Privacy & Information Security Law Blog

On July 13, 2011, the Article 29 Working Party (the “Working Party”), adopted an Opinion on the concept of consent as a legal basis for processing personal data, which includes recommendations for improving the concept in the context of the ongoing review of the EU data protection framework.  The Opinion also analyzes the conditions for valid consent under EU data protection law (that consent must be “freely given,” “specific,” “unambiguous,” “explicit,” “informed,” etc.), and clarifies the obligations of data controllers seeking consent.  In addition, the Opinion provides examples of valid and invalid consent with respect to company social media, medical research, body scanners, PNR data and online gaming.

On June 15, 2011, European Data Protection Supervisor (“EDPS”) Peter Hustinx gave a press conference to present his annual report for 2010.  The annual report provides an overview of the EDPS’ main activities in 2010 and sets forth key priorities and challenges for the future.

In his speech, Hustinx focused primarily on the review of the EU data protection framework and the Data Retention Directive.  He referenced his recent Opinion in which he concluded that the Data Retention Directive does not meet general EU data protection requirements and that the European Commission should explore the possibility of replacing it with alternative measures such as data preservation through a “quick freeze” procedure.  Hustinx also stated his intention to keep a close eye on any developments with respect to RFID technology, cloud computing and online enforcement of intellectual property rights.

As reported yesterday, on June 16 and 17, 2011, the Hungarian Presidency of the Council of the European Union hosted a high-level international data protection conference in Budapest.  The following are some highlights from the second day’s events:

• During the “New principles in the field” panel, Professor Paul De Hert of the Vrije Universiteit Brussel gave an explanation of the case I v. Finland, which was decided by the European Court of Human Rights on July 17, 2008, and which both he and European Data Protection Supervisor Peter Hustinx agreed was a key document for the concept of accountability in European data protection law.  Endre Szabó of the Hungarian Ministry of Public Administration and Justice noted that the principle of accountability had not yet been fully accepted by all members of the European Council.

On May 26, 2011, the United Kingdom’s Lord Chancellor and Secretary of State for Justice Kenneth Clarke spoke before the EU Committee of the British Chamber of Commerce in Belgium.  His remarks focused on data protection, a subject he characterized as one “heavily on the agenda” in Brussels and in many EU Member States.  Clarke emphasized his own role as a proponent of data protection and a defender of civil liberties and individual freedom, and discussed the introduction into Parliament of a major bill to enhance individual freedom in the UK.  Key measures in the bill, many of which respond to issues raised over the past few years by the UK Information Commissioner, include:

• Greater independence for the Information Commissioner
• Safeguards against misuse of counter-terrorism stop and search powers
• Further regulation of the use of closed-circuit television monitoring
• Reform of the regulations governing vetting and barring of ex-offenders and persons working with children and vulnerable adults

On April 25, 2011, Legal Bisnow interviewed Marty Abrams, Executive Director of the Centre for Information Policy Leadership at Hunton & Williams LLP, and Hunton & Williams partner Lisa Sotto about hot topics in privacy and data protection.

Read Legal Bisnow’s article, “Hottest Practice Area?”.

On April 12, 2011, U.S. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the Commercial Privacy Bill of Rights Act of 2011 (the “Act”) to “establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission.”  The bill applies broadly to entities that collect, use, transfer or store the “covered information” of more than 5,000 individuals over a consecutive 12-month period.  Certain provisions of the bill would direct the FTC to initiate rulemaking proceedings within specified timeframes, but the bill also imposes requirements directly on covered entities.

On March 16, 2011, a meeting of the “European Privacy Platform” group of the European Parliament was held in Brussels.  The meeting provided important insights into the likely structure and content of proposed revisions to the European Data Protection Directive 95/46/EC that the European Commission has been working on for the past several months.

The Council of the European Union (the “Council”) released its conclusions following meetings held on February 24 and 25, 2011, regarding the European Commission’s November 4, 2010 Communication proposing “a comprehensive approach on personal data protection in the European Union” which we reported on last November.

On January 28, 2011, the Centre for Information Policy Leadership at Hunton & Williams LLP filed comments with the United States Department of Commerce in which the Centre stressed privacy governance based on data stewardship by accountable organizations.  The Centre was one of a number of organizations that submitted comments in response to the Department of Commerce’s privacy paper, “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework,” which was released in December 2010.  The theme of today’s comments is similar to that which the Centre suggested earlier this month in its comments responding to the European Commission’s consultation paper.

While much of the attention of the privacy policy community in Washington, D.C. has been focused on the two reports issued in December 2010 by the Federal Trade Commission and the Department of Commerce, a third government report has received far less press attention, but may have a greater impact on U.S. business and consumers.  The work of the President’s Council of Advisors on Science and Technology (“PCAST”) and its Health Information Technology Working Group, the report, “Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward,” was released by the White House on December 8, 2010.

On January 17, 2011, the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) released a response to the European Commission’s consultation paper, “A comprehensive approach on personal data protection in the European Union.”  In its response, prepared by Richard Thomas, former UK Information Commissioner and Global Strategy Advisor of the Centre, the Centre calls for a modernized European framework for data protection that addresses the realities of the digital age.

The Centre for Information Policy Leadership at Hunton & Williams has issued the following statement about the U.S. Department of Commerce’s “Green Paper” released on December 16:

The Centre for Information Policy Leadership congratulates the Department of Commerce on the release of its Green Paper, entitled “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework,” and commends the Department for the extensive outreach and research it conducted to inform the document. 

As previously reported, on December 16, 2010, the U.S. Department of Commerce released its Green Paper “aimed at promoting consumer privacy online while ensuring the Internet remains a platform that spurs innovation, job creation, and economic growth.”

During a press teleconference earlier that morning announcing the release of the Green Paper, Secretary Gary Locke commented on the Green Paper’s recommendation of adopting a baseline commercial data privacy framework, or a “privacy bill of rights,” built on an expanded, revitalized set of Fair Information Practice Principles (“FIPPs”).  He indicated that baseline FIPPs would respond to consumer concerns and help increase consumer trust.  The Secretary emphasized that the Department of Commerce would look to stakeholders to help flesh out appropriate frameworks for specific industry sectors and various types of data processing.  He also noted that the agency is soliciting comments on how best to give the framework the “teeth” necessary to make it effective.  The Secretary added that the Department of Commerce is also open to public comment regarding whether the framework should be enforced through legislation or simply by conferring power on the Federal Trade Commission.

On December 16, 2010, the U.S. Department of Commerce Internet Policy Task Force issued its “Green Paper” on privacy, entitled “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.”  The Green Paper outlines Commerce’s privacy recommendations and proposed initiatives, which contemplate the establishment of enforceable codes of conduct, collaboration among privacy stakeholders, and the creation of a Privacy Policy Office in the Department of Commerce.  Noting that “privacy protections are crucial to maintaining the consumer trust that nurtures the Internet’s growth,” the Green Paper “recommends reinvigorating the commitment to providing consumers with effective transparency into data practices, and outlines a process for translating transparency into consumer choices through a voluntary, multistakeholder process.”

On December 10, 2010, Senior Advisor to U.S. Senator John Kerry (D-Mass.), Daniel Sepulveda, briefed the Centre for Information Policy Leadership at Hunton & Williams LLP (the “Centre”) members on Senator Kerry’s forthcoming privacy legislation.  The bill, which will be introduced next Congress, aims to establish a regulatory framework for the comprehensive protection of individuals’ personal data that authorizes rulemakings by the Federal Trade Commission.

On December 1, 2010, the European Parliament hosted a Privacy Platform on the European Commission’s recent Communication proposing “a comprehensive approach on personal data protection in the European Union,” which is aimed at modernizing the current EU data protection framework.

The panel, hosted by European Parliament Member Sophie in ‘t Veld, included:

• The Head of Cabinet of the European Commission’s Commissioner for Justice, Fundamental Rights and Citizenship, Martin Selmayr (in Commissioner Viviane Reding’s absence);
• The Chairman of the Article 29 Working Party, Jacob Kohnstamm; and
• The European Data Protection Supervisor, Peter Hustinx.

The Platform was very well attended, bringing together a wide range of stakeholders from both the public and private sectors.

David Vladeck, Director of the FTC’s Division of Consumer Protection, this morning previewed the long-awaited FTC report that sums up months of discussion regarding the future of privacy regulation in the United States and examines the viability of a Do Not Track mechanism.  Vladeck indicated at the Consumer Watchdog Policy Conference that the existing privacy framework in the U.S. is not keeping pace with new technologies.  In addition, he stated that the pace of industry self-regulation, while constructive, has been too slow.  According to Vladeck, the report will address several major themes, including the following:

Earlier today, a Department of Commerce official briefed Hunton & Williams and Centre for Information Policy Leadership representatives on the Department’s forthcoming “Green Paper” on privacy.  On November 12, 2010, Telecommunications Reports Daily published an article based on information obtained from an unofficial, pre-release draft version of the Green Paper.  It remains to be seen which portions of the leaked draft ultimately will survive the interagency approval process currently underway.  The Department of Commerce representative emphasized that the content of the draft Green Paper currently undergoing review is consistent with Assistant Secretary of Commerce Larry Strickling’s October 27, 2010, speech in Jerusalem.  In his speech, Secretary Strickling explained that the Department is calling it a “Green” Paper, “not because of its environmental impact, but because it contains both recommendations and a further set of questions on topics about which [the Department] seek[s] further input.”

On November 4, 2010, the European Commission (the “Commission”) released a draft version of its Communication proposing “a comprehensive approach on personal data protection in the European Union” (the “Communication”) with a view to modernizing the EU legal system for the protection of personal data.  The Communication is the result of the Commission’s review of the current legal framework (i.e., Directive 95/46/EC), which started with a high-level conference in Brussels in May 2009, followed by a public consultation and additional targeted stakeholders’ consultations throughout 2010.  Although the Commission considers the core principles of the Directive to still be valid, the Communication equally acknowledges that the existing legal framework for data protection in the European Union is no longer able to meet the challenges of rapid technological developments and globalization.

On October 26, 2010, the Centre for Information Policy Leadership (the “Centre”) released its long-awaited paper, “Demonstrating and Measuring Accountability, Accountability Phase II – The Paris Project” at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, Israel.  This document is the result of the deliberations of an international working group that includes 60 representatives of business, civil society, government, data protection and privacy enforcement agencies, and the European Data Protection Supervisor.  ...

This year, the 32nd International Conference of Data Protection and Privacy Commissioners takes place in Jerusalem.  In addition, the Israeli Law, Information and Technology Authority (“ILITA”) is hosting a week of privacy activities to mark the 30th anniversary of the OECD Privacy Guidelines.

On behalf of a group of interested parties (the “Group”), Hunton & Williams and Acxiom submitted a response to the UK Ministry of Justice’s (“MoJ”) recent Call for Evidence on the effectiveness of current data protection legislation in the UK.  The Group is comprised of representatives from more than 40 organizations, including Barclays Bank, Dell, Fujitsu and GE Capital, all of which are committed to using personal data responsibly.  Hunton & Williams and Acxiom, a global leader in interactive marketing services, with the attendance of the Group, worked together over the last two months to host two discussion meetings, and produced a submission summarizing the Group’s views.

On September 29, 2010, the Centre for Information Policy Leadership (the “Centre”) hosted a pre-conference workshop at the International Association of Privacy Professionals (”IAPP”) Privacy Academy in Baltimore, Maryland.  The tutorial “Accountability on the Ground,” led by Centre Executive Director Marty Abrams, offered practical guidance on the subject of accountability.  The workshop, which featured presentations by Centre member companies, discussed in-depth examples of how organizations can implement an accountability program.

Please join us at these great events coming up this fall.  Several members of Hunton & Williams’ Privacy and Information Management team are presenting at these events to discuss the current and evolving privacy and data security issues occurring around the world.

Internet Rights and Technology: A Practical Legal Guide to Doing Business on the Internet – New York City Bar
On September 28, 2010, 6:00 p.m. – 8:45 p.m., the New York City Bar hosts a live program to discuss how the Internet affects various areas of law, including intellectual property, new media, litigation, regulatory and licensing.  The faculty includes Hunton & Williams partner, Aaron P. Simpson, who will lead the Privacy & Data Security session.

The European Union’s Article 29 Working Party adopted a detailed recommendation on accountability which was submitted to the European Commission on July 13, 2010.  Opinion 3/2010 elaborates on the Working Party’s 2009 recommendation to include a new principle on accountability in the revised EU Data Protection Directive.  The Opinion’s executive summary states:

“EU data protection principles and obligations are often insufficiently reflected in concrete internal measures and practices.  Unless data protection becomes part of the shared values and practices of an organization, and responsibilities for it are expressly assigned, effective compliance will be at considerable risk, and data mishaps are likely to continue.

…this Opinion puts forward a concrete proposal for a principle on accountability which would require data controllers to put in place appropriate and effective measures to ensure that principles and obligations set out in the Directive are complied with, and to demonstrate so to supervisory authorities upon request.”

The Centre for Information Policy Leadership at Hunton & Williams LLP made ten recommendations in response to the U.S. Department of Commerce’s notice of inquiry, “Information Privacy and Innovation in the Internet Economy.”  The Centre’s recommendations strongly suggest that organizational accountability is the key to providing the flexibility needed to use information robustly while protecting the interest of individuals in maintaining private space in a digital age:

“The flexibility to be innovative must be conditioned on the organization’s accountability for the manner in which it uses, manage, and protects data.  … To strike the appropriate balance between the value created by data use and the risk that use poses to privacy, organizations must implement privacy processes that are as dynamic as their business processes.” 

On April 20, 2010, the Department of Commerce (“DOC”) issued a Notice of Inquiry to solicit public feedback “on the impact of current privacy laws in the United States and around the world on the pace of innovation in the information economy.”  The aim is to understand “whether current privacy laws serve consumer interests and fundamental democratic values.”  To this end, the DOC poses a number of questions, including:

• Is the notice and choice approach to consumer privacy outmoded?  Would consumers be better served by a “use-based” model?
• How does compliance with ...

On March 3, 2010, the UK Information Commissioner launched a report on the "Privacy Dividend" (the “Report”), which outlines the business case for proactively investing in privacy protection.  The lack of a robust business case is a common barrier to privacy investment, and too often such investment is approved only after a privacy breach or other crisis occurs.

On December 7, 2009, the Business Forum for Consumer Privacy released “A Use and Obligations Approach to Protecting Privacy: A Discussion Document" at the Federal Trade Commission’s roundtable entitled “Exploring Privacy.”  The roundtable was a first step in the FTC’s effort to re-examine privacy protection in light of rapid, dynamic changes in technology, advances in data analytics and increasingly ubiquitous data collection and use.  The paper is the product of a three year effort on the part of the Forum to develop an approach to protecting data that meets the needs of businesses and consumers in this emerging environment.  The paper may be found at www.informationpolicycentre.com.

In a closed session on November 5, 2009, the 31st International Conference of Data Protection and Privacy Commissioners adopted the International Standards on the Protection of Personal Data and Privacy (the “Standards”).  Although the document is advisory in nature and is not legally binding, it offers guidance to States that have not yet adopted comprehensive data protection laws.  The Spanish Data Protection Agency, which acted as the secretariat for drafting the Standards, held two meetings that included more than fifty privacy enforcement agencies, privacy advocates and businesses before hosting a final drafting session that was reserved for recognized data protection authorities.

In 1980, the Organization for Economic Cooperation and Development (“OECD”) first published privacy guidelines that included an accountability principle.  Since that time, little work has been done to define accountability or to describe what it means for organizations to be accountable for the responsible use and protection of data.  In an effort to fill that gap, The Centre for Information Policy Leadership has authored “Data Protection Accountability: The Essential Elements” which articulates the conditions organizations would have to meet to be accountable.  The Accountability paper is the result of the Galway Accountability Project, an initiative facilitated by Ireland’s Office of the Data Protection Commissioner and co-sponsored by the OECD.  As the project’s secretariat, the Centre served as principal drafter of the Accountability paper, which considers the concept of accountability as it applies in the current data environment where data collection and use is ubiquitous, data flows are difficult or impossible to track, and jurisdictional issues abound as data crosses national borders.  The Galway Project enlisted specialists from twelve countries, and the participation of privacy protection agencies from Europe, Asia and North America.  Consumer advocates and business representatives also took part.  The Accountability paper will bring a critical international perspective to the dialogue on changing privacy law in Europe, the United States and Canada.