H&H Chronicle of Data Protection : Privacy Lawyers & Attorneys : Hogan & Hartson Law Firm : Data Security, E-Commerce & Technology

Today is "Data Privacy Day", which is being marked around the world, including here in Berkeley, CA at the FTC's "Exploring Privacy" Roundtable.  The purpose of this roundtable discussion, the second in a series of three, is to "explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation."  Today's discussion, like the one that took place at the first roundtable in Washington, is focusing on whether the traditional paradigm of Fair Information Practices -- and especially notice and choice -- suffices to allow consumers to understand and control what information is collected about them and used by others for marketing and other purposes.  Professor Paul Schwartz, on the cloud computing panel, just commented on how typically-complex privacy policies provide "TMI" (too much information) for a consumer to understand and act on.  And Harriet Pearson of IBM also commented on how simply providing a list of companies processing data in the clouds -- service providers -- would not be meaningful for consumers, a proposition with which Scott Shipman of Ebay agreed.

On the issue of meaningful notice, see yesterday's New York Times article on the emergence of an eye-catching icon attached to online ads to attract consumer attention, on which they can click to get information about  what information is being collected about them to deliver targeted ads.  (Full disclosure: the Future of Privacy Forum, the think tank that I founded and co-chair, was instrumental in development of the icon.)

• Email This
• Print

On November 17, the Federal Trade Commission released the agenda of the first of three privacy round tables it will hold over the course of the next few months.  The first round table will occur on December 7 at the FTC Conference Center in Washington, DC, and will feature four panels entitled "Benefits and Risks of Collecting, Using, and Retaining Consumer Data," "Consumer Expectations and Disclosures," "Online Behavioral Advertising," and "Exploring Existing Regulatory Frameworks."

The FTC also announced that its second privacy round table will be held on January 28, 2010 at the University of California, Berkeley, School of Law.  The round table will focus on how technology affects consumer privacy, including its role in both raising privacy concerns and enhancing privacy protections, and will include specific discussions on cloud computing, mobile computing, and social networking.  The FTC has posed two questions for comment in advance of this round table:

1. What role do privacy enhancing technologies play in addressing Internet-related privacy concerns?  Consider the efficacy of technological innovations in areas such as identity management systems, new means of providing consumer notice and choice, and emerging methods of ensuring accountability in data usage.  In framing comments, consider the costs and benefits of privacy-enhancing technologies in the following contexts:  cloud computing services; social networking sites; online behavioral advertising; the mobile environment; services that collect sensitive data, such as location-based information; and any other contexts you wish to address.  If privacy enhancing technologies do play a role in resolving privacy concerns, discuss whether and how to create incentives for the development and adoption of such technologies, and ways to ensure they are effective and useful to consumers.
2. What challenges do innovations in the digital environment pose for consumer privacy, and how can those challenges be addressed without stifling innovation or otherwise undermining benefits to consumers?  For example, consider the technology and business practices that enable greater collection, use, and distribution of consumer data, including evolving methods of observation and tracking; techniques for correlating data, including the re-identification of anonymized data; the merging of data between on-line and off-line environments; and the emergence of third-party application developers in online platform environments.

The FTC currently is soliciting requests to participate as panelists in this second round table, as well as recommendations for topics for inclusion in the agenda, which are due by December 9.  Comments or additional research on the topics will be considered prior to the second round table if they are received by December 21.

Details have not yet been released for the third and final privacy round table, which is to be held on March 17, 2010 in Washington.

• Email This
• Print

The University of Denver Law Review today presented a Syposium on "Cyber Civil Rights: New Challenges for Civil Rights and Civil Liberties in Our Networked Age."  Hogan & Hartson partner (and privacy group co-chair) Christopher Wolf delivered remarks on "Accountability for Online Hate Speech: What Are The Lessons From 'Unmasking' Laws?” 

Chris observed that online anonymity and the privacy it shields can be used as a sword to injure the human dignity of others who are victimized by hate speech.  It also can be used to mislead and indoctrinate young people.

The Internet, in large part because of the shield of online anonymity, has become the medium through which hate groups plot and promote real-world violence, recruit and indoctrinate like-minded haters, mislead and distort information for those – like students – who innocently link to their content. There are, of course, notorious hate mongers who use their real identities and revel in the limelight.   But the vast majority of hate spewed online is done so anonymously. The Internet content of hate mongers – words, videos, music, and social network postings – serve to offend the human dignity of the intended victims, minorities and those who hate groups identify as “the other”.   

Chris went on point out the problem of cyberbullying and hate-filled comments appended to mainstream news articles online.  After reviewing the legal regimes used to "unmask" online copyright infringers, those who commit defamation online and KKK members while marching in groups, Chris acknolwedges the First Amendment limitations on legal regulation of anonymous speech online and proposes a self-regulatory regime by online companies to address hate speech online.  A copy of his full remarks can be found here. 

• Email This
• Print

As the 31st annual International Conference of Data Protection and Privacy Commissioners wraps up in Madrid, capped by the announcement that next year’s conference will occur in Jerusalem, to be hosted by the Israeli Information and Technology Authority, some reflections:

• Security vs. Privacy   There continues to be a tension between the need for security from terrorist and criminal attacks and the right to be free of excessive collection and retention of personal data by governments.  This was the focus of the remarks of the Spanish Minister of the Interior and the US Secretary of Homeland Security, and a panel of experts from around the world who concluded that there needs to be greater focus on the need for all of the information that is harvested from citizens.  The pre-conference session of The Public Voice organized by the Electronic Privacy Information Center resulted in a Madrid Declaration that warned that "privacy law and privacy institutions have failed to take full account of new surveillance practices."

• Corporate Accountability and New Privacy-Enhancing Technologies  Presentations by corporate representatives of Google, Microsoft, eBay, Yahoo!, Procter & Gamble, Accenture and others showed that corporate accountability for privacy (a concept advanced enthusiastically by our friend Marty Abrams of the Center for Information Policy Leadership) is guided not only by the need to be legally compliant but also by the recognition that in our information society, responsible data management will build consumer trust.  There was an impressive demonstration of various new technologies that provide greater transparency and more robust notice to individuals about the collection of data about them, and that give them greater control over the collection, use, transfer and retention of personal data.  For example, Google unveiled new privacy tools and Jules Polonetsky, my co-chair at the Future of Privacy Forum, illustrated the array of technologies available to protect the privacy of children.  The greater demonstration of such “self-regulation” through corporate accountability and the deployment of privacy-enhancing technology was recognized at the conference as an essential pillar of privacy protection. 

• US Law and Enforcement  In the panel on children’s privacy, John Avila of the Walt Disney Company, gave a compelling overview of the breadth and depth of US legal protections for privacy, which includes COPPA to protect kids, and which he pointed out focuses on the areas of greatest privacy concern (such as financial and health privacy).  There were also presentations on the robust enforcement of US privacy laws by the FTC and other authorities, and the innovations in regulation that include, for example, data security breach notification laws which serve as a model for new regulation in Europe.  My conversations with various EU Data Protection Commissioners indicated a growing respect for the US scheme of data protection, in stark contrast to the official EU position that the US lacks adequate protections for personal data which prohibit the cross-border transfer of data to the US absent special arrangements (such as Safe Harbor participation, model contracts or Binding Corporate Rules).

• Cloud Computing and the Smart Grid  There was a focus on the privacy issues implicated by new technologies such as the next generation of cloud computing and the Smart Grid.

• Cross-Border Harmonization of Regulation  Another important theme of the conference concerned cross-border harmonization of privacy regulation, even among countries in the EU that operate under the common principles of the EU Directive but whose laws often reflect differences in detail and application.  In that regard, the European Commission is in the process of soliciting views on the new challenges for personal data protection in order to maintain an effective and comprehensive legal framework to protect individual’s personal data within the EU. 

As with many such conferences, the value of the formal program was augmented by the opportunity of data protection regulators to meet informally with representatives of civil society, privacy advocates, privacy lawyers, and corporate privacy officials.  The interactions over lunch and dinner, and at the wonderful art galleries of Madrid (where tours were made part of the official agenda), allowed for the sharing of perspectives and ideas, and a recognition that no matter which sector is involved, those gathering in Madrid share the commitment to the protection of personal  privacy.

Next year in Jerusalem!
 

• Email This
• Print

Today at the 31st International Conference of Data Protection and Privacy in Madrid, US Secretary of Homeland Security spoke to those of us in attendance about her goal of a US-EU binding agreement on data sharing and privacy.  See this account from former Hogan & Hartson partner Mary Ellen Callahan, now Chief Privacy Officer at DHS, who accompanied Secretary Napolitano to Europe.

Following the ceremonial opening of the conference and addresses from senior government officials from Spain and the US, the delegates got down to work on granular issues of privacy and data protection.  Look for more reports as the meeting progresses.

• Email This
• Print

In advance of the global meeting of data protection authorities starting tomorrow in Madrid, the International Association of Privacy Professionals (IAPP) and the Electronic Privacy Information Center (EPIC) are hosting side events today at the conference hotel.

The biggest news so far, discussed at the IAPP event,  is that the European Commission is seriously considering  new  data security breach notification laws. Previously, the Commission and  the European Council had focused only on breaches at telecom companies and ISPs.

The Commission’s Information Society Commissioner, Viviane Reding,  now has said that new EU-wide legislation requiring all entities to notify individuals and authorities of breaches is seriously under consideration.

Thus, EU compliance officers are paying rapt attention to the discussion by the Americans here of how to comply with data security breach laws.

• Email This
• Print

Starting on Tuesday, November 3d, Hogan & Hartson will be live blogging from international privacy events in Madrid.  Chris Wolf from the firm's Washington Office and Wim Nauwelaerts from the Brussels Office, both senior lawyers in the Privacy and Data Security Practice, will provide timely reports from side events leading to the 31st International Conference of Data Protection and Privacy Commissioners

The civil society conference The Public Voice: Global Privacy Standards in a Global World to be presented by the Electronic Privacy Information Center;  and 

The Data Protection and  Privacy Workshop to be presented by the International Association of Privacy Professionals.    

Then, starting on Wednesday, November 4th, we will bring you reports from the "main event", which the host, the Spanish Data Protection Agency (AEPD), has described as "the largest forum dedicated to privacy in the world, which every year brings together the highest authorities and institutions guaranteeing data protection and privacy, as well as experts in the field from every continent. "

Watch for our daily reports.

• Email This
• Print

Readers of our blog are cordially invited to a complimentary Hogan & Hartson webinar on the legal issues arising from Cloud Computing on Tuesday, October 6 from 11 AM - 12:30 PM EDT.  To request an invitation to the webinar, please e-mail:  jbhowe@hhlaw.com

Cloud computing allows businesses to use the remote computing power of others to handle data and data applications. For most businesses, it is not a question of whether but how to use cloud computing. Cloud computing — a unique form of outsourcing — can reduce costs, improve service delivery, and allow business innovation not feasible with proprietary servers and on-site software.

So the question is how a company can use the new services in ways that protect the company and its data. As with any transfer of valuable company information, there are legal issues and legal risks that must be addressed.

In this webinar, you will learn and have an opportunity to ask questions about these issues and more:

• What exactly is cloud computing? What forms does it take?
• What steps should a company take to protect its intellectual property, including trade secrets and confidential information, in the cloud?
• Is data in the cloud safe from government view, and what can you do to protect it?
• How should you address the privacy law issues implicated by cloud computing, especially in light of the international legal rules on the cross-border transfer of data?
• What labor and employment law issues are implicated by sending data to the cloud?
• How does a company deal with e-discovery when using cloud computing?
• What data security safeguards should a company put in place before outing data in the cloud?
• Whose responsibility is it if there is a data breach and how are the requirements of data security breach notification laws met?
• What are the contracting issues with cloud computing and the best practices for getting a solid cloud computing contract?
• How do companies and cloud service providers handle service level issues?

• Email This
• Print

By Lynda Marshall, Chris Wolf, Marcy Wilder and Tracy Gray

Hello and welcome to the Hogan & Hartson Chronicle of Data Protection.   

We are delighted to introduce you to our privacy blog.  Our goal is to use this blog to bring you timely updates on a wide-range of issues in the privacy arena, including the evolving role of privacy and data protection in health law and policy, security safeguards, international compliance and e-commerce.  The practical implications of changing privacy regulations affect us all, both as professionals and personally, and we hope this blog will serve as a key source of information for you in navigating this ever-changing field.

We also hope you will have the chance to catch some of Hogan & Hartson's privacy team at the IAPP Privacy Academy in Boston, September 16 - 18th.    H&H attorneys will be on the following panels:

• Data Retention - the Monster in the Servers, September 17th at 2:15, featuring Chris Zaetta, Hogan & Hartson, and Andy Holleman, Chief Privacy Officer and Associate General Counsel, Qwest Communications
• In to the Breach - Dealing with the Aftermath of a Data Breach, September 18th at 11 AM, featuring Christopher Wolf, Hogan & Hartson, Chris Cwalina, Vice President and Associate General Counsel, Intersections, Inc., and Carol DiBattiste, Senior Vice President, Privacy, Security, Compliance and Government Affairs, LexisNexis Group
• Pie in the Sky - Looking at a Cloud Contract at Ground Level, September 18th at 11 AM, featuring Zenas Choi, Hogan & Hartson, and Geff Brown, Senior Attorney,  Law and Corporate Affairs, Microsoft Corporation

Thanks for joining us, and we look forward to being a helpful guide in the world of privacy.

• Email This
• Print