1 / 21

Global Privacy Enforcement Priorities Webinar from TRUSTe

"This webinar covers topics on Global Privacy Enforcement and other international regulatory co-operation. It explains some top priorities such as latest case law and enforcement actions in the EU law and perspectives on future outcomes in GDPR (General Data Protection Regulation).<br>Watch the On-Demand Webinar to learn how to keep your company out of the regulatory spotlight: https://info.truste.com/WB-2016-05-19-Insight-Series-Global-Privacy-Enforcement-Priorities_RegPage-OnDemand.html"<br>

truste
Download Presentation

Global Privacy Enforcement Priorities Webinar from TRUSTe

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Global Enforcement Priorities May 19, 2016 v v Privacy Insight Series - truste.com/insightseries 1

  2. Thank you for joining the webinar • We will be starting a couple minutes after the hour This webinar will be recorded and the recording and slides sent out later today • • Please use the GotoWebinar control panel on the right hand side to submit any questions for the speakers v v Privacy Insight Series - truste.com/insightseries 2

  3. Today’s Speakers Chris Hoofnagle Adjunct Full Professor of Information and of Law University of California, Berkeley. Ann LaFrance Partner Co-Chair, Global DP/Cyber Practice Squire Patton Boggs Eleanor Treharne-Jones VP Consulting TRUSTe (moderator) v Privacy Insight Series - truste.com/insightseries 3

  4. Global Enforcement: The FTC’s Role Chris Hoofnagle, Adjunct Full Professor of Information and of Law University of California, Berkeley. Of counsel, Gunderson Dettmer, LLP. v v Privacy Insight Series - truste.com/insightseries 4

  5. Context for FTC Powers •Agency is now 100 years old; genesis in popular antitrust movement. •Given broad, undefined mandate: prevention of “unfair competition” –Freed the agency from common law requirements, such as proving harm, causation, reliance, etc. –Inherently has the power to act before harm occurs –Conceived of as a quick, process-lite alternative to federal court oThis necessitated limits on damages –Regulated competition-–not regulated monopoly (like FCC) •Agency turned quickly to consumer protection, formally in 1938 •Relies on enforcement because rulemaking was inefficient and now is simply untenable procedurally •Agency’s innovations are taken for granted—cigarette, holder rule •Why important? Positive agenda of anti-FTC activists is to return to 19th Century legal regimes v Privacy Insight Series - truste.com/insightseries 5

  6. Investigatory Dynamics •Fantastic investigatory powers—FTC can even obtain in-person inspection of businesses. Powers are inquisitorial. –Companies’ own records document §5 violations… •Division of Identity and Privacy Protection primary lead on privacy –Competitors may be the source of most complaints! •Lawyers have “off the books” investigations –Staff have the real power at the FTC—they have discretion to find cases –Internet “investigations” can occur without much warning –Answer inquiries from the FTC with haste •DPIP lawyers are seeking policymaking cases, about 20/year –Thus, if 1) your client owns up to it, 2) consumers are made whole, 3) protections are put in place to prevent recurrence, and most critically, 4) the situation is just a repeat of an already-brought FTC case, case could be dropped •Look to other divisions (ad practices) for guidance v Privacy Insight Series - truste.com/insightseries 6

  7. Policy-Setting Cases •Big incentives to bring SH/PS investigations, cases! •Deception is the thin edge of the wedge. –Data brokers, direct liability first, “means and instrumentalities,” unfairness •Post-settlement oversight to intensify –FTC conducting 6(b) study of PCI Processors –Wyndham, LifeLock cases suggest something is wrong in assessments— conflicts of interest, companies that “game” assessments, conditional certifications •IoT –Security security security –Problem of no opt out for cross-device tracking –Fingerprinting in home •Native advertising, endorsement v Privacy Insight Series - truste.com/insightseries 7

  8. Celebrated Anti-FTC Litigation Has Backfired •Wyndham (3-0 3rdCir.): affirmed FTC’s role in cybersecurity, making the agency perhaps the most important regulator of cybersecurity— unreasonably lax security=unfair practice. •POM: (3-0, DC Cir.): FTC sought to impose 2 random, control trial tests on makers of fruit juice that claimed health benefits from its consumption. DC Cir. found that 1 was reasonable in that case. POM was the ”Wyndham” of advertising law. •Amazon (D.D.C. 2016): Time imposed on consumers to get refunds for charges without authorization was substantial injury (thus supporting unfairness claim). See also Neovi. •Jerk (1st Cir. 2016): false representation that content was user generated was material, supporting deception claim. •Lesson: Activist case selection has been pretty poor, resulting in some of the worst actors reaffirming broad FTC powers. v Privacy Insight Series - truste.com/insightseries 8

  9. Global Enforcement – Expanded Powers of Independent Supervisory Authorities under the GDPR Ann LaFrance Co-Chair, Global Data Privacy & Cybersecurity Group Squire Patton Boggs London v v Privacy Insight Series - truste.com/insightseries 9

  10. 1. Current Powers of EU Data Protection Authorities –Maximum fines established by national law under the GDPD range between €25K (Austria) and €1.2 Million (Italy) - median around €300K. –Maximum fines rarely imposed – considerable leeway has been given to emerging technologies and businesses as regulators, businesses and consumers adapted to digital developments under legislation enacted in the mid-90s. –DPAs empowered by GDPD to order blocking or erasure of data and to impose “temporary or definitive banon processing” – but these powers have rarely been exercised. v Privacy Insight Series - truste.com/insightseries 10

  11. 2. GDPR •GDPR – New and expanded enforcement powers (Art. 58), e.g.: –order production of information –carry out investigations/audits –obtain access to all personal data held by controller/processor if necessary to perform regulatory functions –obtain access to premises, processing equipment, etc. –impose temporary or definitive limitation including a ban on processing –order suspension of data flows to recipients in third countries v Privacy Insight Series - truste.com/insightseries 11

  12. 3. Administrative Fines Power to impose much higher administrative fines Highest fines: Up to €20,000,000 or 4% of global turnover, for: 1) a) Breach of data protection principles in Articles 5, 6, 7 and 9, namely: • Processing only for valid (specified) purpose • Individual must be clearly told what is done with their data • If consent is required, must be informed, free, unconstrained, withdrawable, by affirmative act • Adequate, relevant, limited to what necessary for purpose • Accurate, up to date • Kept in identifiable form only as long as necessary for purpose • Kept secure v Privacy Insight Series - truste.com/insightseries 12

  13. 3. Administrative Fines (cont’d) b) Breach of Articles 12-20 - failure to: • Give privacy notice • Give access to person's personal data • Rectify inaccurate data • Erase data when required • Comply with restriction on processing • Allow data portability • Comply with objection to profiling, automated decision-making, marketing c) Transfer of data outside EEA without ensuring adequacy of protection d) Non-compliance with order/finding of Supervisory Authority (SA) v Privacy Insight Series - truste.com/insightseries 13

  14. 3. Administrative Fines (cont’d) Lower Fines -- up to the higher of €10,000,000 or 2% of global turnover for breach of other obligations, e.g.: 2) a) Article 8 - obtaining consent re children b) Article 10 - de-identification c) Article 23 - data protection by design and default d) Article 24 - joint data controllers e) Article 25 - representatives of controllers not established in EEA f) Article 26 - appointing processors g) Article 27 - only processing on instructions h) Article 28 - records of processing activities i) Article 29 - co-operation with SAs v Privacy Insight Series - truste.com/insightseries 14

  15. 3. Administrative Fines (cont’d) j) Article 30 - security of processing k) Article 31 - notification of data breach to SA l) Article 32 - notification of data breach to affected individual m) Article 33 - privacy impact assessment (PIA) n) Article 34 - consultation with SA on PIA o) Article 35 - appointment of data protection officer v Privacy Insight Series - truste.com/insightseries 15

  16. 4. Criteria for setting fines Criteria for setting fines include, e.g.: 1) Nature, gravity and duration of infringement 2) Intentional or negligent character of infringement 3) Actions to mitigate harm 4) Previous infringements of controller/processor 5) Cooperation with SA (including how infringement made known to SA) 6) Categories of data affected by infringement v Privacy Insight Series - truste.com/insightseries 16

  17. 5. Other enforcement considerations 1) Joint and several liability of controllers and processors 2) Fines may be imposed on processors 3) Right of data subjects to -- effective judicial remedy against controller or processor – appoint non-profit organisation to represent interests – recover material or non-material damages v Privacy Insight Series - truste.com/insightseries 17

  18. Questions? v v Privacy Insight Series - truste.com/insightseries 18

  19. Contacts Chris Hoofnagle Ann LaFrance Eleanor Treharne-Jones choofnagle@berkeley.edu ann.lafrance@squirepb.com eleanor@truste.com v v Privacy Insight Series - truste.com/insightseries 19

  20. Federal Trade Commission Privacy Law and Policy •100-year history of the FTC’s consumer protection activities •Discount code: FTC16 •http://www.cambridge.org/us/ac ademic/subjects/law/competitio n-law/federal-trade-commission- privacy-law-and- policy?format=PB v Privacy Insight Series - truste.com/insightseries 20

  21. Thank You! Look out for details of our 2016 Summer/Fall Webinar Series to be announced in June. If you’re interested in speaking contact eleanor@truste.com See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings. v v Privacy Insight Series - truste.com/insightseries 21

More Related