On November 25, 2014, the Article 29 Working Party agreed guidelines for data protection authorities seeking to apply the Court of Justice of the European Union (CJEU) ruling reached earlier this year against Google, which has become known as the right to be forgotten or “RTBF” ruling. The full guidelines have not yet been published, but the Working Party has now released a short statement that already addresses some important issues.
The Working Party guidelines are not legally binding, but will influence enforcement decisions made by Europe’s data protection authorities.
These clarifications are written for data protection authorities, but will also help Google and other search engines understand the requirements set out in the CJEU judgment in better detail; we’ll provide more information in a later blog post when the full guidance is released.
Last week, TRUSTe, Inc. (“TRUSTe”) settled Federal Trade Commission (“FTC”) charges that it misrepresented its certification programs and non-profit status to consumers. TRUSTe offers clients Certified Privacy Seals, representing to consumers that the website, software, data processing service, or mobile application is compliant with the relevant TRUSTe program. These programs include specifications related to transparency of company practices, verification of privacy practices, and consumer choice regarding the collection and use of consumer personal information.
The FTC’s complaint alleges that TRUSTe represents that it annually recertifies all companies displaying the Certified Privacy Seal to ensure ongoing compliance with the program requirements; however, from 2006 until January 2013, TRUSTe did not do so in over 1,000 instances. According to the complaint, prior to its transition to a for-profit entity in July 2008, TRUSTe required its clients’ privacy policies to include a statement that “TRUSTe is an independent, non-profit organization.” The FTC also alleges that TRUSTe recertified clients who failed to update references to the company’s for-profit status.
Covington’s London office will be hosting a breakfast seminar for clients on ‘Mitigating Information Loss in the Healthcare Industry: the Insider Threat’ with The Chertoff Group on Wednesday, December 10.
Earlier this week, U.S. District Court Judge Esther Salas directed the Federal Trade Commission (“FTC”) and Wyndham Hotels and Resorts to seek mediation to resolve their landmark dispute over whether the FTC has the authority to regulate companies’ data-security practices. As we’ve previously reported, the FTC alleged that Wyndham violated Section 5 of the FTC Act’s prohibition against “unfair practices” by failing to provide “reasonable” security for the personal information of its customers. Although the FTC has settled complaints relying on this broad interpretation of its unfairness authority, this case was closely watched because it was the first time a court had the opportunity to weigh in on the scope of that authority in the privacy and data-security context.
Although not necessarily unprecedented, the mediation order has been cited by some as unusual because the case presents a legal question underpinning a major enforcement and policy priority for the FTC. To the extent, however, that parties traditionally are required to mediate in order to “conserve [judicial] resources,” as was stated in Judge Salas’s order, mediation may help narrow or further focus the dispute.
Following Judge Salas’s earlier denial of Wyndham’s motion to dismiss, in which she rejected each of Wyndham’s challenges to the FTC’s authority, the U.S. Court of Appeals for the Third Circuit agreed to consider the issue on interlocutory review. Therefore, while the order for mediation stays the proceedings in district court, the legal question at issue remains pending before the circuit court.
Researchers at Carnegie Mellon University have designed a website that doles out grades to Android apps based on their privacy practices. The website, privacygrade.org, assigns grades based on a model that measures the gap between people’s expectations of an app’s behavior and how the app actually behaves. The grades range from A+, representing no privacy concerns, to D, representing many concerns.
To determine its grades, the Carnegie Mellon model relies on both static analysis and crowdsourcing. In the static analysis component, Carnegie Mellon’s software analyzes what data an app uses, why it uses such data, and how that data is used. For example, the software assessed whether an app used location data, whether that location data was used to provide location features (such as a map app), or whether that location data was used to provide the user with targeted advertising (or for other purposes). In the crowdsourcing component, Carnegie Mellon solicited user privacy expectations for certain apps. For example, researchers asked whether users were comfortable with or expected a certain app to collect geolocation information. Where an app collected certain information and users were surprised by that collection, the surprise was represented in the model as a penalty to the app’s overall privacy grade.
By Randall Friedland
Yesterday, the USA Freedom Act (S. 2685), a bill aimed at curbing the National Security Agency’s (“NSA”) data collection practices, fell two votes short of the 60 votes necessary for cloture in the Senate. The bill was largely blocked by Senate Republicans who expressed concern that the legislation would harm the government’s ability to fight terrorism. Referring to the ongoing terrorist efforts in Iraq and Syria, Senator McConnell commented that it was “the worst possible time to be tying our hands behind our backs.” This is a similar argument that was advanced by Michael Hayden (former director of the CIA and the NSA) and Michael Mukasey (former attorney general) in an op-ed published on Monday in advance of the vote. Senator Leahy, the sponsor of the bill, expressed dismay over the block, stating that “fomenting fear stifles serious debate and constructive solutions.”
This issue will not disappear for long, however, because the NSA’s data collection authority will expire on June 20 of next year if it is not reauthorized in some manner. Notably, the USA Freedom Act has the support of the Obama administration and a coalition of technology companies including Apple, Google, Microsoft, and Yahoo.
By Phil Bradley-Schmieg
The UK Information Commissioner’s Office (ICO) has launched an informal survey of current practices relating to the use of data-enabled medical devices and apps.
The short and anonymous survey explores whether organisations have put in place specific policies and procedures, asset registers, IT security requirements for medical device procurement policies, information governance and incident response processes, and an “end of life” policy for defunct/decommissioned devices.
It also asks high-level questions about the technology being used, such as whether the devices can connect to the Internet, and about the use of medical apps, mobile phones, tablets and dictaphones.
Earlier this week, the FTC notified Verizon by letter that it has closed its investigation into whether Verizon violated Section 5 of the FTC Act by failing to secure certain routers supplied to the company’s broadband subscribers. The FTC’s investigation centered on Verizon’s practice of supplying routers that incorporated an outdated default security setting, an encryption standard known as Wired Equivalent Privacy (“WEP”). According to the FTC, flaws in WEP were identified by researchers in 2004, but Verizon continued until recently to ship some WEP router models. According to the FTC, this left some Verizon subscribers vulnerable to hackers.
In its letter, the FTC explained that the following factors led it to close its investigation:
- Verizon’s overall data-security practices related to its routers.
- Verizon’s efforts to mitigate the risk that subscribers using WEP-model routers would be vulnerable to hackers, including:
- removing the WEP-model routers from distribution centers and setting them to Wi-Fi Protected Access 2 (“WPA2”), ensuring that routers distributed in the future would be set by default to WPA2;
- implementing an outreach campaign to subscribers currently using WEP or no encryption, and requesting that those subscribers change their security settings to WPA2; and
- offering upgrades to WPA2-compatible units for subscribers in possession of older, incompatible routers.
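As an added example (not from the FTC letter or from Verizon), this is the kind of fleet check a provider can run over the default configurations it ships: it parses hostapd-style config fragments and flags any model whose default is still WEP or no encryption, mapping each finding to a remediation step like those listed above. The configuration keys are hostapd's own; the model names and the four sample configs are constructed for illustration.

```python
# Constructed sample of per-model default AP configs in hostapd.conf syntax.
SAMPLE_CONFIGS = {
    "legacy-model": "ssid=HomeNet\nauth_algs=1\nwep_default_key=0\nwep_key0=0123456789\n",
    "open-model": "ssid=HomeNet\nauth_algs=1\n",
    "current-model": "ssid=HomeNet\nwpa=2\nwpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\n",
    "mixed-model": "ssid=HomeNet\nwpa=3\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP\nrsn_pairwise=CCMP\n",
}

def parse_hostapd(text):
    """Parse key=value lines of a hostapd.conf fragment, skipping comments and blanks."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def classify_security(cfg):
    """Return the effective wireless security mode implied by the config keys."""
    wpa = cfg.get("wpa", "0")          # hostapd: 0=none, 1=WPA, 2=WPA2/RSN, 3=both
    if wpa == "3":
        return "WPA/WPA2-mixed"
    if wpa == "2":
        # rsn_pairwise falls back to wpa_pairwise when unset; WPA2 is only
        # counted as acceptable when CCMP is the sole pairwise cipher.
        ciphers = cfg.get("rsn_pairwise", cfg.get("wpa_pairwise", "TKIP CCMP")).split()
        return "WPA2" if ciphers == ["CCMP"] else "WPA2-TKIP"
    if wpa == "1":
        return "WPA"
    if any(k.startswith("wep_key") for k in cfg):   # wep_key0..wep_key3 present
        return "WEP"
    return "OPEN"

def audit(configs):
    """Map model name -> (mode, action); actions mirror the remediation steps above."""
    findings = {}
    for model, text in configs.items():
        mode = classify_security(parse_hostapd(text))
        if mode == "WPA2":
            action = "ok"
        elif mode in ("WEP", "OPEN"):
            action = "pull from distribution, set default to WPA2, notify subscribers"
        else:
            action = "move default to WPA2-only (CCMP)"
        findings[model] = (mode, action)
    return findings
```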
The Ninth Circuit recently issued two opinions addressing whether companies should require customers to explicitly agree to key provisions of user terms and other policies.
On Monday, a unanimous three-judge panel issued an opinion in Knutson v. Sirius XM Radio. In this case, the plaintiff purchased a Toyota that included a trial subscription to Sirius. About a month after his trial subscription began, he received a Welcome Kit that included a customer agreement with an arbitration clause.
When Republicans take over the Senate in January, new leaders will control key committees that oversee privacy and data security issues, and their priorities will differ significantly from those of their predecessors. Privacy issues, however, generally tend not to break neatly along party lines and there will remain bipartisan support – and bipartisan opposition – to most initiatives.
But you shouldn’t expect an immediate sea-change in privacy laws, leaders of Covington’s privacy and data security practice said on a post-election conference call on Monday. Although Republicans will have a majority of votes in the Senate next year, they will be short of the 60 votes necessary to bring a bill to the floor. That said, the Republicans will control the agenda.
Below are 10 of the key privacy and data security trends to watch in the next Congress, as identified on the conference call by Covington’s Aaron Cooper, David Fagan, Lindsey Tonsager, Gerry Waldron, and Kurt Wimmer: