Privacy & Information Security Law Blog

On December 1, 2010, the German Federal Ministry of the Interior (the “BMI”) issued a paper entitled “Data Protection on the Internet,” which contains a draft law to protect against particularly serious violations of privacy rights online.

On December 2, 2010, discussions about privacy continued at a hearing on “Do Not Track Legislation: Is Now the Right Time?” held by the U.S. House of Representatives Committee on Energy and Commerce, Subcommittee on Commerce, Trade and Consumer Protection.  The hearing focused on a variety of consumer privacy issues, including the implications and challenges of a Do Not Track mechanism, the consumer’s desire for more control over the collection and use of their data and tracking practices, and the need to preserve an advertising supported Internet that promotes economic growth through online business.

The “Red Flag Program Clarification Act of 2010” (S. 3987) has passed the Senate.  The legislation would limit the scope of the Red Flags Rule, which requires certain “creditors” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.  The new legislation would exclude from the definition of “creditor” certain entities that “[advance] funds on behalf of a person for expenses incidental to a service provided by the creditor to that ...

On December 1, 2010, the European Parliament hosted a Privacy Platform on the European Commission’s recent Communication proposing “a comprehensive approach on personal data protection in the European Union,” which is aimed at modernizing the current EU data protection framework.

The panel, hosted by European Parliament Member Sophie in ‘t Veld, included:

• The Head of Cabinet of the European Commission’s Commissioner for Justice, Fundamental Rights and Citizenship, Martin Selmayr (in Commissioner Viviane Reding’s absence);
• The Chairman of the Article 29 Working Party, Jacob Kohnstamm; and
• The European Data Protection Supervisor, Peter Hustinx.

The Platform was very well attended, bringing together a wide range of stakeholders from both the public and private sectors.

On December 1, 2010, the Federal Trade Commission released its long-awaited report on online privacy entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers.”  Observers expected the report to address the concept of privacy by design, the burdens placed on consumers to read and understand privacy notices and make privacy choices, the provision of individual access to personal data and the rights of consumers with respect to Internet tracking.  The FTC report introduces a privacy framework to “establish certain common assumptions and bedrock protections on which both consumers and businesses can rely as they engage in commerce.”  It includes the following elements:

David Vladeck, Director of the FTC’s Division of Consumer Protection, this morning previewed the long-awaited FTC report that sums up months of discussion regarding the future of privacy regulation in the United States and examines the viability of a Do Not Track mechanism.  Vladeck indicated at the Consumer Watchdog Policy Conference that the existing privacy framework in the U.S. is not keeping pace with new technologies.  In addition, he stated that the pace of industry self-regulation, while constructive, has been too slow.  According to Vladeck, the report will address several major themes, including the following:

The Centre for Information Policy Leadership (the “Centre”) this week issued “Data Protection Law and the Ethical Use of Analytics,” authored for the Centre by Paul Schwartz, Professor of Law, Berkeley Law School, University of California.  Marty Abrams shared this paper on November 30, 2010, at the European Data Protection and Privacy Conference in Brussels and plans to present the paper on December 1, 2010, at the Organization for Economic Cooperation and Development.

On November 25, 2010, the Council of Europe’s Committee of Ministers adopted a recommendation (the “Recommendation”) on the protection of individuals with regard to the automatic processing of personal data in the context of profiling.  View the press release.

The Recommendation is designed to set up safeguards for profiling activities by applying the principles established in Convention 108 to the challenges raised by profiling and by defining new principles.  It defines profiling as “an automatic data processing technique that consists of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.”  The term ‘profile’ refers to a set of data characterizing a group of individuals which is intended to be applied to an individual.  Interestingly, Members States may decide to exclude the public sector under certain conditions.

Adam Kardash from Heenan Blaikie LLP in Canada reports that Jennifer Stoddart has been nominated for reappointment as Privacy Commissioner of Canada for a three-year term.  The nomination will be tabled in the House of Commons for consideration and is widely expected to be accepted.

Marty Abrams, Executive Director of the Centre for Information Policy Leadership at Hunton & Williams LLP, said, “Commissioner Stoddart has been a key leader in bringing data protection into the 21st century.”

Ms. Stoddart has served as Privacy Commissioner since December 2003.

For further ...

In the first use of his powers to impose monetary penalties, the UK Information Commissioner has announced fines for two organizations with respect to serious breaches of the UK Data Protection Act.

• Hertfordshire County Council must pay a fine of £100,000 after staff accidentally faxed highly sensitive information to the wrong recipients, on two separate occasions.
• A4e Limited, an employment services company, must pay £60,000 following the theft of an unencrypted laptop from an employee’s home, putting the data of 24,000 people at risk.