Centre Offers Ten Recommendations in Response to Commerce Department Inquiry

The Centre for Information Policy Leadership at Hunton & Williams LLP made ten recommendations in response to the U.S. Department of Commerce’s notice of inquiry, “Information Privacy and Innovation in the Internet Economy.”  The Centre’s recommendations strongly suggest that organizational accountability is the key to providing the flexibility needed to use information robustly while protecting the interest of individuals in maintaining private space in a digital age:

“The flexibility to be innovative must be conditioned on the organization’s accountability for the manner in which it uses, manages, and protects data.  … To strike the appropriate balance between the value created by data use and the risk that use poses to privacy, organizations must implement privacy processes that are as dynamic as their business processes.”

The comments went on to state that accountability can only be effective for the private sector if the government is held to similar requirements with respect to its own protection and use of data.
The Centre’s ten recommendations are:

  1. The Department of Commerce should represent the United States in global privacy discussions;
  2. The Department of Commerce should continue to support development of policy frameworks that will support the global flow of data;
  3. The government should articulate a vision for innovation and privacy in the information economy;
  4. Information policy must have a home within the government;
  5. Both industry and government must be accountable for their use of information;
  6. Federal privacy law must pre-empt state law;
  7. U.S. privacy policy should focus on successful privacy results rather than on procedures that do little to enhance privacy;
  8. Preventing harm must remain a significant feature of the U.S. approach to privacy;
  9. The Department of Commerce should undertake an initiative to develop privacy norms that apply to data analytics; and,
  10. Privacy oversight and enforcement are best carried out by regulatory agencies with authority over specified industry sectors.

View the Centre’s full response to the Department of Commerce’s notice of inquiry and supporting documents, filed June 14, 2010.

Commerce Department Takes Lead in Developing U.S. Internet Privacy Framework

“The Department of Commerce is back.”  With those words Cameron Kerry, General Counsel of the U.S. Department of Commerce, made it clear the Department intends to take a leading role in shaping domestic privacy policy and representing U.S. privacy interests in international discussions.  The announcement was made at the May 7, 2010, Department of Commerce symposium, “A Dialogue on Privacy and Innovation,” where the mostly business audience welcomed Mr. Kerry’s declaration with great enthusiasm.

In the 1990s, during the Clinton Administration, the Department of Commerce led U.S. efforts to develop policy related to privacy on the Internet and encouraged the development of online privacy policies and privacy seal programs.  Within the Department, the National Telecommunications and Information Administration (“NTIA”) authored numerous privacy position papers, and the International Trade Commission (“ITA”) negotiated the U.S.-European Union Safe Harbor Framework.  During the Bush Administration and the first year of Obama’s tenure, however, the Department was largely silent on privacy issues.

Beginning last fall, the Department began holding sessions to investigate the effectiveness of privacy protections in the United States and the impact of privacy regulation on businesses.  The sessions were led by Marc Berejka, Senior Policy Advisor in the Secretary’s Office at the Department of Commerce, and Danny Weitzner, Associate Administrator for the NTIA’s Office of Policy Analysis and Development.  Over the past few months, the Department, in conjunction with NTIA and ITA, formed the Internet Policy Task Force and issued a notice of inquiry to discuss the “nexus between privacy policy and innovation in the Internet economy.” 

Last Friday’s day-long symposium included an introductory discussion on the global Internet economy and privacy that was followed by four panel discussions.  Professor Fred Cate, Senior Policy Advisor with the Centre for Information Policy Leadership and Distinguished Professor of Law at Indiana University Law School, set the stage for the first panel on “Privacy, Innovation and Global Trade.”  The participation of other Obama administration officials indicated that the Department is not alone in these efforts.  White House Deputy Chief Technology Officer Andrew McLaughlin led a panel on “Privacy Frameworks and Innovative Uses of Personal Information,” and Deputy Assistant Secretary of State and U.S. Coordinator for International Communications and Information Policy Phil Verveer spoke on the “Privacy on the Ground” panel.
 
The Department of Commerce will be receiving comments until June 7, 2010, on the notice of inquiry it issued on April 20, 2010.  A draft paper is expected in early October, ahead of the Organization for Economic Cooperation and Development’s conference on privacy and technology, and the 32nd International Data Protection and Privacy Commissioners Conference, both of which will take place in Jerusalem during the last week of October.

Department of Commerce to Seek Public Comment on Privacy Issues

On April 20, 2010, the Department of Commerce (“DOC”) issued a Notice of Inquiry to solicit public feedback “on the impact of current privacy laws in the United States and around the world on the pace of innovation in the information economy.”  The aim is to understand “whether current privacy laws serve consumer interests and fundamental democratic values.”  To this end, the DOC poses a number of questions, including:

  • Is the notice and choice approach to consumer privacy outmoded?  Would consumers be better served by a “use-based” model?
  • How does compliance with myriad state privacy laws affect business activities and online operations?
  • How do international privacy laws and regulations impact global Internet commerce, compliance costs, product development process and Internet users?
  • What jurisdictional conflicts do companies and regulators face as a result of privacy laws?  What is their impact on trade and foreign investment?
  • How does the U.S. privacy framework affect business innovation, accountability and compliance related to the use of personal information?
  • What is the state of the development, use and acceptance of privacy-related technologies?
  • How do privacy laws impact startup ventures and small and medium-sized entities?

The DOC plans to issue a report based on an analysis of public feedback it receives.  According to a DOC spokesperson, the Notice of Inquiry is expected to be published in the Federal Register on April 23, 2010.  Hunton & Williams’ Centre for Information Policy Leadership will be submitting comments. 

On April 16, we reported that the DOC will be holding a public meeting on May 7, 2010, to listen to stakeholders’ views on privacy policy and innovation in the United States.
 

Department of Commerce Announces a Public Meeting on "Information Privacy and Innovation in the Internet Economy"

The Department of Commerce (“DOC”) will be holding a public meeting on May 7, 2010, in Washington, D.C., to listen to stakeholders’ views on privacy policies in the United States.  This session is part of a broader inquiry by the DOC’s newly created Internet Policy Task Force “whose mission is to identify leading public policy and operational challenges in the Internet environment.”  The DOC’s National Telecommunications and Information Administration and the International Trade Administration will issue a notice of inquiry to look at the nexus between innovation and privacy on the Internet.  The Centre for Information Policy Leadership will be participating in these processes.

FTC Takes Additional Safe Harbor-Related Enforcement Actions

On October 6, 2009, the Federal Trade Commission (“FTC”) announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the U.S. Department of Commerce Safe Harbor program.  In six separate complaints, the FTC alleged that ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC deceived consumers by representing that they maintained current certifications to the Safe Harbor program when such certifications had previously lapsed.  The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security or other compliance program.  The six enforcement actions are significant as they mark a considerable uptick in the FTC’s enforcement related to the Safe Harbor program. The FTC recently brought its first enforcement action relevant to the program, which is detailed in our post titled FTC's First Safe Harbor Enforcement Action.

The European Union Data Protection Directive requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the EU has made a determination that the laws of the recipient jurisdiction are substantially equivalent to those of the EU, and thus provide “adequate” protection for personal data.  Because the EU has determined that laws of the United States do not meet its adequacy standard, the U.S. Department of Commerce and the EU developed the Safe Harbor Framework, which went into effect in November 2000.  The Safe Harbor Program allows participating U.S. companies under the jurisdiction of the FTC or the U.S. Department of Transportation to transfer personal data lawfully from the EU.  To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with seven principles that have been deemed to meet the EU’s adequacy standard.  To maintain its certification to the Safe Harbor program, a company must re-certify on an annual basis that it continues to comply with the seven principles. The Department of Commerce maintains a list of all currently-certified companies.

The proposed FTC settlement agreements highlight that companies certified to the Safe Harbor program should verify that their certifications remain current.  If companies wish to cease Safe Harbor membership, their representations, including those in website notices and marketing materials, should be promptly updated to avoid deceptive representations to consumers.  In all cases, the defendant companies had let their memberships lapse; exhibits to the FTC's complaints included pages from their websites, in which the companies continued to claim Safe Harbor membership.

FTC's First Safe Harbor Enforcement Action

The Federal Trade Commission (“FTC”) has secured a temporary restraining order against a company that allegedly falsely claimed to have self-certified to the EU/U.S. Safe Harbor Program.  One count of the FTC's complaint claims that the company (named Balls of Kryptonite, LLC) misled consumers by inaccurately representing that it had self-certified to the U.S. Department of Commerce that it was Safe Harbor compliant.  While the FTC has not alleged a substantive violation of the Safe Harbor, this case is significant for two reasons.  First, it marks the first time the FTC has brought an enforcement action with respect to the Safe Harbor Program.  The court order prohibits the defendants from misrepresenting the extent to which they “are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy, security, or any other compliance program sponsored by any government or third party.”  Second, the FTC acted in concert with the UK Office of Fair Trading after consumers in the UK registered complaints with the FTC using a website established by 25 international consumer protection agencies to facilitate global consumer protection efforts.  This is the first time the FTC has used the U.S. SAFE WEB Act of 2006 to enforce consumer protection regulations against a U.S. company operating exclusively outside the United States.

The European Union Data Protection Directive requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the EU has made a determination that the laws of the recipient jurisdiction are substantially equivalent to those of the EU, and thus provide “adequate” protection for personal data.  Because the EU has determined that laws of the United States do not meet its adequacy standard, the U.S. Department of Commerce and the EU developed the Safe Harbor Framework, which went into effect in November 2000. The Safe Harbor Program allows participating U.S. companies under the jurisdiction of the FTC or the U.S. Department of Transportation to transfer personal data lawfully from the EU.  To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with seven principles that have been deemed to meet the EU’s adequacy standard.  A company under the FTC’s jurisdiction that self-certifies to the Safe Harbor principles but fails to implement them may be subject to an enforcement action under Section 5 of the FTC Act, which prohibits deceptive trade practices. 

In this case, the FTC successfully argued that, regardless of the company’s data protection practices, falsely claiming to be Safe Harbor certified could constitute a violation of the FTC Act in and of itself.  The defendants have been ordered to appear on September 25, 2009 to show cause why the court should not enter a preliminary injunction prohibiting further violations.

US-Swiss Safe Harbor Framework in Force

On February 16, 2009, the US-Swiss Safe Harbor Framework, which is comparable to the EU-US Safe Harbor Framework, was adopted. The US-Swiss framework is intended to simplify the transfer of personal data by Swiss companies to American companies that are self-certified with the US Department of Commerce (DOC). Self-certified US companies are bound by the principles contained in the framework. They will automatically be considered as providing an adequate level of data protection under Swiss law.