FAQ on the "BEST PRACTICES Act" - Part Two

We recently published the first part of our FAQ series on Congressman Bobby Rush's new data privacy bill known as the “Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act” (a.k.a. the “BEST PRACTICES Act” or “Act”). In Part One we looked at some of the key definitions and requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally data security and data minimization requirements under the Act. Part Two focuses on the “Safe Harbor” outlined in the Act, the exemptions for de-identified information, and the application and enforcement of the Act.

What is the “Safe Harbor and Self-Regulatory Choice Program” that is referenced in the Act?

This appears to be a novel mechanism that allows covered entities to avoid certain obligations under the Act if they fall into a “safe harbor” based on a self-regulatory program (known as a “Choice Program”). In particular, covered entities that satisfy certain Choice Program requirements shall not be subject to:

  • the express affirmative consent obligations in section 104(a) of the Act;
  • the requirements of access to information under section 202(b) of the Act; or
  • liability in a private right of action brought under section 604 of the Act (discussed below)

Avoidance of the Act’s private right of action is especially significant in this context.

How does the “Choice Program” work?

It appears that persons or entities (it does not appear to be limited to covered entities) can submit an application to the FTC for approval of a self-regulatory program (a.k.a. a Choice Program). The FTC can approve one or more of these programs. The FTC must either initially approve or deny a Choice Program within 270 days after the submission of the application. Modifications may be made to a Choice Program that was initially approved, and each such modification must be approved or denied by the FTC within 120 days. Applicants have the right to appeal the FTC’s decision, or its failure to act within the 270-day period, to a U.S. District Court.

The FTC will only approve a Choice Program (or amendments) after notice and comments, and only if it satisfies the requirements of section 403 of the Act. If approved, a Choice Program remains approved for 5 years.

This section is very interesting as it appears to allow for some regulatory flexibility and recognizes the limitations of a one-size-fits-all approach. Ostensibly certain industry segments could develop a Choice Program that more closely fits their business model or industry (while of course still providing the protection and choice the Act seeks to impose).

What are the requirements of a Choice Program under section 403 of the Act?

In order to be approved a Choice Program must meet certain criteria. The Choice Program must provide individuals with:

  • a clear and conspicuous opt-out mechanism that, when selected by the individual, prohibits all covered entities participating in the Choice Program from disclosing covered information to a third party for one or more specified uses, and that may offer individuals a preference tool enabling them to make more detailed choices about the transfer of covered information to a third party; and
  • a clear and conspicuous mechanism to set communication preferences, online behavioral advertising preferences and other relevant preference options, and these preferences would have to be honored by all covered entities in the Choice Program.

I almost think of this as a sort of “do not call list” type of mechanism. If a group of covered entities can agree to provide individuals with a set of choices, the individual does not have to make the same choice over and over again whenever engaging in particular transactions. While this is a little vague in terms of its mechanics and scope, it is very interesting and could provide meaningful trade-offs between businesses and individuals seeking to protect their privacy and more efficiently control their information.

In addition, a Choice Program will be approved by the FTC only if it establishes:

  • guidelines and procedures requiring participants to provide equivalent or greater protection for individuals and their covered information as set forth in titles I and II of the Act;
  • procedures for reviewing applications by covered entities to participate in the Choice Program (this appears to require an application and approval process, but it is not clear who would administer that process);
  • procedures for periodic assessment of the Choice Program’s procedures;
  • periodic compliance testing of covered entities participating in the Choice Program; and
  • consequences for failure to comply with program requirements (e.g. public notice, suspension, expulsion or referral to the FTC).

Again, this provision is extremely interesting. It would appear to require that some sort of private regulatory body be set up around the Choice Program (e.g. like the PCI Security Standards Council for the PCI Standard), as well as a funding mechanism. Note that under section 404 of the Act, the FTC is charged with implementing regulations to provide further details as to how this safe harbor system is to work.

Are there any types of information or activities exempted from regulation by the Act?

Yes, section 501 of the Act sets forth some general exclusions. The Act does not prohibit a covered entity from collecting, using or disclosing:

  • aggregate information (see section 501(a)(1)), which means data that relates to a group or category of services or individuals, from which all information identifying an individual has been removed; or
  • covered information or sensitive information from which identifying information has been removed or obscured using reasonable and appropriate methods, such that there is no reasonable basis to believe that the information can be used to identify the specific individual to whom it relates, or the computer or device owned or used by a specific individual (see section 501(a)(2)).

May covered entities disclose aggregate information or information stripped of identifying information (as referenced in section 501(a)(1) and (2)) to third parties?

Yes, under section 502 information in that form may be disclosed to a third party, but the covered entity is required to take reasonable steps to protect that information. The Act provides two examples of “reasonable steps to protect”:

  • refraining from disclosing to the third party the algorithm or other mechanism used to obscure or remove the identifying information; and
  • obtaining satisfactory written assurances from the third party that it will not attempt to reconstruct the identifying information.

Does the Act prohibit any uses of covered/sensitive information stripped of identifying information (as referenced in section 501(a)(2))?

Yes, under section 501(c), if a covered entity claims the exemption for de-identified information under section 501(a)(2), it is unlawful for any person to reconstruct or reveal the identifying information that has been removed or obscured from that information. In short, the Act makes it illegal for third parties that receive de-identified covered or sensitive information to re-identify it. However, the Act also requires the FTC to promulgate regulations establishing exemptions from this rule.

How does the Act relate to and interact with other Federal privacy laws?

Section 502 of the Act indicates that, unless expressly provided for in the Act, the Act shall not have any effect on activities already covered under other Federal laws, including GLBA, FCRA, HIPAA, certain parts of the Social Security Act, COPPA, certain sections of the Communications Act of 1934, the CAN-SPAM Act, ECPA, and the Video Privacy Protection Act. On the one hand, this provision may be helpful in limiting the scope of the Act’s application to some entities, especially those that only deal with particular types of personal information. However, since the Act does not override other Federal requirements, entities that deal with different types of personal information in different contexts may find themselves needing to address multiple regulatory regimes for different parts of their organization or for different business practices.

How is the Act to be enforced by government agencies?

Under section 602, the Act may be enforced in two different ways by the government. First, the Act grants the FTC the authority to enforce the Act under section 18(a)(1)(B) of the FTC Act. The Act indicates that any violation of titles I through III of the Act shall be treated as an unfair or deceptive act or practice under the FTC Act. The penalties, privileges and immunities of the FTC Act apply as well.

Second, under section 603, the Act may also be enforced by the states. In particular, if a State AG or an official or agency of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by a violation of the Act, they may bring a civil action on behalf of those residents. However, no AG or state official or agency may bring an action under section 604 if they are also bringing an action under the laws of any relevant State. The civil action may seek to enjoin further violation of the Act, compel compliance with the Act or impose the civil penalties described in the Act. The Act describes the various civil penalties that are available for violations of particular sections of the Act. In general, penalties may be assessed for every day that a covered entity is not in compliance with the Act, up to $11,000 per day. These penalties, however, are capped at $5 million for a related series of violations under title I of the Act, and $5 million for any related series of violations under titles II and III of the Act.

Does the Act provide a private right of action?

Yes, section 604 of the Act provides a private right of action for certain violations. In particular, covered entities that willfully violate section 103 or 104 of the Act may be liable to affected individuals. However, no individual may bring an action under section 604 if they are also bringing an action under the laws of any relevant State. Section 604 provides that affected individuals may recover the following amounts for such a willful violation:

  • the greater of actual damages of not less than $100 and not more than $1,000;
  • punitive damages; and
  • in the case of a successful action under this section, the costs of the action together with reasonable attorney fees.

Individuals have two years from their discovery of a violation (or reasonable opportunity to discover) to bring a civil action under section 604.

Does the Act preempt similar State laws?

The Act would preempt any State law with respect to covered entities that “expressly requires covered entities to implement requirements with respect to the collection, use or disclosure of covered information addressed in the Act.” However, the Act specifically would not preempt any of the following State laws:

  • State laws that address the collection, use or disclosure of health information or financial information;
  • State breach notice laws;
  • State trespass, contract or tort law; or
  • other State laws to the extent that those laws relate to acts of fraud.

When would the Act come into effect if passed into law?

The Act, if passed, would take effect 2 years after the date it is enacted. However, the FTC has the option to stay enforcement of the Act in order to establish the parameters of the Choice Program under title IV.

FAQ on the "BEST PRACTICES Act" - Part One

Congressman Bobby Rush has introduced a new data privacy bill to Congress known as the “Building Effective Strategies to Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act” (a.k.a. the “BEST PRACTICES Act” or “Act”). Congressman Rush has been active in the data security/privacy legislation space. In December of 2009, his “Data Accountability and Trust Act” (“DATA Act”) passed the House of Representatives. While DATA focused more on data security and breach notice, the stated focus of the BEST PRACTICES Act is as follows:

To foster transparency about the commercial use of personal information, provide consumers with meaningful choice about the collection, use, and disclosure of such information, and for other purposes.

This Act comes on the heels of the Boucher Bill, which also represents a comprehensive data privacy approach (for more information on the reactions to the Boucher Bill you can look here and here).

We have put together a summary of the Act in “FAQ” format. In Part One we look at some of the key definitions, requirements concerning transparency, notice and individual choice, mandates around accuracy, access and dispute resolution, and finally data security and data minimization requirements under the Act. Part Two focuses on the “Safe Harbor” outlined in the Act, the exemptions for de-identified information, and provisions concerning the application and enforcement of the Act. Final note: this is not a law, but rather only a bill. If passed at all, it is likely that the final version will vary from this initial proposal.

What kinds of entities does the Act apply to?

The Act defines “covered entities” to mean any person engaged in interstate commerce that collects or stores data containing covered information or sensitive information. However, section 601 of the Act limits the application of the Act to only those persons over which the Commission has authority pursuant to section 5(a)(2) of the FTC Act. (Note: this section previously indicated that the Act applied to all persons engaged in interstate commerce, which is the language in the definition of covered entity; the error was noted by a reader and the correction made here.) Covered entities do not include any divisions of Federal or state government, or entities that meet specified criteria (e.g. store fewer than 15,000 records, collect fewer than 12,000 records in a year, etc.; see the definition of “covered entity” for more detail).

Observations: Significantly, it does not appear that the definition of covered entity makes the traditional distinction between data owner/controller and service provider/processor. As such, service providers may be directly subject to the Act as a result of collecting or storing covered/sensitive information on behalf of their customers.

What kinds of information does the Act regulate?

The Act regulates “covered information” and “sensitive information.”

“Covered information” includes such information elements as first name or initial and last name, postal address, email address, telephone/fax number, government issued identification numbers (e.g. tax ID, driver’s license number, etc.), financial account numbers, credit/debit card number, access codes/passwords, “unique persistent identifiers” used to collect, store or identify information about a specific individual or create a profile (e.g. customer numbers, IP addresses, unique pseudonym), and any information collected, stored, used or disclosed in connection with the foregoing information. Section (B) of the definition also lists a number of important exclusions concerning certain business-related information.

“Sensitive information” means information associated with covered information of an individual that relates directly to the individual’s medical history or health, race or ethnicity, religious beliefs/affiliations, sexual orientation/behavior, financial information (income, assets, liabilities, etc.), a person’s geolocation information, unique biometric information or social security number.

Observations: The definitions of information regulated under the Act go well beyond any existing U.S. definition of personally identifiable information. For example, the “traditional” definition of PII normally requires first name and last name combined with additional information such as a financial account number. The definition of “covered information” in the Act does not require such a combination; each data element stands on its own and may not need to be tied to or identify a specific person. If I, as an individual, had an email address of wildwolf432@hotmail.com, that address would appear to satisfy the definition of covered information even if my name was not associated with it.

The definition of “sensitive information” echoes similar definitions under the EU Data Protection Directive and other laws based on the EU model. Interestingly, however, it also specifically includes geolocation information (which some believe may become a larger privacy issue with the prevalence of mobile computing and smartphones).

How does the Act promote transparency about the commercial use of information?

Section 101 of the Act promotes transparency by requiring covered entities to provide certain information about the covered entity’s information practices and the individual’s options with respect to such practices, including:

  • the identity of the covered entity;
  • a description of the covered/sensitive information collected or stored by the covered entity;
  • the specific purposes for which the covered entity collects and uses the covered information, including how the covered entity customizes products, services or prices based on such information;
  • the specific purposes for which covered/sensitive information may be disclosed to third parties, and the categories of third parties who may receive such information;
  • the choices and means for limiting the collection, use and disclosure of covered/sensitive information;
  • a description of the information any individual may request access to, and the means for making such a request;
  • how the covered entity may merge, link or combine covered/sensitive information;
  • the retention schedule for covered/sensitive information, including whether the entity will retain information permanently;
  • whether the individual can direct the deletion of information collected from or about the individual;
  • a reasonable means for individuals to contact the covered entity regarding its handling of covered/sensitive information;
  • the process by which the covered entity notifies individuals of material changes to its practices or policies;
  • a hyperlink to the FTC’s online consumer complaint form or the FTC’s toll-free number for the Commission’s Consumer Response Center; and
  • the effective date of the privacy notice.

Observations: While much of the notice requirements of the Act parallel the Fair Information Practice Principles, one could argue that the Act also includes notice elements that go beyond those principles. These additional elements appear to address current issues that some believe pose privacy problems. For example, it is interesting that notice is required concerning where and how information will be merged or combined with other data. The retention schedule requirement is also interesting, as it may address concerns about companies retaining data for too long.

How must the notice required under the Act be provided?

Under section 102 of the Act, the notices described in the prior FAQ must be “concise, meaningful, timely, prominent, and easy-to-understand” in accordance with FTC regulations authorized under the Act that will be published later. Notices must be retained for six years from the later of the date the notice was issued or the date it was last in effect.

Is notice required for “in-person transactions”?

Under section 103 of the Act, it appears that the notice and information referenced above is not required for “in-person transactions,” but only if the covered information is collected for an “operational purpose” (e.g. for the purpose of providing goods or services, managing operations, complying with legal obligations or protecting against risks and threats) or if the covered entity is only collecting name, address, email or phone/fax number and does not share the information or use it to acquire additional information about the individual from third parties.

Observations: Notably, the Act does not indicate that covered information needs to be collected solely for operational purposes. Based on the current wording, one could argue that if covered information was collected for both operational purposes and marketing purposes, it could still fall under the “operational purposes” exception.

Are covered entities required to get consent from individuals for the collection and use of covered information?

Yes, under section 103 of the Act covered entities must obtain “opt-out” consent in order to collect or use covered information (except for the collection or use of covered information for operational purposes). The Act indicates that a covered entity shall be considered to have obtained proper consent if it has provided the notice required under the Act, provides a reasonable means to exercise an opt-out right and decline consent, and the individual either affirmatively grants consent or does not decline consent.

The consent is considered permanent unless the individual directs otherwise. However, the covered entity must provide the individual with a reasonable means to decline or revoke previously granted consent at any time.

A covered entity may also provide individuals with the ability to decline consent for specific uses of his or her personal information, but only if the individual has been given an opportunity to broadly opt-out of all collection and use of covered information.

May covered entities collect or use covered information as a condition of an individual’s receipt of a service or other benefit?

Yes, but only if: the covered entity has a direct relationship with the individual; the information is not shared with any third party without the express affirmative consent of the individual; the covered entity provides a clear, prominent and specific statement of the specific purposes for which covered information will be used; the individual provides consent by acknowledging such uses; and the individual is able to later withdraw consent.

Are covered entities required to get consent from individuals for the disclosure of covered information to third parties?

Yes. In general, a covered entity may not disclose information to a third party unless it has received express affirmative consent from the individual prior to disclosure. However, some exceptions apply.  For example, no such consent is necessary for joint marketing activities as long as the covered entity has entered into a contract with the third party that prohibits the disclosure of the information except as necessary to carry out the joint marketing relationship.

Are covered entities required to get consent from individuals for the collection, use or disclosure of sensitive information?

Yes. In general, under section 104 of the Act, a covered entity may not collect, use or disclose sensitive information to a third party unless it has received express affirmative consent from the individual.

Does the Act put any limitations or restrictions on behavioral advertising or tracking an individual’s Internet browsing activities?

Yes. Under section 104 of the Act, covered entities may not use software or hardware to monitor all or substantially all (a.k.a. “comprehensive online data collection”) of an individual’s browsing activity (or other significant Internet or computer activity), and may not collect, use or disclose information concerning that activity unless certain conditions are met.

Covered entities may engage in comprehensive online data collection only if they receive the express written consent of the individual, or if the collection is for the purpose of making such information accessible to the individual for the individual’s own use.

Are there any exceptions to the consent requirements of the Act?

Yes, exceptions exist under section 106 of the Act.

Covered entities may disclose information to a service provider as long as they have obtained the initial consent to collect the information and contractually prohibit the service provider from disclosing the information other than for purposes of carrying out the purpose for which it was disclosed. However, the Act indicates that the covered entity remains responsible and liable for the protection of information transferred to a service provider for processing.

Consent is also not required for collection, use or disclosure necessary for fraud detection, imminent danger or compliance with law.

In addition, consent under the Act is not necessary for the collection, use or disclosure of publicly available information. However, even publicly available information cannot be used by a covered entity for marketing purposes if the individual has opted out of such use.

Do covered entities have any obligation concerning the accuracy of information they collect, assemble or maintain?

Yes, section 201 of the Act requires covered entities to establish reasonable procedures to assure the accuracy of covered information or sensitive information they collect, assemble or maintain. This duty may be further fleshed out as section 201 requires the FTC to promulgate regulations to implement this section. Limited exceptions exist with respect to fraud databases and publicly available information.

Does the Act require the covered entity to provide individuals with access to covered information or sensitive information?

Yes, under section 202, covered entities are required to provide access to such information if it may be used for purposes that could result in an adverse decision against the individual, including the denial of a right, benefit, or privilege. If the information could not reasonably result in an adverse decision, the covered entity is only required to notify the individual of the type of information the covered entity typically collects.

In addition, covered entities, upon request, must provide individuals with access to their personal files, but only if the entity stores such file in a manner that makes it accessible in the normal course of business.

However, none of the foregoing obligations apply to information retained for under 30 days.

Is there any time frame by which a covered entity must respond to a permitted access, correction or amendment request?

Yes, in general, under section 202(f), covered entities have thirty days from the receipt of such request to respond.

Does the Act impose any data security requirements with respect to covered information or sensitive information?

Yes, under section 302 of the Act each covered entity and service provider must establish, implement and maintain “reasonable and appropriate” administrative, technical and physical safeguards to:

  • ensure the security, integrity, and confidentiality of the covered information or sensitive information it collects, assembles, or maintains;
  • protect against any anticipated threats, reasonably foreseeable vulnerabilities, or hazards to the security or integrity of such information; and
  • protect against unauthorized access to or use of such information and the loss, misuse, alteration, or destruction of such information.

The Act requires the FTC to promulgate regulations to implement this section.

Does the Act require covered entities to conduct a risk assessment of their information handling practices?

Yes, under section 302 of the Act covered entities are required to conduct an assessment of the risks to individuals raised by their collection, use and disclosure of covered information or sensitive information before engaging in such activities (or once they believe there is a reasonable likelihood that they will engage in such activities), but only if the activities will involve more than 1 million individuals.

Does the Act require any audits or assessments?

Yes, covered entities must conduct periodic assessments to evaluate whether the covered/sensitive information they have collected remains necessary for the purposes described at the time of collection, and whether their ongoing collection practices remain necessary for legitimate business purposes.

Does the Act limit how long a covered entity can retain covered/sensitive information?

Yes, under section 303 of the Act covered entities may retain covered/sensitive information for only as long as necessary to fulfill a legitimate business purpose or comply with a legal requirement.

Coming up next in Part Two: the “Safe Harbor” outlined in the Act, the exemptions for de-identified information, and the application and enforcement of the Act.


Do the New EU Processing Clauses Apply to You?

A new set of EU standard contract clauses (“SCCs” or “model contracts”) for processing European personal data abroad came into effect on May 15, 2010. Taken together with a recent opinion by the official EU “Article 29” working group on the concepts of “controller” and “processor” under the EU Data Protection Directive, this development suggests that it is time to review arrangements for business process outsourcing, software as a service (SaaS), cloud computing, and even inter-affiliate support services, when they involve storing or processing personal data from Europe in the United States, India, and other common outsourcing locations.

I reported in February about the European Union adopting a new set of SCCs to legitimize the transfer of European personal data to foreign processors. From May 15 onward, the new SCCs must be used unless there is another legal basis for the transfers, such as the EU-US “Safe Harbor” program.

Here is a summary of the impact of this EU decision, in the form of FAQs:

Why Use Standard Contract Clauses?

The EU Data Protection Directive requires national authorities to forbid the transfer of personal information to countries outside the European Economic Area (EEA) unless the data will be adequately protected by law or a specific derogation, such as approved SCCs or the individual’s informed consent, applies.

The United States, India, China, the Philippines, Jamaica, South Africa, and other common destinations for outsourced data services do not have similar data protection laws and are not deemed to provide an “adequate level of protection.” US companies that participate in the “Safe Harbor” framework for handling European personal data in the US, or sending it onward for processing in a third country, are treated as offering adequate protection. So are multinationals that implement Binding Corporate Rules (“BCRs”) approved by each of the relevant European countries for data transfers within a corporate group. But apart from transfers to Safe Harbor companies or in certain narrow contexts such as express consent or BCRs, offshoring arrangements involving personal data typically do not comply with European national data protection laws unless the company in Europe enters into a contract with the foreign vendor that includes EU-approved SCCs.

(It is also possible to seek approval from each relevant country for a unique set of contractual clauses, but this is an uncertain and time-consuming alternative that few organizations pursue.)

There are good reasons for a US company to consider Safe Harbor or BCRs, although these are beyond the scope of this article. But in any event, there will almost certainly be contexts in which neither Safe Harbor nor BCRs will cover all the data transfers that the company requires, such as data transfers outside the corporate group or directly from Europe to vendors outside the United States. In those cases, SCCs will typically be required.

What Countries Accept the EU SCCs?

EU-approved SCCs are ostensibly a passport for personal data from all 27 EU member states plus the other three EEA countries – Iceland, Liechtenstein, and Norway. However, one EU member state, Hungary, has not yet conformed its national law to routinely allow data transfers based on SCCs (or on Safe Harbor or BCRs, for that matter); individual consent is still required in most cases in Hungary.

Outside the EEA, Switzerland and Israel, which have similar data protection regimes, allow the transfer of personal data abroad if the companies use EU-approved SCCs. There are also instances where other non-EEA countries, such as Russia, have approved data transfers under contracts employing the EU SCCs, on a case-by-case basis.

This does not mean that a company can sign an agreement including, or annexing, SCCs and just start transferring personal data to an affiliate or vendor in the US or India. Unlike transfers to “adequate” countries such as Canada or to US Safe Harbor companies, data transfers under SCCs require notification to the data protection authorities (DPAs) in many European countries, and in some countries the transaction must await prior approval by the local DPA. In the UK, notice is effected simply by checking a box on an online registration form. In France, Spain, or The Netherlands, on the other hand, the European company must submit details and await an official response. In Germany, the internal data protection officer must approve the transfers, and approval may also be required from a works council or labor union if the outsourcing involves employee data.

If a company does not vary from the text of the EU SCCs and attaches a satisfactorily detailed annex describing the data transfers, including any special provisions for protecting sensitive categories of personal information, authorization should be forthcoming. But authorization often takes as long as three or four months in some countries. This should be factored into project and contract timing.

What Do the SCCs Provide?

One of two different versions of EU-approved “controller-controller” SCCs must be used if the data controller in Europe is transferring personal data to a foreign data controller, such as a parent, affiliate, or business partner that will make its own use of the data. For transfers to a processor that is merely handling the data on behalf of a European data controller, the newly adopted version of “controller-processor” SCCs must be employed.

The SCCs, which must be made available to the authorities and affected individuals on request, identify the “data exporter” in Europe and the “data importer” overseas. In contracts with processors, the processor must agree to follow the instructions of the data controller and maintain the confidentiality and security of the data. In the case of contracts between data controllers, each of which can use the data for its own purposes, the relevant SCCs allow the parties to select the governing European data protection law or a minimum set of data privacy principles.

SCCs provide for third-party beneficiary liability to the affected individuals and allow the data exporter to terminate the entire data transfer agreement if the data importer fails to comply with the SCCs. The SCCs also require the parties to annex a description of the covered data transfers in a prescribed format.

What’s Different about the New Processing SCCs?

The chief difference between the new controller-processor SCCs and the prior version published in 2001 is that the new SCCs take account of the trends to subcontract storage, technical support, or specific processing functions to third parties. When such “subprocessing” is contemplated, the new SCCs require the vendor to obtain the customer’s consent to subprocessing and execute written agreements with the subprocessors placing them under the same obligations to protect the personal data. The customer is also required to maintain a list of such subprocessing agreements and make it available on request to the data protection authorities, who may audit any subprocessing.

Here are some examples where these changes will typically involve more investigation and documentation than previously:

• An outsourcing vendor in the US plans to have some contracted functions performed by its affiliates in India or China.

• A cloud computing vendor aggregates services and hosting provided by a network of third parties.

• A parent company in the US, which has been providing technical support to European affiliates under SCCs, plans to outsource some support functions to vendors.

Are Existing Vendor Contracts Grandfathered?

Yes. Contracts in place before May 15, using the older version of EU-approved processing SCCs, may continue without revision until they expire, or until the nature of the data transfers changes materially or the vendor seeks to add a subprocessor.

Should We Use the Controller or Processor SCCs?

Sometimes it’s hard to tell which SCCs to use, because it is a factual question whether the data importer is in some respects acting as a controller of the data as opposed to acting as a mere processor. Simply saying in the contract that the data importer is only a processor may not preclude a different opinion by the authorities or the courts.

A parent company in the US, for example, may support global communications and ERM functions on behalf of its European subsidiaries, similar to what an unrelated outsourcing vendor might provide. But if the US parent also has access to the European data for its own purposes – such as corporate planning, career development and succession planning, and perhaps global insurance, audit, or legal functions – the US parent looks more like a data controller with respect to those purposes. Thus, a US parent company might be viewed as both a controller and a processor of European data.

Similarly, a global company may retain a benefits provider, perhaps to manage an employee stock option program or administer a pension fund. To the extent that the benefits provider simply performs functions at the employer’s behest, it appears to be a processor. But if the benefits provider also markets and provides additional services directly to the employees, it seems to be taking on the role of a controller.

In most European countries, the parties could safely rely on the controller-controller SCCs in such cases of mixed use. However, DPAs (especially in Greece) sometimes insist on separating the functions and require the data importer to sign two SCCs, one as a controller and the other as a processor. European Commission staff reports have occasionally noted the potential ambiguities in this, and other, applications of the controller and processor concepts, but as yet there is not a uniform and predictable approach to the problem.

The EU Data Protection Directive primarily regulates data controllers. A controller is defined in Article 2 of the Directive as the natural or legal person or public agency that “alone or jointly with others” determines “the purposes and means of processing” personal data. A processor is a natural or legal person or agency that processes data on behalf of a controller. “Processing” is defined very broadly in the Directive to include collection, use, storage, manipulation, disclosure, disposal, and virtually any other action with personal data. A controller can decide either to process personal data itself or delegate some or all processing activities to a processor. International data transfer agreements using SCCs always involve a data controller in Europe transferring personal data to either a controller or processor abroad.

In February, the Article 29 Data Protection Working Party, comprised of data protection officials from the European Commission and each of the member states, issued Opinion 1/2010 on the concepts of “controller” and “processor.” The concepts are important, of course, not only in choosing which SCCs to use in international transfers, but more importantly in deciding who has ultimate responsibility for protecting and properly using personal data, and which country’s law applies.

The Article 29 Working Party Opinion identifies controllers as the entities that decide to have some personal data processed for their own purposes. It recognizes that multiple parties (such as a parent company and its affiliates or business partners) may collectively decide which data elements are needed and how they will be handled. They need not have equal voices in those decisions, and their respective responsibility and liability may be limited to their own decisions. The Working Party also concluded that a processor may have some discretion in determining “the most suitable technical and organizational means” to accomplish delegated processing, without becoming a controller.

The Opinion, in my view, supports the conclusions that many global companies have reached, that parent and affiliate companies in a group usually should be considered joint controllers of employee and customer data used for a variety of purposes within the group, and that third-party outsourcing vendors remain merely processors even if they propose and implement decisions about the means of processing, based on their expertise. When struggling with the controller/processor distinction, organizations should ask the basic questions, “who wants this personal data, and why?” as a guide to recognizing who is ultimately responsible for the data and who is merely crunching it on their behalf. Among other things, the answers to those questions will determine which set of SCCs to use for international data transfers.

Breaking Down the Boucher Bill

In early May, Reps. Rick Boucher (D-Va.) and Cliff Stearns (R-Fla.) introduced a long anticipated "discussion draft" of a bill "[t]o require notice to and consent of an individual prior to the collection and disclosure of certain personal information relating to that individual."  You have probably heard that industry and consumer groups alike are not happy with the discussion draft.  What exactly is the Boucher Bill and what would it mean for almost every company engaged in the collection, use or disclosure of personal information (not just companies engaged in online behavioral advertising)?  Following is a FAQ.  Comments on the draft legislation are due June 4 (mark your calendars).


  • Isn't the Boucher Bill just about online behavioral advertising conducted by large marketers?

No.  The Boucher Bill is proposed federal privacy and data security legislation that is very broad and far-reaching and goes way beyond regulation of online behavioral advertising as defined by the FTC.

  • What would the Boucher Bill prohibit?

Under the Boucher Bill, a "covered entity" would be prohibited from collecting, using, or disclosing "covered information" from or about an individual for any purpose unless the covered entity (A) makes available to the individual a prescribed form of privacy notice prior to the collection of any covered information; and (B) obtains the consent of the individual to such collection in the manner set forth in the Bill.

This is interesting given that many regulators and legislators, including the FTC, have been calling for an end to the notice and consent model when it comes to meaningful privacy choice.

  • What is a "covered entity"?

The Boucher Bill broadly defines a "covered entity" as any person engaged in interstate commerce that collects data containing covered information.  A covered entity would not include a government agency or any person that collects covered information from fewer than 5,000 individuals in any 12-month period and does not collect sensitive information.  Thus, it appears that just about any organization with more than 5,000 employees and/or customers would be a "covered entity" under the Boucher Bill.

  • What is "covered information"?

The short answer is - just about anything that identifies (or even might identify) an individual.  "Covered information" is defined as, with respect to an individual, any of the following:

  1. The first name or initial and last name.
  2. A postal address.
  3. A telephone or fax number.
  4. An email address.
  5. Unique biometric data, including a fingerprint or retina scan.
  6. Social Security number, tax identification number, passport number, driver’s license number, or any other government-issued identification number.
  7. A financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.
  8. Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used to collect, store, or identify information about a specific individual or a computer, device, or software application owned or used by a particular user or that is otherwise associated with a particular user.
  9. A preference profile.
  10. Any other information that is collected, stored, used, or disclosed in connection with any covered information described in 1-9 above.

  • What is a "preference profile"?

A "preference profile" is a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity.

  • How would a "covered entity" collecting "covered information" provide the required notice?

The answer depends on whether the covered entity collects the information online or offline.

Online:  If a covered entity collects covered information through the Internet, the Boucher Bill requires that it must post a privacy notice clearly and conspicuously on the website through which the covered information is collected.  The privacy notice must be accessible through a direct link from the Internet homepage of the covered entity.  This is very much like California's Online Privacy Protection Act, Business and Professions Code section 22575 et seq. 

Offline:  Unlike California (or any existing state law), the Boucher Bill would require notice even where information is collected offline or by means other than the Internet.  If a covered entity collects covered information by any means that does not utilize the Internet, the Bill requires that notice be made available to an individual in writing before the covered entity collects any covered information from that individual.

  • What information must be included in the privacy notice?

The privacy notice (for online and offline collection) must include all of the following:

  1. The identity of the covered entity collecting the covered information;
  2. A description of any covered information collected by the covered entity;
  3. How the covered entity collects covered information;
  4. The specific purposes for which the covered entity collects and uses covered information;
  5. How the covered entity stores covered information.
  6. How the covered entity may merge, link, or combine covered information collected about the individual with other information about the individual that the covered entity may acquire from unaffiliated parties [an "unaffiliated party" is any entity that is not related by common ownership or affiliated by corporate control with a covered entity];
  7. How long the covered entity retains covered information in identifiable form;
  8. How the covered entity disposes of or renders anonymous covered information after the expiration of the retention period;
  9. The purposes for which covered information may be disclosed, and the categories of unaffiliated parties who may receive such information for each such purpose;
  10. The choice and means the covered entity offers individuals to limit or prohibit the collection and disclosure of covered information;
  11. The means by and the extent to which individuals may obtain access to covered information that has been collected by the covered entity;
  12. A means by which an individual may contact the covered entity with any inquiries or complaints regarding the covered entity’s handling of covered information;
  13. The process by which the covered entity notifies individuals of material changes to its privacy notice;
  14. A hyperlink to or a listing of the FTC's online consumer complaint form or the toll-free telephone number for the FTC's Consumer Response Center; and
  15. The effective date of the privacy notice.

This goes far beyond the content requirements of California's Online Privacy Protection Act.

  • Are there any exceptions to these notice requirements?

Yes. The notice requirements would not apply to covered information that (1) is collected by any means that does not utilize the Internet and (2) (a) is collected for a "transactional purpose" or an "operational purpose" or (b) consists solely of a first name or initial and last name, a postal address, a telephone or fax number, and/or an email address, and is part of a "first party transaction."

  • What is a "transactional purpose"?

A "transactional purpose" is a purpose necessary for effecting, administering, or enforcing a transaction between a covered entity and an individual.

  • What is an "operational purpose"?

An "operational purpose" is a purpose reasonably necessary for the operation of the covered entity, including (i) providing, operating, or improving a product or service used, requested, or authorized by an individual; (ii) detecting, preventing, or acting against actual or reasonably suspected threats to the covered entity’s product or service, including security attacks, unauthorized transactions, and fraud; (iii) analyzing data related to use of the product or service for purposes of optimizing or improving the covered entity’s products, services, or operations; (iv) carrying out an employment relationship with an individual; (v) disclosing covered information based on a good faith belief that such disclosure is necessary to comply with a Federal, State, or local law, rule, or other applicable legal requirement, including disclosures pursuant to a court order, subpoena, summons, or other properly executed compulsory process; and (vi) disclosing covered information to a parent company of, controlled subsidiary of, or affiliate of the covered entity, or other covered entity under common control with the covered entity where the parent, subsidiary, affiliate, or other covered entity operates under a common or substantially similar set of internal policies and procedures as the covered entity, and the policies and procedures include adherence to the covered entity’s privacy policies as set forth in its privacy notice.  However, "operational purpose" does not include the use of covered information for marketing, advertising, or sales purposes, or any use of or disclosure of covered information to an unaffiliated party for such purposes.

  • What is a "first party transaction"?

A "first party transaction" is an interaction between an entity that collects covered information when an individual visits that entity’s website or place of business and the individual from whom covered information is collected.

  • Do the consent requirements call for opt-in or opt-out consent?

It depends.

Opt-out consent is enough in many circumstances.  Under the Bill, a covered entity is deemed to have the consent of an individual for the collection and use of covered information relating to that individual if the covered entity has provided to the individual a clear statement containing the information described above and informing the individual that he or she has the right to decline consent to such collection and use, and the individual either affirmatively grants consent for such collection and use or does not decline consent at the time such statement is presented to the individual.  (However, if an individual declines consent at any time subsequent to the initial collection of covered information, the covered entity may not collect covered information from the individual or use covered information previously collected.)  Alternatively, a covered entity may comply by enabling an individual to decline consent for the collection and use only of particular covered information, provided the individual has been given the opportunity to decline consent for the collection and use of all covered information.

However, some situations require opt-in consent:

  1. A covered entity must provide the notice described above and obtain the express affirmative consent of the individual prior to making a material change in privacy practices governing previously collected covered information from that individual or disclosing covered information for a purpose not previously disclosed to the individual and which the individual, acting reasonably under the circumstances, would not expect based on the covered entity’s prior privacy notice.  This would codify existing law that a company may not unilaterally alter its privacy policy and use previously collected data in a manner that materially differs from the terms under which the data was originally collected. See In the Matter of Gateway Learning Corp., FTC Docket No. C-4120 (Sept. 10, 2004).
  2. A covered entity is prohibited from selling, sharing, or otherwise disclosing covered information to an unaffiliated party without first obtaining the express affirmative consent of the individual to whom the covered information relates.  This would represent a fundamental change in existing US privacy law, except in particular narrow sectors.  Further, a covered entity that has obtained express affirmative consent from an individual must provide the individual with the opportunity, without charge, to withdraw such consent at any time thereafter.
  3. A covered entity is prohibited from collecting or disclosing sensitive information from or about an individual for any purpose unless the covered entity makes available to such individual the privacy notice described above prior to the collection of any sensitive information and obtains the express affirmative consent of the individual to whom the sensitive information relates prior to collecting or disclosing such sensitive information.  ["Sensitive information" is any information that is associated with covered information of an individual and relates to that individual’s (A) medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (B) race or ethnicity; (C) religious beliefs; (D) sexual orientation; (E) financial records and other financial information associated with a financial account, including balances and other financial information; or (F) precise geolocation information.]  This would also be a significant shift in US privacy law, bringing the US much closer to existing stringent privacy protections in the EU.
  4. A covered entity is prohibited from collecting or disclosing covered information about all or substantially all of an individual’s online activity, including across websites, for any purpose unless such covered entity makes available to such individual the privacy notice described above prior to the collection of the covered information about all or substantially all of the individual’s online activity and obtains the express affirmative consent of the individual to whom the covered information relates prior to collecting or disclosing such covered information.
  5. With certain limited exceptions, any provider of a product or service that uses location-based information would be prohibited from disclosing such location-based information concerning the user of such product or service without that user’s express opt-in consent.

  • Are there any exceptions from these consent requirements?

Yes, but only with respect to the opt-out consent requirements and the opt-in consent requirements under (1) and (2) above.  There are no exceptions to the opt-in requirements under (3), (4) and (5) above.

The opt-out requirements and the Gateway-type opt-in requirements described in (1) above do not apply to the collection, use, or disclosure of covered information for a transactional purpose or an operational purpose.

The opt-in requirements described in (2) above do not apply to the disclosure of covered information by a covered entity to a service provider for purposes of executing a first party transaction if (A) the covered entity has obtained consent for the collection of covered information (opt-out and/or Gateway-type opt-in consent described above); and (B) the service provider agrees to use such covered information solely for the purpose of providing an agreed-upon service to a covered entity and not to disclose the covered information to any other person.   [A "service provider" is an entity that collects, maintains, processes, stores, or otherwise handles covered information on behalf of a covered entity, including, for the purposes of serving as a data processing center, providing customer support, serving advertisements to the website of the covered entity, maintaining the covered entity’s records, or performing other administrative support functions for the covered entity.]

In addition, notwithstanding (2) above, a covered entity may collect, use, and disclose covered information if (1) the covered entity provides individuals with the ability to opt out of the collection, use, and disclosure of covered information by the covered entity using a readily accessible opt-out mechanism whereby the opt-out choice of the individual is preserved and protected from incidental or accidental deletion, including by (A) website interactions on the covered entity’s website or a website where the preference profile is being used; (B) a toll-free phone number; or (C) letter to an address provided by the covered entity; (2) the covered entity deletes or renders anonymous any covered information not later than 24 months after the date the covered information is first collected; (3) the covered entity includes the placement of a symbol or seal in a prominent location on the website of the covered entity and on or near any advertisements delivered by the covered entity based on the preference profile of an individual that enables an individual to connect to additional information that (A) describes the practices used by the covered entity or by an advertisement network in which the covered entity participates to create a preference profile and that led to the delivery of the advertisement using an individual’s preference profile, including the information, categories of information, or list of preferences associated with the individual that may have led to the delivery of the advertisement to that individual; and (B) allows individuals to review and modify, or completely opt out of having, a preference profile created and maintained by a covered entity or by an advertisement network in which the covered entity participates; and (4) an advertisement network to which a covered entity discloses covered information does not disclose such covered information to any other entity without the express affirmative consent of the individual to whom the covered information relates.  [An "advertisement network" is an entity that provides advertisements to participating websites on the basis of individuals’ activity across some or all of those websites.]

  • Are there any other exemptions under the Bill?

Yes.  The Bill explicitly provides that nothing therein shall prohibit a covered entity from collecting or disclosing aggregate information or covered information that has been rendered anonymous.

  • What is "aggregate information"?

"Aggregate information" is data that relates to a group or category of services or individuals, from which all information identifying an individual has been removed.

  • What does "render anonymous" mean?

"Render anonymous" means to remove or obscure covered information such that the remaining information does not identify, and there is no reasonable basis to believe that the information can be used to identify the specific individual to whom such covered information relates or a computer or device owned or used by a particular user.

  • Does the Boucher Bill include any data security requirements?

Yes.  A covered entity or service provider that collects covered information about an individual for any purpose must establish, implement, and maintain appropriate administrative, technical, and physical safeguards that the FTC determines are necessary to (A) ensure the security, integrity, and confidentiality of such information; (B) protect against anticipated threats or hazards to the security or integrity of such information; (C) protect against unauthorized access to and loss, misuse, alteration, or destruction of, such information; and (D) in the event of a security breach, determine the scope of the breach, make every reasonable attempt to prevent further unauthorized access to the affected covered information, and restore reasonable integrity to the affected covered information.  The Bill would therefore extend certain GLBA- and HIPAA-like protections to non-financial and non-health care sectors.

The Bill anticipates that the FTC will develop standards to carry out this section and, in doing so, will consider the size and complexity of a covered entity, the nature and scope of the activities of a covered entity, the sensitivity of the covered information, the current state of the art in administrative, technical, and physical safeguards for protecting information, and the cost of implementing such safeguards. 

The Bill prohibits the FTC, in promulgating rules pursuant to the Bill, from requiring the deployment or use of any specific products or technologies, including any specific computer software or hardware. Thus, the Bill seeks to make any security requirements technology-neutral (similar to the Massachusetts data security regulations and other state data security laws).

  • Does the Boucher Bill say anything about data integrity?

Not exactly.  The Boucher Bill addresses data "accuracy," requiring in very general terms that a covered entity "establish reasonable procedures to assure the accuracy of the covered information it collects."

  • Who would enforce the Boucher Bill?

Not surprisingly, the Bill gives the FTC enforcement power and would make a violation an unfair and deceptive act or practice in violation of the FTC Act.

The Boucher Bill also gives State attorneys general the power to bring a civil action seeking injunctive relief and/or damages.

The Bill explicitly states that it does not provide any private right of action.

  • Would the Boucher Bill preempt state law?

Yes, the Bill would preempt many state laws.  The Bill would supersede any provision of a statute, regulation, or rule of a State or political subdivision of a State, that includes requirements for the collection, use, or disclosure of covered information. 

The Bill would have no effect on GLBA, HIPAA, COPPA, the CAN-SPAM Act, certain other federal laws, or the FTC's authority pursuant to other laws.