Although the Constitution does not explicitly mention privacy, the Supreme Court has firmly held that a right to privacy for all Americans is found in several of its amendments, with almost 100 years of case law providing precedent for many personal privacy rights that have become a cornerstone of American culture. However, in this digital age of rapid technological change, with real-time access to information and the global exchange of information at the push of a button, new privacy protection questions arise almost daily. The extent to which an individual’s private information shared online is subject to privacy protection varies depending on which side of the pond you stand on.
European nations generally take a more restrictive approach than the U.S. as to how companies can use personal data. EU nations often go head-to-head with U.S. digital companies over differing interpretations of privacy rights. Both Google and Microsoft have faced multiple investigations outside the United States.
Facebook seems to be a particularly popular target. As the world’s largest social network, with 1.6 billion monthly users, Facebook earns its revenues from advertising aimed at users, after gathering information from the users’ social connections and their activities in their posts. Late last month, a German court fined Facebook 100,000 Euros for failing to follow an order issued by a German court four years ago that required the social media site to revise a clause in its terms concerning intellectual property content posted by users on or in connection with Facebook. The German court had found that the clause violated consumer rights. While Facebook modified the wording slightly for German users, the court found that the revised wording still conveys the same underlying message as the original. Europe’s highest court also recently ruled against Facebook over the way data was transferred between the European Union and the United States. And just yesterday, a German court ruled that domestic websites could not transfer user data to Facebook via its “like” button without the specific consent of the user.
In a novel link between privacy protection and antitrust, the German competition authority, the Federal Cartel Office (Bundeskartellamt), opened an investigation on March 2 into whether Facebook abused its dominant position in social networking in order to collect its users’ digital information, including by placing unfair constraints on users, who were forced to accept complicated terms and conditions in order to use the network. The investigation seeks to determine whether Facebook users were properly informed about how their personal data would be obtained through the site, including the type and the extent of the data collected.
One might ask why the Federal Cartel Office would get involved through this novel approach of linking privacy protection to antitrust law. First, under antitrust law, the maximum fines are much greater than those under privacy law. For a tech giant like Facebook, the fines imposed by data protection authorities can seem negligible, even in the most egregious cases, while antitrust fines pose a much more significant deterrent. Second, Facebook has claimed that it falls only within the jurisdiction of the data protection authority in Ireland, where its international headquarters are situated. By bringing the investigation under the auspices of the antitrust authority, this argument is avoided. The President of the Federal Cartel Office, Andreas Mundt, remarked that “[d]ominant companies are subject to special obligations,” and went on to say that such obligations include adequate terms of service, as far as they are relevant to the market. He also noted the importance of user data where Internet services are financed by advertising. The authority noted, “. . . if there is a connection between infringement and market dominance, it could constitute an abusive practice under competition law.”
While some criticize the Federal Cartel Office’s position as ambitious and vague, others fear that this case could open the door to other investigations and cases using data protection violations to support antitrust claims. Whether the Federal Cartel Office is successful or not, this should be a forewarning to other big U.S. technology companies: it is probably not enough to rely on U.S. privacy rules when playing in a global arena.
By Michelle Cohen, CIPP-US
On January 28th, in an effort to raise awareness of privacy and data protection, the United States, Canada and 27 countries of the European Union celebrate International Data Privacy Day. Many organizations use Data Privacy Day as an opportunity to educate their employees and stakeholders about privacy-related topics. With the recent, high-profile data breaches at Target, Neiman Marcus and, potentially, Michaels, the need for training and instruction on data security is more critical than ever before. In this vein, we’ve set forth our views on the year ahead in legal developments relating to data security and what companies can do to prepare.
Legislation Introduced, but Is It on the Move?
Data security and data breaches will continue to be the focus of regulators and Congress through 2014. In fact, Congress summoned Target’s Chief Financial Officer to appear before the Senate Judiciary Committee on February 4th and a House committee is seeking extensive documents from Target about its security program. Meanwhile, Senator Leahy re-introduced data breach legislation which would set a federal standard for data breach notifications (most states now require notifications, though the requirements differ state-to-state).
Senators Carper and Blunt introduced a separate bipartisan bill intended to establish national data security standards, set a federal breach notification requirement, and also require notification to federal agencies, law enforcement, and consumer reporting agencies when breaches affect more than 5,000 persons. Many companies have suffered data breaches and then faced civil lawsuits under various causes of action, including allegations that they did not notify customers promptly. As a result, there may be strong support for a single federal standard in place of the current patchwork of state laws. While the Target breach has certainly renewed interest in data security, and we expect Congress will conduct numerous hearings, ultimate passage of data breach legislation in this Congress is still probably a long shot.
Watching Wyndham Take on FTC
As covered in this blog, various Wyndham entities have struck back at the FTC, challenging the FTC’s authority to bring an action against Wyndham for alleged data security failures. The Wyndham entities claim that the FTC may not set data security standards absent specific authority from Congress. Yet, with Congress not having set data security standards thus far, the court at oral argument seemed concerned about leaving a void in the data security area. Wyndham’s motion to dismiss remains pending in federal court in New Jersey. Most observers think the court will be hard pressed to limit the FTC’s authority under Section 5 of the FTC Act, which broadly prohibits “unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce” and provides the FTC with administrative and civil litigation enforcement authority. The agency has used this authority with great success, bringing numerous data privacy actions that usually result in settlements, as companies prefer not to risk further litigation expenses, penalties, and reputational damage. We think the FTC will remain vigilant in this space, including in its attention to the security of mobile apps.
Class Actions Jump on Breaches
Whether breaches affect Sony PlayStation, Adobe, Target, or some other company, the class action firms have been busy filing lawsuits based upon data breaches. For example, by year end, at least 40 suits had already been filed against Target, with seven filed the day Target disclosed the breach. The plaintiffs use various theories, including violations of consumer protection statutes, negligence, fraud, breach of contract, breach of fiduciary duty, invasion of privacy and conversion. But if a consumer’s information was potentially exposed, yet nothing happened to the consumer as a result, does that consumer have cognizable damages? That has been a huge sticking point for these lawsuits. Yet the class action lawyers will continue to file these suits, and some companies will settle to avoid further reputational damage and litigation expenses.
Don’t Count out the States
States have taken the lead in setting data breach notification standards and, in some cases, data security requirements. For instance, in March 2010, Massachusetts enacted strict data security regulations. Organizations that own or license personal information of Massachusetts residents are required to develop and implement a written comprehensive information security program (“CISP”) to protect that information. Almost all of the states have standards setting forth what types of information are covered by breach notification laws, who gets notified, what content goes in the notifications, and the timing of the notifications. Multiple states are investigating the Target breach; less well known breaches certainly get state regulators’ attention as well. We predict the states will continue to be active regulators and enforcers of data security and data breaches, and will likely continue to “rule the roost” while federal legislation lags behind.
Preparation and Training Still Key
We’ve said before that, unfortunately, no company is immune from data breaches. Companies cannot assume that they have the best anti-malware or security features, or that the newsworthy breaches at other companies resulted from lapses that could not happen to them. Whether the cause is a sophisticated hacker or, more commonly, a well-meaning but negligent employee, data loss and data breaches will occur. All organizations should have procedures in place NOW to prevent data loss and to prepare for a breach. This includes IT, human resources, legal, and communications resources. Companies should designate a “data security/data breach” team with representatives from these key departments (working with outside counsel and other privacy breach specialists when needed). The team should meet periodically to review procedures, recommend improvements, and engage in periodic training on data security.
We can’t stress enough the importance of employee training. An employee who, for instance, wants to finish a project at home after stopping by the gym might copy files containing sensitive personal information onto an unencrypted flash drive. Let’s say the gym bag gets stolen, along with the flash drive. Well, the employee’s unlucky company may now have a huge data breach situation on its hands, requiring notices to customers and state attorneys general, and bringing potential litigation and other expenses (such as paying for credit monitoring, now an industry standard). Employees need training about securing sensitive information: from shredding documents instead of putting them in the dumpster, to encrypting information that is being taken offsite, to avoiding “phishing” scams, to having unique passwords that they change periodically. According to recent reports, “password” and “123456” are still among the most popular passwords. While data breaches cannot be avoided completely, we can ameliorate some risks with better practices in our organizations.
FTC Vigilant on Children’s Privacy – Rejects Proposal for Collecting Verifiable Parental Consent Under COPPA
On November 12, 2013, the Federal Trade Commission (“FTC”), in a 4-0 vote, denied AssertID’s application for approval of a proposed verifiable parental consent (“VPC”) method under the Children’s Online Privacy Protection Rule (“COPPA Rule”). Under the COPPA Rule, covered online websites and services must obtain VPC before collecting personal information from children under 13. The agency’s revised COPPA Rule became effective in July; among other changes, it expanded the categories of data that constitute “personal information.” The rule sets forth several acceptable methods of obtaining parental consent. Notably, it also allows parties to seek FTC approval of other VPC methods.
The FTC’s approval process allows organizations to present innovative VPC methods, permitting flexibility and taking into account new technologies, while still ensuring that parents provide consent on behalf of their children as COPPA requires. The FTC requires that applicants seeking approval of a new VPC method provide: (1) a detailed description of the proposed parental consent method; and (2) an analysis of how the method is reasonably calculated, in light of available technology, to ensure that the person providing consent is the child’s parent.
The FTC reviewed AssertID’s proposed VPC method following a public comment period. AssertID’s product, “ConsentID,” would ask a parent’s “friends” on a social network to verify the identity of the parent and the existence of the parent-child relationship (“social-graph verification”). The FTC concluded that “ConsentID” did not meet the criteria to ensure that the person providing consent is the child’s parent. The agency determined that it was premature to approve ConsentID, since AssertID had not presented sufficient research or marketplace evidence demonstrating the efficacy of social-graph verification.
The FTC also questioned the efficacy of social-graph verification in the “real world.” The agency noted that relying upon social network users to confirm a parent’s identity posed many problems, including the fact that many profiles are fabricated (noting that Facebook’s SEC Form 10-Q indicates it has approximately 83 million fake accounts). In conclusion, the agency found that “identity verification via social-graph is an emerging technology and further research, development, and implementation is necessary to demonstrate that it is sufficiently reliable to verify that individuals are parents authorized to consent to the collection of children’s personal information.”
The FTC has approved and denied other VPC methods. The agency’s denial of AssertID’s application signals that while the FTC encourages the use of new technologies to obtain VPC under COPPA, it will review new methods carefully, requiring research results and demonstrable success in a “real world” setting rather than just a beta test. Website operators collecting personal information of children under 13 (and “personal information” now includes geolocation information, as well as photos, videos, and audio files that contain a child’s image or voice) should review their COPPA compliance, including their methods of obtaining VPC. The FTC continues to be especially vigilant in protecting certain categories of personal information, including children’s information, financial information, and health information.