On Monday, May 16, 2016, the Supreme Court of the United States issued its highly anticipated opinion in Spokeo, Inc. v. Robins, a case that examined the question of whether a plaintiff who ...25 May 2016
Report from the Congressional Internet Caucus Advisory Board Privacy Program
On May 14, Hogan Lovells’ partner Chris Wolf moderated a panel discussion at the Rayburn House Office Building presented by the Congressional Internet Caucus Advisory Committee entitled, “New Internet Privacy Legislation: What the White House, Federal Trade Commission and the European Commission Are Recommending.” Maneesha Mithal, Associate Director of the Federal Trade Commission’s Division of Privacy and Identity Protection, began the event with a brief presentation about the FTC’s recently released report, “Protecting Consumer Privacy in an Era of Rapid Change” (the “FTC Report”). Following Ms. Mithal’s remarks, Mr. Wolf led panelists in a discussion about the FTC Report; the White House’s privacy white paper entitled, “Consumer Data Privacy in a Networked World;” and the proposed EU Data Protection Regulation.
The panel was comprised of:
- Justin Brookman, Director of the Center for Democracy & Technology’s Project on Consumer Privacy;
- Steve DelBianco, Executive Director of NetChoice;
- Rachel Thomas, Vice President of Government Affairs for the Direct Marketing Association (“DMA”); and
- Peter Swire, Professor of Law at the Ohio State University Moritz College of Law.
Ms. Mithal explained that the FTC Report, released in March of this year, refines but does not change the principles set forth in the preliminary staff report released in December 2010. She noted that there are four “big picture” takeaways from the FTC Report:
- Commission Report: It is a “commission report,” rather than a “staff report,” as it was adopted by a majority of the Commissioners, and as such, it carries more weight than a staff report.
- Legislation: It calls on Congress to enact privacy and data security legislation, including baseline privacy legislation, data security and breach notification legislation, and legislation aimed at improving the transparency of the information practices of data brokers.
- Best Practices: The Report does not prescribe “rules of the road” that the FTC will use as a template for enforcement actions. Rather, it merely sets forth recommended best practices.
- Relation to White House’s Privacy White Paper: The FTC Report and the White House’s privacy white paper are “entirely complementary and consistent.” Ms. Mithal noted that the white paper focuses more on implementation, while the FTC Report focuses on providing guidance to industry.
In response to questioning, Ms. Mithal stated that while the new best practices set forth in the FTC Report will not be the basis for an FTC enforcement action, a company that has otherwise committed a deceptive or unfair act or practice in violation of Section 5 of the FTC Act may be required to implement these best practices as part of the settlement with the FTC. Chris Wolf referenced the FTC’s enforcement action against MySpace, noting that the alleged violations of Section 5 seemed to be founded on the FTC Report’s concept of “reasonably linked.” But Ms. Mithal responded that the data at issue in the MySpace case was viewed by the FTC as an extension of PII, which is similar to a concept that the FTC previously set forth in its 2010 closing letter with Netflix.
The panelists discussed many privacy issues related to the recent FTC, White House, and EU proposals, and among the highlights of the discussion were the following points:
- In response to a question about what is privacy today and how does it differ from the past, Mr. Brookman stated that the scope of surveillance is much greater today, noting that tracking is prevalent and collection is the default.
- With respect to a discussion about how to handle companies that refuse to abide by self-regulation standards, Ms. Thomas explained that the DMA self-regulation program allows the DMA to take action against both members and non-members, and she noted that any company (whether a member or not) that refuses to comply with the program’s self-regulatory code of conduct will be reported to the FTC for enforcement.
- With respect to harmonization between the EU and US privacy regimes, most of the panelists felt that the US shouldn’t “chase” the EU, but rather – as Mr. DelBianco put it – the US should “sell our case” a little harder. Ms. Thomas agreed, stating that she feels our regime has achieved “adequacy.” Mr. Swire recalled the negotiations over the Safe Harbor framework, where the EU first took the approach that only EU law is acceptable, but softened its view over time as “reality set in,” suggesting that the EU may soften its view in other regards as well.
- With respect to the EU Regulation’s “Right to Be Forgotten,” Mr. Brookman remarked that it could be implemented in a “bad way,” which would impose huge burdens on business, but stated that if implemented properly, it could be a positive.
The French Data Protection Authority (CNIL) has announced its inspections program topics for 2016, with health data, flight passengers’ data, and data used for marketing and Internet...20 May 2016