Vicarious liability may be used to state a claim under the FACTA provision prohibiting a retailer from printing a credit card expiration date on a receipt. See Keith v. Back Yard Burgers of Nebraska, Inc., No. 8:11-CV-135 (D. Neb. Apr. 13, 2012). According to the court, only one other unreported decision had addressed a franchisor's vicarious liability under FACTA.
On May 16, 2011, EU's Article 29 Working Party (WP29) adopted an opinion setting out privacy compliance guidance for mobile geolocation services.WP29 is comprised of representatives from the EU member states' data protection authorities (DPAs), the European Data Protection Supervisor and the European Commission. WP29's mandate includes (i) giving expert advice to the EU member states regarding the implementation of European data protection directives, and (ii) promoting uniform implementation of the directives in all EU state members as well as in Norway, Liechtenstein and Iceland. WP29's opinions, therefore, carry significant weight in the interpretation and enforcement of data protection laws by European DPAs. Not surprisingly, WP29 has concluded that geolocation data is "personal data" subject to the protections of the European data protection framework, including the EU Data Protection Directive 95/46/EC. The Working Party also determined that the collection, use and other processing of geolocation data through mobile devices generally requires explicit, informed consent of the individual. Below are the highlights of the opinion.
The UK Information Commissioner's Office announces new rules for website cookies, which will normally require explicit user consent.
Dan Or-Hof, a privacy and technology partner at the Israeli law firm Pearl Cohen Zedek Latzer is reporting that the EU Commission published the much-anticipated announcement on the adequacy of data protection law in Israel. Published on January 31, 2011, the decision adopted by the Commission determines that Israel provides an adequate level of protection for personal data transferred from the EU, however only in relation to automated international data transfers and to automated processing of data in Israel.
On December 23, 2010, Russia's President Dmitry Medvedev signed legislation delaying until July 1, 2011 the enforcement of the country's omnibus data protection law (the Federal Law Regarding Personal Data). Pursuant to the new legislation, the revised effective date for the country's data protection law is January 1, 2011, but operators have until July 1, 2011 to bring their personal data information systems into compliance with the law.
The Blog of Legal Times is reporting that late on December 7, 2010 the House of Representatives passed a bill on a voice vote that amends the definition of "creditor" in the Fair and Accurate Credit Reporting Act (FCRA) and, as a result, dramatically limits the scope of the Red Flags Rule. The House bill is identical to the legislation enacted by the Senate last week. We previously covered in detail on our blog both the House bill and the Senate bill.The legislation has the effect of largely limiting the applicability of the Red Flags Rule to financial institutions and entities commonly understood to be "creditors". It will generally exclude from the Rule's scope organizations whose "credit" activities are limited to providing a product or service and allowing customers to pay for the product or service at a later time. The legislation leaves open the possibility that the FTC would bring various types of creditors within the scope of the Rule through rulemaking. However, it sets a procedural threshold for expanding the scope of the Rule and appears to require the determination to be specific to the type of creditor. "When I think of the word 'creditor,' dentists, accounting firms and law firms do not come to mind," said Rep. John Adler (D-N.J.), speaking on the House floor.
Last week, the U.S. Senate adopted by unanimous consent a bill (S. 3987) that would limit the scope of the Federal Trade Commission's Red Flags Rule by amending the Fair Credit Reporting Act's (FCRA's) definition of "creditor." The Senate bill is identical to the bipartisan House proposal we covered in detail in our blog on November 22, 2010.Both bills have been referred to the House Committee on Financial Services. Given that the House and Senate are now on the same page with respect to the Red Flags Rule, there is a good chance that this proposal will become law before the FTC begins enforcing the Rule on December 31, 2010. The bills seek to largely limit the applicability of the Red Flags Rule to entities commonly understood to be "creditors". They would generally exclude from the Rule's scope organizations whose "credit" activities are limited to providing a product or service and allowing customers to pay for the product or service at a later time.
The Federal Trade Commission's latest delay in enforcing the Identity Theft Red Flags Rule is slated to expire on December 31, 2010. This fifth delay, which the FTC announced on May 28, 2010, was requested by members of Congress, who had been working to respond to the outcry over the FTC's broad interpretation of the Rule. In the latest legislative initiative, on November 17, 2010, representatives Adler (D-NJ), Broun (R-GA) and Simpson (R-IN) advanced a bill (HR 6420) that seeks to limit the scope of the FTC's Red Flags Rule by amending the Fair Credit Reporting Act's (FRCA's) definition of "creditor."
During the final week of October and beginning of November, I attended two privacy events that were set far apart geographically and philosophically: the Data Protection Commissioners Conference in Jerusalem and the ad:tech conference in New York City. The Jerusalem event had a decidedly pro-privacy flavor, while at ad:tech businesses showcased myriad ways for monetizing personal information. Both conferences posed interesting questions about the future of privacy, but as a privacy lawyer I was more interested in learning and observing than engaging in the privacy debates. The events' apparently divergent privacy narratives made me ponder where a privacy lawyer may fit on the privacy continuum between these two great cities.
Several news outlets are reporting today on the November 15, 2010 argument before the U.S. Court of Appeals for the D.C. Circuit on the applicability of the Federal Trade Commission's Identity Theft Red Flags Rule.The relevant part of the Rule implements Section 114 of the Fair and Accurate Credit Transactions Act (FACTA) and requires certain creditors to develop and maintain an identity theft prevention program designed to detect, prevent and mitigate fraud attempted or committed through identity theft. The FTC has taken the position that attorneys and law firms are within the scope of the Rule's definition of "creditor" to the extent they allow clients to pay for legal services after the services are preformed. The ABA successfully challenged the applicability of the Rule to attorneys before the D.C. District Court. The FTC appealed that ruling.
Earlier today, the European Commission released documents setting out the road map for revision of the European data protection rules, including the EU Data Protection Directive 95/46/EC. The strategy is based on the Commission's position that an individual's ability to control his or her information, have access to the information, and modify or delete the information are "essential rights that have to be guaranteed in today's digital world." The Commission set out a strategy on how to protect personal data while reducing barriers for businesses and ensuring free flow of personal data within the European Union.
Last week, we joined privacy regulators, practitioners and industry representatives from around the world in Jerusalem for the 32nd International Conference of Data Protection and Privacy Commissioners. On numerous panels, conference participants engaged in lively discussions about privacy compliance and enforcement as well as the future of privacy in light of evolving consumer expectations and advances in technology that tracks and identifies individuals.
Scott Blackmer provides a "discovery" checklist for global enterprises handling personal data from multiple jurisdictions, as well as advice on a global approach to privacy compliance and risk management.
German state data protection authorities have recently criticized both cloud computing and the EU-US Safe Harbor Framework. From some of the reactions, you would think that both are in imminent danger of a European crackdown. That's not likely, but the comments reflect some concerns with recent trends in outsourcing and transborder data flows that multinationals would be well advised to address in their planning and operations.
Mexico has joined the ranks of more than 50 countries that have enacted omnibus data privacy laws covering the private sector. The new Federal Law on the Protection of Personal Data Held by Private Parties (Ley federal de protección de datos personales en posesión de los particulares) (the "Law") was published on July 5, 2010 and took effect on July 6. IAPP has released an unofficial English translation. The Law will have an impact on the many US-based companies that operate or advertise in Mexico, as well as those that use Spanish-language call centers and other support services located in Mexico.
A new set of EU standard contract clauses ("SCCs" or "model contracts") for processing European personal data abroad came into effect on May 15, 2010. Taken together with a recent opinion by the official EU "Article 29" working group on the concepts of "controller" and "processor" under the EU Data Protection Directive, this development suggests that it is time to review arrangements for business process outsourcing, software as a service (SaaS), cloud computing, and even interaffiliate support services, when they involve storing or processing personal data from Europe in the United States, India, and other common outsourcing locations.
As previously reported here, the Federal Trade Commission (FTC) is currently scheduled to commence enforcement of the FACTA Red Flags Rule (72 Fed. Reg. 63,718) on June 1, 2010. On Friday, only 10 days before the deadline, the American Medical Association, the American Osteopathic Association, and the Medical Society for the District of Columbia filed suit against the FTC in the United States District Court for the District of Columbia (AMA v. FTC, D.D.C., No. 1:10-cv-00843), following in the footsteps of similar lawsuits filed in the past year by the American Bar Association (ABA) and the American Institute of Certified Public Accountants (AICPA). The ABA, in a lawsuit filed last August (ABA v. FTC, No. 1:09-cv-01636-RBW), succeeded in obtaining an order (now on appeal) barring the FTC from enforcing the Red Flags Rule against lawyers. (There has been no ruling on the AICPA complaint filed last November.) Following is a discussion of the definitions ("creditor" and "credit") at the heart of the dispute, a summary of the positions taken by the FTC and the AMA with respect to application of the Red Flags Rule to physicians, and a brief review of the court's decision in ABA v. FTC.
In honor of Data Privacy Day and its spirit of education, I thought it might be appropriate (and fun) to celebrate some (but certainly not all) of the A, B, Cs of Data Privacy. Would love to see your contributions, too!
As our readers know, the FTC, after four extensions of the deadline, currently intends to begin enforcing the Red Flags Rule with respect to organizations subject to its jurisdiction on June 1, 2010. In the meantime, the Red Flags Rule remains in effect as to all financial institutions and creditors (and has been subject to enforcement by the banking regulators since November 1, 2008). Although a recent decision of the United States District Court for the District of Columbia, ABA v. FTC, brought lawyers outside the scope of the Rule, the Rule remains broad and covers a wide range of entities as "creditors." Creditors subject to the FTC's jurisdiction need to have their written Red Flags Rule Identity Theft Prevention Programs prepared, approved by the Board, and implemented by June 1. For more on the history and the requirements of the Rule, see my recent article, "The FACTA Red Flags Rule: A Primer," published in Bloomberg Law Reports - Risk & Compliance, reproduced here with the permission of Bloomberg.