On December 15, 2015, the European Commission announced that an agreement had been reached with the European Parliament and the Council (the “trilogue” meetings) regarding the Commission’s sweeping 2012 EU Data Protection Reform proposal. The reform package, which consists of a General Data Protection Regulation and a Data Protection Directive for Police and Criminal Justice Authorities, updates and replaces the Data Protection Directive (Directive 95/46/EC) and the 2008 Framework Decision, and provides a comprehensive data protection regime for the entire EU. The reforms will give European consumers new rights and control over their personal information, and impose new obligations on businesses. While some of the new measures will make the system less cumbersome, the broad reach, new restrictions, expanded obligations and enhanced penalties imposed on businesses could more than offset those reductions. For a more detailed summary, click here.
False Advertising Contempt Suit Costs LifeLock $100 Million
On December 17, 2015, the Federal Trade Commission (FTC) announced that LifeLock, Inc. (LifeLock) agreed to pay a record-breaking $100 million to settle charges that it violated an earlier consent order, issued in March 2010, relating to flawed data security practices. The LifeLock settlements implicate both the “fairness” of the company’s data security practices and its representations about those practices. The FTC contended that LifeLock both failed to implement a comprehensive security program as required by the earlier order, and falsely advertised the level of its security practices. The bulk of the $100 million – $68 million – is earmarked to pay class action consumers restitution for fees paid to LifeLock; it must be paid directly to consumers and may not be used for administrative or legal fees.
The stipulated order requires LifeLock to share with the Commission information on customers sufficient to allow the FTC to administer the order, requires reporting for 5 years, and extends record-keeping obligations for 13 years. Commissioner Ohlhausen dissented on the grounds that LifeLock’s Payment Card Industry Data Security Standard (PCI DSS) and other certifications undermine the staff’s ability to assert that LifeLock was in contempt, pointing out also that PCI DSS certifications were “important evidence of reasonable security” in the recent settlement with Wyndham Worldwide.
The stipulated order represents the largest amount obtained by the FTC in a proceeding to enforce an order.
Vermont Chemical Reporting Rule Moves Forward, but with Delay
The Vermont Department of Health won approval for its new, burdensome children’s product green chemistry reporting program from the state’s Legislative Committee on Administrative Rules on November 19, 2015. The final version of the Toxic Substances in Children’s Products Rule took effect on December 10, 2015, and follows from the state’s 2014 green chemistry bill, VT S. 239. Under the rule, companies selling children’s products in Vermont must disclose the presence of any of 66 chemicals:
- as a contaminant, at 100 ppm or more; or
- as an intentionally added chemical, over the chemical’s practical quantification limit (PQL).
Unlike the requirements in Washington State, reporting obligations affect all regulated companies and are not phased in. Moreover, product-level reports are required. See more on the rule here and here.
Although the first reports were slated to be due July 1, 2016 (for the reporting period January 1 through July 1, 2016), and then every second July 1 thereafter, there is some good news: the Department has announced that it will not be able to accept reports until spring 2016, following beta testing of the reporting system. The online reporting system will be announced via this email list, and “[a]ll manufacturers will have six months to report to the Department from the date of the system’s availability. This will be true even if that six[-]month period extends past July 1st, 2016.”
While this short reprieve is good news, companies should begin to think about compliance now.
Life After the U.S.–EU Safe Harbor
We’ve written about the ground-breaking and panic-inducing ruling of the European Court of Justice (ECJ) invalidating the U.S.–EU Safe Harbor framework as an adequate data transfer mechanism, and holding that national authorities are not bound by Commission adequacy approvals. Click here for our September 23, 2015 blog post, and here for a related October 16, 2015 post. The ECJ’s decision not only affects the more than 4,500 companies that have been using the Safe Harbor framework as a mechanism to legally transfer personal data from the EU to the U.S., but has also generated sometimes conflicting reactions from member state data protection authorities about the validity of other data transfer mechanisms. While U.S. and EU officials negotiate a Safe Harbor 2.0, companies around the world are grappling with how to manage global data flows in a way that meets legal standards, is cost-effective, and allows European consumers to benefit from an array of global products and services.
To learn more about what the end of the U.S.–EU Safe Harbor could mean, join Keller and Heckman and colleagues from member firms of Mackrell International this Friday for a complimentary webinar. Click here for more information and to register.
Article 29 WP Says Safe Harbor Transfers Illegal; Model Clauses and BCRs Under Review
The Article 29 Working Party (WP) issued a press release on October 16, 2015 announcing the outcome of its meeting to discuss coordinated action after the Court of Justice of the European Union (ECJ) decision in Schrems v. Data Protection Commissioner (C-362/14), which invalidated the U.S.–EU Safe Harbor Agreement. While calling for a coordinated position and urging Member States to urgently open negotiations with the U.S. to address “indiscriminate surveillance,” the WP stated: “transfers that are still taking place under the Safe Harbour decision after the [ECJ] judgment are unlawful” (boldface in original). The WP expressed the view that standard contractual clauses and binding corporate rules (BCRs) can still be used, but said that “this will not prevent data protection authorities to investigate particular cases, for instance on the basis of complaints, and to exercise their powers in order to protect individuals” (boldface in original).
The WP further expressed the position that if negotiations with the U.S. are not successful by the end of January 2016, or if the assessment of transfer tools does not yield results deemed to be privacy protective, then EU data protection authorities would be prepared to take actions up to and including coordinated enforcement. In this increasingly complex landscape, companies need to continue to quickly assess data transfer options.
EU Official Calls for Invalidation of EU–U.S. Safe Harbor Pact
A European Court of Justice (ECJ) advocate general, Yves Bot, has called for the European Union–U.S. Safe Harbor Agreement to be invalidated due to concerns over U.S. surveillance practices (press release here, opinion here). The ECJ has discretion to reject the recommendation, but such opinions are generally followed. A final decision on the issue is expected to be issued late this year or next year.
The issue arises out of the claims of an Austrian law student, Max Schrems, who challenged Facebook’s compliance with EU data privacy laws. (The case is Schrems v. (Irish) Data Protection Commissioner, ECJ C-362/14.) He claims that the Safe Harbor Framework fails to guarantee “adequate” protection of EU citizen data in light of the U.S. National Security Agency’s (NSA) surveillance activities. Although the Irish data protection authority rejected his claim, he appealed and the case was referred to the ECJ.
The European Data Protection Directive prohibits personal data of EU citizens from being transferred to third countries unless the privacy protections of the third country are deemed adequate to protect EU citizens’ data. The U.S. and EU agreed the Safe Harbor Framework in 2000; it permits companies to self-certify annually to the U.S. Department of Commerce (DOC) that they abide by certain privacy principles when receiving personal data transferred out of the EU. Companies must agree to provide clear data privacy and collection notices and to offer opt-out mechanisms for EU consumers.
In 2013, former NSA contractor Edward Snowden began revealing large-scale interception and collection of data about U.S. and foreign citizens from companies and government sources around the globe. The revelations, which continue, have alarmed officials around the world, and have already prompted the European Commission to urge more stringent oversight of data transfer mechanisms. In March 2014 the European Parliament adopted a (non-binding) resolution calling for suspension of the Safe Harbor Framework. Apparently in response to the concern, the Federal Trade Commission (FTC) has taken action against over two dozen companies for failing to maintain Safe Harbor certifications while advertising compliance with the Framework, and in some cases for claiming compliance without ever certifying in the first place. For more, see here (FTC urged to investigate companies), here (FTC settles with 13 companies in August 2015), and here (FTC settles with 14 companies in July 2014).
Advocate General Bot does not appear to have been mollified by the U.S. efforts, however. He determined that “the law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU,] which is transferred under the [S]afe [H]arbor scheme, without those citizens benefiting from effective judicial protection.” He concluded that this amounted to interference in violation of the right to privacy guaranteed under EU law, and that, notwithstanding the European Commission’s approval of the Safe Harbor Framework, EU member states have the authority to take measures to suspend data transfers between their countries and the U.S.
The legal basis of that opinion may be questioned, and larger political realities regarding the ability to negotiate agreements between the EU and the U.S. are at play. Nevertheless, if the ECJ follows the opinion, it would make it extremely difficult for companies to offer websites and services in the EU. This holds true even for many EU companies, including those whose cloud infrastructures store or process data in U.S. data centers. It could prompt a new round of negotiations between the U.S. and the European Commission to address increased concerns in the EU about surveillance.
Congressional action already underway may help release some tension, with the House Judiciary Committee unanimously approving legislation that would give EU consumers a judicial right of action in the U.S. for violations of their privacy. This legislation was a key requirement of the EU in an agreement in principle that would allow the EU and U.S. to exchange data between law enforcement agencies during criminal and terrorism investigations.
Although the specific outcome of this case will not be known for months, the implications for many businesses are clear: confusion and continued change in the realms of privacy and data security, and uncertainty about the legal rules of the game. Increased fragmentation across the EU may result, with a concomitant need to keep abreast of varying requirements in more countries. Change and lack of harmonization are surely the new normal now.
Vermont Department Issues Final Proposal on Children’s Product Chemical Disclosure
The Vermont Department of Health has released the final proposed version of its Toxic Substances in Children’s Products Rule (although it is not yet available on the Department’s website), adopted under the state’s 2014 green chemistry law, Act 188. The rule, largely unchanged from the proposal, is now scheduled to go before the state’s Legislative Committee on Administrative Rules (LCAR) for its consideration on September 10, 2015. As with other state chemical disclosure rules, under the final proposed rule companies selling children’s products in Vermont must disclose the presence of any of 66 chemicals present in children’s products at 100 parts per million or more as a contaminant, or above the practical quantification limit (commonly known as the PQL) for the given chemical when intentionally added. In promulgating this rule, the Department declined to align its rule with Washington State’s, or to clarify important elements of the rule. The net result is that the Vermont green chemistry reporting requirement will impose significant, independent burdens on manufacturers selling children’s products in the state. Unless checked by LCAR, these onerous reporting requirements will be in place in 2016. Changes to the current green chemistry law were proposed in a 2015 bill, S. 139, which was rejected, but new legislation to further change the landscape may be re-proposed in the next legislative session. Vermont remains a state to watch.
In Commission Win, Appeals Court Agrees that FTC Can Regulate Business Data Security Practices Under Unfairness Authority
In a closely watched case in which the Federal Trade Commission (FTC) pursued Wyndham Worldwide Corporation over several data breaches that led to millions of dollars in fraudulent charges on customers’ payment cards, the U.S. Court of Appeals for the Third Circuit on Monday (August 24, 2015) agreed with the Commission’s broad interpretation of its “unfairness” authority (opinion here). The ruling ratifies the FTC’s authority in the domain of data security, and will allow the FTC to continue to seek settlements from companies that suffer data breaches when they fail to take adequate precautions to protect sensitive consumer data. More details can be found in the alert that we sent to clients on the ruling, available here.
Unlucky 13: FTC Settles Charges under International Safe Harbor Framework
Thirteen companies have agreed to settle Federal Trade Commission (FTC) charges relating to their participation in the U.S.–EU and U.S.–Swiss Safe Harbor Frameworks. Seven companies allegedly failed to renew their Safe Harbor self-certifications, including a sports marketing firm, two software developers, a research organization, a business information firm, a security consulting firm, and an e-discovery service provider. Another six allegedly never sought certification under the Frameworks, but nevertheless claimed in their privacy policies to be certified, including an amusement park, two sporting companies, a medical waste service provider, a food manufacturer, and an e-mail marketing firm. Last year, fourteen companies settled with the FTC over similar claims (see our alert here), and an advocacy group named 30 companies in a complaint alleging that they were out of compliance with the Safe Harbor Frameworks (see our alert here).
The EU Data Protection Directive prohibits the transfer of personal data to non-EU countries that do not meet the EU standard for privacy protection, so the U.S. Department of Commerce (DOC) negotiated the Safe Harbor Frameworks to allow U.S. entities to receive such data provided that they comply with the Frameworks’ principles. To participate in the Safe Harbor Frameworks, companies must annually self-certify that they comply with seven key privacy principles for meeting the EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. Only appropriately self-certified companies may display the Safe Harbor certification mark on their websites, and the FTC is charged with enforcing those commitments.
This enforcement action is a reminder of the importance of maintaining current Safe Harbor status for those who elect to participate in the program. It is also a reminder that companies must act in accordance with their published privacy policies, and periodically review those policies to ensure that they remain current and reflect the companies’ actual practices.
FTC Issues Antitrust Enforcement Policy Statement
In a 4–1 vote, the Federal Trade Commission (FTC) has issued its long-awaited Statement of Enforcement Principles outlining the Commission’s approach to “unfair methods of competition” prohibited by Section 5 of the Federal Trade Commission Act (FTCA) but not necessarily by the Sherman or Clayton Act. The statement is brief, and those awaiting the type of detailed policy statement that the FTC previously issued in connection with its deception and unfairness advertising enforcement will be disappointed. The policy outlines three central concepts framing when the Commission will decide to challenge an act or practice as an unfair method of competition in violation of Section 5 on a standalone basis:
- the Commission will be guided by the public policy underlying the antitrust laws, namely, the promotion of consumer welfare;
- the act or practice will be evaluated under a framework similar to the rule of reason, that is, an act or practice challenged by the Commission must cause, or be likely to cause, harm to competition or the competitive process, taking into account any associated cognizable efficiencies and business justifications; and
- the Commission is less likely to challenge an act or practice as an unfair method of competition on a standalone basis if enforcement of the Sherman or Clayton Act is sufficient to address the competitive harm arising from the act or practice.
In comments announcing the principles, Chairwoman Edith Ramirez reiterated her prior support for a common-law approach to the development of Section 5 doctrine. Acknowledging that the principles are “concise,” she nevertheless stressed that this was because widely-used antitrust concepts like “consumer welfare,” “rule of reason,” “harm to competition” and “cognizable efficiencies” “derive their content from 125 years of precedent under the Sherman and Clayton Acts, and that precedent will inform Commission analysis under Section 5 as well.”
Commissioner Maureen Ohlhausen dissented, saying the policy statement was too abbreviated in substance and process for her to support it. In particular, she criticized the majority for failing to address case law, including instances where courts failed to support FTC action. Expressing concern about the potential expansive application of the policy, she stated:
I would prefer that any Section 5 policy statement be put out for public comment before adoption and include, among other things: (1) a substantial harm requirement; (2) a disproportionate harm test; (3) a stricter standard for pursuing conduct already addressed by the antitrust laws; (4) a commitment to minimize FTC-DOJ conflict; (5) reliance on robust economic evidence on the practice at issue and exploration of available non-enforcement tools prior to taking any enforcement action; and (6) a commitment generally to avoid pursuing the same conduct as both an unfair method of competition and an unfair or deceptive act or practice.
Time will tell if the policy statement becomes the basis for more expansive enforcement action, and how courts will react. Given the brevity of the Statement, future actions by the Commission may better define the current Commission’s views on the meaning of “consumer welfare” and “harm to competition,” particularly whether these terms mean anything other than the concepts as used under the Sherman and Clayton Acts, as opposed to the FTCA.