
Inside Privacy

Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

Ninth Circuit Hears FTC’s Throttling Case Against AT&T

Posted in Uncategorized

Earlier this week, the Ninth Circuit heard oral argument in AT&T’s appeal of a lower court decision not to dismiss the Federal Trade Commission’s (FTC’s) complaint alleging that AT&T misled consumers by limiting its “unlimited” data plan for mobile customers.

As we previously reported, in October 2014 the FTC filed a complaint alleging that AT&T engaged in unfair and deceptive conduct in violation of Section 5 of the FTC Act when it “throttled” mobile broadband subscribers who were “grandfathered” into the company’s unlimited mobile data plan.  AT&T filed a Motion to Dismiss arguing that it is a common carrier subject to the Communications Act and thus exempt from Section 5 of the FTC Act.  That Motion was denied by the lower court, which held that the common carrier exception applies only when the entity both has the status of a common carrier and is engaging in common carriage activity.  The court also held that the Federal Communications Commission’s recent Open Internet Order, which prospectively reclassified mobile data service from a non-common carrier service to a common carrier service, does not remove the FTC’s jurisdiction over AT&T’s past alleged misconduct.  It was this lower court denial of the Motion to Dismiss that AT&T appealed to the Ninth Circuit.

FTC Hosts Cross-Device Tracking Workshop

Posted in Advertising & Marketing, Federal Trade Commission

The FTC’s cross-device tracking workshop on Monday focused on the benefits and challenges of cross-device tracking.  FTC Chairwoman Edith Ramirez emphasized that regardless of the specific technology employed, companies should continue working to address issues of transparency, notice, and choice in this area.  She also highlighted the self-regulatory efforts of the advertising industry on cross-device tracking, including the Digital Advertising Alliance (“DAA”) and the Network Advertising Initiative (“NAI”), both of which were represented on workshop panels.

The first panel, moderated by FTC Chief Technologist Ashkan Soltani, provided a technological perspective on cross-device tracking.  Panelists addressed the benefits of cross-device tracking to consumers, content providers, and advertisers, as well as the primary technical risks and techniques to avoid them.  The second panel, moderated by FTC attorney Megan Cox, provided a policy perspective on cross-device tracking.  Panelists discussed the need for increased consumer transparency and control over cross-device tracking, in addition to steps the advertising industry is already taking in this regard.  The DAA’s cross-device tracking guidance, the release of which coincided with the workshop, was also addressed by the panelists.

Maneesha Mithal, the Associate Director of the FTC’s Division of Privacy and Identity Protection, summarized the “five main takeaways” from the workshop as follows: (1) the benefits of cross-device tracking, including maintaining state, frequency capping, and seamless user experiences across devices; (2) the need to provide greater transparency, choices, and education for consumers; (3) the need to consider the consumer experience; (4) that there is room for industry innovation in this space; and (5) that companies should be mindful of their representations in this space and adhere to those representations.  The public comment period closes on December 16, 2015.

Administrative Law Judge Dismisses FTC’s LabMD Complaint, Finding Insufficient Evidence of “Substantial Injury” to Consumers

Posted in Federal Trade Commission

On Friday, November 13, Federal Trade Commission (FTC) Chief Administrative Law Judge Chappell issued an Initial Decision dismissing the FTC’s complaint against LabMD, on the ground that the Commission’s staff had failed to carry its burden of demonstrating a “likely substantial injury” to consumers resulting from LabMD’s allegedly “unfair” data security practices.  While Judge Chappell’s decision represents a victory for LabMD as the first company to successfully challenge an FTC Section 5 data security enforcement proceeding, the ruling may prove short-lived, as staff likely will appeal the case to the full Commission, which will review the decision de novo.  Nevertheless, the Commission’s eventual handling of this proceeding could articulate a more precise standard for likely substantial injury that could guide future Section 5 “unfairness” jurisprudence.

Third Circuit Resurrects State Law Claims Against Google in Safari Cookie Tracking Lawsuit

Posted in Litigation

Last week, the Third Circuit revived a multi-district privacy lawsuit against Google, finding that the trial court erred in dismissing the plaintiffs’ privacy claims under California state law.  The case centers on the plaintiffs’ allegations that Google violated state and federal law by circumventing the Safari browser’s default “cookie blocker” settings to track users’ online activity while publicly professing to respect users’ Safari browser settings.  While the Third Circuit affirmed the trial court’s dismissal of federal claims under the Wiretap Act, the Stored Communications Act (SCA), and the Computer Fraud and Abuse Act (CFAA), the court vacated the district court’s dismissal of the plaintiffs’ claims under California tort law and the California constitution’s right to privacy.

The plaintiffs’ claims originated from a 2012 Wall Street Journal article describing a researcher’s findings that Google, despite the Safari browser’s default settings intended to block tracking cookies, had used methods to circumvent these settings and track Safari users’ Internet browsing habits via tracking cookies.  At the same time, the plaintiffs alleged, Google made a series of public statements, including statements within its privacy policy, indicating that it respected the Safari browser’s cookie-blocking settings.  Google subsequently entered into settlements with the Department of Justice and a consortium of state attorneys general over its practices.  Twenty-four plaintiffs also filed putative class action suits against Google and third-party advertisers, alleging violations of federal and state privacy law.  The suits were consolidated into the instant litigation in the District of Delaware, and in October 2013, the district court dismissed the complaint in its entirety, finding that the plaintiffs had failed to state a claim.


NLRB Says Employer Can Use GPS Device to Track Employees

Posted in Uncategorized

Earlier this year, a woman sued her former employer for invasion of privacy and retaliation, claiming that she was fired after refusing to use a GPS tracking app that her employer required to be run at all times on her company-issued mobile device, even outside of work hours.  That case appears to have been settled out of court.  In another case, however, the National Labor Relations Board (“NLRB”) recently found that, at least in circumstances involving investigations of misconduct, employers may be entitled to track employee movements.  Specifically, the NLRB’s Division of Advice determined last month that an employer’s use of GPS tracking to monitor a unionized employee under investigation for misconduct did not constitute a “material, substantial, and significant” change in employees’ terms and conditions of employment.  Accordingly, the NLRB concluded that the employer had no obligation to bargain over the installation and use of the GPS device.

FCC Says It Will Not Require Websites to Honor ‘Do Not Track’

Posted in Federal Communications Commission, United States

Last Friday, the Federal Communications Commission (“FCC”) rejected a petition from consumer advocates asking the FCC to extend its Open Internet Order by requiring edge providers such as Facebook and Amazon to follow the privacy regulations of Section 222 of the Communications Act and to honor “Do Not Track” requests from consumers.  The FCC held in its Open Internet Order that it would apply Section 222 only to broadband Internet access providers that provide Internet services to end users, and not to edge providers.  The petition argued that consumers are just as concerned about online tracking by edge providers, and therefore the FCC should impose some rules on edge providers regulating the collection of personal information.

In summarily dismissing the petition without seeking comment on it, the FCC stated that it “has been unequivocal in declaring that it has no intent to regulate edge providers.”  The FCC also reiterated that, earlier this year when it adopted the Open Internet Order, it held that the move to reclassify broadband Internet access service as a telecommunications service under Title II of the Communications Act “was not ‘regulating the Internet, per se, or any Internet applications or content.’”  Rather, the reclassification involved only the transmission component of Internet access service, and therefore did not include edge providers.  The FCC concluded that the petition was “inconsistent with the Commission’s articulation of the effect of its reclassification of [broadband Internet access service] and the scope of the privacy practices it stated that it intends to address pursuant to that reclassification.”

A Closer Look at CISA’s Cybersecurity Information-Sharing Provisions

Posted in Congress, Cybersecurity

As we reported on October 27, the U.S. Senate passed the Cybersecurity Information Sharing Act (“CISA,” S. 754).  If enacted into law, CISA would, among other things, establish a voluntary framework for the sharing of cybersecurity threat information between and among the federal government and private entities.  CISA must now be reconciled with two similar bills that the House passed in April before it can be sent to the President and enacted into law.  According to CISA’s co-sponsor Sen. Richard Burr (R-NC), a conference version of CISA will not be available for review until January 2016, at the earliest.  Below is a deeper explanation of CISA’s four Titles and how they purport to improve cybersecurity.


Cox Communications to Pay $595,000 in Data Breach Settlement

Posted in Data Breaches, Data Security, Federal Communications Commission, United States

By Hannah Lepow

Yesterday the FCC announced that it has entered into a $595,000 settlement agreement with Cox Communications to resolve an investigation into whether the company failed to protect its customers’ personal information when it suffered a data breach in 2014.  This is the first privacy and data security enforcement action the FCC Enforcement Bureau has brought against a cable operator.

The Enforcement Bureau’s investigation found that Cox’s electronic data systems were breached in August 2014 by a hacker pretending to be from Cox’s IT department, who convinced a Cox customer service representative and a Cox contractor to enter their account IDs and passwords into a phishing website.  Using those credentials, the hacker gained access to data including cable customer names, addresses, email addresses, and partial Social Security and driver’s license numbers, as well as telephone customers’ Customer Proprietary Network Information (CPNI).  The hacker, a member of the “Lizard Squad” hacker group, posted some of this personal information on social media sites, changed customer account passwords, and shared the compromised account credentials with another alleged member of the Lizard Squad.

The Enforcement Bureau found that Cox’s data security systems at the time of the breach did not include several measures that might have prevented the use of compromised credentials to access personal data.  Cox also did not report the breach through the FCC’s CPNI data breach portal, as required for breaches of CPNI.

In addition to the $595,000 civil penalty, the settlement also requires Cox to adopt a comprehensive compliance plan that the FCC will monitor for the next seven years.  Under this plan, Cox will be required to establish an information security program that includes annual system audits, internal threat monitoring, penetration testing, and additional breach notification systems and processes to protect customers’ personal information and CPNI.  Cox also will identify affected customers, notify them of the breach, and provide them with one year of free credit monitoring.

European Commission issues guidance on the impact of the Schrems (Safe Harbor) ruling of the EU’s Highest Court

Posted in European Union, International

By Monika Kuschewsky and Vera Coughlan

Following the judgment of the Court of Justice of the EU of October 6 in the Schrems case (Case C-362/14) (see our previous blog post), today the European Commission issued guidance on transfers of personal data from the EU to the U.S. post-Schrems, in the form of a press release, a set of Q&As and a Commission Communication.

By and large, the guidance confirms the status quo and summarizes existing guidance of the Article 29 Data Protection Working Party (“WP29”), the EU advisory body on privacy comprised of representatives of the national data protection authorities (“DPAs”), the European Data Protection Supervisor and the Commission, including the WP29’s statement of October 16 (see our previous blog post).  Most notably, the Commission joins the WP29 in the position that alternative tools authorizing data flows, such as standard contractual clauses and binding corporate rules, can still be used by companies for lawful data transfers to third countries, including to the U.S.  The Commission then explains each of these alternative tools in more detail.

Trans-Pacific Partnership Trade Agreement May Authorize Cross-Border Data Flows

Posted in International

The text of the Trans-Pacific Partnership (“TPP”) agreement was released to the public for the first time today.  The TPP has yet to be ratified by the twelve Pacific Rim nations that negotiated the agreement, including the United States, where it has encountered opposition in Congress.  The nations that participated in the negotiations for the agreement are Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, the United States, and Vietnam.

Article 14.11 of the Electronic Commerce chapter of the agreement relates to “Cross-Border Transfer of Information by Electronic Means.”  Paragraph 2 states: “Each Party shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person.”  The definition of “covered person” in Article 14.1 excludes financial institutions, but otherwise applies to any national or enterprise of a party to the agreement.

Arguably, this provision obligates TPP signatories to permit cross-border data flows, although this requirement is subject to a fairly broad exception in the next paragraph.  Paragraph 3 states:

Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraph 2 to achieve a legitimate public policy objective, provided that the measure:

(a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and

(b) does not impose restrictions on transfers of information greater than are required to achieve the objective.

Thus, it appears that signatories would still be free to restrict cross-border data flows as long as the restriction reasonably relates to a “legitimate public policy objective” and is not applied in an arbitrary or discriminatory manner.