Is our U.S. company subject to GDPR? New guidance on territorial scope from EDPB

By Jennifer Ruehr and Susan Lyon-Hintze


Non-EU organizations that process personal data as data controllers or processors frequently ask whether they are subject to the General Data Protection Regulation (“GDPR”). The answer depends in part on the “territorial scope” provisions in Article 3 of the GDPR. Organizations fall under the territorial scope of the GDPR when they meet one of two main criteria: the “establishment” criterion under Article 3(1) or the “targeting” criterion under Article 3(2).[1]

On November 16, 2018, the European Data Protection Board (“EDPB”) released “Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)-Version for public consultation.” These guidelines provide interpretation and clarification of the Article 3 criteria that can help organizations understand and evaluate how the GDPR applies to their data processing. 

Establishment

As part of determining if its activities fall under the GDPR’s territorial scope, an organization must ascertain whether personal data is processed “in the context of the activities of an establishment of a controller or processor in the Union” under Article 3(1). The EDPB notes that processing may be in the context of an establishment’s activities whether the processing takes place in the EU or not. Article 3(1) may apply to either controllers or processors having an establishment in the EU and each should be considered separately.

Establishment through “Stable Arrangements”

GDPR’s Recital 22 states that “establishment implies the effective and real exercise of activities through stable arrangements.” The EDPB guidance explains that a “stable arrangements” determination is contextual. The arrangement and activities must be “considered in light of the specific nature of the economic activities and provision of services concerned.” The EDPB adds that the threshold for a “stable arrangement” can be “quite low when the centre of activities of a controller concerns the provision of services online,” although it clarifies that maintaining a website accessible in the Union is not on its own enough to create a stable arrangement. For example, the EDPB describes a U.S.-headquartered company with a branch office in the EU that oversees all the company’s European operations, including marketing and sales, as a “stable arrangement.” The EDPB also states, “…in some circumstances, the presence of one single employee or agent of the non-EU entity may be sufficient to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability.”

Establishment through “Inextricably Linked Activities”

The EDPB also clarifies that an organization located outside the EU and processing personal data outside the EU may still be subject to the GDPR through a relationship with a local establishment in the EU, even if the local establishment does not participate in any data processing. So long as the local establishment in the EU and the data processing of a data controller or processor outside the EU are “inextricably linked,” the non-EU entity may be considered established in the EU.

As an example of what may be considered “inextricably linked,” the EDPB describes sales and marketing activities of a local establishment aimed at an EU market tied to data processing by a related establishment outside the EU. 

The EDPB also clarifies that if a related establishment in the EU processes personal data of any data subject, regardless of the location or nationality of the data subject, the processing will be subject to the GDPR.

Hiring of EU Vendors by Non-EU Organizations

If a non-EU organization that is not itself an “establishment” (or “targeting” EU data subjects under Article 3(2) as summarized below) employs processors established in the EU, that organization does not subject itself to the territorial scope of the GDPR by merely hiring a vendor with an establishment in the EU. 

According to the EDPB, that EU-established processor will be within the GDPR’s territorial scope under Article 3(1) with respect to its activities as a processor.  Thus, the non-EU organization hiring the vendor must consider the vendor’s obligations as a processor to comply with the GDPR requirements applicable to processors, including certain Article 28 contract requirements, and whether those obligations align with its business objectives. While an EU-established processor is required to act under a contract that meets the requirements of Article 28, the processor need not agree to assist with the controller’s GDPR obligations where no such GDPR obligations exist for the controller.

A non-EU-established controller should also consider that an EU-established processor must abide by applicable GDPR provisions when processing personal data of any data subject regardless of where the data subjects reside or are located. For example, if a U.S. controller hires an EU-established processor to process data of U.S. data subjects, the EU-established processor will be required to comply with the GDPR with respect to that processing.

Targeting

An organization not established in the EU under Article 3(1), may still be subject to the GDPR if it is targeting EU data subjects under Article 3(2). The territorial scope of the GDPR also applies to controllers or processors “not established in the Union, where the processing activities are related to (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.” 

Data Subjects in the Union

The territorial scope provisions of Article 3(2) are more narrowly scoped than in Article 3(1).  Article 3(1) applies to personal data processing relating to any natural person regardless of their nationality or place of residence if the organization meets the establishment criteria.  The scope of Article 3(2) is limited to “data subjects in the Union.” The EDPB explains that determining whether an individual is a “data subject in the Union” “must be assessed at the moment when the relevant trigger activity takes place, i.e. at the moment of offering goods or services or the moment when the behavior is being monitored…” As an example, if an organization not established in the EU offers a good or service that collects the approximate or precise location of individuals in order to target services to data subjects located in the EU, the organization would be subject to the GDPR.

Offering of Goods or Services

The EDPB details when an organization offers a good or service triggering application of Article 3(2). Offering services includes an information society service, which the EDPB defines by reference to the definition from the now-replaced 1995 EU Data Protection Directive: “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” The EDPB also clarifies that organizations may trigger Article 3(2) regardless of whether goods or services offered are paid for or not. Citing Recital 23 of the GDPR, EDPB explains that to determine whether goods or services are directed to individuals in the Union, “it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.”

The EDPB considers both the language of the GDPR and prior CJEU holdings to articulate several factors to consider when determining whether an organization is directing goods or services to data subjects in the Union. For example, the ability to access a controller’s or processor’s website or contact information from within the Union, or the use of a particular language, is not sufficient on its own to constitute targeting. Additional factors to consider are whether an organization:

  • uses a language generally used in one or more Member States;

  • pays a search engine to facilitate access to its site by EU consumers;

  • enables goods or services to be ordered in an EU currency;

  • conducts marketing and advertisement campaigns aimed at an EU audience;

  • engages in activity of an international nature, such as certain tourist activities;

  • mentions dedicated addresses or phone numbers reachable from an EU country;

  • uses top-level domain names associated with the EU such as “.de”, or “.eu”;

  • mentions international customers domiciled in the EU, such as reviews or endorsements written by such customers.

The EDPB notes that some of these factors by themselves, such as using an EU language on a website, may not constitute targeting, but in combination with others could lead to a conclusion of targeting.

The EDPB also clarifies that human resources management does not constitute an offer of goods or services under Article 3(2)(a) (although the presence of EU employees could be an establishment under Article 3(1)).

Monitoring Data Subject’s Behavior

If the non-EU organization is neither established in the EU under Article 3(1), nor offering goods or services directed to data subjects in the Union under Article 3(2)(a), it may still be subject to the GDPR under Article 3(2)(b) if its processing activities are related to the monitoring of a data subject’s behavior. The EDPB explains that to trigger the GDPR, “the behavior monitored must first relate to a data subject in the Union” and the “monitored behaviour must take place within the territory of the Union.” For example, if a non-EU controller develops an application or service that monitors the movements of data subjects in the EU to improve traffic patterns in a certain area, the non-EU controller is subject to the GDPR.

The EDPB also describes the factors that would be considered to determine what constitutes monitoring activities. When analyzing the processing activity to determine if it is a monitoring activity, the EDPB states that “it will be necessary to consider the controller’s purpose for processing the data, and in particular, any subsequent behavioural analysis or profiling techniques involving data.” The EDPB also clarifies that it does not “consider that any online collection or analysis of personal data of individuals” is monitoring by default. Monitoring “implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data about an individual’s behaviour within the EU.”

The EDPB cites as an example behavioral monitoring as described in Recital 24 of the GDPR which involves tracking natural persons on the internet including: “a potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analyzing or predicting his or her personal preferences, behaviors, and attitudes.” 

The EDPB provides other concrete examples of activities that could be monitoring activities subjecting a non-EU organization to the GDPR under Article 3(2)(b) including:

  • Behavioral advertising;

  • Other online tracking through the use of cookies or other tracking techniques, such as fingerprinting;

  • Geo-localization activities, in particular for marketing purposes;

  • Market surveys and other behavioral studies based on individual profiles;

  • Personalized diet and health analytics services online; and

  • Use of CCTV.

Conclusion

Non-EU organizations must consider a number of factors to determine whether they are subject to the GDPR’s territorial scope. They must consider whether they have met the criterion through an “establishment” in the EU or by offering goods or services or monitoring behavior of data subjects in the EU.

Non-EU organizations, especially those that wish to avoid application of the GDPR, will benefit from analyzing how, where, and for what purpose they collect, use, transfer, and store personal data as well as how they have set up the location and data processing related activities of their establishments and related entities in light of the EDPB guidance. For example, a company that conducts online tracking through third parties might consider whether those third parties use data for profiling and whether they implement geo-blocking of EU territories. This analysis can help an organization understand their obligations under the GDPR and be the basis for strategies around processing and activity changes that could help minimize the territorial scope of the GDPR to certain data processing.

The EDPB is accepting comments on these Guidelines through 18 January 2019.


[1] Under Article 3(3) the GDPR may also apply where Member State law applies by virtue of public international law.

Jennifer Ruehr joins Hintze Law PLLC


We are pleased to announce Jennifer Ruehr has joined the Hintze Law team! In her role as Senior Associate, Jennifer will be advising technology clients on global privacy, security, and related data technology and transactional matters.

Prior to joining Hintze Law, Jennifer spent 5 years as Legal Counsel, Privacy and Security, for Adobe Systems Incorporated, providing guidance on global data protection compliance and strategy. While at Adobe, Jennifer counseled clients on vendor risk management, global data processing and transfer requirements, data breach response and notification, direct marketing (email, SMS, and telemarketing) laws, HIPAA compliance, automated processing and profiling issues, and global employee privacy issues. Prior to joining Adobe’s privacy team, Jennifer supported and advised Adobe’s products and services teams on data compliance and strategy during product development and in connection with marketing and technology licenses.

Jennifer is a member of the International Association of Privacy Professionals (IAPP) and a Certified Information Privacy Professional – United States (CIPP/US).

Hintze Law PLLC exclusively provides global data protection counseling for technology, ecommerce, advertising, media, and mobile companies and organizations. More information about the firm is available at HintzeLaw.com.

Jared Friend named Associate to Watch in Chambers 2018 rankings


We are thrilled to report that Jared Friend, Senior Associate at Hintze Law, has been recognized in the Chambers USA 2018 lawyer ranking.  Notably, Jared is included as one of only two “Associates to Watch” in the Privacy & Data Security category nationwide. 

Jared works exclusively on complex issues at the intersection of emerging technology, privacy, and data security. They advise internet, mobile, gaming, and technology companies on a variety of U.S. and international privacy, data security, and related technology transactions.

Prior to joining Hintze Law in 2015, Jared was the Director of the Technology and Liberty Program at the ACLU of Washington, where they were responsible for driving policy work at the intersection of free speech, privacy, and developing technology through legislative development, litigation, and education. Jared currently serves on the Board of Directors of the ACLU of Washington.

Jared was previously an associate at Cooley LLP in the Technology Transactions Group, where they advised start-ups and public companies alike on technology licensing and privacy issues. Prior to law school, Jared worked for internet companies in product development and test engineer roles.

The prestigious Chambers listing is based on detailed research and interviews with attorneys and clients.  One client is quoted as remarking that “Jared’s maturity and ability to manage matters far exceeded his years of experience. Not only did Jared show the necessary command of the law, but he was able to translate legal and technical issues.” The Chambers profile of Jared can be seen at https://www.chambersandpartners.com/USA/person/25785434/jared-friend

J.D. Fugate joins Hintze Law PLLC


We are pleased to announce that we have a new member of the Hintze Law team. J.D. Fugate joined the firm on March 1, 2018, as Of Counsel.

J.D. Fugate has been a trusted legal adviser to tech and e-commerce clients for 25 years, including 16 years in-house with Microsoft, most recently as an Assistant General Counsel for Regulatory Affairs, providing specialized privacy guidance. In addition to negotiating and writing agreements covering a broad spectrum of business needs for different business units, including Windows marketing, source code sharing, hardware quality, and strategic silicon partners, he provided specialized regulatory guidance to the Microsoft Health Solutions Group for HIPAA and FDA compliance.

J.D. served as law clerk for Chief Judge Gilbert S. Merritt III on the Sixth U.S. Circuit Court of Appeals, then began his Seattle legal career at Preston Gates and Ellis (now K&L Gates). After 16 years at Microsoft, he continued his technology transaction practice at Gonzalez Saggio & Harlan, and Peregrine Law Group.

Hintze Law PLLC exclusively provides global data protection counseling for technology, ecommerce, advertising, media, and mobile companies and organizations. More information about the firm is available at HintzeLaw.com.

FTC Issues Enforcement Policy Statement on COPPA and Voice Recordings

By Smriti Chandrashekar

On October 23, 2017, the U.S. Federal Trade Commission (“FTC”) issued guidance on the online collection of certain audio voice recordings from children under the age of 13.  The guidance, in the form of an “enforcement policy statement” discusses the application of the Children’s Online Privacy Protection Act (“COPPA”) to such recordings. 

In 2013, the FTC amended the COPPA Rule to expand the definition of “personal information” to include, a photograph, video, or audio file that contains a child’s image or voice. The latest guidance provides a path to avoid enforcement of the COPPA Rule for online services that collect audio files containing a child’s voice and convert such audio files to text for the performance of a specific instruction or request.

COPPA requires operators of websites or online services directed at children or that have actual knowledge that a user is a child to obtain verifiable parental consent before collection of a voice recording. While confirming that the COPPA Rule is triggered by such activities, the FTC in its analysis notes that these voice-enabled features may be essential for children with disabilities and for children who have not yet learned to write. The FTC also concludes that these audio files when processed in accordance with FTC guidance, pose little risk to identifying and contacting an individual child. 

Based on these potential benefits and the low risk to children, the FTC outlines a safe harbor that would protect operators against an enforcement action for not obtaining parental consent before collecting an audio file with a child’s voice. The FTC will not take an action to enforce COPPA when operators take the following actions:

  a. collect audio files with children’s voice recordings solely to replace written words, for example to perform a search or fulfill a verbal instruction or request;

  b. not use such audio files for purposes beyond performing that instruction or request (e.g., behavioral targeting or profiling, identification through voice recognition, or posting, selling, or otherwise sharing the file with third parties);

  c. maintain such audio files only for the limited time necessary to perform that instruction or request and then immediately delete such files; and

  d. provide a clear notice in the privacy policy disclosing the collection and use of audio files containing voice recordings and the operator’s policy for deleting such audio files.

The FTC made it clear that this enforcement exception policy does not affect the need for operators to provide notice and obtain verifiable parental consent where other personal information is collected from children in addition to, or in connection with, audio files, for example where an operator requests through such audio files information that would otherwise be considered “personal information,” such as the name of the child.

The Commission issued this policy statement after receiving inquiries from numerous companies about whether such practices of collecting audio files that contain a child’s voice recording trigger COPPA’s requirements. Popular voice-controlled intelligent personal assistant services, such as Amazon Echo and Microsoft’s Cortana, will likely benefit from this exception. The Commission voted 2-0 to approve the new policy statement. The FTC’s press release is available here.

FTC updates COPPA Compliance Plan for Businesses

By Carolyn Krol

On June 21, 2017, the U.S. Federal Trade Commission (“FTC”) published an update to the Children’s Online Privacy Protection Rule (“COPPA”) compliance plan for businesses. The FTC Business Blog describes the update as a reflection of the developments in the marketplace, such as internet-connected toys. The compliance plan provides businesses with a step-by-step guide to determine if a business activity is covered by COPPA, and if so, how to comply with COPPA.

There are three major updates to the compliance plan, regarding:

  • new business models,
  • new products covered by COPPA, and
  • new methods for getting parental consent.

The updated compliance plan considers new business models in its revisions which may affect COPPA obligations. In publishing this update, the FTC acknowledges companies have new ways of collecting data (e.g., voice-activated devices that collect personal information). As such, businesses should keep COPPA compliance in mind if they are implementing new ways to collect personal information.

COPPA applies to businesses with a website or online service that is directed to children under 13 and collects personal information from them. The updated compliance plan clarifies that the meaning of “website or online service” may include internet-enabled location-based services, voice-over internet protocol (VOIP) services, and connected toys or other Internet of Things devices. If they have not done so already, businesses providing location-based services or VOIP services, or that are in the connected toy or Internet of Things space, should evaluate whether their products or services could trigger COPPA obligations.

Subject to a few exceptions, COPPA requires that businesses obtain parents’ verifiable consent before collecting, using, or disclosing personal information from a child. The compliance plan discusses acceptable methods for obtaining verifiable parental consent. The updated compliance plan lists two new acceptable methods. First, parents now may provide consent by answering a series of knowledge-based challenge questions that would be difficult for someone other than the parent to answer. Second, parents may now submit a picture of a driver’s license or other photo ID and then compare that photo to a second photo submitted by the parent, using facial recognition technology.

In addition to reviewing the updated compliance plan, the FTC recommends reviewing the COPPA Frequently Asked Questions.


How to Draft a Privacy Statement

A chapter by Hintze Law partner Mike Hintze, entitled "Privacy Statements: Purposes, Requirements, and Best Practices" will be included in the forthcoming Cambridge Handbook of Consumer Privacy, edited by Jules Polonetsky, Evan Selinger & Omer Tene, Cambridge University Press (2017).

The chapter explains that while drafting a privacy statement may be considered by some to be one of the most basic tasks of a privacy professional, doing it well is no simple matter. One must understand and reconcile a host of statutory and self-regulatory obligations. One must consider different audiences that may read the statement from different perspectives. One must balance pressures to make the statement simple and readable against pressures to make it comprehensive and detailed. A mistake can form the basis for an FTC deception claim. And individual pieces can be taken out of context and spun into PR debacles.

The chapter then goes on to explore the art of crafting a privacy statement. It explains the multiple purposes of a privacy statement. It lists and discusses the many elements included in a privacy statement – some required by law, and others based on an organization’s objectives. Finally, it describes different approaches to drafting privacy statements and suggests best practices based on a more complete understanding of a privacy statement’s purposes and audiences.

The pre-publication of the chapter can now be downloaded at https://ssrn.com/abstract=2927105.


The FTC’s Smart TV Workshop

By Mike Hintze

On Wednesday, December 7, 2016, the Federal Trade Commission held a Smart TV workshop, as part of its Fall Technology Series.

The event began with opening remarks from Jessica Rich, Director of the FTC's Bureau of Consumer Protection.  Rich described how the changes from traditional broadcast television to the use of more streaming services and smart devices have resulted in more data being collected about TV viewing.  And while the tracking of TV viewing behavior can result in better functionality, better measurement, and better ad revenue, there are significant privacy concerns. 

TV viewing data can reveal sensitive information about a person. Recognizing the sensitivity of the data, Congress acted twice in the 1980s to protect the privacy of the video programming people watch -- enacting the privacy provisions of the Cable Communications Policy Act of 1984 and the Video Privacy Protection Act (VPPA) of 1988. Rich also noted that the different histories of televisions and PCs have created different consumer expectations regarding privacy and data collection. Finally, she concluded by noting that, as in other areas, the role of the FTC with regard to Smart TV will be to highlight privacy and consumer protection issues and to bring enforcement actions for unfair and deceptive acts.

Next, the FTC's Justin Brookman (Policy Director, Office of Technology Research and Investigation) and Ian Klein, a graduate student at Stevens Institute of Technology who interned with the FTC during the summer of 2016, gave an overview of the Smart TV ecosystem.  They based their presentation in part on laboratory testing they conducted of disclosures, controls, and data coming off of smart entertainment devices, along with some speculation of what data collection, use, and sharing might be happening or could happen.   

Areas of particular concern and focus of this overview were:

  • The use of "automatic content recognition" -- a method by which snapshots of the content displayed on the device are sent to the manufacturer or another party in order to determine what content is being viewed;
  • Collection of audio or video from the home environment through microphones or cameras embedded in the entertainment devices;
  • Cross-device tracking;
  • Combining viewing behavior data with other sources of data (purchase data, geolocation, demographics, etc.);
  • Device security -- a lack of which could lead to attacks on the device itself, on other devices on the same local network, or on others through the use of a compromised device in a distributed denial-of-service attack; and
  • User controls, with their research finding some controls for data collection by the device manufacturer, but few or no platform-level controls for app data collection or third party data sharing. 

The first of two panels, entitled "New Frontier in Media Measurement and Targeting," consisted of industry representatives and was moderated by FTC attorney Kevin Moriarty.  The panel discussed the benefits of data collection in the Smart TV context, including better and more personalized content discovery and recommendation, enabling more "second screen" experiences, and more relevant (and potentially fewer) ads.  

There was general agreement that with the fragmentation of media, traditional "Nielsen-like" sampling methods are no longer sufficient to measure viewing behavior, and there is a need to collect more complete "census" data from entertainment devices. But Josh Chasin, Chief Research Officer for comScore, also noted that collecting lots of data is not the objective -- and that "good data" is more important than "big data."

While there was an acknowledgement that the data collection and use necessary for the provision of these new and useful services raises legitimate privacy concerns, members of the panel argued for a reliance on industry self-regulation. Jane Clarke, CEO of the Coalition for Innovative Media Measurement, stated that companies in this space do a good job of keeping PII and non-PII separate, and of using only non-PII for analytics and measurement. Ashwin Navin, CEO of Samba TV (a provider of media measurement software and services), noted that his company requires TV manufacturers that include its measurement software to provide users with notice and an ability to turn off the data collection.

Shaq Katikala from the Network Advertising Initiative (NAI) noted that today's Smart TV environment involves the convergence of three distinct groups of companies:  cable providers, app and software platform companies, and TV manufacturers -- and each comes with very different histories and experiences with regard to regulation.  Thus, there is a strong appetite for self-regulation to help bridge the gaps and inconsistencies. 

Nevertheless, there are still challenges with respect to getting it right in the Smart TV ecosystem.  There are still no accepted or standard ways to provide notice and choice on a smart entertainment device, and there are unique challenges because of differing platforms and a lack of easily clickable links on most TV interfaces.  According to one panelist, the manufacturers have little or no bargaining power over the data collection by the "top-tier apps" that manufacturers feel they must have on their devices.  Thus, the top-tier apps dictate what data is collected and how it is used, and the TV manufacturer has little insight or ability to influence that.

The second panel, entitled "Consumer Understanding and Regulatory Framework," was moderated by FTC attorney Megan Cox and included representatives from industry, advocacy organizations, and academia. It began with Serge Egelman from the Berkeley Laboratory for Usable and Experimental Security (BLUES) presenting the results of survey research he conducted on consumer views on data collection and sharing, and their expectations with regard to Smart TVs. He concluded that people often perceive that data collected on Smart TVs (such as for voice recognition) doesn't leave the device, that data is not used for secondary purposes, and that there are legal protections against sharing (and that there is a strong correlation between those people who believe there are legal protections against data sharing and those who believe data is not used for other purposes). Egelman also found a level of cynicism among respondents, with some expressing a view that companies find ways around legal protections to the extent they exist.

Most of the panelists concurred that there is a lack of transparency and understanding with respect to what data is collected and shared, by whom, for what purposes, and what controls are available.  Claire Gartland from the Electronic Privacy Information Center (EPIC) noted that there is a complex ecosystem with many actors that are not known or understood by consumers - and that privacy policies do a poor job of explaining this.  Dallas Harris from Public Knowledge echoed this, and added that consumers feel powerless to control how data is collected and shared.  Maria Rerecich from Consumer Reports noted that user controls, when available, are often buried deep in menus and are not well explained. 

The panelists discussed what existing laws will apply to the Smart TV environment.  The VPPA, Cable Act, and the Children’s Online Privacy Protection Act (COPPA) may all play a role, but panelists suggested that unclear and incomplete application of those laws to this new and emerging area results in inadequate protections. 

Emmett O'Keefe from the DMA cautioned against taking steps that could interfere with the ability to provide new television services that consumers want and enjoy.  He suggested that many of these services are similar or identical to services that have been available on laptops, tablets, and smartphones for several years, and that the fact that they are now being offered through a larger screen does not require a new or different approach to regulation.  O’Keefe also noted the DMA would be releasing a white paper on the Smart TV ecosystem (which is now available here).

There was a lively debate among the panelists on the effectiveness of self-regulation in protecting consumer privacy -- with O'Keefe referring to self-regulation of privacy in online advertising as "the gold standard" and Egelman calling it "an abject failure." Finally, Rerecich stated that Consumer Reports will begin including privacy and security ratings in its product reviews. She agreed that consumers want these new features, and the ratings will help them make informed decisions based on an understanding of the data collected and the privacy protections offered. 


De-Identification and the GDPR

Next Tuesday, November 8, 2016, Hintze Law partner Mike Hintze will present his new paper, "Viewing the GDPR Through a De-Identification Lens: A Tool for Clarification and Compliance," at the Brussels Privacy Symposium.  The key argument is that if European regulators acknowledge that there is a full spectrum of de-identification techniques, and develop guidance under the General Data Protection Regulation (GDPR) based on that recognition, they can:

  • provide greater clarity in areas of the GDPR that remain opaque;
  • enable organizations to adopt pragmatic compliance tools and strategies;
  • create greater incentives for companies to adopt the strongest de-identification that is compatible with the purposes of the data processing (thus achieving the optimal balance between data protection and data utility); and
  • advance the objectives of the GDPR by enhancing the protection of individuals’ personal data.   

You can access a pre-publication version of the paper here.


Hintze Law Welcomes Mike Hintze as Partner

October 11, 2016.  Hintze Law is pleased to announce that Mike Hintze has joined the firm as partner. Mike joins Hintze Law after serving as Chief Privacy Counsel at Microsoft, where, for over 18 years, he advised on data protection compliance globally and helped lead the company’s strategic initiatives on privacy differentiation and public policy.  Mike joins Susan Lyon-Hintze, partner and founder of Hintze Law, in leadership of the firm. His practice focuses on global privacy and data protection compliance, policy, and strategy.

Publicly Available Privacy and Security Resources

If you are a startup or just a privacy or security officer with a lean budget, please check out our list of publicly available privacy and security resources.  

We update this from time to time for presentations we give to companies just starting to build their privacy and security programs and always welcome input on any "free" resources you find helpful.  

Publicly Available Privacy and Data Security Resources 

The following is a list of publicly available resources, most at no cost, which privacy professionals may find helpful in obtaining information and tools for developing their privacy and data security programs.
Privacy General

International Association of Privacy Professionals ("IAPP") Resources

https://www.privacyassociation.org/

Privacy links, job listings, and links to all of the world's data protection authority websites.

Microsoft: Privacy

http://www.microsoft.com/privacy/           

Collection of FAQs and white papers prepared by Microsoft pertaining to user privacy protection, data governance, ad-serving, EU privacy compliance, and more.

Cooley Privacy Policy Generator

http://generator.cooley.com/sites/privacy/Privacy/PQ2/Pre-PRIVACY-Start.aspx

Generally Accepted Privacy Principles ("GAPP")

http://www.aicpa.org/InterestAreas/InformationTechnology/Resources/Privacy/GenerallyAcceptedPrivacyPrinciples/Pages/default.aspx            

Principles for designing and implementing privacy practices and policies from the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants.

TRUSTe Resources

www.truste.com/resources

Surveys, whitepapers, guidance, including a behavioral targeting checklist, security guidelines etc.

BrightTALK

http://www.brighttalk.com/ 

Privacy and security webcasts available with registration.

Privacy International

https://www.privacyinternational.org/       

Country by country summaries of data protection laws and privacy rights.

National Conference of State Legislatures: Privacy & Security

http://www.ncsl.org/Default.aspx?TabID=756&tabs=951,71,539#951

Charts of state privacy and security laws. Also includes articles, briefs, and newsletters discussing state regulation of privacy and security issues.

Organisation for Economic Co-Operation and Development: Information Security and Privacy

www.oecd.org/sti/security-privacy              

Homepage for OECD working party on Information Security and Privacy.

Privacy Exchange: Legal Library

http://www.privacyexchange.org/legal/index.html

Index of privacy laws from around the world with links to statutory texts.

Nymity

http://www.nymity.com/Free_Privacy_Resources/Latest_Privacy_Studies.aspx?sort=RefPercent&order=d

Newsletter, privacy interviews, privacy breach analysis, links to privacy studies.

DataGuidance.com

http://www.dataguidance.com/index.asp

Paid subscription service offering database of privacy compliance information. 

The Data Governance Institute

http://datagovernance.com/index.html

Free data governance program documents, processes, templates and tools.

The Ponemon Institute

http://www.ponemon.org

Source of independent research on privacy, data protection and information security policy.


Privacy – U.S. 

Federal Trade Commission: Privacy Initiatives

http://www.ftc.gov/privacy/index.html

Information on the FTC's privacy initiatives: unfairness and deception, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Children's Online Privacy Protection Act.

FCC Proposed Broadband Consumer Privacy Rules

https://www.fcc.gov/document/fcc-proposes-broadband-consumer-privacy-rules

Proposed privacy guidelines for broadband Internet Service Providers (ISPs)

FCC Customer Proprietary Network Information (CPNI) Small Business Compliance Guide

https://apps.fcc.gov/edocs_public/attachmatch/DA-08-1321A1.pdf

Privacy guidance for small entity telecommunications carriers and VOIP service providers

California Office of Privacy Protection

http://www.privacy.ca.gov/          

Guidance on California privacy laws, general privacy links, and links to other privacy laws.  

Privacy – Rest of the World

European Commission Data Protection Site

http://ec.europa.eu/justice/data-protection/index_en.htm

  • General Data Protection Regulation (GDPR)

http://ec.europa.eu/justice/data-protection/reform/index_en.htm

Data Transfers from Europe

  • EU Model Contracts for Transfer of Personal Data to Third Countries

http://ec.europa.eu/justice/data-protection/document/international-transfers/transfer/index_en.htm

  • EU – U.S. Privacy Shield

https://www.privacyshield.gov/

UK Information Commissioner's Office

http://www.ico.gov.uk/

http://www.ico.gov.uk/upload/documents/pia_handbook_html_v2/html/0-advice.html

Resources include handbook for conducting Privacy Impact Assessments.  

Australian Government Office of the Privacy Commissioner

http://www.privacy.gov.au/

Information sheets, privacy impact assessment guide, personal information security breach guide.

Canadian Office of the Privacy Commissioner

http://www.priv.gc.ca/index_e.cfm             

Reports, publications, guidelines, research, tools, videos, privacy illustrations, privacy impact assessments.

Privacy in Product Development / Privacy by Design

Privacy by Design (Ontario Information and Privacy Commissioner)

http://www.privacybydesign.ca/

Publications and resources on the concept of Privacy by Design 

Microsoft’s Privacy Guidelines for Developing Software Products and Services

http://www.microsoft.com/en-us/download/details.aspx?id=16048

Data Security

Protecting Personal Information: A Guide for Business

http://www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html

FTC guide for implementing data security principles, with public domain security training materials. 

Fighting Fraud with the Red Flag Rules: the FTC's How-to Guide for Businesses

www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml

Guide for organizations that are building Identity Theft Prevention programs with compliance tips, information about the Rule's applicability, and a guided four-step process.

National Institute of Standards and Technology: Computer Security Resource Center

http://www.nist.gov/itl/csd/index.cfm        

Provides a range of information technology security standards and guidelines.

PCI DSS: Standards, Self-Assessment, and Compliance

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Website for payment card industry standards, guidelines, and compliance tips.

Secure Coding

Microsoft’s Security Development Lifecycle ("SDL")

http://www.microsoft.com/security/sdl/default.aspx

Secure coding guidelines developed by Microsoft but generally applicable to all platforms.

Microsoft’s Security Development Lifecycle ("SDL") training

https://www.microsoft.com/en-us/SDL/process/training.aspx

PowerPoint training modules that cover secure design, implementation, and verification.

OWASP

https://www.owasp.org/index.php/Main_Page

Free security trainings on a variety of technology or process-specific topics including mobile security.  

Android Security Guidelines

https://developer.android.com/training/best-security.html

Google’s security best practices for developing on the Android platform.

iOS Security Coding Guidelines

https://developer.apple.com/library/ios/

Apple’s secure coding practices guidelines. 

Data Breach Response

National Conference of State Legislatures: State Data Breach Laws

http://www.ncsl.org/Default.aspx?TabID=756&tabs=951,71,539#951

Charts of state security breach notification laws.

DataLossDB – Primary Source Archive of Data Breach Notification Letters

http://datalossdb.org/primary_sources

Searchable archive of breach notification letters submitted to various U.S. jurisdictions.

Massachusetts: Sample Letter for Notifying State Attorney General About a Breach

http://www.mass.gov/ago/docs/consumer/93h-sampleletter-ago.pdf   

Vermont: Security Breach Guidance and Sample Notification Letter

http://www.atg.state.vt.us/assets/files/2009-7-29%20Security%20Breach%20Guidance.pdf 

Privacy Rights Clearinghouse’s Chronology of Data Breaches

https://www.privacyrights.org/data-breach  


For questions and input contact:

Susan Lyon-Hintze – susan@hintzelaw.com, 206-601-3233

Mike Hintze – mike@hintzelaw.com, 206-719-6934

Jared Friend – jared@hintzelaw.com, 206-325-3277

Hintze Law PLLC
505 Broadway E. #151
Seattle, WA 98102

www.hintzelaw.com


U.S. Department of Commerce Issues Fact Sheet on the EU-U.S. Privacy Shield Agreement

On February 2, 2016, following the announcement of the EU-U.S. Privacy Shield Agreement, the U.S. Department of Commerce distributed a fact sheet about the new data-transfer agreement with the European Union. The fact sheet provides further detail on the elements of the agreement described in the EU Commission's press release.

The Department of Commerce’s fact sheet states that U.S. companies participating in the EU-U.S. Privacy Shield must "commit to participate in arbitration as a matter of last resort to ensure that EU individuals who still have concerns will have the opportunity to seek legal remedies." Arbitration will be “at no cost to the individual.” Whether U.S. companies must bear the cost is not clear.

Further, the fact sheet states that the Privacy Shield contains additional obligations regarding use of service providers by participating companies in the form of "new contractual privacy protections and oversight for data transferred by participating companies to third parties or processed by those companies' agents to improve accountability and ensure a continuity of protection."

The Privacy Shield allows for European Data Protection Authorities to refer complaints to the Department of Commerce and the Federal Trade Commission. The Department of Commerce states it will dedicate "a special team with significant new resources to supervise compliance with the Privacy Shield" as part of its effort to resolve these complaints.

The EU Commission press release also announced that the U.S. gave the EU Commission written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. The fact sheet provides details on the nature of these written assurances, stating that "[i]n connection with finalization of the new EU-U.S. Privacy Shield, the U.S. Intelligence Community has described in writing for the European Commission the multiple layers of constitutional, statutory, and policy safeguards that apply to its operations, with active oversight provided by all three branches of the U.S. Government."

While the Department of Commerce has shed a bit more light on the details of the EU-U.S. Privacy Shield, many questions still remain. Stay tuned.


By Carolyn Krol


City of Seattle Adopts First of Its Kind Privacy Principles

On February 23, 2015, the Seattle City Council unanimously approved a resolution adopting its first ever set of comprehensive privacy principles.  The principles are also the first of their kind to be adopted by a major U.S. city.

The privacy principles guide the City of Seattle when collecting, using, and sharing personal information from the public. The principles include considering potential privacy risks when collecting and using personal information; minimizing data collected; providing notice and, if possible, choice about how data is used; securing data; and maintaining accuracy of personal information.

In a message to followers on Twitter, Mayor Ed Murray said the new privacy principles “create a comprehensive ethical framework in protecting privacy and building public trust.”

The Council also set a deadline of August 2015 for each City department to develop a “Privacy Toolkit.”  These Privacy Toolkits will consist of a package of actionable privacy standards that implement compliance with the privacy principles. The official announcement is available at: http://murray.seattle.gov/city-adopts-privacy-principles-to-protect-the-public/

The following are the City of Seattle’s Privacy Principles in full:

What is Personal Information?

“Personal information” is any information relating to an identified or identifiable individual. Examples of personal information include but are not limited to a person’s name, home or email address, social security number, religion, political opinions, financial and health records, and racial and ethnic origin.

Privacy Principles

The City of Seattle collects personal information from the public so that we can provide many important services including community and critical infrastructure protection, 911 call response, waste management, electricity delivery and other services. We work to find a fair balance between gathering information to provide these needed services and protecting the public’s privacy.

While privacy laws protect some personal information, the information we collect becomes a government record that others can ask to see through public records requests. Therefore, it is important for you to know when and how your personal information is collected, how we use it, how we disclose it and how long we keep it.

The following Privacy Principles guide the actions we take when collecting and using your personal information:

1. We value your privacy…

Keeping your personal information private is very important. We consider potential risks to your privacy and the public’s well-being before collecting, using and disclosing your personal information.

2. We collect and keep only what we need…

We only collect information that we need to deliver City services and keep it as long as we are legally required and to deliver those services. Whenever possible, we tell you when we are collecting this information.

3. How we use your information….

When possible, we make available information about the ways we use your personal information at the time we collect it. We commit to giving you a choice whenever possible about how we use your information.

4. We are accountable…

We are responsible for managing your personal information in a manner that is consistent with our commitments and as required by law. We protect your personal information by restricting unauthorized access and by securing our computing resources from threats.

5. How we share your information…

We follow federal and state laws about information disclosure whenever we work with outside governmental agencies and in answering Public Disclosure Requests (PDRs). Business partners and contracted vendors who receive or collect personal information from us or for us to deliver City services must agree to our privacy requirements.

6. Accuracy is important…

We work to maintain and use accurate personal information for City business. When practical, we will work to correct inaccurate personal information. We also direct our partners and contracted vendors to follow the same guidelines.