
FTC steps up enforcement action

Last week, the FTC announced that it had settled with a gaming company that falsely claimed to be certified under the US Safe Harbor.  The Safe Harbor agreement is a self-certification arrangement under which you can transfer personal data from Europe to the US without “tripping up” on the EU data export prohibition.  It is a critical plank in the platform for global companies who need to transfer personal data across borders.  Think about how many companies operate globally or who use cloud-based storage solutions and you can see how important it is to be able to transfer data internationally in a legally compliant manner.

Are we seeing a new pattern of enforcement?

Only last month, the FTC announced enforcement action against 12 companies who also falsely claimed to be Safe Harbor certified. So this is starting to look like a deliberate move to be more pro-active on Safe Harbor infringers. This has mostly been for failure to certify. Annual re-certification is required under the Safe Harbor for it to be valid.  By the way, failing to hold a current certification doesn’t mean that you are guilty of any actual privacy law breach.  So the companies had not suffered a data leak or hack and were not, necessarily, guilty of ignoring any individual rights in relation to privacy.  Perhaps this is a sign of a new willingness to take enforcement action.

Why are we seeing additional privacy enforcement?

If you ask the FTC, they will tell you that enforcement of the Safe Harbor is a top priority and should send a signal to companies that they cannot pretend to be in the program when this is not the case.  But there may be a political reason too.  The recent Snowden revelations are still bubbling in Europe and elsewhere and there is a real concern among European consumers that their data may be at risk if it is held in the US or by US companies. This is being stoked by the media and politicians, although it is not quite clear who is more to blame. One of the longstanding criticisms of the US position is that enforcement of Safe Harbor, or of companies falsely claiming that they are participants, has been limited. So the FTC’s latest enforcement action takes this criticism head on.  It also must be one of the most efficient ways to demonstrate a willingness to ensure companies are complying with the Safe Harbor without fighting long or complex disputes with alleged offenders.  Failing to self-certify is a fairly binary issue and easy to prove.

Of course, if you were going to be cynical, you would probably compare and contrast the US FTC enforcement action with equivalent action taken by supervisory authorities in Europe in relation to unlawful data exports.  While the EU supervisory authorities have been hot on many other enforcement issues, enforcement in relation to data exports has been pretty fragmented.  Suddenly the FTC looks like a rather more effective enforcer of privacy rights than some of the EU supervisory authorities would like to admit.  We are watching the FTC’s enforcement action and enthusiasm for Safe Harbor with great interest.

Data privacy: a look ahead at 2014

So as the latest Snowden revelations (oh … and the New Year Holiday fun) have subsided, how about we look at where data privacy is going in 2014.  Here is a quick “stocktake” on what is likely to happen next:

  • Snowden and the NSA – Expect more revelations from Edward Snowden about the NSA and surveillance. Whatever you think about the issues, there is little doubt this is fuel for unending press stories.
  • EU General Data Protection Regulation – I really don’t know what to say here.  Some people think it is going to go through in some form or another.  Others seriously doubt it. Over to you!
  • US Safe Harbor – so we have avoided “falling off the edge of the figurative privacy cliff” and it’s apparently still legal to transfer data to Safe Harbor certified companies in the US.  Expect more extreme demands from Europe on how US and other non-European businesses should process personal data and watch how this impacts the marketplace.  Ask any supplier of services with French, German or other mainland EU customers and you will find a growing trend making it harder for non-European businesses to sell into the European market without setting up European servers or an EU cloud. The official rules are fast becoming a basis for pulling up the EU drawbridge and staying home!
  • Data breach – expect more data breaches!  This will continue for the “big boys” like Target in the US and providers of apps and digital media like Snapchat to quote some recent examples.
  • US regulatory approach – Expect greater alignment between privacy principles adopted by the FTC in the US and at least some of the data privacy rules in Europe.  For example, the FTC is moving towards an assumption that device-based data deserves special protection in the same way that Europe did 10 years ago.  You really need to look at the substance here to appreciate that there is greater US/EU alignment, already, than some care to admit.
  • “Internet of things” – T-shirts that monitor your heart rate and other “wearable tech”.  2014 is likely to see a revolution in connected gadgets and data enabled clothing, cars, fridges and homes.
  • BCRs – no let up in the number of companies starting to look at BCRs or, at least, a BCR‑style data privacy governance engine.  How else to manage global data privacy risk and mitigate the associated reputational issues?

Finally, the best news of all: the term “geek” has been redefined by the Collins Dictionary.  It no longer means someone who is socially awkward or dull.  It is, in fact, in the dictionary’s list of “words of the year” so whatever you think of the above predictions, rest assured it is ok to be a privacy geek!

EU/US Safe Harbor … spotted alive!

The European Commission has announced that it will not kill off Safe Harbor. Instead it has published 13 recommendations to improve it and has called on US authorities to help sort this out by summer 2014. There will then be a further review of the functioning of Safe Harbor.

Safe Harbor is the self-certification regime under which US businesses can make public commitments to comply with the Safe Harbor Privacy Principles. It usually exposes them to regulation by the Federal Trade Commission; a serious regulator in anyone’s book and with a long history of enforcing privacy breaches.  The EU (in particular Germany) has long been wondering how “safe” the Safe Harbor really is.  The Edward Snowden revelations, including about Angela Merkel’s phone being monitored, gave it the platform to escalate the issue. That is what prompted this review, so it is a fraught political area.

Why is this important?

Lots of businesses use US vendors to provide services which involve servers, back-up or IT maintenance being provided from the US.  Many others need to share data with their US operations or the US HQ.  In our globalised world, global data transfers are the norm. Killing off Safe Harbor without providing an alternative solution would push many companies into hot regulatory waters. After all, although there are alternatives like Binding Corporate Rules adopted by vendors (the so-called “Processor BCRs”), they are still in their infancy.

What are the 13 recommendations?

The recommendations proposed by the EU beef up requirements in relation to transparency, redress, enforcement and, interestingly, access by US law enforcement agencies. Much of this looks like good data privacy practice. So far so good, although it is difficult to see how the recommendation that companies state in their privacy policies that they may disclose data for the purposes of national security and law enforcement will deal with the PRISM debate.  It’s surely not in a company’s gift to know whether a specific request for access is really necessary for legitimate purposes?  In any event, national security laws are not harmonised in Europe and have always been excluded from the EU Data Protection Directive.

What happens next?

There is no doubt that companies will have heaved a collective sigh of relief that Safe Harbor has survived. Such was the reaction to the PRISM debate and Edward Snowden earlier this year that some were saying Safe Harbor is dead!  This is important for the 3,000-plus companies that are Safe Harbor-certified and many more who we expect to join in order to sell their services into Europe as the digital and cloud markets grow.

The real question is whether the EU and the US can agree a basis to retain Safe Harbor in the long term which pays sufficient homage to European data privacy law and “works” for US business. It won’t help that we have European elections in May 2014 and that the Commission will be re-appointed at that time. To use the US analogy, does that make one of the negotiating parties analogous to a “lame duck president”? We doubt that, but it’s difficult to see how a final agreement can be reached any time soon. It’s also a reminder of the impact that politics can have on data privacy and that politics has, so far, failed to provide the answer.

New EU rules on security

If you Google “EU law on security”, you’ll find the EU Data Protection Directive near the top of the search results. But search a little harder and you’ll find more.

This week saw the EU publish a new draft Directive on network and information security. However, this isn’t about personal data or rules for particular sectors like telecoms. The proposed rules apply to all manner of digital platforms like e-commerce and payment platforms. They will also apply to a very broad range of critical infrastructure operators.

Who is covered by the new rules?

All “market operators” are caught. A “market operator” is defined as a provider of information society services (ISS) which enables the provision of other ISS. ISS, in this context, means an e-commerce service and this may include e-commerce platforms, internet payment gateways, social networks, search engines, cloud computing services and application stores. So, the rules will apply to those who provide any such services which underpin e-commerce services provided by others. But it’s still an incredibly broad list.

Market operators also include operators of critical infrastructure including providers of:

  • electricity, gas and oil
  • airlines, maritime transport, railways (even associated warehousing, cargo handling and support services)
  • banking
  • financial market infrastructure; and
  • healthcare

So what do the new rules say?

Market operators (i.e. all of the above) have to ensure that appropriate technical and organisational measures (yes, that phrase from the Data Protection Directive) are in place to ensure network and information system security, in particular to ensure business continuity for the services underpinned by their networks and services. So a cloud computing service has to comply where it has customers using its services to deliver services to end-users.  An electricity company will have to comply as its services will almost certainly fall into this category. Have a look at Article 14 of the draft Directive for more detail.

Duty to Notify

Article 14 also requires market operators to notify the “competent authority” (to be set up or appointed by each EU member state) of any incidents having a “significant impact on the security of the core services they provide”. So if you’re hit by a cyber attack and this results in unscheduled downtime or a power outage, you would have to notify.

The Directive also deals with a range of information security requirements, but it is the new duties to ensure security and to notify a regulator that spell a broadening of the EU rules in this area.

New European A29 Guidance on “Privacy in the Cloud”

Privacy debates in connection with cloud computing often generate more heat than light!  Some regulators (not in the UK!) have even said that use of the public cloud is illegal. Well, if it is, then many EU companies are in trouble, as the cloud covers a multitude of types of virtualised processing, much of which has been used for years. Let’s not forget that “cloud” is partly a brand name as opposed to something wholly new.

But there are new components that cloud computing has introduced: mass market access to global processing operations where data can travel seamlessly cross-border. So it is timely that the EU’s Article 29 Working Party has, this week, published an Opinion (05/2012) as a useful summary of the EU data privacy rules on use of the cloud.

Question: Does the new guidance iron out all the legal issues?

Answer: No, but it is an interesting indication as to the “direction of travel” for privacy regulation of cloud customers and providers.

The first point is that the Opinion accepts that cloud can bring benefits: access to top class technology and improvements in security, better access for SMEs (and a general stimulant for economic growth) and “pay as you use” pricing models.

So what gems are there in the new guidance?

Here is my reading of some of the more interesting points in the Opinion. What is particularly interesting is that many of the recommendations in the Opinion map to the requirements in the draft EU Data Protection Regulation rather than the current Directive. So, some of what follows is current practice; but some is new:

  • Primary obligations: the controller (i.e. the customer) bears the regulatory risk and so is incentivised to ensure compliance (note that the new draft Regulation will, for the first time, extend the compliance risk to processors too, such as cloud providers)
  • Risk analysis: customer to conduct a comprehensive and thorough risk analysis at the outset and select a cloud provider that guarantees compliance with the data privacy rules
  • Two main risks: beware of data security and international data transfers; seen as the most important privacy issues for cloud
  • Contractual links: there should be a contractual link between the customers and the cloud provider and, separately, between cloud provider and any sub-contractors; we know this already. But the Opinion says that the customer should be able to terminate the contract if the provider changes sub-contractors and the customer does not agree.
  • Transparency: customers should be informed about sub-contractors, locations of processing and “meaningful information” as to security measures; data subjects should also be notified of sub-contractors and locations.
  • Safeguards: the contract should provide “sufficient guarantees” as to security and specify the customer’s instructions and service levels and penalties.
  • Confidentiality: the cloud provider and staff should be subject to confidentiality obligations
  • Co-operation: cloud provider to assist the customer to comply with applicable data subject rights and notify of any data breaches; this reads more like the terms of the new draft Regulation
  • International data transfers: the Opinion flags the introduction of Processor BCRs as being particularly relevant to cloud providers
  • Logging and auditing of processing operations: the customer should request that the provider does this.
  • Independent Certifications: the Opinion backs the use of third party certifications as a means for cloud providers to demonstrate compliance; we have yet to see this area develop but it is a sign of things to come. Certainly individual audits by multiple customers aren’t practicable and can compromise security.
  • Disclosures to law enforcement bodies: the Opinion wants to re-instate the original proposal in the new Regulation that you can only disclose data to another country’s law enforcement bodies pursuant to international agreement or mutual legal assistance treaties. So a requirement under the Patriot Act would not be enough. More work is needed here to develop a workable solution (given almost every country’s data surveillance and access powers to fight crime and terrorism).
  • European Cloud: the Opinion supports the European Cloud Partnership and the idea of promoting European clouds “sovereignly governed by European data protection law”.

Much to think about for privacy regulation in the cloud.
