Department of Commerce Announces a Public Meeting on "Information Privacy and Innovation in the Internet Economy"

The Department of Commerce (“DOC”) will be holding a public meeting on May 7, 2010, in Washington, D.C., to listen to stakeholders’ views on privacy policies in the United States.  This session is part of a broader inquiry by the DOC’s newly created Internet Policy Task Force “whose mission is to identify leading public policy and operational challenges in the Internet environment.”  The DOC’s National Telecommunications and Information Administration and the International Trade Administration will issue a notice of inquiry to look at the nexus between innovation and privacy on the Internet.  The Centre for Information Policy Leadership will be participating in these processes.

Court Finds That Lawyers Are Not Subject to the FTC's Identity Theft Red Flags Rule

It is being reported that the U.S. District Court for the District of Columbia agreed this morning with the American Bar Association's argument that the FTC's Identity Theft Red Flags Rule ("Red Flags Rule" or the "Rule") does not apply to lawyers.  The Rule implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act (the "FACT Act").  In relevant part, the Rule requires creditors and financial institutions that offer or maintain certain accounts to implement an identity theft prevention program.  The program must be designed to detect, prevent, and mitigate the risk of identity theft.  The FTC has interpreted the definition of "creditor" broadly.  The Commission has taken the position in publications and numerous panels that lawyers and law firms meet the definition of creditor because they allow clients to pay for legal services after the services are rendered.  For law firms (as well as for other entities that the FTC deems subject to its enforcement jurisdiction), November 1, 2009 is the deadline for compliance with the provisions of the Rule that require implementation of an identity theft prevention program.

In reaching the decision, Judge Reggie Walton is reported to have stated that he was reluctant to conclude that Congress intended to regulate lawyers when it enacted the FACT Act, which the Red Flags Rule implements.  The court also questioned the FTC's broad interpretation of the term "creditor."  Judge Walton is reported to have questioned whether the term could be interpreted so broadly as to render a plumber who bills a customer after performing his work a "creditor" within the meaning of the Rule.  Notably, the Judge's comment may leave the door open for other challenges to the Rule by the myriad small businesses that the FTC considers "creditors" subject to the Rule.

It is reported that the court granted an injunction against the enforcement of the Rule and a declaratory judgment finding that lawyers are not subject to the Rule.  The FTC is expected to appeal the decision.

EU Commission Issues Recommendation on RFID, Privacy and Data Protection

On May 12, 2009, the European Commission issued a long-awaited recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (“RFID”).  The recommendation follows a process initiated in 2006 when the European Commission launched a public consultation on RFID technologies.  Following this public consultation and in order to protect consumers’ privacy and data protection, the European Commission decided to take further steps by preparing a recommendation to regulate the use of RFID.

The recommendation applies the principles of the General Data Protection Directive (Directive 95/46/EC) and of the e-Privacy Directive (Directive 2002/58/EC) to RFID technology.  In summary, the recommendation provides that:

  • Operators of RFID must immediately deactivate RFID tags, automatically and free of charge, at the point of sale, unless the consumer explicitly opts in by asking to keep the chip operational.  This principle is, however, subject to exceptions.
  • Consumers must be clearly informed of the use of their personal data, the type of data collected and the purpose of the processing.
  • The reading device must be clearly identified, and a contact point must be indicated if the consumer would like to receive further information.
  • A common European symbol should be developed to indicate whether a product uses a smart chip.
  • Companies and public authorities should develop a framework for privacy and data protection impact assessments.  This framework will have to be endorsed by the Article 29 Working Party.  The goal of these privacy impact assessments is to ensure that consumer privacy is protected.

Strictly speaking, this recommendation is not legally binding on European Union Member States and so is not required to be implemented.  Its influence, however, should not be underestimated.  The recommendation provides that Member States should take all necessary measures to bring this recommendation to the attention of all stakeholders that are involved in the design and operation of RFID.  Member States should also inform the Commission of action taken in response to the recommendation no later than 24 months following the publication of the recommendation.  Within three years from the publication of the recommendation, the Commission will provide a report on its implementation, its effectiveness and its impact on operators of RFID technology.

The recommendation can be found here and the FAQs on RFID here.