In a statement released on July 29, 2010, the UK Information Commissioner’s Office (“ICO”) has found that the information collected by Google from unsecured WiFi networks during the Street View photography capture exercise “does not include meaningful personal details that could be linked to an identifiable person.” This follows an assessment carried out by the ICO on a sample of the data in question at Google’s London offices.
In the latest chapter of the Federal Trade Commission’s ongoing efforts to promote consumer privacy with respect to online behavioral advertising, FTC Chairman Jon Leibowitz has reportedly suggested that the FTC may propose a Do Not Track Registry. The registry would be similar to the FTC’s popular Do Not Call Registry, which allows consumers to opt-out of many types of telemarketing calls, but registration on the Do Not Track Registry would not stop online advertisements. Instead, it would prevent those advertisements from being targeted to users based on their prior online activity. Mr. Leibowitz’s remarks came during a hearing on Consumer Online Privacy held yesterday by the U.S. Senate Committee on Commerce, Science, and Transportation. Current industry self-regulatory initiatives for providing consumers with choice regarding behavioral advertising include the Network Advertising Initiative’s Opt-Out Tool, which has been criticized for relying on opt-out cookies that consumers may accidentally delete, and a related beta Firefox browser extension designed to remember consumers’ opt-out preferences even after cookies are deleted.
Rite Aid has agreed to pay $1 million and implement remedial measures to resolve Department of Health and Human Services (“HHS”) and Federal Trade Commission allegations that it failed to protect customers’ sensitive health information. The FTC began its investigation following news reports about Rite Aid pharmacies using open dumpsters to discard trash that contained consumers’ personal information such as pharmacy labels and job applications. The FTC took issue with this practice in light of the pharmacy’s alleged claims that “Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously . . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.” At the same time, HHS began investigating the pharmacies’ disposal of health information protected by the Health Insurance Portability and Accountability Act.
On July 27, 2010, Senator John Kerry (D-Mass.) announced his intention to introduce an online privacy bill to regulate the collection and use of consumer data. “Our counterparts in the House have introduced legislation and I intend to work with Senator Pryor and others to do the same on this side with the goal of passing legislation early in the next Congress,” Kerry said in a prepared statement. Senator Kerry is the Chairman of the Commerce Subcommittee on Communications, Technology, and the Internet. He indicated that his bill would go beyond the regulation of targeted advertising. “Protecting the privacy of consumers online involves much more than the targeted advertising to which they are subjected,” Senator Kerry said. “Such advertising is just one result of the information that is routinely collected about us online.”
As we reported last week, Representative Bobby Rush (D-Ill.) introduced a bill regarding online data collection practices, which itself followed a similar bill proposed in May by Congressmen Boucher (D-VA) and Stearns (R-FL). Also on Tuesday, FTC Chairman Jon Leibowitz testified before the U.S. Senate about FTC efforts to protect consumer privacy.
On July 20, 2010, Hunton & Williams announced the release of the first edition treatise Privacy and Data Security Law Deskbook (Aspen Publishers) by lead author Lisa J. Sotto, managing partner of the firm’s New York office and head of the firm’s global Privacy and Information Management practice. The deskbook provides a detailed overview (with thousands of specific citations for the legal practitioner) of those areas of information privacy and data security law that have the greatest impact on and are most relevant to U.S. businesses operating in the global arena. In addition, the treatise contains a collection of sample documents, charts, checklists and other compliance-enabling tools.
On July 21, 2010, a coalition of 38 states sent a letter to Google demanding more information about the company’s collection of data from unsecured wireless networks by its Google Street View vehicles. The letter was sent by Connecticut Attorney General Richard Blumenthal on behalf of the executive committee of a multistate working group investigating Google Street View practices. As we reported on June 22, Blumenthal has spearheaded the nationwide investigation into Google Street View. Among other things, the letter asks Google to identify who was responsible for the software code that allowed the Street View cars to collect data broadcast over Wi-Fi networks, and for a list of states where unauthorized data collection occurred. The letter also asks Google for details regarding whether any of the data was disclosed to third parties or used for marketing purposes.
On July 14, 2010, the Article 29 Working Party issued a press release regarding its findings on the implementation of the European Data Retention Directive (Directive 2006/24/EC). The findings, compiled in a report to be contributed to the European Commission’s forthcoming evaluation of the Directive, indicate that the obligation to retain all telecom and Internet traffic data is not being applied correctly or uniformly across the EU Member States. Specifically, the Working Party’s press release states that service providers retain and share data in ways contrary to the Directive. The Working Party further noted that Member States’ reluctance to provide statistics on the use of retained data limits the ability to verify the value of data retention practices.
On July 19, 2010, Representative Bobby Rush (D-Ill.) introduced a bill “to foster transparency about the commercial use of personal information” and “provide consumers with meaningful choice about the collection, use and disclosure of such information.” The bill, cleverly nicknamed the “BEST PRACTICES Act”, presumably intends to set the standards for the use of consumer personal information by marketers. A similar bill was introduced by Representatives Boucher and Stearns in early May. Although both proposals would require opt-out consent for online behavioral advertising and express, affirmative consent for the collection or sharing of sensitive information, Rush’s bill has a broader definition of “sensitive information” and includes several other key differences. Perhaps most notably, unlike the earlier draft legislation, Rush’s bill features a private right of action that would allow individuals to sue companies that violate the law for up to $1,000 in actual damages, plus punitive damages and costs and attorney’s fees. The bill contains a safe harbor from the private right of action for companies that participate in, and comply with, a self-regulatory “Choice Program” approved by the FTC. In addition, the bill excludes from its definition of “covered information” any information collected from or about an employee by an employer “that directly relates to the employee-employer relationship.” A hearing on the proposed bill will be held on Thursday July 22, 2010.
On July 7, 2010, the German Federal Office for Information Security, the Bundesamt für Sicherheit in der Informationstechnik (“BSI”), published a basic paper on data security and data protection for radio-frequency identification (“RFID”) applications. The paper, Technical Guidelines RFID as Templates for the PIA-Framework, describes how to use RFID in compliance with data protection requirements, and explains the relationship between the BSI’s technical guidelines for the secure use of RFIDs and the European Commission’s Privacy Impact Assessment (“PIA”) Framework.
On June 1, 2010, Ukraine’s parliament adopted a bill on the protection of personal data which introduces a comprehensive regulatory regime for data processing in the country. The bill was signed by the President of Ukraine on June 24, 2010, and will come into force on January 1, 2011.