Technology Transactions

On 13 September, the Information Commissioner’s Office (ICO) published draft guidance on GDPR contracts and liabilities on contracts between controllers and processors under the GDPR (the “Guidance”).  The ICO is consulting on the Guidance until 10 October.  We summarize the key aspects of the Guidance below.
Continue Reading GDPR Contracts and Liabilities Between Controllers and Processors

As businesses increasingly work with various types of third parties that process sensitive information and, in some cases, access a company’s networks, there is an inherent risk:  these third parties create new avenues of attack against a company’s data, systems, and networks.   Covington attorneys David Fagan, Nigel Howard, Kurt Wimmer,
Continue Reading Covington Attorneys Author Chapter on the Challenges of Managing Third-Party Outsourcing Risks

In May 2015, reports about the German government’s plans to establish federal German cloud infrastructure (the “Bundes-Cloud”) raised concerns about the possible introduction of data localization requirements (preventing the storage and processing of data outside Germany).  The criteria for the use of cloud services by Germany’s federal administration, which have recently been published, now give shape to these concerns.
Continue Reading Data Localization Requirements Through the Backdoor? Germany’s “Federal Cloud”, and New Criteria For the Use of Cloud Services by the German Federal Administration

New consumer protection provisions that clarify how companies may collect, use, and protect personal information of consumers will come into effect in China on March 15, 2015.

On January 5, 2015, China’s State Administration of Industry and Commerce (“SAIC”) issued measures to implement China’s Consumer Rights Protection Law (“CRPL”), which was amended effective March 2014 to include, among other things, provisions on the protection of personal information of consumers and administrative penalties for the misuse of personal information.   The newly promulgated measures, entitled Measures on Penalties for Infringing Upon the Rights and Interests of Consumers (“CRPL Penalty Measures”; Covington’s translation is available here) flesh out the CRPL by addressing a range of consumer protection issues.  From a privacy perspective, the CRPL Penalty Measures (1) clarify the definition of “personal information of consumers,” (2) provide more detail on the CRPL’s requirements for the collection, use, and protection of consumer personal information, and (3) provide for significant penalties for violations.  The CRPL Penalty Measures take effect on March 15, 2015, China’s Consumer Protection Day.
Continue Reading China Clarifies Requirements for Companies Regarding Consumers’ Personal Information

Today, the Federal Trade Commission (“FTC”) issued a staff report examining the consumer-protection implications of popular shopping apps.  These services are intended to ease and enhance the shopping experience by allowing consumers to, for example, compare prices in-store across retailers, collect and redeem deals, or pay for purchases while shopping
Continue Reading Federal Trade Commission Releases Report on Mobile Shopping Apps: Finds Insufficient Disclosures to Consumers

On Thursday, the Federal Trade Commission (“FTC”) hosted a workshop to explore the practices and privacy implications of comprehensive data collection. The event gathered consumer protection groups, academics, privacy professionals, and business and industry representatives to examine the current state of comprehensive data collection, its risks and potential benefits, and what the future holds for consumers and their choices.

In her opening remarks, FTC Commissioner Julie Brill indicated the agency was open to revising its consumer privacy framework if comprehensive data collection warranted heightened restrictions or enhanced consent to protect and inform users: “We know that comprehensive data collection allows for greater personalization and other benefits, but there may be other contexts in which it does not lead to desirable results.”

The workshop was one of five main action items adopted by the FTC as part of its March 2012 report, Protecting Consumer Privacy In an Era of Rapid Change.  In the report, the commission told companies that consent was not required for the collection and use of information that was consistent with a particular transaction or the company’s relationship with the consumer. But the agency said it needed more information to determine how this principle applied to technologies that could capture large amounts of consumer information, such as deep packet inspection (DPI).Continue Reading FTC Hosts Workshop to Examine Comprehensive Data Collection

The U.S. Supreme Court ruled on Tuesday that the federal government does not always lose its sovereign immunity to damages lawsuits claiming that an agency violated the Fair and Accurate Credit Transactions Act (“FACTA”) by printing the expiration date of a credit card on a receipt issued to a consumer. In a unanimous decision, authored by Justice Antonin Scalia, the Court rejected a November 2010 ruling by the Federal Circuit that the Little Tucker Act authorized the government to be sued for money damages under the Fair Credit Reporting Act (“FCRA”), which FACTA amended.  

James Bormes, a Chicago lawyer, paid a $350 court filing fee through the federal government’s pay.gov system with his American Express card. He was sent an electronic receipt for the transaction, which contained his credit card’s expiration date. Bormes alleged that this violated FACTA’s prohibition on printing expiration dates on credit card receipts issued at the point of sale.  He sued the government, seeking class-action status on behalf of thousands of people issued receipts that displayed card expiration dates or more than the last five digits of credit and debit card numbers (which FACTA also prohibits).

The district court initially dismissed the suit, finding that the FCRA does not contain an explicit waiver of the government’s sovereign immunity and could, therefore, not allow for the plaintiff’s damages claims. Bormes appealed to the Federal Circuit, which has exclusive jurisdiction for appeals in which a lower court’s jurisdiction was based partly on the Little Tucker Act. The government moved to transfer the suit to the Seventh Circuit, arguing that the Act’s jurisdictional provision did not apply. The Federal Circuit denied the motion and vacated the lower court’s ruling. The federal government then took the sovereign immunity issue to the Supreme Court.Continue Reading Government May be Immune to Suits Alleging Violations of FACTA

Yesterday the Department of Transportation issued its final rule on “Enhancing Airline Passenger Protections.”  The proposed rule had been published in December 2009 and received over 2,000 comments.  One of the most controversial aspects of the original proposed rule was a requirement that airlines must provide all their fare and product

Continue Reading DOT issues final rule on passenger rights

Fiserv, Inc. recently released the results of a survey suggesting banks are taking a “wait and see” approach to mobile payments. Fiserv commissioned and Forrester Consulting conducted the survey of 15 large U.S. banks, which found that most of the banks offered mobile banking services allowing customers to make transfers

Continue Reading Survey Indicates Banks Taking “Wait and See” Approach to Mobile Payments

I attended the ABA’s Antitrust Law Spring Meeting the last two days.  What struck me the most was the increased prominence of data and privacy as factors in analysis of markets and competition in antitrust law.  This was the topic in the Chairman’s Showcase session on Thursday.  Julie Brill, the FTC Commissioner, perhaps made the point the best.  She explained that if privacy is becoming a competitive differentiator (e.g., consumers are persuaded to use one service over another because the chosen service has better privacy practices), then privacy is clearly a non-price factor in competition law analysis.  Commissioner Brill provided an overview of the FTC’s report on consumer privacy and emphasized three parts of the report: privacy by design, transparency and choice.  She also emphasized that the FTC was focused on the fact that technical approaches to privacy solutions could impact competition in the market.  However, her view was that standards bodies would mitigate against this concern.  Ken Anderson, Assistant Commissioner for Privacy in Ontario provided an explanation of privacy by design.  Much of the information from his presentation is readily available in a useful video presentation at  www.privacybydesign.ca

HP demonstrated an automated tool that it is testing as part of its privacy by design implementation which looked impressive. The HP “Accountablity Model Tool” sends records and reports to the HP privacy office as products are developed.  Google introduced the audience to the “data liberation front” which enables users to extract their data from Google products – see www.dataliberation.org.Continue Reading Privacy increasingly a factor in antitrust/competition law analysis