Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Category Archives: Global

U.S. Steps Up Efforts to Make “Safe Harbor Safe Again” – FTC, Justice Department Work to Keep EU Happy and Avoid Pull Back from Safe Harbor

Posted in Data Protection, Global

Within the span of two days, both the Federal Trade Commission (FTC) and the U.S. Department of Justice announced initiatives meant to assuage the European Union’s concerns over trans-Atlantic data flows and to secure Europe’s future commitment to the U.S.-EU Safe Harbor initiative.

On June 25, 2014, the FTC approved final orders that settled charges with 14 companies that had falsely claimed their participation in the U.S.-EU Safe Harbor program. Under the terms of their settlements, each of the 14 companies is prohibited from further misrepresenting its participation in any privacy or data security scheme, including Safe Harbor.

One day before the FTC’s announcement, U.S. Attorney General Eric Holder announced in Athens that the Obama administration would ask Congress to enact legislation granting EU citizens the right to bring claims in U.S. courts under U.S. privacy laws if they believe their personal data had been misused. This measure is intended to resolve one of the major sticking points in the broader negotiations for the Data Protection Umbrella Agreement, a framework with the EU to enhance anti-terrorism efforts by providing U.S. law enforcement authorities access to the personal data of individuals living in Europe. However, EU Vice President and Commissioner ... Continue Reading

Only 4 Weeks Until Canada’s New Anti-Spam Rules Come into Force

Posted in Global, Marketing and Consumer Privacy

Provisions Have Implications for US, Global Businesses

Starting on July 1, 2014, key provisions of Canada’s Anti-Spam Law (CASL) governing commercial electronic messages (CEMs) will go into effect, per our advisory thoroughly analyzing CASL.  The statute and its implementing rules generally prohibit sending CEMs without the recipient’s express consent, and as noted in the advisory, extend far beyond just email, reaching CEMs sent to instant message and social network accounts, as well as short message service (SMS) texts to cellphones.  And, CASL governs CEMs sent from or accessed by domestic computer systems, meaning the law’s provisions will extend far beyond Canada’s borders and affect CEMs sent from other countries, including the United States.... Continue Reading

UK Gives Search Engines Time to Comply With ‘Right to Be Forgotten’

Posted in Global, Marketing and Consumer Privacy

The UK data protection watchdog has said that it will give search engines like Google some time to put measures in place to respond to requests to take down links in search results.

On May 20, 2014, the UK Information Commissioner’s Office made its first public response to last week’s Court of Justice of the European Union decision against Google and its Spanish subsidiary. The court’s decision requires Google to take down links to lawfully published content about an individual if the individual believes the information to be inaccurate, irrelevant, outdated or excessive. See our advisory for more information about the CJEU ruling.

In a blog post, ICO Deputy Commissioner David Smith provided a pithy summary of the ICO’s takeaways from the Google decision and announced:

“We won’t be ruling on any complaints until the search providers have had a reasonable time to put their systems in place and start considering requests. After that, we’ll be focusing on concerns linked to clear evidence of damage and distress to individuals.”

The approach is similar to the informal grace period the ICO provided when unclear “cookie consent” rules were introduced by the EU in 2011.

It is worth noting that the ... Continue Reading

United States Charges China with Cyber-Espionage in Unprecedented Indictment

Posted in Cyber and National Security, Global

This morning, the U.S. Department of Justice (DOJ) announced that a grand jury in the Western District of Pennsylvania has indicted five Chinese military officials on charges of computer hacking, economic espionage, and related offenses. The indictment marks the first time that the DOJ has filed charges against a state actor for cyber-theft and cyber-espionage crimes.

The indictment alleges that, between 2006 and 2014, the five individuals, while working for the Chinese People’s Liberation Army, hacked or attempted to hack into six U.S. companies in the nuclear power, solar, and metals industries to steal sensitive, non-public business information and trade secrets. The indictment alleges that the defendants stole this information to obtain economic advantages for Chinese state-owned enterprises (SOE) and other state interests. A summary of the specific allegations may be read in the DOJ’s press release about the indictment. The allegations of criminal conduct range from the defendants stealing proprietary information from Westinghouse Electric Co. about the design of its power plants while it was in negotiations with an SOE for the construction of plants in China, to the theft of emails from the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union ... Continue Reading

European Union’s Highest Court Rules Google Must Remove Links Containing Personal Data

Posted in Global, Marketing and Consumer Privacy

In a significant and concerning decision, the European Court of Justice (“ECJ”) has endorsed the so-called “right to be forgotten” and ruled that, in some circumstances, search engines can be compelled to remove search result links to websites, news articles, court records and other documents that reveal truthful information about individuals—even when the information is not prejudicial and has been posted lawfully. Google Spain SL, Google Inc. v Agencia Española de Protección de Datos.

At issue in the underlying case was a Spanish national’s demand that Google remove links to two 1998 newspaper announcements that appeared in search results for his name, and which mentioned the forced auction of his real estate holdings. The claimant argued that since the related attachment proceedings had long since been resolved, this personal data was no longer relevant and Google should therefore be required to remove the links. The Spanish Data Protection Agency agreed, and when Google appealed that decision, the National High Court of Spain sought advice from the ECJ, the European Union’s highest court.

Brazil Enacts “Internet Bill of Rights,” Including Net Neutrality and Privacy Protections

Posted in Global, Technology

Brazil’s long-debated “Internet Bill of Rights” has finally become law. The legislation, which passed the Brazilian Senate unanimously in April, is intended to secure equality of access to the Internet in Brazil—i.e., Net Neutrality—and provide privacy protections for Brazilian users of the Internet. Experts hailed the law “for balancing the rights and duties of users, government and corporations while ensuring the Internet continues to be an open and decentralized network.”

The law, known as the Marco Civil da Internet or “Marco Civil” (in English, the Civil Internet Regulatory Framework) was first proposed in the Brazilian Congress in 2011, but received new significance in late 2013 after revelations that the U.S. National Security Agency had spied on the communications of persons across the world—including Brazilian President Dilma Rousseff. Rousseff signed the Marco Civil into law on April 23, 2014. The law goes into effect in July.

Commonly referred to in English as an “Internet Bill of Rights” or “Internet Constitution”, Brazil’s new Marco Civil provides for the freedom of expression and of content on the internet while also limiting the amount of metadata that can be gathered on Brazilian Internet users. The legislation also includes broadly worded protections for... Continue Reading

Acquisitions Don’t Nullify Prior Privacy Promises–FTC’s Letter to Facebook & WhatsApp Gives Caution to All to Honor Privacy Protections in Mergers

Posted in Global, Marketing and Consumer Privacy

Social networking site Facebook announced in February its plans to acquire WhatsApp—a “rapidly growing cross-platform mobile messaging company”—for the princely sum of $19 billion. While Facebook and WhatsApp are looking forward to a bright future together, the Federal Trade Commission is keeping a watchful eye on both companies regarding the privacy protections that WhatsApp promised its users in the past. On April 10, 2014, the Director of the FTC’s Bureau of Consumer Protection Jessica Rich wrote executives at Facebook and WhatsApp and made clear that both companies must continue to honor WhatsApp’s prior policies and statements against collecting and sharing user data with advertisers—policies that, as Director Rich notes, exceed Facebook’s current privacy protections for its users.... Continue Reading

EU High Court Overturns Telecom Data Retention Requirements

Posted in Data Protection, Global

The Court of Justice of the European Union, the highest court in the EU, declared the EU’s 2006 Data Retention Directive invalid in a judgment issued on April 8, 2014. The directive, which has been implemented via national legislation by most EU member states, requires telecommunications and Internet providers to collect and retain traffic and location data regarding users’ calls and Internet activity for up to two years in order to assist law enforcement in the prevention of “serious crime” (such as organized crime and terrorism). The Court of Justice, however, determined that the directive interferes with European citizens’ fundamental rights to privacy.

A press release featuring a summary of the ruling is available here, while the full text of the Court’s judgment can be found here.

The Court acknowledged that the directive was intended to further an important public objective by aiding in the fight against international terrorism and organized crime. Nevertheless, the Court found that the directive went too far in achieving its objectives, especially since the directive requires the retention of all traffic via numerous means of communication, including fixed and mobile telephony, Internet access, email, and Internet telephony. The Court noted that the data ... Continue Reading

Social Networking for Jerks: FTC Goes After Site for Scraping Facebook Content

Posted in Communications/Media, Global, Marketing and Consumer Privacy

In the 1979 Carl Reiner film The Jerk, a new phonebook is delivered and Steve Martin, playing the title character, rejoices that “I’m somebody now! Millions of people look at this book every day! This is the kind of spontaneous publicity—your name in print—that makes people. I’m in print! Things are going to start happening to me now.”

As we all know, a quarter-century later, things have changed. Getting one’s name publicized takes only a few seconds—if not to millions of people, at least to whomever we’re connected on social media. But, according to the Federal Trade Commission, jerks still abound.

On April 2, 2014, the FTC issued an administrative complaint against Jerk, LLC, a company doing business in Hingham, Massachusetts under the name The site was a mean-spirited social network of sorts where users could anonymously vote whether the person in a particular user profile was a “Jerk” or “not a Jerk.” According to the complaint, from 2009 to 2013 the website contained between 73.4 and 81.6 million unique consumer profiles. While some were created by users, the FTC alleges that in reality the vast majority of the user profile content was lifted from Facebook.

The complaint’s ... Continue Reading

Google “Street View” case may be headed for SCOTUS Review

Posted in Communications/Media, Global, Marketing and Consumer Privacy, Policy and Regulatory Positioning

By John D. Seiver

Google held true to its promise to seek SCOTUS review of the Ninth Circuit’s interpretation of the term “radio communications” in the Wiretap Act when it filed its Petition for Certiorari last week. Google had argued in the Ninth Circuit that intercepting unencrypted Wi-Fi transmissions is within a specific exemption, but the Ninth Circuit (initially and on rehearing) held instead that unencrypted Wi-Fi is protected from interception by the Wiretap Act. Absent an extension, oppositions are due April 30, 2014.... Continue Reading

Federal Lawmakers Revive Do Not Track Kids Legislation

Posted in Data Protection, Global

A bipartisan, bicameral effort is again underway to extend current law and impose new restraints on the online tracking of children and teens under the age of 16. As promised, on Thursday, Nov. 14, 2013, Senator Edward Markey (D-Mass) and Rep. Joe Barton (R-Texas) introduced their respective versions (S. 1700 and H.R. 3481) of the “Do Not Track Kids Act of 2013.” Specifically, the Do Not Track Kids Act would:

  • Extend many of the privacy protections already afforded to children ages 12 and under in the Children’s Online Privacy Protection Act (COPPA) to teens through age 15;
  • Formally include online and mobile applications (the FTC already did this through enforcement actions and then by rule in its recent COPPA amendments);
  • Expand the definition of “personal information” to include device identifiers;
  • Extend COPPA protections to geolocation information;
  • Prohibit targeted marketing to children and minors without verifiable parental consent for children or the consent of a “minor” (13-15 year old);
  • Require the operators of a website, online service, or online or mobile application “directed to minors” to adopt and comply with a “Digital Marketing Bill of Rights for Teens” that is consistent with the Fair Information Practices Principles; and
  • Attempt to arm ... Continue Reading

Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail

Posted in Financial Services, Global, Policy and Regulatory Positioning

On April 16, 2013, DWT lawyers James Mann and Ronnie London presented on the topic of “Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail” at the RAMP Advanced Commerce and Mobile Retail Services Summit in Chicago.

The presentation focused primarily on two topics:

  • Why the Networks Are Here to Stay (and Some Suggestions for Dealing with Them)
  • Update on Mobile Regulatory Issues

To view the full presentation, click here.... Continue Reading

Congressmen ask FTC to Investigate Internet Use of “Supercookies”

Posted in Global, Marketing and Consumer Privacy

By David M. Silverman

Two Congressmen have written a letter to the Federal Trade Commission (FTC) asking the FTC to investigate certain websites’ use of “supercookies” to track the activities of website visitors after they have left the website and without their knowledge. The letter, written by Congressmen Joe Barton (R-TX) and Ed Markey (D-MA), is based on an August Wall Street Journal article discussing their use. The cookies have become a key issue based on concerns they may be placed without knowledge of computer users and are practically invisible to them. Such so-called “supercookies” differ from traditional HTTP cookies that track user data in that they are small files hidden within Adobe Flash and elsewhere that remain on users’ computers even when browsing history and cache are cleared, and can be picked up even when browsing in “private browsing” mode.... Continue Reading

Internet Privacy Class Actions

Posted in Cyber and National Security, Global, Litigation, Policy and Regulatory Positioning

In today’s cyberworld, operating in online and social media can put companies in a special class. Unfortunately, that class could mean a class action lawsuit. Websites and social media provide search engines, website operators, and advertisers powerful ways to obtain and monetize data about users. Jimmy Nguyen explores how this power has triggered public and governmental concern about consumers’ online privacy, even leading to a Wall Street Journal investigative report in August 2010 and a wave of class action lawsuits. To read more, click here.... Continue Reading

FTC Data Security Consent Decree Suggests Minimum Steps Companies Must Take

Posted in Cyber and National Security, Data Protection, Financial Services, Global, Marketing and Consumer Privacy, Policy and Regulatory Positioning

The FTC recently announced a consent decree with online retailer Life is good that offers insight into what that agency may believe are the bare minimum steps companies must take when making the kind of generic we-protect-the-information-you-give-us statements found in most privacy policies. The FTC claimed Life is good offered such reassurances but failed to have in place sufficient measures (from the FTC’s view) to back them up, based on the ability of a hacker to use SQL injection attacks on Life is good’s website to access consumers’ credit card numbers, expiration dates, and security codes. To resolve allegations in a draft complaint the FTC had prepared alleging unfair trade practices, Life is good settled the claims by entering a consent decree requiring it to adopt a comprehensive information-security program and obtain biennial audits by an independent third-party security professional … for the next 20 years.... Continue Reading

New AOL Initiative May Help Shield Consumers from Targeted Advertising

Posted in Global, Marketing and Consumer Privacy

Posted by Hozaifa Y. Cassubhai

Web users may be better able to travel incognito online by the end of the year. 

AOL unveiled a new program last week that is designed to help Web users shield their online travels from advertisers. This technology would allow users to opt out of online ads that are targeted to them based on their Web-surfing habits. The program aspires to “engender greater trust for targeted advertising by communicating with consumers in a more visible way, and by providing them more information about their choices,” stated Curt Viebranz, president of AOL’s ad platform. ... Continue Reading

Douglas Decision Applies Settled Law Regarding Online Contract Changes

Posted in Global

Posted by Randy Gainer

In Douglas v. United States District Court, No. 06-75424, 2007 WL 2069542, at *1-2 (9th Cir. July 18, 2007), the Court held that the terms of a revised online contract were ineffective when a user was not notified of changes when they were made. The Court stated that the trial court’s decision finding the contract changes were effective “reflects fundamental misapplications of contract law and goes to the heart of petitioner’s claim. . . .” Id.

Although some observers seemed to believe the Douglas decision established new law, it applied long-settled principles, as others recognized. Principles regarding how online agreements may be amended are summarized in Raymond P. Nimmer & Holly K. Towle, Amending or Modifying the Terms, ¶ 8.10[7] The Law of Electronic Commercial Transactions (2007). Among those principles is that, under the common law of contracts, which generally governs service contracts, there must be an offer, acceptance, and consideration to amend a contract. Id. at *1-2. Douglas simply applied the offer and acceptance rule: a party cannot offer an amendment nor the other party accept the amendment without the offeror providing notice of the change. ... Continue Reading

Amending Terms of Service – Are Website Postings Enforceable?

Posted in Global

Posted by Charlene A. Brownlee

In our wired world of texting, email and the Internet, businesses continually communicate with potential and existing customers online. The majority of websites, regardless of content and functionality, post a link to an online agreement, typically referred to as the website “Terms of Use,” “Legal Terms,” “Acceptable Use Policy,” (or something similar). This agreement usually provides that, “We may amend this Agreement at any time by posting the amended terms on this Site.”... Continue Reading

Internet Adapts to Surveillance by Law Enforcement

Posted in Communications/Media, Global, Policy and Regulatory Positioning

Posted by Thomas Jeffry

Monday (May 14th) marked the deadline when all facilities-based broadband Internet access providers and providers of interconnected VoIP (voice over Internet protocol) needed to comply with Sections 103 and 105 of the Communications Assistance for Law Enforcement Act of 1994 (CALEA), Pub. L. No. 103-414, 108 Stat. 4279. Cable modem companies, satellite internet companies, DSL providers, and broadband over powerline join traditional telecommunications carriers in providing technology that allows law enforcement agencies to tap into email, instant messaging, web browsing logs, and other forms of electronic communications.... Continue Reading

U.S. SAFE WEB Act of 2006

Posted in Cyber and National Security, Global, Marketing and Consumer Privacy, Policy and Regulatory Positioning

Posted by Charlene Brownlee

Congress approved S. 1608, the “Undertaking Spam, Spyware, And Fraud Enforcement with Enforcers beyond Borders Act of 2006,” (the US SAFE WEB Act of 2006) on December 9, 2006. The US Safe Web Act amends the Federal Trade Commission Act (FTCA) and improves the Federal Trade Commission (FTC)’s ability to protect consumers from international fraud by: (1) improving the FTC’s ability to gather information and coordinate investigation efforts with foreign counterparts; and (2) enhancing the FTC’s ability to obtain monetary consumer redress in cases involving spam, spyware, and Internet fraud and deception.... Continue Reading

Court Rules Providers of Broadband Internet and VoIP Services Must Make Networks “Wiretap-Friendly”

Posted in Global

Posted by Brian Bennett

The U.S. Court of Appeals for the D.C. Circuit recently ruled in American Council on Education v. Federal Communications Commission that providers of broadband Internet access and voice over Internet protocol (VoIP) must make their services “wiretap-friendly” under the Communications Assistance for Law Enforcement Act (CALEA), 47 U.S.C. §§ 1001-1010.

The emergence of new communication technologies, including DSL, cable modems and VoIP, led providers to replace physical copper wires with ethereal and encrypted digital signals, which are harder to intercept using traditional law enforcement methods. Responding to these changes, Congress passed CALEA in 1994, requiring “telecommunications carriers” to ensure that law enforcement officials can access provider networks.... Continue Reading

Gonzales Continues to Push ISPs to Retain Data

Posted in Global

Posted by K.M. Das

On Friday, May 26, 2006, United States Attorney General Alberto Gonzales and FBI Director Robert Mueller met with representatives of several Internet Service Providers (ISPs), including AOL, Comcast, Google, Microsoft and Verizon Communications, to urge them to consider retaining subscriber data for periods as long as two years. Although the initial justification for requiring ISPs to agree to retaining data was to fight child pornography, law enforcement officials now state that requiring ISPs to retain subscriber data for as long as two years will also help in the fight against terrorism.

Whose Internet Is It, Anyway?

Posted in Global

Posted by Merrill Baumann

Historically, the Internet has “belonged” to the United States. It traces its origin to a Defense Department project; the authoritative root zone server is physically located here; and ICANN reports to the Department of Commerce. But that doesn’t sit well with a growing number of countries and international organizations, including the U.N. and EU. This issue will face an increasingly public battle next month at the upcoming World Summit on the Information Society in Tunisia. And in the US, members of Congress have joined a Senate colleague in introducing legislation that calls for the US to maintain oversight control over the Internet. While creating a broader international management platform is attractive, opponents say that more governmental supervision will lead to increased regulations and bureaucracies that will stifle innovation and further development.

What do you think?... Continue Reading