Article 29 Working Party Calls on FTC to Investigate Online Retention and Anonymization Policies

In a letter to the U.S. Federal Trade Commission dated May 26, 2010, the Article 29 Working Party expressed concerns regarding the retention and anonymization policies of Google, Yahoo! and Microsoft. Specifically, the Working Party requested that the FTC examine the compatibility of the three search engine providers’ actions with provisions of Section 5 of the FTC Act, which prohibits unfair or deceptive trade practices.

The Working Party’s request references individual letters sent to Google, Yahoo! and Microsoft, also dated May 26, 2010, in which the Working Party stated that Yahoo! and Microsoft had not provided sufficient information about their anonymization practices to allow the Working Party to assess the quality of their policies, and that Google’s existing policies were insufficient to guarantee adequate anonymization. As a result, the Working Party could not conclude that the three companies’ retention and anonymization policies complied with the EU Data Protection Directive.

These concerns were first raised in March 2008, when the Working Party issued a detailed Opinion about search engines (Opinion 1/2008 - WP 148), which attempted to clarify and harmonize specific obligations for search engine providers with respect to the EU Data Protection Directive.  The Opinion also highlighted the Working Party’s concerns over the sensitivity of personal data related to search queries and the treatment of such personal data by search engine operators.  It urged companies to review their retention policies and bring them in line with the recommended maximum period of six months.  Following various consultations with the service providers in February 2009, the companies pledged their commitment to reduce retention periods (with limited exceptions) and announced steps to improve their anonymization procedures.

The Working Party urged all three service providers to review their anonymization claims and make the process verifiable.  To this end, the Working Party strongly suggested the use of audit procedures involving external and independent auditors.

In addition to the letter to the FTC, the Working Party also sent a copy of the service providers’ letters to Commissioner Viviane Reding in an effort to contribute in a meaningful way to the development and better enforcement of adequate, transatlantic data protection principles.

Microsoft Calls for Legislative Action to Set Rules for Cloud Computing

Microsoft is urging Congress and the information technology industry to act now to ensure that cloud computing is guided by an international commitment to privacy, security and transparency for consumers, businesses and government.  A survey commissioned by Microsoft found that while the general population and senior business leaders are excited about the potential of cloud computing, most are concerned about the security, access and privacy of their information in the cloud and believe the government should establish laws, rules and policies for cloud computing.  Microsoft also has called for an international dialogue on data sovereignty to address users' desire that rules and regulations governing their data remain uniform regardless of the physical location of the information. 

Microsoft’s proposal includes reforming and strengthening the Electronic Communications Privacy Act to provide stronger protections for consumers and businesses; modernizing the Computer Fraud and Abuse Act to give law enforcement the tools to prosecute malicious hackers and deter online-based crimes; enacting legislation to ensure that consumers and businesses know whether and how their information is accessed and used by service providers and how it will be protected online; and pursuing a new multilateral framework to address data access issues globally.

View more information on Microsoft’s proposal.

End to End Trust and the Need for Widespread Collaboration

Lisa J. Sotto, Partner and Chair of Hunton & Williams' Privacy and Information Management practice, discusses the roles individuals, companies, service providers and governments play in helping to create a safer, more trusted Internet. End to End Trust is Microsoft's broad and all-encompassing vision for creating a "safer, more trusted Internet," which is achieved by focusing on three areas: security and privacy fundamentals, technology innovations and social, economic, political and IT alignment. Microsoft believes these combined elements will help people make better choices and have more control over whom and what to trust online.

Washington Court Rules that IP Addresses Are Not Personally Identifiable Information

In a closely watched case, the U.S. District Court for the Western District of Washington recently held that Internet Protocol (“IP”) addresses do not constitute personally identifiable information (“PII”). The plaintiffs in Johnson v. Microsoft Corp. brought a class action suit against Microsoft claiming that the collection of consumer IP addresses during the Windows XP installation process violated the XP End User License Agreement. The Agreement stated that Microsoft would not collect PII without the user’s consent. The plaintiffs referenced Microsoft’s own online glossary to support their claim that IP addresses should be considered PII. The glossary defined “personally identifiable information” as “[a]ny information relating to an identified or identifiable individual. Such information may include…IP address.” In granting summary judgment in favor of Microsoft, U.S. District Court Judge Richard Jones found that “[i]n order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer.”

The Washington court’s ruling diverges from other recent rulings in the United States and Europe. In 2008, New Jersey’s Supreme Court held that Internet Service Providers (“ISPs”) are forbidden from disclosing subscriber IP addresses without a subpoena. The court held that New Jersey citizens have a “reasonable expectation of privacy” in the “subscriber information they provide to Internet service providers – just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies.” State v. Reid, 954 A.2d 503 (N.J. 2008).

Similarly, the European Union’s Article 29 Data Protection Working Party has noted that ISPs should “treat all IP information as personal data” unless the ISPs can “distinguish with absolute certainty that the data correspond to users that cannot be identified.” The Working Party has recommended that search engines delete or anonymize IP addresses once they are no longer needed, and not retain the data longer than six months.

The issue of whether IP addresses are considered PII as a matter of law has significant implications for companies that collect and use consumer online information. To the extent IP addresses are considered PII, companies that use IP addresses for business purposes would be required to comply with numerous legal requirements with respect to that data.