In the last few months, there have been several important developments relating to international privacy and data security laws. In general, we're seeing more enforcement actions, more laws being enacted, and more private litigation. These developments are reminders of the importance of staying up to date on international privacy and data security laws and regulations, and developing comprehensive policies and procedures for complying with international laws governing the transfer of personal data across national borders.
Federal Trade Commission Enforces US-EU Safe Harbor Program
In August, for the first time, the Federal Trade Commission announced an enforcement action against a US company that falsely claimed it was participating in the US-EU Safe Harbor Program. (The Safe Harbor Program was developed to help companies comply with the European Union's Data Protection Directive, which limits the collection, use and sharing of personal data; requires notice and an opportunity to opt out; and provides other privacy protections not usually required by US privacy laws. Companies that participate in the Safe Harbor Program self-certify to the US Dept. of Commerce and promise to comply with defined privacy and data security requirements.) In October, the FTC announced six companies had settled charges that they falsely claimed to be participating in and complying with the Safe Harbor Program. These actions by the FTC send a clear warning signal that the agency is monitoring companies' claims about providing privacy protections to consumers by participating in the Safe Harbor Program.
EU Proposal to Limit Online Behavioral Advertising
The EU is scheduled to vote later this year on its Telecoms Reform Package, which includes an amendment to EU privacy law that would require companies engaging in online behavioral advertising to provide comprehensive disclosures and to obtain consumers' consent before collecting, using or sharing data from a consumer's computer. If approved, this measure would clearly impact advertisers, online companies, and third-party ad servers that place cookies on consumers' computers to provide targeted ads. In a separate action, the UK Office of Fair Trade announced in October that it will begin a comprehensive study of online behavioral advertising and customized pricing, where prices are individually tailored using information collected about a consumer's internet use, to determine if consumers are being misled by these practices.
Non-Binding Global Privacy Standards
Earlier this month, at an international privacy conference in Madrid, EU data protection authorities approved creating non-binding global privacy standards, even though the US did not participate. The "Madrid Resolution" was unanimously supported by the data protection authorities who attended the 31st International Conference of Data Protection and Privacy Commissioners. The resolution urges the adoption of universal, legally binding standards that draw on the principles and rights related to the protection of personal data in the different geographic environments of the world, with particular emphasis on harmonizing different countries' laws while also assuring the maximum level of protection for consumers.
French Data Protection Authority Issues Opinion On Interplay of Privacy Laws and Discovery Requests
US companies that must comply with discovery requests by providing personal data located in the EU may have trouble complying with both US discovery laws and EU privacy laws. The French data protection authority recently issued an opinion that provides some guidance in this area. The opinion states that a company that is transferring personal data out of France, even if that transfer occurs in response to a discovery request, must comply with the French Data Protection Act, but the company does not need to notify the data protection authority of its activity as long as a new database is not being created. However, the company is required to disclose to data subjects, before the data is transferred out of the EU, the name of the company transferring the data, the reason why such transfer is necessary, an explanation of the data subject's rights and what could happen if a data subject does not consent to the transfer. There are some exceptions from these requirements if such disclosure could lead to the destruction of evidence or jeopardize a pending investigation.
For more information on these issues and other international privacy and security developments, please contact Ieuan Jolly at firstname.lastname@example.org or 212.407.4810.
This client alert is a publication of Loeb & Loeb LLP and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney-client relationship nor should it be construed as legal advice or an opinion on specific situations. For more information, please contact a member of Loeb & Loeb's Advanced Media and Technology Group.