Changes to e-Privacy Directive Approved by European Parliament

Posted on November 24, 2009 by Hunton & Williams LLP

On November 24, 2009, the European Parliament formally approved the European Union's telecoms reform package.  This reform proposed by the European Commission in November 2007 consists of various different EU Directives that set-up the legal framework applicable to the electronic communications sector (telecoms) and includes a new e-Privacy Directive.

New provisions of the e-Privacy Directive will strengthen the protection of privacy and personal data in the electronic communication sector and includes the following:

  • mandatory notification for personal data breaches applicable to electronic communication services providers (e.g., telecom providers and ISPs);
  • new regulations on cookies;
  • clarification of the scope of the e-privacy Directive; and
  • enhancement of the right of actions against spam.

The amendment to the e-Privacy Directive seems to be final now and the telecoms package will be signed by the presidents of the European Parliament and Council.  The telecoms reform package will then most likely be enacted with its publication in the EU's Official Journal on December 18, 2009.  EU Members States will be required to implement the new legislation into their national law by June 2011.

View the press release by the European Commission.

Tags: , , , , , , , , , , , , ,

Observations on Standards Document Adopted by 31st International Conference of Data Protection and Privacy Commissioners

Posted on November 13, 2009 by Hunton & Williams LLP

In a closed session on November 5, 2009, the 31st International Conference of Data Protection and Privacy Commissioners adopted the International Standards on the Protection of Personal Data and Privacy (the “Standards”).  Although the document is advisory in nature and is not legally binding, it offers guidance to States that have not yet adopted comprehensive data protection laws.  The Spanish Data Protection Agency, which acted as the secretariat for drafting the Standards, held two meetings that included more than fifty privacy enforcement agencies, privacy advocates and businesses before hosting a final drafting session that was reserved for recognized data protection authorities.

The Standards advise States without comprehensive data protection laws to (1) recognize privacy as a fundamental human right, (2) require organizations to follow traditional fair information practice principles, and (3) create supervisory authorities for data protection that “shall be impartial and independent, and will have technical competence, sufficient powers and adequate resources … .”  In addition, the Standards allow for data transfers to States that meet the requirements set forth in the document as well as transfers based on organizational accountability. 

This new framework outlined in the Standards marks a departure from the EU requirement that States establish “independent agencies” to be recognized as “adequate” under the data protection directive.  This difference in tone, as well as the openness in the drafting process and inclusion of new concepts, signal the potential for greater harmonization over the next decade and may be a significant step forward toward global interoperability.
Tags: , , , , , , , , , ,

FTC Takes Additional Safe Harbor-Related Enforcement Actions

Posted on October 6, 2009 by Hunton & Williams LLP

On October 6, 2009, the Federal Trade Commission (“FTC”) announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the U.S. Department of Commerce Safe Harbor program.  In six separate complaints, the FTC alleged that ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC deceived consumers by representing that they maintained current certifications to the Safe Harbor program when such certifications had previously lapsed.  The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security or other compliance program.  The six enforcement actions are significant as they mark a considerable uptick in the FTC’s enforcement related to the Safe Harbor program. The FTC recently brought its first enforcement action relevant to the program, which is detailed in our post titled FTC's First Safe Harbor Enforcement Action.

The European Union Data Protection Directive requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the EU has made a determination that the laws of the recipient jurisdiction are substantially equivalent to those of the EU, and thus provide “adequate” protection for personal data.  Because the EU has determined that laws of the United States do not meet its adequacy standard, the U.S. Department of Commerce and the EU developed the Safe Harbor Framework, which went into effect in November 2000.  The Safe Harbor Program allows participating U.S. companies under the jurisdiction of the FTC or the U.S. Department of Transportation to transfer personal data lawfully from the EU.  To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with seven principles that have been deemed to meet the EU’s adequacy standard.  To maintain its certification to the Safe Harbor program, a company must re-certify on an annual basis that it continues to comply with the seven principles. The Department of Commerce maintains a list of all currently-certified companies.

The proposed FTC settlement agreements highlight that companies certified to the Safe Harbor program should verify that their certifications remain current.  If companies wish to cease Safe Harbor membership, their representations, including those in website notices and marketing materials, should be promptly updated to avoid deceptive representations to consumers.  In all cases, the defendant companies had let their memberships lapse; exhibits to the FTC's complaints included pages from their websites, in which the companies continued to purport Safe Harbor membership.
Tags: , , , , , , , , , , ,

FTC's First Safe Harbor Enforcement Action

Posted on September 8, 2009 by Hunton & Williams LLP

The Federal Trade Commission (“FTC”) has secured a temporary restraining order against a company that allegedly falsely claimed to have self-certified to the EU/U.S. Safe Harbor Program.  One count of the FTC's complaint claims that the company (named Balls of Kryptonite, LLC) misled consumers by inaccurately representing that it had self-certified to the U.S. Department of Commerce that it was Safe Harbor compliant.  While the FTC has not alleged a substantive violation of the Safe Harbor, this case is significant for two reasons.  First, it marks the first time the FTC has brought an enforcement action with respect to the Safe Harbor Program.  The court order prohibits the defendants from misrepresenting the extent to which they “are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy, security, or any other compliance program sponsored by any government or third party.”  Second, the FTC acted in concert with the UK Office of Fair Trading after consumers in the UK registered complaints with the FTC using a website established by 25 international consumer protection agencies to facilitate global consumer protection efforts.  This is the first time the FTC has used the U.S. SAFE WEB Act of 2006 to enforce consumer protection regulations against a U.S. company operating exclusively outside the United States.

The European Union Data Protection Directive requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the EU has made a determination that the laws of the recipient jurisdiction are substantially equivalent to those of the EU, and thus provide “adequate” protection for personal data.  Because the EU has determined that laws of the United States do not meet its adequacy standard, the U.S. Department of Commerce and the EU developed the Safe Harbor Framework, which went into effect in November 2000. The Safe Harbor Program allows participating U.S. companies under the jurisdiction of the FTC or the U.S. Department of Transportation to transfer personal data lawfully from the EU.  To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with seven principles that have been deemed to meet the EU’s adequacy standard.  A company under the FTC’s jurisdiction that self-certifies to the Safe Harbor principles but fails to implement them may be subject to an enforcement action under Section 5 of the FTC Act, which prohibits deceptive trade practices. 

In this case, the FTC successfully argued that, regardless of the company’s data protection practices, falsely claiming to be Safe Harbor certified could constitute a violation of the FTC Act in and of itself.  The defendants have been ordered to appear on September 25, 2009 to show cause why the court should not enter a preliminary injunction prohibiting further violations.
Tags: , , , , , , , , ,

RAND Report Commissioned by the UK Information Commissioner's Office

Posted on May 13, 2009 by Hunton & Williams LLP

The UK Information Commissioner's Office has published a review of the strengths and weaknesses of the EU Data Protection Directive, commissioned from RAND Europe.

The concept of such a review was highly radical when first proposed. It provoked the promise of a similar study from the European Commission and generated much debate as to whether, and if so when, the Directive itself might be reviewed. The conclusions of the RAND study are much less radical than anticipated but more likely, as a consequence, to stimulate constructive debate within Europe as to the future shape of data protection law. Whilst not endorsing the RAND study, in April 2009, the European Privacy and Data Protection Commissioners' Conference discussed the themes raised by RAND and issued a declaration committing to contribute to the ongoing debate concerning the future of data protection law, including better implementation and enforcement of the existing legal framework.

The RAND study concludes that the "widely applauded" principles contained in the Directive remain the touchstone for good data protection regulation. However, the implementation and enforcement of these principles require fresh thinking. Excessive bureaucracy and prescriptive criteria for data protection compliance, at the expense of a flexible, harms-based, approach, is one example of how out of date local implementation of the Directive has become.

The study includes a number of recommendations for improvement, working within the framework of the existing Directive, but leading ultimately to an outcomes based regulatory model for the future.

It may be less radical than many had hoped, but there is much within RAND which will stimulate debate. It represents merely the starting point for future discussion.

To access the RAND study, please click here.  To read the summary of the study, which includes a forward by Richard Thomas and the EU Commissioners' Declaration, please click here.
Tags: , , , , , ,