On Friday, March 27, 2015, the Federal Trade Commission and Wyndham Worldwide Corp. filed supplemental briefing in the Third Circuit regarding whether the FTC had made an adjudicative decision that the FTC Act prohibits unreasonable cybersecurity practices and, if not, whether a federal court could hear a case charging a violation of the FTC Act if the FTC has not yet made such an adjudicative decision.
Recall that, in FTC v. Wyndham Worldwide Corp. et al., the FTC has alleged that Wyndham violated the FTC Act’s prohibition against “unfair practices” by failing to reasonably secure its customers’ personal information. Unsurprisingly, the parties held diametrically opposed views on whether the FTC had declared unreasonable cybersecurity practices unfair through the procedures of the FTC Act. The FTC began by arguing that it had done so through the issuance of an interlocutory decision in LabMD. Wyndham countered, noting that the interlocutory decision denying a motion to dismiss in LabMD was not final, and therefore could not amount to a formal declaration about the meaning of unfairness.
Next, the FTC argued that it had declared unreasonable cybersecurity practices unfair through the issuance of more than 20 complaints charging as much. The FTC argued that “complaints are akin to policy statements or interpretive rulings,” which litigants and the courts may resort to for guidance, and that the FTC’s issuance of more than 20 complaints charging that deficient data security practices are unfair was therefore sufficient to satisfy any requirement that the FTC have declared unreasonable cybersecurity practices unfair through procedures of the FTC Act. It is worth noting that, in making this argument, the FTC cited a 2014 Third Circuit case which stated that courts and litigants may look to agency policy statements and interpretive rules for guidance. However, the same case also noted that such statements “do not have the force of law,” raising the question of whether they could be considered adjudicative decisions. Wyndham highlighted this point, arguing that because complaints and consent decrees do not adjudicate the legality of any action by a party thereto, they cannot constitute a declaration of law on any issue, including that unreasonable cybersecurity practices are unfair. “Try as it might,” Wyndham said, “the Commission cannot transform complaints and consent decrees into rules and adjudications.”
Finally, the FTC argued that it had declared unreasonable cybersecurity practices unfair through the giving of Congressional testimony stating that the FTC deemed inadequate data security to be a potentially unfair practice. This possibility was not addressed by Wyndham.
The above dispute aside, both parties agreed that the Third Circuit need not decide the issue of whether the case is a “proper case” within the meaning of Section 13(b) of the FTC Act and therefore appropriately before the federal court. Both parties noted that neither had raised the issue and that, in any event, resolution of the issue was not necessary to establish jurisdiction, as the federal courts independently have jurisdiction over the case pursuant to 28 U.S.C. §§ 1331, 1337, and 1345. The parties also both noted that many courts have held that a “proper case” is any case that the Commission chooses to bring directly in court for violation of an FTC-enforced statute and that, were the Third Circuit to hold otherwise, it would create a circuit conflict.
The Federal Communications Commission will hold a workshop on April 28 to explore its role in protecting the privacy of broadband Internet access users.
The Commission’s recent net neutrality order applied certain privacy requirements to broadband access providers, including Section 222 of the Communications Act. That statute requires telecommunications carriers to protect the confidentiality of customer information and restricts their ability to use, disclose or permit access to customers’ individually identifiable customer proprietary network information (“CPNI”). While the Commission applied the statute to broadband providers, it did not apply its rules implementing the statute to broadband providers. Those rules were not “well suited to broadband Internet access service,” the order said. It chose to forbear from applying the rules because they “focus on addressing problems that historically arise regarding voice service,” the order said.
The April workshop could be the first step toward creating new rules for how broadband providers handle CPNI. The workshop will start at 10 a.m. at the FCC’s headquarters in Washington D.C. and will be led by staff. The Commission will also provide audio and video coverage of the workshop on the FCC’s web site, at www.fcc.gov/live. In its statement announcing the workshop, the Commission suggested it would also address the extent to which the Commission can apply a “harmonized privacy framework across various services.”
By Dan Cooper and Phil Bradley-Schmieg
On March 27, 2015, the England and Wales Court of Appeal (EWCA) handed down a historic judgment in Google Inc v. Vidal-Hall & Ors EWCA Civ 311, with significant consequences for organizations handling personal data in, or from, the UK.
This case was brought against Google Inc. by three users of Apple’s Safari web browser. They argued that over a period of nine months, Google’s DoubleClick and AdSense services secretly tracked their visits to all websites that used Google AdSense to serve advertising, contrary to Google’s public assurances that users who maintained Safari’s default privacy settings would not be tracked or profiled by DoubleClick, or receive personalized advertising. This, they alleged, allowed Google to wrongfully build up a detailed picture of their browsing history from which it could deduce their interests and personal characteristics, and thus serve personalized adverts. Similar cases have been brought against Google in the United States, leading to a US$22.5 million U.S. Federal Trade Commission fine and a US$17 million settlement with state attorneys general.
In an effort to improve international privacy rights, the United Nations Human Rights Council yesterday established a special rapporteur on the right to privacy. Special rapporteurs are expert individuals appointed with specific mandates to investigate, monitor, and report on particular human rights concerns that range from access to water to extrajudicial killings. Yesterday’s Resolution on the Right to Privacy in the Digital Age therefore would elevate privacy to a human rights issue, a step met with great approval from privacy advocates such as the Electronic Frontier Foundation and the Center for Democracy and Technology, who respectively praised the initiative as “giv[ing] the right to privacy the international recognition and protection it deserves” and “strongly reaffirm[ing] that privacy is a core part of human freedom.”
Brazil and Germany introduced the resolution, which states in part a deep concern “at the negative impact that surveillance and/or interception of communications, including extraterritorial surveillance and/or interception of communications, as well as the collection of personal data, in particular when carried out on a mass scale, may have on the exercise and enjoyment of human rights.” The United States, speaking in an explanation of the vote, said that, “The establishment of a mandate on privacy rights came at a crucial time,” and further, “The term digital age was not limited to any particular technology nor did it limit the work of the Special Rapporteur to technology-based infringements on privacy rights.”
The special rapporteur will serve for a period of three years and will make annual presentations to the General Assembly committee.
By Dan Cooper and Phil Bradley-Schmieg
On March 24, 2015, the Court of Justice of the EU (CJEU) heard arguments in Case C-362/14 (Schrems). The High Court of Ireland has asked the CJEU whether Ireland’s data protection authority (DPA) — and by extension other EU DPAs — is bound by the Commission’s adequacy decision (Decision 520/2000/EC) with respect to the EU-US Safe Harbor framework, or whether the authority may, or must, conduct an independent investigation into the adequacy of the Safe Harbor in light of subsequent factual developments (potentially prohibiting use of the framework for EU to U.S. transfers).
The impact of the case could be wide-ranging, as thousands of organizations currently rely on the Safe Harbor for transferring personal data from the EU to the U.S., rather than alternative data transfer mechanisms. Max Schrems, the applicant in the underlying Irish proceedings, argued that given recent allegations as to the freedom with which U.S. intelligence agencies can access EU-originating data from Safe Harbor companies, the Safe Harbor no longer provides adequate protection as a matter of EU law.
By Ani Gevorkian
The issues of data breach notification and data security received a fair amount of attention in the House this week: On Wednesday, the House Energy and Commerce Subcommittee on Trade approved one data breach bill, and on Thursday, Rep. Jim Langevin (D-RI), co-chairman of the House Cybersecurity Caucus, announced the release of another.
The bill approved on Wednesday—the Data Security and Breach Notification Act—is sponsored by Reps. Michael Burgess (R-TX), Marsha Blackburn (R-TN), and Peter Welch (D-VT). It would require companies to maintain reasonable security practices and inform customers within 30 days if their data might have been stolen during a breach. It would also empower the Federal Trade Commission (“FTC”) to enforce the bill’s rules.
By Ani Gevorkian
The Subcommittee on Commerce, Manufacturing, and Trade of the House Energy and Commerce Committee held a hearing on Tuesday entitled “The Internet of Things: Exploring the Next Technology Frontier.” The hearing focused on the promise that Internet of Things (“IoT”) technology holds, and on what role Congress should play in addressing the challenges IoT presents, both with regard to privacy and data security concerns and to technological concerns.
Panelists included Daniel Castro, Vice President of the Information Technology and Innovation Foundation; Brian van Harlingen, Chief Technology Officer of Belkin International, Inc.; Rose Schooler, Vice President of the IoT Group and GM of the IoT Strategy and Technology Office of Intel Corporation; and Brad Morehead, CEO of LiveWatch Security, LLC.
As we previously reported, Covington was selected from thousands of applicants to host a Privacy by Design bootcamp and workshop during last week’s South by Southwest (“SXSW”) Interactive festival, which featured five days of compelling presentations and panels from industry leaders in emerging technology. SXSW designs workshops in particular to provide in-depth, hands-on education taught by innovative leaders. To close out our coverage of SXSW, below is a workshop recap for those who couldn’t make it to Austin this year.
With the premise that businesses are eager to build privacy considerations into all phases of their activities in this new era of “big data,” our Privacy By Design Bootcamp provided a step-by-step guide to develop and integrate Privacy by Design (“PbD”) into any organization. The workshop was well-attended, with audience members representing a diversity of sectors, including tech, financial, health, data, security, and academia, allowing for informative discussion spanning several industries. The workshop started with the history of PbD and then presented examples of real-world PbD, including basic elements of an effective program. We also walked through specific steps to initiate a successful PbD program, including implementing policies and procedures and examining the data lifecycle. The outline below addresses some key topics from our Privacy by Design workshop. If you’re interested in learning more, please contact PbD Bootcamp leaders Libbie Canter and Meena Harris.
As part of our continuing coverage of the Congressional Privacy Bill, we provide below a deeper examination and explanation of Title II of the bill, the Do Not Track Kids Act of 2015. The Do Not Track Kids Act of 2015 amends the Children’s Online Privacy Protection Act (“COPPA”) by making its protections more expansive and robust. Specifically, the bill extends COPPA’s protections to teenagers, expands the scope of the entities subject to COPPA’s provisions, and imposes new obligations on those entities.
COPPA currently requires websites and online services that knowingly collect information from children under the age of 13 or that are targeted toward children under the age of 13 to make certain disclosures and obtain parental consent before collecting and using personally identifiable information obtained from children.
Next Tuesday, March 24 at 11 a.m., the House Energy and Commerce Committee’s Subcommittee on Commerce, Manufacturing, and Trade will host a hearing entitled “The Internet of Things: Exploring the Next Technology Frontier.” The hearing will follow an Internet of Things (“IoT”) showcase featuring Internet-connected products manufactured in members’ districts.
Congress already has begun taking a deep dive this year into examining IoT developments. In February, the Senate Committee on Commerce, Science, and Transportation held its own IoT hearing, and in January, Congresswoman Suzan DelBene (D-WA) and Congressman Darrell Issa (R-CA) announced the launch of the Congressional Caucus on IoT. (As we reported, Reps. DelBene and Issa joined together most recently for a SXSW panel to talk about their support for legislation to reform the Electronic Communications Privacy Act.)
Witnesses for next Tuesday’s hearing have not yet been announced. Stay tuned for further coverage of the event from InsidePrivacy.