusion were both the disclaimer that the article is the author’s opinion, and phrases such as “we believe” or “it seems to us” that appear in the article more than 15 times.  Moreover, Judge Kern concluded, the financial news website’s tagline, “Read. Decide. Invest” clearly gives the impression “that the website is designed to give people a place to express their opinions and for the reader to then form his or her own assumptions based on the posted articles.”  

Particularly noteworthy is Judge Kern’s finding that New York courts should protect against the use of subpoenas that stifle the free exchange of ideas online.  “Clearly the article herein at issue does not cast the petitioner in a positive light and the court can sympathize with the filing of the instant petition,” Judge Kern wrote.  “However, it is paramount in an open and free society that we protect the anonymity of those whose ‘publication is prompted by the desire to question, challenge and criticize the practices of those in power without incurring adverse consequences.’”

Discovery requests for the identities of anonymous Internet commenters often arise in defamation cases that involve negative comments that were posted on websites and online bulletin boards.  Judge Kern’s decision is noteworthy for its fairly broad interpretation of what constitutes “opinions” that are protected from defamation claims and discovery.

Florida Enacts Stringent Breach Notice Law

Posted in Data Breaches, Data Security, State Legislatures, United States

Last Friday, Florida’s governor signed into law the Florida Information Protection Act of 2014 (“FIPA”), a bill repealing Florida’s existing data security breach notice law and replacing it with what will be one of the nation’s most stringent breach notice laws.  This post summarizes the key aspects of the new law, which becomes effective July 1, 2014.

The Definition of “Personal Information” Now Includes Online Account Credentials

FIPA broadly defines the type of information that, if breached, could require a company to provide notice to consumers and (as discussed below) regulators (“personal information”).  Going beyond the narrow scope of information protected by most state data breach laws, FIPA’s definition of personal information includes “a user name or e-mail, in combination with a password or security question and answer that would permit access to an online account.”  (California’s breach notice law also defines covered information to include online account credentials.)

Notice to Individuals Must Now Be Provided Within 30 Days of the Incident

The new law states that any required notices to individuals generally must be provided “no later than 30 days after the determination of a breach or reason to believe a breach occurred.”  This represents a shortening of Florida’s existing 45-day notice requirement. 


Wyndham Data Breach Ruling Cleared for Potential Appeal to Third Circuit

Posted in Federal Trade Commission, Litigation

U.S. District Court Judge Esther Salas ruled on Monday that the U.S. Court of Appeals for the Third Circuit can review her conclusion that Section 5 of the Federal Trade Commission Act provides the FTC with authority to bring actions arising from companies’ data security violations.

In April of this year, Judge Salas denied Wyndham Hotels and Resorts’ motion to dismiss an FTC lawsuit that alleges that Wyndham violated the FTC Act’s prohibition against “unfair practices” by failing to provide reasonable security for its customers’ personal information. Although her order is not a final ruling and is not binding on any other judge, it received considerable attention because it was the first time that a court has weighed in on the scope of the FTC’s authority over data security and privacy matters.

Denials of motions to dismiss ordinarily are not immediately appealable, absent permission from both the district court and the court of appeals.  In her ruling on Monday, Judge Salas granted Wyndham’s motion to appeal her order to the Third Circuit.  Judge Salas reasoned that there are substantial grounds for differences of opinion on two issues: (1) whether the FTC can bring a Section 5 unfairness claim involving data security; and (2) whether the FTC must formally promulgate regulations before bringing its unfairness claim.

If the Third Circuit grants Wyndham’s Petition to Appeal, the appellate court will review the legal conclusions in Judge Salas’s April order.  If the Third Circuit denies the petition, the case will proceed in the district court.  Even if the Third Circuit denies this petition for review, it ultimately may hear an appeal of the outcome of summary judgment proceedings or a trial in this case.

Eleventh Circuit: Warrant Required to Obtain Cell Site Location Information

Posted in Litigation, United States

The Eleventh Circuit ruled on June 11 that cell site location information—which can reveal the location of a cell phone user, based on his proximity to cell phone towers—is protected by the Fourth Amendment and can only be obtained with a warrant.  That ruling sets the stage for continued battles over Fourth Amendment protections for location data, an area that has come under increasing scrutiny amid calls for Congress to update the 1986 law governing the protection of electronic information.

In United States v. Davis, the Eleventh Circuit held that the defendant’s Fourth Amendment rights were violated when the government obtained a court order for his cell site location information under 18 U.S.C. § 2703(d) of the Stored Communications Act, rather than pursuant to a search and seizure warrant.  While warrants require the government to establish probable cause that the information sought will yield evidence of a crime, the government may obtain a § 2703(d) order upon the lesser showing of “specific and articulable facts” establishing reasonable grounds to believe the information is relevant to an investigation.  

Prosecutors relied on the location records in Davis to establish that the defendant was in close proximity to scenes of six crimes with which he was charged.  The court emphasized that the government had highlighted the location records at trial, noting the prosecutor’s statements during closing argument that the defendant “probably had no idea that by bringing [his] cell phone with [him] to these robberies,” he was allowing his cell phone provider “and now all of you to follow [his] movements on the days and at the times of the robberies. . . .” 


EU Justice Ministers Reach A Common Position on Aspects of the Draft EDPR

Posted in European Union

By Dan Cooper & Maria-Martina Yalamova

On June 6, 2014, the Justice and Home Affairs Council of the European Union (the “Council”), representing individual EU Member States, reached a common position on certain important aspects of the draft European Data Protection Regulation (the “Regulation”).  Specifically, the Council reached an agreement on rules governing transfers of personal data outside the EU, set out in Chapter V of the Regulation, and on rules relating to its territorial scope.  A number of key elements of the proposal remain under review, however, with agreement not expected for some time.  And, the text of the proposed Regulation still has to be negotiated and agreed in its entirety by both the Council and the European Parliament, and Chapter V (as well as other provisions) may undergo further changes in the process.

While Parliament’s position is now set in stone (following a plenary vote in March 2014), the Council is still in the process of defining its position on key aspects of the Regulation.  According to unofficial sources, the Italian Presidency of the Council (which will take over in July) will aim to agree the remaining Chapters of the Regulation by the end of 2014.  It is unclear whether any negotiations on the text between the Council and Parliament will take place before then.  


Senate Subcommittee Examines “Stalking Apps” Bill

Posted in Federal Trade Commission, Uncategorized

This week, the Senate Judiciary Subcommittee on Privacy, Technology and the Law held a hearing to discuss the Location Privacy Protection Act of 2014, a bill reintroduced in March by Senator Al Franken (D-MN).  Most concerned with the potential for misuse and abuse of location data for purposes of stalking and perpetrating domestic violence, Senator Franken, who chairs the Subcommittee on Privacy, made clear at the hearing his view that, “Stalking apps must be shut down.”  Franken clarified, however, that his bill is not only intended to protect victims of stalking, but provides basic privacy safeguards for sensitive location information pertaining to all consumers.  Most critically, Senator Franken suggested that because location data lacks sufficient legislative protection, some of the most popular apps used widely by average consumers have been found to disclose users’ precise location to third parties without obtaining user permission.  Further, he noted that in light of stalking apps that are deceptively labeled as something else, such as “parental monitoring,” it is necessary to create a law with basic rules for any service that collects location information.

The witnesses representing law enforcement, federal agencies, and consumer-advocacy and anti-domestic violence groups gave testimony sharing Senator Franken’s concerns, and also suggested that industry self-regulation in this area so far has not been consistent or transparent.  Jessica Rich, Director of the Federal Trade Commission’s Bureau of Consumer Protection, for example, noted that broadly speaking, while many industry groups and individual companies purport to adopt the opt-in model as a best practice, enforcement has shown that the standard is in fact not complied with on a regular basis. 

In response, witnesses representing industry largely rejected the notion that legislation like Senator Franken’s is needed at this time.  Expressing particular worry that laws and regulations are inflexible and can quickly become outdated in the face of rapidly evolving technologies, Lou Mastria, Executive Director of the Digital Advertising Association (“DAA”), testified that innovation is better served by self-regulation, which can adapt to new business models because it is more “nimble” than government regulation, as subcommittee ranking member Senator Jeff Flake (R-AZ) phrased it.  Mr. Mastria pointed to the DAA’s Self-Regulatory Principles as an effective framework for self-regulation.  Sally Greenberg, Executive Director of the National Consumers League, however, contested the usefulness of DAA’s code, calling it weak, “full of holes,” and “late to the game,” especially in the face of her view that there is “monumental evidence that self-regulation is not working.”


New Connecticut Law Adds Promotional SMS to State “Do Not Call” Registry Rules; Prohibits Promotional SMS to Numbers Not on State Registry Absent “Prior Express Written Consent”

Posted in Federal Communications Commission, State Legislatures

Last week, the governor of Connecticut signed into law a new requirement that extends compliance with the state’s existing Do-Not-Call registry to promotional text messages (SMS).  Specifically, the law amends the definition of a “telephonic sales call” to include a “text or media message sent by or on behalf of a telephone solicitor,” thereby prohibiting promotional SMS from being transmitted to any number on the state’s existing Do-Not-Call registry.  The law defines a “text or media message” to mean “a message that contains written, audio, video or photographic content and is sent electronically to a mobile telephone or mobile electronic device telephone number,” but it expressly excludes “electronic mail sent to an electronic mail address.”  Under the new law, a text or media message is promotional or commercial in nature if it involves marketing or sales, the extension of credit for goods or services, or the collection of information for these purposes.

Like telephonic sales calls, promotional text or media messages need not be scrubbed against Connecticut’s existing Do-Not-Call registry if they are transmitted with the recipient’s “prior express written consent,” sent primarily in connection with an existing debt or contract that is pending, or are transmitted to an existing customer who has not asked to be excluded from such messages.  The new law, however, contains a separate, stand-alone prohibition against transmitting a promotional SMS to numbers that do not appear on the state’s Do-Not-Call registry, absent the “prior express written consent” of the message recipients.  The new law adopts the same definition for “prior express written consent” as the Federal Communications Commission’s existing telemarketing rules under the Telephone Consumer Protection Act.

The new law also increases the maximum penalty for violations from $11,000 to $20,000, although only the state Commissioner of Consumer Protection is given enforcement authority to carry out the law’s provisions.  The law also contains a new provision requiring telephone and telecommunications companies to at least twice per year include a conspicuous notice in their bills or account statements informing consumers about the relevant telemarketing prohibitions, along with information about how consumers can add their phone numbers to the state Do-Not-Call registry, and how to file a complaint with the state Department of Consumer Protection for violations of the law.

Connecticut’s new requirements become effective this fall, on October 1, 2014.

A Public Advocate for Privacy

Posted in Congress, United States

Since 1979, the United States Government has made at least 35,651 applications to the Foreign Intelligence Surveillance Court (FISC) for authority to conduct electronic surveillance and physical searches of individuals.[1]  Of those requests, only 12 have been denied; 532 requests have been formally modified.  According to one judge on the FISC, a substantially higher number have been modified as a result of informal communications between the government and the FISC staff.[2]  The nature of those modifications, however, remains confidential, as does the entire process for considering such requests.  Consequently, it is simply not possible to determine whether a larger number of requests should have been denied or further modified.  

Since our country’s founding, the rule of law and our judicial system that helped establish it have depended on an adversarial system to make sure that the appropriate balance is struck between competing interests—in this case between individual privacy and national security.  Our nation’s legitimate national security needs require that individuals who are under surveillance not know that the surveillance is being conducted.  But that imperative does not dictate that we dispense with the time-tested value of the adversarial system in the FISC.

To that end, several legislative proposals have recently been put forth to create a Public Advocate for Privacy who would defend, in the FISC, the legal interests of individuals subject to surveillance requests.  The Public Advocate would have all necessary security clearances, and his or her work would remain unknown to the persons potentially under surveillance.  Under the more robust proposals, the Public Advocate would be permitted to monitor the docket of the FISC and affirmatively litigate in both the FISC and on appeal to help vindicate legitimate privacy interests under the Fourth Amendment and other laws.

The bill recently passed by the House of Representatives has moved away from a Public Advocate office that would challenge individual surveillance requests and adopted instead a less robust “amicus” model consisting of a panel of lawyers that would intervene on legal questions only when (and to the extent) requested by the FISC itself.  As of this writing, however, the bill pending in the Senate continues to reflect the more robust version of the Public Advocate.

In the course of the legislative process, questions have been raised regarding the constitutionality of such a Public Advocate.  In particular, the Congressional Research Service (CRS) has produced a thoughtful paper identifying some important issues concerning, among other items, the standing of the Public Advocate to litigate such matters. 

To further the public discussion of this important issue, AOL, Inc. asked Covington & Burling to look at this question and provide an analysis of the constitutional issues raised by the CRS.  Their paper is available here.  It concludes that there is no insurmountable constitutional infirmity to a robust Public Advocate that can litigate on behalf of individuals subject to surveillance requests.

[1] The statistics referenced in this article are drawn from the Electronic Privacy Information Center.  See Foreign Intelligence Surveillance Act Court Orders 1979-2014, Elec. Privacy Info. Ctr. (last updated May 1, 2014), http://epic.org/privacy/wiretap/stats/fisa_stats.html.

[2] See Letter from Judge Walton of the FISC to Senator Grassley (Oct. 11, 2013).

Senate Judiciary Subcommittee To Examine “Stalking Apps”

Posted in Uncategorized

Tomorrow, the Senate Judiciary Subcommittee on Privacy, Technology and the Law will hold a hearing on legislation reintroduced in March by Senator Al Franken (D-MN), the Location Privacy Protection Act of 2014.  The bill would regulate the development, operation, and sale of “stalking apps” and also would require companies to get consumer permission before collecting and sharing with third parties consumers’ location data retrieved from smartphones, tablets, or in-car navigation devices.  The following witnesses, who include federal officials, consumer advocates, and industry experts, are scheduled to testify:

  • Bea Hanson, Principal Deputy Director of the Department of Justice’s Office On Violence Against Women
  • Jessica Rich, Director of the FTC’s Bureau of Consumer Protection
  • Mark Goldstein, Director of Physical Infrastructure Issues at the U.S. Government Accountability Office
  • Brian Hill, Detective at Anoka County Sheriff’s Office Criminal Investigation Division
  • Lou Mastria, Executive Director of the Digital Advertising Association
  • Sally Greenberg, Executive Director of the National Consumers League
  • Dr. Robert D. Atkinson, President of the Information Technology and Innovation Foundation
  • Cindy Southworth, Vice President of Development And Innovation at the National Network to End Domestic Violence

The bill is co-sponsored by Senators Chris Coons (D-DE) and Elizabeth Warren (D-MA).  It also has the support of consumer and anti-domestic violence groups, including the National Center for Victims of Crime, the National Network to End Domestic Violence, the National Women’s Law Center, the Minnesota Coalition for Battered Women, Consumer Action, Consumers Union, the National Association of Consumer Advocates, the National Consumers’ League, and the Online Trust Alliance.  The bill does not deal with law enforcement location tracking, which is addressed in other legislation.  You can view a video of Sen. Franken talking about his bill here.