FTC Beat
Archive for the ‘Data Privacy and Cyber Security’ Category
Aug 28
2017

A Giant Demanding Piece of … Restrictiveness: Do you need to pay attention to the coming GDPR?

GDPR. If you see those letters and think it is an acronym for Gosh Darned Pain in the Rear (or an edgier equivalent) you are in large part correct. But if you don’t know any more than that, and you are a company with any ties to Europe, then you need to read further.

GDPR, the General Data Protection Regulation, is an extensive and broad-reaching regulation issued by the European Union dealing with how companies (including U.S. companies) process the data of people living in the E.U.  It replaces the E.U. Data Protection Directive and is slated to take effect May 25, 2018.

Companies that fall under the regulation’s requirements need to ensure (1) that the individuals’ data they are processing is secure in their hands, (2) that they have the individuals’ consent to process it (or have an enumerated reason they don’t need consent), and (3) that they keep individuals informed of their rights and of developments surrounding the use of their data.

If you are a U.S.-based company with little European presence, you may slough off the idea of getting into GDPR compliance. You may have analyzed the GDPR’s predecessor (the Data Protection Directive), decided that it didn’t implicate you, and assume the GDPR won’t implicate you either. Or you may have relied upon the Safe Harbor and assume you can continue to operate under that. Don’t make assumptions. Don’t ignore the regulation. If you do, and you are ultimately found to have violated it, you could face some hefty penalties. Under the GDPR, there are two sets of thresholds for administrative fines[1]:

  • Up to €10 million (almost US$12 million) or up to 2% of global revenue, whichever is higher, for certain violations, including failure to implement data protection by design, failure to maintain written records, and failure to report breaches when required; and
  • Up to €20 million (almost US$24 million) or up to 4% of global revenue, whichever is higher, for other violations, including failure to adhere to basic processing principles such as consent, notification of individuals’ rights, and international transfers.

These fines are meant to catch attention. Hopefully, they caught yours. They may inspire you to do a double take to see whether or not your business will be subject to the GDPR. The GDPR has a broader reach than the earlier Data Protection Directive. Moreover, the Safe Harbor is no longer valid. It has been replaced by a “Privacy Shield” regime, which applies to data that companies transfer from the E.U. to the U.S. But even the Privacy Shield is on shaky ground, and it may not be enough to shield companies (so to speak) from liability for GDPR violations. The GDPR is broader, covering information on E.U. residents even if the data is not transferred across borders, and it institutes stricter measures in terms of how data should be handled.

Here are some questions you should ask to help you determine whether you need to prepare for the GDPR:

  • Do you have an E.U. office, or even a company representative who operates out of Europe?

If you have any “real and effective” European activity through “stable arrangements” (the quoted terms are those used by E.U. courts to define implicated businesses), then you will be subject to the GDPR even if you do not process personal data in the E.U. So long as the data is processed in the context of the European activities, the GDPR applies.

  • Are you outside of the E.U., but process data about E.U.-based individuals in connection with offering goods or services?

It does not matter whether or not any payment is involved in the offer. Your offers can be free of charge and you are still implicated by the rule. So long as your company anticipates activity directed at E.U. individuals (e.g., you price items in E.U. currency or pay a search engine to increase your visibility to E.U.-based people), you are implicated.

  • Are you outside of the E.U., but monitor the behavior of individuals in the E.U.?

If you track E.U.-based individuals online to create profiles, or to analyze or predict preferences, you are implicated.

The long and short of it is that, if you touch Europe, directly or remotely, in your operations, and you process data that includes E.U. individuals, you should spend time assessing GDPR compliance.

For starters:

  • Review the information you collect that is E.U.-focused or directed at E.U. individuals
  • Review the type of information you collect/use
  • Review the types of consent obtained and notifications on data usage provided
  • Review your service contracts to determine your company’s role in data processing and follow-on companies’ roles in data processing

[1] We will treat the E.U.’s ability to enforce these penalties in a later post, but assume they will be able to reach your assets.

Apr 22
2017

The FTC’s Role in Privacy

Acting Chairman of the Federal Trade Commission, Maureen Ohlhausen, answered questions about the FTC’s current role in data privacy before a crowded audience at the April 2017 IAPP Global Privacy Summit in D.C. Below are some take-aways we wanted to share from Commissioner Ohlhausen’s talk:

  • Even if out of ISP oversight, the FTC is actively engaged in data privacy enforcement through its consumer protection role.

Ohlhausen expressed disappointment that the FTC had to step out of ISP oversight in 2015, when the FCC reclassified broadband as a common carrier service (the reclassification means the FCC, no longer the FTC, has authority over privacy and data security enforcement for ISPs).[1] But she said that the FTC is still active through holding companies to their data privacy policies and claims: “We enforce promises. We hold companies to their promises, even in technologically advanced areas.” She noted that FTC enforcement actions derive not only from consumer complaints, but that the FTC is also getting cases from computer researchers and marketplace competitors.

  • FTC to present positive findings from its enforcement actions.

Ohlhausen and her staff are considering changing what they present publicly on their investigation findings. Normally, the FTC publishes what it has found companies doing wrong, but Ohlhausen believes the public could benefit from learning what the FTC has found companies doing right. The FTC therefore may be bolstering its public messages on enforcement actions with this positive twist.

  • How FCC and FTC oversight of ISPs differs.

Ohlhausen noted that the FCC has ended up with a different approach to data security oversight. For instance, it has taken a different view on what constitutes sensitive data and on what types of opt-ins and opt-outs are permissible. She expressed concern that, with the Open Internet Order, which revoked the FTC Privacy Rules, no one is really watching the hen house. She hopes either Congress or the FCC will reconsider the FTC’s role: the FCC could rescind its reclassification, or Congress could rescind the FCC’s common carrier authority over broadband services.

  • The Privacy Shield and the FTC’s role in working with Europe.

Ohlhausen noted that the current Administration seems committed to the Privacy Shield. She believes that the Privacy Shield meets Europe’s needs and, further, that the FTC has an important role to fill in (1) ensuring how information is disseminated and (2) enforcement. For instance, the FTC can provide guidance on how to inform E.U. consumers of the parameters of the Privacy Shield. Moreover, the FTC will enforce Privacy Shield violations, treating a failure to comply as deception. She is optimistic that the Shield will withstand court challenges, in contrast to the Safe Harbor, which was negotiated in a different environment.

  • Chinese forays into privacy.

Ohlhausen, who was heading to Beijing the day after her IAPP talk, expressed interest in Chinese developments in privacy regulation: even where a communist country’s government controls so much, there can still be a real interest in privacy for the consumer. She noted that some international companies have concerns over whether they will be disadvantaged by Chinese privacy laws.

  • Privacy and overlap with other areas of law

When asked whether privacy laws, such as the anti-discrimination provisions contained in the GDPR, are carrying more water than just privacy, Ohlhausen noted that there is some overlap, such as with the Fair Credit Reporting Act and the Civil Rights Act. She took the discussion as an opportunity to highlight the importance of balancing fear of the unknown against the benefits of innovation: it is good to identify the bad things that can happen, but we also need to weigh that against the good things. While consumer protection is important, we also want a competitive marketplace and want to encourage innovation.


[1] A side note on the FCC reclassification: a persistent theme in Ohlhausen’s talk was expressing hope that the FTC would get authority back over ISPs.

About Ifrah Law

FTC Beat is authored by the Ifrah Law Firm, a Washington DC-based law firm specializing in the defense of government investigations and litigation. Our client base spans many regulated industries, particularly e-business, e-commerce, government contracts, gaming and healthcare.

Ifrah Law focuses on federal criminal defense, government contract defense and procurement, health care, and financial services litigation and fraud defense. Further, the firm's e-commerce attorneys and internet marketing attorneys are leaders in internet advertising, data privacy, online fraud and abuse law, and iGaming law.

The commentary and cases included in this blog are contributed by founding partner Jeff Ifrah, partners Michelle Cohen and George Calhoun, counsels Jeff Hamlin and Drew Barnholtz, and associates Rachel Hirsch, Nicole Kardell, Steven Eichorn, David Yellin, and Jessica Feil. These posts are edited by Jeff Ifrah. We look forward to hearing your thoughts and comments!