Information Privacy Regulation - What You Need to Know About Current Developments

U.S. and EU approaches to privacy regulation have been very different, but recent developments in the U.S. may be narrowing the gap. Recently, we hosted a seminar on current developments in information privacy regulation. The subjects covered and a link to the materials are provided below. Our panelists included: Dennis Hirsch, Esq., Professor at Capital University Law School, Counsel to Porter Wright, and a scholar of information privacy law; Christina Hultsch, Esq., Porter Wright International Law attorney; and Donna M. Ruscitti, Esq., Chair, Porter Wright's Information Privacy and Data Security Practice Group. They discussed:

  • How EU regulation impacts both U.S. and multi-national corporations and its practical implications for U.S. corporations
  • The White House Report Released February 23, 2012 - Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Global Innovation in the Global Digital Economy
  • FTC Report Released March 26, 2012 - Protecting Consumer Privacy in an Era of Rapid Change
  • Current U.S. Legislative Initiatives
  • Compliance with the U.S. Safe Harbor Program and FTC enforcement actions

To download the materials from the seminar, click here.

EU Conference: Privacy and Protection of Personal Data

The EU Conference on Privacy and the Protection of Personal Data held March 19 in Washington, D.C., was a great illustration of the importance of the topic within the European Union. The conference was extremely well attended by high-level EU regulators and provided valuable insights into the respective priorities. Tangible results, however, were scarce and consisted largely of a joint statement on privacy by EU Commission Vice-President Viviane Reding and US Commerce Secretary John Bryson. The Joint Statement recognized the need for multinational cooperation to create mutual recognition frameworks that protect privacy in order to facilitate the free flow of information across borders. Both sides reaffirmed their commitment to the US-EU Safe Harbor Framework as a means to transfer data from the EU to the US.

Highlights
A joint conference, especially when organized by the European Commission, but held in Washington, D.C., instead of its headquarters in Brussels, naturally brings forth many polite statements of mutual admiration for one another’s efforts in the area of data privacy. Undoubtedly, the highlights of the conference occurred whenever the gloves came off and issues and expectations were voiced clearly.

One of my personal highlights was seeing my fellow German countrymen and -women live up to our reputation of being blunt, punctual and lacking any sense of humor. Paul Nemitz, Director of Fundamental Rights and Citizenship at the European Commission, set the tone by dashing the hopes of Cameron Kerry, General Counsel for the US Department of Commerce, that the White Paper published by the White House as a blueprint for a Consumer Privacy Bill of Rights has brought the United States any closer to an adequacy finding by the European Union. Mr. Nemitz also questioned the effectiveness of FTC enforcement actions by calling them mainly “good PR.” The criticism was superbly countered by Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection at the FTC, who very gracefully accepted the statement as a compliment. In addition, she provided useful substantive information about the FTC’s enforcement priorities and, as a result, earned a spot on my personal list of highlights.

Other memorable moments included the passionate speech by Representative Ed Markey, D-MA, who presented a good update on the status of the COPPA revisions and, as the long-standing co-chair of the Congressional Privacy Caucus, provided a fascinating historical summary of the various federal privacy initiatives of recent decades.

Peter Hustinx, the European Data Protection Supervisor, was one of the few European representatives with a slightly optimistic message for the US. In outlining his understanding of the interoperability requirements highlighted in the Joint Statement, he suggested that an adequacy finding could result from the implementation of the White Paper, even if it did not result in a comprehensive law, as adamantly requested by Francoise Le Bail, Director-General for Justice at the European Commission. Mr. Hustinx emphasized the need for sufficiently common principles and their binding implementation as far more important than the specifics of the regulatory regime.

Take-aways for US privacy practitioners:

  • The current FTC enforcement priorities are:
    • Social media
    • Online tracking
    • Data security
    • Mobile privacy
    • FCRA and apps that allow for instant background checks, especially when utilized by employers or prospective employers
       
  • Without a comprehensive law, the EU will likely not grant the US adequacy status. The concept of enforceable codes of conduct as introduced in the White Paper is viewed with skepticism among the EU regulators.
     
  • Interoperability is the “hot” new term. While the technological implications are generally well understood, a definition from a legal perspective is still missing. Mr. Hustinx presented his understanding of interoperability requirements as:
    • Sufficiently common principles (which, of course, must be binding)
    • Common implementation of these principles
    • Common enforcement
    • Common mechanisms for individual redress
       
  • Safe Harbor will continue despite European concerns over its effectiveness. Under the current budget situation, it is highly unlikely that the FTC will implement compliance audits, despite the adamant requests by various European NGOs.
     
  • The EU Commission is convinced that European businesses will gladly accept stringent data protection rules as long as they are uniformly applied. This opinion was corroborated by the DPO of Deutsche Telekom, who listed legal certainty as his top priority.

Conclusion
Great efforts are being made on both sides to understand, accept and ultimately overcome the differences in the respective approaches to the protection of privacy rights. Whether reliance upon dialogue alone will be enough to accomplish these goals remains to be seen. The conference seemed to indicate that mere education about the basic principles is insufficient, but that, instead, a certain level of personal experience is required to fully understand and accept the different political, social and historical contexts in which both regimes function.

A Look Back: Top 10 E-Discovery Developments and Trends Emerging Out of 2011

We recently prepared a summary of the top developments and trends in electronic discovery that came out of 2011. Given the evolving nature of this area of the law, understanding the key events from last year can help with this year's e-discovery challenges. To see what made our list, click here.

Among the highlights:

  • "Computer-assisted review" gained traction as a potential way to reduce costs and increase accuracy during document review, resulting this year in the first known judicial opinion recognizing computer-assisted review as an acceptable method to search for relevant electronically stored information (ESI) during discovery – a development we see playing a key role in how new technology will be leveraged to address budget and timeline concerns going forward.
  • Information governance and the need for strong records management policies saw increased discussion last year – a development we see leading to more businesses considering what steps they can take before litigation arises to reduce the volume of potentially discoverable ESI, particularly as new sources of ESI emerge as discovery targets.
  • Discovery obligations meet data protection obligations on a global scale – The Sedona Conference® issued a timely and important resource, which we reported on, with an eye toward multinational companies facing a conflict between the requirements of U.S. discovery rules and foreign privacy laws, particularly as the European Commission has proposed a comprehensive reform of the EU's 1995 data protection rules.
  • National civil rule reform is still a ways off from happening, but many federal and state courts are developing their own local e-discovery orders, protocols, and pilot programs to attempt to make e-discovery more efficient and less costly – a development we see continuing this year.

The Sedona Conference® Publishes International Principles on Discovery, Disclosure & Data Protection

The Sedona Conference® recently published the International Principles on Discovery, Disclosure & Data Protection (“International Principles”) through its Working Group 6 on International Electronic Information Management, Discovery and Disclosure. The Sedona Conference® launched Working Group 6 in 2005 to bring the most experienced attorneys, judges, privacy and compliance officers, technology-thought leaders, and academics from around the world to discuss the management, discovery, and disclosure of electronically stored information (“ESI”) involved in cross-border disputes. The publication of the International Principles comes in light of a number of U.S. court decisions over the last two years ordering the disclosure of information in U.S. litigation despite the existence of foreign privacy laws that otherwise would have prohibited such disclosure. See, e.g., EnQuip Technologies Group, Inc. v. Tycon Technoglass, S.R.L., 2010-Ohio-28, 2010 WL 53151 (Jan. 8, 2010).

The International Principles contain best practices and recommendations for addressing the preservation and discovery of “protected data” in U.S. litigation. Protected data broadly includes any information that must be safeguarded pursuant to federal, state, or foreign laws, or through other privacy obligations. Although focused primarily on the relationship between U.S. preservation and discovery obligations and the European Union Directive 95/46/EC, the International Principles are designed to apply whenever data protection laws or other privacy obligations conflict with U.S. preservation and discovery obligations. The International Principles also contain a model protective order for use with protected data as well as a cross-border data safeguarding process and transfer protocol to document the steps taken to comply with applicable privacy laws.

The International Principles encourage parties to examine whether their discovery requests and obligations present a conflict with any data protection laws. If a conflict exists, The Sedona Conference® maintains that the parties should try to avoid or minimize the conflict by limiting the scope of discovery, engaging in phased discovery, or limiting the production of protected data and metadata. The parties also should agree to a protective order or stipulation limiting the use and disclosure of protected data and to a plan setting forth the methodology by which protected data will be preserved, processed, transferred, and produced.


Interestingly, the sixth and final principle addresses how organizations should maintain their data before preservation and discovery obligations arise. This principle reinforces the importance of having strong records management policies in place and stresses that custodians of protected data should retain such information “only as long as necessary to satisfy legal or business needs.” The Comment to Principle 6 states in part:


Many organizations worldwide have become electronic data hoarders. While the retention of paper-based information had tangible physical consequences and costs, it has become relatively inexpensive and more expedient to expand storage capacity rather than to apply records management lifecycle discipline to ESI. There are numerous direct and indirect costs and risks associated with unbridled accumulation and retention of data. Legal risks may also arise, especially in the context of data protected by Data Protection Laws, in the over-retention of information.


The Comment further encourages organizations to implement data privacy and data protection technologies and procedures and to collect personal data with data protection in mind, e.g., “privacy by design,” to lower the costs and risks relating to data protection.

A copy of the International Principles publication is available here.

Data Protection in Social Networks

In a statement published on December 8, 2011, the Association of German Data Protection Agencies, known as the “Duesseldorfer Kreis” (“DK”), issued an opinion summarizing the minimum compliance criteria for operators of social networks in Germany:

  • Transparent privacy policy and informed consent are essential for protecting the right to data privacy
  • Opt-out solutions are insufficient; all privacy settings must be on the basis of opt-in selections
  • Users must have simple access to their stored personal data
  • Facial recognition features require express, confirmed consent
  • No tracking profiles without the informed consent of the user
  • Obligation to delete data after the termination of the membership
  • Social plug-ins on the websites of German operators are not compliant with data protection laws unless they are covered by informed consent and provide the opportunity for the user to prevent the data transfer
  • Social networks must protect user data through implementation of suitable privacy controls; operators must be able to demonstrate that such measures were taken
  • Minors require particular protection and information regarding the processing of personal data must be easily comprehensible to them
  • Social networks located outside the EEA must nominate an agent in Germany who serves as the contact person for the DPAs

The opinion, however, is not limited to this rather generic list of minimum requirements. Instead, it takes the opportunity to address two of the most pressing issues which have dominated the discussion of social networks and their commitment to data privacy over the past several months.

In August we reported that a German Data Protection Agency (Unabhängiges Landeszentrum für Datenschutz in Schleswig Holstein, “ULD”) threatened to impose fines on all website owners who refused to remove social plug-ins, and especially the like-button, from their websites. The topic has become an issue of extensive substantive discussion[1], with the majority of the opinions rather critical of the approach and hinting, more or less directly, at a certain degree of overzealousness on the part of the ULD. The main complaint is directed at the insufficiency of the ULD’s legal analysis, which ignored many of the unsettled areas of privacy law, especially with regard to whether IP addresses constitute personal data under the Federal Data Protection Act. The DK opinion now offers an unconditional statement of support by declaring all social plug-ins noncompliant with the law. The opinion holds website owners responsible for the content of the data processed through social plug-ins and tells them to stay away from the like-button unless they have a clear understanding of the scope of the data processing and transfer that could result from such a plug-in. This opinion comes as a surprise in light of the recent study published by the German Bundestag, which was remarkably direct in its criticism of some of the ULD’s legal conclusions. Whether the DK opinion will provide the ULD with the vindication it needed to enforce the threatened fines of up to €50,000 remains to be seen. To date, the Facebook like-button remains a prevalent feature of most businesses’ websites, and even the Schleswig-Holstein government page is still asking users to endorse the website via social plug-ins.

Just last month, another German DPA attacked Facebook directly over its biometric database and the company’s refusal to obtain retroactive user consent. That the storage of user photos in a database to create a facial recognition feature is a legitimate issue of data privacy has been universally recognized. The legal discussion in Germany regarding this issue is mostly jurisdictional, with Facebook asserting that it is not subject to the German data privacy laws. The DK opinion, without addressing the Facebook situation directly, flat-out rejects this argument. Unless the social network is actually operated from within the European Union, simply forming a subsidiary in an EU member state is considered insufficient to limit jurisdiction to that particular country. Instead, according to the DK opinion, German data protection laws shall apply to the processing of all personal data derived from users located in Germany.

While it is difficult to predict the impact this opinion will have on how the individual Data Protection Agencies proceed against perceived violations of data privacy laws within the world of social networks, it is highly unlikely that it will create sufficient pressure to result in any settlement agreements similar to the one entered into with the Federal Trade Commission and Facebook.

[1] Including a 90min panel discussion in German with a member of the ULD


Will Facebook soon be privacy-friendly?

FTC Audit Agreement
According to various news reports, Facebook and the FTC are about to enter into an agreement which will subject Facebook to privacy audits for the next 20 years. The agreement will apparently require Facebook to obtain prior express consent before making public any information to which the user had granted limited access only. The agreement is a direct response to complaints over the changes Facebook made to its privacy policy in 2009, when previously private information became accessible to the public and users had to take active steps in order to return to their accustomed privacy settings.

Since 2009, the importance of data privacy has gained much broader recognition, and privacy advocates will likely celebrate the FTC agreement as a victory. Facebook’s reluctance, however, to show adequate consideration for the concerns raised by European data protection agencies suggests that celebrations may be premature.

Considering what made Facebook’s business model so successful, it is hardly surprising that Facebook would be reluctant in addressing European privacy concerns. It will likely always be a struggle to reconcile the business model built on a global platform with 800 million users publicly sharing information with the right to the protection of personal data granted by Article 8 of the Charter of Fundamental Rights of the European Union. Two recent press releases by a German data protection agency highlight these conflicts.

Purpose and Function of Cookies
On November 2, 2011, the Hamburg Commissioner for Data Protection and Freedom of Information released the results of an investigation related to Facebook’s use of cookies. According to Facebook, these cookies serve as security mechanisms to allow the restoration of passwords or to prevent children from creating accounts. The investigation report (which, in its German version, can be downloaded here) demonstrated that these goals were accomplished only to a minimal extent in relation to some purely optional functions and only if the functions were set accordingly by the user.

From these results, the agency concluded that the cookies likely served, for Facebook, a different primary purpose altogether—namely to create tracking profiles of Facebook users. Should this suspicion be confirmed, and provided that German law is applicable to Facebook, the company would be in violation of the German Telemedia Act (“TMG”). Despite Facebook’s assertion that it does not fall under the jurisdiction of the TMG, it has nonetheless indicated a willingness to discuss the underlying technical processes and the Commissioner appears cautiously optimistic that a solution can be reached which will comply with the German data protection laws, including the TMG.

Facial Recognition
The most recent press release, again by the Hamburg Commissioner for Data Protection and Freedom of Information, was issued on November 10, 2011 and addressed Facebook’s biometric database. Facebook is using a facial recognition feature which, according to the Commissioner, requires express user consent in order to comply with German and European data protection laws. The feature, which Facebook calls “tag suggestions,” uses a face-mapping technology to identify individuals in photos on the site.

To address the compliance issues raised by the agency, Facebook and the Commissioner discussed the implementation of a procedure through which Facebook could obtain valid, informed consent. Following the familiar pattern of past exchanges, Facebook entered negotiations on the premise that it was in full compliance with EU law, insisting that its current practice of an opt-out check box provided easy and sufficient notice to its users about the tag suggestions and individual user ability to disable the feature.

Not surprisingly, German authorities did not agree with Facebook’s assessment of current compliance and expressed concern especially related to those users whose biometric facial characteristics were incorporated into the database prior to the introduction of the feature. Any opt-out solution offered by Facebook would only apply to future use of the facial recognition feature and would not address the need to obtain the retrospective, explicit and informed consent which the German authorities clearly consider a prerequisite to meeting EU privacy law standards.

While negotiations are currently at a stand-still, it seems that the German authorities ought to be able to take advantage of the timing and content of Facebook’s pending FTC settlement. The proposed FTC terms mirror the Working Party’s Consent Opinion to a remarkable degree as both focus on the data subject’s right to limit the scope of the collection and processing of personal data. If Facebook promises to the FTC that it will first obtain user consent before exposing previously collected data to a broader audience than initially intended by the user, the company must also acknowledge that, under EU privacy law, the same consent procedure is required for the introduction of features such as facial recognition.

Obviously, the Commissioner’s request that Facebook obtain retrospective consent is much more extensive than the purported FTC agreement. The burden associated with tracing all users (approximately 20 million people) whose pictures were allegedly added prior to the introduction of the feature is onerous enough to explain Facebook’s unwillingness to negotiate. One has to wonder, however, whether the current impasse is not an indicator of more comprehensive developments in the relationship between Facebook and the German data protection agencies, and whether both sides are finally preparing to square off in court.

What's next in EU data protection?

The Article 29 Working Party outlined its agenda for 2012 at a recent plenary meeting in Brussels. Not surprisingly, the top priority is a new legal framework for data protection. But other topics, some of interest for US data protection developments, were discussed as well.

  1. Revision of the EU data protection framework: To ensure that EU data protection authorities can consistently apply the EU data protection rules, the revisions to the current Data Privacy Directive will emphasize harmonization efforts to advance the cooperation and coordination between the various authorities.
  2. WADA: The EU has ongoing concerns related to the current legal framework and the protection of athletes’ personal information. The EU Commission, supported by the Working Party, will provide comments to the proposed revision of WADA’s World Anti-Doping Code, which is planned for 2013.
  3. Cooperation with the European Network and Information Security Agency (ENISA): The Working Party and ENISA share common interests with regard to data breach notifications and will intensify their cooperation.
  4. EU Agency for Fundamental Rights (FRA): While the discussion addressed projects of the near future such as redress mechanisms and the publication of a Handbook on European data protection case law, FRA has long been critical of Passenger Name Record (PNR) data transmissions and a cooperation with the Working Party may suggest that the use of PNR will come under scrutiny again.

Whether the newly harmonized EU data protection rules will be a curse or a blessing for US companies doing business in the EU remains to be seen. Frustration by certain EU member states over a lack of cooperation between the national data protection authorities is undoubtedly a driving force behind this recent development and, as a result, the current practice of concentrating business operations in the jurisdiction with the least onerous data protection laws may soon come to an end. But if the closing of national loopholes is mitigated by a uniform application of data protection principles, it may be a worthwhile sacrifice.

Still think consent is easy?

In my last entry I stressed the importance of complying with the various consent requirements hidden in European data protection laws. To prove my point and to illustrate further the high standards imposed by the German Data Protection Law, a regional German DPA (das “Unabhängige Landeszentrum für Datenschutz” in Schleswig Holstein, or “ULD”) has taken aim at Facebook’s data privacy practices by sending cease and desist letters to all website operators located in the area who incorporate the “like” button and other Facebook plugins on their pages. Operators have until the end of September to deactivate these features or face up to €50,000 in fines.[1]

Despite asserting its inability to do so, ULD’s legal analysis[2] attempts a comprehensive study of Facebook’s data privacy policies and, as a result, appears to lose sight of the core issue which formed the basis for this enforcement action. ULD claims that website operators who incorporate Facebook plugins illegally transfer data to the U.S., yet the discussion of Facebook’s Safe Harbor Certification is restricted to one footnote.

Nonetheless, the opinion provides valuable insight into a typical DPA consent analysis and highlights common mistakes that will likely invalidate the consent obtained from the data subject. ULD analyzes the amount and quality of information provided to potential Facebook users during the registration process and concludes that the current method is not even remotely sufficient to justify the processing of personal data provided by Facebook users. Sheer mass is no substitute for the quality of information required to create valid consent, and ULD chastises Facebook for a blatant lack of clarity and transparency. The opinion further criticizes that the information provided is not only deliberately vague, but also incomplete, as it excludes certain forms of data processing.

Even if this particular action is tailored specifically to curb Facebook’s insatiable appetite for collecting personal data, other U.S. companies are well advised to consider the message sent by ULD’s enforcement action and review their consent procedures, regardless of whether they have a physical presence in the European Union. Data privacy and protection are quickly becoming a global issue, and the lack of EU jurisdiction just means that DPAs will seek alternative ways to punish U.S. companies for violations of EU data privacy laws. In a novel approach, Facebook is being targeted through the prosecution of its business partners located within the EU, and ULD is obviously confident that the pain inflicted on the website operators will create sufficient momentum to cause a change in Facebook’s privacy policies.