United States: Navigating The Privacy Maze In The U.S. And Abroad

Last Updated: August 1 2006
Article by Demetrios Eleftheriou

The Metropolitan Corporate Counsel interviews Demetrios Eleftheriou, Willkie Farr & Gallagher LLP. This interview was originally published in the July 2006 issue of The Metropolitan Corporate Counsel.

Editor’s Note: Mr. Eleftheriou co-chairs the Information Services, Technology and Data Protection Committee and the Young Lawyers’ Interest Network Committee of the American Bar Association Section of International Law. He is also Vice President of the Data Protection, IP and New Technology Commission of the Association Internationale Des Jeunes Avocats.

Editor: Please describe the privacy conference in Washington that took place May 5-6 and your role.

Eleftheriou: The privacy conference was co-sponsored by the ABA Section of International Law and the International Young Lawyers Association. I have leadership roles in both organizations and was actively involved in planning and conducting the conference, which was titled "Data Protection & Security: A Transnational Discussion."

Speakers from the U.S. included representatives of the Federal Trade Commission and the Department of Commerce. Also in attendance was the Privacy Commissioner of Canada, Jennifer Stoddart, our luncheon speaker, and speakers from the EU, South America and India. Our keynote speaker was Dr. Spiros Simitis, one of the leading authorities on data protection in the EU. He is sometimes referred to as the "father" of the EU Data Protection Directive. Attendees came from 13 countries.

The conference covered a broad range of privacy topics, including the cross-border transfer of personal data, data protection and security in the U.S. and abroad, outsourcing, and RFID. Conference materials may be purchased from AIJA (www.aija.org).

Given the tremendous amount of positive feedback we received about the conference, we may do this again, perhaps in Europe -- stay tuned.

Editor: Give us some idea of the magnitude of the security breach problem and the steps being taken in the U.S. to address the problem.

Eleftheriou: We continue to see a growing number of reported data security breach incidents in the U.S. They involve such things as hacking, stolen or missing computers and backup tapes, inside jobs and stolen passwords. According to one source, approximately 85 million accounts have been compromised since the ChoicePoint incident in February 2005. As you may know, ChoicePoint notified consumers of its data security breach pursuant to a pioneering California data security breach notification law. Since then, at least 30 states have enacted data security notification legislation, and we expect more states to follow. This is not good for businesses, since they are confronted with an increasing number of inconsistent security breach notification laws; for example, businesses are confronted with different requirements regarding whom to notify, and when, in the event there is a data security breach.

There is no federal security breach notification law, but several bills addressing this issue are pending in Congress. It is unclear whether we will see a federal law this year, although there has been renewed interest in a federal requirement as a result of a major data security breach recently experienced by the Department of Veterans Affairs. The VA reported that the personal data of over 26 million veterans had been stolen.

Financial institutions should be aware that last year certain federal agencies jointly issued an interagency guidance on response programs for unauthorized access to customer data and providing notice -- the guidance is available on federalreserve.gov (http://www.federalreserve.gov/boarddocs/press/bcreg/2005/20050323/default.htm).

The FTC also issued a guidance document on information compromise and notification, available on ftc.gov (http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus59.htm).

Editor: What types of government enforcement action are we seeing as a result of data security breaches?

Eleftheriou: The FTC has challenged the data security practices of several companies as deceptive -- i.e., misrepresenting data security practices; and unfair -- i.e., not having reasonable security measures in place.

For example, earlier this year, ChoicePoint settled with the FTC by agreeing to pay $15 million, consisting of $10 million in civil penalties (the largest civil penalty in FTC history) and $5 million in consumer redress, to settle charges that its security practices violated consumer privacy rights and federal law. Under the settlement, ChoicePoint is required to implement a comprehensive information security program and to obtain audits by an independent third party every two years for twenty years. CardSystems Solutions also settled with the FTC with respect to charges that it had engaged in unfair practices by failing to take appropriate security measures to protect sensitive data. As in the ChoicePoint settlement, CardSystems is required to implement a comprehensive data security program and to obtain third-party audits biennially.

The FTC’s thirteenth case challenging faulty data security practices was settled in May of this year. It involved a title company that had promised to maintain physical, electronic and procedural safeguards to protect consumer financial information. The FTC charged the company with failing to provide reasonable and appropriate security measures to protect personal data in violation of federal law. Expect to see more cases like these in the future.

The important issue here is to what extent there are actual damages -- for example, identity theft -- resulting from breaches in data security. According to one study, only one in a thousand compromised accounts is in fact used fraudulently. According to the FTC, at least 800 cases of identity theft arose out of the ChoicePoint incident, which affected more than 163,000 consumers.

Editor: How does the European Union address data privacy and security?

Eleftheriou: The EU has adopted privacy legislation (the EU Data Protection Directive) that establishes comprehensive principles addressing the collection, use, disclosure and security of personal data. Of course, when you are dealing with the EU, you are dealing with 25 (and soon to be 27) EU Member States and their implementing laws, which are inconsistent with one another. Article 17 of the Directive requires the safeguarding of personal data -- for example, companies must implement appropriate technical and organizational measures to protect personal data. The Directive, however, does not specifically require notification in the event there is a security breach. To my knowledge, only the US and Japan have laws that specifically require security breach notification.

For those interested in learning more about the Directive, there is a fantastic guide on the Directive on europa.eu (http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm).

Editor: Can we expect to see global harmonization of privacy laws?

Eleftheriou: There is certainly a growing interest in harmonizing privacy principles on a global level. For example, last year at an international privacy conference in Switzerland, privacy commissioners from around the world called for the harmonization of privacy principles. They will review the harmonization issue again at their next meeting in Argentina later this year. I think it is possible for countries to adopt harmonized privacy principles, but, as in the case of the EU Data Protection Directive, incorporating those principles into national legislation with minimal inconsistencies will be the greatest challenge. Global privacy harmonization would also have to take the form of a treaty, as opposed to non-binding cooperative arrangements (i.e., the APEC Privacy Framework), which may not be sufficient to compel participating countries to implement harmonized principles.

Editor: In addition to harmonization, what are some of the other "hot" international privacy issues?

Eleftheriou: Cross-border transfers are a significant issue, particularly between EU Member States and other countries. Article 25 of the EU Data Protection Directive (the most controversial provision of the Directive) generally prohibits the transfer of personal data to any country that does not provide "adequate" privacy protection. There is a short list of countries that are deemed by the EU to provide adequate privacy protection, but the US is not on this list.

There are, of course, alternative means of satisfying this adequacy requirement, including participating in the Safe Harbor, obtaining consent from the data subject (although this is less of an option in light of a recent paper by the Article 29 Working Party (WP 114), the European Commission's advisory board on data protection, and a bit tricky in employment contexts), using ad hoc contracts or EU-approved model clauses, and using binding corporate rules. BCRs are sets of binding and enforceable standards (internal "law") adopted by a company or corporate group that provide legally binding protections for data processing within the company or corporate group. Although BCRs have not been a popular option, expect to see more companies using BCRs and more EU Member States endorsing them.

Note that critics of this "adequacy" standard are pushing for the global recognition of an alternative "accountability" standard for cross-border transfers (followed by the APEC Privacy Framework) -- cross-border transfers are allowed, but the transferor remains responsible for the transferred data.

Of course, we also have the conflict between Sarbanes-Oxley's whistleblowing reporting requirement and EU Member State laws. Last year, the French CNIL (the French data protection agency) and the German Labor Court found that anonymous employee whistleblowing hotlines without certain safeguards are unlawful. The good news is that the CNIL issued guidelines and FAQs on implementing whistleblowing systems, which are available on the CNIL site (http://www.cnil.fr/index.php?id=4). Also, the Article 29 Working Party recently adopted a working paper (WP 117) on whistleblowing compliance that sets out how the Data Protection Directive should be applied in this context, which is available on europa.eu (http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm). Note also that, earlier this year, the First Circuit found that Congress did not intend for the SOX whistleblowing protection provision (Section 806) to apply extraterritorially.

The transfer of airline passenger data from the EU to the US is another important issue. Since 2004, airlines in the EU have been sharing the personal details of those passengers flying to the US with the US. Airlines are required to share the personal data of each passenger within 15 minutes of departure for the US. Recently, the European Court of Justice -- the EU’s highest court -- ruled that these transfers are illegal. The ECJ gave the EU until September 30 to find an alternative solution to transfer the data.

Data retention is another major issue. Last year, the EU approved rules requiring all telecom providers and ISPs to retain telephone and Internet traffic data (all customer phone calls and electronic communications, but not the content of such communications) for up to 2 years. Note that, in the US, the Attorney General and the FBI Director have been urging ISPs to retain nonpersonal customer data (e.g., searches, Web surfing habits, etc.) for 2 years, which could be used in terrorism and child pornography investigations.

Editor: Do you foresee a comprehensive U.S. federal privacy law?

Eleftheriou: Yes, it’s inevitable. Can anyone argue that our current "band-aid" (or sectoral) approach to data protection is better than a comprehensive federal privacy law?

Editor: Any final thoughts or suggestions on data privacy or security?

Eleftheriou: Businesses should ensure that their data collection, use, disclosure and security practices are consistent with the representations made in their privacy policies -- this cannot be emphasized enough.

Do not panic if you experience a data security breach; this does not necessarily mean that you failed to implement reasonable and appropriate measures to secure your customers' personal data. However, entities that have not experienced a data security breach should not assume that they will not get a knock on the door from the government. Those entities that are looking for guidance on what are generally considered reasonable data security measures should take a look at the FTC's GLBA Safeguards Rule.

Expect to see an increasing number of government requests for customer information -- personal and nonpersonal. Appropriate management and disclosure measures on how to cooperate with government investigations should be in place.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
