Global Privacy Enforcement Priorities | Webinar from TRUSTe
Transcript of Global Privacy Enforcement Priorities | Webinar from TRUSTe
Privacy Insight Series - truste.com/insightseries

Thank you for joining the webinar
• We will be starting a couple of minutes after the hour
• This webinar will be recorded and the recording and slides sent out later today
• Please use the GoToWebinar control panel on the right-hand side to submit any questions for the speakers
Today’s Speakers
Eleanor Treharne-Jones, VP Consulting, TRUSTe (moderator)
Ann LaFrance, Partner, Co-Chair, Global DP/Cyber Practice, Squire Patton Boggs
Chris Hoofnagle, Adjunct Full Professor of Information and of Law, University of California, Berkeley
Global Enforcement: The FTC’s Role
Chris Hoofnagle, Adjunct Full Professor of Information and of Law
University of California, Berkeley. Of counsel, Gunderson Dettmer, LLP.
Context for FTC Powers
• Agency is now 100 years old; genesis in the popular antitrust movement.
• Given a broad, undefined mandate: prevention of “unfair competition”
  – Freed the agency from common law requirements, such as proving harm, causation, reliance, etc.
  – Inherently has the power to act before harm occurs
  – Conceived of as a quick, process-lite alternative to federal court
    o This necessitated limits on damages
  – Regulated competition, not regulated monopoly (like the FCC)
• Agency turned quickly to consumer protection, formally in 1938
• Relies on enforcement because rulemaking was inefficient and is now simply untenable procedurally
• Agency’s innovations are taken for granted—cigarette, holder rule
• Why important? The positive agenda of anti-FTC activists is to return to 19th Century legal regimes
Investigatory Dynamics
• Fantastic investigatory powers—the FTC can even obtain in-person inspection of businesses. Powers are inquisitorial.
  – Companies’ own records document §5 violations…
• Division of Identity and Privacy Protection is the primary lead on privacy
  – Competitors may be the source of most complaints!
• Lawyers have “off the books” investigations
  – Staff have the real power at the FTC—they have discretion to find cases
  – Internet “investigations” can occur without much warning
  – Answer inquiries from the FTC with haste
• DPIP lawyers are seeking policymaking cases, about 20/year
  – Thus, if 1) your client owns up to it, 2) consumers are made whole, 3) protections are put in place to prevent recurrence, and most critically, 4) the situation is just a repeat of an already-brought FTC case, the case could be dropped
• Look to other divisions (ad practices) for guidance
Policy-Setting Cases
• Big incentives to bring SH/PS investigations, cases!
• Deception is the thin edge of the wedge.
  – Data brokers, direct liability first, “means and instrumentalities,” unfairness
• Post-settlement oversight to intensify
  – FTC conducting 6(b) study of PCI Processors
  – Wyndham, LifeLock cases suggest something is wrong in assessments—conflicts of interest, companies that “game” assessments, conditional certifications
• IoT
  – Security security security
  – Problem of no opt out for cross-device tracking
  – Fingerprinting in home
• Native advertising, endorsement
Celebrated Anti-FTC Litigation Has Backfired
• Wyndham (3-0, 3rd Cir.): affirmed the FTC’s role in cybersecurity, making the agency perhaps the most important regulator of cybersecurity—unreasonably lax security = unfair practice.
• POM (3-0, DC Cir.): the FTC sought to impose 2 randomized, controlled trial tests on makers of fruit juice that claimed health benefits from its consumption. The DC Cir. found that 1 was reasonable in that case. POM was the “Wyndham” of advertising law.
• Amazon (D.D.C. 2016): the time imposed on consumers to get refunds for charges made without authorization was substantial injury (thus supporting the unfairness claim). See also Neovi.
• Jerk (1st Cir. 2016): the false representation that content was user generated was material, supporting the deception claim.
• Lesson: activist case selection has been pretty poor, resulting in some of the worst actors reaffirming broad FTC powers.
Ann LaFrance, Co-Chair, Global Data Privacy & Cybersecurity Group, Squire Patton Boggs, London

Global Enforcement – Expanded Powers of Independent Supervisory Authorities under the GDPR
1. Current Powers of EU Data Protection Authorities
– Maximum fines established by national law under the GDPD range between €25K (Austria) and €1.2 Million (Italy) - median around €300K.
– Maximum fines rarely imposed – considerable leeway has been given to emerging technologies and businesses as regulators, businesses and consumers adapted to digital developments under legislation enacted in the mid-90s.
– DPAs empowered by the GDPD to order blocking or erasure of data and to impose a “temporary or definitive ban on processing” – but these powers have rarely been exercised.
2. GDPR
• GDPR – New and expanded enforcement powers (Art. 58), e.g.:
  – order production of information
  – carry out investigations/audits
  – obtain access to all personal data held by controller/processor if necessary to perform regulatory functions
  – obtain access to premises, processing equipment, etc.
  – impose temporary or definitive limitation including a ban on processing
  – order suspension of data flows to recipients in third countries
3. Administrative Fines
Power to impose much higher administrative fines
1) Highest fines: Up to €20,000,000 or 4% of global turnover, for:
  a) Breach of data protection principles in Articles 5, 6, 7 and 9, namely:
    • Processing only for valid (specified) purpose
    • Individual must be clearly told what is done with their data
    • If consent is required, must be informed, free, unconstrained, withdrawable, by affirmative act
    • Adequate, relevant, limited to what is necessary for the purpose
    • Accurate, up to date
    • Kept in identifiable form only as long as necessary for the purpose
    • Kept secure
3. Administrative Fines (cont’d)
  b) Breach of Articles 12-20 - failure to:
    • Give privacy notice
    • Give access to person's personal data
    • Rectify inaccurate data
    • Erase data when required
    • Comply with restriction on processing
    • Allow data portability
    • Comply with objection to profiling, automated decision-making, marketing
  c) Transfer of data outside EEA without ensuring adequacy of protection
  d) Non-compliance with order/finding of Supervisory Authority (SA)
3. Administrative Fines (cont’d)
2) Lower Fines -- up to the higher of €10,000,000 or 2% of global turnover for breach of other obligations, e.g.:
  a) Article 8 - obtaining consent re children
  b) Article 10 - de-identification
  c) Article 23 - data protection by design and default
  d) Article 24 - joint data controllers
  e) Article 25 - representatives of controllers not established in EEA
  f) Article 26 - appointing processors
  g) Article 27 - only processing on instructions
  h) Article 28 - records of processing activities
  i) Article 29 - co-operation with SAs
3. Administrative Fines (cont’d)
  j) Article 30 - security of processing
  k) Article 31 - notification of data breach to SA
  l) Article 32 - notification of data breach to affected individual
  m) Article 33 - privacy impact assessment (PIA)
  n) Article 34 - consultation with SA on PIA
  o) Article 35 - appointment of data protection officer
4. Criteria for setting fines
Criteria for setting fines include, e.g.:
1) Nature, gravity and duration of infringement
2) Intentional or negligent character of infringement
3) Actions to mitigate harm
4) Previous infringements of controller/processor
5) Cooperation with SA (including how infringement made known to SA)
6) Categories of data affected by infringement
5. Other enforcement considerations
1) Joint and several liability of controllers and processors
2) Fines may be imposed on processors
3) Right of data subjects to
  – effective judicial remedy against controller or processor
  – appoint non-profit organisation to represent interests
  – recover material or non-material damages
Contacts
Chris Hoofnagle [email protected]
Ann LaFrance [email protected]
Eleanor Treharne-Jones [email protected]
Federal Trade Commission Privacy Law and Policy
• 100-year history of the FTC’s consumer protection activities
• Discount code: FTC16
• http://www.cambridge.org/us/academic/subjects/law/competition-law/federal-trade-commission-privacy-law-and-policy?format=PB
Look out for details of our 2016 Summer/Fall Webinar Series to be announced in June. If you’re interested in speaking, contact
See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.
Thank You!