Earlier this week, an information-sharing bill and a data breach bill passed through committee votes in the House, setting the stage for potentially significant legislative action on key cybersecurity issues in the near future. On Tuesday, the House Homeland Security Committee approved the National Cybersecurity Protection Advancement Act by a unanimous voice vote, following a markup session featuring debates over amendments regarding the bill’s liability protections and the possibility of a sunset provision. Yesterday, the House Energy & Commerce Committee held a markup session for the Data Security and Breach Notification Act, eventually approving the bill by a party-line vote of 29-20. Although the information-sharing bill is scheduled to head to the House floor for a vote next week, representatives from both parties stated that the data breach bill may need additional changes before it is brought before the full House for a vote.
The information-sharing bill, one of two recently passed out of committees in the House, would create liability protections for companies that share cyber threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center. During a markup session on Monday, the representatives agreed to an amendment from Rep. John Ratcliffe (R-Texas) to prevent information shared under the bill from being used for “engag[ing] in surveillance or other collection activities for the purpose of tracking an individual’s personally identifiable information.” The amendment was intended as a nod to privacy advocates who have raised concerns that the bill would create an additional source of information for the National Security Agency’s intelligence programs. The committee rejected a proposed amendment from Rep. Cedric Richmond (D-Louisiana) that would have removed the bill’s liability protections for entities that receive cyber threat information but fail to act on it, as other representatives noted that the bill needed broad liability protections to incentivize sharing. However, the committee did pass an amendment that removed the phrase “in good faith” from the bill’s liability protection language out of concern over the term’s ambiguity and the difficulty courts might face in interpreting it. The removal of this language, which was present in the bill’s liability protections for sharing cyber threat indicators or defensive measures or conducting network awareness, would require these activities to be done in strict accordance with the bill’s provisions, not merely in a “good faith” attempt to comply with them.
In February 2015, the Brazilian government issued a draft of Brazil’s first comprehensive privacy law, the Preliminary Draft Bill for the Protection of Personal Data (the “Draft Bill”). The Draft Bill builds on and codifies certain concepts relating to the treatment of personal data already present in Brazilian constitutional, statutory and case law.
The Draft Bill proposes — for the first time — much needed definitions of “consent”, “personal data”, “sensitive personal data”, and other key terms, and a framework of individuals’ rights regarding the use of their data (e.g., rights of access, correction, objection, etc.), as well as exceptions to such rights. It also requires that processing of personal data terminate when the original purpose for which the data was collected is achieved or if the data is no longer necessary. Licensors and licensees (or as more commonly known under EU privacy law — “controllers” and “processors”) of personal data will be jointly liable for damage caused by the processing of personal data. The Draft Bill also introduces rules relating to intra-company and international data transfers, and only permits the processing of data transferred to Brazil from other jurisdictions, where the relevant consent requirements (if any) of the country of origin are satisfied. It remains to be seen how companies will comply with this unusual requirement in practice (if the Draft Bill is adopted in its current form). There are also provisions that would require companies processing personal data, among other obligations, to adopt appropriate information security measures, to immediately notify competent authorities of data breaches, and to appoint a dedicated privacy officer, depending on the size of the relevant entity and the volume of personal data it processes.
The Draft Bill introduces a range of administrative sanctions, including fines, publication of the relevant violations, and suspension or prohibition of data processing operations for up to ten years. Individuals will also be able to claim damages for material and moral damages caused by the processing of their personal information.
The consultation on the law and comment period was recently extended until April 30, 2015.
On Tuesday, March 31, the U.S. District Court for the Northern District of California granted Hulu’s motion for summary judgment in a complaint alleging that Hulu had violated the Video Privacy Protection Act (VPPA) by sharing user information with Facebook. In granting summary judgment, the court found no genuine issue of material fact regarding whether Hulu “knowingly” disclosed video viewing information connected to individual Hulu users to Facebook, a required element for VPPA liability. While the court’s holding may be too fact-bound to have widespread impact on other VPPA cases, it does highlight the important role of the VPPA’s knowledge requirement in determining liability under the statute.
At a talk today with members of Covington’s Privacy and Data Security Group, Danielle Citron highlighted the need for more remedies for victims of online harassment, including women harassed by so-called revenge pornography.
Citron, a professor at the University of Maryland School of Law, focuses on information privacy law and is the author of Hate Crimes in Cyberspace. Her book argues that online harassment of women is a civil rights issue, a position made more compelling in light of the recent online assaults on women in the Gamergate and iCloud photograph hacking scandals.
Citron grouped online harassment into four different models: (1) using the internet to terrorize a victim, such as by cyberstalking, (2) using the internet to destroy a victim’s reputation, such as by defamatory postings, (3) using technology to invade a victim’s privacy, such as by posting private materials and (4) using technology to essentially shove a victim offline, such as by cyberattacks.
Google challenged the order by means of an administrative appeal, which had suspensive effect. Today, the Hamburg DPA rejected the appeal after several months of deliberation and upheld the order, subject only to slight modifications.
The case is noteworthy for several reasons:
- The Hamburg DPA held that the US company Google Inc was subject to German data protection law, applying the criteria established by the Court of Justice of the EU with respect to the applicable law rules in its famous Google Spain ruling (for a summary of that ruling, see here).
- The Hamburg DPA’s order is an example of the increased efforts of European data protection authorities to show their teeth and to enforce data protection law against non-EU companies.
- The Hamburg DPA’s order sets rather high standards (specific affirmative consent) for various data combination scenarios which, if applied broadly, could have repercussions for the use of big data analytics.
It is now in the hands of Google to implement the Hamburg DPA order or to bring the case before the administrative court, which it can do within a one-month period. According to the press release, Google has apparently signaled that it intends to make substantial changes to its services to meet the data protection law requirements and reportedly presented its plans at the end of March to the Google Task Force set up by the Article 29 Working Party. It remains to be seen whether this is really the end of the Google saga in Germany.
As we previously reported, in January AT&T filed a Motion to Dismiss the Federal Trade Commission’s (FTC’s) complaint alleging that AT&T engaged in unfair and deceptive conduct in violation of Section 5 of the FTC Act when it “throttled” mobile broadband subscribers who were “grandfathered” into the company’s unlimited mobile data plan. AT&T moved to dismiss on the basis that it is a common carrier subject to the Communications Act and thus exempt from Section 5 of the FTC Act. On March 31, a federal judge in the Northern District of California disagreed with AT&T and denied AT&T’s Motion, holding that the common carrier exception applies only when the entity both has the status of a common carrier and is engaging in common carriage activity.
The Court also addressed the impact on the case of the Federal Communications Commission’s (“FCC’s”) recent “Reclassification Order” that reclassified mobile data service from a non-common carriage service to a common carriage service. The Court noted that the Reclassification Order expressly states that reclassification will “apply only on a prospective basis” and when this suit was filed, AT&T’s past alleged mobile data service misconduct was not regulated as common carrier activity by the FCC. The Court rejected AT&T’s argument that once the Reclassification Order goes into effect, the FTC will no longer have jurisdiction to pursue the case even if limited to AT&T’s past conduct. The Order stated that “even if the change to the common carrier exception, resulting from the Reclassification Order, could be deemed a change in tribunal (i.e., because enforcement with respect to mobile data would be delegated to the [FCC] instead of the FTC and this Court would have jurisdiction only in the former instance), the fact remains that substantive rights are affected by that change as well.” Substantive rights are impaired, according to the Court and the FTC, because the FCC is not authorized to seek refunds for injured consumers and has a shorter one year statute of limitations. Thus, the Court reasoned that the reclassification’s effect on substantive rights undermined AT&T’s argument that the reclassification should be applied retroactively to divest the FTC of jurisdiction over past conduct.
As a result of the Court’s ruling, the FTC’s case against AT&T will proceed on the merits. FTC Chairwoman Edith Ramirez reportedly expressed that the FTC was “gratified” by the Court’s holding and “look[s] forward to proving that AT&T’s marketing of its ‘unlimited’ data plans was unfair and deceptive and returning money to the millions of consumers who were harmed by AT&T’s action.”
On Friday, March 27, 2015, the Federal Trade Commission and Wyndham Worldwide Corp. filed supplemental briefing in the Third Circuit regarding whether the FTC had made an adjudicative decision that the FTC Act prohibits unreasonable cybersecurity practices and, if not, whether a federal court could hear a case charging a violation of the FTC Act if the FTC has not yet made such an adjudicative decision.
Recall that, in FTC v. Wyndham Worldwide Corp. et al., the FTC has alleged that Wyndham violated the FTC Act’s prohibition against “unfair practices” by failing to reasonably secure its customers’ personal information. Unsurprisingly, the parties held diametrical opinions on the issue of whether the FTC had declared unreasonable cybersecurity practices unfair through the procedures of the FTC Act. The FTC began by arguing that it had done so through the issuance of an interlocutory decision in LabMD. Wyndham countered, noting that the interlocutory decision denying a motion to dismiss in LabMD was not final, and therefore could not amount to a formal declaration about the meaning of unfairness.
Next, the FTC argued that it had declared unreasonable cybersecurity practices through the issuance of more than 20 complaints charging as much. The FTC argued that “complaints are akin to policy statements or interpretive rulings,” which litigants and the courts may resort to for guidance, and that the FTC’s issuance of more than 20 complaints charging deficient data security practices are unfair was therefore sufficient to satisfy any requirement that the FTC have declared unreasonable cybersecurity practices unfair through procedures of the FTC Act. It is worth noting that, in making this argument, the FTC cited to a 2014 Third Circuit case which stated that courts and litigants may look to agency policy statements and interpretive rules for guidance. However, the same case also noted that such statements “do not have the force of law,” raising the question of whether they could be considered adjudicative decisions. Wyndham highlighted this point, arguing that because complaints and consent decrees do not adjudicate the legality of any action by a party thereto, they cannot constitute a declaration of law on any issue, including that unreasonable cybersecurity practices are unfair. “Try as it might,” Wyndham said, “the Commission cannot transform complaints and consent decrees into rules and adjudications.”
Finally, the FTC argued that it had declared unreasonable cybersecurity practices unfair through the giving of Congressional testimony stating that the FTC deemed inadequate data security to be a potentially unfair practice. This possibility was not addressed by Wyndham.
The above dispute aside, both parties agreed that the Third Circuit need not decide the issue of whether the case is a “proper case” within the meaning of Section 13(b) of the FTC Act and therefore appropriately before the federal court. Both parties noted that neither had raised the issue and that, in any event, resolution of the issue was not necessary to establish jurisdiction, as the federal courts independently have jurisdiction over the case pursuant to 28 U.S.C. §§ 1331, 1337, and 1345. The parties also both noted that many courts have held that a “proper case” is any case that the Commission chooses to bring directly in court for violation of an FTC-enforced statute and that, were the Third Circuit to hold otherwise, it would create a circuit conflict.
The Federal Communications Commission will hold a workshop on April 28 to explore its role in protecting the privacy of broadband Internet access users.
The Commission’s recent net neutrality order applied certain privacy requirements to broadband access providers, including Section 222 of the Communications Act. That statute requires telecommunications carriers to protect the confidentiality of customer information and restricts their ability to use, disclose or permit access to customers’ individually identifiable customer proprietary network information (“CPNI”). While the Commission applied the statute to broadband providers, it did not apply its rules implementing the statute to broadband providers. Those rules were not “well suited to broadband Internet access service,” the order said. It chose to forbear from applying the rules because they “focus on addressing problems that historically arise regarding voice service,” the order said.
The April workshop could be the first step toward creating new rules for how broadband providers handle CPNI. The workshop will start at 10 a.m. at the FCC’s headquarters in Washington D.C. and will be led by staff. The Commission will also provide audio and video coverage of the workshop on the FCC’s web site, at www.fcc.gov/live. In its statement announcing the workshop, the Commission suggested it would also address the extent to which the Commission can apply a “harmonized privacy framework across various services.”
Dan Cooper and Phil Bradley-Schmieg
On March 27, 2015, the England and Wales Court of Appeal (EWCA) handed down a historic judgment in Google Inc v. Vidal-Hall & Ors EWCA Civ 311, with significant consequences for organizations handling personal data in, or from, the UK.
This case was brought against Google Inc. by three users of Apple’s Safari web browser. They argued that over a period of nine months, Google’s DoubleClick and AdSense services secretly tracked their visits to all websites that used Google AdSense to serve advertising, contrary to Google’s public assurances that users who maintained Safari’s default privacy settings would not be tracked or profiled by DoubleClick, or receive personalized advertising. This, they allege, allowed Google to wrongfully build up a detailed picture of their browsing history from which it could deduce their interests and personal characteristics, and thus serve personalized adverts. Similar cases have been brought against Google in the United States, leading to a US$22.5 million U.S. Federal Trade Commission fine and a US$17 million settlement with state attorneys general.
In an effort to improve international privacy rights, the United Nations Human Rights Council yesterday established a special rapporteur on the right to privacy. Special rapporteurs are expert individuals appointed with specific mandates to investigate, monitor, and report on particular human rights concerns that range from access to water to extrajudicial killings. Yesterday’s Resolution on the Right to Privacy in the Digital Age therefore would elevate privacy to a human rights issue, a step met with great approval from privacy advocates such as the Electronic Frontier Foundation and the Center for Democracy and Technology, who respectively praised the initiative as “giv[ing] the right to privacy the international recognition and protection it deserves” and “strongly reaffirm[ing] that privacy is a core part of human freedom.”
Brazil and Germany introduced the resolution, which states in part a deep concern “at the negative impact that surveillance and/or interception of communications, including extraterritorial surveillance and/or interception of communications, as well as the collection of personal data, in particular when carried out on a mass scale, may have on the exercise and enjoyment of human rights.” The United States, speaking in an explanation of the vote, said that, “The establishment of a mandate on privacy rights came at a crucial time,” and further, “The term digital age was not limited to any particular technology nor did it limit the work of the Special Rapporteur to technology-based infringements on privacy rights.”
The special rapporteur will serve for a period of three years and makes annual presentations to the General Assembly committee.