Anti-fall08

Antitrust, Vol. 26, No. 3, Summer 2012. 2012 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may notbe copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.
B Y C H R I S T O P H E R W O L F A N D W I N S T O N M A X W E L L TECHNOLOGICAL ADVANCEMENTS social media, and Cloud computing cross national borders, have made it easier and more cost effective for allowing data to be transmitted to any location in the world.
businesses to collect, use, share, and store vast As such, the privacy problem is not restricted to any one juris- amounts of personal information about con- diction. Indeed, the wonder of modern technology is the sumers and employees alike. As a result, priva- ability of people to access information and entertainment cy is becoming an ever-important issue for businesses of all from virtually anywhere, and to send information globally.
types and sizes. The media increasingly are turning their Thus, one would expect nations of the world to focus on a attention to privacy-related issues, raising the stakes for busi- global standard of protection, and to harmonize existing nesses that maintain personal information, as one instance of mishandling personal information could harm the public’s In that connection, at a recent conference held simulta- perception of a business. There are almost daily headlines neously in Washington and in Brussels, the EU Commis - about privacy abuses and mistakes. The continuing, Pulitzer sioner for Justice, Fundamental Rights and Citizenship and Prize-nominated, Wall Street Journal series entitled “What the U.S. Secretary of Commerce issued a joint statement They Know” has focused national and international attention declaring that “[t]his is a defining moment for global personal on the often-undisclosed uses of Internet tracking technolo- data protection and privacy policy and for achieving further gy to collect and share consumer information obtained from interoperability of our systems on a high level of protec- computers and mobile devices.1 Thus, it is not surprising that policymakers around the world are re-examining the One basis for the hoped-for interoperability is the wide legal framework that regulates the collection, use, sharing, agreement around the world, as there has been for decades, and storing of personal information—making more robust on the basics of what it means to protect privacy in an infor- the protections afforded to such information, and increasing mation age. The so-called “Fair Information Practice Prin - ciples,” or “FIPPs,” focus on empowerment of people to con- The privacy frameworks recently proposed by the Euro - trol their personal information and on safeguards to ensure pean Commission, the White House, and the FTC seek adequate data security.3 FIPPs form the core of the 1980 more protection of individuals, and are founded on the same OECD privacy guidelines on which both the U.S. and underlying principles of fairness. However, despite a common European models are based, and that were adopted “to har- foundation, the privacy regimes from opposite sides of the monise national privacy legislation and, while upholding [ ] Atlantic exhibit fundamental differences in approach and human rights, [ ] prevent interruptions in international flows The Global Nature of Privacy
The Targeted Approach to Privacy in the
As a result of the ubiquitous nature of the Internet, data United States
rarely stays in only one jurisdiction. Rather, the Internet, Historically, the EU and United States have taken divergentapproaches to implementing the FIPPs. In the United States, C hrist opher Wolf is a par tn er in H ogan Lov el ls US LL P, resident in where privacy interests are balanced with the right to free Washington, DC, where he leads the global Privacy and Information expression and commerce, and where the legal framework Management practice. Winston Maxwell is a par tner in the Paris office of assumes that—as a practical matter—not every piece of per- Hogan Lovells Int’l LLP, where he focuses on data protection, technology, sonal information can be protected and policed, the frame- media, and telecoms. The authors acknowledge with thanks the assistance work provides the highest levels of protection for sensitive of their Hogan Lovells colleague Steve Spagnolo in the preparation of this personal information, such as financial, health, and chil- dren’s data. For example, the Gramm-Leach-Bliley (GLB) Act regulates how financial institutions collect, disclose, share, ing programs in place within businesses to provide physical, and protect personally identifiable financial information.5 administrative, and technical protections for personal data, The Health Insurance Portability and Accountability Act and to ensure that new products and services take privacy (HIPAA) regulates the use and disclosure of “protected health information” by such entities as physicians, hospitals, and In a revealing 2011 Stanford Law Review article, Univer - health insurers.6 And the Children’s Online Privacy Pro - sity of California at Berkeley Professors Kenneth Bamberger tection Act of 1998 (COPPA), regulates websites’ collection and Deirdre Mulligan presented findings from the first and use of the personally identifiable information of chil- study of corporate privacy management in fifteen years.16 Bamberger and Mulligan effectively responded to the criti- A major, if not defining characteristic of U.S. privacy law, cism of the U.S. privacy regime as lacking sufficient legal comes from the targeted enforcement actions against bad protections (what they termed “privacy on the books”) with (or negligent) actors—principally by the U.S. Federal Trade a descriptive account of privacy “on the ground.” They Commission—which has created a “common law” of what is explored the emergence of the Federal Trade Commission as expected from business when it comes to the collection, use, a privacy regulator; the increasing influence of privacy advo- and protection of personal information. The FTC has author- cates; market and media pressures for privacy protection; ity to take enforcement action against “unfair or deceptive” and the rise of privacy professionals, and concluded that, practices. In the privacy context, this has resulted in enforce- together, these factors played a major role in preventing vio- ment actions against companies that have promised some- lations of consumers’ expectations of privacy in the United thing in their privacy policies about the collection, use, or protection of personal information but, in practice, handledthe personal information in ways that differed from the The EU’s Across-the-Board Approach to Privacy
promised treatment. Early examples include enforcement In the EU, by contrast, a region-wide Directive, with nation- actions against Eli Lilly,8 Microsoft Passport,9 and Gateway,10 al laws in twenty-seven jurisdictions to implement the when each company made representations concerning its requirements of the Directive, purports to regulate every data practices—such as how data will be collected, shared, piece of personal information and is predicated on the notion and protected—which were contrary to what actually hap- that privacy is a fundamental human right.17 Thus, under the approach of across-the-board regulation, there are strict lim- Data security breach notification laws require public noti- its on the collection and use of information, although fication of information security mishaps. The laws motivate enforcement of those limits has been episodic. Some of the companies to improve their data security to avoid having to enforcement actions have been criticized, such as a criminal report breaches publicly since publicity invites legal chal- case against Google executives on the grounds of invasion of lenges. With the advent of the breach notification laws11 the privacy for a video posted by a YouTube user that depicted FTC developed new targets for enforcement—inadequate a group of Italian students bullying a disabled classmate— information security programs. A number of FTC enforce- a video that Google took down within hours of being noti- ment actions have resulted in consent decrees requiring com- fied about it.18 After removing the video, Google fully coop- prehensive data security programs regularly assessed and erated with Italian police to help identify the individual who reported upon by independent outside auditors. For example, uploaded the video, and the video was used to convict that the FTC brought enforcement actions against BJ’s Wholesale individual. Google stated in its official blog that “[i]n these Club12 and DSW,13 both of which were victimized by hack- rare but unpleasant cases, that’s where our involvement ers who tapped into their computer systems to obtain their would normally end,” but four Google executives were sub- customers’ credit card information, alleging that each com- sequently arrested and charged with violating Italian privacy pany failed to provide reasonable security for the sensitive laws for not blocking the video, and three of them were con- customer information that it collected and maintained. The FTC required both companies to implement, establish, and Another example of controversial enforcement of privacy maintain comprehensive security programs.
laws in the EU is a case currently before the European Court The 2011 settlements by Facebook14 and Google15 with of Justice in which the Court has been asked to decide the FTC contained, for the first time, requirements for com- whether Google must honor requests from Spanish citizens prehensive (and auditable) privacy programs, patterned on who wish to have their data removed from Google’s search the FTC requirements in the data security area. These pro- engine, even when Google is not the creator of the content.20 gram requirements are seen as creating a new and heightened These unusual cases are distinct from the FTC’s enforce- FTC standard for protection of consumer data. ment actions, whose consent decrees have the effect of setting In addition, Chief Privacy Officers (CPOs) are proliferat- certain standards of conduct for American businesses. ing and gaining in importance in U.S. businesses, adding to Still, the EU firmly believes its framework is superior to the level of American privacy protection. CPOs ensure that that of the United States, and it has been steadfast in the there are documented and enforceable compliance and train- belief that because the United States does not have an across- the-board privacy law, its protections are inadequate andtransfers of personal data from the EU to the United States [ T h e E U ] h a s b e e n s t e a d f a s t i n t h e b e l i e f t h a t
must be controlled and subject to special regulation. VivianeReding, Vice President of the European Commission and b e c a u s e t h e U n i t e d S t a t e s d o e s n o t h av e a n
Commissioner for Justice, Fundamental Rights and Citizen -ship, is skeptical of anything less than comprehensive U.S.
a c r o s s - t h e - b o a r d p r i v a c y l aw, i t s p r o t e c t i o n s a r e
privacy legislation akin to that in the EU.21 The belief on the European side that the United States i n a d e q u a t e a n d t r a n s f e r s o f p e r s o n a l d a t a f r o m t h e
lacks adequate protections for personal data theoretically E U t o t h e U n i t e d S t a t e s m u s t b e c o n t r o l l e d a n d
could mean that personal data could not be transferred acrossEU borders to the United States, bringing trans-Atlantic s u b j e c t t o s p e c i a l r e g u l a t i o n .
commerce to a grinding halt. To address that unthinkableresult, legal mechanisms have been established, requiringexpense and burden, to transfer data from the EU to the residents, or monitor their behavior. And, if they are sub- United States. These mechanisms are the EU-U.S. Safe ject to its rules, with certain exceptions, they must appoint Harbor,22 which requires eligible businesses to certify com- a representative to whom data protection concerns may be pliance with the Safe Harbor principles of notice, choice, onward transfer, data integrity, security, access, and verifica- A new principle of accountability would require data tion and enforcement; Model Contracts,23 which are standard controllers to demonstrate their compliance with the law contractual clauses approved by EU authorities that must be by maintaining extensive documentation on their pro- included in agreements that involve the transfer of personal cessing, implementing appropriate security requirements, data outside the EU; and Binding Corporate Rules,24 which and performing impact assessments when required. This are a set of comprehensive internal policies and procedures replaces the current requirement of administrative filings. that allow for intra-company cross-border transfers, and that Ⅲ There are new rights to have data deleted (the “right to be
must conform to standards approved by EU authorities.
forgotten”) and to move data from one service to anoth- Some had speculated, or perhaps merely hoped, that the er (“data portability”), which would have a particular current focus on improving the privacy frameworks in the United States and the EU would bring the parties closer to Ⅲ Borrowing from the U.S.-developed concept of data secu-
international harmonization or comity. In the past few rity breach notification laws, data breaches would have to months recent proposals for privacy reform were announced be reported to supervisory authorities without undue delay in Brussels and Washington, but it remains to be seen and, where feasible, within twenty-four hours—a time whether those reforms will act to ease the tensions between period most people experienced with data breach notifi- the EU and the United States over their respective approach- cation view as impractical. “Serious breaches” must also be es to privacy, so that there will be convergence and greater cooperation between the two regimes.
Ⅲ Binding Corporate Rules are expressly recognized in the
Regulation as an appropriate form of compliance for inter- The Proposal for an EU Privacy Regulation
national cross-border transfers of data. They will be sub- In January, the European Commission unveiled a new pro- ject to approval by only one supervisory authority, thus posal for privacy in the EU, calling for a region-wide shortening the current and very long approval process.
Regulation that would replace national laws passed in each Ⅲ Where consent is to be a ground for data processing, it
EU Member State to implement the 1995 Directive on Data must be explicit. Implied consent will no longer be possi- Protection and proposing strict new privacy rules (and penal- ble and, once given, consent can be withdrawn at any ties for violating those rules).25 Upon final passage of the Regulation, the current 1995 Data Protection Directive Ⅲ Fines may be imposed by supervisory authorities for vio-
would be repealed. The proposed rules are intended to take lations of the proposed Regulation, reaching up to 2 per- into account the pervasive new technologies capable of col- cent of an organization’s annual turnover in the most seri- lecting and sharing information about people, and to give ous cases. This potential fining authority for failing to individuals more control over their personal information. abide by the Regulation’s many still-to-be-clarified provi- Ⅲ Under the new Regulation, individuals and organizations
sions is viewed by many as potentially draconian.
would only need to deal with one supervisory authority, The draft Regulation has entered the political process of located in the country of their main establishment or res- the EU co-decision procedure, under which agreement will idence, rather than the fragmentary jurisdiction current- need to be reached between the European Parliament and the ly provided by the Directive. The Regulation would make Council of the European Union. There is no way to predict organizations outside the EU subject to its provisions if exactly how long that process may take, but debate has they process personal data to offer goods or services to EU The Obama Administration’s Proposals for
Referring to the differences in national privacy laws that Better Privacy
create challenges for businesses that wish to transfer data One month after the announcement in Brussels of the pro- across national borders, the Administration states that it is posed Regulation to replace the Data Protection Directive, “critical to the continued growth of the digital economy the Obama Administration announced its “Privacy Blue - that they strive to create interoperability between privacy print” for the United States, calling for legislation containing regimes.”29 The Administration states that it is committed to a Privacy Bill of Rights and proposing enforceable codes of increasing international interoperability by pursing mutual conduct developed through a so-called “Multistakeholder recognition of commercial privacy frameworks, international codes of conduct based on the multistakeholder process, The cornerstone of the Administration’s privacy blueprint and bilateral or multilateral enforcement cooperation. is the Consumer Privacy Bill of Rights, which adapts the Finally, the Administration calls on Congress to adopt the decades-old Fair Information Practice Principles to the inter- Consumer Privacy Bill of Rights—noting that Congress connected and interactive world. The Privacy Bill of Rights should provide the FTC and State Attorneys General with the applies to commercial uses of personal data and seeks to pro- power to enforce those rights—as well as a national standard vide greater privacy protection for consumers and greater for security breach notification, which would replace the patchwork of state breach notification laws that are current- There are seven core rights that comprise the Privacy Bill ly in effect in forty-six states, the District of Columbia, Puerto Ⅲ Individual Control: Consumers have a right to exercise
control over what personal data organizations collect from The Federal Trade Commission’s Privacy Viewpoint
Shortly after the White House announcement of its priva- Ⅲ Transparency: Consumers have a right to easily under-
cy proposals, the independent U.S. Federal Trade Commis - standable information about privacy and security prac- sion followed with a report on privacy containing that agency’s expectations and hopes for the collection of per- Ⅲ Respect for Context: Consumers have a right to expect
sonal information. Entitled “Protecting Consumer Privacy that organizations will collect, use, and disclose personal in an Era of Rapid Change: Recommendations for Busi - data in ways that are consistent with the context in which nesses and Policy makers,” the Report is intended to articu- late “best practices” for companies that collect and use con- Ⅲ Security: Consumers have a right to secure and responsi-
sumer data, and to assist Congress as it considers new Ⅲ Access and Accuracy: Consumers have a right to access
The Report calls for companies to implement (1) privacy and correct personal data in usable formats, in a manner by design, (2) simplified consumer choice, and (3) greater that is appropriate to the sensitivity of the data and the risk transparency; and it recommends that Congress pass baseline of adverse consequences to consumers if the data are inac- privacy legislation. The Report also encourages companies to incorporate substantive privacy protections (e.g., data secu- Ⅲ Focused Collection: Consumers have a right to reason-
rity, collection limits, retention and disposal practices, and able limits on the personal data that companies collect and data accuracy) and maintain comprehensive data manage- ment procedures throughout product and service life-cycles.
Ⅲ Accountability: Consumers have a right to have person-
In addition, companies are called upon to give consumers a al data handled by companies with appropriate measures choice about their data at a time and in a context in which in place to assure they adhere to the Consumer Privacy Bill the consumer is making the decision, and to obtain affirma- tive express consent before collecting sensitive data or mak- The Administration’s blueprint contemplates a multi- ing material retroactive changes to privacy representations.
stakeholder approach spearheaded by the Department of The Report proposes that privacy notices should be clearer, Commerce that will produce enforceable codes of conduct that implement the Privacy Bill of Rights. The multistake- FTC Chairman Jon Leibowitz, commenting on the holder approach is championed by the Administration due to Report, stated: “If companies adopt our final recommenda- the “flexibility, speed, and decentralization necessary to tions for best practices—and many of them already have— address Internet policy challenges.”28 This process is designed they will be able to innovate and deliver creative new serv- to avoid a one-size-fits-all approach and instead opts for flex- ices that consumers can enjoy without sacrificing their ibility and a tailored standard. In addition to flexibility, the speed with which the multistakeholder process is expected to In the Report, the FTC recommends new targeted legis- be able to produce solutions—as compared to the regulato- lation to address the practices of data brokers, and recognizes ry or law making process—is also appealing due to the con- that the more sensitive the data, the greater the protections stantly evolving nature of privacy issues. needed. The new framework applies to both online and offline contexts and to data that is “reasonably linkable” to And the U.S. proposed rules do not contemplate a “right to specific consumers, computers, or devices. be forgotten,” a major feature of the EU proposal and one The Report also highlights five “action items” that the that First Amendment scholar Professor Jeffrey Rosen has FTC will focus on over the next year to promote the new pri- labeled “the biggest threat to free speech on the Internet in Ⅲ Do Not Track: The FTC will work with industry to
Similarly, there is no right to “data portability” in the implement an “easy-to-use, persistent, and effective Do U.S. proposals as there is in the EU plan. The EU proposal Not Track system” which will allow users to opt out of contemplates broad jurisdiction to enforce its law, even being tracked by online advertising networks and other extending to U.S. businesses without a physical presence in the EU, under certain circumstances. And even though the Ⅲ Mobile: The FTC recommends that companies providing
EU has borrowed the data breach notification idea from the mobile services improve their privacy practices, including United States, it proposes a presumptive obligation to provide through the use of shorter, more meaningful disclosures. notice within twenty-four hours of a breach, a time frame Ⅲ Data Brokers: As mentioned above, the FTC is support-
widely regarded as wholly unworkable by those who have ing targeted legislation to provide consumers with greateraccess to the personal information held by data brokers. Italso recommends that data brokers develop a centralized . . . t h e U . S . p r o p o s e d r u l e s d o n o t c o n t e m p l a t e
website to identify themselves to consumers, describe theirinformation practices, and detail the access rights and a “ r i g h t t o b e f o r g o t t e n , ” a m a j o r f e a t u r e o f t h e
other choices they provide with respect to consumer data. Ⅲ Large Platform Providers: The FTC is planning to host
E U p r o p o s a l . . .
a public workshop in the second half of 2012 to exploreprivacy issues associated with “comprehensive” online worked under the U.S. data breach laws. Finally, the EU tracking that can be conducted by ISPs, operating systems, proposes a schedule of monetary fines of up to 2 percent of an entity’s global worldwide turnover for violations of the Ⅲ Self-Regulatory Codes: The FTC will participate in the
proposed Regulation––an amount that many stakeholders Department of Commerce’s upcoming multistakeholder view as unreasonable due to the discretion given to enforcers process to develop voluntary, enforceable industry codes of Until the EU Regulation is finalized, businesses need to consider the impact of the proposed new rules on their oper- Impact of the Recent Proposals
ations and on their bottom lines. Importantly, they also need As is evident from these descriptions of the EU, White to consider whether the proposed rules even are achievable House, and FTC 2012 proposals, there indeed are common under their particular business models. The period ahead aspects to the EU and U.S. proposals. Both call for imple- will be one of adjustments to the proposed EU Regulation to mentation of the “Privacy by Design” concept intended to make it acceptable to the European Parliament and to the build privacy sensitivity and consideration into every stage of Council of the European Union, the bodies responsible for the development of products and services. Both recognize the the co-decision procedure required to adopt the Regulation.
importance of accountability by those who collect and use Input can be expected from businesses in Europe concerned personal data. Both reflect the principle that people should about the practicality and the effect on trade of the proposed not be surprised by the use of their personal data collected for more-restrictive privacy rules. Likewise, in the United States, one purpose but used for another purpose. There is no dis- the exact shape of the new privacy framework is still to be agreement about the need for informed consent about the determined, on Capitol Hill and through the work of the collection and use of personal information (although the kind of consent envisioned in each jurisdiction differs as to As things now stand there is a big gap to bridge between various categories of data). Finally, the U.S. view of what con- the two trans-Atlantic approaches. Both are, in many ways so stitutes “personal data” seems to be moving toward the EU’s: close, yet very far apart in fundamental respects. Ⅵ
the FTC refers to data that can be “reasonably linked to a spe-cific consumer, computer or other device,”33 a standard very close to—and arguably even broader than—the EU defini- What They Know—Wsj.com, http://online.wsj.com/public/page/what-they-know-digital-privacy.html (last visited Apr. 19, 2012) (updated periodically). 2 Viviane Reding, European Commission Vice President and Commissioner for Big differences in approach emerge from the fact that the Justice, Fundamental Rights and Citizenship, and John Bryson, U.S.
United States, while proposing a first-ever federal privacy Secretary of Commerce, EU-US Joint Statement on Data Protection (Mar. 19, law with a “Privacy Bill of Rights,” still intends to rely on a 2012), available at http://europa.eu/rapid/pressReleasesAction.do?refer variety of self-regulation (more precisely, co-regulation, since ence=MEMO/12/192&format=HTML&aged=0&language=EN&guiLanguage=en. self-regulatory rules could be enforced by law enforcement).
Fed. Trade Comm’n, Fair Information Practice Principles, http://www.ftc.gov/ See Nick Leiber, Why the Google-Italy Privacy Case Matters to Your Business, reports/privacy3/fairinfo.shtm (the five FIPPs, as set forth by the FTC, BLOOMBERG BUSINESSWEEK (Mar. 3, 2010), http://www.businessweek.com/ are: (1) Notice/Awareness, (2) Choice/Consent, (3) Access/Participation, smallbiz/running_small_business/archives/2010/03/why_the_google- (4) Integrity/Security and (5) Enforcement/Redress) (last visited Apr. 19, .html; see also Kit Eaton, Italy Convicts Google Execs on Privacy Invasion Charges, Revisits Dark Ages, FAST CO. (Feb. 24, 2010, 7:19 AM), http:// www.fastcompany.com/1560995/google-youtube-italy-law-legal-court- OECD, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, http://www.oecd.org/document/18/0,3746,en_ 2649_34255_1815186_1_1_1_1,00.html (last visited April 19, 2012). Serious Threat to the Web in Italy, GOOGLE OFFICIAL BLOG (Feb. 24, 2010, 4:57 AM), http://googleblog.blogspot.com/2010/02/serious-threat-to-web- Financial Services Modernization Act (Gramm-Leach-Bliley), Pub. L. No. 106- in-italy.html#!/2010/02/serious-threat-to-web-in-italy.html. 102, 113 Stat. 1338 (1999) (codified at 15. U.S.C. §§ 6801–6809). See Claire Davenport, Spain Refers Google Privacy Complaints to EU’s Top Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L.
Court, REUTERS (Mar. 2, 2012, 1:31 PM), http://www.reuters.com/article/ No. 104-191, 110 Stat. 1936 (1996) (codified as amended in scattered 2012/03/02/us-eu-google-idUSTRE8211DP20120302 (The individual requests to remove data from Google’s search results include a plastic sur- 7 Children’s Online Privacy Protection Act (COPPA), Pub. L. No. 105-277, 112 geon who wants to have all references to a “botched operation” removed, Stat. 2681-728 (1998) (codified at 15 U.S.C. §§ 6501–6506).
and a man who wishes that references to the repossession of his home due 8 Eli Lilly and Co., FTC File No. 012-3214 (2002), available at http:// to non-payment of social security be removed). www.ftc.gov/os/caselist/0123214/0123214.shtm (Eli Lilly provided a serv- 21 Viviane Reding, European Commission Vice President and Commissioner for ice to consumers that used the anti-depressant medication Prozac, which Justice, Fundamental Rights and Citizenship, Speech at the 2nd Annual enabled the consumers to receive email reminders when it was time to take European Data Protection and Privacy Conference: The Future of Data or refill their medication. In an email communicating the termination of the Protection and Transatlantic Cooperation (Dec. 6, 2011) (“I am worried reminder program, an Eli Lilly employee accidentally disclosed to each par- that US ‘self-regulation’ will not be sufficient to achieve full interoperability ticipant in the program the email addresses of all other participants, which, between the EU and US.”), available at http://europa.eu/rapid/press the FTC claimed, was contrary to the claims of privacy and confidentiality ReleasesAction.do?reference=SPEECH/11/851&type=HTML. that Eli Lilly made in its privacy policies.).
22 See Welcome to the U.S.- E.U. Safe Harbor, EXPORT.GOV, http://export.
9 Microsoft Corp. FTC File No. 012-3240 (2002), available at http://www.ftc.
gov/safeharbor/eu/eg_main_018365.asp (last visited Apr. 19, 2012). gov/os/caselist/0123240/0123240.shtm (Microsoft made a series of 23 See Model Contracts for the Transfer of Personal Data to Third Countries, misrepresentations about its data privacy and security practices with regard EUROPEAN COMM’N—JUSTICE, http://ec.europa.eu/justice/policies/privacy/ to data collected through its Passport Web services. Notably, Microsoft modelcontracts/index_en.htm (last visited Apr. 19, 2012). claimed that it did not collect any personally identifiable information other than as described in its privacy policy and that it employed a high level of See Overview—BCR, EUROPEAN COMM’N—JUSTICE, http://ec.europa.eu/ online security with respect to the data collected, claims which the FTC justice/policies/privacy/binding_rules/index_en.htm (last visited Apr. 19, Gateway Learning Corp., FTC File No. 042-3047 (2004), available at European Commission, Proposal for a Regulation of the European http://www.ftc.gov/os/caselist/0423047/0423047.htm (Gateway rented Parliament and of the Council on the Protection of Individuals with Regard consumers’ personal information to third parties contrary to statements in to the Processing of Personal Data and on the Free Movement of Such Data its online privacy policy that it would not do so absent the consumer’s explic- (General Data Protection Regulation), Jan. 25, 2012, available at http:// ec.europa.eu/justice/data-protection/document/review2012/com_2012_ Forty-six states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted laws that require notification of security breaches that involve THE WHITE HOUSE, CONSUMER DATA PRIVACY IN A NETWORKED WORLD: protected personal information. These laws require notification in a rea- A FRAMEWORK FOR PROTECTING PRIVACY AND PROMOTING INNOVATION IN THE sonable amount of time to the individuals whose data was compromised, GLOBAL DIGITAL ECONOMY (2012), available at www.whitehouse.gov/sites/ and in some instances, to state government entities, such as the State Attorney General’s office and consumer reporting agencies. See, e.g., CAL.
12 BJ’s Wholesale Club, Inc., FTC File No. 042-3160 (2005), available at http://www.ftc.gov/os/caselist/0423160/0423160.shtm (The FTC alleged 30 FED. TRADE COMM’N, PROTECTING CONSUMER PRIVACY IN AN ERA OF RAPID that BJ’s failed to provide reasonable security for sensitive consumer infor- CHANGE: RECOMMENDATIONS FOR BUSINESSES AND POLICYMAKERS (2012) [here- mation. Specifically, the FTC noted that BJ’s failed to encrypt the informa- inafter FTC PRIVACY REPORT], available at http://www.ftc.gov/os/2012/03/ tion, stored it for longer than necessary, stored it in an unsecure manner, and failed to take measures to prevent and detect unauthorized access to Fed. Trade Comm’n, FTC Issues Final Commission Report on Protecting Consumer Privacy (Mar. 26, 2012), http://www.ftc.gov/opa/2012/03/ DSW, Inc., FTC File No. 052-3096 (2005), available at http://www.ftc.gov/ FTC PRIVACY REPORT, supra note 30, at 72–73. Facebook, Inc., FTC File No. 092-3184 (2011), available at http://ftc.gov/ Google, Inc., FTC File No. 102-3136 (2011), available at http://www.ftc.gov/ The EU definition refers to data that can permit, directly or indirectly, the identification of a natural person (art. 2, Directive 95/46/EC, supra note 17). Although the EU definition does not refer to machine addresses, most Kenneth A. Bamberger & Deirdre K. Mulligan, Privacy on the Books and on European data protection authorities believe that IP addresses and other the Ground, 63 STAN. L. REV. 247 (2011). machine identifiers are “personal data” because a machine can in many 17 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing 35 Jeffrey Rosen, The Right to Be Forgotten, 64 STAN. L. REV. ONLINE 88 of Personal Data and on the Free Movement of Such Data, 1995 O.J. (2012), available at http://www.stanfordlawreview.org/online/privacy- (L 281) 31 (1995), available at http://eur-lex.europa.eu/LexUriServ/ LexUriServ.do?uri=CELEX:31995L0046:EN:HTML.

Source: https://www.telecom-paristech.fr/fileadmin/documents/pdf/formation_continue/Big-Data/New-Privacy_ABA-Antitrust-Magazine.pdf