Regulatory Enforcement on Privacy and Data Security: Updates from North America and Europe · 2019-11-05


  • Regulatory Enforcement on Privacy and Data Security:

    Updates from North America

    and Europe

    • Alysa Z. Hutnik, Partner, Kelley Drye & Warren LLP

    • Shaun Brown, Partner, nNovation LLP

    • Eduardo Ustaran, CIPP/E, Partner, Hogan Lovells LLP

  • United States Update

    Alysa Z. Hutnik, Partner, Kelley Drye & Warren LLP

  • FTC – Key Areas of Focus in 2014

    “The FTC continually assesses new developments and emerging trends and threats in the privacy area. . . .”

    - Jessica Rich, Director, FTC Bureau of Consumer Protection, June 2014

  • CFPB’S Emerging Privacy Interest

    “Privacy and security concerns have been cited as reasons consumers do not use mobile banking and mobile financial management services.” -- CFPB, June 2014

    Request for Information

    • Key privacy and data security concerns for mobile devices?

    • Mechanisms to disable lost/stolen mobile devices used to provide financial services?

    • Steps consumers should take to protect their data and identity when using a mobile device?

  • Focus on Big Data

  • Enforcement Trends: Flawed Notice, Choice, & Security

    • Location: Privacy Policy— Snapchat does not ask for, track, or access location-specific information

    – Analytics tracking service collected location information

    • Snaps Disappear?: Widely publicized methods to save snaps

    • Address Book: Friend finder accessed phone address book without consent

    • Registration: Security issue that allowed user to create an account using another person’s phone number

  • Enforcement Trends: Bypassing Notice & Choice

    • Site allegedly harvested personal data from Facebook without user consent to create 73MM “Jerk” profiles, including children

    • Alleged deception under Section 5

    • FTC approved final order settling charges that Aaron’s allowed franchisees to spy on consumers via rental computers

    • Tracking included geolocation and photos via webcam

  • Data Security Enforcement

    FTC Investigation → Complaint in D.N.J. → Appeal to 3rd Circuit

  • Data Security Enforcement

    • FTC Allegations

    – Failed to secure personal information

    – Misrepresented security precautions in the apps

    • Alleged Security Failures

    – Disabled SSL certificate validation, so the apps would accept invalid (including forged) certificates

    – Failed to appropriately test, assess or review the apps

    – Failed to maintain adequate process for receiving and addressing security vulnerability reports (Fandango)

    – Failed to oversee service providers’ security practices (Credit Karma)
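    The certificate-validation failure alleged against Fandango and Credit Karma is easy to reproduce in miniature. The program below is an added example, not code from this deck, from the FTC complaints, or from either company's apps. It starts a local HTTPS server with a self-signed certificate (constructed here with Go's httptest package) as a stand-in for an interception proxy presenting a forged certificate, then compares three clients: one with validation switched off (InsecureSkipVerify, the equivalent of what the complaints describe), the default validating client, and a client that trusts only the one certificate it expects. All function names are the example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newSelfSignedServer starts a local HTTPS server whose certificate is not
// signed by any CA the system trusts. It stands in for an attacker's
// interception proxy presenting an invalid certificate. Constructed fixture
// for this example, not anything taken from the FTC complaints.
func newSelfSignedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
}

// VulnerableClient mirrors the failure alleged in the Fandango and Credit
// Karma complaints: certificate validation is switched off, so any
// certificate, including a forged one, is accepted.
func VulnerableClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the one-line bypass
	}}
}

// DefaultClient keeps the platform's validation: the chain must lead to a
// trusted root and the certificate must match the host being contacted.
func DefaultClient() *http.Client {
	return &http.Client{}
}

// PinnedClient trusts exactly one certificate and nothing else. This is the
// sound way to talk to a self-signed test server without disabling
// validation globally.
func PinnedClient(serverCert *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(serverCert)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
}

// Fetch reports whether the client accepted the server's certificate and
// completed the request.
func Fetch(c *http.Client, url string) (bool, error) {
	resp, err := c.Get(url)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return true, nil
}

// Demo runs the three clients against the untrusted server and returns
// which of them accepted the invalid certificate.
func Demo() (vulnerableAccepted, defaultAccepted, pinnedAccepted bool) {
	srv := newSelfSignedServer()
	defer srv.Close()
	vulnerableAccepted, _ = Fetch(VulnerableClient(), srv.URL)
	defaultAccepted, _ = Fetch(DefaultClient(), srv.URL)
	pinnedAccepted, _ = Fetch(PinnedClient(srv.Certificate()), srv.URL)
	return
}

func main() {
	v, d, p := Demo()
	fmt.Printf("validation disabled:  accepted=%v\n", v)
	fmt.Printf("default validation:   accepted=%v\n", d)
	fmt.Printf("pinned to known cert: accepted=%v\n", p)
}
```

    The default client rejects the forged certificate, the pinned client accepts only the certificate it was told to expect, and the client with validation disabled accepts anything. A global bypass of this kind is usually introduced to make a self-signed staging certificate work and then shipped; the pinned trust store is the fix, and the single Boolean that turns validation off is exactly what code review and automated scanning should flag.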

  • Online Platform Enforcement

  • WHAT CAN WE EXPECT GOING FORWARD?

  • Continued Focus on Mobile/IoT

    • FTC requested comments on the following mobile security topics:

    – Platform design

    – Distribution channels

    – Development practices

    – Lifecycle and updates

    • June: FTC testifies in support of the Location Privacy Protection Act of 2014, calling it “an important step forward in protecting consumers’ sensitive geolocation information.”

    • August: FTC releases staff report recommending transparency improvements for mobile shopping apps

  • Platforms / Third-party Liability

    Merchants / App Developers

    Wireless Service Provider

    App storefront/platform

  • Practical Takeaways: Top Triggers for Privacy + Security Enforcement/Litigation

    1) Misrepresenting business practices about personal data and security (flawed notice)

    2) Lax protection of personal data (includes oversight of third parties)

    3) Concerns over how and if meaningful choices are provided to consumers

    4) Not responding quickly enough to a high volume of consumer complaints

  • Why It Matters?

    • Inadequate Privacy/Security

    – Often trigger regulatory investigations that last years

    – Affect company brand and bottom line

    – Avg. data breach costs are $5.85M/incident [detection, escalation, notification, remediation, lost business] (Ponemon, May 2014)

    – Pre-litigation defense costs often exceed six figures (US$), and litigation costs run higher still

    – Settlements can be 20 years or for an indefinite duration, and involve significant changes to business practices

  • Questions?

    Alysa Z. Hutnik

    PARTNER

    Kelley Drye & Warren LLP

    Phone: (202) 342-8603

    Email: [email protected]

    Twitter: @kelleydryeadlaw

    Connect with Kelley Drye

    Web: www.KelleyDrye.com

    Blog: www.AdLawAccess.com

    Facebook: http://www.facebook.com/KelleyDryeAdvertisingLaw

    Twitter: http://twitter.com/#!/KelleyDryeAdLaw

  • CANADA UPDATE:

    OPC (PIPEDA) & CRTC (CASL)

    Shaun Brown, Partner, nNovation LLP

  • Privacy Commissioner of Canada

    • PIPEDA applies to collection, use & disclosure of personal information in the private sector

    • Enforced by Privacy Commissioner of Canada (OPC)

    – “Officer of Parliament”; ombudsman model

    – No order-making powers, no penalties

    – Federal Court of Canada can award damages (have been minimal)

    • Growing calls for new powers – not likely anytime soon

    • Can still make life difficult

  • Who is the new Commissioner?

    • Daniel Therrien appointed in June to replace Jennifer Stoddart

    • Controversial appointment – not from the privacy community

    • Public sector lawyer with background in immigration and law enforcement issues

    • Recent report focusses on “Online Privacy Transparency”, highlights investigations involving Apple and Google

  • What is CASL?

    Dec. 2010: Royal Assent

    Mar. 2012: Final CRTC Regs

    Oct. 2012: CRTC Guidelines

    Dec. 2013: IC Regs Final

    Jul. 2014: CASL (mostly) in force

    Jan. 2015: Rules re: Computer Programs in force

    Jul. 2017: Private Right of Action in force

  • Canadian Radio-television and Telecommunications Commission (CRTC)

    • Role as enforcement agency began with the Unsolicited Telecommunications Rules (UTR) in 2008

    • Broad investigatory powers

    • Ability to impose administrative monetary penalties (AMPs); up to $10 million/violation

    • Demonstrated willingness to impose AMPs under UTR: just under $400k since April, 2014

  • CRTC General Enforcement Approach

    Our goal is to promote compliance with the CASL in the most efficient way possible while preventing recidivism. It is also to deter others who may be tempted to violate the law, so they understand what is required to comply and what the consequences are if they fail. We are looking to achieve a high level of voluntary compliance and deter severe non-compliance. The enforcement approach will be dictated by the specific circumstances of each case. So the enforcement response will depend on various factors listed in the law, including the nature, seriousness and impact of the violation, the history of non-compliance and the measures taken to prevent the violation from taking place. In short, our approach will be proportionate and measured.

  • What to Watch For

    • First CRTC findings under CASL

    • Guidance re: computer program rules (in force in January)

    • Privacy Commissioner relationship with industry

  • Shaun Brown

    PARTNER

    nNovation LLP

    Phone: (613) 656-1297

    Email: [email protected]

    Twitter: @emarketinglaw

    Questions?

  • European Update

    Eduardo Ustaran, CIPP/E, Partner, Hogan Lovells

  • Enforcement Today (I)

    • Independent national regulators

    • Core powers

    • Investigative powers

    • Powers of intervention

    • Power to engage in legal proceedings

    • Weak sanctions?

  • Enforcement Today (II)

    [graphics]

  • Enforcement Trends

    • Name and shame

    • Measured scrutiny

  • Enforcement Tomorrow

    • Still national regulators

    • Greater international cooperation?

    • One-stop-shop?

    • Massive fines? (% of global turnover)

  • Eduardo Ustaran, CIPP/E

    PARTNER

    Hogan Lovells

    Phone: +44 20 7296 2000

    Email: [email protected]

    Questions?