Inside Privacy - Updates on Developments in Global Privacy & Data Security

The Federal Trade Commission has announced that it will host a workshop on April 26, 2012, to discuss mobile payments.  In addition to exploring payment technologies and business models, the workshop will likely cover consumer protection issues such as the risks of financial loss, the need for information disclosures, data protection concerns, and the remedies available to consumers.  The FTC plans to bring together a variety of stakeholders – industry, consumer advocates, regulators, technologists, and academics – and welcomes public comments in advance of the event.

As we previously noted, the law governing mobile payments is a complex blend of existing federal laws as well as rapidly changing state laws.  The regulatory picture is further complicated by the number of federal agencies that could theoretically assert jurisdiction over mobile payments.  Besides the FTC, other agencies that might have an interest include the Federal Deposit Insurance Corporation, the Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Communications Commission, the Treasury Department's Federal Crimes Enforcement Network, and the Consumer Financial Protection Bureau. 

Just under a year has passed since the California Supreme Court ruled that asking for a customer’s ZIP code during a credit card transaction violates California’s Song-Beverly Credit Card Act.  According to media reports, the court’s decision in Pineda v. Williams-Sonoma Stores, Inc. has spurred more than 200 suits against California retailers.  A roundup of recent developments in Song-Beverly Act litigation:

• A case against Brookstone had been dismissed in May 2010 on the ground that a ZIP code is not “personal identification information” within the meaning of Song-Beverly, but a state appellate court ruled [PDF] that the subsequent contrary decision in Pineda applied retroactively and that the suit against Brookstone could therefore proceed. 
• Both state and federal courts in California have now reaffirmed that Song-Beverly does not apply to online transactions (Gonor v. Craigslist, Inc. [PDF]; Salmonson v. Microsoft Corp. [PDF]).  According to Mehrens v. Redbox Automated Retail LLC [PDF], Song-Beverly does not apply to transactions conducted at self-service kiosks either.  The courts recognized that fraud prevention justifies the collection of ZIP codes in online and kiosk transactions. 
• A California federal court preliminarily approved a settlement under which Tiffany and Co. agreed to provide a voucher for either $10 off or free engraving to an estimated class of 90,000 customers; $142,000 in attorneys’ fees to class counsel; and $2,000 to the class representative.

Continue Reading

Following more than two years of consultations and intense speculation in recent weeks, the European Commission today proposed comprehensive measures to reform the European data protection framework.  We currently are analysing the proposed reforms in detail, but it appears that the proposal for a General Data Protection Regulation largely mirrors earlier leaked drafts. 

For example, key measures include:

Continue Reading

The implementing regulations of Mexico’s Federal Law for the Protection of Personal Data (the “Law”) came into effect on 22 December 2011.  The regulations have allowed the Law to finally fully enter into force.  As reported earlier, Mexico’s privacy law is the first piece of federal legislation to regulate how businesses handle personal information in Mexico.

The implementing regulations bring into force the Law’s provisions dealing with data subjects’ rights to access, correct and delete personal information relating to them, which individuals have been able to exercise since January 2012.  Failure to comply with individuals’ requests to exercise these rights are actionable by the Federal Institute of Access to Information and Personal Data and may lead to civil penalties. The regulations also deal with security and breach notification, cloud computing, consent and notice requirements, as well as data transfers. 

Although the Law is now fully enforceable, a “honeymoon period” of 18 months has been granted to companies to implement the security measures required under the regulations.

Breaches of the Law may lead to fines as well as to custodial sanctions. If sensitive personal data is processed, the penalties can be increased significantly.

The Ontario Appeals Court last Wednesday recognized—for the first time in Canada—the intrusion upon seclusion privacy tort.  In Jones v. Tsige, 2012 ONCA 32, the plaintiff sued a coworker for looking through her financial records.  The motion judge granted summary judgment for the defendant on the ground that Ontario law does not recognize plaintiff’s claim.  The Court of Appeal for Ontario reversed, resolving a question that “has been debated for the past one hundred and two years”—namely, whether to recognize a tort for the invasion of privacy.

The court concluded that the time had come to recognize the cause of action.  Acknowledging “the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form,” the court stated that “technology change has motivated the legal protection of the individual’s right to privacy.” 

Ontario’s new cause of action adopts the elements of the intrusion upon seclusion tort in the Restatement (Second) of Torts, which requires that a defendant intentionally act to invade, without lawful justification, a person’s private affairs or concerns, and that a reasonable person would find the invasion highly offensive.  The court declined to impose an economic harm requirement, noting that “given the intangible nature of the interest protected, damages for intrusion upon seclusion will ordinarily be measured by a modest conventional sum.”

The new privacy right is not absolute.  Competing claims—such as “claims for the protection of freedom of expression and freedom of the press”—may in some circumstances override individual privacy rights.

A putative class action was filed on Monday against Amazon.com following an online hacking attack that potentially compromised the personal information of up to 24 million customers of its online shoe retailer Zappos.com.  An email sent to customers from Zappos.com’s CEO on Sunday assured users that full credit card information and other payment information was not impacted, but stated that names, email address, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and/or cryptographically scrambled passwords (but not actual passwords) may have been improperly accessed.

The complaint, filed in the United States District Court for the Western District of Kentucky (the location of the purportedly compromised servers), includes claims for violation of the Fair Credit Reporting Act, negligence, and invasion of privacy.  The complaint alleges that the named plaintiff and proposed class members now are subject to a heightened risk of identity theft and will have to spend time changing the passwords on their Zappos.com accounts as well as other accounts with the same or similar passwords.

Denying the motion of the defendant internet service provider, Clearwire, to compel arbitration, the U.S. District Court for the Western District of Washington held last week that Clearwire's e-mail confirmation to the plaintiffs was inadequate notice of the terms of service.  This e-mail confirmation included, on the third page of the e-mail, a link to Clearwire's home page rather than a direct link to Clearwire's terms of service.  To navigate to the terms of service from the home page, the plaintiffs would have had to follow two hyperlinks.  The court held that this "trail of breadcrumbs" left by Clearwire to lead the plaintiffs to its terms of service did not constitute sufficient or reasonably conspicuous notice of the terms of service.  Accordingly, the court declined to enforce the arbitration clause of the terms of service without an evidentiary hearing with respect to the factual issue of the plaintiffs' assent to the terms.

The court applied Washington and Texas law to reach this decision, but it was heavily informed by well-known federal court decisions on the formation of contracts on the Internet.  Under those cases, Internet users must have reasonable notice of the terms of an agreement in order to be found to have assented to the agreement.  Courts considering whether users have reasonable notice of the terms have considered how conspicuous the placement of the terms is on the web page and whether it was possible to determine that a user has actually seen the terms.  

By Mark Young & Maria-Martina Yalamova

Following more than two years of extensive consultations on the review of the European data protection framework, the European Commission was expected to publish its proposal for a General Data Protection Regulation later this month.  As we reported on this blog, an early version of this proposal, which was widely leaked last December, contained several radically new concepts and granted the Commission significant powers to provide additional guidance and detail on particular matters.  We now understand, however, that following the “inter-services” review of different Directorates-General of the European Commission, the proposal will not be published until late February or early March 2012.  In the meanwhile, it is expected that Viviane Reding, the European Commissioner in charge of the review, will present some form of communication later this month, without full details of proposed legislation. 

Given the importance of the review, it is only right that the Commission takes its time with the proposal, but it seems likely that elements of the draft circulated for review within the Commission may have been resisted due to their controversial nature.  For example, as we previously reported, the leaked draft broadened the scope of “personal data” and placed significant reliance on opt-in consent as a legal basis to process data in a revised regime; appeared likely to increase administrative burdens for data controllers by introducing mandatory data protection impact assessments and reporting obligations; and granted supervisory authorities wide powers to impose substantial fines -- between 100,000 and 1,000,000 Euros, or as much as 5% of an enterprise’s annual worldwide turnover -- for breaching the new rules.

Law360, the highly respected legal news source covering developments and trends in some two dozen legal practice areas, has named the Covington team as privacy group of the year, one of only five groups so honored among more than 500 surveyed practices.  We’re thrilled to be recognized, and thank our clients for bringing us the leading-edge work that has permitted us to build the depth and breadth necessary for a true world-class global privacy practice.

Yesterday, the FTC announced that it has settled charges against Upromise, Inc., a company that enables consumers to receive rebates when shopping at partner merchants.  (The rebates are placed in college savings accounts—hence Upromise’s name.)  According to the Commission’s complaint, Upromise offered online users a toolbar feature, which, when downloaded, would highlight Upromise’s partners in search engine results.  The toolbar feature also enabled users to choose to receive tailored advertising.  In connection with this aspect of the toolbar, the FTC alleged that Upromise (through an unnamed service provider) collected the names of all websites a user visited and all links clicked, as well as information that users entered into some webpages (which, in some cases, included credit card and financial account numbers, security codes, expirations dates and Social Security numbers). 

The Commission charged that the scope and frequency of the data collection was much broader than Upromise represented in its privacy statement.  The FTC contended that despite using a filter intended to limit the collection of PII, Upromise sometimes collected sensitive information, such as PIN numbers and security codes.  Finally, the FTC alleged that Upromise collected this information by causing the user’s browser to transmit it in clear text, which left it vulnerable to interception—particularly when users were connected to the Internet through unsecured wireless networks.  The FTC stated that by engaging in these practices, Upromise failed to adequately disclose the extent of its data collection and also “failed to provide reasonable and appropriate security for [the] consumer information” that was collected. 

Notably, the Commission described these alleged shortcomings in terms of Upromise’s failure to integrate privacy protections into the design and implementation of the toolbar feature (i.e., its failure to sufficiently adhere to the principle of “privacy by design,” which the Commission described in its December 2010 preliminary staff report).  For example, the complaint faulted Upromise for not testing the ad-tailoring feature or monitoring its collection of information after implementation to ensure that the collection was consistent with Upromise’s policies.  The complaint also alleged that Upromise had failed to ensure that employees responsible for creating and operating the feature received adequate training about security risks and Upromise's privacy and security policies.  Similarly, the Commission alleged that Upromise did not take appropriate steps to ensure that its service provider implemented the feature in a manner that was consistent with Upromise’s policies and the contractual provisions designed to protect consumer information. 

As in recent FTC settlements involving privacy and data security issues, the Upromise consent decree (among other things) would require the company to implement privacy by design in the form of a comprehensive information security program and obtain third-party audits for 20 years. 

Companies considering moving to the cloud sometimes are cautioned that heightened data security risks pose a potential drawback to cloud computing.  And it is certainly correct that before making a decision about whether and how to adopt cloud-based computing, companies should carefully consider the security practices of potential cloud service providers or build security into their internally-developed cloud system.  However, a recent announcement from Diebold that it is developing cloud-based automatic teller machines (ATMs) provides a reminder that local-based computing and storage can pose its own security risks, which sometimes may outweigh those in the cloud.

Diebold is developing ATMs that will both store data remotely and run software from the cloud.  Diebold describes the system they are developing as “virtualized” ATMs, and their CTO stated that they believe that no other ATM manufacturer has yet deployed fully cloud-based ATMs.  Despite physical and software security measures, ATMs are unusually vulnerable both because they are by necessity publicly accessible and because the data the financial data they process is especially valuable for fraud and identity theft.  Of course, ATMs also store money, and as InformationWeek reports, thieves in some countries have stolen entire ATMs, raising the risk that they will access not only the cash contained in the device but also any locally-stored data.

Given the unusual risks, it is perhaps not surprising that Diebold is developing cloud-based ATMs.  In particular, Diebold’s move highlights the risks involved in local computing and storage where the storing computers are readily accessible or contain especially valuable data.  Companies facing such circumstances or others that render local storage risky may contemplate a shift toward cloud computing, but in doing so should be sure to account for security in choosing a cloud service provider or developing their own cloud systems, in order to avoid simply replacing old risks with new ones.