International and Mobile Privacy Laws In Flux
There is a dire need to update the principles of the European Union Data Protection Directive, privacy regulators said Thursday at the International Association of Privacy Professionals’ Global Privacy Summit in Washington. The evolution of technology in the past two decades has led to greater collections of personal data since the directive was implemented in 1995, experts said. The current review aims to address new issues such as a “right to be forgotten,” enhance international cooperation, database registration, international data transfers and introduce greater accountability provisions, they said.
The revision effort will address some of the problems which have become visible in the last 15 years, said Peter Hustinx, European data protection supervisor. Specifically, the revisions will provide increased data protection safeguards across the board and offer a right to data protection, he said. “The emphasis is making a framework of binding laws to have more effective protections,” said Hustinx: “It is so important to get this right.”
“The right to be forgotten is a particularly important issue,” said Artemi Rallo Lombarte, director of the Spanish Data Protection Authority and vice chairman of the Article 29 Data Protection Working Party. “This year we are expecting more than 250 cases related to the right to be forgotten on the Internet,” he said. “It’s a hot topic and a difficult case.” Spanish privacy agencies are currently working with Internet companies like Google to formulate a new approach to this particular privacy issue, he said.
“On some issues stronger language is absolutely needed,” said Jacob Kohnstamm, chairman of the Article 29 group and president of the Dutch Data Protection Authority. Specifically, lawmakers need to implement greater transparency provisions and ensure that individuals are clearly informed about what data are collected and who collects data, he said. “It cannot be expected that individuals keep track of the collection of their data,” said Kohnstamm. Therefore it should be the responsibility of data collectors to ensure that individuals are clearly notified of their data collection procedures, he said. Furthermore, there is a need for a uniform application of a legal framework for national laws in the European Union and a strengthening of the enforcement ability of current EU data protection authorities, he said. “Increasing accountability should make it easier for data subjects and data protection authorities to enforce,” said Kohnstamm.
European policy makers are keeping a close eye on the FTC’s consideration of do-not-track regulation, said Kohnstamm. “The FTC’s do-not-track mechanism is a very good idea, we like it very much,” he said. “We believe that a user has the right to say ‘yes I want to use the data in this way.’ Why not leave the decision primarily to the data subject?” Other regulators argued that implementing default do-not-track mechanisms could erode consumers’ ability to express choice concerning targeted advertisements. “Do-not-track is only acceptable when there is express consent,” said Hustinx. “Opting out is not consent.” Instead browsers should implement a privacy “wizard” that provides consumers with the ability to voluntarily consent to their privacy settings.
The State of Mobile Marketing Laws
The legal landscape concerning mobile marketing remains thorny as lawmakers struggle to keep pace with the industry’s rapid evolution, privacy experts said on another panel. Mobile advertisers must be aware of the overlapping network of federal and state laws to prevent expensive and crippling litigation, they said. “Our phones are an extension of our person, therefore the feeling of invasion is heightened,” said Joanne McNabb, chief of the California Office of Privacy Protection, and a member of the Department of Homeland Security Data Privacy and Integrity Advisory Committee.
Current federal mobile marketing laws make a distinction between computer to phone marketing and phone to phone marketing, the experts said. Computer to phone concerns are subject to the CAN-SPAM Act while phone to phone concerns are considered under the Telephone Consumer Protection Act (TCPA). But the jurisdiction of those laws may overlap in certain instances such as the case of Joffe v. Acacia Mortgage Corp., where the Arizona Court of Appeals determined that wireless messages sent via computer were also subject to TCPA rules. Further complicating things, state laws concerning mobile marketing are diverse and constantly evolving, the experts said.
Particularly strict child protection laws exist in states like Michigan and Utah and mobile marketing firms must use extra caution to avoid potentially costly regional laws, the experts said. There is a heightened level of scrutiny because there are so many children using mobile phones and big safety concerns remain due to unresolved age verification issues in the mobile world, said McNabb. “I find it troubling that you have games that target children where there are costs that can be incurred,” said Lois Greisman, associate director at the division of marketing practices in the FTC Bureau of Consumer Protection. “Maybe parents think that when they provide a mobile app for kids that they may incur some costs, but when those costs are in excess of $100, $500 or $1,000 it raises the level of concern,” she said.
Laws concerning Twitter advertisements fundamentally differ from text message ads because they require Twitter followers to opt in and receive messages, said Scott Delacourt, a former FCC deputy bureau chief and current partner at Wiley Rein. Creating privacy disclosures and acquiring consent via text messages, on the other hand, is much more difficult, he said. Looking forward, the experts said that there will be an increased interest in location-based marketing because it is more valuable information to the advertising industry. But the laws concerning GPS, remote tracking and geotagging applications are currently evolving, and states like California are currently considering new governance rules, the experts said. -- Bryce Baschuk
Global Privacy Summit Notebook
Privacy-by-design, transparency and more consumer choice are points of convergence between privacy frameworks in the European Union and the U.S., privacy regulators said at the conference. While comparing responses to an EU paper on modernizing data protection, “I was struck by how similar many of the themes were in our comments,” said FTC Chairman Jon Leibowitz. He also said he “was heartened by the convergence of privacy protection between the two regimes.” The commission is reviewing nearly 450 comments in response to its privacy proposal report. The FTC received comments from privacy regulators in the U.K. and France, he said. “It seems to me we are moving to some extent towards convergence.” In the FTC report, there’s a “clear recognition that the status quo in the U.S. is not satisfactory,” said Peter Hustinx, European data protection supervisor. “Self-regulation does not deliver enough,” he said. The FTC report identifies certain principles that should be applicable from the very start, he said. Principles are nice, “but you need to have something robust,” he said. “Part of the accountability and responsibility should be that organizations demonstrate that they have done this … in the beginning.” “One of the things that’s very clear in our report is we’ve moved beyond the harm-based model,” and “we’re really looking to establish base-line principles,” Leibowitz said. In the area of privacy, “self-regulation is at a very critical point in the United States,” he said. “If companies don’t do a better job of protecting consumer privacy, then I think what they will face is much more prescriptive regulations from Congress.” Privacy is a very bipartisan issue, he added. -- KL
--
Alberta is one of four jurisdictions that have private sector privacy legislation in Canada, Alberta’s Information and Privacy Commissioner Frank Work said during a panel of Canadian regulators at the conference. In the U.S., breach notification “takes the form of setting a standard and then the organization suffering the loss … is required to notify affected employees and customers,” he said. In Alberta, “I wanted the notification to be mandatory to the commissioner.” People don’t know what to do with a breach notification when they get it, “or they regard it as spam,” he said. The commissioner could “exact information from the organization as to what happened and who it might have affected,” he said. At hospitals, anyone who is a healthcare provider has access to the computer systems and should, said Ann Cavoukian, Information and Privacy Commissioner in Ontario. But “it makes unauthorized access much easier,” she said. “That’s the dilemma.” Her office is concerned about “not hampering the delivery of healthcare services while finding a way to change from this very loose system of access to anyone,” Cavoukian said. Some of the work that is done outside Canada and in the U.S. “is asking the hugely relevant question of ‘how do companies demonstrate accountability?’” Canada Privacy Commissioner Jennifer Stoddart said. That’s what the Canadian law is being criticized for, she said. “Consumers and citizens really don’t understand what you’re doing with their personal information.” The commissioner’s office is addressing what corporations have to do to demonstrate accountability, she said.