Category: Uncategorized

  • “Do Not Track: A Viable Legislative Solution?”

    By: Kimberly Chow

     

    Last week, Senator Jay Rockefeller (D-W. Va.) reintroduced his “Do Not Track Online Act.” Under the bill, consumers on the Internet would be able to affirmatively choose not to allow companies to collect information on their online activities.  The Federal Trade Commission would provide enforcement.

     

    Rockefeller’s initial bill, introduced in 2011, did not make it out of committee, and last year, the Federal Trade Commission endorsed a self-regulatory alternative in its report, “Protecting Consumer Privacy in an Era of Rapid Change.” Currently, the World Wide Web Consortium (W3C) is assessing how consumers would send a Do-Not-Track message and what companies would do when they receive the message.  W3C’s Tracking Protection Working Group has been meeting since September 2011, with an end date in April 2014.

     

    Some commentators who have complained that this self-regulatory approach is too slow are welcoming the possibility of legislation that might speed up the process.  But it remains to be seen whether the often-slow or ultimately unproductive legislative process is any more satisfying. While it’s possible that the bill may have greater success than it did two years ago because of increased public awareness of Internet data privacy issues and because its co-sponsor, Connecticut Senator Richard Blumenthal, sits on the Commerce Committee, it may yet turn out that the self-regulatory approach is the only way to get anything done.

     

    http://www.adweek.com/news/technology/rockefeller-reintroduces-do-not-track-act-147610

     

    http://www.prnewswire.com/news-releases/consumer-watchdog-backs-sen-jay-rockefellers-do-not-track-bill-194057131.html

     

    http://www.w3.org/2011/tracking-protection/charter

     


  • Blog Post for NYU’s Privacy Research Group Blog

    By: David Wildman

     

    On February 28, 2013, the Supreme Court of Virginia ruled that an attorney’s blog postings that named clients who were defendants in criminal proceedings, without permission, qualified as protected free speech under the First Amendment.  Key to the court’s decision was the fact that the defendants’ names were a matter of public record, because “[i]t is settled that attorney speech about public information from cases is protected by the First Amendment.”  As such, the lawyer was insulated from charges of violating ethics rules meant to protect client privacy.

     

    At issue was Virginia’s Rule 1.6(a), which bars an attorney from revealing “information gained in the professional relationship … the disclosure of which would be embarrassing or would be likely to be detrimental to the client unless the client consents after consultation.”  The Virginia State Bar interpreted the rule to cover public information as well as information protected by attorney-client privilege.  The court, however, agreed with attorney Horace Hunter that such an interpretation would violate the First Amendment, stating “[t]o the extent that the information is aired in a public forum, privacy considerations must yield to First Amendment protections.”

     

    Moreover, public dissemination, the court noted, trumps considerations of “whether the practice in question [furthers] an important or substantial governmental interest unrelated to the suppression of expression and whether the limitation of First Amendment freedoms is no greater than is necessary or essential to the protection of the particular governmental interest involved” (internal quotes and citations omitted).  The court also refrained from confining its holding to non-commercial attorney speech, holding that Rule 1.6(a) could not bar Hunter from disclosing client names (when a matter of public record) even though it found the blog posts themselves to be commercial speech.

     

    http://www.abajournal.com/news/article/lawyer_has_first_amendment_right_to_name_criminal_clients_on_blog_virginia_/

     

    The opinion in full:

     

    http://www.courts.state.va.us/opinions/opnscvwp/1121472.pdf

     

  • States Cut Off Access to Concealed Weapons Data Following Uproar Over Westchester Newspaper’s Gun Map

    By David Schiff

     

    Most states require permits for concealed weapons, but public access to permit records is becoming increasingly rare.  Last December, in the wake of the school shooting in Newtown, Connecticut, a White Plains, New York newspaper, the Journal News, published an interactive, online map with the locations of handgun permit holders in its readership area.  Journal News created the map by using Freedom of Information Act requests to obtain concealed weapon permit information from a state database.  The map became the focus of both local and national controversy.  A primary concern was that the map infringed on the privacy of gun owners and placed them at heightened risk of burglary.

     

    When New York State passed a gun reform law in January, it included an opt-out provision for gun permit holders to have their names and addresses removed from the state’s publicly accessible records (a subsequent court ruling has required that addresses of permit holders be automatically withheld from the public).  And after New York’s law passed, Journal News took its map down.

     

    Although Journal News’s gun map lasted less than a month, it is expected to have a lasting effect on the public availability of gun permit records maintained in state databases.  According to a recent report by Stateline, the online news service of the Pew Charitable Trusts, Maine, Virginia, Arkansas and Mississippi have all followed New York in closing off public access to gun permit records.  A majority of states have enacted similar laws in past years, and at present, only seven states (California, Iowa, Montana, North Carolina, Ohio, Tennessee and West Virginia).  Of those seven, two allow only restricted access and at least one more is contemplating legislation to close its gun permit records to the public entirely.

     

    Stateline Report on gun records reform: http://www.pewstates.org/projects/stateline/headlines/lawmakers-move-swiftly-to-block-release-of-gun-permit-records-85899457096

     

    Journal News article introducing Gun Map (map itself has been taken down): http://www.lohud.com/interactive/article/20121223/NEWS01/121221011/Map-Where-gun-permits-your-neighborhood-?nclick_check=1

     

    Washington Post article on Journal News removing gun map:

    http://www.washingtonpost.com/blogs/erik-wemple/wp/2013/01/18/journal-news-takes-down-gun-maps/

     

    New York Magazine Daily Intelligencer blog post on court decision that further restricted access to gun records:

    http://nymag.com/daily/intelligencer/2013/02/court-makes-gun-map-impossible-to-recreate.html

     

  • Seattle’s Opt-Out Yellow Pages Distribution System: A Model To Fight or Follow?

    By: Kolby Loft

    Last October, the United States Court of Appeals for the Ninth Circuit held that yellow pages phone books, taken as a whole, constitute noncommercial speech.  The court found that although the phone books display many commercial advertisements, they also provide phone listings and community information and thus go “beyond the threshold classification of commercial speech.”

     

    The defendant in the case, the City of Seattle, had asserted the right of privacy as one justification for an ordinance that established the City’s own opt-out registry and required publishers to display a message informing recipients of the registry on their websites and on the covers of the phone books themselves.  Additionally, it required publishers to pay a licensing fee and fourteen cents for each phone book distributed.  After finding that the yellow pages deserved full First Amendment protection, the Ninth Circuit applied strict scrutiny review and invalidated the ordinance.

     

    The parties recently reached a settlement that authorizes the yellow pages industry, and not the government, to maintain the opt-out program.  The settlement comports with the Ninth Circuit’s opinion, which noted that an opt-out program administered by the yellow pages industry would be a less restrictive means to further the City’s interest in waste reduction, resident privacy, and cost recovery.

     

    The settlement strikes a balance by permitting the distribution of yellow pages, giving individuals the opportunity to opt out (which takes about three minutes), and allowing the yellow pages industry to maintain the opt-out system.

     

    Opponents of the opt-out system claim that most people are unaware that they can opt out and may receive the phone books either way.  However, studies suggest where opt-in is the rule only 2% of individuals will do so.  Meanwhile, it appears that the yellow pages have, for now, managed to preserve at least some viability for as many as two out of three consumers in urban households.  Time is probably not on the side of printed phone books, but there are sound arguments in favor of the opt-out system, especially where visibility of the opt-out program is strong and individuals are provided with a simple and reliable avenue to do so.

  • “Do Not Track” regulation: will it ever materialize?

    By: Alicia Reyes-Hernandez

     

    The “Do Not Track” proposition has been part of the consumer’s information privacy protection discussion for several years.  Although it has proven to be a very polarizing topic among privacy advocates and industry representatives, particularly from the advertising industry, there is a consensus among them and the government that it is one viable and desirable mechanism to heighten the protection of consumer’s privacy online.

     

    In that line, in February 2012, the Obama Administration officially endorsed the adoption of the “Do Not Track” system as part of their Consumer Privacy Bill of Rights proposal.  Following the publication of the mentioned privacy framework, government officials, digital advertisers, browser makers and privacy advocates embarked on a round of conversations with the purpose of reaching a consensus on how to delimit and implement the “Do Not Track” system.  One year later, however, no consensus has been reached.  Among the issues keeping the negotiations in a deadlock is how to determine the consumer’s intent over online tracking, particularly whether the “Do Not Track” mechanism should be an opt-in or an opt-out feature.  Over that matter, the advertising industry has opposed the opt-out approach because of the negative impact it will have on their business.  One of their main arguments is that big companies like Google and Yahoo will not be affected by the opt-out approach since they will still be able to track the behavior of the users in their respective web sites.  Given the immense amount of users that they receive every day, they assert that the impact in terms of the collection of consumer behavior information is minimal, thus putting the advertising companies at a competitive disadvantage.

     

    http://money.cnn.com/2012/11/30/technology/do-not-track/index.html

     

    Considering the aforesaid, a general agreement among the players in the private sector seems implausible, at least in the near future.  In the meantime, Congress has decided to step into the discussion once again.  On February 28, 2013, Sen. Jay Rockefeller introduced the “Do-Not-Track Online Act of 2013” for consideration by Congress.  The proposed bill implements an opt-out approach to the “Do Not Track” mechanism by requiring online companies, web browsers and app makers to provide the consumers with the option to opt out of their online behavior tracking practice.  The bill, if enacted as drafted, will also give the Federal Trade Commission (FTC) authority to enforce the Act and to formulate the appropriate mechanisms that will allow consumers to notify if they want to be tracked online or not.

     

    http://news.cnet.com/8301-1023_3-57571958-93/do-not-track-privacy-bill-reintroduced-in-senate/

     

    It is too early in the process to know with certainty what will happen with the “Do-Not-Track Online Act of 2013”.  From the outset, however, the probability of this bill becoming law looks very grim.  It is expected that advertising and online companies will vehemently oppose this bill.  This opposition, as well as the apparent lack of public clamor for a “Do Not Track” system, seem at this point to be insurmountable obstacles in the path of this bill.

     

    http://tech.fortune.cnn.com/2013/03/04/why-do-not-track-faces-an-uphill-road/?iid=SF_F_River

     


  • A Case of Cut-and-Paste: The New Uniform Data Protection Rules Proposal in the EU

    By Ana Maria Calero

     

    After the storm of lobbying efforts and in the middle of the fiercest criticism from public interest organizations, the European Commission endorsed the ITRE opinion on the proposal for reform of the data protection regulation. The main purpose of the reform is to provide certainty and uniformity required for the industry; however, several doubts about the independence of the European Commission have been raised.

     

    On February 20, 2013, the European Commission voted and adopted an opinion by the European Parliament’s Industry, Research and Energy Committee (ITRE) on the proposals to reform the data protection rules which date back to 1995 in order to modernize and update its principles to deal with the new challenges of the digital age. The Civil Liberties, Justice and Home Affairs Committee (LIBE) will now consolidate the proposals and vote on its own report by the end of April. Vice-President Viviane Reding, the EU’s Justice Commissioner said on Wednesday “today’s vote by the European Parliament’s Industry Committee is an important signal that industry needs uniform and clear data protection rules to take advantage of our Digital Single Market.”

     

    The main innovations of the reform are the introduction of (i) directly applicable regulation on the processing of personal data; (ii) a “one-stop shop” for companies that operate in several EU countries by establishing that they will only have to deal with the data protection authorities of the EU country where they have their main place of business; (iii) a “consistency mechanism” to ensure that the Commission serves as support when regulators cannot agree on a common line; and (iv) new exceptions for small and medium-sized enterprises. According to the Commission’s Memo, the importance of this step towards new privacy regulations lies in the need to deal with the transfer of data to third countries in light of cloud computing. Furthermore, the Commission stresses that a declining confidence in online services and tools negatively affects the “growth of the digital economy and Europe’s digital single market.”

     

    The ITRE report received numerous criticisms by civil liberties groups and consumer organizations accusing members of the Parliament (MEPs) of caving in to pressures from big businesses like Amazon, eBay as well as from the American Chamber of Commerce. According to some of these critiques, MEPs have voted to reduce the control over the use and narrow the definition of personal data, weakened the meaning of consent and personal information and allowed companies to use data for purposes unrelated to the original collection.

     

    In effect, the new regulations on digital privacy were subject of lobby efforts by various U.S. corporate entities. It is important to note that the first proposal on data protection was extremely strict, especially in the field of the right to be forgotten. Yet, after more than one year of lobby campaigns, the EU document suffered severe changes. Seán Kelly, the parliamentarian in charge of drafting the opinion, denied any such accusations and stated that no one had influenced him although his “door was open” and that the proposals were “by and large, well-balanced”. However, using openly-available information the site LobbyPlag showed that in many cases the European Representatives introduced word-for-word the documents prepared by lobbyists, into the amendments proposed for the Data Protection Regulation.

     

     

    http://europa.eu/rapid/press-release_MEMO-13-124_en.htm

     

    http://www.computerworlduk.com/news/it-business/3427560/eu-makes–900-changes-to-data-privacy-law/

     

    http://www.techweekeurope.co.uk/news/bt-lobbyists-eu-privacy-legislation-108195

     

    http://www.lobbyplag.eu/#/compare/overview

     

    http://www.techdirt.com/articles/20130212/04013421949/how-lobbyists-changes-to-eu-data-protection-regulation-were-copied-word-for-word-into-proposed-amendments.shtml

  • Google and Spain Wrestle over EU Privacy Law

    By Sharmeen Mazumder

     

    In a case presented to the European Court of Justice, Spanish officials argued that Google should delete information from search engine results where an individual’s privacy is breached. Google argues that it should not be required to remove lawful content which it did not create from its search index. The case issued from a Spanish man’s complaint that Google search results of his name resulted in a newspaper announcement made several years prior. The announcement stated that property owned by the individual was up for auction due to his non-payment of social security contributions.

     

    One major issue presented by this case is whether Google can be considered a data “controller,” or is merely a host. Another major issue is whether Google, a search engine run by a company based in California, can be subject to EU privacy law. The ECJ will address both of these questions when it rules on the matter by the end of the year. The outcome of the hearing would be relevant in all EU countries. Further, this case could determine the scope of new draft provisions of the EU law, which are intended to strengthen individual privacy. Some of those proposed rules would give individuals the right to have personal data deleted from the web.

     

    http://www.reuters.com/article/2013/02/26/us-eu-google-dataprotection-idUSBRE91P0A320130226

  • FISA Amendments Act and the Supreme Court

    By Eugene Levin

     

    http://www.nytimes.com/2013/02/27/us/politics/supreme-court-rejects-challenge-to-fisa-surveillance-law.html?partner=rss&emc=rss

    The Supreme Court, in a 5-4 decision, denied standing to a group of plaintiffs, including lawyers, journalists, human rights and privacy advocates, seeking to challenge the constitutionality of the FISA Amendments Act. The plaintiffs argued that they had been encumbered by the legislation, that their speech had been chilled and they had incurred additional expenses in avoiding possible surveillance while meeting with sources and clients. Justice Alito, writing for the majority, dismissed such harms as the product of speculation on the part of the plaintiffs, insufficient to grant standing to challenge the law.

  • Could the U.S. be Close to Adopting an EU-esque Approach to Online Privacy?

    By Samantha Steinfeld

     

    http://dailycaller.com/2012/03/05/white-house-follows-eu’s-lead-with-new-internet-rules-of-the-road/

     

    This article, from March of last year, does a good job of synthesizing the notions undergirding this week’s discussion of European privacy laws and regulations, and the themes that have pervaded our previous class discussions.

     

    The first interesting aspect of this article is its discussion of President Obama’s proposed “Internet Rules of the Road,” which, as the article’s author notes, in many ways resemble EU privacy regulations. Quoting Darren Hayes, a professor at Pace University, the article draws parallels between the ways in which EU laws and regulations, and the President’s proposed “Rules” are both aimed at “provid[ing] a shield to consumers…from unsavory marketing practices.” The author also points out that many American legal journals have begun to view European-style regulations as more “sophisticated” in recent years, and have thus begun to advocate for American laws that provide more uniformity and are less sectoral or self-regulatory in nature.

     

    Specifically, the President’s proposed “Rules” would crack down on targeted advertisements and greatly curb the ways in which companies can track web users’ online behavior. They would also provide for a much broader FTC enforcement power, which we know to be a significant development, given that a major point in our class discussion regarding FTC enforcement is that the agency’s limited power and jurisdiction prevent FTC enforcement actions from being a truly powerful source of online data and privacy protection for consumers.  Enactment of these “Rules” would seem to minimize this issue, by creating an “enforceable ‘code of conduct’ that Internet companies would have to comply with, or face litigation or civil penalties, under the expanded FTC power.”  Finally, it is important to note that the President, in his proposal, has asked Congress to “codify the new rights;” not only would this approach represent a massive departure from the largely sectoral and self-regulatory approach to privacy that permeates U.S. privacy law to date, but it very much echoes the European “fundamental rights”-based approach to privacy and data protection that we have seen reflected in the EU Directive and OECD Guidelines.

     

    In addition to hitting on these topics, the article also addresses some other major themes of our class thus far, such as the centrality of notice and consent to information privacy law, and the pushback by industry and other powerful figures against a more omnibus-style approach in the U.S. Providing a counterpoint to Professor Hayes’ support for the “Rules,” Professor Jacob D. Furst of DePaul University argues that privacy concerns can be mitigated by changes in consumer behavior, and that the only way people can be sure that their privacy is protected online is “to be smart about their online behaviors.” Furst, like many business leaders and other advocates for the American-style approach, points out that almost every company has privacy policies readily available on their website, and that forcing companies to do anything more to ensure that data is protected and not misused would be unduly burdensome, both in financial terms, as well as in terms of companies’ ability and willingness to continue to provide services to consumers on as wide of a scale.

     

    The executive branch’s response to these concerns is, oddly, a characteristically European one, and focuses on the supremacy of consumers’ “internet rights.” Indeed, the article concludes with a statement from the White House asserting that “consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online.”

     

    While I think that this move is certainly undergirded by legitimate policy concerns, I do not believe that an omnibus-style approach will work in America. Such a “Bill of Rights” would not just be a cumbersome effort to control industry, but it would also represent a top-down determination of what “type” of information sharing is “appropriate” on an individual level. In my opinion, the federal government should not be defining what is and is not acceptable information sharing by consumers; this is a decision that should be left to individuals. Perhaps a broader-based FTC enforcement power without an enforceable code of conduct would be a better way to achieve this outcome.

     

    NB: you can find the proposed “Internet Rules of the Road,” along with its proposed “code of conduct” here: http://www.whitehouse.gov/the-press-office/2012/02/23/we-can-t-wait-obama-administration-unveils-blueprint-privacy-bill-rights

  • UK Pushback to European Data Protection Directive Updates

    By Judd Lindenfeld

     

    The proposed changes to the European Data Protection Directive were sure to face strong opposition from U.S. lobbyists representing Facebook, Google and other pillars of the tech industry. After all, the switch from mere “directive” to actual “regulation” is one that gives the provisions an immediate and uniform impact across the European Union. This is on top of the additional requirements and standards that the change imposes. But consternation from Member States themselves—to the point of calling for the changes to be scrapped entirely—is a bit more surprising.

     

    However, this is exactly what the UK Information Commissioner’s Office (ICO) has called for.

     

    http://www.ico.gov.uk/news/~/media/documents/library/Data_Protection/Research_and_reports/data_protection_reform_latest_views_from_the_ico.ashx

     

    The UK ICO has called the current undertaking “a great opportunity” to update the way that personal information is used today yet laments the outcome of the process for a number of reasons. First, the ICO takes general aim at the updates for being “too prescriptive” when it comes to its administrative requirements. This concern is mostly reserved for small and medium enterprises (SMEs) that cannot afford the safeguards—such as hiring a Data Protection Officer—that the regulations require. Indeed, these kinds of administrative requirements create greater barriers of entry into the tech industry.

     

    Next, the ICO complains about the lack of clarity in the regulations. Terms like “personal data” must be defined more precisely by the new regulations (do they include non-obvious identifiers such as IP addresses?). The same applies to the new “right to be forgotten” that the regulations create (how forgotten is “forgotten”? Will users understand the degree of protection that this right offers?). Determining the definition of these provisions is crucial because of the heavy penalties that result from violating the regulations.

     

    Finally, the ICO questions what is perhaps the key feature of the regulations: its uniformity. He correctly points out that different Member States have different legal traditions and “what is allowed by law is not spelled out in the UK in the way that it is in some other countries’ legal systems.” However, in the change from “directive” to “regulation,” what is applied to one State is applied to all.

     

    The position of the UK ICO illuminates a number of important considerations in the quest to achieve data protection. First, it shows that patrolling the tech industry through an omnibus set of regulations is a difficult venture. Growth in the tech sector is dependent on small firms and start-ups that lack the protective capabilities of their larger counterparts. And terms like “personal data” that may seem clear today might, with the advent of new technologies, seem murky tomorrow.

     

    Most importantly, it’s questionable whether the goal of data protection can be achieved through the same means in every State. Of course, uniformity of law brings its own set of benefits. However, these benefits will never be realized if the laws that apply to every Member State are not “one size fits all.”

     

    For more information on the controversy surrounding the new regulations:

     

    http://www.wired.co.uk/news/archive/2013-02/07/ico-against-eu-data-protection

    http://www.theregister.co.uk/2013/02/06/uk_ico_position_data_protection_directive/

    http://www.wired.co.uk/news/archive/2013-01/22/us-eu-data-protection-advocates