Data Privacy

In with the New, Part II: 2014 Privacy, Advertising and Digital Media Predictions

On the heels of 2014 predictions from the U.S.-based Of Digital Interest (ODI) editorial team, following are some predictions from our London-based editor, Rohan Massey:

Security breaches

Recent security breaches concerning consumer data in the retail industry have demonstrated the damage breaches of this kind can have on a business’s brand, with potential impact on share price. Such breaches highlight the pressing need for robust data security measures, and the commercial importance of these issues to an organization’s brand value. It is likely that, as with intellectual property assets 25 years ago, we will begin to see a push, driven by shareholders and proactive management, for data assets to be listed as an accounting line item in corporate accounts in the coming year.

Europe

The draft report of Rapporteur Jan Philipp Albrecht on the proposed Data Protection Regulations recently discussed by the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament has indicated that the Commission and the Rapporteur strongly support radical changes to the current data protection regime. As we enter the next stage of negotiations for the draft Regulation, this report could have a significant impact, with reforms not anticipated to be finalized until 2015. Within the next 12 months, a roadmap of terms and timelines for the new regime will likely be delivered. We can expect larger penalty capacity and a streamlined, if broader, regulatory framework, but as we know the devil remains in the detail.





Data Privacy Day 2014

In Boston, we celebrated Data Privacy Day (January 28) by presenting “U.S. Privacy and Data Protection: 2013 Year In Review and a Prediction of What’s to Come in 2014” for participants in an IAPP KnowledgeNet.  Our panel of speakers discussed significant U.S. data privacy and protection events from 2013 and shared thoughts about what’s ahead for 2014 in U.S. data privacy and protection.  You may download the presentation slides here.

We hope you find our presentation materials informative.   Of course, please do not hesitate to contact any member of the Of Digital Interest editorial team with questions or comments.





Full Speed Ahead for EU Data Protection Reform

Data Protection Day 2014 (January 28) aims to raise awareness around what kind of data is collected about individuals, how it is used and why.

In marking this year’s Data Protection Day, Vice-President Viviane Reding, the EU Justice Commissioner, is calling for “a new data protection compact for Europe.”  Reding continues to focus on EU data protection reform, with the objective of the swift adoption of the current draft Regulation and believes it should be “full speed on data protection in 2014.”  If adopted, the European Commission proposals will serve as a comprehensive reform of the EU 1995 Data Protection Directive, with the aim of strengthening data privacy and thereby boosting Europe’s digital economy.

To become law, the draft Regulation must be adopted by the European Parliament (which is expected to adopt the proposals in first reading in the April 2014 plenary session), the Council of the EU and the European Council. Jan Philipp Albrecht, the member (MEP) in charge of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee), has said that the current timetable targets scoping a mandate for negotiations during June, with inter-institutional negotiations taking place in July.

So perhaps it will be full speed ahead for 2014 after all…





Guidance on Personal Data Used in Advertising in Germany

German data protection authorities published new guidelines in December 2013 about the collection and processing of personal data for advertising purposes.  The 2013 advertising guidelines (available here in German) supplement another set of advertising guidelines published in October 2012 (available here in German). Together, the 2012 and 2013 guidelines help to clarify how German data protection law relates to advertising activities.

The 2013 guidelines cover the following three main topics:

  1. The “list-privilege” exception. The Bundesdatenschutzgesetz (Germany’s Data Protection Act) provides an exception to the rule that consent is required before personal data is processed for advertising. Certain personal data, such as name, address and year of birth, may be used for an organisation’s own marketing purposes without prior consent as long as the data is aggregated. The 2013 guidelines provide useful information on this exception by, for example, clearly stating that e-mail addresses and telephone numbers do not qualify for this exemption, and by providing commentary on how long the information qualifies for this exception after the last time it is used to contact the person to whom the data relates (generally two years, but the 2013 guidelines state that the time period can vary based on the facts).
  2. Consent. The 2013 guidelines confirm that leaving business cards at a trade show for the express purpose of receiving information from business contacts constitutes consent to contact  the person named on the business card for advertising purposes. For the digital world, the 2013 guidelines advise a double opt-in for consent provided electronically (e.g., via e-mail or SMS).  Under the 2013 guidelines, double opt-in consent means that the person providing personal data about himself or herself must: (i) affirmatively consent (e.g., by clicking a button or checking an unchecked box on a website) at the time of data collection; and (ii) confirm his/her consent after receiving a written request for confirmation of consent (e.g., a detailed e-mail requiring confirmation by clicking a link) that includes enough information to enable the person to provide informed consent.
  3. Right to object to use of personal data for advertising purposes. The 2013 guidelines state that when a person indicates (whether in writing or otherwise) that he/she no longer wishes to be contacted for advertising purposes, the organisation holding the data should take action in accordance with such a request without “undue delay.” (The 2013 guidelines don’t specify what time period is acceptable for undue delay.) The 2013 guidelines do, however, recognise that stopping all communications immediately may not be feasible, and advise organisations to inform individuals of any time lag to avoid complaints. The 2013 guidelines also remind organisations that a statement publicising an individual’s right to object should be included on every marketing communication, not just in (often lengthy) website terms and conditions.




New COPPA Parental Consent Method Approved by FTC

The Federal Trade Commission’s (FTC) amended Children’s Online Privacy Protection Act (COPPA) Rule (16 CFR § 312 et seq.), effective July 1, 2013, allows industry groups and companies to apply for FTC approval of new parental consent methods that aim to provide substantially the same or greater protections for children’s online privacy than the parental consent methods described in COPPA.  COPPA requires parental consent to be “verifiable.”  Thus, the key to establishing a new parental consent verification method under COPPA is to demonstrate that the authentication process is sufficiently reliable to ensure that the person providing consent is the child’s parent.

To date, three companies have applied to the FTC proposing new consent methods.  The first application, filed in June 2013, proposed a social network-based verification method whereby the system would ask a parent’s “friends” on a social network to verify whether the person providing consent is the child’s parent.  The FTC rejected the proposal as lacking sufficient proof of reliability.  The FTC noted that, although the proposed method requires a minimum number of verifiers and a minimum “trust score,” the proposal failed to establish a particular “trust score” or a particular number of verifiers as adequate for authentication purposes.  The FTC viewed the proposed method as involving an emerging technology and requiring further efficacy studies.

Unlike the first application, the other two applications both proposed more conventional knowledge-based authentication (KBA) methods similar to those used by financial institutions and credit bureaus.  According to the FTC, these types of KBA methods, when implemented properly, are sufficiently reliable for identity authentication.

The second application, filed in August 2013, proposed a system that requires a child signing up on a website or mobile app to provide the name and email address of a parent.  The system would send an email notification to the email address provided by the child that contained a link for the parent to grant consent and provide name, address, birthdate and the last four digits of his/her Social Security number (SSN).  Then, the system would verify the parent’s identity by cross-checking the information provided against various consumer databases.  If the parent’s identity cannot be verified by the cross-checking process, the system, as the fallback option, would ask the parent to answer a series of knowledge-based personal questions (previous addresses, phone numbers, etc.).

The third application, filed in October 2013, adopted a similar but more rigorous process than the process described in the second application.  The third proposed method would use the name, address and last four digits of SSN provided by the parent to locate the parent’s “unique data record” from consumer databases and to generate up to six random questions that the parent must correctly answer for verification to be successful.  The parent also would be required to provide a telephone number for the system to call to complete the process.  This third application is open to public comment until late January 2014.

On December 23, 2013, the FTC approved the method described in the second application [...]


The UK ICO’s Vision for the Future

The United Kingdom Information Commissioner’s Office (UK ICO), the UK regulator of information rights, has issued a consultation document to get feedback from consumers and stakeholders on the role and impact it should adopt in the future. According to the UK ICO, the main challenges to be faced in the coming years are an increasing workload coupled with funding cuts and the introduction of the European Union data protection reform package.

The UK ICO expects that, going forward, systemic problems will be addressed ahead of individual lapses, with investigations being triggered when a series of complaints from individuals are received in relation to a problem. The UK ICO is also eager to coordinate with other data protection authorities and to encourage the use of trust marks, privacy seals or other methods of certification to bolster individuals’ rights.

The UK ICO plans to publish its findings in March 2014, along with its 2014-2017 corporate plan.





Lights, Camera … Action on Your Website Documents

Terms and conditions of use and data privacy policies on websites, applications and other online and mobile services (aka “digital services”) are the subject of much discussion and debate among lawyers and lawmakers and in popular culture.  A new documentary discussing such terms – descriptively titled “Terms and Conditions May Apply” – examines whether consumers read and/or understand the terms and conditions to which they routinely agree when registering for or using digital services.  One humorous example from the film showed that 7,500 people agreed to terms and conditions requiring them to sell their immortal souls to the UK retailer GameStation.

Regardless of whether users take the time to read them, a patchwork of state and federal laws obligates businesses to provide such policies and terms and comply with the representations made in them.  In future posts, we will discuss some current best practice trends for these website agreements and policies.  In the meantime, every business with an online presence should take the time to make sure they have posted terms and conditions to which they can and do adhere.





Privacy and Data Protection: 2013 Year in Review

Privacy and data protection continue to be an exploding area of focus for regulators in the United States and beyond. This report gives in-house counsel and others responsible for privacy and data protection an overview of some of the major developments in this area in 2013 around the globe, as well as a prediction of what is to come in 2014.

Read the full report here.





EU Disagrees on Data Protection “One-Stop Shop” Regime

The completion of the Data Protection Regulation faced another set-back last Friday (December 6, 2013) at the Council of Ministers, in which there was a fundamental disagreement surrounding the proposed “one-stop shop.”  This proposal seeks to allow multinational companies to deal only with the privacy regulator of the member state in which the company is established, thereby streamlining enforcement.

Despite previous support for the proposals, legal services counsel for the Council of Ministers raised opposition at the meeting on Friday, claiming that the one-stop shop was designed for data controllers at the expense of data subjects, with the likely impact of breaching the human rights of European citizens. Furthermore, it was claimed that the one-stop shop would promote “forum shopping” whereby large multinationals would establish themselves in member states with perceived weak regulators.

European Commission Vice President Viviane Reding countered these arguments, claiming that the reform enhances citizens’ rights, given that individuals “will always be able to go to their local data protection authority.” With efforts to finalize the data protection reform legislation now stalled, Ms Reding added, “I hope, therefore, that what we leave behind today, will be picked up with renewed energy, and a clear political commitment by the [incoming] Greek presidency in January”.

For further details, please see the Council’s press release.





Article 29 Data Protection Working Party Supports Reform

On December 4, 2013, the Article 29 Data Protection Working Party (Working Party) endorsed the data protection reform package presented by the European Commission, strongly encouraging all relevant parties to adopt the reform package and determine a final text prior to the end of the term of the current EU legislature.

The Working Party notes the challenges that are brought about by technological developments in the digital economy and globalization, leading to a simultaneous need for a robust and relevant EU data protection regime. In light of this, the European Commission devised a framework in January 2012 to address these issues and strengthen the rights of individuals. The Working Party has emphasised the importance of a unified, harmonized application of data protection legislation in instilling trust in citizens, with respect to governments and the digital economy. The Working Party further noted that a strong EU General Data Protection framework will be fundamental in ensuring the completion of the digital single market by 2015.

For further details, please access the Working Party press release via the following link:  https://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/20131204_pr_dp_reform_package_en.pdf



