Archive for December, 2010

On December 1, the FTC issued its long awaited report in which it outlines a Proposed Framework for businesses and policy makers for the protection of personal data. The Proposed Framework would reach a broad range of commercial entities, both online and offline, that collect, maintain, share, or use consumer data. The protection would apply not only to what has traditionally been named “personally identifiable information” that can be reasonably linked to an individual, as this has been done in the past, but also to data that can be reasonably linked to a specific computer or device. (FTC Report, p. 42).

The proposed Framework is divided into three principles:  (a) implementation of “Privacy by Design”, (b) simplification of choices for consumers; and (c) providing greater transparency.

Each of these principles, if adopted and followed by US businesses, would bring the United States closer to the practices that have been in place in Western Europe and many APAC countries for many years, and that are increasingly adopted elsewhere, such as in the Americas (Canada, Mexico, Argentina, Uruguay, etc.). However, significant gaps would remain.

Privacy by Design

Referring to the concept of “Privacy by design” coined by Ann Cavoukian, the Information and Privacy Commissioner of Ontario (Canada), the FTC Proposed Privacy Framework would require companies to build privacy protections into their everyday business practices. In addition, companies would be expected to promote privacy throughout their organizations, and at every stage of the development of their product and services

Privacy Protections

The Framework would require at least the following privacy protections:

• Providing reasonable security for consumer data;
• Collecting only the data needed for a specific business purpose;
• Retaining data only as long as necessary to fulfill that purpose;
• Safely disposing of data no longer being used; and
• Implementing reasonable procedures to promote data accuracy.

There are significant similarities between these principles and the rules that already exist in data protection laws in effect throughout the European Union and many countries on all continents. For example, Article 17 of the 1995 EU Data Protection Directive requires security measures. Further, ensuring data accuracy and limiting collection and retention of personal data are among the Principles Relating to Data Quality listed in Article 6 of the EU Data Protection Directive. Thus, the adoption of these privacy protections would take United States companies significant closer to their counterparts in the 50 + countries that have adopted data protection laws.

Comprehensive Data Management Procedures

The proposed FTC framework would also require companies to develop a reasonable privacy program and comprehensive data management procedures throughout the life cycle of their products and services. This program would include, for example:

• Assign personnel to oversee privacy issues;
• Train employees on privacy issues; and
• Conduct privacy impact assessments when developing new products and services.

Such concepts are not new, and they are consistent with prior guidelines that the FTC has provided in its consent orders, such as in its 2002 Final Consent Order in its case against Eli Lilly and Company.

As it has done in its prior communications, the FTC explains that implementation can be scaled to each company’s business operations. For example, a small amount of non-sensitive consumer data would require less stringent or comprehensive measures than vast amounts of consumer data. Companies that engage in the business of selling consumer data would be subject to higher scrutiny.

Putting in place an appropriate privacy program may require significant efforts for companies that have not yet appreciated the value of personal information, and the need to protect personal information of employees, customers and others who contribute to the wealth of the business, through their work, their purchases, or otherwise.

The concept of a comprehensive data management process is also one of the components of the recent “Communication 609” published in early November 2010 by the European Commission. The Communication, which is intended to outline proposed changes to the current EU data protection framework, would also require that national laws provide for the appointment of a “Data Protection Official” for companies over a certain size, and for the conduct of a Privacy Impact Assessment before launching a new product or service. (See Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions: A comprehensive approach on personal data protection in the European Union, http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf.). Thus, in this respect, the Proposed FTC Framework and the proposed changes to the EU practices are consistent with each other.

Simplified Choices

Second, the proposed Framework would require companies to make it easier for consumer to understand their privacy practices and exercise choices, if any. The FTC provides a two-prong approach:

• Collection of data for “commonly accepted” purposes would not require prior consent of the data subject;
• For data practices that are not “commonly accepted,” consumers should be able to make informed and meaningful choices.
• Commonly Accepted Purposes

The FTC Report (see, page 43 of the report) provides examples of what would be “commonly accepted” purpose: product and services fulfillment; internal operations, fraud prevention, legal compliance and public purpose, and first party marketing. The view is that these practices are obvious from the nature of the transaction (e.g. delivery of a product) or sufficiently accepted or necessary for public policy reasons. Thus, it is not necessary to encumber the flow of data.

This concept is consistent with the view taken by the national laws of the EU Member States where the collection and processing of personal information (other than sensitive information) is permitted when it is necessary for the performance of a contract between the data subject and the entity collecting the data, for compliance with a legal obligations, or to protect public interest or the vital interest of the data subject. (See, e.g., Article 7 of the 1995 EU Data Protection Directive).

There is, however, a significant difference between the FTC view and the European view, in that the FTC Framework would allow the collection and processing of personal information for “first party marketing”, while this practice is restricted in the European Union to only the marketing of a similar product or service than that which the customer purchased previously. (See, e.g., Article 13, of the 2002 e-Privacy Directive). Thus, the US approach would be significantly more protective of business interests

Choice Required for Other Practices

For data practices that are not “commonly accepted,” the FTC Framework would require that privacy choices be clearly and concisely described and offered to consumers at the time when the consumers are making decisions about their data, such as when entering personal data or before accepting a product or service.

The current draft of the Proposed Framework is not yet clear as to the direction it will follow with respect to the collection and processing of sensitive information. The final Framework is likely to suggest restrictions to the collection and processing of sensitive information, and to specify what constitutes “sensitive information.”

While the concept of “sensitive data” has not yet been defined by the FTC or otherwise, in practice, the United States has identified “sensitive data” very differently than the rest of the world. Existing US laws – such as the laws pertaining to security breach disclosures – have mostly focused on identity theft, and have provided heightened protection to financial information and identity information, for instance. The rest of the world has generally identified as “sensitive,” information that pertains to our most intimate activities or thoughts, such as sexual preference, medical condition, or religious or philosophical beliefs.

In its Communication 609, the European Commission has announced that it would likely expand the definition of “sensitive information”, to include other types of information, such as genetic information. There has not been any expression of intent to include in this category any financial or identity information.

Greater Transparency

The third component of the FTC proposed Framework would focus on increasing the transparency of companies’ data handling practice. This would be achieved though several vehicles:

• Clearer, shorter, and more standardized privacy notices;
• Reasonable access to data maintained by the business;
• Prominent disclosures and affirmative express consent required when making material changes; and
• Consumer education.
• Privacy Notices

The FTC Report comments that privacy policies could play an important role in promoting transparency, accountability, and competition among companies if the policies are clear, concise, and easy-to-read. Thus, it would require that companies improve their privacy policies in order to allow a comparison of the data practices and choices across companies.

This requirement for simplicity and clarity is very similar to the call for ensuring that informed consent be provided that the EU Commission recently made in its Communication 609. In this document, the EU Commission commented that the opacity of privacy policies online makes it difficult for individuals to be aware of their rights and to give informed consent. Like the FTC, Communication 609 stresses the need for individuals to be well and clearly informed, in a transparent way, of the data controller’s data handling practices. The information must be easily accessible, easy to understand, and must be made using clear and plain language.

It is not surprising that both the United States and the European Union would express the same frustrations. In both regions, privacy notices have become lengthy, complex documents, that the average customer has trouble deciphering.

Access to Data

The FTC report also proposes providing consumers with reasonable access to the data that companies maintain about them, particularly for companies that do not interact with consumers directly, such as data brokers. Because of the significant costs associated with access, however, the report suggests that the extent of access might be proportional to both the sensitivity of the data and its intended use.

For many years, the right of access and correction has been absent from most privacy notices and privacy policies, except for those issued under HIPAA. On the other hand, the right of access and correction has been one of the most fundamental rights provided to individuals throughout the European Union, and in the non-EU countries that have followed the same principles.

Today, most US sites do not offer a right of access and modification; or this right is limited to the data that are published in the “my account” section of a site. It would be impossible, however to have access to the “dossier” that a company has created by compiling information about an individuals that would have been gathered through purchases from data brokers.

In contrast, many EU residents have enjoyed a right of access and correction for their data, for over 30 years. Nowadays, all EU residents enjoy a “right to know” (i.e. right to know whether an entity has data about them), a right of access, a right of correction, erasure, or blocking of data that are incomplete or inaccurate or have been collected or processed in violation of the applicable national law, and in some circumstances, a right to object to the processing of their data.

Further, in its Communication 609, the EU Commission has announced that the upcoming amendment to the data directives would provide enhanced rights for individuals, including: (a) requiring that access or correction be provided free of charge; (b) clarifying the right to prevent the processing of one’s data; and (c) the “right to be forgotten”.

The right of access to data and the associated rights have been one of the most significant differences between the United States and the rest of the world when comprising the privacy regimes throughout the world. With the proposed addition of a right of access and correction, the United States would be getting closer to the philosophies in effect in most the rest of the world.

Consent to Material Changes

In addition, under the Proposed Framework, all entities would be required to provide prominent disclosures and obtain affirmative consent for material, retroactive changes to data policies. For several years, the Federal Trade Commission has insisted that consumers should have the right to object to new uses of their information for purposes that had not been originally disclosed. For example, this requirement was expressed in the enforcement action against Gateway Learning, in 2004 (see, http://www.ftc.gov/opa/2004/09/fyi0454.shtm), and restated in several FTC documents (see, e.g., Behavioral Principles, http://www.ftc.gov/opa/2009/02/behavad.shtm).

This approach is consistent with the purpose limitation principle in effect in the EU (see, Article 6, 1995 Data Protection Directive), which requires that individuals consent to any new use of their personal information.

Consumer Awareness

Finally, the Proposed Framework would require that stakeholders undertake a broad effort to educate consumers about commercial data practices and the choices available to them. Increasing consumer understanding of the commercial collection and use of their information is important to facilitating competition on privacy across companies.

This approach is also consistent with the views recently expressed by the European Union in Communication 609. The Commission has also acknowledged that it was necessary to increase the public’s understanding and awareness of privacy issues. The Commission proposes to set aside a budget for an awareness campaign.

Conclusion

Borders used to create a wall between countries, and prevented the free flow of people, information and goods. Cloud Computing and the Internet have shattered this wall, and we now live in a borderless world. Nevertheless, countries have retained their identify and their sovereignty within their territory, which results in significant discrepancies in the way legal issues are handled. This has been the case, for example, for the protection of personal data throughout the world. The discrepancies in the data protection regimes throughout the world hamper the free flow of the personal data. This challenge also creates a challenge to global commerce. The more similar the laws are, the easier it is for people, goods and ideas to move freely, and for commerce to flourish.

With its proposed Privacy Framework, the Federal Trade Commission is outlining a structure that would take the protection of personal data and privacy rights in the United States closer to the regimes in effect in most of the world’s leading economic powers. This progress should be very favorable to electronic and traditional commerce. It is important to encourage the efforts of the Federal Trade Commission, so that all countries can better exchange people and goods, and interstate and international commerce can prosper.

Francoise Gilbert was interviewed for the article “FTC Stands by Self-Regulatory Approach in Long-Awaited Consumer Privacy Report” (subscription required) in the Privacy and Security Law Report section of the BNA.

In its long awaited report on privacy protection, which was published on December 1, 2010, the Federal Trade Commission outlines a Proposed Privacy Framework for businesses and policy makers. The Proposed Framework would focus on the collection, maintenance, sharing, or use by commercial entities of consumer personally identifiable information, online and offline. “Personally identifiable information” is defined as data that can be reasonably linked to an individual, computer, or device.

The proposed Framework does not promote the adoption of legislation, but it identifies three areas of focus:

• Promoting privacy throughout the organization, and at every stage of the development of products and services;
• Simplifying choices for consumers; and
• Providing greater transparency of data practices.

The FTC staff has requested that comments on each component of the Privacy Framework and how it might apply in the real world be filed by January 31, 2011. The Commission will issue a final report in 2011.

This article provides an overview of the Proposed Privacy Framework and analyses its potential effects on US businesses.  For a comparison of the Proposed Privacy Framework with the data protection laws in effect in the European Union and elsewhere in the world, see FTC Draft Privacy Framework: Getting a Little Closer to the EU Approach by Francoise Gilbert, published in BNA Privacy & Security Law Report, 9 PVLR 1672, (December 6, 2010) (subscription required), http://news.bna.com/pvln/PVLNWB/split_display.adp?fedfid=18687594&vname=pvlrnotallissues&fn=18687594&jd=a0c5m7w8w0&split=0.

Building Protection in Everyday Practices

First, the Proposed Privacy Framework would require companies to build privacy protections into their everyday business practices and to promote privacy throughout their organizations, and at every stage of the development of their product and services. This would be achieved by limiting their collection and retention of personal information, providing adequate security for all categories of personal information, and by implementing a comprehensive privacy program.

Quality, Security, and Limitations on Collection and Use

The Framework would require at least the following restrictions or requirements:

• Providing reasonable security for consumer data;
• Collecting only the data needed for a specific business purpose;
• Retaining data only as long as necessary to fulfill that purpose;
• Safely disposing of data no longer being used; and
• Implementing reasonable procedures to promote data accuracy.

The practices described above are well known “best practices” that are already incorporated in existing laws, such as the healthcare privacy laws and regulations (HIPAA Privacy and Security Rules, and HITECH Act and Regulations). Some of these practices are also part of the FTC Fair Information Practice Principles.

The adoption of these practices makes sense for many reasons, including increasing data quality, ensuring that data are not lost or altered, or preventing data leaks. Currently, however, many US companies do not abide by these principles.

For example, a quick survey of popular websites would show that a large majority of the forms that are used for registration on a website, signing-up for a seminar, or obtaining a copy of a white paper require the disclosure of much more personal details than is actually necessary for the service or product offered. As a result, most users provide false information in order to preserve their privacy or anonymity, or reduce the risk of identity theft. In turn, businesses obtain unreliable data.

Further, U.S. companies tend to retain information for much longer than necessary because data disposal is not a priority; the cost of storage has lowered significantly, thereby reducing the incentive for frugality; there are insufficient resources to address the issue; or the marketing team wants to hold on to the data in preparation for some unidentified project. The drawback of holding on to data for too long is that most of the time these data become useless, because they are obsolete or no longer relevant.

Those who dispose of information in paper or electronic form also often fail to use common sense measures such as shredding or performing simple procedures to erase disks or destroy tangible media. Press reports abound with tales of medical or tax files left in trash bins or spread on sidewalks, or second hand equipment sent to the purchaser, still loaded with the original data.

It has also been clear that reasonable security is lacking at many US companies. The tsunami of security breach disclosure in the past few years have provided devastating evidence of this shortcoming. In addition, while a significant number of US States laws require the use of adequate security measures, this protection is frequently provided only to a small category of “sensitive data,” such as Social Security numbers, drivers license or ID numbers, or financial information. Lack of appropriate security results in costly data leaks.

Companies and individuals would greatly benefit from better “data hygiene” and more discipline and care in the handling of personal data. Data quality would improve, risks and liability would decrease, and information systems would not be clogged with obsolete or unreliable data.

Comprehensive Enterprise Privacy Program

The Framework would also require companies to develop a reasonable privacy program and comprehensive data management procedures throughout the life cycle of their products and services. This program would include, for example:

• Assigning personnel to oversee privacy issues;
• Training employees on privacy issues; and
• Conducting privacy impact assessments when developing new products and services.

Such concepts are not new, and they are consistent with prior guidelines that the FTC has provided in its consent orders, such as in its 2002 Final Consent Order in its case against Eli Lilly and Company. The FTC found that the company’s inadvertent disclosure of patients’ personal information was an evidence of poor data management, and, among other things, required the appointment of a privacy official, and the provision of adequate training for the personnel.

As indicated in prior FTC communications, implementation could be scaled to each company’s business operations. For example, a small amount of non-sensitive consumer data would require less stringent or comprehensive measures than vast amounts of consumer data. Companies that engage in the business of selling consumer data would be subject to higher scrutiny.

To date, most regulated companies, such as financial or healthcare institutions and their service providers, as well as global companies that comply with foreign data protection laws have already appointed a chief privacy official to oversee privacy matters, or have otherwise designated one or several individuals to focus on privacy issues. However, the remainder of US businesses is likely not to have taken such steps.

Putting in place an appropriate privacy program is likely to require significant expenses for companies that have not yet taken any steps to adequately protect the personal information of employees, customers and others who contribute to the wealth of the business, through their work, their purchases, or otherwise. Posting a privacy policy on the company’s website is insufficient (as well as a deceptive practice that may be deemed to violate Section 5 of the FTC Act and similar state laws) if there are no internal practices to ensure that the company acts in accordance with the promises it made publicly.

New Approach to Choices

The Framework would require companies to make it easier for consumer to understand their privacy practices and exercise choices, if any. The FTC Privacy Framework suggests a two-prong approach:

• Collection of data for “commonly accepted” purposes would not require prior consent of the data subject;
• For data practices that are not “commonly accepted,” consumers should be able to make informed and meaningful choices.

Commonly Accepted Purposes

What the FTC defines as “commonly accepted” purpose includes: product and services fulfillment; internal operations, fraud prevention, legal compliance and public purpose, and first party marketing. The view is that these practices are obvious from the nature of the transaction (e.g. delivery of a product) or sufficiently accepted or necessary for public policy reasons; and therefore, it would be unreasonable and cumbersome to require individuals’ content to the collection or use of their data in order to accomplish these purposes.

One item on this list is notable. The FTC Privacy Framework would allow the collection and processing of personal information without the prior consent of the data subject for “first party marketing”, i.e. to allow a merchant from whom a purchase has been made to continue the relationship with the customer using the information that was provided by the consumer, such as a home address that would have been provided for the delivery of the goods or a personal phone number that would have been provided for receiving notice of the time and date of delivery.

It will be interesting and challenging to compare the rules that would apply to this “first party marketing” with those that already apply to different forms of marketing and solicitation, such as telephone sales, mobile marketing, or unsolicited commercial communications (or spam).

Other Purposes

For data practices that are not “commonly accepted,” the FTC Framework would require that privacy choices be clearly and concisely described and offered to consumers at the time when the consumers are making decisions about their data, such as when entering personal data or before accepting a product or service.

The Proposed Framework raises the issue of the collection and processing of sensitive information. There is currently no official or well-accepted definition of “sensitive information.” Existing US laws pertaining to security breach disclosures have primarily focused on identity theft, and have provided heightened protection to financial information and identity information, for instance. On the other hand, the rest of the world generally identifies as “sensitive,” information that pertains to our most intimate activities or thoughts, such as sexual preference, medical condition, or religious or philosophical beliefs.

It will be interesting to follow how this issue evolves, and what items will be included in the definition of “sensitive information.”

Transparency of Data Handling Practices

Finally, the FTC Privacy Framework would focus on increasing the transparency of companies’ data handling practice. This would be achieved though several vehicles:

• Clearer, shorter, and more standardized privacy notices;
• Reasonable access to data maintained by the business;
• Prominent disclosures and affirmative express consent required when making material changes; and
• Consumer education.

Shorter, More Standardized Privacy Notices

According to the FTC Report, privacy policies could play an important role in promoting transparency, accountability, and competition among companies if the policies are clear, concise, and easy-to-read. Among other things, companies would be required to improve their privacy policies in order to allow a comparison of the data practices and choices across companies.

Indeed, privacy notices have become lengthy, complex documents, that the average customer has trouble deciphering. The opacity of most privacy policies makes it difficult for individuals to be aware of their rights and to give informed consent. Any efforts to improve these documents, such as using clear and plain language, would allow individuals to be better informed, in a transparent way, of the data handling practices that are used.

This requirement for simplicity and clarity has long been an important theme in FTC communications. For example, it was the focus of the FTC’s recent action against Sears (see, http://www.ftc.gov/os/caselist/0823099/index.shtm). In its complaint against Sears (see, http://www.ftc.gov/os/caselist/0823099/090604searscmpt.pdf), the FTC stated that Sears failed to adequately disclose the actual use of the software application that it was offering to its subscribers, and this missing information would have been material in consumers’ decision to install the software. The FTC deemed Sears’ failure to disclose these facts clear and conspicuously to be a deceptive practice.

The FTC Report also observes that consumers should be able to easily compare the privacy policies of different organizations. For this purpose, the FTC suggests that a short form might be used, similar to that which has been recently adopted by the agencies that regulate financial institutions. Currently only few financial institutions have adopted the format proposed by financial institutions regulators. Thus, it is difficult to appreciate the efficacy of this format.

Access to Data

The FTC report also proposes providing consumers with reasonable access to the data that companies maintain about them, particularly for companies that do not interact with consumers directly, such as data brokers. Because of the significant costs associated with access, however, the report suggests that the extent of access might be proportional to both the sensitivity of the data and its intended use.

Granting data subjects access to their data is one of the FTC’s Fair Information Privacy Principles (http://www.ftc.gov/reports/privacy3/fairinfo.shtm), which were drafted almost 15 years ago. However, for many years, the right of access and correction has been absent from most company privacy policies, with the exception of those issued under HIPAA or those that comply with the US Safe Harbor Principles. Today, most US websites do not offer a right of access and modification. For those that do, in general, access is limited to the data that are published in the “my account” section of a website. It is usually impossible for an individual to have access to the dossiers or profiles that companies have created by compiling information gathered direct, or through purchases from data brokers.

According to the FTC Report, providing capabilities for access and correction could be very costly. The Report questions whether an administrative fee should be charged. There are indeed significant technical issues associated with the retrieval of data, such as when data are commingled with other data, gathered in huge databases, or held in back-up, storage, or archival media. On the other hand, companies that have implemented appropriate measure to address the requirements of the amendments to the Federal Rules of Civil Procedures may already have in place adequate technologies and methods in place that would allow for the retrieval of such information.

Consent to Material Changes

In addition, under the Privacy Framework, all entities would be required to provide prominent disclosures and obtain affirmative consent for material, retroactive changes to data policies. This requirement is not new. For several years, the Federal Trade Commission has insisted that consumers should have the right to object to new uses of their information for purposes that had not been originally disclosed. For example, this requirement was expressed in the enforcement action against Gateway Learning, in 2004 (see, http://www.ftc.gov/opa/2004/09/fyi0454.shtm), and restated in several FTC documents (see, e.g., Behavioral Principles, http://www.ftc.gov/opa/2009/02/behavad.shtm).

Privacy Awareness

Finally, the Proposed Framework would require that stakeholders undertake a broad effort to educate consumers about commercial data practices and the choices available to them. Increasing consumer understanding of the commercial collection and use of their information is important to facilitating competition on privacy across companies.

Numerous segments of the US population are vulnerable and need to be educated about the benefits and traps of information technologies, social media, mobile commerce, and other recent developments, and their effect on the disclosure and sharing of personal information.

Numerous organizations, such as the Federal Trade Commission, state agencies such as the California Office of Privacy, or non-profit organizations are already making extensive efforts to educate the public. As always budgets are needed, and it is hoped that grants and other allocations would be available to accomplish these goals.

Conclusion

The Proposed Privacy Framework presented by the Federal Trade Commission provides a valuable outline for issues to be explored and refined, and actions to be taken. The current draft of the FTC Report, however, is only another step in the development of tools for improving the manner in which entities collect and use personal information. More work and efforts are ahead. A final draft is expected in 2011; after that, these principles should be formally implemented, but there is currently no indication of how the implementation would be made.

Technologies and ways of doing business, such as social media, cloud computing, mobile commerce, or behavioral targeting are presenting numerous opportunities, but also great challenges. As new products and services are created, new issues with arise. It is important to continue seeking ways to striking a balance between improving the way personal data are collected, used, shared, and protected so that privacy rights and expectations of individuals are fulfilled, and companies that rely on personal data for their activities continue to have the ability to keep growing and prospering.