The existing Law on the Protection of Consumer Rights and Interests has been in effect for about 20 years, although there have been vigorous discussions in recent years about amending this law. Proposed amendments have gained momentum due to the frequent occurrences of illegal disclosures of consumer personal information.

The current law provides no mechanisms for preventing or addressing these events. For example, the current law does not contain any provisions that protect the personal information of consumers. The Proposed Amendment would address this omission by providing that:

• consumers are entitled to the protection of their personal information such as their name and image when purchasing goods or receiving services;
• when collecting and using consumers’ personal information, companies must (1) comply with the principles of legality, fairness and necessity; (2) expressly inform the consumer of the purpose, method and scope of such collection and use; (3) publish their policies on the collection and use of personal information; (4) comply with relevant legal requirements and consumers’ preferences; and (5) obtain consumers’ consent to the collection and use of the personal information;
• companies must keep consumers’ personal information confidential, and must not disclose, amend, destroy, sell or illegally provide the consumer personal information to others;
• technical and other measures must be taken by companies to secure consumer personal information, and any destruction or loss of such information must be mitigated; and
• companies are not permitted to send any commercial digital information to any consumer without the consumer’s consent or request, including when the consumer expressly rejects the provision of such information.

The foregoing provisions are not new, but are instead consistent with provisions previously established under the Resolution of the Standing Committee of the National People’s Congress Relating to Strengthening the Protection of Information on the Internet, which was enacted in December 2012. The Proposed Amendment appears to extend existing rules applicable to the Internet information services sector to the realm of consumer protection. Similar provisions have been in effect for several years at the provincial level under provincial consumer protection regulations.

We will provide an update when the final version of the Proposed Amendment is officially enacted by the National People’s Congress.

While the FTC did not officially analyze any of these companies’ practices, the letters demonstrate that the FTC will not delay enforcement for companies whose practices are not in compliance with the updated Rule by July 1, 2013. The FTC did mention, however, that it will exercise prosecutorial discretion in enforcing the Rule, particularly with respect to smaller businesses that have attempted to comply in good faith soon after the deadline.

View the text of the updated COPPA Rule and our previous post on the updated Rule.

The Administration’s proposal is not expected to expand the government’s legal authority to conduct surveillance. Title 18 of the Federal Code and the Foreign Intelligence Surveillance Act already authorize the government to obtain a court order for surveillance of wire, oral or electronic communications of serious criminal suspects and national security threats. Instead, the proposal likely will create strong financial incentives for companies (in particular webmail providers and social networking sites) to develop the intercept capabilities necessary to comply with such orders in a timely fashion. Under current law, such providers are only required to provide the government with technical assistance.

In the early 1990s, the government confronted an earlier version of this problem when the telecommunications industry was developing and implementing new digital cell phone technology. In response, Congress enacted the Communications Assistance for Law Enforcement Act (“CALEA”) in 1994. CALEA required “telecommunications carriers” to develop network intercept capabilities to isolate and deliver communications to the government. Over the years, through interpretation by the Federal Communications Commission, CALEA has been expanded to apply to facilities-based broadband Internet access and certain types of Voice over Internet Protocol (“VoIP”) services. However, CALEA still does not cover Internet-based communication modalities such as webmail, social networking sites or peer-to-peer services. The Administration’s proposal is expected to create incentives for providers of such services to be able to comply with court orders for electronic surveillance.

The Administration’s review of the FBI proposal has sparked a heated, public debate between law enforcement and the technology industry over competing considerations regarding national security, the desire to minimize any effect on the competitiveness and innovation of U.S. companies, and concerns that mandating intercept capabilities will create new cybersecurity vulnerabilities. As reported in Bloomberg, Paul Tiao, partner at Hunton & Williams and former senior counselor for Cybersecurity and Technology to the FBI Director Robert Mueller, said, “The challenge is how to develop a system that enables the FBI and law enforcement agencies to protect the country without undermining the competitiveness and innovation of Internet entrepreneurs.”

An interagency task force within the Administration has been examining ways to modify the FBI proposal to address the “going dark” problem without undercutting innovation or creating cybersecurity risks. According to news accounts, the FBI originally proposed to broaden the scope of CALEA to cover Internet communications service providers. In response to concerns that this change would undercut innovation, the FBI modified its proposal to target only those companies that previously have been served with a court order or have been warned by the government that they are likely to be served with one. Under this proposal, companies that are not likely to be served with an order (e.g., start-ups that have only a small number of users) would not be required to devote engineering resources and time to developing a wiretap intercept capability.

We will provide updated information as this issue develops.

The Report highlights a lack of understanding of the Proposed Regulation by UK businesses. Of the 506 businesses surveyed, 87 percent of respondents were unable to estimate the likely cost of complying with the requirements of the Proposed Regulation, and 82 percent of respondents were unable to quantify their current spending on data protection compliance.

The uncertainty surrounding the cost implications of the Proposed Regulation is an important issue. The European Commission has estimated net savings of €2.3 billion attributable to the Proposed Regulation; in contrast, the UK Ministry of Justice has forecasted that compliance with the Proposed Regulation would cost the UK between £100 million and £360 million per year. The Report suggests that the financial impact is in fact unknown, stating that “what is best for business” must be based on valid evidence, and that the reform is “too important for guesswork.”

The Report also reveals that many businesses in the UK already are voluntarily implementing some of the provisions that will become mandatory, such as the appointment of a data protection officer. According to the Report, the vast majority of respondents with over 250 employees already employ staff with a job position focused on data protection compliance, as do most companies that maintain more than 100,000 records and have a greater perceived risk of security breaches.

In the ICO’s news release on the Report, the ICO “urge[s] the European Commission to take on board what [the Report] says, and to refocus on the importance of developing legislation that delivers real protections for consumers without damaging business or lobbying regulators.”

For more information on the Proposed Regulation, visit our EU Data Protection Regulation Tracker.

The FTC noted that data broker companies that collect, distribute or sell consumer credit information are consumer reporting agencies (“CRAs”) under the FCRA. As CRAs, the data broker companies must verify the identities of their customers requesting the consumer information and ensure that these customers have a legitimate purpose for receiving the information.

As part of the test-shopping operation, FTC staff members posing as individuals or representatives of companies contacted 45 data broker companies seeking information about consumers to make decisions related to creditworthiness, eligibility for insurance and suitability for employment. According to the FTC, ten out of the 45 data broker companies appeared to violate FCRA requirements for CRAs. The FTC sent warning letters to the ten companies, which include 4Nannies, Brokers Data, Case Breakers, ConsumerBase, Crimcheck.com, People Search Now, U.S. Information Search, US Data Corporation and USA People Search. According to the FTC’s letters, the companies offered (1) “pre-screened” lists of consumers for making offers of credit; (2) consumer information for use in making insurance decisions; or (3) consumer information for employment purposes, without ensuring that that consumers’ information was protected.

The FTC issued the letters on May 2, 2013, in conjunction with an international privacy practice transparency sweep conducted by the Global Privacy Enforcement Network, which connects privacy enforcement authorities to promote and support cooperation in cross-border enforcement of privacy laws. The FTC’s letters are not official notices that the data broker companies are subject to FCRA requirements, nor are they formal complaints against the companies. Rather, these letters serve to remind the data broker companies to determine whether they are CRAs by reviewing their practices and how to comply with the FCRA if they are subject to its requirements. The letters come after the FTC had issued Orders to File Special Report in December 2012 to nine data brokerage companies, seeking information about how these companies collect and use personal data about consumers.

The French Data Protection Authority (“CNIL”) is participating in this initiative and has announced that it would subject 250 top websites to further scrutiny.

According to the CNIL, the purpose of the review is to examine whether web users are properly informed of:

• the types of personal data collected;
• the purposes for which the data are collected;
• whether personal data are transferred to third parties; and
• whether web users can object to the transfer of their personal data to third parties.

The CNIL also considered whether this information was provided in clear and plain language such that web users can easily understand the notice.

The CNIL may carry out more detailed reviews if its initial findings reveal serious breaches of the French Data Protection Act. It also is possible that other data protection authorities that are participating in the Internet Sweep may take similar action.

Apple used these clauses, which are summarized below, in terms and conditions for its online store as well as in its privacy policy. The court held that the clauses violated various provisions of Germany’s Civil Code, the Federal Data Protection Act, the Telemedia Act, the Telecommunications Act and the German Act Against Unfair Competition. Before the court issued its judgment, Apple had already agreed not to use seven of its other standard data protection clauses.

The case, which was brought by a consumer rights group, is important because the court interpreted the relevant data protection clauses in accordance with German data protection law rather than Irish data protection law. A similar issue was recently the subject of another judgment, although with a different outcome.

Notably, the court held that for the purposes of German data protection law, even “anonymized” location data can, in certain circumstances, constitute personal data. It also ruled that a pre-checked box by which the customer “opted in” to receive advertisements violated Germany’s Act Against Unfair Competition.

The clauses analyzed by the regional court of Berlin concerned:

• the sharing of personal data within Apple’s group of companies and the combination with other data to offer services, content or advertisements;
• the use and sharing of personal data relating to the customer’s family and friends;
• the use of personal data in the context of product announcements, software updates and events, as well as in the context of service, content or advertisement improvement;
• the use of personal data to develop, offer and enhance services, content and advertisements;
• the use of personal data for internal purposes such as data analytics and research to improve products, services and customer communications;
• the sharing of personal data with third parties in the context of serving or improving advertisements;
• the sharing of personal data with third party subcontractors in the context of data processing services, customer data management, evaluation of customer interest, customer research and surveys; and
• the collection and use of location data by Apple and its service providers in the context of location-based products.

The court’s judgment can still be appealed and is not yet binding.

The bill sets out the circumstances under which German law enforcement and intelligence agencies can access telecom user data. Notably, access will now be permitted not only in the context of suspected criminal offenses but also in the context of suspected administrative offenses (e.g., a traffic offense such as speeding). Commercial telecommunications service providers with more than 100,000 users are also required to make an electronic interface available to facilitate access to the telecom user data.

An earlier law which sought to regulate this area was curtailed by the German Federal Constitutional Court. In response, the bill seeks to address the Constitutional Court’s concerns. To become law, the bill must be signed by the German Federal President and published in the official legal gazette. Following that, and subject to any further challenges before the Constitutional Court, the proposed new law is expected to become effective on July 1, 2013.