[Privacy Webinar Slides] Global Enforcement Priorities

Page 1: Global Enforcement Priorities

Privacy Insight Series - truste.com/insightseries

May 19, 2016

Page 2: Thank you for joining the webinar

• We will be starting a couple of minutes after the hour
• This webinar will be recorded, and the recording and slides will be sent out later today
• Please use the GoToWebinar control panel on the right-hand side to submit any questions for the speakers

Page 3: Today’s Speakers

Eleanor Treharne-Jones, VP Consulting, TRUSTe (moderator)

Ann LaFrance, Partner, Co-Chair, Global DP/Cyber Practice, Squire Patton Boggs

Chris Hoofnagle, Adjunct Full Professor of Information and of Law, University of California, Berkeley

Page 4: Global Enforcement: The FTC’s Role

Chris Hoofnagle, Adjunct Full Professor of Information and of Law, University of California, Berkeley. Of counsel, Gunderson Dettmer, LLP.

Page 5: Context for FTC Powers

• Agency is now 100 years old; genesis in popular antitrust movement.
• Given broad, undefined mandate: prevention of “unfair competition”
  – Freed the agency from common law requirements, such as proving harm, causation, reliance, etc.
  – Inherently has the power to act before harm occurs
  – Conceived of as a quick, process-lite alternative to federal court
    o This necessitated limits on damages
  – Regulated competition, not regulated monopoly (like FCC)
• Agency turned quickly to consumer protection, formally in 1938
• Relies on enforcement because rulemaking was inefficient and now is simply untenable procedurally
• Agency’s innovations are taken for granted—cigarette, holder rule
• Why important? Positive agenda of anti-FTC activists is to return to 19th Century legal regimes

Page 6: Investigatory Dynamics

• Fantastic investigatory powers—FTC can even obtain in-person inspection of businesses. Powers are inquisitorial.
  – Companies’ own records document §5 violations…
• Division of Identity and Privacy Protection primary lead on privacy
  – Competitors may be the source of most complaints!
• Lawyers have “off the books” investigations
  – Staff have the real power at the FTC—they have discretion to find cases
  – Internet “investigations” can occur without much warning
  – Answer inquiries from the FTC with haste
• DPIP lawyers are seeking policymaking cases, about 20/year
  – Thus, if 1) your client owns up to it, 2) consumers are made whole, 3) protections are put in place to prevent recurrence, and most critically, 4) the situation is just a repeat of an already-brought FTC case, the case could be dropped
• Look to other divisions (ad practices) for guidance

Page 7: Policy-Setting Cases

• Big incentives to bring SH/PS investigations, cases!
• Deception is the thin edge of the wedge.
  – Data brokers, direct liability first, “means and instrumentalities,” unfairness
• Post-settlement oversight to intensify
  – FTC conducting 6(b) study of PCI Processors
  – Wyndham, LifeLock cases suggest something is wrong in assessments—conflicts of interest, companies that “game” assessments, conditional certifications
• IoT
  – Security security security
  – Problem of no opt out for cross-device tracking
  – Fingerprinting in home
• Native advertising, endorsement

Page 8: Celebrated Anti-FTC Litigation Has Backfired

• Wyndham (3-0, 3rd Cir.): affirmed FTC’s role in cybersecurity, making the agency perhaps the most important regulator of cybersecurity—unreasonably lax security = unfair practice.
• POM (3-0, DC Cir.): FTC sought to impose 2 randomized, controlled trial tests on makers of fruit juice that claimed health benefits from its consumption. DC Cir. found that 1 was reasonable in that case. POM was the “Wyndham” of advertising law.
• Amazon (D.D.C. 2016): Time imposed on consumers to get refunds for charges without authorization was substantial injury (thus supporting unfairness claim). See also Neovi.
• Jerk (1st Cir. 2016): false representation that content was user generated was material, supporting deception claim.
• Lesson: Activist case selection has been pretty poor, resulting in some of the worst actors reaffirming broad FTC powers.

Page 9: Global Enforcement – Expanded Powers of Independent Supervisory Authorities under the GDPR

Ann LaFrance, Co-Chair, Global Data Privacy & Cybersecurity Group, Squire Patton Boggs, London

Page 10: 1. Current Powers of EU Data Protection Authorities

– Maximum fines established by national law under the GDPD range between €25K (Austria) and €1.2 Million (Italy) - median around €300K.
– Maximum fines rarely imposed – considerable leeway has been given to emerging technologies and businesses as regulators, businesses and consumers adapted to digital developments under legislation enacted in the mid-90s.
– DPAs empowered by GDPD to order blocking or erasure of data and to impose “temporary or definitive ban on processing” – but these powers have rarely been exercised.

Page 11: 2. GDPR

• GDPR – New and expanded enforcement powers (Art. 58), e.g.:
  – order production of information
  – carry out investigations/audits
  – obtain access to all personal data held by controller/processor if necessary to perform regulatory functions
  – obtain access to premises, processing equipment, etc.
  – impose temporary or definitive limitation including a ban on processing
  – order suspension of data flows to recipients in third countries

Page 12: 3. Administrative Fines

Power to impose much higher administrative fines

1) Highest fines: Up to €20,000,000 or 4% of global turnover, for:
   a) Breach of data protection principles in Articles 5, 6, 7 and 9, namely:
      • Processing only for valid (specified) purpose
      • Individual must be clearly told what is done with their data
      • If consent is required, must be informed, free, unconstrained, withdrawable, by affirmative act
      • Adequate, relevant, limited to what is necessary for purpose
      • Accurate, up to date
      • Kept in identifiable form only as long as necessary for purpose
      • Kept secure

Page 13: 3. Administrative Fines (cont’d)

   b) Breach of Articles 12-20 - failure to:
      • Give privacy notice
      • Give access to person's personal data
      • Rectify inaccurate data
      • Erase data when required
      • Comply with restriction on processing
      • Allow data portability
      • Comply with objection to profiling, automated decision-making, marketing
   c) Transfer of data outside EEA without ensuring adequacy of protection
   d) Non-compliance with order/finding of Supervisory Authority (SA)

Page 14: 3. Administrative Fines (cont’d)

2) Lower Fines -- up to the higher of €10,000,000 or 2% of global turnover for breach of other obligations, e.g.:
   a) Article 8 - obtaining consent re children
   b) Article 10 - de-identification
   c) Article 23 - data protection by design and default
   d) Article 24 - joint data controllers
   e) Article 25 - representatives of controllers not established in EEA
   f) Article 26 - appointing processors
   g) Article 27 - only processing on instructions
   h) Article 28 - records of processing activities
   i) Article 29 - co-operation with SAs

Page 15: 3. Administrative Fines (cont’d)

   j) Article 30 - security of processing
   k) Article 31 - notification of data breach to SA
   l) Article 32 - notification of data breach to affected individual
   m) Article 33 - privacy impact assessment (PIA)
   n) Article 34 - consultation with SA on PIA
   o) Article 35 - appointment of data protection officer

Page 16: 4. Criteria for setting fines

Criteria for setting fines include, e.g.:
1) Nature, gravity and duration of infringement
2) Intentional or negligent character of infringement
3) Actions to mitigate harm
4) Previous infringements of controller/processor
5) Cooperation with SA (including how infringement made known to SA)
6) Categories of data affected by infringement

Page 17: 5. Other enforcement considerations

1) Joint and several liability of controllers and processors
2) Fines may be imposed on processors
3) Right of data subjects to
   – effective judicial remedy against controller or processor
   – appoint non-profit organisation to represent interests
   – recover material or non-material damages

Page 18: Questions?

Page 19: Contacts

Chris Hoofnagle [email protected]
Ann LaFrance [email protected]
Eleanor Treharne-Jones [email protected]

Page 20: Federal Trade Commission Privacy Law and Policy

• 100-year history of the FTC’s consumer protection activities
• Discount code: FTC16
• http://www.cambridge.org/us/academic/subjects/law/competition-law/federal-trade-commission-privacy-law-and-policy?format=PB

Page 21: Thank You!

Look out for details of our 2016 Summer/Fall Webinar Series to be announced in June. If you’re interested in speaking, contact [email protected]

See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.