Issue 132 December 2014

Ten ways the US election may affect privacy law in 2015

When Republicans take over the US Senate in January, the priorities of committees overseeing privacy and data security issues will change significantly. By Jeff Kosseff.

In January, Republicans will control both houses of Congress. But we shouldn’t expect an immediate sea-change in privacy laws. Although Republicans will have a majority of votes in the Senate next year, they will be short of the 60 votes necessary to bring a bill to the floor. Privacy issues generally tend not to break neatly along party lines and there will remain bipartisan support – and bipartisan opposition – to most initiatives. With a Democrat in the White House, bipartisan support will be essential for any privacy legislation to pass. That said, the Republicans will control the agenda and whether legislation can receive a vote in committee and on the Senate floor.

Below are ten of the key privacy and data security trends to watch in the next Congress.

CHANGE IN TONE OF SENATE COMMERCE COMMITTEE?

Retiring Senate Commerce Committee Chairman, Jay , Democrat-, has been among the most active senators on privacy and data security issues. Rockefeller has called for regulation of data brokers, and he is a vocal critic of companies’ privacy and data security practices. He is expected to

Continued on p.3

NEWS
2 - Comment: Watch this space for US and EU privacy legislation
4 - HP dual BCR and CBPR certification
5 - EU DP draft Regulation: The final round in 2015?
7 - EU contractual clauses to become easier to use • Central/East European guide on employee data
17 - CNIL reorganises and issues insurance industry compliance pack
22 - China scrutinises Apple devices for security flaws
27 - ECJ to rule if IP addresses are personal data • DPAs demand transparency from app developers

ANALYSIS
1 - Ten ways the US election may affect privacy law in 2015
13 - Privacy self-regulation in crisis? TRUSTe’s ‘deceptive’ practices
19 - African regional privacy instruments: Harmonising effects

LEGISLATION & REGULATION
10 - Book Review: Asian Data Privacy Laws: Trade and Human Rights Perspectives
18 - New telecoms law has a serious impact on privacy in Mexico
23 - The ECJ invalidates the EU Data Retention Directive: Now what?

MANAGEMENT
8 - How do global businesses know when EU DP Law applies?
11 - Boeing fits privacy into a governance and ethics framework
22 - Apple integrates privacy functions

Search and access back issues by key words on PL&B's website

Subscribers can now conduct detailed research on data protection and privacy issues on the Privacy Laws & Business website and access:
• Back Issues since 1987
• Special Reports
• Materials from PL&B events
• Videos and audio recordings
• Search functionality giving you the most relevant content when you need it.

Further information at www.privacylaws.com/subscription_info
To check your type of subscription, contact [email protected] or telephone +44 (0)20 8868 9200.

COMMENT

Watch this space for US and EU privacy legislation

In the US, there are several privacy Bills in the Congress (p.1). The Do Not Track initiative may not be successful. But the Federal Communications Commission’s (FCC) ability to regulate privacy and data security may be an issue as Congress debates new legislation for the agency. This is one to watch, as in October the FCC imposed a $10 million fine against two telecoms companies, extending its reach into data security regulation for the first time.

On the EU front, additional steps have been taken towards adoption of the draft Data Protection Regulation. One of the unresolved questions is the One Stop Shop. The UK opposed the current Council proposals, which would allow each DPA concerned to defend its views, as it says the system would not work without a Lead Authority. Germany is concerned that this would indeed lead to ‘forum shopping’ in relation to where companies choose to base their main operations in the EU (p.5).

It is important to get this right as we have seen some disasters in the past – the Cookie Directive is not exactly an easy-to-understand piece of legislation, and the annulment of the Data Retention Directive shows that the legislator does not always understand privacy, or that too many compromises are being made to satisfy all players. Read a detailed analysis on the aftermath of the Data Retention Directive on p.23.

Africa has seen many new DP laws adopted in the last ten years and several Bills are being considered. Africa is likely to have more harmonised DP practices in different sectors in the coming years (p.19).

Privacy by Design should nowadays be more than just a theoretical concept. However, while steps have been taken in some respects (p.22), DPAs have found that app providers are still not transparent enough. They recently wrote to operators of app marketplaces, including Google Play and the Apple App Store, to urge that they make it mandatory for mobile app developers to post links to privacy policies prior to download if they are going to collect personal information (p.27).

All back issues of PL&B International and PL&B UK are now on our website. To access the back copies, either carry out a keyword search or browse through the archives – International: www.privacylaws.com/int#4 UK: www.privacylaws.com/uk#4

Laura Linkomies, Editor
PRIVACY LAWS & BUSINESS

Contribute to PL&B reports
Do you have a case study or opinion you wish us to publish? Contributions to this publication and books for review are always welcome. If you wish to offer reports or news items, please contact Laura Linkomies on Tel: +44 (0)20 8868 9200 or email [email protected].

ISSUE NO 132 DECEMBER 2014

PUBLISHER
Stewart H Dresner
[email protected]

EDITOR
Laura Linkomies
[email protected]

ASIA-PACIFIC EDITOR
Professor Graham Greenleaf
[email protected]

SUB EDITOR
Tom Cooper

REPORT SUBSCRIPTIONS
Glenn Daif-Burns
[email protected]

CONTRIBUTORS
Jeff Kosseff, Covington & Burling LLP, US
Charles D. Raab, University of Edinburgh, Scotland
Victoria Hordern, Hogan Lovells, UK
Chris Connolly, Galexia, Australia
Nigel Waters, Pacific Privacy Consulting, Australia
Mauricio Hernández, Bufete Soni, Mexico
Marie Georges, Planète informatique et libertés, France
Xavier Tracol, Eurojust, Netherlands
Merrill Dresner, PL&B Correspondent

PUBLISHED BY
Privacy Laws & Business, 2nd Floor, Monument House, 215 Marsh Road, Pinner, Middlesex HA5 5NE, United Kingdom
Tel: +44 (0)20 8868 9200
Fax: +44 (0)20 8868 5215
Email: [email protected]
Website: www.privacylaws.com

Subscriptions: The Privacy Laws & Business International Report is produced six times a year and is available on an annual subscription basis only. Subscription details are at the back of this report.

Whilst every care is taken to provide accurate information, the publishers cannot accept liability for errors or omissions or for any advice given.

Design by ProCreative +44 (0)845 3003753
Printed by Rapidity Communications Ltd +44 (0)20 7689 8686
ISSN 2046-844X

Copyright: No part of this publication in whole or in part may be reproduced or transmitted in any form without the prior written permission of the publisher.

© 2014 Privacy Laws & Business

2      DECEMBER 2014      PRIVACY LAWS & BUSINESS INTERNATIONAL REPORT      © 2014 PRIVACY LAWS & BUSINESS

ANALYSIS

US changes... from p.1

be replaced by South Dakota’s John Thune, a moderate Republican whose track record on privacy issues is not as extensive as that of Rockefeller. Similarly, the likely new top Democrat on the committee, of Florida, has not been as vocal about privacy issues as Rockefeller. Among the Senate Commerce Committee members who have expressed the most interest in privacy issues are Richard Blumenthal of Connecticut and Ed Markey of Massachusetts, neither of whom has the Senate seniority that Rockefeller had.

REGULATING THE FTC

The Federal Trade Commission in recent years has increased its oversight of companies’ data security practices. The FTC does not have explicit statutory authority to regulate data security; instead, it claims authority under Section 5 of the FTC Act, which allows it to regulate unfair and deceptive practices. Many companies argue that the FTC has overstepped its bounds, and point out the FTC’s refusal to provide specific guidance about what it considers to be adequate data security. A federal appellate court currently is considering Wyndham Resorts’ argument that the FTC simply does not have the authority to regulate data security under this statute. Some Republican members of Congress agree. For example, Senator Deb Fischer of Nebraska, a member of the Commerce Committee, has criticised the FTC’s “unchecked” authority. The Republican takeover of the Commerce Committee – and the Senate as a whole – will likely provide a larger platform for such critics. We can expect to see an increase in congressional hearings that challenge the FTC’s authority to bring data security complaints under Section 5, as well as a call for increased transparency in the agency’s enforcement process.

REGULATING THE FCC

The Federal Communications Commission has stepped up its privacy enforcement, recently imposing a total of $10 million in fines on two phone companies that the Commission claims did not properly secure their data. And in October, the FCC joined the Global Privacy Enforcement Network, an international association of privacy regulators that collaborates on cross-border enforcement actions. Before October, the FTC was the only US member of the network. Travis LeBlanc, chief of the FCC’s Enforcement Bureau, said that if the FCC is to “detect, disrupt, and dismantle these global privacy assaults, it is critical that we work closely with our international partners abroad, as well as our federal, state, and local partners here at home.” The Commerce Committee may question why two agencies are regulating privacy issues, and whether it is necessary to have two cops on the beat. The Republican takeover of the Congress increases the chances of revisions to the Communications Act, which sets the framework for the FCC’s ability to regulate communications companies. The FCC’s ability to regulate privacy and data security may be an issue as Congress debates new legislation for the agency.

DO-NOT-TRACK – LESS LIKELY

Senator Rockefeller has been among the most vocal proponents of Do Not Track legislation that would enable customers to choose not to have their browsing behavior tracked for online advertising. An online advertising industry consortium has been trying for years to develop voluntary Do Not Track standards, but it has repeatedly reached a standstill. Rockefeller has said that he does not believe that the industry group will ever develop such standards. Without Rockefeller in Congress, it is unclear who will carry the torch for the Do Not Track legislation that he has sponsored. Blumenthal was a co-sponsor of Rockefeller’s Do Not Track legislation, but he does not have Rockefeller’s seniority — or committee chairmanship. And Markey may not want to expand the scope of his ‘Do Not Track Kids’ bill to cover adults, which could make it more difficult to garner support. In hearings on online behavioral advertising, Thune has taken a more moderate approach and focused on specific instances where individuals were harmed by behavioral advertising, rather than focusing on the entire industry. Republican Senator, Dean Heller, of Nebraska, has noted that online advertising “provides many jobs and generates multiple billions of dollars in economic activity.”

MINIMIZATION OF A KEY PRIVACY WATCHDOG?

Because Senate Judiciary Committee member, Al Franken, Democrat – Minnesota, quickly emerged as a leading advocate on consumer privacy issues after his election in 2008, Judiciary Committee Chairman, , created the Subcommittee on Privacy, Technology, and the Law for Franken to chair. Franken used the subcommittee to hold hearings on a wide range of privacy issues, including facial recognition and geo-location. Most recently, Franken asked detailed questions of ride-sharing app Uber after one of its executives discussed tracking journalists who have used its service. “The journalist’s permission had not been requested, and the circumstances of the tracking do not suggest any legitimate business purpose,” Franken wrote. “Indeed, it appears that on prior occasions your company has condoned use of customers’ data for questionable purposes.” It is unclear whether Chuck Grassley, Republican – Iowa, the likely new Judiciary Committee Chairman, will retain this subcommittee.

SCRUTINY OF GOVERNMENT SURVEILLANCE?

Reauthorisation of key provisions that come to an end in June will be a big test of the new leadership’s willingness to rein in government surveillance. Grassley has criticised surveillance in recent years. Tea Party-aligned Republicans on the Judiciary Committee, including Ted Cruz of Texas and Mike Lee of Utah, also have long criticised government surveillance. Bipartisan legislation reauthorising and reforming government surveillance was sponsored by Chairman Leahy and Senator Lee, and companion legislation passed the House in May. The incoming chairman of the Senate Intelligence Committee, , is largely seen as sympathetic to the interests of the intelligence agencies, and has been criticised by civil liberties groups such as the American Civil Liberties Union.


Unlike many commercial privacy issues, which often divide along party lines, legislators often find themselves opposing other members of their same party on government surveillance issues – and working with members of the other party. For instance, Senator Ted Cruz, a leader of the Tea Party wing of the Republican Party, supported legislation that would have ended the National Security Agency’s bulk metadata collection and imposed other reforms to intelligence agencies. It was supported by Leahy and other members of both parties. But Kentucky Republican, Senator Rand Paul, among the leaders of the libertarian movement in Congress, opposed the bill because it would have reauthorised some Patriot Act provisions until 2017.

MODERNISING THE ELECTRONIC COMMUNICATIONS PRIVACY ACT

Government surveillance of email and other electronic communications is governed by a 1986 statute, the Electronic Communications Privacy Act (ECPA). The statute requires law enforcement to obtain a warrant to access electronic communications content that is stored for 180 days or less, but it does not require a warrant for content that is stored for longer than 180 days. Members of both parties recognise that this distinction is outdated, and it is increasingly likely that Congress will pass legislation requiring a warrant regardless of the length of time that the content has been stored. Congress also is considering how to apply ECPA to global data flows. Currently, ECPA imposes the same requirements on accounts that belong to US residents and accounts that belong to people who live in other countries. Congress is considering a bipartisan proposal that allows ECPA to apply to data stored overseas only if that data belongs to an account of a US citizen or permanent resident alien.

IMPROVING FOREIGN RELATIONS

Since Edward Snowden’s disclosures about US government surveillance programs, a number of foreign data protection regulators — particularly in the European Union — have begun to question whether their residents’ data is secure when it is transferred to the United States. For instance, in November 2013, EU regulators released a report highlighting 13 shortcomings of the voluntary US-EU Safe Harbor program. The US Commerce Department has been working closely with EU regulators to address these concerns. During an October 2014 meeting of the Trans-Atlantic Business Dialogue, Ted Dean, US Deputy Assistant Secretary of Commerce, reported that the US and European Union were near an agreement on 11 of the 13 points that the Commission raised in the report. The regulators are having a more difficult time on the final two points, which involve intelligence issues and are outside of the Commerce Department’s scope of authority. Increased restrictions on US government surveillance might ease some of the foreign regulators’ concerns.

NATIONAL DATA SECURITY LEGISLATION?

For a decade, members of Congress have been attempting to pass a national data security and breach notification law that would replace the patchwork of state laws that contain different requirements. During the current Congress, senators introduced six different data security and breach notification bills, prompted in part by high-profile data breaches. The bills vary in scope, requirements, and penalties, and in light of the many years of inaction on the issue, it seems unlikely that members will reach a compromise in the next two years.

CYBERSECURITY PROGRESS BECOMES MORE LIKELY

For about five years, members of Congress also have been attempting to pass legislation that improves cybersecurity infrastructure and allows the private sector to share information about cyber-threats with the government. The White House also has been pushing for comprehensive cybersecurity legislation. Privacy watchdog groups have criticised some of these proposals for providing companies with immunity from liability arising from sharing information with the government. The Republican takeover increases the chances of overcoming opposition to such immunity, making the passing of cybersecurity legislation more likely.

AUTHOR

Jeff Kosseff is an associate in the privacy and data security practice of Covington & Burling LLP in Washington, DC. Before becoming a lawyer, Mr. Kosseff was a reporter for The Oregonian, covering technology and Congress. He was a finalist for the 2007 Pulitzer Prize for national reporting, and a recipient of the 2006 George Polk Award for national reporting. Email: [email protected]
