regulatory enforcement on updates from north america · 2019-11-05 · mar. 2012: final crtc regs...
TRANSCRIPT
-
Regulatory Enforcement on Privacy and Data Security:
Updates from North America
and Europe
• Alysa Z. Hutnik, Partner, Kelley Drye & Warren LLP
• Shaun Brown, Partner, nNovation LLP
• Eduardo Ustaran, CIPP/E, Partner, Hogan Lovells LLP
-
United States Update
Alysa Z. Hutnik, Partner, Kelley Drye & Warren LLP
-
FTC – Key Areas of Focus in 2014
“The FTC continually assesses new developments and emerging trends and threats in the privacy area. . . .”
- Jessica Rich, Director, FTC Bureau of Consumer Protection, June 2014
-
CFPB’S Emerging Privacy Interest
“Privacy and security concerns have been cited as reasons consumers do not use mobile banking and mobile financial management services.” -- CFPB, June 2014
Request for Information
• Key privacy and data security concerns for mobile devices?
• Mechanisms to disable lost/stolen mobile devices used to provide financial services?
• Steps consumers should take to protect their data and identity when using a mobile device?
-
Focus on Big Data
-
Enforcement Trends: Flawed Notice, Choice, & Security
• Location: Privacy Policy— Snapchat does not ask for, track, or access location-specific information
– Analytics tracking service collected location information
• Snaps Disappear?: Widely publicized methods to save snaps
• Address Book: Friend finder accessed phone address book without consent
• Registration: Security issue that allowed user to create an account using another person’s phone number
-
Enforcement Trends: Bypassing Notice & Choice
• Site allegedly harvested personal data from Facebook without user consent to create 73MM “Jerk” profiles, including children
• Alleged deception under Section 5
• FTC approved final order settling charges that Aaron’s allowed franchisees to spy on consumers via rental computers
• Tracking included geolocation and photos via webcam
-
Data Security Enforcement
FTC Investigation
Complaint in D.N.J.
Appeal to 3rd Circuit
-
Data Security Enforcement
• FTC Allegations
– Failed to secure personal information
– Misrepresented security precautions in the apps
• Alleged Security Failures
– Disabled SSL certificate validation—apps could accept invalid certificates
– Failed to appropriately test, assess or review the apps
– Failed to maintain adequate process for receiving and addressing security vulnerability reports (Fandango)
– Failed to oversee service providers’ security practices (Credit Karma)
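The certificate-validation failure alleged above is a client-side configuration choice, so it can be shown directly in code. The following is an added illustration, not code from the FTC complaints or from the apps involved (which were mobile apps, not Python): it puts the flawed TLS client setting (verification switched off, so self-signed, expired or wrong-host certificates are accepted) beside the default validating configuration, and adds a small review check of the kind a pre-release security assessment could apply to every outbound connection. Function names and the finding strings are this example's own.

```python
"""Disabled vs. enforced certificate validation in a TLS client.

Added example; not the original presentation's or the FTC's code.
Uses only the Python standard library, so it runs offline.
"""
import ssl
from typing import List, Optional


def insecure_client_context() -> ssl.SSLContext:
    """The flawed pattern: hostname matching off and no chain verification.

    A client built this way completes a handshake with any certificate,
    so an on-path party presenting its own certificate can read and
    alter the 'encrypted' traffic, which is the weakness at issue above.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be turned off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accept invalid or untrusted certs
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected configuration.

    create_default_context() validates the chain against trusted CAs
    (system store, or the bundle in `cafile`) and checks the hostname.
    A TLS 1.2 floor is set explicitly so the policy is visible to reviewers.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def validates_certificates(ctx: ssl.SSLContext) -> bool:
    """True only if both chain verification and hostname matching are on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Review check for an app's outbound TLS settings.

    Returns a list of weaknesses (empty list means the context validates
    the server as the default configuration would). Finding strings are
    this example's own wording.
    """
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions below 1.2 allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(f"{name}: validates={validates_certificates(ctx)}")
        for finding in audit_context(ctx):
            print(f"  - {finding}")
```

Running the module prints the two findings for the insecure context and none for the hardened one. The same audit logic applies to any code path that builds its own TLS context: a context whose `verify_mode` is not `CERT_REQUIRED`, or whose hostname check is off, should fail review regardless of what the privacy policy or app description says about security.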
-
Online Platform Enforcement
-
WHAT CAN WE EXPECT GOING FORWARD?
-
Continued Focus on Mobile/IoT
• FTC requested comments on the following mobile security topics:
– Platform design
– Distribution channels
– Development practices
– Lifecycle and updates
• June: FTC testifies in support of the Location Privacy Protection Act of 2014, calling it “an important step forward in protecting consumers’ sensitive geolocation information.”
• August: FTC releases staff report recommending transparency improvements for mobile shopping apps
-
Platforms / Third-party Liability
Merchants / App Developers
Wireless Service Provider
App storefront/platform
-
Practical Takeaways: Top Triggers for Privacy + Security Enforcement/Litigation
1) Misrepresenting business practices about personal data and security (flawed notice)
2) Lax protection of personal data (includes oversight of third parties)
3) Concerns over how and if meaningful choices are provided to consumers
4) Not responding quickly enough to a high volume of consumer complaints
-
Why It Matters?
• Inadequate Privacy/Security
– Often trigger regulatory investigations that last years
– Affect company brand and bottom line
– Avg. data breach costs are $5.85M/incident [detection, escalation, notification, remediation, lost business] (Ponemon, May 2014)
– Pre-litigation defense costs often can exceed six figures ($US), and litigation costs are higher still
– Settlements can be 20 years or for an indefinite duration, and involve significant changes to business practices
-
Questions?
Alysa Z. Hutnik
PARTNER
Kelley Drye & Warren LLP
Phone: (202) 342-8603
Email: [email protected]
Twitter: @kelleydryeadlaw
Connect with Kelley Drye
Web: www.KelleyDrye.com
Blog: www.AdLawAccess.com
Facebook: http://www.facebook.com/KelleyDryeAdvertisingLaw
Twitter: http://twitter.com/#!/KelleyDryeAdLaw
-
CANADA UPDATE:
OPC (PIPEDA) & CRTC (CASL)
Shaun Brown, Partner, nNovation LLP
-
Privacy Commissioner of Canada
• PIPEDA applies to collection, use & disclosure of personal information in private sector
• Enforced by Privacy Commissioner of Canada (OPC)
– “Officer of Parliament”; ombudsman model
– No order-making powers, no penalties
– Federal Court of Canada can award damages (have been minimal)
• Growing calls for new powers – not likely anytime soon
• Can still make life difficult
-
Who is the new Commissioner?
• Daniel Therrien appointed in June to replace Jennifer Stoddart
• Controversial appointment – not from the privacy community
• Public sector lawyer with background in immigration and law enforcement issues
• Recent report focusses on “Online Privacy Transparency”, highlights investigations involving Apple and Google
-
What is CASL?
Dec. 2010: Royal Assent
Mar. 2012: Final CRTC Regs
Oct. 2012: CRTC Guidelines
Dec. 2013: IC Regs Final
Jul. 2014: CASL (mostly) in force
Jan. 2015: Rules re: Computer Programs in force
Jul. 2017: Private Right of Action in force
-
Canadian Radio-television and Telecommunications Commission (CRTC)
• Role as enforcement agency began with Unsolicited Telecommunications Rules (UTR) in 2008
• Broad investigatory powers
• Ability to impose administrative monetary penalties (AMPs); up to $10 million/violation
• Demonstrated willingness to impose AMPs under UTR: just under $400k since April, 2014
-
CRTC General Enforcement Approach
Our goal is to promote compliance with the CASL in the most efficient way possible while preventing recidivism. It is also to deter others who may be tempted to violate the law, so they understand what is required to comply and what the consequences are if they fail. We are looking to achieve a high level of voluntary compliance and deter severe non compliance. The enforcement approach will be dictated by the specific circumstances of each case. So the enforcement response will depend on various factors listed in the law, including the nature, seriousness and impact of the violation, the history of non compliance and the measures taken to prevent the violation from taking place. In short, our approach will be proportionate and measured.
-
What to Watch For
• First CRTC findings under CASL
• Guidance re: computer program rules (in force in January)
• Privacy Commissioner relationship with industry
-
Shaun Brown
PARTNER
nNovation LLP
Phone: (613) 656-1297
Email: [email protected]
Twitter: @emarketinglaw
Questions?
-
European Update
Eduardo Ustaran, CIPP/E, Partner, Hogan Lovells
-
Enforcement Today (I)
• Independent national regulators
• Core powers
• Investigative powers
• Powers of intervention
• Power to engage in legal proceedings
• Weak sanctions?
-
Enforcement Today (II)
-
Enforcement Trends
• Name and shame
• Measured scrutiny
-
Enforcement Tomorrow
• Still national regulators
• Greater international cooperation?
• One-stop-shop?
• Massive fines? (% of global turnover)
-
Eduardo Ustaran, CIPP/E
PARTNER
Hogan Lovells
Phone: +44 20 7296 2000
Email: [email protected]
Questions?