Inside Privacy

Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

FCC’s Agenda for April 28th Broadband Consumer Privacy Public Workshop

Posted in Federal Communications Commission

The FCC has announced its agenda and panelists for its public workshop on protecting the privacy of consumers who use broadband Internet access services, which will be held on April 28.

FCC Chairman Tom Wheeler will give opening remarks and Matt Blaze, Associate Professor of Computer and Information Science at the University of Pennsylvania, will provide an overview of the collection and use of broadband subscriber data.  In addition, the workshop will consist of two panels: (1) Privacy Implications Associated with Broadband Internet Access Services and (2) The Application of Section 222 of the Communications Act to Broadband Internet Access Services.

The workshop will begin at 10:00 am Eastern and will be held at FCC headquarters at 445 12th Street, S.W. in Washington, D.C.  A live webcast also will be available on the FCC’s webpage.

House Passes Cybersecurity Information Sharing Bills

Posted in Congress, United States

Yesterday the U.S. House of Representatives passed the National Cybersecurity Protection Advancement Act (NCPAA), a bill that would provide liability protections for companies sharing cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC).  A related bill, the Protecting Cyber Networks Act (PCNA), was passed by the House on Wednesday and would provide similar liability protections when companies share information with civilian agencies.  As we reported last week, the two bills are expected to be combined before heading to the Senate.

European Commission Targets May 28th for Conclusion of Safe Harbor Negotiations

Posted in European Union

Věra Jourová, the European Commissioner for Justice overseeing negotiations with the U.S. Department of Commerce over the future of the EU-U.S. Safe Harbor scheme, has reiterated the May 28th target date for near-completion of the negotiations (previously covered on InsidePrivacy here and here).  Her hope is that an agreement in principle can be found at this year’s EU-U.S. Justice and Home Affairs Ministerial Meeting taking place next month in Riga (Latvia).

The Commission has reportedly obtained satisfaction over most of its 13 recommendations for the reform of the Safe Harbor scheme, which aims to ensure adequate protection for personal data exported from the EU to participating organizations in the U.S.  However, talks are on-going over possible restrictions on U.S. authorities’ access to EU-originating personal data for law enforcement or national security purposes.  The Commission, spurred on by the European Parliament and several EU Member States following the reported mass collection of such data by the U.S. National Security Agency, had criticized the level of protection offered by the existing Safe Harbor system.

The criticism also forms the crux of an on-going legal challenge against the Safe Harbor scheme by Austrian privacy activist Maximilian Schrems.  His case is currently pending before the Court of Justice of the EU (as recently reported by InsidePrivacy here).

FTC Announces First Consent Order With a Retail Tracking Company

Posted in Federal Trade Commission

The Federal Trade Commission (“FTC”) today announced that it has entered into a proposed consent order with Nomi Technologies (“Nomi”), marking the agency’s first action against a retail tracking company.  The announcement comes one year after the agency held a workshop on mobile device tracking in the retail environment.  Although the action may indicate increased interest in retail tracking, the FTC did not focus on the unique aspects of that technology but instead focused on a single statement in Nomi’s privacy policy that the FTC claimed was material and deceptive.  Notably, two of the FTC’s five commissioners disagreed and dissented from the action.


Article 29 Working Party Clarifies “Health Data” in the Wellbeing App Context

Posted in European Union

The Article 29 Working Party has published a letter (with Annex) to the European Commission, clarifying the scope of the key legal term “health data” in relation to lifestyle and wellbeing apps.


House Committees Approve Information Sharing and Data Breach Notice Bills, Setting Stage for Floor Vote

Posted in Congress, Cybersecurity, Data Breaches, Data Security, United States

Earlier this week, an information-sharing bill and a data breach bill passed through committee votes in the House, setting the stage for potentially significant legislative action on key cybersecurity issues in the near future.  On Tuesday, the House Homeland Security Committee approved the National Cybersecurity Protection Advancement Act by a unanimous voice vote, following a markup session featuring debates over amendments regarding the bill’s liability protections and the possibility of a sunset provision.  Yesterday, the House Energy & Commerce Committee held a markup session for the Data Security and Breach Notification Act, eventually approving the bill by a party-line vote of 29-20.  Although the information-sharing bill is scheduled to head to the House floor for a vote next week, representatives from both parties stated that the data breach bill may need additional changes before it is brought before the full House for a vote.

The information-sharing bill, one of two recently passed out of committees in the House, would create liability protections for companies that share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center.  During a markup session on Monday, the representatives agreed to an amendment from Rep. John Ratcliffe (R-Texas) to prevent information shared under the bill from being used for “engag[ing] in surveillance or other collection activities for the purpose of tracking an individual’s personally identifiable information.”  The amendment was intended as a nod to privacy advocates who have raised concerns that the bill would create an additional source of information for the National Security Agency’s intelligence programs.  The committee rejected a proposed amendment from Rep. Cedric Richmond (D-Louisiana) that would have removed the bill’s liability protections for entities that receive cyber threat information but fail to act on it, as other representatives noted that the bill needed broad liability protections to incentivize sharing.  However, the committee did pass an amendment that removed the phrase “in good faith” from the bill’s liability protection language out of concern over the term’s ambiguity and the difficulty courts might face in interpreting it.  The removal of this language, which was present in the bill’s liability protections for sharing cyber threat indicators or defensive measures or conducting network awareness, would require these activities to be done in strict accordance with the bill’s provisions, not merely in a “good faith” attempt to comply with them.


Brazil Extends the Consultation Period on Its Draft Data Protection Law until April 30

Posted in International

In February 2015, the Brazilian government issued a draft of Brazil’s first comprehensive privacy law, the Preliminary Draft Bill for the Protection of Personal Data (the “Draft Bill”).  The Draft Bill builds on and codifies certain concepts relating to the treatment of personal data already present in Brazilian constitutional, statutory and case law.

The Draft Bill proposes — for the first time — much needed definitions of “consent”, “personal data”, “sensitive personal data”, and other key terms, and a framework of individuals’ rights regarding the use of their data (e.g., rights of access, correction, objection, etc.), as well as exceptions to such rights.  It also requires that processing of personal data terminate when the original purpose for which the data was collected is achieved or if the data is no longer necessary.  Licensors and licensees (or as more commonly known under EU privacy law — “controllers” and “processors”) of personal data will be jointly liable for damage caused by the processing of personal data.  The Draft Bill also introduces rules relating to intra-company and international data transfers, and only permits the processing of data transferred to Brazil from other jurisdictions, where the relevant consent requirements (if any) of the country of origin are satisfied.  It remains to be seen how companies will comply with this unusual requirement in practice (if the Draft Bill is adopted in its current form).  There are also provisions that would require companies processing personal data, among other obligations, to adopt appropriate information security measures, to immediately notify competent authorities of data breaches, and to appoint a dedicated privacy officer, depending on the size of the relevant entity and the volume of personal data it processes.

The Draft Bill introduces a range of administrative sanctions, including fines, publication of the relevant violations, and suspension or prohibition of data processing operations for up to ten years.  Individuals will also be able to claim compensation for material and moral damages caused by the processing of their personal information.

The consultation on the law and comment period was recently extended until April 30, 2015.

Court Grants Summary Judgment on VPPA Claims Against Hulu Based on Lack of ‘Knowing’ Disclosure

Posted in United States

On Tuesday, March 31, the U.S. District Court for the Northern District of California granted Hulu’s motion for summary judgment in a complaint alleging that Hulu had violated the Video Privacy Protection Act (VPPA) by sharing user information with Facebook.  In granting summary judgment, the court found no genuine issue of material fact regarding whether Hulu “knowingly” disclosed video viewing information connected to individual Hulu users to Facebook, a required element for VPPA liability.  While the court’s holding may be too fact-bound to have widespread impact on other VPPA cases, it does highlight the important role of the VPPA’s knowledge requirement in determining liability under the statute.


Danielle Citron Discusses Legal Remedies for Online Harassment

Posted in United States

At a talk today with members of Covington’s Privacy and Data Security Group, Danielle Citron highlighted the need for more remedies for victims of online harassment, including women harassed by so-called revenge pornography.

Citron, a professor at the University of Maryland School of Law, focuses on information privacy law and is the author of Hate Crimes in Cyberspace.  Her book argues that online harassment of women is a civil rights issue, a position made more compelling in light of the recent online assaults on women in the Gamergate and iCloud photograph hacking scandals.

Citron grouped online harassment into four different models: (1) using the internet to terrorize a victim, such as by cyberstalking, (2) using the internet to destroy a victim’s reputation, such as by defamatory postings, (3) using technology to invade a victim’s privacy, such as by posting private materials and (4) using technology to essentially shove a victim offline, such as by cyberattacks.


Google Loses Administrative Appeal Against Hamburg Decision Concerning Its Practice of Cross-Service Data Combination

Posted in International

Pursuant to a press release of April 8, 2014, the Hamburg data protection authority (the “Hamburg DPA”) essentially upheld its order of September 2014, in which it found that certain of Google’s data processing operations explained in its 2012 privacy policy violated German data protection law. More specifically, the Hamburg DPA established that Google’s practice of combining personal data across all its services to create “meaningful and nearly comprehensive” personality profiles, without users’ express, informed and valid consent and without allowing users to effectively exercise their right to object, was in breach of several German law provisions. Consequently, the Hamburg DPA ordered Google to implement several measures that would enable users to better control the use of their personal data and the combination of data for profiling purposes. The order set out various processing operations, including the combination of data across different services and of different types of data, for which Google must obtain consent. The order also specified the point in time when such consent should be obtained (e.g., prior to registration) and how it should be obtained, i.e., essentially through affirmative action after prior specific notice, with the possibility to revoke consent at any time. Moreover, Google had to implement a number of measures to ensure respect for the right to object. The Hamburg DPA did not impose a fine on Google, but set a deadline within which to comply, subject to a monetary penalty in case of failure to comply.

Google challenged the order by means of an administrative appeal, which had suspensive effect. Today, the Hamburg DPA rejected the appeal after several months of deliberation and upheld the order, subject only to slight modifications.

The case is noteworthy for several reasons:

  • The Hamburg DPA held that the US company Google Inc was subject to German data protection law, applying the criteria for the applicable-law rules established by the Court of Justice of the EU in its famous Google Spain ruling (for a summary of that ruling, see here).
  • The Hamburg DPA’s order is an example of the increased efforts of European data protection authorities to show their teeth and to enforce data protection law against non-EU companies.
  • The Hamburg DPA’s order sets rather high standards (specific affirmative consent) for various data combination scenarios which, if applied broadly, could have repercussions for the use of big data analytics.

It is now up to Google to implement the Hamburg DPA order or to bring the case before the administrative court, which it can do within one month. Pursuant to the press release, Google has apparently signaled that it intends to make substantial changes to its services to meet the data protection law requirements and reportedly presented its plans at the end of March to the Google Task Force set up by the Article 29 Working Party. It remains to be seen whether this is really the end of the Google saga in Germany.